github.com/yacovm/fabric@v2.0.0-alpha.0.20191128145320-c5d4087dc723+incompatible/common/crypto/expiration.go (about) 1 /* 2 Copyright IBM Corp. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package crypto 8 9 import ( 10 "crypto/x509" 11 "encoding/pem" 12 "time" 13 14 "github.com/golang/protobuf/proto" 15 "github.com/hyperledger/fabric-protos-go/msp" 16 ) 17 18 // ExpiresAt returns when the given identity expires, or a zero time.Time 19 // in case we cannot determine that 20 func ExpiresAt(identityBytes []byte) time.Time { 21 sId := &msp.SerializedIdentity{} 22 // If protobuf parsing failed, we make no decisions about the expiration time 23 if err := proto.Unmarshal(identityBytes, sId); err != nil { 24 return time.Time{} 25 } 26 return certExpirationTime(sId.IdBytes) 27 } 28 29 func certExpirationTime(pemBytes []byte) time.Time { 30 bl, _ := pem.Decode(pemBytes) 31 if bl == nil { 32 // If the identity isn't a PEM block, we make no decisions about the expiration time 33 return time.Time{} 34 } 35 cert, err := x509.ParseCertificate(bl.Bytes) 36 if err != nil { 37 return time.Time{} 38 } 39 return cert.NotAfter 40 } 41 42 // WarnFunc notifies a warning happened with the given format, and can be replaced with Warnf of a logger. 43 type WarnFunc func(format string, args ...interface{}) 44 45 // Scheduler invokes f after d time, and can be replaced with time.AfterFunc. 46 type Scheduler func(d time.Duration, f func()) *time.Timer 47 48 // TrackExpiration warns a week before one of the certificates expires 49 func TrackExpiration(tls bool, serverCert []byte, clientCertChain [][]byte, sIDBytes []byte, warn WarnFunc, now time.Time, s Scheduler) { 50 sID := &msp.SerializedIdentity{} 51 if err := proto.Unmarshal(sIDBytes, sID); err != nil { 52 return 53 } 54 55 trackCertExpiration(sID.IdBytes, "enrollment", warn, now, s) 56 57 if !tls { 58 return 59 } 60 61 trackCertExpiration(serverCert, "server TLS", warn, now, s) 62 63 if len(clientCertChain) == 0 || len(clientCertChain[0]) == 0 { 64 return 65 } 66 67 trackCertExpiration(clientCertChain[0], "client TLS", warn, now, s) 68 } 69 70 func trackCertExpiration(rawCert []byte, certRole string, warn WarnFunc, now time.Time, sched Scheduler) { 71 expirationTime := certExpirationTime(rawCert) 72 if expirationTime.IsZero() { 73 // If the certificate expiration time cannot be classified, return. 74 return 75 } 76 77 timeLeftUntilExpiration := expirationTime.Sub(now) 78 oneWeek := time.Hour * 24 * 7 79 80 if timeLeftUntilExpiration < 0 { 81 warn("The %s certificate has expired", certRole) 82 return 83 } 84 85 if timeLeftUntilExpiration < oneWeek { 86 days := timeLeftUntilExpiration / (time.Hour * 24) 87 hours := (timeLeftUntilExpiration - (days * time.Hour * 24)) / time.Hour 88 warn("The %s certificate expires within %d days and %d hours", certRole, days, hours) 89 return 90 } 91 92 timeLeftUntilOneWeekBeforeExpiration := timeLeftUntilExpiration - oneWeek 93 94 sched(timeLeftUntilOneWeekBeforeExpiration, func() { 95 warn("The %s certificate will expire within one week", certRole) 96 }) 97 }