added the time shift option for the tls OSN certificate. (hyperledger#5251)

pfi79 · web-flow · commit 118c4327ddbb · 2025-07-27T18:42:52.000+03:00
Signed-off-by: Fedor Partanskiy &lt;fredprtnsk@gmail.com&gt;
diff --git a/common/fabhttp/tls.go b/common/fabhttp/tls.go
@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"os"
+	"time"
 
 	"github.com/hyperledger/fabric/internal/pkg/comm"
 )
@@ -20,6 +21,7 @@ type TLS struct {
 	KeyFile            string
 	ClientCertRequired bool
 	ClientCACertFiles  []string
+	TimeShift          time.Duration
 }
 
 func (t TLS) Config() (*tls.Config, error) {
@@ -44,6 +46,12 @@ func (t TLS) Config() (*tls.Config, error) {
 			CipherSuites: comm.DefaultTLSCipherSuites,
 			ClientCAs:    caCertPool,
 		}
+		if t.TimeShift > 0 {
+			tlsConfig.Time = func() time.Time {
+				return time.Now().Add((-1) * t.TimeShift)
+			}
+		}
+
 		if t.ClientCertRequired {
 			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		} else {
diff --git a/integration/nwo/operational_client.go b/integration/nwo/operational_client.go
@@ -18,14 +18,18 @@ import (
 )
 
 func OrdererOperationalClients(n *Network, o *Orderer) (authClient, unauthClient *http.Client) {
-	return operationalClients(n, n.OrdererLocalTLSDir(o))
+	return OrdererOperationalClientsTimeShift(n, o, 0)
+}
+
+func OrdererOperationalClientsTimeShift(n *Network, o *Orderer, timeShift time.Duration) (authClient, unauthClient *http.Client) {
+	return operationalClients(n, n.OrdererLocalTLSDir(o), timeShift)
 }
 
 func PeerOperationalClients(n *Network, p *Peer) (authClient, unauthClient *http.Client) {
-	return operationalClients(n, n.PeerLocalTLSDir(p))
+	return operationalClients(n, n.PeerLocalTLSDir(p), 0)
 }
 
-func operationalClients(n *Network, tlsDir string) (authClient, unauthClient *http.Client) {
+func operationalClients(n *Network, tlsDir string, timeShift time.Duration) (authClient, unauthClient *http.Client) {
 	fingerprint := "http::" + tlsDir
 	if d := n.throttleDuration(fingerprint); d > 0 {
 		time.Sleep(d)
@@ -42,19 +46,30 @@ func operationalClients(n *Network, tlsDir string) (authClient, unauthClient *ht
 	Expect(err).NotTo(HaveOccurred())
 	clientCertPool.AppendCertsFromPEM(caCert)
 
+	authenticatedTlsConfig := &tls.Config{
+		Certificates: []tls.Certificate{clientCert},
+		RootCAs:      clientCertPool,
+	}
+	unauthenticatedTlsConfig := &tls.Config{RootCAs: clientCertPool}
+	if timeShift > 0 {
+		authenticatedTlsConfig.Time = func() time.Time {
+			return time.Now().Add((-1) * timeShift)
+		}
+		unauthenticatedTlsConfig.Time = func() time.Time {
+			return time.Now().Add((-1) * timeShift)
+		}
+	}
+
 	authenticatedClient := &http.Client{
 		Transport: &http.Transport{
 			MaxIdleConnsPerHost: -1,
-			TLSClientConfig: &tls.Config{
-				Certificates: []tls.Certificate{clientCert},
-				RootCAs:      clientCertPool,
-			},
+			TLSClientConfig:     authenticatedTlsConfig,
 		},
 	}
 	unauthenticatedClient := &http.Client{
 		Transport: &http.Transport{
 			MaxIdleConnsPerHost: -1,
-			TLSClientConfig:     &tls.Config{RootCAs: clientCertPool},
+			TLSClientConfig:     unauthenticatedTlsConfig,
 		},
 	}
 
diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go
@@ -675,6 +675,7 @@ func newAdminServer(admin localconfig.Admin) *fabhttp.Server {
 			KeyFile:            admin.TLS.PrivateKey,
 			ClientCertRequired: admin.TLS.ClientAuthRequired,
 			ClientCACertFiles:  admin.TLS.ClientRootCAs,
+			TimeShift:          admin.TLS.TLSHandshakeTimeShift,
 		},
 	})
 }

Original file line number	Diff line number	Diff line change
`@@ -675,6 +675,7 @@ func newAdminServer(admin localconfig.Admin) *fabhttp.Server {`
`675`	`675`	`KeyFile: admin.TLS.PrivateKey,`
`676`	`676`	`ClientCertRequired: admin.TLS.ClientAuthRequired,`
`677`	`677`	`ClientCACertFiles: admin.TLS.ClientRootCAs,`
	`678`	`+ TimeShift: admin.TLS.TLSHandshakeTimeShift,`
`678`	`679`	`},`
`679`	`680`	`})`
`680`	`681`	`}`