fix(fxconfig/transaction): surface policy key parse errors#248

Open
Prachi194agrawal wants to merge 1 commit into hyperledger:main from Prachi194agrawal:bug/policy-parse-errors-fix

@Prachi194agrawal

Contributor

Type of change

  • Bug fix
  • Test update

Description

This change improves the error reporting when parsing threshold policy key material for fxconfig commands.

Previously, parseCertificateOrPublicKey had two silent failure paths:

  • Valid non-ECDSA certificates (for example RSA) caused the function to return a generic “no ECDSA public key in block” error, with no indication that the algorithm was wrong.
  • Corrupt or malformed DER bytes caused the underlying ASN.1 parse error from x509.ParsePKIXPublicKey to be dropped, again returning only the generic message.

In addition, getPubKeyFromPemData would discard these detailed errors while iterating over PEM blocks and eventually return a single generic no ECDSA public key in pem file message to the caller.

This PR:

  • Updates parseCertificateOrPublicKey to:
    • Return a specific error when a certificate uses a non-ECDSA algorithm, e.g. certificate uses RSA algorithm, expected ECDSA.
    • Wrap and propagate parse failures from x509.ParsePKIXPublicKey as failed to parse public key: <underlying error>.
    • Keep the success path for valid ECDSA public keys and certificates unchanged.
  • Updates getPubKeyFromPemData to:
    • Track the last parse error encountered across PEM blocks.
    • Wrap and return that error as no ECDSA public key in pem file: <underlying error> when no usable key is found.
    • Fall back to the original generic error only when no specific parse error was produced.

With these changes, users of:

  • fxconfig namespace create --threshold-policy <path>
  • fxconfig namespace update --threshold-policy <path>

now see clear, actionable error messages that distinguish between algorithm mismatch, corrupt key material, and the absence of any ECDSA key in the file.

Additional details (Optional)

The tests are written to be resilient to small differences in Go’s ASN.1 error strings by checking for either the wrapped message prefix (failed to parse public key) or the presence of "asn1" in the error text.

Related issues

Signed-off-by: Prachi Agrawal <prachi194agrawal@gmail.com>
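
A minimal sketch of the error propagation described above, added here as an illustration and not the PR's or the project's own code. `parseBlock` and `pubKeyFromPEM` are hypothetical stand-ins for parseCertificateOrPublicKey and getPubKeyFromPemData, and `corruptPEM` is constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// parseBlock (hypothetical name) returns a specific error for each failure mode.
func parseBlock(der []byte) (*ecdsa.PublicKey, error) {
	if cert, err := x509.ParseCertificate(der); err == nil {
		if k, ok := cert.PublicKey.(*ecdsa.PublicKey); ok {
			return k, nil
		}
		return nil, fmt.Errorf("certificate uses %s algorithm, expected ECDSA", cert.PublicKeyAlgorithm)
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("failed to parse public key: %w", err)
	}
	if k, ok := pub.(*ecdsa.PublicKey); ok {
		return k, nil
	}
	return nil, errors.New("no ECDSA public key in block")
}

// pubKeyFromPEM (hypothetical name) keeps only the LAST block's error, so earlier failures are masked.
func pubKeyFromPEM(data []byte) (*ecdsa.PublicKey, error) {
	var lastErr error
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		k, err := parseBlock(block.Bytes)
		if err == nil {
			return k, nil
		}
		lastErr = err
	}
	if lastErr != nil {
		return nil, fmt.Errorf("no ECDSA public key in pem file: %w", lastErr)
	}
	return nil, errors.New("no ECDSA public key in pem file") // no block produced a specific error
}

// corruptPEM is constructed input: a PEM block whose DER is a truncated ASN.1 SEQUENCE.
var corruptPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: []byte{0x30, 0x03, 0x01}})

func main() { fmt.Println(pubKeyFromPEM(corruptPEM)) }
```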
Development

Successfully merging this pull request may close these issues.

bug(fxconfig/transaction): parseCertificateOrPublicKey silently swallows parse errors, giving misleading diagnostics on invalid PEM key files

1 participant