Open semil opened 1 year ago
@arkadiPiven and I are working on a fix.
I think we just forgot to close this issue when the fix https://github.com/hyperledger/fabric/pull/4407 was merged. Should we just close this issue @semil or do you want to consider different approaches?
Description
Critical areas of the code like https://github.com/hyperledger/fabric/blob/c24c9b57439cfb1a9c2332d953286946ebfc3600/orderer/common/cluster/util.go#L812-L820 are using timestamp's String() method in order to calculate its string representation. The String method uses: https://github.com/hyperledger/fabric/blob/c24c9b57439cfb1a9c2332d953286946ebfc3600/vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go#L271-L273
https://github.com/hyperledger/fabric/blob/c24c9b57439cfb1a9c2332d953286946ebfc3600/vendor/google.golang.org/protobuf/internal/impl/api_export.go#L173-L177
https://github.com/hyperledger/fabric/blob/c24c9b57439cfb1a9c2332d953286946ebfc3600/vendor/google.golang.org/protobuf/encoding/prototext/encode.go#L85-L98
Which clearly states "Do not depend on the output being stable. It may change over time across different versions of the program.".
Evidence to that is the way the timestamp
seconds:1693225332; nanos:471402000
is converted to string:
seconds:1693225332 nanos:471402000
seconds:1693225332 nanos:471402000
Note the double vs single spacing. This string is then converted to a byte array and its hash is used to calculate different security components.
Steps to reproduce
No response
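Added example, not part of the issue or of the Fabric code base: it hashes the same timestamp through a debug-style string with single and double spacing, then through a fixed-width binary encoding that does not depend on text formatting. The `Timestamp` stand-in type, the helper names and the 12-byte layout are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Timestamp is a stand-in for the two fields of google.protobuf.Timestamp.
type Timestamp struct {
	Seconds int64
	Nanos   int32
}

// debugString imitates the text rendering quoted in the issue. The separator
// is a parameter because that output is documented as not stable.
func debugString(ts Timestamp, sep string) string {
	return fmt.Sprintf("seconds:%d%snanos:%d", ts.Seconds, sep, ts.Nanos)
}

// hashOfString is the fragile pattern: a digest over a human-readable string.
func hashOfString(s string) [32]byte { return sha256.Sum256([]byte(s)) }

// canonicalBytes is a hypothetical fixed layout: 8 bytes of big-endian
// seconds followed by 4 bytes of big-endian nanos.
func canonicalBytes(ts Timestamp) []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint64(buf[:8], uint64(ts.Seconds))
	binary.BigEndian.PutUint32(buf[8:], uint32(ts.Nanos))
	return buf
}

// hashCanonical digests the fixed layout instead of the debug string.
func hashCanonical(ts Timestamp) [32]byte {
	return sha256.Sum256(canonicalBytes(ts))
}

func main() {
	ts := Timestamp{Seconds: 1693225332, Nanos: 471402000} // value from the issue
	single := hashOfString(debugString(ts, " "))           // one rendering
	double := hashOfString(debugString(ts, "  "))          // the other rendering
	fmt.Printf("debug-string digests match: %v\n", single == double)
	fmt.Printf("canonical digest: %x\n", hashCanonical(ts))
}
```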