CORDA-1986 Ensure key alias format is supported by the major HSM vendors (#3950)

Konstantinos Chalkias
2018-09-17 10:19:34 +01:00
committed by GitHub
parent 0b2e0b04ec
commit 137f7664c1
3 changed files with 17 additions and 8 deletions


@ -41,15 +41,21 @@ object X509Utilities {
val DEFAULT_IDENTITY_SIGNATURE_SCHEME = Crypto.EDDSA_ED25519_SHA512
val DEFAULT_TLS_SIGNATURE_SCHEME = Crypto.ECDSA_SECP256R1_SHA256
// TODO This class is more of a general purpose utility class and as such these constants belong elsewhere
// TODO This class is more of a general purpose utility class and as such these constants belong elsewhere.
// Aliases for private keys and certificates.
const val CORDA_ROOT_CA = "cordarootca"
const val CORDA_INTERMEDIATE_CA = "cordaintermediateca"
const val CORDA_CLIENT_TLS = "cordaclienttls"
const val CORDA_CLIENT_CA = "cordaclientca"
// TODO These don't need to be prefixes, but can be the full aliases.
// TODO These don't need to be prefixes, but can be the full aliases. However, because they are used as key aliases
// we should ensure that:
// a) they always contain valid characters, preferably [A-Za-z0-9] in order to be supported by the majority of
// crypto service implementations (i.e., HSMs).
// b) they are at most 127 chars in length (i.e., as of 2018, Azure Key Vault does not support bigger aliases).
const val NODE_IDENTITY_ALIAS_PREFIX = "identity"
// TODO Hyphen (-) seems to be supported by the major HSM vendors, but we should consider remove it in the
// future and stick to [A-Za-z0-9].
const val DISTRIBUTED_NOTARY_ALIAS_PREFIX = "distributed-notary"
val DEFAULT_VALIDITY_WINDOW = Pair(0.millis, 3650.days)