Create client CA certificate with X509 name constraint (#731)

* The node will be issued a CA certificate with name constraint which will allow the node to create keys with a valid certificate chain.
2025-06-14 13:18:18 +00:00 · 2017-05-24 16:13:37 +01:00
parent bbe4c170c2
commit 246de55433
22 changed files with 513 additions and 299 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/ArtemisMessagingComponent.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/ArtemisMessagingComponent.kt
@ -107,8 +107,10 @@ abstract class ArtemisMessagingComponent : SingletonSerializeAsToken() {
     */
    fun checkStorePasswords() {
        val config = config ?: return
-        config.keyStoreFile.read {
-            KeyStore.getInstance("JKS").load(it, config.keyStorePassword.toCharArray())
+        arrayOf(config.sslKeystore, config.nodeKeystore).forEach {
+            it.read {
+                KeyStore.getInstance("JKS").load(it, config.keyStorePassword.toCharArray())
+            }
        }
        config.trustStoreFile.read {
            KeyStore.getInstance("JKS").load(it, config.trustStorePassword.toCharArray())
--- a/node-api/src/main/kotlin/net/corda/nodeapi/ArtemisTcpTransport.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/ArtemisTcpTransport.kt
@ -53,14 +53,14 @@ class ArtemisTcpTransport {
            )

            if (config != null && enableSSL) {
-                config.keyStoreFile.expectedOnDefaultFileSystem()
+                config.sslKeystore.expectedOnDefaultFileSystem()
                config.trustStoreFile.expectedOnDefaultFileSystem()
-                val tlsOptions = mapOf<String, Any?>(
+                val tlsOptions = mapOf(
                        // Enable TLS transport layer with client certs and restrict to at least SHA256 in handshake
                        // and AES encryption
                        TransportConstants.SSL_ENABLED_PROP_NAME to true,
                        TransportConstants.KEYSTORE_PROVIDER_PROP_NAME to "JKS",
-                        TransportConstants.KEYSTORE_PATH_PROP_NAME to config.keyStoreFile,
+                        TransportConstants.KEYSTORE_PATH_PROP_NAME to config.sslKeystore,
                        TransportConstants.KEYSTORE_PASSWORD_PROP_NAME to config.keyStorePassword, // TODO proper management of keystores and password
                        TransportConstants.TRUSTSTORE_PROVIDER_PROP_NAME to "JKS",
                        TransportConstants.TRUSTSTORE_PATH_PROP_NAME to config.trustStoreFile,
--- a/node-api/src/main/kotlin/net/corda/nodeapi/config/SSLConfiguration.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/config/SSLConfiguration.kt
@ -7,6 +7,7 @@ interface SSLConfiguration {
    val keyStorePassword: String
    val trustStorePassword: String
    val certificatesDirectory: Path
-    val keyStoreFile: Path get() = certificatesDirectory / "sslkeystore.jks"
+    val sslKeystore: Path get() = certificatesDirectory / "sslkeystore.jks"
+    val nodeKeystore: Path get() = certificatesDirectory / "nodekeystore.jks"
    val trustStoreFile: Path get() = certificatesDirectory / "truststore.jks"
 }