ENT-1561 - Identity copying tool for distributed notary (#563)

* check in before shelving this task * keytool in-progress, TODO: Docs and more test * unit test and doc * minor typo
2024-12-29 01:08:57 +00:00 · 2018-03-16 09:42:27 +00:00 · 2018-03-16 09:42:27 +00:00 · 2a898658c2
commit 2a898658c2
parent a99a910730
6 changed files with 279 additions and 31 deletions
--- a/network-management/registration-tool/README.md
+++ b/network-management/registration-tool/README.md
@ -51,4 +51,46 @@ trustStorePassword = "password"
 ##Running the registration tool
-``java -jar registration-tool-<<version>>.jar --config-file <<config file path>>``
+``java -jar registration-tool-<<version>>.jar --config-file <<config file path>>``
 # Private key copy tool
 The key copy tool copies the private key from the source keystore to the destination keystore, it's similar to the ``importkeystore`` option in Java keytool with extra support for Corda's key algorithms.  
 **This is useful for provisioning keystores for distributed notaries.**
 ### Command line option
 ```
 Argument                        Description
 ---------                       -----------
 srckeystore                     Path to the source keystore containing the private key.
 destkeystore                    Path to the destination keystore which the private key should copy to.
 srcstorepass                    Source keystore password.
 deststorepass                   Destination keystore password.
 srcalias                        The alias of the private key the tool is copying.
 destalias                       Optional: The private key will be stored using this alias if provided, otherwise [srcalias] will be used.
 ```
 ### Usage
 ``java -jar registration-tool-<<version>>.jar --importkeystore [options]``
 ### Example
 Copy ``distributed-notary-private-key`` from distributed notaries keystore to node's keystore.
 ```
 java -jar registration-tool-<<version>>.jar \
 --importkeystore \
 --srckeystore notaryKeystore.jks \
 --destkeystore node.jks \
 --srcstorepass notaryPassword \
 --deststorepass nodepassword \
 --srcalias distributed-notary-private-key
 ```
--- a/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/KeyCopyTool.kt
+++ b/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/KeyCopyTool.kt
@ -0,0 +1,32 @@
 package com.r3.corda.networkmanage.registration
 import com.r3.corda.networkmanage.registration.ToolOption.KeyCopierOption
 import net.corda.nodeapi.internal.crypto.X509KeyStore
 /**
 * This utility will copy private key with [KeyCopierOption.srcAlias] from provided source keystore and copy it to target
 * keystore with the same alias, or [KeyCopierOption.destAlias] if provided.
 *
 * This tool uses Corda's security provider which support EdDSA keys.
 */
 fun KeyCopierOption.copyKeystore() {
    println("**************************************")
    println("*                                    *")
    println("*           Key copy tool            *")
    println("*                                    *")
    println("**************************************")
    println()
    println("This utility will copy private key with [srcalias] from provided source keystore and copy it to target keystore with the same alias, or [destalias] if provided.")
    println()
    // Read private key and certificates from notary identity keystore.
    val srcKeystore = X509KeyStore.fromFile(srcPath, srcPass)
    val srcPrivateKey = srcKeystore.getPrivateKey(srcAlias)
    val srcCertChain = srcKeystore.getCertificateChain(srcAlias)
    X509KeyStore.fromFile(destPath, destPass).update {
        val keyAlias = destAlias ?: srcAlias
        setPrivateKey(keyAlias, srcPrivateKey, srcCertChain)
        println("Added '$keyAlias' to keystore : $destPath, the tool will now terminate.")
    }
 }
--- a/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/Main.kt
+++ b/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/Main.kt
@ -0,0 +1,96 @@
 package com.r3.corda.networkmanage.registration
 import com.r3.corda.networkmanage.registration.ToolOption.KeyCopierOption
 import com.r3.corda.networkmanage.registration.ToolOption.RegistrationOption
 import joptsimple.ArgumentAcceptingOptionSpec
 import joptsimple.OptionParser
 import joptsimple.OptionSet
 import joptsimple.OptionSpecBuilder
 import joptsimple.util.PathConverter
 import joptsimple.util.PathProperties
 import java.nio.file.Path
 fun main(args: Array<String>) {
    val options = parseOptions(*args)
    when (options) {
        is RegistrationOption -> options.runRegistration()
        is KeyCopierOption -> options.copyKeystore()
    }
 }
 private const val importKeyFlag = "importkeystore"
 internal fun parseOptions(vararg args: String): ToolOption {
    val optionParser = OptionParser()
    val isCopyKeyArg = optionParser.accepts(importKeyFlag)
    val configFileArg = optionParser
            .accepts("config-file", "The path to the registration config file")
            .availableUnless(importKeyFlag)
            .withRequiredArg()
            .withValuesConvertedBy(PathConverter(PathProperties.FILE_EXISTING))
    // key copy tool args
    val destKeystorePathArg = optionParser.accepts("destkeystore")
            .requireOnlyIf(importKeyFlag)
            .withRequiredArg()
            .withValuesConvertedBy(PathConverter(PathProperties.FILE_EXISTING))
    val srcKeystorePathArg = optionParser.accepts("srckeystore")
            .requireOnlyIf(importKeyFlag)
            .withRequiredArg()
            .withValuesConvertedBy(PathConverter(PathProperties.FILE_EXISTING))
    val destPasswordArg = optionParser.accepts("deststorepass")
            .requireOnlyIf(importKeyFlag)
            .withRequiredArg()
    val srcPasswordArg = optionParser.accepts("srcstorepass")
            .requireOnlyIf(importKeyFlag)
            .withRequiredArg()
    val destAliasArg = optionParser.accepts("destalias")
            .availableIf(importKeyFlag)
            .withRequiredArg()
    val srcAliasArg = optionParser.accepts("srcalias")
            .requireOnlyIf(importKeyFlag)
            .withRequiredArg()
    val optionSet = optionParser.parse(*args)
    val isCopyKey = optionSet.has(isCopyKeyArg)
    return if (isCopyKey) {
        val targetKeystorePath = optionSet.valueOf(destKeystorePathArg)
        val srcKeystorePath = optionSet.valueOf(srcKeystorePathArg)
        val destPassword = optionSet.valueOf(destPasswordArg)
        val srcPassword = optionSet.valueOf(srcPasswordArg)
        val destAlias = optionSet.getOrNull(destAliasArg)
        val srcAlias = optionSet.valueOf(srcAliasArg)
        KeyCopierOption(srcKeystorePath, targetKeystorePath, srcPassword, destPassword, srcAlias, destAlias)
    } else {
        val configFilePath = optionSet.valueOf(configFileArg)
        RegistrationOption(configFilePath)
    }
 }
 private fun <V : Any> OptionSet.getOrNull(opt: ArgumentAcceptingOptionSpec<V>): V? = if (has(opt)) valueOf(opt) else null
 private fun OptionSpecBuilder.requireOnlyIf(optionName: String): OptionSpecBuilder = requiredIf(optionName).availableIf(optionName)
 sealed class ToolOption {
    data class RegistrationOption(val configFilePath: Path) : ToolOption()
    data class KeyCopierOption(val srcPath: Path,
                               val destPath: Path,
                               val srcPass: String,
                               val destPass: String,
                               val srcAlias: String,
                               val destAlias: String?) : ToolOption()
 }
 fun readPassword(fmt: String): String {
    return if (System.console() != null) {
        String(System.console().readPassword(fmt))
    } else {
        print(fmt)
        readLine() ?: ""
    }
 }
--- a/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/RegistrationTool.kt
+++ b/network-management/registration-tool/src/main/kotlin/com/r3/corda/networkmanage/registration/RegistrationTool.kt
@ -10,37 +10,20 @@
 package com.r3.corda.networkmanage.registration
 import com.r3.corda.networkmanage.registration.ToolOption.RegistrationOption
 import com.typesafe.config.ConfigFactory
 import com.typesafe.config.ConfigParseOptions
 import joptsimple.OptionParser
 import joptsimple.util.PathConverter
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.CertRole
 import net.corda.core.internal.div
 import net.corda.node.utilities.registration.HTTPNetworkRegistrationService
 import net.corda.node.utilities.registration.NetworkRegistrationHelper
 import net.corda.nodeapi.internal.config.SSLConfiguration
 import net.corda.nodeapi.internal.config.parseAs
 import java.net.URL
 import java.nio.file.Path
 import java.nio.file.Paths
 fun main(args: Array<String>) {
    val optionParser = OptionParser()
    val configFileArg = optionParser
            .accepts("config-file", "The path to the registration config file")
            .withRequiredArg()
            .withValuesConvertedBy(PathConverter())
    val baseDirArg = optionParser
            .accepts("baseDir", "The registration tool's base directory, default to current directory.")
            .withRequiredArg()
            .withValuesConvertedBy(PathConverter())
            .defaultsTo(Paths.get("."))
    val optionSet = optionParser.parse(*args)
    val configFilePath = optionSet.valueOf(configFileArg)
    val baseDir = optionSet.valueOf(baseDirArg)
 fun RegistrationOption.runRegistration() {
    val config = ConfigFactory.parseFile(configFilePath.toFile(), ConfigParseOptions.defaults().setAllowMissing(false))
            .resolve()
            .parseAs<RegistrationConfig>()
@ -48,7 +31,7 @@ fun main(args: Array<String>) {
    val sslConfig = object : SSLConfiguration {
        override val keyStorePassword: String  by lazy { config.keyStorePassword ?: readPassword("Node Keystore password:") }
        override val trustStorePassword: String by lazy { config.trustStorePassword ?: readPassword("Node TrustStore password:") }
-        override val certificatesDirectory: Path = baseDir
+        override val certificatesDirectory: Path = configFilePath.parent / "certificates"
    }
    NetworkRegistrationHelper(sslConfig,
@ -59,15 +42,6 @@ fun main(args: Array<String>) {
            config.networkRootTrustStorePassword ?: readPassword("Network trust root password:"), config.certRole).buildKeystore()
 }
 fun readPassword(fmt: String): String {
    return if (System.console() != null) {
        String(System.console().readPassword(fmt))
    } else {
        print(fmt)
        readLine() ?: ""
    }
 }
 data class RegistrationConfig(val legalName: CordaX500Name,
                              val email: String,
                              val compatibilityZoneURL: URL,
--- a/network-management/registration-tool/src/test/kotlin/com/r3/corda/networkmanage/registration/KeyCopyToolTest.kt
+++ b/network-management/registration-tool/src/test/kotlin/com/r3/corda/networkmanage/registration/KeyCopyToolTest.kt
@ -0,0 +1,41 @@
 package com.r3.corda.networkmanage.registration
 import net.corda.core.crypto.Crypto
 import net.corda.core.internal.div
 import net.corda.nodeapi.internal.crypto.X509KeyStore
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import org.junit.Assert.assertEquals
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
 import java.nio.file.Path
 import javax.security.auth.x500.X500Principal
 class KeyCopyToolTest {
    @Rule
    @JvmField
    val tempFolder = TemporaryFolder()
    private val tempDir: Path by lazy { tempFolder.root.toPath() }
    @Test
    fun `key copy correctly`() {
        val keyCopyOption = ToolOption.KeyCopierOption(tempDir / "srcKeystore.jks", tempDir / "destKeystore.jks", "srctestpass", "desttestpass", "TestKeyAlias", null)
        // Prepare source and destination keystores
        val keyPair = Crypto.generateKeyPair()
        val cert = X509Utilities.createSelfSignedCACertificate(X500Principal("O=Test"), keyPair)
        X509KeyStore.fromFile(keyCopyOption.srcPath, keyCopyOption.srcPass, createNew = true).update {
            setPrivateKey(keyCopyOption.srcAlias, keyPair.private, listOf(cert))
        }
        X509KeyStore.fromFile(keyCopyOption.destPath, keyCopyOption.destPass, createNew = true)
        // Copy private key from src keystore to dest keystore using the tool
        keyCopyOption.copyKeystore()
        // Verify key copied correctly
        val destKeystore = X509KeyStore.fromFile(keyCopyOption.destPath, keyCopyOption.destPass)
        assertEquals(keyPair.private, destKeystore.getPrivateKey(keyCopyOption.srcAlias, keyCopyOption.destPass))
        assertEquals(cert, destKeystore.getCertificate(keyCopyOption.srcAlias))
    }
 }
--- a/network-management/registration-tool/src/test/kotlin/com/r3/corda/networkmanage/registration/OptionParserTest.kt
+++ b/network-management/registration-tool/src/test/kotlin/com/r3/corda/networkmanage/registration/OptionParserTest.kt
@ -0,0 +1,63 @@
 package com.r3.corda.networkmanage.registration
 import joptsimple.OptionException
 import junit.framework.Assert.assertEquals
 import net.corda.core.internal.div
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.junit.Before
 import org.junit.Rule
 import org.junit.Test
 import org.junit.rules.TemporaryFolder
 import java.nio.file.Files
 import java.nio.file.Path
 class OptionParserTest {
    @Rule
    @JvmField
    val tempFolder = TemporaryFolder()
    lateinit var tempDir: Path
    @Before
    fun setup() {
        tempDir = tempFolder.root.toPath()
        Files.createFile(tempDir / "test.file")
        Files.createFile(tempDir / "source.jks")
        Files.createFile(tempDir / "target.jks")
    }
    @Test
    fun `parse registration args correctly`() {
        requireNotNull(parseOptions("--config-file", "${tempDir / "test.file"}") as? ToolOption.RegistrationOption).apply {
            assertEquals(tempDir / "test.file", configFilePath)
        }
    }
    @Test
    fun `registration args should be unavailable in key copy mode`() {
        assertThatThrownBy {
            val keyCopyArgs = arrayOf("--importkeystore", "--srckeystore", "${tempDir / "source.jks"}", "--srcstorepass", "password1", "--destkeystore", "${tempDir / "target.jks"}", "--deststorepass", "password2", "-srcalias", "testalias")
            parseOptions(*keyCopyArgs, "--config-file", "test.file")
        }.isInstanceOf(OptionException::class.java)
                .hasMessageContaining("Option(s) [config-file] are unavailable given other options on the command line")
    }
    @Test
    fun `key copy args should be unavailable in registration mode`() {
        assertThatThrownBy {
            parseOptions("--config-file", "${tempDir / "test.file"}", "--srckeystore", "${tempDir / "source.jks"}")
        }.isInstanceOf(OptionException::class.java)
                .hasMessageContaining("Option(s) [srckeystore] are unavailable given other options on the command line")
    }
    @Test
    fun `parse key copy option correctly`() {
        val keyCopyArgs = arrayOf("--importkeystore", "--srckeystore", "${tempDir / "source.jks"}", "--srcstorepass", "password1", "--destkeystore", "${tempDir / "target.jks"}", "--deststorepass", "password2", "-srcalias", "testalias")
        requireNotNull(parseOptions(*keyCopyArgs) as? ToolOption.KeyCopierOption).apply {
            assertEquals(tempDir / "source.jks", srcPath)
            assertEquals(tempDir / "target.jks", destPath)
            assertEquals("password1", srcPass)
            assertEquals("password2", destPass)
            assertEquals("testalias", srcAlias)
        }
    }
 }