ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-06-20 08:03:53 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Adding CSR signature verification (#537)

Browse Source
This commit is contained in:
Michal Kit
2018-03-14 09:17:09 +00:00
committed by GitHub
parent 34800ab527
commit 341e060424
4 changed files with 64 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
View File

@ -14,7 +14,10 @@ import net.corda.core.CordaOID
import net.corda.core.crypto.Crypto
import net.corda.core.crypto.SignatureScheme
import net.corda.core.crypto.random63BitValue
import net.corda.core.internal.*
import net.corda.core.internal.CertRole
import net.corda.core.internal.reader
import net.corda.core.internal.uncheckedCast
import net.corda.core.internal.writer
import net.corda.core.utilities.days
import net.corda.core.utilities.millis
import org.bouncycastle.asn1.*
@ -36,6 +39,7 @@ import java.math.BigInteger
import java.nio.file.Path
import java.security.KeyPair
import java.security.PublicKey
import java.security.SignatureException
import java.security.cert.*
import java.security.cert.Certificate
import java.time.Duration
@ -275,7 +279,11 @@ object X509Utilities {
return JcaPKCS10CertificationRequestBuilder(subject, keyPair.public)
.addAttribute(BCStyle.E, DERUTF8String(email))
.addAttribute(ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), certRole)
.build(signer)
.build(signer).apply {
if (!isSignatureValid()) {
throw SignatureException("The certificate signing request signature validation failed.")
}
}
}
fun createCertificateSigningRequest(subject: X500Principal, email: String, keyPair: KeyPair, certRole: CertRole = CertRole.NODE_CA): PKCS10CertificationRequest {
@ -321,6 +329,13 @@ val Certificate.x509: X509Certificate get() = requireNotNull(this as? X509Certif
val Array<Certificate>.x509: List<X509Certificate> get() = map { it.x509 }
/**
* Validates the signature of the CSR
*/
fun PKCS10CertificationRequest.isSignatureValid(): Boolean {
return this.isSignatureValid(JcaContentVerifierProviderBuilder().build(this.subjectPublicKeyInfo))
}
/**
* Wraps a [CertificateFactory] to remove boilerplate. It's unclear whether [CertificateFactory] is threadsafe so best
* so assume this class is not.