[ENT-2821] Make the default schemes for TLS and identity available from the CryptoService interface (#4354)
* Make the default schemes for TLS and identity available from the CryptoService interface. * Change CryptoService.generateKeyPair to accept SignatureScheme instead of Int.
This commit is contained in:
parent
838c99c6e4
commit
382e3b651f
@ -1,6 +1,7 @@
|
||||
package net.corda.nodeapi.internal.cryptoservice
|
||||
|
||||
import net.corda.core.DoNotImplement
|
||||
import net.corda.core.crypto.SignatureScheme
|
||||
import org.bouncycastle.operator.ContentSigner
|
||||
import java.security.KeyPair
|
||||
import java.security.PublicKey
|
||||
@ -16,7 +17,7 @@ interface CryptoService {
|
||||
*
|
||||
* Returns the [PublicKey] of the generated [KeyPair].
|
||||
*/
|
||||
fun generateKeyPair(alias: String, schemeNumberID: Int): PublicKey
|
||||
fun generateKeyPair(alias: String, scheme: SignatureScheme): PublicKey
|
||||
|
||||
/** Check if this [CryptoService] has a private key entry for the input alias. */
|
||||
fun containsKey(alias: String): Boolean
|
||||
@ -37,6 +38,16 @@ interface CryptoService {
|
||||
* Returns [ContentSigner] for the key identified by the input alias.
|
||||
*/
|
||||
fun getSigner(alias: String): ContentSigner
|
||||
|
||||
/**
|
||||
* Returns the [SignatureScheme] that should be used for generating key pairs for the node's legal identity with this [CryptoService].
|
||||
*/
|
||||
fun defaultIdentitySignatureScheme(): SignatureScheme
|
||||
|
||||
/**
|
||||
* Returns the [SignatureScheme] that should be used with this [CryptoService] when generating key pairs for TLS.
|
||||
*/
|
||||
fun defaultTLSSignatureScheme(): SignatureScheme
|
||||
}
|
||||
|
||||
open class CryptoServiceException(message: String?, cause: Throwable? = null) : Exception(message, cause)
|
||||
|
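Review bot: The new `generateKeyPair(alias, scheme)` contract in the `@ -16,7` hunk does not say what an implementation must do when `alias` already has an entry or when `scheme` is one it cannot generate, and the two new `default*SignatureScheme()` methods do not state that their result is guaranteed to be accepted by `generateKeyPair`. Since this call is where identity and TLS keys come into existence, silent replacement of an existing alias is the behaviour a caller most needs to know about, and the interface is the place to pin it down. I would add to the `generateKeyPair` KDoc: `* Implementations must accept the schemes returned by [defaultIdentitySignatureScheme] and [defaultTLSSignatureScheme]; whether an existing entry for [alias] is replaced or rejected must be documented by the implementation.` and, if wrapping failures in [CryptoServiceException] is meant to be general rather than specific to the BouncyCastle implementation, a `@throws CryptoServiceException` line. The `generateKeyPair` KDoc starts before the hunk.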
@ -956,7 +956,7 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
|
||||
return PartyAndCertificate(X509Utilities.buildCertPath(identityCertPath))
|
||||
}
|
||||
|
||||
protected open fun generateKeyPair(alias: String) = cryptoService.generateKeyPair(alias, X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME.schemeNumberID)
|
||||
protected open fun generateKeyPair(alias: String) = cryptoService.generateKeyPair(alias, cryptoService.defaultIdentitySignatureScheme())
|
||||
|
||||
protected open fun makeVaultService(keyManagementService: KeyManagementService,
|
||||
services: ServicesForResolution,
|
||||
|
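Review bot: The rewritten `generateKeyPair(alias)` in AbstractNode is a `protected open` member whose return type is still inferred from the call it wraps, so a later change to `CryptoService.generateKeyPair`'s return type would silently change the signature subclasses override; a protected API should spell it out: `protected open fun generateKeyPair(alias: String): PublicKey = cryptoService.generateKeyPair(alias, cryptoService.defaultIdentitySignatureScheme())`. Whether `java.security.PublicKey` is already imported in this file is not visible here. The enclosing class continues on both sides of the hunk.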
@ -1,6 +1,7 @@
|
||||
package net.corda.node.services.keys.cryptoservice
|
||||
|
||||
import net.corda.core.crypto.Crypto
|
||||
import net.corda.core.crypto.SignatureScheme
|
||||
import net.corda.core.crypto.newSecureRandom
|
||||
import net.corda.core.crypto.sha256
|
||||
import net.corda.node.services.config.NodeConfiguration
|
||||
@ -27,13 +28,13 @@ class BCCryptoService(private val legalName: X500Principal, private val certific
|
||||
// TODO make it private when E2ETestKeyManagementService does not require direct access to the private key.
|
||||
internal var certificateStore: CertificateStore = certificateStoreSupplier.get(true)
|
||||
|
||||
override fun generateKeyPair(alias: String, schemeNumberID: Int): PublicKey {
|
||||
override fun generateKeyPair(alias: String, scheme: SignatureScheme): PublicKey {
|
||||
try {
|
||||
val keyPair = Crypto.generateKeyPair(Crypto.findSignatureScheme(schemeNumberID))
|
||||
val keyPair = Crypto.generateKeyPair(scheme)
|
||||
importKey(alias, keyPair)
|
||||
return keyPair.public
|
||||
} catch (e: Exception) {
|
||||
throw CryptoServiceException("Cannot generate key for alias $alias and signature scheme with id $schemeNumberID", e)
|
||||
throw CryptoServiceException("Cannot generate key for alias $alias and signature scheme ${scheme.schemeCodeName} (id ${scheme.schemeNumberID})", e)
|
||||
}
|
||||
}
|
||||
|
||||
@ -67,6 +68,14 @@ class BCCryptoService(private val legalName: X500Principal, private val certific
|
||||
}
|
||||
}
|
||||
|
||||
override fun defaultIdentitySignatureScheme(): SignatureScheme {
|
||||
return X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME
|
||||
}
|
||||
|
||||
override fun defaultTLSSignatureScheme(): SignatureScheme {
|
||||
return X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME
|
||||
}
|
||||
|
||||
/**
|
||||
* If a node is running in [NodeConfiguration.devMode] and for backwards compatibility purposes, the same [KeyStore]
|
||||
* is reused outside [BCCryptoService] to update certificate paths. [resyncKeystore] will sync [BCCryptoService]'s
|
||||
|
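Review bot: `generateKeyPair(alias, scheme)` in the `@ -27,13` hunk still calls `importKey(alias, keyPair)` without checking `containsKey(alias)` first, so if `importKey` replaces an existing entry (its behaviour is not visible in this hunk) a caller such as `AbstractNode.generateKeyPair`, which does not pre-check, would silently replace an existing identity key under that alias. A guard at the top of the `try`, `check(!containsKey(alias)) { "Key alias $alias already exists" }`, would turn that into a visible failure (wrapped into `CryptoServiceException` by the existing `catch`, like every other failure there); otherwise the overwrite semantics should be stated on the interface. As a point of style, the two new default-scheme overrides in the `@ -67,6` hunk are one-expression functions and read better as `override fun defaultIdentitySignatureScheme(): SignatureScheme = X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME` (likewise for TLS). The class continues outside both hunks.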
@ -117,7 +117,7 @@ open class NetworkRegistrationHelper(
|
||||
return if (cryptoService.containsKey(nodeCaKeyAlias)) {
|
||||
cryptoService.getPublicKey(nodeCaKeyAlias)!!
|
||||
} else {
|
||||
cryptoService.generateKeyPair(nodeCaKeyAlias, X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME.schemeNumberID)
|
||||
cryptoService.generateKeyPair(nodeCaKeyAlias, cryptoService.defaultTLSSignatureScheme())
|
||||
}
|
||||
}
|
||||
|
||||
|
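Review bot: The `else` branch in the `@ -117,7` hunk generates the key for `nodeCaKeyAlias` with `defaultTLSSignatureScheme()`, which a reader would not expect for a CA key now that an identity default is also available; this mirrors the old constant, but the reason is not stated anywhere visible, and a future "fix" could swap it. A one-line comment would prevent that, e.g. `// The node CA key deliberately uses the TLS scheme — presumably so the TLS certificate it issues is compatible; confirm before changing.` The `!!` on `getPublicKey(nodeCaKeyAlias)` in the `if` branch is untouched by this commit but would fail more informatively as `requireNotNull(cryptoService.getPublicKey(nodeCaKeyAlias)) { "No public key stored for $nodeCaKeyAlias" }`. The enclosing function starts before the hunk.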
@ -46,9 +46,8 @@ class BCCryptoServiceTests {
|
||||
}
|
||||
|
||||
private fun generateKeyAndSignForScheme(cryptoService: BCCryptoService, signatureScheme: SignatureScheme) {
|
||||
val schemeNumberID = signatureScheme.schemeNumberID
|
||||
val alias = "signature$schemeNumberID"
|
||||
val pubKey = cryptoService.generateKeyPair(alias, schemeNumberID)
|
||||
val alias = "signature${signatureScheme.schemeNumberID}"
|
||||
val pubKey = cryptoService.generateKeyPair(alias, signatureScheme)
|
||||
assertTrue { cryptoService.containsKey(alias) }
|
||||
|
||||
val signatureData = cryptoService.sign(alias, clearData)
|
||||
|
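Review bot: `generateKeyAndSignForScheme` in the `@ -46,9` hunk only asserts `containsKey(alias)` after `generateKeyPair` returns `pubKey`, so a service that stores the key but returns a different public key than the one under `alias` would pass this point unnoticed. Unless it is done later in the function, which continues past the hunk, add `assertEquals(pubKey, cryptoService.getPublicKey(alias))` right after the `containsKey` assertion. Whether `assertEquals` is already imported in this test file is not visible here.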