[ENT-2821] Make the default schemes for TLS and identity available from the CryptoService interface (#4354)

* Make the default schemes for TLS and identity available from the CryptoService interface.

* Change CryptoService.generateKeyPair to accept SignatureScheme instead of Int.

node-api/src/main/kotlin/net/corda/nodeapi/internal/cryptoservice/CryptoService.kt

@@ -1,6 +1,7 @@
 package net.corda.nodeapi.internal.cryptoservice
 
 import net.corda.core.DoNotImplement
+import net.corda.core.crypto.SignatureScheme
 import org.bouncycastle.operator.ContentSigner
 import java.security.KeyPair
 import java.security.PublicKey
@@ -16,7 +17,7 @@ interface CryptoService {
      *
      * Returns the [PublicKey] of the generated [KeyPair].
      */
-    fun generateKeyPair(alias: String, schemeNumberID: Int): PublicKey
+    fun generateKeyPair(alias: String, scheme: SignatureScheme): PublicKey
 
     /** Check if this [CryptoService] has a private key entry for the input alias. */
     fun containsKey(alias: String): Boolean
@@ -37,6 +38,16 @@ interface CryptoService {
      * Returns [ContentSigner] for the key identified by the input alias.
      */
     fun getSigner(alias: String): ContentSigner
+
+    /**
+     * Returns the [SignatureScheme] that should be used for generating key pairs for the node's legal identity with this [CryptoService].
+     */
+    fun defaultIdentitySignatureScheme(): SignatureScheme
+
+    /**
+     * Returns the [SignatureScheme] that should be used with this [CryptoService] when generating key pairs for TLS.
+     */
+    fun defaultTLSSignatureScheme(): SignatureScheme
 }
 
 open class CryptoServiceException(message: String?, cause: Throwable? = null) : Exception(message, cause)

node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt

@@ -956,7 +956,7 @@ abstract class AbstractNode<S>(val configuration: NodeConfiguration,
         return PartyAndCertificate(X509Utilities.buildCertPath(identityCertPath))
     }
 
-    protected open fun generateKeyPair(alias: String) = cryptoService.generateKeyPair(alias, X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME.schemeNumberID)
+    protected open fun generateKeyPair(alias: String) = cryptoService.generateKeyPair(alias, cryptoService.defaultIdentitySignatureScheme())
 
     protected open fun makeVaultService(keyManagementService: KeyManagementService,
                                         services: ServicesForResolution,

node/src/main/kotlin/net/corda/node/services/keys/cryptoservice/BCCryptoService.kt

@@ -1,6 +1,7 @@
 package net.corda.node.services.keys.cryptoservice
 
 import net.corda.core.crypto.Crypto
+import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.newSecureRandom
 import net.corda.core.crypto.sha256
 import net.corda.node.services.config.NodeConfiguration
@@ -27,13 +28,13 @@ class BCCryptoService(private val legalName: X500Principal, private val certific
     // TODO make it private when E2ETestKeyManagementService does not require direct access to the private key.
     internal var certificateStore: CertificateStore = certificateStoreSupplier.get(true)
 
-    override fun generateKeyPair(alias: String, schemeNumberID: Int): PublicKey {
+    override fun generateKeyPair(alias: String, scheme: SignatureScheme): PublicKey {
         try {
-            val keyPair = Crypto.generateKeyPair(Crypto.findSignatureScheme(schemeNumberID))
+            val keyPair = Crypto.generateKeyPair(scheme)
             importKey(alias, keyPair)
             return keyPair.public
         } catch (e: Exception) {
-            throw CryptoServiceException("Cannot generate key for alias $alias and signature scheme with id $schemeNumberID", e)
+            throw CryptoServiceException("Cannot generate key for alias $alias and signature scheme ${scheme.schemeCodeName} (id ${scheme.schemeNumberID})", e)
         }
     }
 
@@ -67,6 +68,14 @@ class BCCryptoService(private val legalName: X500Principal, private val certific
         }
     }
 
+    override fun defaultIdentitySignatureScheme(): SignatureScheme {
+        return X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME
+    }
+
+    override fun defaultTLSSignatureScheme(): SignatureScheme {
+        return X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME
+    }
+
     /**
      * If a node is running in [NodeConfiguration.devMode] and for backwards compatibility purposes, the same [KeyStore]
      * is reused outside [BCCryptoService] to update certificate paths. [resyncKeystore] will sync [BCCryptoService]'s

node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt

@@ -117,7 +117,7 @@ open class NetworkRegistrationHelper(
         return if (cryptoService.containsKey(nodeCaKeyAlias)) {
             cryptoService.getPublicKey(nodeCaKeyAlias)!!
         } else {
-            cryptoService.generateKeyPair(nodeCaKeyAlias, X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME.schemeNumberID)
+            cryptoService.generateKeyPair(nodeCaKeyAlias, cryptoService.defaultTLSSignatureScheme())
         }
     }
 

node/src/test/kotlin/net/corda/node/services/keys/cryptoservice/BCCryptoServiceTests.kt

@@ -46,9 +46,8 @@ class BCCryptoServiceTests {
     }
 
     private fun generateKeyAndSignForScheme(cryptoService: BCCryptoService, signatureScheme: SignatureScheme) {
-        val schemeNumberID = signatureScheme.schemeNumberID
+        val alias = "signature${signatureScheme.schemeNumberID}"
-        val alias = "signature$schemeNumberID"
+        val pubKey = cryptoService.generateKeyPair(alias, signatureScheme)
-        val pubKey = cryptoService.generateKeyPair(alias, schemeNumberID)
         assertTrue { cryptoService.containsKey(alias) }
 
         val signatureData = cryptoService.sign(alias, clearData)