ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-06-22 17:09:00 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CORDA-3979: Support for multiple trust roots (#6772)

Browse Source
This commit is contained in:
Denis Rekalov
2020-10-20 12:18:00 +03:00
committed by GitHub
parent 401d8b8856
commit 4193adf6fd
37 changed files with 486 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
core/src/main/kotlin/net/corda/core/identity/PartyAndCertificate.kt
View File

@ -42,8 +42,11 @@ class PartyAndCertificate(val certPath: CertPath) {
override fun toString(): String = party.toString()
/** Verify the certificate path is valid. */
fun verify(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult {
val result = certPath.validate(trustAnchor)
fun verify(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult = verify(setOf(trustAnchor))
/** Verify the certificate path is valid against one of the specified trust anchors. */
fun verify(trustAnchors: Set<TrustAnchor>): PKIXCertPathValidatorResult {
val result = certPath.validate(trustAnchors)
// Apply Corda-specific validity rules to the chain. This only applies to chains with any roles present, so
// an all-null chain is in theory valid.
var parentRole: CertRole? = CertRole.extract(result.trustAnchor.trustedCert)

8
core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
View File

@ -506,8 +506,8 @@ fun ExecutorService.join() {
}
// TODO: Currently the certificate revocation status is not handled here. Nowhere in the code the second parameter is used. Consider adding the support in the future.
fun CertPath.validate(trustAnchor: TrustAnchor, checkRevocation: Boolean = false): PKIXCertPathValidatorResult {
val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = checkRevocation }
fun CertPath.validate(trustAnchors: Set<TrustAnchor>, checkRevocation: Boolean = false): PKIXCertPathValidatorResult {
val parameters = PKIXParameters(trustAnchors).apply { isRevocationEnabled = checkRevocation }
try {
return CertPathValidator.getInstance("PKIX").validate(this, parameters) as PKIXCertPathValidatorResult
} catch (e: CertPathValidatorException) {
@ -517,8 +517,8 @@ Reason: ${e.reason}
Offending cert index: ${e.index}
Cert path: $this
Trust anchor:
$trustAnchor""", e, this, e.index)
Trust anchors:
$trustAnchors""", e, this, e.index)
}
}

2
core/src/main/kotlin/net/corda/core/internal/NetworkParametersServiceInternal.kt
View File

@ -40,5 +40,5 @@ interface NetworkParametersStorage : NetworkParametersService {
/**
* Set information that given parameters are current parameters for the network.
*/
fun setCurrentParameters(currentSignedParameters: SignedDataWithCert<NetworkParameters>, trustRoot: X509Certificate)
fun setCurrentParameters(currentSignedParameters: SignedDataWithCert<NetworkParameters>, trustRoots: Set<X509Certificate>)
}