CORDA-2395 Add cordapp code signing dev key to production blacklist. (#4519)

* Add cordapp code signing dev key to production blacklist. * Remove code used to generate the actual PK hash (it is now attached to the JIRA story) * Remove wiki page reference. * Remove the non redundant cash transfer.
2025-01-18 02:39:51 +00:00 · 2019-01-09 15:41:24 +00:00 · 2019-01-09 15:41:24 +00:00 · 4530a5e982
commit 4530a5e982
parent dd6a007ff2
3 changed files with 15 additions and 17 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt
@ -9,7 +9,9 @@ import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.internal.hash
 import net.corda.core.internal.toX500Name
 import net.corda.nodeapi.internal.config.CertificateStore
-import net.corda.nodeapi.internal.crypto.*
+import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
+import net.corda.nodeapi.internal.crypto.CertificateType
+import net.corda.nodeapi.internal.crypto.X509Utilities
 import org.bouncycastle.asn1.x509.GeneralName
 import org.bouncycastle.asn1.x509.GeneralSubtree
 import org.bouncycastle.asn1.x509.NameConstraints
@ -102,7 +104,12 @@ const val DEV_CA_TRUST_STORE_FILE: String = "cordatruststore.jks"
 const val DEV_CA_TRUST_STORE_PASS: String = "trustpass"
 const val DEV_CA_TRUST_STORE_PRIVATE_KEY_PASS: String = "trustpasskeypass"

-val DEV_PUB_KEY_HASHES: List<SecureHash.SHA256> get() = listOf(DEV_INTERMEDIATE_CA.certificate, DEV_ROOT_CA.certificate).map { it.publicKey.hash.sha256() }
+// A code signing policy is currently under design.
+// The following interim key represents a self-signed certificate produced using the Java keytool and located in the gradle cordapp plugins resources key store:
+// https://github.com/corda/corda-gradle-plugins/blob/master/cordapp/src/main/resources/certificates/cordadevcodesign.jks
+const val DEV_CORDAPP_CODE_SIGNING_STR = "AA59D829F2CA8FDDF5ABEA40D815F937E3E54E572B65B93B5C216AE6594E7D6B"
+
+val DEV_PUB_KEY_HASHES: List<SecureHash.SHA256> get() = listOf(DEV_INTERMEDIATE_CA.certificate, DEV_ROOT_CA.certificate).map { it.publicKey.hash.sha256() } + SecureHash.parse(DEV_CORDAPP_CODE_SIGNING_STR).sha256()

 // We need a class so that we can get hold of the class loader
 internal object DevCaHelper {
@ -115,4 +122,4 @@ fun loadDevCaKeyStore(classLoader: ClassLoader = DevCaHelper::class.java.classLo
        "certificates/$DEV_CA_KEY_STORE_FILE", DEV_CA_KEY_STORE_PASS, DEV_CA_PRIVATE_KEY_PASS, classLoader)

 fun loadDevCaTrustStore(classLoader: ClassLoader = DevCaHelper::class.java.classLoader): CertificateStore = CertificateStore.fromResource(
-        "certificates/$DEV_CA_TRUST_STORE_FILE", DEV_CA_TRUST_STORE_PASS, DEV_CA_TRUST_STORE_PRIVATE_KEY_PASS, classLoader)
+        "certificates/$DEV_CA_TRUST_STORE_FILE", DEV_CA_TRUST_STORE_PASS, DEV_CA_TRUST_STORE_PRIVATE_KEY_PASS, classLoader)
--- a/node/src/integration-test/kotlin/net/corda/node/utilities/registration/NodeRegistrationTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/utilities/registration/NodeRegistrationTest.kt
@ -100,17 +100,6 @@ class NodeRegistrationTest {
                    aliceName.organisation,
                    genevieveName.organisation,
                    notaryName.organisation)
-
-            // Check the nodes can communicate among themselves (and the notary).
-            val anonymous = false
-            genevieve.rpc.startFlow(
-                    ::CashIssueAndPaymentFlow,
-                    1000.DOLLARS,
-                    OpaqueBytes.of(12),
-                    alice.nodeInfo.singleIdentity(),
-                    anonymous,
-                    defaultNotaryIdentity
-            ).returnValue.getOrThrow()
        }
    }
 }
--- a/testing/test-utils/src/main/kotlin/net/corda/testing/core/internal/JarSignatureTestUtils.kt
+++ b/testing/test-utils/src/main/kotlin/net/corda/testing/core/internal/JarSignatureTestUtils.kt
@ -67,11 +67,13 @@ object JarSignatureTestUtils {
        return ks.getCertificate(alias).publicKey
    }

-    fun Path.getPublicKey(alias: String, storePassword: String) : PublicKey {
-        val ks = loadKeyStore(this.resolve("_teststore"), storePassword)
+    fun Path.getPublicKey(alias: String, storeName: String, storePassword: String) : PublicKey {
+        val ks = loadKeyStore(this.resolve(storeName), storePassword)
        return ks.getCertificate(alias).publicKey
    }

+    fun Path.getPublicKey(alias: String, storePassword: String) = getPublicKey(alias, "_teststore", storePassword)
+
    fun Path.getJarSigners(fileName: String) =
            JarInputStream(FileInputStream((this / fileName).toFile())).use(JarSignatureCollector::collectSigners)

@ -97,4 +99,4 @@ object JarSignatureTestUtils {
            output.close()
        }
    }
-}
+}