Validating the entire cert path in node registration, rather just checking the root cert. (#2298)

Also reduced duplicate code when creating the node CA cert path for testing, and renamed IdentityGenerator to DevIdentityGenerator.
2025-06-16 14:18:20 +00:00 · 2017-12-29 14:38:30 +00:00
parent 39d25958e2
commit 4a2f157118
18 changed files with 205 additions and 189 deletions
--- a/node/src/integration-test/kotlin/net/corda/node/NodeKeystoreCheckTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/NodeKeystoreCheckTest.kt
@ -10,23 +10,23 @@ import net.corda.nodeapi.internal.config.SSLConfiguration
 import net.corda.nodeapi.internal.crypto.*
 import net.corda.testing.ALICE_NAME
 import net.corda.testing.driver.driver
+import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.junit.Test
 import java.nio.file.Path
-import kotlin.test.assertEquals
-import kotlin.test.assertFailsWith
-import kotlin.test.assertTrue

 class NodeKeystoreCheckTest {
+    @Test
+    fun `starting node in non-dev mode with no key store`() {
+        driver(startNodesInProcess = true) {
+            assertThatThrownBy {
+                startNode(customOverrides = mapOf("devMode" to false)).getOrThrow()
+            }.hasMessageContaining("Identity certificate not found")
+        }
+    }
+
    @Test
    fun `node should throw exception if cert path doesn't chain to the trust root`() {
        driver(startNodesInProcess = true) {
-            // This will fail because there are no keystore configured.
-            assertFailsWith(IllegalArgumentException::class) {
-                startNode(customOverrides = mapOf("devMode" to false)).getOrThrow()
-            }.apply {
-                assertTrue(message?.startsWith("Identity certificate not found. ") ?: false)
-            }
-
            // Create keystores
            val keystorePassword = "password"
            val config = object : SSLConfiguration {
@ -37,9 +37,12 @@ class NodeKeystoreCheckTest {
            config.configureDevKeyAndTrustStores(ALICE_NAME)

            // This should pass with correct keystore.
-            val node = startNode(providedName = ALICE_NAME, customOverrides = mapOf("devMode" to false,
-                    "keyStorePassword" to keystorePassword,
-                    "trustStorePassword" to keystorePassword)).get()
+            val node = startNode(
+                    providedName = ALICE_NAME,
+                    customOverrides = mapOf("devMode" to false,
+                            "keyStorePassword" to keystorePassword,
+                            "trustStorePassword" to keystorePassword)
+            ).getOrThrow()
            node.stop()

            // Fiddle with node keystore.
@ -53,11 +56,9 @@ class NodeKeystoreCheckTest {
            keystore.setKeyEntry(X509Utilities.CORDA_CLIENT_CA, nodeCA.keyPair.private, config.keyStorePassword.toCharArray(), arrayOf(badNodeCACert.cert, badRoot.cert))
            keystore.save(config.nodeKeystore, config.keyStorePassword)

-            assertFailsWith(IllegalArgumentException::class) {
+            assertThatThrownBy {
                startNode(providedName = ALICE_NAME, customOverrides = mapOf("devMode" to false)).getOrThrow()
-            }.apply {
-                assertEquals("Client CA certificate must chain to the trusted root.", message)
-            }
+            }.hasMessage("Client CA certificate must chain to the trusted root.")
        }
    }
 }
--- a/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/BFTNotaryServiceTests.kt
@ -23,7 +23,7 @@ import net.corda.node.services.config.BFTSMaRtConfiguration
 import net.corda.node.services.config.NotaryConfig
 import net.corda.node.services.transactions.minClusterSize
 import net.corda.node.services.transactions.minCorrectReplicas
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.DevIdentityGenerator
 import net.corda.nodeapi.internal.network.NetworkParametersCopier
 import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.chooseIdentity
@ -60,7 +60,7 @@ class BFTNotaryServiceTests {
        (Paths.get("config") / "currentView").deleteIfExists() // XXX: Make config object warn if this exists?
        val replicaIds = (0 until clusterSize)

-        notary = IdentityGenerator.generateDistributedNotaryIdentity(
+        notary = DevIdentityGenerator.generateDistributedNotaryIdentity(
                replicaIds.map { mockNet.baseDirectory(mockNet.nextNodeId + it) },
                CordaX500Name("BFT", "Zurich", "CH"))

--- a/node/src/integration-test/kotlin/net/corda/node/utilities/registration/NodeRegistrationTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/utilities/registration/NodeRegistrationTest.kt
@ -6,7 +6,10 @@ import net.corda.core.internal.cert
 import net.corda.core.internal.concurrent.transpose
 import net.corda.core.internal.toX509CertHolder
 import net.corda.core.messaging.startFlow
-import net.corda.core.utilities.*
+import net.corda.core.utilities.NetworkHostAndPort
+import net.corda.core.utilities.OpaqueBytes
+import net.corda.core.utilities.getOrThrow
+import net.corda.core.utilities.minutes
 import net.corda.finance.DOLLARS
 import net.corda.finance.flows.CashIssueAndPaymentFlow
 import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
@ -16,7 +19,6 @@ import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_CLIENT_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_INTERMEDIATE_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
-import net.corda.nodeapi.internal.network.NotaryInfo
 import net.corda.testing.ROOT_CA
 import net.corda.testing.SerializationEnvironmentRule
 import net.corda.testing.driver.PortAllocation
@ -25,7 +27,6 @@ import net.corda.testing.node.internal.CompatibilityZoneParams
 import net.corda.testing.node.internal.internalDriver
 import net.corda.testing.node.internal.network.NetworkMapServer
 import net.corda.testing.singleIdentity
-import net.corda.testing.singleIdentityAndCert
 import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.bouncycastle.pkcs.PKCS10CertificationRequest
@ -39,6 +40,7 @@ import java.io.InputStream
 import java.net.URL
 import java.security.KeyPair
 import java.security.cert.CertPath
+import java.security.cert.CertPathValidatorException
 import java.security.cert.Certificate
 import java.util.zip.ZipEntry
 import java.util.zip.ZipOutputStream
@ -50,8 +52,10 @@ class NodeRegistrationTest {
    @Rule
    @JvmField
    val testSerialization = SerializationEnvironmentRule(true)
+
    private val portAllocation = PortAllocation.Incremental(13000)
    private val registrationHandler = RegistrationHandler(ROOT_CA)
+
    private lateinit var server: NetworkMapServer
    private lateinit var serverHostAndPort: NetworkHostAndPort

@ -73,72 +77,63 @@ class NodeRegistrationTest {
                portAllocation = portAllocation,
                compatibilityZone = compatibilityZone,
                initialiseSerialization = false,
-                notarySpecs = listOf(NotarySpec(CordaX500Name(organisation = "NotaryService", locality = "Zurich", country = "CH"), validating = false)),
+                notarySpecs = listOf(NotarySpec(CordaX500Name("NotaryService", "Zurich", "CH"), validating = false)),
                extraCordappPackagesToScan = listOf("net.corda.finance"),
                onNetworkParametersGeneration = { server.networkParameters = it }
        ) {
-            val notary = defaultNotaryNode.get()
+            val aliceName = "Alice"
+            val genevieveName = "Genevieve"

-            val ALICE_NAME = "Alice"
-            val GENEVIEVE_NAME = "Genevieve"
-            val nodesFutures = listOf(startNode(providedName = CordaX500Name(ALICE_NAME, "London", "GB")),
-                    startNode(providedName = CordaX500Name(GENEVIEVE_NAME, "London", "GB")))
+            val nodes = listOf(
+                    startNode(providedName = CordaX500Name(aliceName, "London", "GB")),
+                    startNode(providedName = CordaX500Name(genevieveName, "London", "GB")),
+                    defaultNotaryNode
+            ).transpose().getOrThrow()
+            val (alice, genevieve) = nodes

-            val (alice, genevieve) = nodesFutures.transpose().get()
-            val nodes = listOf(alice, genevieve, notary)
-
-            assertThat(registrationHandler.idsPolled).contains(ALICE_NAME, GENEVIEVE_NAME)
+            assertThat(registrationHandler.idsPolled).contains(aliceName, genevieveName)
            // Notary identities are generated beforehand hence notary nodes don't go through registration.
            // This test isn't specifically testing this, or relying on this behavior, though if this check fail,
            // this will probably lead to the rest of the test to fail.
            assertThat(registrationHandler.idsPolled).doesNotContain("NotaryService")

            // Check each node has each other identity in their network map cache.
-            val nodeIdentities = nodes.map { it.nodeInfo.singleIdentity() }
            for (node in nodes) {
-                assertThat(node.rpc.networkMapSnapshot().map { it.singleIdentity() }).containsAll(nodeIdentities)
+                assertThat(node.rpc.networkMapSnapshot()).containsOnlyElementsOf(nodes.map { it.nodeInfo })
            }

            // Check we nodes communicate among themselves (and the notary).
            val anonymous = false
-            genevieve.rpc.startFlow(::CashIssueAndPaymentFlow, 1000.DOLLARS, OpaqueBytes.of(12),
+            genevieve.rpc.startFlow(
+                    ::CashIssueAndPaymentFlow,
+                    1000.DOLLARS,
+                    OpaqueBytes.of(12),
                    alice.nodeInfo.singleIdentity(),
                    anonymous,
-                    notary.nodeInfo.singleIdentity())
-                    .returnValue
-                    .getOrThrow()
+                    defaultNotaryIdentity
+            ).returnValue.getOrThrow()
        }
    }

    @Test
    fun `node registration wrong root cert`() {
-        val someCert = createSelfKeyAndSelfSignedCertificate().certificate.cert
-        val compatibilityZone = CompatibilityZoneParams(URL("http://$serverHostAndPort"), rootCert = someCert)
+        val someRootCert = X509Utilities.createSelfSignedCACertificate(
+                CordaX500Name("Integration Test Corda Node Root CA", "R3 Ltd", "London", "GB"),
+                Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME))
+        val compatibilityZone = CompatibilityZoneParams(URL("http://$serverHostAndPort"), rootCert = someRootCert.cert)
        internalDriver(
                portAllocation = portAllocation,
                notarySpecs = emptyList(),
                compatibilityZone = compatibilityZone,
                initialiseSerialization = false,
-                // Changing the content of the truststore makes the node fail in a number of ways if started out process.
-                startNodesInProcess = true
+                startNodesInProcess = true  // We need to run the nodes in the same process so that we can capture the correct exception
        ) {
            assertThatThrownBy {
                startNode(providedName = CordaX500Name("Alice", "London", "GB")).getOrThrow()
-            }.isInstanceOf(WrongRootCertException::class.java)
+            }.isInstanceOf(CertPathValidatorException::class.java)
        }
    }

-    private fun createSelfKeyAndSelfSignedCertificate(): CertificateAndKeyPair {
-        val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val rootCACert = X509Utilities.createSelfSignedCACertificate(
-                CordaX500Name(
-                        commonName = "Integration Test Corda Node Root CA",
-                        organisation = "R3 Ltd",
-                        locality = "London",
-                        country = "GB"),
-                rootCAKey)
-        return CertificateAndKeyPair(rootCACert, rootCAKey)
-    }
 }

@Path("certificate")
@ -185,13 +180,14 @@ class RegistrationHandler(private val rootCertAndKeyPair: CertificateAndKeyPair)
                                              caCertPath: Array<Certificate>): Pair<CertPath, CordaX500Name> {
        val request = JcaPKCS10CertificationRequest(certificationRequest)
        val name = CordaX500Name.parse(request.subject.toString())
-        val x509CertificateHolder = X509Utilities.createCertificate(CertificateType.NODE_CA,
+        val nodeCaCert = X509Utilities.createCertificate(
+                CertificateType.NODE_CA,
                caCertPath.first().toX509CertHolder(),
                caKeyPair,
                name,
                request.publicKey,
                nameConstraints = null)
-        val certPath = X509CertificateFactory().generateCertPath(x509CertificateHolder.cert, *caCertPath)
+        val certPath = X509CertificateFactory().generateCertPath(nodeCaCert.cert, *caCertPath)
        return Pair(certPath, name)
    }
 }
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@ -59,7 +59,7 @@ import net.corda.node.services.vault.NodeVaultService
 import net.corda.node.services.vault.VaultSoftLockManager
 import net.corda.node.shell.InteractiveShell
 import net.corda.node.utilities.AffinityExecutor
-import net.corda.nodeapi.internal.IdentityGenerator
+import net.corda.nodeapi.internal.DevIdentityGenerator
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.crypto.KeyStoreWrapper
 import net.corda.nodeapi.internal.crypto.X509CertificateFactory
@ -726,10 +726,10 @@ abstract class AbstractNode(val configuration: NodeConfiguration,

        val (id, singleName) = if (notaryConfig == null || !notaryConfig.isClusterConfig) {
            // Node's main identity or if it's a single node notary
-            Pair(IdentityGenerator.NODE_IDENTITY_ALIAS_PREFIX, configuration.myLegalName)
+            Pair(DevIdentityGenerator.NODE_IDENTITY_ALIAS_PREFIX, configuration.myLegalName)
        } else {
            // The node is part of a distributed notary whose identity must already be generated beforehand.
-            Pair(IdentityGenerator.DISTRIBUTED_NOTARY_ALIAS_PREFIX, null)
+            Pair(DevIdentityGenerator.DISTRIBUTED_NOTARY_ALIAS_PREFIX, null)
        }
        // TODO: Integrate with Key management service?
        val privateKeyAlias = "$id-private-key"
--- a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
+++ b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
@ -12,10 +12,10 @@ import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter
 import org.bouncycastle.util.io.pem.PemObject
 import java.io.StringWriter
-import java.nio.file.Path
 import java.security.KeyPair
 import java.security.KeyStore
 import java.security.cert.Certificate
+import java.security.cert.X509Certificate

 /**
 * Helper for managing the node registration process, which checks for any existing certificates and requests them if
@ -32,7 +32,7 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
    // TODO: Use different password for private key.
    private val privateKeyPassword = config.keyStorePassword
    private val trustStore: KeyStore
-    private val rootCert: Certificate
+    private val rootCert: X509Certificate

    init {
        require(config.trustStoreFile.exists()) {
@ -46,7 +46,7 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
                    "This file must contain the root CA cert of your compatibility zone. " +
                    "Please contact your CZ operator."
        }
-        this.rootCert = rootCert
+        this.rootCert = rootCert as X509Certificate
    }

    /**
@ -94,12 +94,8 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
            caKeyStore.save(config.nodeKeystore, keystorePassword)
            println("Node private key and certificate stored in ${config.nodeKeystore}.")

-            // TODO This should actually be using X509Utilities.validateCertificateChain
-            // Check that the root of the signed certificate matches the expected certificate in the truststore.
-            if (rootCert != certificates.last()) {
-                // Assumes certificate chain always starts with client certificate and end with root certificate.
-                throw WrongRootCertException(rootCert, certificates.last(), config.trustStoreFile)
-            }
+            println("Checking root of the certificate path is what we expect.")
+            X509Utilities.validateCertificateChain(rootCert, *certificates)

            println("Generating SSL certificate for node messaging service.")
            val sslKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
@ -169,17 +165,3 @@ class NetworkRegistrationHelper(private val config: NodeConfiguration, private v
        }
    }
 }
-
-/**
- * Exception thrown when the doorman root certificate doesn't match the expected (out-of-band) root certificate.
- * This usually means that there has been a Man-in-the-middle attack when contacting the doorman.
- */
-class WrongRootCertException(expected: Certificate,
-                             actual: Certificate,
-                             expectedFilePath: Path):
-        Exception("""
-            The Root CA returned back from the registration process does not match the expected Root CA
-            expected: $expected
-            actual: $actual
-            the expected certificate is stored in: $expectedFilePath with alias $CORDA_ROOT_CA
-            """.trimMargin())
--- a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
+++ b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
@ -14,12 +14,14 @@ import net.corda.core.internal.createDirectories
 import net.corda.node.services.config.NodeConfiguration
 import net.corda.nodeapi.internal.crypto.*
 import net.corda.testing.ALICE_NAME
+import net.corda.testing.internal.createDevNodeCaCertPath
 import net.corda.testing.internal.rigorousMock
 import org.assertj.core.api.Assertions.assertThat
 import org.assertj.core.api.Assertions.assertThatThrownBy
 import org.junit.After
 import org.junit.Before
 import org.junit.Test
+import java.security.cert.CertPathValidatorException
 import java.security.cert.Certificate
 import java.security.cert.X509Certificate
 import kotlin.test.assertFalse
@ -29,16 +31,19 @@ class NetworkRegistrationHelperTest {
    private val fs = Jimfs.newFileSystem(unix())
    private val requestId = SecureHash.randomSHA256().toString()
    private val nodeLegalName = ALICE_NAME
-    private val intermediateCaName = CordaX500Name("CORDA_INTERMEDIATE_CA", "R3 Ltd", "London", "GB")
-    private val rootCaName = CordaX500Name("CORDA_ROOT_CA", "R3 Ltd", "London", "GB")
-    private val nodeCaCert = createCaCert(nodeLegalName)
-    private val intermediateCaCert = createCaCert(intermediateCaName)
-    private val rootCaCert = createCaCert(rootCaName)

+    private lateinit var rootCaCert: X509Certificate
+    private lateinit var intermediateCaCert: X509Certificate
+    private lateinit var nodeCaCert: X509Certificate
    private lateinit var config: NodeConfiguration

    @Before
    fun init() {
+        val (rootCa, intermediateCa, nodeCa) = createDevNodeCaCertPath(nodeLegalName)
+        this.rootCaCert = rootCa.certificate.cert
+        this.intermediateCaCert = intermediateCa.certificate.cert
+        this.nodeCaCert = nodeCa.certificate.cert
+
        val baseDirectory = fs.getPath("/baseDir").createDirectories()
        abstract class AbstractNodeConfiguration : NodeConfiguration
        config = rigorousMock<AbstractNodeConfiguration>().also {
@ -108,11 +113,13 @@ class NetworkRegistrationHelperTest {

    @Test
    fun `wrong root cert in truststore`() {
-        saveTrustStoreWithRootCa(createCaCert(CordaX500Name("Foo", "MU", "GB")))
+        val rootKeyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
+        val rootCert = X509Utilities.createSelfSignedCACertificate(CordaX500Name("Foo", "MU", "GB"), rootKeyPair)
+        saveTrustStoreWithRootCa(rootCert.cert)
        val registrationHelper = createRegistrationHelper()
        assertThatThrownBy {
            registrationHelper.buildKeystore()
-        }.isInstanceOf(WrongRootCertException::class.java)
+        }.isInstanceOf(CertPathValidatorException::class.java)
    }

    private fun createRegistrationHelper(): NetworkRegistrationHelper {
@ -123,15 +130,11 @@ class NetworkRegistrationHelperTest {
        return NetworkRegistrationHelper(config, certService)
    }

-    private fun saveTrustStoreWithRootCa(rootCa: X509Certificate) {
-        config.trustStoreFile.parent.createDirectories()
+    private fun saveTrustStoreWithRootCa(rootCert: X509Certificate) {
+        config.certificatesDirectory.createDirectories()
        loadOrCreateKeyStore(config.trustStoreFile, config.trustStorePassword).also {
-            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, rootCa)
+            it.addOrReplaceCertificate(X509Utilities.CORDA_ROOT_CA, rootCert)
            it.save(config.trustStoreFile, config.trustStorePassword)
        }
    }
-
-    private fun createCaCert(name: CordaX500Name): X509Certificate {
-        return X509Utilities.createSelfSignedCACertificate(name, Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)).cert
-    }
 }