diff --git a/doorman/src/main/kotlin/com/r3/corda/doorman/DoormanWebService.kt b/doorman/src/main/kotlin/com/r3/corda/doorman/DoormanWebService.kt
index adc9a29764..f81783e4bf 100644
--- a/doorman/src/main/kotlin/com/r3/corda/doorman/DoormanWebService.kt
+++ b/doorman/src/main/kotlin/com/r3/corda/doorman/DoormanWebService.kt
@@ -3,7 +3,7 @@ package com.r3.corda.doorman
 import com.r3.corda.doorman.persistence.CertificateResponse
 import com.r3.corda.doorman.persistence.CertificationRequestData
 import com.r3.corda.doorman.persistence.CertificationRequestStorage
-import net.corda.core.utilities.CertificateAndKeyPair
+import net.corda.node.utilities.CertificateAndKeyPair
 import net.corda.node.utilities.X509Utilities.CORDA_CLIENT_CA
 import net.corda.node.utilities.X509Utilities.CORDA_INTERMEDIATE_CA
 import net.corda.node.utilities.X509Utilities.CORDA_ROOT_CA
diff --git a/doorman/src/main/kotlin/com/r3/corda/doorman/Main.kt b/doorman/src/main/kotlin/com/r3/corda/doorman/Main.kt
index a85aff8664..2b6e7e6018 100644
--- a/doorman/src/main/kotlin/com/r3/corda/doorman/Main.kt
+++ b/doorman/src/main/kotlin/com/r3/corda/doorman/Main.kt
@@ -8,11 +8,10 @@ import com.r3.corda.doorman.persistence.DBCertificateRequestStorage
 import com.r3.corda.doorman.persistence.DoormanSchemaService
 import com.r3.corda.doorman.persistence.JiraCertificateRequestStorage
 import net.corda.core.crypto.Crypto
+import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.createDirectories
-import net.corda.core.utilities.CertificateAndKeyPair
 import net.corda.core.utilities.loggerFor
 import net.corda.core.utilities.seconds
-import net.corda.core.utilities.withCommonName
 import net.corda.node.utilities.*
 import net.corda.node.utilities.X509Utilities.CORDA_INTERMEDIATE_CA
 import net.corda.node.utilities.X509Utilities.CORDA_ROOT_CA
@@ -89,11 +88,11 @@ class DoormanServer(webServerAddr: HostAndPort, val caCertAndKey: CertificateAnd
 // please see [sun.security.x509.X500Name.isWithinSubtree()] for more information.
 // We assume all attributes in the subject name has been checked prior approval.
 // TODO: add validation to subject name.
- val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, request.subject.withCommonName(null)))), arrayOf())
+ val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, CordaX500Name.build(request.subject).copy(commonName = null).x500Name))), arrayOf())
 createCertificate(CertificateType.CLIENT_CA, caCertAndKey.certificate, caCertAndKey.keyPair,
- request.subject.withCommonName(X509Utilities.CORDA_CLIENT_CA_CN),
+ CordaX500Name.build(request.subject).copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),
 request.publicKey,
 nameConstraints = nameConstraints).toX509Certificate()
 }
diff --git a/doorman/src/main/kotlin/com/r3/corda/doorman/persistence/DBCertificateRequestStorage.kt b/doorman/src/main/kotlin/com/r3/corda/doorman/persistence/DBCertificateRequestStorage.kt
index e75b33f76d..b66ca7dbf0 100644
--- a/doorman/src/main/kotlin/com/r3/corda/doorman/persistence/DBCertificateRequestStorage.kt
+++ b/doorman/src/main/kotlin/com/r3/corda/doorman/persistence/DBCertificateRequestStorage.kt
@@ -2,8 +2,7 @@ package com.r3.corda.doorman.persistence
 import com.r3.corda.doorman.CertificateUtilities
 import net.corda.core.crypto.SecureHash
-import net.corda.core.utilities.validateX500Name
-import net.corda.core.utilities.withCommonName
+import net.corda.core.identity.CordaX500Name
 import net.corda.node.utilities.CordaPersistence
 import org.bouncycastle.pkcs.PKCS10CertificationRequest
 import java.security.cert.Certificate
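Review bot: `CordaX500Name.build(request.subject)` is now evaluated twice in this hunk, once for the name constraint and once for the certificate subject, so the parse (which the same commit's comment in DBCertificateRequestStorage says throws IllegalArgumentException on a malformed subject) runs and can fail in two separate places. Hoist it once above the constraint, `val subjectName = CordaX500Name.build(request.subject)`, then use `GeneralName(GeneralName.directoryName, subjectName.copy(commonName = null).x500Name)` and `subjectName.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN),`. The `// TODO: add validation to subject name.` line above now reads as stale, since build() already rejects unparseable names; it would be clearer to state which attribute checks beyond parsing are still expected before a subtree is granted in the name constraint, since the preceding comment says those are assumed to have happened earlier. The enclosing function begins outside the hunk.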
@@ -50,30 +49,31 @@ class DBCertificateRequestStorage(private val database: CordaPersistence) : Cert
 )
 override fun saveRequest(certificationData: CertificationRequestData): String {
- val legalName = certificationData.request.subject.withCommonName(null)
 val requestId = SecureHash.randomSHA256().toString()
- database.transaction {
- val query = session.criteriaBuilder.run {
- val criteriaQuery = createQuery(CertificateSigningRequest::class.java)
- criteriaQuery.from(CertificateSigningRequest::class.java).run {
- val nameEq = equal(get(CertificateSigningRequest::legalName.name), legalName.toString())
- val certNotNull = isNotNull(get(CertificateSigningRequest::certificate.name))
- val processTimeIsNull = isNull(get(CertificateSigningRequest::processTimestamp.name))
- criteriaQuery.where(and(nameEq, or(certNotNull, processTimeIsNull)))
- }
- }
- val duplicate = session.createQuery(query).resultList.isNotEmpty()
- val rejectReason = if (duplicate) {
- "Duplicate legal name"
- } else {
- try {
- validateX500Name(legalName)
- null
- } catch (e: IllegalArgumentException) {
- "Name validation failed with exception : ${e.message}"
- }
- }
+ database.transaction {
+ val (legalName, rejectReason) = try {
+ // This will fail with IllegalArgumentException if subject name is malformed.
+ val legalName = CordaX500Name.build(certificationData.request.subject).copy(commonName = null)
+ // Checks database for duplicate name.
+ val query = session.criteriaBuilder.run {
+ val criteriaQuery = createQuery(CertificateSigningRequest::class.java)
+ criteriaQuery.from(CertificateSigningRequest::class.java).run {
+ val nameEq = equal(get(CertificateSigningRequest::legalName.name), legalName.toString())
+ val certNotNull = isNotNull(get(CertificateSigningRequest::certificate.name))
+ val processTimeIsNull = isNull(get(CertificateSigningRequest::processTimestamp.name))
+ criteriaQuery.where(and(nameEq, or(certNotNull, processTimeIsNull)))
+ }
+ }
+ val duplicate = session.createQuery(query).resultList.isNotEmpty()
+ if (duplicate) {
+ Pair(legalName.x500Name, "Duplicate legal name")
+ } else {
+ Pair(legalName.x500Name, null)
+ }
+ } catch (e: IllegalArgumentException) {
+ Pair(certificationData.request.subject, "Name validation failed with exception : ${e.message}")
+ }
 val now = Instant.now()
 val request = CertificateSigningRequest(
 requestId,
diff --git a/doorman/src/test/kotlin/com/r3/corda/doorman/DoormanServiceTest.kt b/doorman/src/test/kotlin/com/r3/corda/doorman/DoormanServiceTest.kt
index 37da1fc9e6..b6cc2a4959 100644
--- a/doorman/src/test/kotlin/com/r3/corda/doorman/DoormanServiceTest.kt
+++ b/doorman/src/test/kotlin/com/r3/corda/doorman/DoormanServiceTest.kt
@@ -7,7 +7,7 @@ import com.r3.corda.doorman.persistence.CertificationRequestData
 import com.r3.corda.doorman.persistence.CertificationRequestStorage
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SecureHash
-import net.corda.core.utilities.CertificateAndKeyPair
+import net.corda.node.utilities.CertificateAndKeyPair
 import net.corda.node.utilities.CertificateStream
 import net.corda.node.utilities.CertificateType
 import net.corda.node.utilities.X509Utilities
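Review bot: The new `try` wraps the criteria query and `session.createQuery(query).resultList` as well as the parse, so an IllegalArgumentException coming out of the persistence layer (JPA criteria code can raise one for a bad attribute path or argument) would be recorded as `"Name validation failed with exception : ..."` and the request quietly rejected with a wrong reason instead of failing the transaction; the commit's own comment says only `CordaX500Name.build(...)` is expected to fail that way, so only that call should be guarded. A second point to confirm: the duplicate query compares the column with `legalName.toString()` of the CordaX500Name, while the value handed on through the Pair is `legalName.x500Name`, an X500Name, so if the two render the name differently from what the CertificateSigningRequest constructor (outside the hunk) stores, earlier requests will never match and the duplicate check is silently ineffective. The rewrite below narrows the try to the parse and keeps the lookup outside it; the `database.transaction` lambda and the function continue past the hunk.
```kotlin
    override fun saveRequest(certificationData: CertificationRequestData): String {
        val requestId = SecureHash.randomSHA256().toString()
        database.transaction {
            // Only the parse is guarded: CordaX500Name.build() rejects a malformed subject with IllegalArgumentException.
            val (parsedName, parseError) = try {
                Pair(CordaX500Name.build(certificationData.request.subject).copy(commonName = null), null)
            } catch (e: IllegalArgumentException) {
                Pair(null, "Name validation failed with exception : ${e.message}")
            }
            // A malformed subject is kept as received, matching the hunk's catch branch.
            val legalName = parsedName?.x500Name ?: certificationData.request.subject
            val rejectReason = when {
                parsedName == null -> parseError
                else -> {
                    // The duplicate lookup sits outside the try so a persistence failure is not reported as a name error.
                    val query = session.criteriaBuilder.run {
                        // … unchanged: criteria query on CertificateSigningRequest, comparing parsedName.toString() …
                    }
                    if (session.createQuery(query).resultList.isNotEmpty()) "Duplicate legal name" else null
                }
            }
            // … unchanged: val now = Instant.now(); CertificateSigningRequest(requestId, …) …
```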