Add certificate subject name check on node startup (#897)

* Add certificate subject name check on node startup * address PR issues
2025-05-28 21:24:24 +00:00 · 2017-07-05 15:34:04 +01:00 · 2017-07-05 15:34:04 +01:00 · 4e355ba95e
commit 4e355ba95e
parent 9e563f9b98
1 changed files with 21 additions and 15 deletions
--- a/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
@ -165,12 +165,7 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
            log.warn("Corda node is running in dev mode.")
            configuration.configureWithDevSSLCertificate()
        }
-        require(hasSSLCertificates()) {
-            "Identity certificate not found. " +
-                    "Please either copy your existing identity key and certificate from another node, " +
-                    "or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
-                    "Read more at: https://docs.corda.net/permissioning.html"
-        }
+        validateKeystore()

        log.info("Node starting up ...")

@ -520,19 +515,30 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
    @VisibleForTesting
    protected open fun acceptableLiveFiberCountOnStop(): Int = 0

-    private fun hasSSLCertificates(): Boolean {
-        val (sslKeystore, keystore) = try {
+    private fun validateKeystore() {
+        val containCorrectKeys = try {
            // This will throw IOException if key file not found or KeyStoreException if keystore password is incorrect.
-            Pair(
-                    KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword),
-                    KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword))
-        } catch (e: IOException) {
-            return false
+            val sslKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
+            val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword)
+            sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && identitiesKeystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
        } catch (e: KeyStoreException) {
            log.warn("Certificate key store found but key store password does not match configuration.")
-            return false
+            false
+        } catch (e: IOException) {
+            false
+        }
+        require(containCorrectKeys) {
+            "Identity certificate not found. " +
+                    "Please either copy your existing identity key and certificate from another node, " +
+                    "or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
+                    "Read more at: https://docs.corda.net/permissioning.html"
+        }
+        val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
+        val tlsIdentity = identitiesKeystore.getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subject
+
+        require(tlsIdentity == configuration.myLegalName) {
+            "Expected '${configuration.myLegalName}' but got '$tlsIdentity' from the keystore."
        }
-        return sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && keystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
    }

    // Specific class so that MockNode can catch it.