ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-05-08 19:48:11 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Add certificate subject name check on node startup (#897)

Browse Source 
* Add certificate subject name check on node startup

* address PR issues
This commit is contained in:
Patrick Kuo 2017-07-05 15:34:04 +01:00 committed by GitHub
parent 9e563f9b98
commit 4e355ba95e
1 changed files with 21 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
node/src/main/kotlin/net/corda/node/internal/AbstractNode.kt
View File

@ -165,12 +165,7 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
log.warn("Corda node is running in dev mode.") log.warn("Corda node is running in dev mode.")
configuration.configureWithDevSSLCertificate() configuration.configureWithDevSSLCertificate()
} }
require(hasSSLCertificates()) { validateKeystore()
"Identity certificate not found. " +
"Please either copy your existing identity key and certificate from another node, " +
"or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
"Read more at: https://docs.corda.net/permissioning.html"
}
log.info("Node starting up ...") log.info("Node starting up ...")
@ -520,19 +515,30 @@ abstract class AbstractNode(open val configuration: NodeConfiguration,
@VisibleForTesting @VisibleForTesting
protected open fun acceptableLiveFiberCountOnStop(): Int = 0 protected open fun acceptableLiveFiberCountOnStop(): Int = 0
private fun hasSSLCertificates(): Boolean { private fun validateKeystore() {
val (sslKeystore, keystore) = try { val containCorrectKeys = try {
// This will throw IOException if key file not found or KeyStoreException if keystore password is incorrect. // This will throw IOException if key file not found or KeyStoreException if keystore password is incorrect.
Pair( val sslKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword), val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword)
KeyStoreUtilities.loadKeyStore(configuration.nodeKeystore, configuration.keyStorePassword)) sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && identitiesKeystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
} catch (e: IOException) {
return false
} catch (e: KeyStoreException) { } catch (e: KeyStoreException) {
log.warn("Certificate key store found but key store password does not match configuration.") log.warn("Certificate key store found but key store password does not match configuration.")
return false false
} catch (e: IOException) {
false
}
require(containCorrectKeys) {
"Identity certificate not found. " +
"Please either copy your existing identity key and certificate from another node, " +
"or if you don't have one yet, fill out the config file and run corda.jar --initial-registration. " +
"Read more at: https://docs.corda.net/permissioning.html"
}
val identitiesKeystore = KeyStoreUtilities.loadKeyStore(configuration.sslKeystore, configuration.keyStorePassword)
val tlsIdentity = identitiesKeystore.getX509Certificate(X509Utilities.CORDA_CLIENT_TLS).subject
require(tlsIdentity == configuration.myLegalName) {
"Expected '${configuration.myLegalName}' but got '$tlsIdentity' from the keystore."
} }
return sslKeystore.containsAlias(X509Utilities.CORDA_CLIENT_TLS) && keystore.containsAlias(X509Utilities.CORDA_CLIENT_CA)
} }
// Specific class so that MockNode can catch it. // Specific class so that MockNode can catch it.