New module containing Certificate signing server for signing Corda node SSL certificate

2025-01-01 02:36:44 +00:00 · 2016-09-21 10:33:55 +01:00 · 2016-09-21 10:33:55 +01:00 · 5202def6d9
commit 5202def6d9
parent a5774adba1
8 changed files with 422 additions and 1 deletions
--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@ -24,9 +24,15 @@
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated.iml" filepath="$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated.iml" group="contracts/isolated" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated_main.iml" filepath="$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated_main.iml" group="contracts/isolated" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated_test.iml" filepath="$PROJECT_DIR$/.idea/modules/contracts/isolated/isolated_test.iml" group="contracts/isolated" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/netPermission/netpermission.iml" filepath="$PROJECT_DIR$/.idea/modules/netPermission/netpermission.iml" group="netpermission" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/netPermission/netpermission_main.iml" filepath="$PROJECT_DIR$/.idea/modules/netPermission/netpermission_main.iml" group="netpermission" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/netPermission/netpermission_test.iml" filepath="$PROJECT_DIR$/.idea/modules/netPermission/netpermission_test.iml" group="netpermission" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-explorer/network-explorer_main.iml" filepath="$PROJECT_DIR$/.idea/modules/network-explorer/network-explorer_main.iml" group="network-explorer" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-explorer/network-explorer_test.iml" filepath="$PROJECT_DIR$/.idea/modules/network-explorer/network-explorer_test.iml" group="network-explorer" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-explorer/network-map-visualiser.iml" filepath="$PROJECT_DIR$/.idea/modules/network-explorer/network-map-visualiser.iml" group="network-explorer" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator.iml" filepath="$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator.iml" group="network-simulator" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator_main.iml" filepath="$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator_main.iml" group="network-simulator" />
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator_test.iml" filepath="$PROJECT_DIR$/.idea/modules/network-simulator/network-simulator_test.iml" group="network-simulator" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/node/node.iml" filepath="$PROJECT_DIR$/.idea/modules/node/node.iml" group="node" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/node/node_integrationTest.iml" filepath="$PROJECT_DIR$/.idea/modules/node/node_integrationTest.iml" group="node" />
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/node/node_main.iml" filepath="$PROJECT_DIR$/.idea/modules/node/node_main.iml" group="node" />
@ -40,4 +46,4 @@
      <module fileurl="file://$PROJECT_DIR$/.idea/modules/test-utils/test-utils_test.iml" filepath="$PROJECT_DIR$/.idea/modules/test-utils/test-utils_test.iml" group="test-utils" />
    </modules>
  </component>
-</project>
+</project>
--- a/netpermission/build.gradle
+++ b/netpermission/build.gradle
@ -0,0 +1,53 @@
+apply plugin: 'us.kirchmeier.capsule'
+apply plugin: 'kotlin'
+
+repositories {
+    mavenLocal()
+    mavenCentral()
+    maven {
+        url 'http://oss.sonatype.org/content/repositories/snapshots'
+    }
+    jcenter()
+    maven {
+        url 'https://dl.bintray.com/kotlin/exposed'
+    }
+}
+
+task buildCertSignerJAR(type: FatCapsule, dependsOn: 'jar') {
+    applicationClass 'com.r3corda.netpermission.MainKt'
+    archiveName 'certSigner.jar'
+
+    capsuleManifest {
+        systemProperties['log4j.configuration'] = 'log4j2.xml'
+        minJavaVersion = '1.8.0'
+    }
+}
+
+dependencies {
+    compile "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
+
+    compile project(":core")
+
+    // Log4J: logging framework (with SLF4J bindings)
+    compile "org.apache.logging.log4j:log4j-slf4j-impl:${log4j_version}"
+    compile "org.apache.logging.log4j:log4j-core:${log4j_version}"
+    compile "org.apache.logging.log4j:log4j-web:${log4j_version}"
+
+    // Web stuff: for HTTP[S] servlets
+    compile "org.eclipse.jetty:jetty-servlet:${jetty_version}"
+    compile "org.eclipse.jetty:jetty-webapp:${jetty_version}"
+    compile "javax.servlet:javax.servlet-api:3.1.0"
+
+    // Jersey for JAX-RS implementation for use in Jetty
+    compile "org.glassfish.jersey.core:jersey-server:${jersey_version}"
+    compile "org.glassfish.jersey.containers:jersey-container-servlet-core:${jersey_version}"
+    compile "org.glassfish.jersey.containers:jersey-container-jetty-http:${jersey_version}"
+
+    // JOpt: for command line flags.
+    compile "net.sf.jopt-simple:jopt-simple:5.0.2"
+
+    // Unit testing helpers.
+    testCompile 'junit:junit:4.12'
+    testCompile "org.assertj:assertj-core:${assertj_version}"
+    testCompile "com.nhaarman:mockito-kotlin:0.6.1"
+}
--- a/netpermission/src/main/kotlin/com/r3corda/netpermission/Main.kt
+++ b/netpermission/src/main/kotlin/com/r3corda/netpermission/Main.kt
@ -0,0 +1,108 @@
+package com.r3corda.netpermission
+
+import com.google.common.net.HostAndPort
+import com.r3corda.core.crypto.X509Utilities
+import com.r3corda.core.utilities.LogHelper
+import com.r3corda.core.utilities.loggerFor
+import com.r3corda.netpermission.internal.CertificateSigningService
+import com.r3corda.netpermission.internal.persistence.InMemoryCertificationRequestStorage
+import joptsimple.OptionParser
+import org.eclipse.jetty.server.Server
+import org.eclipse.jetty.server.ServerConnector
+import org.eclipse.jetty.server.handler.HandlerCollection
+import org.eclipse.jetty.servlet.ServletContextHandler
+import org.eclipse.jetty.servlet.ServletHolder
+import org.glassfish.jersey.server.ResourceConfig
+import org.glassfish.jersey.servlet.ServletContainer
+import java.io.Closeable
+import java.net.InetSocketAddress
+import java.nio.file.Paths
+import kotlin.system.exitProcess
+
+/**
+ *  CertificateSigningServer runs on Jetty server and provide certificate signing service via http.
+ *  The server will require keystorePath, keystore password and key password via command line input.
+ *  The Intermediate CA certificate,Intermediate CA private key and Root CA Certificate should use alias name specified in [X509Utilities]
+ */
+class CertificateSigningServer(val webServerAddr: HostAndPort, val certSigningService: CertificateSigningService) : Closeable {
+    companion object {
+        val log = loggerFor<CertificateSigningServer>()
+        fun Server.hostAndPort(): HostAndPort {
+            val connector = server.connectors.first() as ServerConnector
+            return HostAndPort.fromParts(connector.host, connector.localPort)
+        }
+    }
+
+    val server: Server = initWebServer()
+
+    override fun close() {
+        log.info("Shutting down CertificateSigningService...")
+        server.stop()
+    }
+
+    private fun initWebServer(): Server {
+        return Server(InetSocketAddress(webServerAddr.hostText, webServerAddr.port)).apply {
+            log.info("Starting CertificateSigningService...")
+            handler = HandlerCollection().apply {
+                addHandler(buildServletContextHandler())
+            }
+            start()
+            log.info("CertificateSigningService started on ${server.hostAndPort()}")
+        }
+    }
+
+    private fun buildServletContextHandler(): ServletContextHandler {
+        return ServletContextHandler().apply {
+            contextPath = "/"
+            val resourceConfig = ResourceConfig().apply {
+                // Add your API provider classes (annotated for JAX-RS) here
+                register(certSigningService)
+            }
+            val jerseyServlet = ServletHolder(ServletContainer(resourceConfig)).apply {
+                initOrder = 0  // Initialise at server start
+            }
+            addServlet(jerseyServlet, "/api/*")
+        }
+    }
+}
+
+object ParamsSpec {
+    val parser = OptionParser()
+    val host = parser.accepts("host", "The hostname permissioning server will be running on.")
+            .withRequiredArg().defaultsTo("localhost")
+    val port = parser.accepts("port", "The port number permissioning server will be running on.")
+            .withRequiredArg().ofType(Int::class.java).defaultsTo(0)
+    val keystorePath = parser.accepts("keystore", "The path to the keyStore containing and root certificate, intermediate CA certificate and private key.")
+            .withRequiredArg().required()
+    val storePassword = parser.accepts("storePassword", "Keystore's password.")
+            .withRequiredArg().required()
+    val caKeyPassword = parser.accepts("caKeyPassword", "Intermediate CA private key password.")
+            .withRequiredArg().required()
+}
+
+fun main(args: Array<String>) {
+    LogHelper.setLevel(CertificateSigningServer::class)
+    val log = CertificateSigningServer.log
+    log.info("Starting certificate signing server.")
+    try {
+        ParamsSpec.parser.parse(*args)
+    } catch (ex: Exception) {
+        log.error("Unable to parse args", ex)
+        ParamsSpec.parser.printHelpOn(System.out)
+        exitProcess(1)
+    }.run {
+        // Load keystore from input path, default to Dev keystore from jar resource if path not defined.
+        val storePassword = valueOf(ParamsSpec.storePassword)
+        val keyPassword = valueOf(ParamsSpec.caKeyPassword)
+        val keystore = X509Utilities.loadKeyStore(Paths.get(valueOf(ParamsSpec.keystorePath)).normalize(), storePassword)
+        val intermediateCACertAndKey = X509Utilities.loadCertificateAndKey(keystore, keyPassword, X509Utilities.CORDA_INTERMEDIATE_CA_PRIVATE_KEY)
+        val rootCA = keystore.getCertificate(X509Utilities.CORDA_ROOT_CA_PRIVATE_KEY)
+
+        // TODO: Create a proper request storage using database or other storage technology.
+        val service = CertificateSigningService(intermediateCACertAndKey, rootCA, InMemoryCertificationRequestStorage())
+
+        CertificateSigningServer(HostAndPort.fromParts(valueOf(ParamsSpec.host), valueOf(ParamsSpec.port)), service).use {
+            it.server.join()
+        }
+    }
+}
--- a/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/CertificateSigningService.kt
+++ b/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/CertificateSigningService.kt
@ -0,0 +1,86 @@
+package com.r3corda.netpermission.internal
+
+import com.r3corda.core.crypto.X509Utilities
+import com.r3corda.core.crypto.X509Utilities.CORDA_CLIENT_CA
+import com.r3corda.core.crypto.X509Utilities.CORDA_INTERMEDIATE_CA
+import com.r3corda.core.crypto.X509Utilities.CORDA_ROOT_CA
+import com.r3corda.netpermission.internal.persistence.CertificationData
+import com.r3corda.netpermission.internal.persistence.CertificationRequestStorage
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest
+import java.io.ByteArrayOutputStream
+import java.io.InputStream
+import java.security.cert.Certificate
+import java.util.zip.ZipEntry
+import java.util.zip.ZipOutputStream
+import javax.servlet.http.HttpServletRequest
+import javax.ws.rs.*
+import javax.ws.rs.core.Context
+import javax.ws.rs.core.MediaType
+import javax.ws.rs.core.Response
+import javax.ws.rs.core.Response.noContent
+import javax.ws.rs.core.Response.ok
+
+/**
+ * Provides functionality for asynchronous submission of certificate signing requests and retrieval of the results.
+ */
+@Path("")
+class CertificateSigningService(val intermediateCACertAndKey: X509Utilities.CACertAndKey, val rootCert: Certificate, val storage: CertificationRequestStorage) {
+    @Context lateinit var request: HttpServletRequest
+    /**
+     * Accept stream of [PKCS10CertificationRequest] from user and persists in [CertificationRequestStorage] for approval.
+     * Server returns HTTP 200 response with random generated request Id after request has been persisted.
+     */
+    @POST
+    @Path("certificate")
+    @Consumes(MediaType.APPLICATION_OCTET_STREAM)
+    @Produces(MediaType.TEXT_PLAIN)
+    fun submitRequest(input: InputStream): Response {
+        val certificationRequest = input.use {
+            JcaPKCS10CertificationRequest(it.readBytes())
+        }
+        // TODO: Certificate signing request verifications.
+        // TODO: Use jira api / slack bot to semi automate the approval process?
+        // TODO: Acknowledge to user we have received the request via email?
+        val requestId = storage.saveRequest(CertificationData(request.remoteHost, request.remoteAddr, certificationRequest))
+        return ok(requestId).build()
+    }
+
+    /**
+     * Retrieve Certificate signing request from storage using the [requestId] and create a signed certificate if request has been approved.
+     * Returns HTTP 200 with DER encoded signed certificates if request has been approved else HTTP 204 No content
+     */
+    @GET
+    @Path("certificate/{var}")
+    @Produces(MediaType.APPLICATION_OCTET_STREAM)
+    fun retrieveCert(@PathParam("var") requestId: String): Response {
+        val data = storage.getApprovedRequest(requestId)
+        return if (data != null) {
+            val clientCert = storage.getOrElseCreateCertificate(requestId) {
+                JcaPKCS10CertificationRequest(data.request).run {
+                    X509Utilities.createServerCert(subject, publicKey, intermediateCACertAndKey,
+                            if (data.ipAddr == data.hostName) listOf() else listOf(data.hostName), listOf(data.ipAddr))
+                }
+            }
+            // Write certificate chain to a zip stream and extract the bit array output.
+            ByteArrayOutputStream().use {
+                ZipOutputStream(it).use {
+                    zipStream ->
+                    // Client certificate must come first and root certificate should come last.
+                    mapOf(CORDA_CLIENT_CA to clientCert,
+                            CORDA_INTERMEDIATE_CA to intermediateCACertAndKey.certificate,
+                            CORDA_ROOT_CA to rootCert).forEach {
+                        zipStream.putNextEntry(ZipEntry("${it.key}.cer"))
+                        zipStream.write(it.value.encoded)
+                        zipStream.setComment(it.key)
+                        zipStream.closeEntry()
+                    }
+                }
+                ok(it.toByteArray())
+                        .type("application/zip")
+                        .header("Content-Disposition", "attachment; filename=\"certificates.zip\"")
+            }
+        } else {
+            noContent()
+        }.build()
+    }
+}
--- a/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/persistence/CertificationRequestStorage.kt
+++ b/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/persistence/CertificationRequestStorage.kt
@ -0,0 +1,27 @@
+package com.r3corda.netpermission.internal.persistence
+
+import org.bouncycastle.pkcs.PKCS10CertificationRequest
+import java.security.cert.Certificate
+/**
+ *  Provide certificate signing request storage for the certificate signing server.
+ */
+interface CertificationRequestStorage {
+    /**
+     * Persist [certificationData] in storage for further approval, returns randomly generated request ID.
+     */
+    fun saveRequest(certificationData: CertificationData): String
+
+    /**
+     * Retrieve approved certificate singing request and Host/IP information using [requestId].
+     * Returns [CertificationData] if request has been approved, else returns null.
+     */
+    fun getApprovedRequest(requestId: String): CertificationData?
+
+    /**
+     * Retrieve client certificate with provided [requestId].
+     * Generate new certificate and store in storage using provided [certificateGenerator] if certificate does not exist.
+     */
+    fun getOrElseCreateCertificate(requestId: String, certificateGenerator: () -> Certificate): Certificate
+}
+
+data class CertificationData(val hostName: String, val ipAddr: String, val request: PKCS10CertificationRequest)
--- a/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/persistence/InMemoryCertificationRequestStorage.kt
+++ b/netpermission/src/main/kotlin/com/r3corda/netpermission/internal/persistence/InMemoryCertificationRequestStorage.kt
@ -0,0 +1,24 @@
+package com.r3corda.netpermission.internal.persistence
+
+import com.r3corda.core.crypto.SecureHash
+import java.security.cert.Certificate
+import java.util.*
+
+class InMemoryCertificationRequestStorage : CertificationRequestStorage {
+    val requestStore = HashMap<String, CertificationData>()
+    val certificateStore = HashMap<String, Certificate>()
+
+    override fun getOrElseCreateCertificate(requestId: String, certificateGenerator: () -> Certificate): Certificate {
+        return certificateStore.getOrPut(requestId, certificateGenerator)
+    }
+
+    override fun getApprovedRequest(requestId: String): CertificationData? {
+        return requestStore[requestId]
+    }
+
+    override fun saveRequest(certificationData: CertificationData): String {
+        val requestId = SecureHash.randomSHA256().toString()
+        requestStore.put(requestId, certificationData)
+        return requestId
+    }
+}
--- a/netpermission/src/test/kotlin/com/r3corda/netpermission/CertificateSigningServiceTest.kt
+++ b/netpermission/src/test/kotlin/com/r3corda/netpermission/CertificateSigningServiceTest.kt
@ -0,0 +1,116 @@
+package com.r3corda.netpermission
+
+import com.google.common.net.HostAndPort
+import com.nhaarman.mockito_kotlin.*
+import com.r3corda.core.crypto.SecureHash
+import com.r3corda.core.crypto.X509Utilities
+import com.r3corda.core.seconds
+import com.r3corda.netpermission.CertificateSigningServer.Companion.hostAndPort
+import com.r3corda.netpermission.internal.CertificateSigningService
+import com.r3corda.netpermission.internal.persistence.CertificationData
+import com.r3corda.netpermission.internal.persistence.CertificationRequestStorage
+import org.junit.Test
+import sun.security.x509.X500Name
+import java.io.IOException
+import java.net.HttpURLConnection
+import java.net.URL
+import java.security.cert.Certificate
+import java.security.cert.CertificateFactory
+import java.security.cert.X509Certificate
+import java.util.*
+import java.util.zip.ZipInputStream
+import kotlin.test.assertEquals
+
+class CertificateSigningServiceTest {
+    private fun getSigningServer(storage: CertificationRequestStorage): CertificateSigningServer {
+        val rootCA = X509Utilities.createSelfSignedCACert("Corda Node Root CA")
+        val intermediateCA = X509Utilities.createSelfSignedCACert("Corda Node Intermediate CA")
+        return CertificateSigningServer(HostAndPort.fromParts("localhost", 0), CertificateSigningService(intermediateCA, rootCA.certificate, storage))
+    }
+
+    @Test
+    fun testSubmitRequest() {
+        val id = SecureHash.randomSHA256().toString()
+
+        val storage: CertificationRequestStorage = mock {
+            on { saveRequest(any()) }.then { id }
+        }
+
+        getSigningServer(storage).use {
+            val keyPair = X509Utilities.generateECDSAKeyPairForSSL()
+            val request = X509Utilities.createCertificateSigningRequest("Test", "London", "admin@test.com", keyPair)
+            // Post request to signing server via http.
+            val submitRequest = {
+                val conn = URL("http://${it.server.hostAndPort()}/api/certificate").openConnection() as HttpURLConnection
+                conn.doOutput = true
+                conn.requestMethod = "POST"
+                conn.setRequestProperty("Content-Type", "application/octet-stream")
+                conn.outputStream.write(request.encoded)
+                conn.inputStream.bufferedReader().readLine()
+            }
+
+            assertEquals(id, submitRequest())
+            verify(storage, times(1)).saveRequest(any())
+            submitRequest()
+            verify(storage, times(2)).saveRequest(any())
+        }
+    }
+
+    @Test
+    fun testRetrieveCertificate() {
+        val keyPair = X509Utilities.generateECDSAKeyPairForSSL()
+        val id = SecureHash.randomSHA256().toString()
+        var count = 0
+        val storage: CertificationRequestStorage = mock {
+            on { getApprovedRequest(eq(id)) }.then {
+                if (count < 5) null else CertificationData("", "", X509Utilities.createCertificateSigningRequest("LegalName",
+                        "London", "admin@test.com", keyPair))
+            }
+            on { getOrElseCreateCertificate(eq(id), any()) }.thenAnswer { (it.arguments[1] as () -> Certificate)() }
+        }
+
+        getSigningServer(storage).use {
+            val poll = {
+                val url = URL("http://${it.server.hostAndPort()}/api/certificate/$id")
+                val conn = url.openConnection() as HttpURLConnection
+                conn.requestMethod = "GET"
+
+                when (conn.responseCode) {
+                    HttpURLConnection.HTTP_OK -> conn.inputStream.use {
+                        ZipInputStream(it).use {
+                            val certificates = ArrayList<Certificate>()
+                            while (it.nextEntry != null) {
+                                certificates.add(CertificateFactory.getInstance("X.509").generateCertificate(it))
+                            }
+                            certificates
+                        }
+                    }
+                    HttpURLConnection.HTTP_NO_CONTENT -> null
+                    else ->
+                        throw IOException("Cannot connect to Certificate Signing Server, HTTP response code : ${conn.responseCode}")
+                }
+            }
+
+            var certificates = poll()
+
+            while (certificates == null) {
+                Thread.sleep(1.seconds.toMillis())
+                count++
+                certificates = poll()
+            }
+
+            verify(storage, times(6)).getApprovedRequest(any())
+            assertEquals(3, certificates.size)
+
+            (certificates.first() as X509Certificate).run {
+                assertEquals("LegalName", (subjectDN as X500Name).commonName)
+                assertEquals("London", (subjectDN as X500Name).locality)
+            }
+
+            (certificates.last() as X509Certificate).run {
+                assertEquals("Corda Node Root CA", (subjectDN as X500Name).commonName)
+                assertEquals("London", (subjectDN as X500Name).locality)
+            }
+        }
+    }
+}
--- a/settings.gradle
+++ b/settings.gradle
@ -7,4 +7,5 @@ include 'client'
 include 'experimental'
 include 'test-utils'
 include 'network-simulator'
+include 'netpermission'
 include 'explorer'