Removing configuration parameter for private key passwords (#395)

2024-12-28 00:38:55 +00:00 · 2018-01-24 12:12:46 +00:00 · 2018-01-24 12:12:46 +00:00 · 55385613ac
commit 55385613ac
parent cef1f9885c
6 changed files with 16 additions and 23 deletions
--- a/docs/source/running-hsm-cert-generator.rst
+++ b/docs/source/running-hsm-cert-generator.rst
@ -46,10 +46,6 @@ Certificate Configuration
 :certificateType: Type of the certificate to be created. Allowed values are:
                  ROOT_CA, INTERMEDIATE_CA, NETWORK_MAP.

-:rootPrivateKeyPassword: Private key of the root certificate.
-
-:privateKeyPassword: Private key password to be used during the key generation process.
-
 :subject: X500Name formatted string to be used as the certificate public key subject.

 :validDays: Days number for certificate validity.
--- a/network-management/generator.conf
+++ b/network-management/generator.conf
@ -6,8 +6,6 @@ trustStorePassword = "trustpass"
 certConfig {
    subject = "CN=Corda Root, O=R3Cev, L=London, C=GB"
    certificateType = ROOT_CA
-    privateKeyPassword = "PASSWORD"
-    rootPrivateKeyPassword = "PASSWORD"
    validDays = 3650
    keyOverride = 0
    keyAlgorithm = 4
--- a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt
+++ b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt
@ -17,10 +17,6 @@ import kotlin.test.assertNotNull

 class HsmKeyGenerationTest {

-    companion object {
-        val KEY_PASSWORD = "PASSWORD"
-    }
-
    @Rule
    @JvmField
    val tempFolder = TemporaryFolder()
@ -45,8 +41,6 @@ class HsmKeyGenerationTest {
                        keySpecifier = 1,
                        keyGroup = "DEV.DOORMAN",
                        storeKeysExternal = false,
-                        privateKeyPassword = KEY_PASSWORD,
-                        rootPrivateKeyPassword = KEY_PASSWORD,
                        subject = "CN=Corda Root, O=R3Cev, L=London, C=GB",
                        validDays = 3650,
                        keyCurve = "NIST-P256",
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt
@ -42,8 +42,6 @@ data class CertificateConfiguration(val keyGroup: String,
                                    val keySpecifier: Int,
                                    val storeKeysExternal: Boolean,
                                    val certificateType: CertificateType,
-                                    val rootPrivateKeyPassword: String,
-                                    val privateKeyPassword: String,
                                    val subject: String, // it is certificate [X500Name] subject
                                    val validDays: Int,
                                    val crlDistributionUrl: String?,
@ -71,7 +69,7 @@ fun parseCommandLine(vararg args: String): CommandLineOptions {
            .accepts("config-file", "The path to the config file")
            .withRequiredArg()
            .describedAs("filepath")
-    val helpOption = optionParser.acceptsAll(listOf("h", "?", "help"), "show help").forHelp();
+    val helpOption = optionParser.acceptsAll(listOf("h", "?", "help"), "show help").forHelp()

    val optionSet = optionParser.parse(*args)
    // Print help and exit on help option or if there are missing options.
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt
@ -19,9 +19,11 @@ import net.corda.nodeapi.internal.crypto.CertificateType.*
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_INTERMEDIATE_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
 import java.nio.file.Path
+import java.security.Key
 import java.security.KeyPair
 import java.security.KeyStore
 import java.security.PrivateKey
+import java.security.cert.Certificate
 import java.security.cert.X509Certificate

 data class CertificateNameAndPass(val certificateName: String, val privateKeyPassword: String)
@ -50,11 +52,19 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {
            } else {
                certConfig.generateIntermediateCert(provider, keyPair, keyStore)
            }
-            keyStore.addOrReplaceKey(keyName, keyPair.private, certConfig.privateKeyPassword.toCharArray(), certChain)
+            keyStore.addOrReplaceKey(keyName, keyPair.private, null, certChain)
            logger.info("New certificate and key pair named $keyName have been generated and stored in HSM")
        }
    }

+    // TODO remove this and modify the node-api internal version of this method - nullable password
+    fun KeyStore.addOrReplaceKey(alias: String, key: Key, password: CharArray?, chain: Array<out Certificate>) {
+        if (containsAlias(alias)) {
+            this.deleteEntry(alias)
+        }
+        this.setKeyEntry(alias, key, password, chain)
+    }
+
    private fun CertificateConfiguration.generateRootCert(provider: CryptoServerProvider,
                                                          keyPair: KeyPair,
                                                          trustStoreDirectory: Path,
@ -80,9 +90,7 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {
            provider: CryptoServerProvider,
            keyPair: KeyPair,
            keyStore: KeyStore): Array<X509Certificate> {
-        val rootKeysAndCertChain = retrieveKeysAndCertificateChain(CORDA_ROOT_CA,
-                rootPrivateKeyPassword,
-                keyStore)
+        val rootKeysAndCertChain = retrieveKeysAndCertificateChain(CORDA_ROOT_CA, keyStore)
        val certificateAndKeyPair = createIntermediateCert(
                certificateType,
                CordaX500Name.parse(subject).x500Name,
@ -111,7 +119,7 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {

    private fun CertificateConfiguration.generateEcdsaKeyPair(keyName: String, provider: CryptoServerProvider, keyStore: KeyStore): KeyPair {
        generateECDSAKey(keyName, provider)
-        val privateKey = keyStore.getKey(keyName, privateKeyPassword.toCharArray()) as PrivateKey
+        val privateKey = keyStore.getKey(keyName, null) as PrivateKey
        val publicKey = keyStore.getCertificate(keyName).publicKey
        return getCleanEcdsaKeyPair(publicKey, privateKey)
    }
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt
@ -116,12 +116,11 @@ object HsmX509Utilities {
     * Retrieves key pair and certificate chain from the given key store. Also, the keys retrieved are cleaned in a sense of the
     * [getCleanEcdsaKeyPair] method.
     * @param certificateKeyName certificate and key name (alias) to be used when querying the key store.
-     * @param privateKeyPassword password for the private key.
     * @param keyStore key store that holds the certificate with its keys.
     * @return instance of [KeyPairAndCertificateChain] holding the key pair and the certificate chain.
     */
-    fun retrieveKeysAndCertificateChain(certificateKeyName: String, privateKeyPassword: String, keyStore: KeyStore): KeyPairAndCertificateChain {
-        val privateKey = keyStore.getKey(certificateKeyName, privateKeyPassword.toCharArray()) as PrivateKey
+    fun retrieveKeysAndCertificateChain(certificateKeyName: String, keyStore: KeyStore): KeyPairAndCertificateChain {
+        val privateKey = keyStore.getKey(certificateKeyName, null) as PrivateKey
        val publicKey = keyStore.getCertificate(certificateKeyName).publicKey
        val certificateChain = keyStore.getCertificateChain(certificateKeyName).map { it as X509Certificate }
        return KeyPairAndCertificateChain(getCleanEcdsaKeyPair(publicKey, privateKey), certificateChain.toTypedArray())