From 55385613acfea92833a07d7889faa2c0cd7b2aa7 Mon Sep 17 00:00:00 2001
From: Michal Kit
Date: Wed, 24 Jan 2018 12:12:46 +0000
Subject: [PATCH] Removing configuration parameter for private key passwords (#395)
---
 docs/source/running-hsm-cert-generator.rst | 4 ----
 network-management/generator.conf | 2 --
 .../networkmanage/hsm/HsmKeyGenerationTest.kt | 6 ------
 .../hsm/generator/GeneratorParameters.kt | 4 +---
 .../hsm/generator/KeyCertificateGenerator.kt | 18 +++++++++++++-----
 .../hsm/utils/HsmX509Utilities.kt | 5 ++---
 6 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/docs/source/running-hsm-cert-generator.rst b/docs/source/running-hsm-cert-generator.rst
index 20a793554a..0b41f0ac21 100644
--- a/docs/source/running-hsm-cert-generator.rst
+++ b/docs/source/running-hsm-cert-generator.rst
@@ -46,10 +46,6 @@ Certificate Configuration
 :certificateType: Type of the certificate to be created. Allowed values are: ROOT_CA, INTERMEDIATE_CA, NETWORK_MAP.
-:rootPrivateKeyPassword: Private key of the root certificate.
-
-:privateKeyPassword: Private key password to be used during the key generation process.
-
 :subject: X500Name formatted string to be used as the certificate public key subject.
 :validDays: Days number for certificate validity.
diff --git a/network-management/generator.conf b/network-management/generator.conf
index ab1b09957a..660ce68e8d 100644
--- a/network-management/generator.conf
+++ b/network-management/generator.conf
@@ -6,8 +6,6 @@ trustStorePassword = "trustpass"
 certConfig {
 subject = "CN=Corda Root, O=R3Cev, L=London, C=GB"
 certificateType = ROOT_CA
- privateKeyPassword = "PASSWORD"
- rootPrivateKeyPassword = "PASSWORD"
 validDays = 3650
 keyOverride = 0
 keyAlgorithm = 4
diff --git a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt
index 5ea1cd6017..4fc4248523 100644
--- a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt
+++ b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/hsm/HsmKeyGenerationTest.kt
@@ -17,10 +17,6 @@ import kotlin.test.assertNotNull
 class HsmKeyGenerationTest {
- companion object {
- val KEY_PASSWORD = "PASSWORD"
- }
-
 @Rule
 @JvmField
 val tempFolder = TemporaryFolder()
@@ -45,8 +41,6 @@ class HsmKeyGenerationTest {
 keySpecifier = 1,
 keyGroup = "DEV.DOORMAN",
 storeKeysExternal = false,
- privateKeyPassword = KEY_PASSWORD,
- rootPrivateKeyPassword = KEY_PASSWORD,
 subject = "CN=Corda Root, O=R3Cev, L=London, C=GB",
 validDays = 3650,
 keyCurve = "NIST-P256",
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt
index 646f866325..5e459a9c14 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/GeneratorParameters.kt
@@ -42,8 +42,6 @@ data class CertificateConfiguration(val keyGroup: String,
 val keySpecifier: Int,
 val storeKeysExternal: Boolean,
 val certificateType: CertificateType,
- val rootPrivateKeyPassword: String,
- val privateKeyPassword: String,
 val subject: String, // it is certificate [X500Name] subject
 val validDays: Int,
 val crlDistributionUrl: String?,
@@ -71,7 +69,7 @@ fun parseCommandLine(vararg args: String): CommandLineOptions {
 .accepts("config-file", "The path to the config file")
 .withRequiredArg()
 .describedAs("filepath")
- val helpOption = optionParser.acceptsAll(listOf("h", "?", "help"), "show help").forHelp();
+ val helpOption = optionParser.acceptsAll(listOf("h", "?", "help"), "show help").forHelp()
 val optionSet = optionParser.parse(*args)
 // Print help and exit on help option or if there are missing options.
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt
index 4e68aa6330..d21474fda1 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/generator/KeyCertificateGenerator.kt
@@ -19,9 +19,11 @@ import net.corda.nodeapi.internal.crypto.CertificateType.*
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_INTERMEDIATE_CA
 import net.corda.nodeapi.internal.crypto.X509Utilities.CORDA_ROOT_CA
 import java.nio.file.Path
+import java.security.Key
 import java.security.KeyPair
 import java.security.KeyStore
 import java.security.PrivateKey
+import java.security.cert.Certificate
 import java.security.cert.X509Certificate
 data class CertificateNameAndPass(val certificateName: String, val privateKeyPassword: String)
@@ -50,11 +52,19 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {
 } else {
 certConfig.generateIntermediateCert(provider, keyPair, keyStore)
 }
- keyStore.addOrReplaceKey(keyName, keyPair.private, certConfig.privateKeyPassword.toCharArray(), certChain)
+ keyStore.addOrReplaceKey(keyName, keyPair.private, null, certChain)
 logger.info("New certificate and key pair named $keyName have been generated and stored in HSM")
 }
 }
+ // TODO remove this and modify the node-api internal version of this method - nullable password
+ fun KeyStore.addOrReplaceKey(alias: String, key: Key, password: CharArray?, chain: Array) {
+ if (containsAlias(alias)) {
+ this.deleteEntry(alias)
+ }
+ this.setKeyEntry(alias, key, password, chain)
+ }
+
 private fun CertificateConfiguration.generateRootCert(provider: CryptoServerProvider,
 keyPair: KeyPair,
 trustStoreDirectory: Path,
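Review bot: The new `KeyStore.addOrReplaceKey` extension in the second hunk is a public member of `KeyCertificateGenerator`, so it becomes part of the class's API and shadows the node-api extension of the same name for every caller inside the class, even though the TODO marks it as a temporary workaround; `private fun KeyStore.addOrReplaceKey(alias: String, key: Key, password: CharArray?, chain: Array<Certificate>)` keeps it local until the node-api version accepts a nullable password. The `this.` qualifiers on `deleteEntry` and `setKeyEntry` are redundant inside an extension body. Passing `null` as the key password to `setKeyEntry` here (and to `getKey` in the later hunks of this file and in HsmX509Utilities.kt) is presumably appropriate only because the store is the HSM-backed `CryptoServerProvider` key store rather than a software JKS/PKCS12 store, so a comment at the call site such as `// no per-key password: key protection is enforced by the HSM, not by the key store` would record that assumption for whoever next touches this path. The element type of `Array` in the new signature appears to have been dropped from this rendering of the patch; the `Certificate` import added in the first hunk suggests it is `Array<Certificate>`.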
@@ -80,9 +90,7 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {
 provider: CryptoServerProvider,
 keyPair: KeyPair,
 keyStore: KeyStore): Array {
- val rootKeysAndCertChain = retrieveKeysAndCertificateChain(CORDA_ROOT_CA,
- rootPrivateKeyPassword,
- keyStore)
+ val rootKeysAndCertChain = retrieveKeysAndCertificateChain(CORDA_ROOT_CA, keyStore)
 val certificateAndKeyPair = createIntermediateCert(
 certificateType,
 CordaX500Name.parse(subject).x500Name,
@@ -111,7 +119,7 @@ class KeyCertificateGenerator(private val parameters: GeneratorParameters) {
 private fun CertificateConfiguration.generateEcdsaKeyPair(keyName: String, provider: CryptoServerProvider, keyStore: KeyStore): KeyPair {
 generateECDSAKey(keyName, provider)
- val privateKey = keyStore.getKey(keyName, privateKeyPassword.toCharArray()) as PrivateKey
+ val privateKey = keyStore.getKey(keyName, null) as PrivateKey
 val publicKey = keyStore.getCertificate(keyName).publicKey
 return getCleanEcdsaKeyPair(publicKey, privateKey)
 }
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt
index 0eb65ccb2c..3702ae43dd 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/utils/HsmX509Utilities.kt
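Review bot: `val privateKey = keyStore.getKey(keyName, null) as PrivateKey` in the `generateEcdsaKeyPair` hunk keeps an unchecked cast on a call that returns null when the alias is not present, so a key that `generateECDSAKey` failed to create in the HSM surfaces as a cast exception instead of an error naming the alias; `val privateKey = checkNotNull(keyStore.getKey(keyName, null)) { "no key stored in the HSM key store under alias $keyName" } as PrivateKey` fails with a clear message. The rewritten `getKey` line in `retrieveKeysAndCertificateChain` in HsmX509Utilities.kt (last hunk of this patch) has the same gap. The cast itself predates this commit, but since the line is rewritten here this is the natural place to tighten it.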
@@ -116,12 +116,11 @@ object HsmX509Utilities {
 * Retrieves key pair and certificate chain from the given key store. Also, the keys retrieved are cleaned in a sense of the
 * [getCleanEcdsaKeyPair] method.
 * @param certificateKeyName certificate and key name (alias) to be used when querying the key store.
- * @param privateKeyPassword password for the private key.
 * @param keyStore key store that holds the certificate with its keys.
 * @return instance of [KeyPairAndCertificateChain] holding the key pair and the certificate chain.
 */
- fun retrieveKeysAndCertificateChain(certificateKeyName: String, privateKeyPassword: String, keyStore: KeyStore): KeyPairAndCertificateChain {
- val privateKey = keyStore.getKey(certificateKeyName, privateKeyPassword.toCharArray()) as PrivateKey
+ fun retrieveKeysAndCertificateChain(certificateKeyName: String, keyStore: KeyStore): KeyPairAndCertificateChain {
+ val privateKey = keyStore.getKey(certificateKeyName, null) as PrivateKey
 val publicKey = keyStore.getCertificate(certificateKeyName).publicKey
 val certificateChain = keyStore.getCertificateChain(certificateKeyName).map { it as X509Certificate }
 return KeyPairAndCertificateChain(getCleanEcdsaKeyPair(publicKey, privateKey), certificateChain.toTypedArray())
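Review bot: The KDoc of `retrieveKeysAndCertificateChain` loses the `@param privateKeyPassword` line but says nothing about how the private key is now accessed, while the new `getKey(certificateKeyName, null)` call silently encodes the assumption that entries in `keyStore` are not individually password protected; a sentence in the KDoc such as `The private key is read with a null password, so [keyStore] is expected to be a store whose key entries are not individually password protected (such as an HSM-backed store).` would make that contract explicit for callers, and the `@param keyStore` line could carry the same caveat. The function's closing brace lies outside the hunk.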