mirror of
https://github.com/corda/corda.git
synced 2024-12-20 21:43:14 +00:00
ENT-2847: Ent port: Make logging pluggable in NetworkRegistrationHelper. (#4477)
This commit is contained in:
Viktor Kolomeyko
GitHub
parent
b4c3fa1948
commit
5e16961fee
@ -43,7 +43,9 @@ open class NetworkRegistrationHelper(
|
||||
networkRootTrustStorePassword: String,
|
||||
private val nodeCaKeyAlias: String,
|
||||
private val certRole: CertRole,
|
||||
private val nextIdleDuration: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1))
|
||||
private val nextIdleDuration: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1)),
|
||||
protected val logProgress: (String) -> Unit = ::println,
|
||||
protected val logError: (String) -> Unit = System.err::println
|
||||
) {
|
||||
|
||||
companion object {
|
||||
@ -86,7 +88,7 @@ open class NetworkRegistrationHelper(
|
||||
|
||||
// SELF_SIGNED_PRIVATE_KEY is used as progress indicator.
|
||||
if (certStore.contains(nodeCaKeyAlias) && !certStore.contains(SELF_SIGNED_PRIVATE_KEY)) {
|
||||
println("Certificate already exists, Corda node will now terminate...")
|
||||
logProgress("Certificate already exists, Corda node will now terminate...")
|
||||
return
|
||||
}
|
||||
|
||||
@ -106,7 +108,7 @@ open class NetworkRegistrationHelper(
|
||||
certStore.setCertPathOnly(nodeCaKeyAlias, nodeCaCertificates)
|
||||
certStore.value.internal.deleteEntry(SELF_SIGNED_PRIVATE_KEY)
|
||||
certStore.value.save()
|
||||
println("Private key '$nodeCaKeyAlias' and its certificate-chain stored successfully.")
|
||||
logProgress("Private key '$nodeCaKeyAlias' and its certificate-chain stored successfully.")
|
||||
|
||||
onSuccess(nodeCaPublicKey, cryptoService.getSigner(nodeCaKeyAlias), nodeCaCertificates, tlsCrlIssuerCert?.subjectX500Principal?.toX500Name())
|
||||
// All done, clean up temp files.
|
||||
@ -124,9 +126,9 @@ open class NetworkRegistrationHelper(
|
||||
private fun getTlsCrlIssuerCert(): X509Certificate? {
|
||||
val tlsCrlIssuerCert = validateAndGetTlsCrlIssuerCert()
|
||||
if (tlsCrlIssuerCert == null && isTlsCrlIssuerCertRequired()) {
|
||||
System.err.println("""tlsCrlIssuerCert config does not match the root certificate issuer and nor is there any other certificate in the trust store with a matching issuer.
|
||||
logError("""tlsCrlIssuerCert config does not match the root certificate issuer and nor is there any other certificate in the trust store with a matching issuer.
|
||||
| Please make sure the config is correct or that the correct certificate for the CRL issuer is added to the node's trust store.
|
||||
| The node will now terminate.""".trimMargin())
|
||||
| The node registration will now terminate.""".trimMargin())
|
||||
throw IllegalArgumentException("TLS CRL issuer certificate not found in the trust store.")
|
||||
}
|
||||
return tlsCrlIssuerCert
|
||||
@ -161,7 +163,7 @@ open class NetworkRegistrationHelper(
|
||||
|
||||
// Validate certificate chain returned from the doorman with the root cert obtained via out-of-band process, to prevent MITM attack on doorman server.
|
||||
X509Utilities.validateCertificateChain(rootCert, certificates)
|
||||
println("Certificate signing request approved, storing private key with the certificate chain.")
|
||||
logProgress("Certificate signing request approved, storing private key with the certificate chain.")
|
||||
}
|
||||
|
||||
private fun CertificateStore.loadOrCreateKeyPair(alias: String, entryPassword: String = password): KeyPair {
|
||||
@ -188,7 +190,7 @@ open class NetworkRegistrationHelper(
|
||||
*/
|
||||
private fun pollServerForCertificates(requestId: String): List<X509Certificate> {
|
||||
try {
|
||||
println("Start polling server for certificate signing approval.")
|
||||
logProgress("Start polling server for certificate signing approval.")
|
||||
// Poll server to download the signed certificate once request has been approved.
|
||||
var idlePeriodDuration: Duration? = null
|
||||
while (true) {
|
||||
@ -209,9 +211,9 @@ open class NetworkRegistrationHelper(
|
||||
}
|
||||
}
|
||||
} catch (certificateRequestException: CertificateRequestException) {
|
||||
System.err.println(certificateRequestException.message)
|
||||
System.err.println("Please make sure the details in configuration file are correct and try again.")
|
||||
System.err.println("Corda node will now terminate.")
|
||||
certificateRequestException.message?.let { logError(it) }
|
||||
logError("Please make sure the details in configuration file are correct and try again.")
|
||||
logError("Corda node registration will now terminate.")
|
||||
requestIdStore.deleteIfExists()
|
||||
throw certificateRequestException
|
||||
}
|
||||
@ -233,24 +235,21 @@ open class NetworkRegistrationHelper(
|
||||
JcaPEMWriter(writer).use {
|
||||
it.writeObject(PemObject("CERTIFICATE REQUEST", request.encoded))
|
||||
}
|
||||
println("Certificate signing request with the following information will be submitted to the Corda certificate signing server.")
|
||||
println()
|
||||
println("Legal Name: $myLegalName")
|
||||
println("Email: $emailAddress")
|
||||
println()
|
||||
println("Public Key: $publicKey")
|
||||
println()
|
||||
println("$writer")
|
||||
logProgress("Certificate signing request with the following information will be submitted to the Corda certificate signing server.")
|
||||
logProgress("Legal Name: $myLegalName")
|
||||
logProgress("Email: $emailAddress")
|
||||
logProgress("Public Key: $publicKey")
|
||||
logProgress("$writer")
|
||||
// Post request to signing server via http.
|
||||
println("Submitting certificate signing request to Corda certificate signing server.")
|
||||
logProgress("Submitting certificate signing request to Corda certificate signing server.")
|
||||
val requestId = certService.submitRequest(request)
|
||||
// Persists request ID to file in case of node shutdown.
|
||||
requestIdStore.writeLines(listOf(requestId))
|
||||
println("Successfully submitted request to Corda certificate signing server, request ID: $requestId.")
|
||||
logProgress("Successfully submitted request to Corda certificate signing server, request ID: $requestId.")
|
||||
requestId
|
||||
} else {
|
||||
val requestId = requestIdStore.readLines { it.findFirst().get() }
|
||||
println("Resuming from previous certificate signing request, request ID: $requestId.")
|
||||
logProgress("Resuming from previous certificate signing request, request ID: $requestId.")
|
||||
requestId
|
||||
}
|
||||
} catch (e: Exception) {
|
||||
@ -274,15 +273,19 @@ class NodeRegistrationException(
|
||||
|
||||
class NodeRegistrationHelper(
|
||||
private val config: NodeConfiguration,
|
||||
certService: NetworkRegistrationService, regConfig: NodeRegistrationOption, computeNextIdleDoormanConnectionPollInterval: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1))) :
|
||||
NetworkRegistrationHelper(
|
||||
config,
|
||||
certService,
|
||||
regConfig.networkRootTrustStorePath,
|
||||
regConfig.networkRootTrustStorePassword,
|
||||
CORDA_CLIENT_CA,
|
||||
CertRole.NODE_CA,
|
||||
computeNextIdleDoormanConnectionPollInterval) {
|
||||
certService: NetworkRegistrationService,
|
||||
regConfig: NodeRegistrationOption,
|
||||
computeNextIdleDoormanConnectionPollInterval: (Duration?) -> Duration? = FixedPeriodLimitedRetrialStrategy(10, Duration.ofMinutes(1)),
|
||||
logProgress: (String) -> Unit = ::println,
|
||||
logError: (String) -> Unit = System.err::println) :
|
||||
NetworkRegistrationHelper(
|
||||
config,
|
||||
certService,
|
||||
regConfig.networkRootTrustStorePath,
|
||||
regConfig.networkRootTrustStorePassword,
|
||||
CORDA_CLIENT_CA,
|
||||
CertRole.NODE_CA,
|
||||
computeNextIdleDoormanConnectionPollInterval, logProgress, logError) {
|
||||
|
||||
companion object {
|
||||
val logger = contextLogger()
|
||||
@ -297,7 +300,7 @@ class NodeRegistrationHelper(
|
||||
val keyStore = config.p2pSslOptions.keyStore
|
||||
val certificateStore = keyStore.get(createNew = true)
|
||||
certificateStore.update {
|
||||
println("Generating SSL certificate for node messaging service.")
|
||||
logProgress("Generating SSL certificate for node messaging service.")
|
||||
val sslKeyPair = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
|
||||
val issuerCertificate = nodeCaCertificateChain.first()
|
||||
val validityWindow = X509Utilities.getCertificateValidityWindow(DEFAULT_VALIDITY_WINDOW.first, DEFAULT_VALIDITY_WINDOW.second, issuerCertificate)
|
||||
@ -319,7 +322,7 @@ class NodeRegistrationHelper(
|
||||
X509Utilities.validateCertificateChain(rootCert, sslCertificateChain)
|
||||
setPrivateKey(CORDA_CLIENT_TLS, sslKeyPair.private, sslCertificateChain, keyStore.entryPassword)
|
||||
}
|
||||
println("SSL private key and certificate chain stored in ${keyStore.path}.")
|
||||
logProgress("SSL private key and certificate chain stored in ${keyStore.path}.")
|
||||
}
|
||||
|
||||
private fun createTruststore(rootCertificate: X509Certificate) {
|
||||
@ -328,7 +331,7 @@ class NodeRegistrationHelper(
|
||||
if (this.aliases().hasNext()) {
|
||||
logger.warn("The node's trust store already exists. The following certificates will be overridden: ${this.aliases().asSequence()}")
|
||||
}
|
||||
println("Generating trust store for corda node.")
|
||||
logProgress("Generating trust store for corda node.")
|
||||
// Assumes certificate chain always starts with client certificate and end with root certificate.
|
||||
setCertificate(CORDA_ROOT_CA, rootCertificate)
|
||||
// Copy remaining certificates from the network-trust-store
|
||||
@ -338,7 +341,7 @@ class NodeRegistrationHelper(
|
||||
setCertificate(it, certificate)
|
||||
}
|
||||
}
|
||||
println("Node trust store stored in ${config.p2pSslOptions.trustStore.path}.")
|
||||
logProgress("Node trust store stored in ${config.p2pSslOptions.trustStore.path}.")
|
||||
}
|
||||
|
||||
override fun validateAndGetTlsCrlIssuerCert(): X509Certificate? {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user