verify with NETWORK_PARAMETERS role and test (#6628)

node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt

@@ -77,6 +77,16 @@ fun createDevNetworkMapCa(rootCa: CertificateAndKeyPair = DEV_ROOT_CA): Certific
     return CertificateAndKeyPair(cert, keyPair)
 }
 
+fun createDevNetworkParametersCa(rootCa: CertificateAndKeyPair = DEV_ROOT_CA): CertificateAndKeyPair {
+    val keyPair = generateKeyPair()
+    val cert = X509Utilities.createCertificate(
+            CertificateType.NETWORK_PARAMETERS,
+            rootCa.certificate,
+            rootCa.keyPair,
+            X500Principal("CN=Network Parameters,O=R3 Ltd,L=London,C=GB"),
+            keyPair.public)
+    return CertificateAndKeyPair(cert, keyPair)
+}
 /**
  * Create a dev node CA cert, as a sub-cert of the given [intermediateCa], and matching key pair using the given
  * [CordaX500Name] as the cert subject.

node/src/main/kotlin/net/corda/node/internal/DBNetworkParametersStorage.kt

@@ -19,7 +19,6 @@ import net.corda.node.utilities.AppendOnlyPersistentMap
 import net.corda.nodeapi.internal.crypto.X509CertificateFactory
 import net.corda.nodeapi.internal.crypto.X509Utilities
 import net.corda.nodeapi.internal.network.SignedNetworkParameters
-import net.corda.nodeapi.internal.network.verifiedNetworkMapCert
 import net.corda.nodeapi.internal.network.verifiedNetworkParametersCert
 import net.corda.nodeapi.internal.persistence.CordaPersistence
 import net.corda.nodeapi.internal.persistence.NODE_DATABASE_PREFIX
@@ -86,7 +85,7 @@ class DBNetworkParametersStorage(
 
     override fun saveParameters(signedNetworkParameters: SignedNetworkParameters) {
         log.trace { "Saving new network parameters to network parameters storage." }
-        val networkParameters = signedNetworkParameters.verifiedNetworkMapCert(trustRoot)
+        val networkParameters = signedNetworkParameters.verifiedNetworkParametersCert(trustRoot)
         val hash = signedNetworkParameters.raw.hash
         log.trace { "Parameters to save $networkParameters with hash $hash" }
         database.transaction {

node/src/test/kotlin/net/corda/node/services/network/NetworkParametersReaderTest.kt

@@ -2,16 +2,23 @@ package net.corda.node.services.network
 
 import com.google.common.jimfs.Configuration
 import com.google.common.jimfs.Jimfs
+import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.*
 import net.corda.core.serialization.deserialize
 import net.corda.core.utilities.days
 import net.corda.core.utilities.seconds
+import net.corda.coretesting.internal.DEV_INTERMEDIATE_CA
 import net.corda.node.VersionInfo
 import net.corda.node.internal.NetworkParametersReader
 import net.corda.nodeapi.internal.network.*
 import net.corda.testing.common.internal.testNetworkParameters
 import net.corda.testing.core.SerializationEnvironmentRule
 import net.corda.coretesting.internal.DEV_ROOT_CA
+import net.corda.nodeapi.internal.createDevNetworkMapCa
+import net.corda.nodeapi.internal.createDevNetworkParametersCa
+import net.corda.nodeapi.internal.createDevNodeCa
+import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
+import net.corda.testing.core.TestIdentity
 import net.corda.testing.node.internal.network.NetworkMapServer
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.After
@@ -21,6 +28,7 @@ import org.junit.Test
 import java.net.URL
 import java.nio.file.FileSystem
 import kotlin.test.assertEquals
+import kotlin.test.assertFailsWith
 import kotlin.test.assertFalse
 import kotlin.test.assertNotNull
 
@@ -84,4 +92,23 @@ class NetworkParametersReaderTest {
         val parameters = inByteArray.deserialize<SignedNetworkParameters>()
         assertThat(parameters.verified().eventHorizon).isEqualTo(Int.MAX_VALUE.days)
     }
+
+    @Test(timeout = 300_000)
+    fun `verifying works with NETWORK_PARAMETERS role and NETWORK_MAP role, but fails for NODE_CA role`() {
+        val netParameters = testNetworkParameters(epoch = 1)
+        val certKeyPairNetworkParameters: CertificateAndKeyPair = createDevNetworkParametersCa()
+        val netParamsForNetworkParameters= certKeyPairNetworkParameters.sign(netParameters)
+        netParamsForNetworkParameters.verifiedNetworkParametersCert(DEV_ROOT_CA.certificate)
+
+        val certKeyPairNetworkMap: CertificateAndKeyPair = createDevNetworkMapCa()
+        val netParamsForNetworkMap = certKeyPairNetworkMap.sign(netParameters)
+        netParamsForNetworkMap.verifiedNetworkParametersCert(DEV_ROOT_CA.certificate)
+
+        val megaCorp = TestIdentity(CordaX500Name("MegaCorp", "London", "GB"))
+        val x = createDevNodeCa(DEV_INTERMEDIATE_CA, megaCorp.name)
+        val netParamsForNode = x.sign(netParameters)
+        assertFailsWith(IllegalArgumentException::class, "Incorrect cert role: NODE_CA") {
+            netParamsForNode.verifiedNetworkParametersCert(DEV_ROOT_CA.certificate)
+        }
+    }
 }

testing/node-driver/src/main/kotlin/net/corda/testing/node/internal/MockNetworkParametersService.kt

@@ -9,7 +9,7 @@ import net.corda.core.node.NetworkParameters
 import net.corda.core.node.NotaryInfo
 import net.corda.core.serialization.serialize
 import net.corda.nodeapi.internal.network.SignedNetworkParameters
-import net.corda.nodeapi.internal.network.verifiedNetworkMapCert
+import net.corda.nodeapi.internal.network.verifiedNetworkParametersCert
 import net.corda.testing.common.internal.testNetworkParameters
 import net.corda.testing.core.ALICE_NAME
 import net.corda.testing.core.TestIdentity
@@ -30,7 +30,7 @@ class MockNetworkParametersStorage(private var currentParameters: NetworkParamet
     }
 
     override fun setCurrentParameters(currentSignedParameters: SignedDataWithCert<NetworkParameters>, trustRoot: X509Certificate) {
-        setCurrentParametersUnverified(currentSignedParameters.verifiedNetworkMapCert(trustRoot))
+        setCurrentParametersUnverified(currentSignedParameters.verifiedNetworkParametersCert(trustRoot))
     }
 
     override fun lookupSigned(hash: SecureHash): SignedDataWithCert<NetworkParameters>? {