Merge branch 'feature-network-parameters' into shams-merge-feature-network-parameters

node-api/src/main/kotlin/net/corda/nodeapi/internal/NetworkMap.kt

@@ -0,0 +1,75 @@
+package net.corda.nodeapi.internal
+
+import net.corda.core.crypto.DigitalSignature
+import net.corda.core.crypto.SecureHash
+import net.corda.core.crypto.verify
+import net.corda.core.identity.Party
+import net.corda.core.serialization.CordaSerializable
+import net.corda.core.serialization.SerializedBytes
+import net.corda.core.serialization.deserialize
+import java.security.SignatureException
+import java.security.cert.CertPathValidatorException
+import java.security.cert.X509Certificate
+import java.time.Duration
+import java.time.Instant
+
+// TODO: Need more discussion on rather we should move this class out of internal.
+/**
+ * Data class containing hash of [NetworkParameters] and network participant's [NodeInfo] hashes.
+ */
+@CordaSerializable
+data class NetworkMap(val nodeInfoHashes: List<SecureHash>, val networkParameterHash: SecureHash)
+
+/**
+ * @property minimumPlatformVersion
+ * @property notaries
+ * @property eventHorizon
+ * @property maxMessageSize Maximum P2P message sent over the wire in bytes.
+ * @property maxTransactionSize Maximum permitted transaction size in bytes.
+ * @property modifiedTime
+ * @property epoch Version number of the network parameters. Starting from 1, this will always increment on each new set
+ * of parameters.
+ */
+// TODO Wire up the parameters
+@CordaSerializable
+data class NetworkParameters(
+        val minimumPlatformVersion: Int,
+        val notaries: List<NotaryInfo>,
+        val eventHorizon: Duration,
+        val maxMessageSize: Int,
+        val maxTransactionSize: Int,
+        val modifiedTime: Instant,
+        val epoch: Int
+) {
+    init {
+        require(minimumPlatformVersion > 0) { "minimumPlatformVersion must be at least 1" }
+        require(notaries.distinctBy { it.identity } == notaries) { "Duplicate notary identities" }
+        require(epoch > 0) { "epoch must be at least 1" }
+    }
+}
+
+@CordaSerializable
+data class NotaryInfo(val identity: Party, val validating: Boolean)
+
+/**
+ * A serialized [NetworkMap] and its signature and certificate. Enforces signature validity in order to deserialize the data
+ * contained within.
+ */
+@CordaSerializable
+class SignedNetworkMap(val raw: SerializedBytes<NetworkMap>, val sig: DigitalSignatureWithCert) {
+    /**
+     * Return the deserialized NetworkMap if the signature and certificate can be verified.
+     *
+     * @throws CertPathValidatorException if the certificate path is invalid.
+     * @throws SignatureException if the signature is invalid.
+     */
+    @Throws(SignatureException::class)
+    fun verified(): NetworkMap {
+        sig.by.publicKey.verify(raw.bytes, sig)
+        return raw.deserialize()
+    }
+}
+
+// TODO: This class should reside in the [DigitalSignature] class.
+/** A digital signature that identifies who the public key is owned by, and the certificate which provides prove of the identity */
+class DigitalSignatureWithCert(val by: X509Certificate, val signatureBytes: ByteArray) : DigitalSignature(signatureBytes)

node-api/src/main/kotlin/net/corda/nodeapi/internal/NetworkParametersCopier.kt

@@ -0,0 +1,32 @@
+package net.corda.nodeapi.internal
+
+import net.corda.core.crypto.SignedData
+import net.corda.core.crypto.entropyToKeyPair
+import net.corda.core.crypto.sign
+import net.corda.core.internal.copyTo
+import net.corda.core.internal.div
+import net.corda.core.serialization.serialize
+import net.corda.nodeapi.internal.NetworkParameters
+import java.math.BigInteger
+import java.nio.file.FileAlreadyExistsException
+import java.nio.file.Path
+
+class NetworkParametersCopier(networkParameters: NetworkParameters) {
+    private companion object {
+        val DUMMY_MAP_KEY = entropyToKeyPair(BigInteger.valueOf(123))
+    }
+
+    private val serializedNetworkParameters = networkParameters.let {
+        val serialize = it.serialize()
+        val signature = DUMMY_MAP_KEY.sign(serialize)
+        SignedData(serialize, signature).serialize()
+    }
+
+    fun install(dir: Path) {
+        try {
+            serializedNetworkParameters.open().copyTo(dir / "network-parameters")
+        } catch (e: FileAlreadyExistsException) {
+            // Leave the file untouched if it already exists
+        }
+    }
+}

node-api/src/main/kotlin/net/corda/nodeapi/internal/NetworkParametersGenerator.kt

@@ -0,0 +1,111 @@
+package net.corda.nodeapi.internal
+
+import com.typesafe.config.ConfigFactory
+import net.corda.core.crypto.SignedData
+import net.corda.core.identity.Party
+import net.corda.core.internal.div
+import net.corda.core.internal.list
+import net.corda.core.internal.readAll
+import net.corda.core.node.NodeInfo
+import net.corda.core.serialization.SerializationContext
+import net.corda.core.serialization.deserialize
+import net.corda.core.serialization.internal.SerializationEnvironmentImpl
+import net.corda.core.serialization.internal._contextSerializationEnv
+import net.corda.core.utilities.ByteSequence
+import net.corda.core.utilities.contextLogger
+import net.corda.core.utilities.days
+import net.corda.nodeapi.internal.serialization.AMQP_P2P_CONTEXT
+import net.corda.nodeapi.internal.serialization.KRYO_P2P_CONTEXT
+import net.corda.nodeapi.internal.serialization.SerializationFactoryImpl
+import net.corda.nodeapi.internal.serialization.amqp.AMQPServerSerializationScheme
+import net.corda.nodeapi.internal.serialization.kryo.AbstractKryoSerializationScheme
+import net.corda.nodeapi.internal.serialization.kryo.KryoHeaderV0_1
+import java.nio.file.Path
+import java.time.Instant
+
+/**
+ * This class is loaded by Cordform using reflection to generate the network parameters. It is assumed that Cordform has
+ * already asked each node to generate its node info file.
+ */
+@Suppress("UNUSED")
+class NetworkParametersGenerator {
+    companion object {
+        private val logger = contextLogger()
+    }
+
+    fun run(nodesDirs: List<Path>) {
+        logger.info("NetworkParameters generation using node directories: $nodesDirs")
+        try {
+            initialiseSerialization()
+            val notaryInfos = gatherNotaryIdentities(nodesDirs)
+            val copier = NetworkParametersCopier(NetworkParameters(
+                    minimumPlatformVersion = 1,
+                    notaries = notaryInfos,
+                    modifiedTime = Instant.now(),
+                    eventHorizon = 10000.days,
+                    maxMessageSize = 40000,
+                    maxTransactionSize = 40000,
+                    epoch = 1
+            ))
+            nodesDirs.forEach(copier::install)
+        } finally {
+            _contextSerializationEnv.set(null)
+        }
+    }
+    
+    private fun gatherNotaryIdentities(nodesDirs: List<Path>): List<NotaryInfo> {
+        return nodesDirs.mapNotNull { nodeDir ->
+            val nodeConfig = ConfigFactory.parseFile((nodeDir / "node.conf").toFile())
+            if (nodeConfig.hasPath("notary")) {
+                val validating = nodeConfig.getConfig("notary").getBoolean("validating")
+                val nodeInfoFile = nodeDir.list { paths -> paths.filter { it.fileName.toString().startsWith("nodeInfo-") }.findFirst().get() }
+                processFile(nodeInfoFile)?.let { NotaryInfo(it.notaryIdentity(), validating) }
+            } else {
+                null
+            }
+        }.distinct() // We need distinct as nodes part of a distributed notary share the same notary identity
+    }
+
+    private fun NodeInfo.notaryIdentity(): Party {
+        return when (legalIdentities.size) {
+            // Single node notaries have just one identity like all other nodes. This identity is the notary identity
+            1 -> legalIdentities[0]
+            // Nodes which are part of a distributed notary have a second identity which is the composite identity of the
+            // cluster and is shared by all the other members. This is the notary identity.
+            2 -> legalIdentities[1]
+            else -> throw IllegalArgumentException("Not sure how to get the notary identity in this scenerio: $this")
+        }
+    }
+
+    private fun processFile(file: Path): NodeInfo? {
+        return try {
+            logger.info("Reading NodeInfo from file: $file")
+            val signedData = file.readAll().deserialize<SignedData<NodeInfo>>()
+            signedData.verified()
+        } catch (e: Exception) {
+            logger.warn("Exception parsing NodeInfo from file. $file", e)
+            null
+        }
+    }
+
+    // We need to to set serialization env, because generation of parameters is run from Cordform.
+    // KryoServerSerializationScheme is not accessible from nodeapi.
+    private fun initialiseSerialization() {
+        val context = if (java.lang.Boolean.getBoolean("net.corda.testing.amqp.enable")) AMQP_P2P_CONTEXT else KRYO_P2P_CONTEXT
+        _contextSerializationEnv.set(SerializationEnvironmentImpl(
+                SerializationFactoryImpl().apply {
+                    registerScheme(KryoParametersSerializationScheme)
+                    registerScheme(AMQPServerSerializationScheme())
+                },
+                context)
+        )
+    }
+
+    private object KryoParametersSerializationScheme : AbstractKryoSerializationScheme() {
+        override fun canDeserializeVersion(byteSequence: ByteSequence, target: SerializationContext.UseCase): Boolean {
+            return byteSequence == KryoHeaderV0_1 && target == SerializationContext.UseCase.P2P
+        }
+        override fun rpcClientKryoPool(context: SerializationContext) = throw UnsupportedOperationException()
+        override fun rpcServerKryoPool(context: SerializationContext) = throw UnsupportedOperationException()
+    }
+}

node-api/src/main/kotlin/net/corda/nodeapi/internal/NodeInfoFilesCopier.kt

@@ -1,4 +1,4 @@
-package net.corda.nodeapi
+package net.corda.nodeapi.internal
 
 import net.corda.cordform.CordformNode
 import net.corda.core.internal.ThreadBox

node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt

@@ -0,0 +1,54 @@
+package net.corda.nodeapi.internal
+
+import net.corda.core.crypto.CompositeKey
+import net.corda.core.crypto.generateKeyPair
+import net.corda.core.identity.CordaX500Name
+import net.corda.core.identity.Party
+import net.corda.core.internal.cert
+import net.corda.core.internal.createDirectories
+import net.corda.core.internal.div
+import net.corda.core.utilities.trace
+import net.corda.nodeapi.internal.crypto.*
+import org.slf4j.LoggerFactory
+import java.nio.file.Path
+import java.security.cert.X509Certificate
+
+object ServiceIdentityGenerator {
+    private val log = LoggerFactory.getLogger(javaClass)
+
+    /**
+     * Generates signing key pairs and a common distributed service identity for a set of nodes.
+     * The key pairs and the group identity get serialized to disk in the corresponding node directories.
+     * This method should be called *before* any of the nodes are started.
+     *
+     * @param dirs List of node directories to place the generated identity and key pairs in.
+     * @param serviceName The legal name of the distributed service.
+     * @param threshold The threshold for the generated group [CompositeKey].
+     * @param customRootCert the certificate to use a Corda root CA. If not specified the one in
+     *      certificates/cordadevcakeys.jks is used.
+     */
+    fun generateToDisk(dirs: List<Path>,
+                       serviceName: CordaX500Name,
+                       serviceId: String,
+                       threshold: Int = 1,
+                       customRootCert: X509Certificate? = null): Party {
+        log.trace { "Generating a group identity \"serviceName\" for nodes: ${dirs.joinToString()}" }
+        val keyPairs = (1..dirs.size).map { generateKeyPair() }
+        val notaryKey = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
+
+        val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
+        val issuer = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, "cordacadevkeypass")
+        val rootCert = customRootCert ?: caKeyStore.getCertificate(X509Utilities.CORDA_ROOT_CA)
+
+        keyPairs.zip(dirs) { keyPair, dir ->
+            val serviceKeyCert = X509Utilities.createCertificate(CertificateType.NODE_CA, issuer.certificate, issuer.keyPair, serviceName, keyPair.public)
+            val compositeKeyCert = X509Utilities.createCertificate(CertificateType.NODE_CA, issuer.certificate, issuer.keyPair, serviceName, notaryKey)
+            val certPath = (dir / "certificates").createDirectories() / "distributedService.jks"
+            val keystore = loadOrCreateKeyStore(certPath, "cordacadevpass")
+            keystore.setCertificateEntry("$serviceId-composite-key", compositeKeyCert.cert)
+            keystore.setKeyEntry("$serviceId-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, issuer.certificate.cert, rootCert))
+            keystore.save(certPath, "cordacadevpass")
+        }
+        return Party(serviceName, notaryKey)
+    }
+}

node-api/src/main/kotlin/net/corda/nodeapi/internal/config/SSLConfiguration.kt

@@ -15,4 +15,5 @@ interface SSLConfiguration {
 interface NodeSSLConfiguration : SSLConfiguration {
     val baseDirectory: Path
     override val certificatesDirectory: Path get() = baseDirectory / "certificates"
+    val rootCertFile: Path get() = certificatesDirectory / "rootcert.pem"
 }

node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt

@@ -18,7 +18,7 @@ class KeyStoreWrapper(private val storePath: Path, private val storePassword: St
         val clientCA = certificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA)
         // Create new keys and store in keystore.
         val cert = X509Utilities.createCertificate(CertificateType.WELL_KNOWN_IDENTITY, clientCA.certificate, clientCA.keyPair, serviceName, pubKey)
-        val certPath = X509CertificateFactory().delegate.generateCertPath(listOf(cert.cert) + clientCertPath)
+        val certPath = X509CertificateFactory().generateCertPath(cert.cert, *clientCertPath)
         require(certPath.certificates.isNotEmpty()) { "Certificate path cannot be empty" }
         // TODO: X509Utilities.validateCertificateChain()
         return certPath

node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt

@@ -4,8 +4,8 @@ import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.random63BitValue
 import net.corda.core.identity.CordaX500Name
+import net.corda.core.internal.cert
 import net.corda.core.internal.read
-import net.corda.core.internal.write
 import net.corda.core.internal.x500Name
 import net.corda.core.utilities.days
 import net.corda.core.utilities.millis
@@ -27,10 +27,8 @@ import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder
 import org.bouncycastle.pkcs.PKCS10CertificationRequest
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder
 import org.bouncycastle.util.io.pem.PemReader
-import java.io.FileWriter
 import java.io.InputStream
 import java.math.BigInteger
-import java.nio.file.Files
 import java.nio.file.Path
 import java.security.KeyPair
 import java.security.PublicKey
@@ -153,7 +151,7 @@ object X509Utilities {
         require(certificates.isNotEmpty()) { "Certificate path must contain at least one certificate" }
         val params = PKIXParameters(setOf(TrustAnchor(trustedRoot, null)))
         params.isRevocationEnabled = false
-        val certPath = X509CertificateFactory().delegate.generateCertPath(certificates.toList())
+        val certPath = X509CertificateFactory().generateCertPath(*certificates)
         val pathValidator = CertPathValidator.getInstance("PKIX")
         pathValidator.validate(certPath, params)
     }
@@ -164,7 +162,7 @@ object X509Utilities {
      * @param file Target file.
      */
     @JvmStatic
-    fun saveCertificateAsPEMFile(x509Certificate: X509CertificateHolder, file: Path) {
+    fun saveCertificateAsPEMFile(x509Certificate: X509Certificate, file: Path) {
         JcaPEMWriter(file.toFile().writer()).use {
             it.writeObject(x509Certificate)
         }
@@ -176,14 +174,14 @@ object X509Utilities {
      * @return The X509Certificate that was encoded in the file.
      */
     @JvmStatic
-    fun loadCertificateFromPEMFile(file: Path): X509CertificateHolder {
-        val cert = file.read {
+    fun loadCertificateFromPEMFile(file: Path): X509Certificate {
+        return file.read {
             val reader = PemReader(it.reader())
             val pemObject = reader.readPemObject()
-            X509CertificateHolder(pemObject.content)
+            val certHolder = X509CertificateHolder(pemObject.content)
+            certHolder.isValidOn(Date())
+            certHolder.cert
         }
-        cert.isValidOn(Date())
-        return cert
     }
 
     /**
@@ -310,9 +308,18 @@ object X509Utilities {
  */
 class X509CertificateFactory {
     val delegate: CertificateFactory = CertificateFactory.getInstance("X.509")
+
     fun generateCertificate(input: InputStream): X509Certificate {
         return delegate.generateCertificate(input) as X509Certificate
     }
+
+    fun generateCertPath(certificates: List<Certificate>): CertPath {
+        return delegate.generateCertPath(certificates)
+    }
+
+    fun generateCertPath(vararg certificates: Certificate): CertPath {
+        return delegate.generateCertPath(certificates.asList())
+    }
 }
 
 enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurposeId, val isCA: Boolean) {

node-api/src/main/kotlin/net/corda/nodeapi/internal/serialization/DefaultWhitelist.kt

@@ -6,6 +6,7 @@ import net.corda.core.utilities.NetworkHostAndPort
 import org.apache.activemq.artemis.api.core.SimpleString
 import rx.Notification
 import rx.exceptions.OnErrorNotImplementedException
+import sun.security.x509.X509CertImpl
 import java.util.*
 
 /**
@@ -58,6 +59,9 @@ object DefaultWhitelist : SerializationWhitelist {
                     java.util.LinkedHashMap::class.java,
                     BitSet::class.java,
                     OnErrorNotImplementedException::class.java,
-                    StackTraceElement::class.java
-            )
+                    StackTraceElement::class.java,
+
+                    // Implementation of X509Certificate.
+                    X509CertImpl::class.java
+                    )
 }

node-api/src/main/kotlin/net/corda/nodeapi/internal/serialization/kryo/DefaultKryoCustomizer.kt

@@ -44,6 +44,7 @@ import org.objenesis.strategy.StdInstantiatorStrategy
 import org.slf4j.Logger
 import sun.security.ec.ECPublicKeyImpl
 import sun.security.provider.certpath.X509CertPath
+import sun.security.x509.X509CertImpl
 import java.io.BufferedInputStream
 import java.io.ByteArrayOutputStream
 import java.io.FileInputStream
@@ -75,6 +76,7 @@ object DefaultKryoCustomizer {
             addDefaultSerializer(InputStream::class.java, InputStreamSerializer)
             addDefaultSerializer(SerializeAsToken::class.java, SerializeAsTokenSerializer<SerializeAsToken>())
             addDefaultSerializer(Logger::class.java, LoggerSerializer)
+            addDefaultSerializer(X509Certificate::class.java, X509CertificateSerializer)
 
             // WARNING: reordering the registrations here will cause a change in the serialized form, since classes
             // with custom serializers get written as registration ids. This will break backwards-compatibility.
@@ -108,7 +110,6 @@ object DefaultKryoCustomizer {
             register(FileInputStream::class.java, InputStreamSerializer)
             register(CertPath::class.java, CertPathSerializer)
             register(X509CertPath::class.java, CertPathSerializer)
-            register(X509Certificate::class.java, X509CertificateSerializer)
             register(BCECPrivateKey::class.java, PrivateKeySerializer)
             register(BCECPublicKey::class.java, publicKeySerializer)
             register(BCRSAPrivateCrtKey::class.java, PrivateKeySerializer)

node-api/src/test/kotlin/net/corda/nodeapi/NodeInfoFilesCopierTest.kt

@@ -1,6 +1,7 @@
 package net.corda.nodeapi
 
 import net.corda.cordform.CordformNode
+import net.corda.nodeapi.internal.NodeInfoFilesCopier
 import net.corda.testing.eventually
 import org.junit.Before
 import org.junit.Rule

node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt

@@ -71,7 +71,7 @@ class X509UtilitiesTest {
     fun `load and save a PEM file certificate`() {
         val tmpCertificateFile = tempFile("cacert.pem")
         val caKey = generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
-        val caCert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Test Cert", organisation = "R3 Ltd", locality = "London", country = "GB"), caKey)
+        val caCert = X509Utilities.createSelfSignedCACertificate(CordaX500Name(commonName = "Test Cert", organisation = "R3 Ltd", locality = "London", country = "GB"), caKey).cert
         X509Utilities.saveCertificateAsPEMFile(caCert, tmpCertificateFile)
         val readCertificate = X509Utilities.loadCertificateFromPEMFile(tmpCertificateFile)
         assertEquals(caCert, readCertificate)
@@ -433,7 +433,7 @@ class X509UtilitiesTest {
         val rootCAKey = Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)
         val rootCACert = X509Utilities.createSelfSignedCACertificate(ALICE.name, rootCAKey)
         val certificate = X509Utilities.createCertificate(CertificateType.TLS, rootCACert, rootCAKey, BOB.name.x500Name, BOB_PUBKEY)
-        val expected = X509CertificateFactory().delegate.generateCertPath(listOf(certificate.cert, rootCACert.cert))
+        val expected = X509CertificateFactory().generateCertPath(certificate.cert, rootCACert.cert)
         val serialized = expected.serialize(factory, context).bytes
         val actual: CertPath = serialized.deserialize(factory, context)
         assertEquals(expected, actual)