From cfb28f6a1fe9df9627f9f80f9a42e0ea26725ddb Mon Sep 17 00:00:00 2001
From: Jerome Gerakis <66950409+J-Gerakis@users.noreply.github.com>
Date: Mon, 21 Sep 2020 10:27:12 +0100
Subject: [PATCH 1/2] backport of bugfix ENT-5752 into OS 4.3 (#6724)
---
 .../net/corda/node/services/network/NetworkMapUpdater.kt | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/node/src/main/kotlin/net/corda/node/services/network/NetworkMapUpdater.kt b/node/src/main/kotlin/net/corda/node/services/network/NetworkMapUpdater.kt
index d39f6fbc8f..50d284b48e 100644
--- a/node/src/main/kotlin/net/corda/node/services/network/NetworkMapUpdater.kt
+++ b/node/src/main/kotlin/net/corda/node/services/network/NetworkMapUpdater.kt
@@ -142,6 +142,11 @@ class NetworkMapUpdater(private val networkMapCache: NetworkMapCacheInternal,
 val nextScheduleDelay = try {
 updateNetworkMapCache()
 } catch (e: Exception) {
+ // Check to see if networkmap was reachable before and cached information exists
+ if (networkMapCache.allNodeHashes.size > 1) {
+ logger.debug("Networkmap Service unreachable but more than one nodeInfo entries found in the cache. Allowing node start-up to proceed.")
+ networkMapCache.nodeReady.set(null)
+ }
 logger.warn("Error encountered while updating network map, will retry in $defaultRetryInterval", e)
 defaultRetryInterval
 }
From 07d9a1ead8f677f1c86bcb488fd55e3625fc99e6 Mon Sep 17 00:00:00 2001
From: Denis Rekalov
Date: Thu, 1 Oct 2020 12:26:51 +0100
Subject: [PATCH 2/2] CORDA-4043: Generate 16-octets certificate serial numbers (#6746) (#6755)
---
 .../nodeapi/internal/crypto/X509Utilities.kt | 17 +++++++++++++++--
 .../internal/crypto/X509UtilitiesTest.kt | 12 ++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
index 85c4f440c4..a0d940f0c4 100644
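Review bot: The bypass in the new `if` block lets the node come up on cached node infos without reaching the network map service, but it records that fact only at debug level, so an operator watching the log sees just the retry warning that follows and not that the node is running on possibly stale data. I would raise the bypass message to warn and include the count, e.g. `logger.warn("Network map service unreachable; proceeding with ${networkMapCache.allNodeHashes.size} cached node infos, which may be stale.")`. Note also that this block sits in the retry path, so it runs on every failed refresh rather than only at first start-up; the comment `// Check to see if networkmap was reachable before` should say that `nodeReady` is (re)set on each failure, and whether a repeated `set(null)` is harmless depends on `nodeReady`'s type, which the hunk does not show. The `size > 1` threshold presumably treats the node's own info as the one entry that always exists — worth stating in the comment so nobody lowers it. The enclosing lambda starts and ends outside the hunk.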
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@@ -2,7 +2,7 @@ package net.corda.nodeapi.internal.crypto
 import net.corda.core.CordaOID
 import net.corda.core.crypto.Crypto
-import net.corda.core.crypto.random63BitValue
+import net.corda.core.crypto.newSecureRandom
 import net.corda.core.internal.*
 import net.corda.core.utilities.days
 import net.corda.core.utilities.millis
@@ -35,6 +35,8 @@ import java.time.Instant
 import java.time.temporal.ChronoUnit
 import java.util.*
 import javax.security.auth.x500.X500Principal
+import kotlin.experimental.and
+import kotlin.experimental.or
 object X509Utilities {
 val DEFAULT_IDENTITY_SIGNATURE_SCHEME = Crypto.EDDSA_ED25519_SHA512
@@ -57,6 +59,8 @@ object X509Utilities {
 // future and stick to [A-Za-z0-9].
 const val DISTRIBUTED_NOTARY_ALIAS_PREFIX = "distributed-notary"
+ private const val CERTIFICATE_SERIAL_NUMBER_LENGTH = 16
+
 val DEFAULT_VALIDITY_WINDOW = Pair(0.millis, 3650.days)
 /**
@@ -166,7 +170,7 @@ object X509Utilities {
 nameConstraints: NameConstraints? = null,
 crlDistPoint: String? = null,
 crlIssuer: X500Name? = null): X509v3CertificateBuilder {
- val serial = BigInteger.valueOf(random63BitValue())
+ val serial = generateCertificateSerialNumber()
 val keyPurposes = DERSequence(ASN1EncodableVector().apply { certificateType.purposes.forEach { add(it) } })
 val subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(subjectPublicKey.encoded))
 val role = certificateType.role
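Review bot: `private const val CERTIFICATE_SERIAL_NUMBER_LENGTH = 16` in the `@@ -57` hunk carries no explanation of the choice, so someone later "tuning" it has no warning that there is a hard ceiling. I would add above it: `// RFC 5280 §4.1.2.2 caps serialNumber at 20 octets and requires a positive, non-zero value; 16 random octets (with the two top bits fixed by the generator) leave 126 bits of entropy, well above the 64-bit CA/Browser Forum minimum.` The `@@ -166` call-site change itself needs nothing further.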
@@ -346,6 +350,15 @@ object X509Utilities {
 builder.addExtension(Extension.cRLDistributionPoints, false, CRLDistPoint(arrayOf(distPoint)))
 }
 }
+ @Suppress("MagicNumber")
+ private fun generateCertificateSerialNumber(): BigInteger {
+ val bytes = ByteArray(CERTIFICATE_SERIAL_NUMBER_LENGTH)
+ newSecureRandom().nextBytes(bytes)
+ // Set highest byte to 01xxxxxx to ensure positive sign and constant bit length.
+ bytes[0] = bytes[0].and(0x3F).or(0x40)
+ return BigInteger(bytes)
+ }
 }
 // Assuming cert type to role is 1:1
diff --git a/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt b/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt
index e60be8435e..38d46e0666 100644
--- a/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt
+++ b/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt
@@ -452,4 +452,16 @@ class X509UtilitiesTest {
 assertEquals(childKeyPair.public, reloadedPublicKey)
 assertEquals(childKeyPair.private, reloadedPrivateKey)
 }
+ @Test(timeout = 300_000)
+ fun `check certificate serial number`() {
+ val keyPair = generateKeyPair()
+ val subject = X500Principal("CN=Test,O=R3 Ltd,L=London,C=GB")
+ val cert = X509Utilities.createSelfSignedCACertificate(subject, keyPair)
+ assertTrue(cert.serialNumber.signum() > 0)
+ assertEquals(127, cert.serialNumber.bitLength())
+ val serialized = X509Utilities.buildCertPath(cert).encoded
+ val deserialized = X509CertificateFactory().delegate.generateCertPath(serialized.inputStream()).x509Certificates.first()
+ assertEquals(cert.serialNumber, deserialized.serialNumber)
+ }
 }
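Review bot: The masks in `bytes[0] = bytes[0].and(0x3F).or(0x40)` are hidden behind `@Suppress("MagicNumber")`, and the comment above the line omits the property that matters for RFC 5280 — setting bit 6 is also what guarantees the serial is never zero. I would replace the comment with `// Force the top byte to 01xxxxxx: clears the sign bit (positive BigInteger), guarantees a non-zero serial as RFC 5280 requires, and fixes bitLength at 127 regardless of the random bytes.` and name the masks, e.g. `private const val SERIAL_TOP_BYTE_MASK: Byte = 0x3F` and `private const val SERIAL_TOP_BYTE_FLAG: Byte = 0x40`, so the suppression can go. Nothing in the hunk shows whether `newSecureRandom()` returns a shared instance; if it constructs a fresh `SecureRandom` per call, every issued certificate pays that cost and the instance could be hoisted into the object. A per-call instance is the safer default against seed-state reuse across VM clones, so I would confirm what the helper does before changing it.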
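Review bot: The new test pins sign, bit length and DER round-trip of a single serial but never checks that two certificates receive different serials, so a regression that made `generateCertificateSerialNumber` deterministic (a seeded or state-reusing random source) would still pass. I would add one assertion after the bit-length check: `assertNotEquals(cert.serialNumber, X509Utilities.createSelfSignedCACertificate(subject, keyPair).serialNumber)`. The `assertEquals(127, cert.serialNumber.bitLength())` line is the right pin for the top-byte fixing and should stay.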