Making BasicConstraints a critical extension (#420)

Path length will be decided in another ticket - https://r3-cev.atlassian.net/browse/ENT-1508
2025-06-20 16:10:26 +00:00 · 2018-02-08 14:30:20 +00:00
parent 453029e548
commit 8c5f0ac0ca
13 changed files with 261 additions and 7 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt
@ -95,14 +95,18 @@ fun createDevNodeCa(intermediateCa: CertificateAndKeyPair,
 }

 val DEV_INTERMEDIATE_CA: CertificateAndKeyPair get() = DevCaHelper.loadDevCa(X509Utilities.CORDA_INTERMEDIATE_CA)
-
 val DEV_ROOT_CA: CertificateAndKeyPair get() = DevCaHelper.loadDevCa(X509Utilities.CORDA_ROOT_CA)
+val DEV_CA_PRIVATE_KEY_PASS: String = "cordacadevkeypass"
+val DEV_CA_KEY_STORE_FILE: String = "cordadevcakeys.jks"
+val DEV_CA_KEY_STORE_PASS: String = "cordacadevpass"
+val DEV_CA_TRUST_STORE_FILE: String = "cordatruststore.jks"
+val DEV_CA_TRUST_STORE_PASS: String = "trustpass"

 // We need a class so that we can get hold of the class loader
 internal object DevCaHelper {
    fun loadDevCa(alias: String): CertificateAndKeyPair {
        // TODO: Should be identity scheme
-        val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass")
-        return caKeyStore.getCertificateAndKeyPair(alias, "cordacadevkeypass")
+        val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/$DEV_CA_KEY_STORE_FILE"), "$DEV_CA_KEY_STORE_PASS")
+        return caKeyStore.getCertificateAndKeyPair(alias, "$DEV_CA_PRIVATE_KEY_PASS")
    }
 }
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@ -159,7 +159,7 @@ object X509Utilities {

        val builder = JcaX509v3CertificateBuilder(issuer, serial, validityWindow.first, validityWindow.second, subject, subjectPublicKey)
                .addExtension(Extension.subjectKeyIdentifier, false, BcX509ExtensionUtils().createSubjectKeyIdentifier(subjectPublicKeyInfo))
-                .addExtension(Extension.basicConstraints, certificateType.isCA, BasicConstraints(certificateType.isCA))
+                .addExtension(Extension.basicConstraints, true, BasicConstraints(certificateType.isCA))
                .addExtension(Extension.keyUsage, false, certificateType.keyUsage)
                .addExtension(Extension.extendedKeyUsage, false, keyPurposes)

--- a/node-api/src/main/resources/certificates/cordadevcakeys.jks
+++ b/node-api/src/main/resources/certificates/cordadevcakeys.jks
--- a/node-api/src/main/resources/certificates/cordatruststore.jks
+++ b/node-api/src/main/resources/certificates/cordatruststore.jks