From 05c2428f2fb76ba73ac195821833d596deca677e Mon Sep 17 00:00:00 2001
From: Ross Nicoll
Date: Thu, 23 Jul 2020 15:17:59 +0100
Subject: [PATCH 1/2] NOTICK Add more detail on signature build failures (#6510) Add details of the signature provider and key algorithm if `InvalidKeyException` is thrown when constructing a `ContentSigner`, in order to be able to usefully diagnose incorrect signature providers or similar errors.
---
 .../internal/crypto/ContentSignerBuilder.kt | 19 +++++++----
 .../crypto/ContentSignerBuilderTest.kt | 33 +++++++++++++++++++
 2 files changed, 45 insertions(+), 7 deletions(-)
 create mode 100644 node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilderTest.kt
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilder.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilder.kt
index ac60f55764..bbee9e5d2a 100644
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilder.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilder.kt
@@ -6,6 +6,7 @@ import net.corda.core.crypto.internal.Instances
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier
 import org.bouncycastle.operator.ContentSigner
 import java.io.OutputStream
+import java.security.InvalidKeyException
 import java.security.PrivateKey
 import java.security.Provider
 import java.security.SecureRandom
@@ -24,14 +25,18 @@ object ContentSignerBuilder {
 else Signature.getInstance(signatureScheme.signatureName, provider)
- val sig = signatureInstance.apply {
- // TODO special handling for Sphincs due to a known BouncyCastle's Sphincs bug we reported.
- // It is fixed in BC 161b12, so consider updating the below if-statement after updating BouncyCastle.
- if (random != null && signatureScheme != SPHINCS256_SHA256) {
- initSign(privateKey, random)
- } else {
- initSign(privateKey)
+ val sig = try {
+ signatureInstance.apply {
+ // TODO special handling for Sphincs due to a known BouncyCastle's Sphincs bug we reported.
+ // It is fixed in BC 161b12, so consider updating the below if-statement after updating BouncyCastle.
+ if (random != null && signatureScheme != SPHINCS256_SHA256) {
+ initSign(privateKey, random)
+ } else {
+ initSign(privateKey)
+ }
 }
+ } catch(ex: InvalidKeyException) {
+ throw InvalidKeyException("Incorrect key type ${privateKey.algorithm} for signature scheme ${signatureInstance.algorithm}", ex)
 }
 return object : ContentSigner {
 private val stream = SignatureOutputStream(sig, optimised)
diff --git a/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilderTest.kt b/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilderTest.kt
new file mode 100644
index 0000000000..6920c78093
--- /dev/null
+++ b/node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/ContentSignerBuilderTest.kt
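Review bot: The rethrow in the new `catch(ex: InvalidKeyException)` block of ContentSignerBuilder.kt labels every `InvalidKeyException` from `initSign` as "Incorrect key type", and it leaves out the provider even though the commit description says the provider is reported. `initSign` can presumably reject a key for reasons other than its type (encoding, size, a provider that cannot use the key), so neutral wording plus the provider name would diagnose more cases: `throw InvalidKeyException("Cannot initialise ${signatureInstance.algorithm} signer from provider ${signatureInstance.provider.name} with ${privateKey.algorithm} key", ex)`. Only algorithm and provider names are interpolated, so no key material reaches the logs, and the original exception stays attached as the cause. The exact-message assertion in ContentSignerBuilderTest.kt would have to follow, and the enclosing `build` function starts and ends outside this hunk.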
@@ -0,0 +1,33 @@
+package net.corda.nodeapi.internal.crypto
+
+import net.corda.core.crypto.Crypto
+import org.assertj.core.api.Assertions.assertThatExceptionOfType
+import org.junit.Test
+import java.math.BigInteger
+import java.security.InvalidKeyException
+
+class ContentSignerBuilderTest {
+ companion object {
+ private const val entropy = "20200723"
+ }
+
+ @Test(timeout = 300_000)
+ fun `should build content signer for valid eddsa key`() {
+ val signatureScheme = Crypto.EDDSA_ED25519_SHA512
+ val provider = Crypto.findProvider(signatureScheme.providerName)
+ val issuerKeyPair = Crypto.deriveKeyPairFromEntropy(signatureScheme, BigInteger(entropy))
+ ContentSignerBuilder.build(signatureScheme, issuerKeyPair.private, provider)
+ }
+
+ @Test(timeout = 300_000)
+ fun `should fail to build content signer for incorrect key type`() {
+ val signatureScheme = Crypto.EDDSA_ED25519_SHA512
+ val provider = Crypto.findProvider(signatureScheme.providerName)
+ val issuerKeyPair = Crypto.deriveKeyPairFromEntropy(Crypto.ECDSA_SECP256R1_SHA256, BigInteger(entropy))
+ assertThatExceptionOfType(InvalidKeyException::class.java)
+ .isThrownBy {
+ ContentSignerBuilder.build(signatureScheme, issuerKeyPair.private, provider)
+ }
+ .withMessage("Incorrect key type EC for signature scheme NONEwithEdDSA")
+ }
+}
\ No newline at end of file
From 13073c300f4db305722946e35bba9828863d041c Mon Sep 17 00:00:00 2001
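Review bot: The negative test in ContentSignerBuilderTest.kt pins the whole message with `.withMessage("Incorrect key type EC for signature scheme NONEwithEdDSA")` but never checks that the original exception is still attached as the cause. The `EC` part appears to be whatever the derived key reports as its algorithm, so a provider upgrade (the next patch in this series moves BouncyCastle to 1.61) could break the assertion without the behaviour regressing. Using `.withMessageContaining("for signature scheme NONEwithEdDSA")` followed by `.withCauseInstanceOf(InvalidKeyException::class.java)` would test the contract more directly. The first test makes no assertion on the returned signer, so it only shows that `build` does not throw.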
From: Ross Nicoll
Date: Thu, 23 Jul 2020 16:59:42 +0100
Subject: [PATCH 2/2] NOTICK: OS 4.3 to OS 4.4 merge (#6506) * CORDA-3917 Update to Jackson 2.9.8 (#6493) * Update to Jackson 2.9.8 to address multiple security issues, and update warning note about updates to clarify that it refers to 2.10+. When the note was added 2.9.7 as the highest available version in the 2.9.x series. * Add PR code checks Jenkinsfile * CORDA-3916 Update to BouncyCastle 1.61 (#6492) Update to BouncyCastle 1.61. Updating one version at a time to mitigate risk of a complex breaking change being introduced. * Added missing collection of JUnit tests and logs Co-authored-by: Waldemar Zurowski
---
 .ci/dev/compatibility/JenkinsfileJDK11Compile | 4 ++++
 build.gradle | 4 ++--
 constants.properties | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.ci/dev/compatibility/JenkinsfileJDK11Compile b/.ci/dev/compatibility/JenkinsfileJDK11Compile
index f6e9c43195..d84a91db54 100644
--- a/.ci/dev/compatibility/JenkinsfileJDK11Compile
+++ b/.ci/dev/compatibility/JenkinsfileJDK11Compile
@@ -32,6 +32,10 @@ pipeline {
 }
 post {
+ always {
+ archiveArtifacts allowEmptyArchive: true, artifacts: '**/logs/**/*.log'
+ junit testResults: '**/build/test-results/**/*.xml', keepLongStdio: true
+ }
 cleanup {
 deleteDir() /* clean up our workspace */
 }
diff --git a/build.gradle b/build.gradle
index 85fc16a9da..241c85b5a6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,8 +62,8 @@ buildscript {
 ext.asm_version = '7.1'
 ext.artemis_version = '2.6.2'
- // TODO Upgrade Jackson only when corda is using kotlin 1.3.10
- ext.jackson_version = '2.9.7'
+ // TODO Upgrade to Jackson 2.10+ only when corda is using kotlin 1.3.10
+ ext.jackson_version = '2.9.8'
 ext.jetty_version = '9.4.19.v20190610'
 ext.jersey_version = '2.25'
 ext.servlet_version = '4.0.1'
diff --git a/constants.properties b/constants.properties
index 27a3493ced..1ca16d18ee 100644
--- a/constants.properties
+++ b/constants.properties
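Review bot: In the `post { always { … } }` block added to JenkinsfileJDK11Compile, `archiveArtifacts` tolerates an empty match through `allowEmptyArchive: true` but the `junit` step has no equivalent. A run that aborts before any report is written would then likely be failed a second time by the publisher, obscuring the original error. If that is not intended, `junit testResults: '**/build/test-results/**/*.xml', keepLongStdio: true, allowEmptyResults: true` keeps the two steps consistent. The archived `**/logs/**/*.log` files become readable to anyone who can view the job, so it is worth confirming that logs written during these runs carry no credentials. The `post` block continues outside the hunk.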
@@ -20,7 +20,7 @@ quasarClassifier=jdk8
 quasarVersion11=0.8.0_r3
 jdkClassifier11=jdk11
 proguardVersion=6.1.1
-bouncycastleVersion=1.60
+bouncycastleVersion=1.61
 classgraphVersion=4.8.58
 disruptorVersion=3.4.2
 typesafeConfigVersion=1.3.4