CORDA-2199 NetworkParameters certificate role (#4278)

node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt

@@ -465,6 +465,12 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
             KeyPurposeId.anyExtendedKeyUsage,
             isCA = false,
             role = CertRole.CONFIDENTIAL_LEGAL_IDENTITY
+    ),
+
+    NETWORK_PARAMETERS(
+            KeyUsage(KeyUsage.digitalSignature),
+            isCA = false,
+            role = CertRole.NETWORK_PARAMETERS
     )
 }
 

node-api/src/main/kotlin/net/corda/nodeapi/internal/network/NetworkBootstrapper.kt

@@ -357,7 +357,7 @@ internal constructor(private val initSerEnv: Boolean,
 
         when (netParamsFilesGrouped.size) {
             0 -> return null
-            1 -> return netParamsFilesGrouped.keys.first().deserialize().verifiedNetworkMapCert(DEV_ROOT_CA.certificate)
+            1 -> return netParamsFilesGrouped.keys.first().deserialize().verifiedNetworkParametersCert(DEV_ROOT_CA.certificate)
         }
 
         val msg = StringBuilder("Differing sets of network parameters were found. Make sure all the nodes have the same " +
@@ -367,7 +367,7 @@ internal constructor(private val initSerEnv: Boolean,
             netParamsFiles.map { it.parent.fileName }.joinTo(msg, ", ")
             msg.append(":\n")
             val netParamsString = try {
-                bytes.deserialize().verifiedNetworkMapCert(DEV_ROOT_CA.certificate).toString()
+                bytes.deserialize().verifiedNetworkParametersCert(DEV_ROOT_CA.certificate).toString()
             } catch (e: Exception) {
                 "Invalid network parameters file: $e"
             }

node-api/src/main/kotlin/net/corda/nodeapi/internal/network/NetworkMap.kt

@@ -54,9 +54,9 @@ data class ParametersUpdate(
         val updateDeadline: Instant
 )
 
-/** Verify that a Network Map certificate path and its [CertRole] is correct. */
-fun <T : Any> SignedDataWithCert<T>.verifiedNetworkMapCert(rootCert: X509Certificate): T {
-    require(CertRole.extract(sig.by) == CertRole.NETWORK_MAP) { "Incorrect cert role: ${CertRole.extract(sig.by)}" }
+/** Verify that a certificate path and its [CertRole] is correct. */
+fun <T : Any> SignedDataWithCert<T>.verifiedCertWithRole(rootCert: X509Certificate, vararg certRoles: CertRole): T {
+    require(CertRole.extract(sig.by) in certRoles) { "Incorrect cert role: ${CertRole.extract(sig.by)}" }
     val path = if (sig.parentCertsChain.isEmpty()) {
         listOf(sig.by, rootCert)
     } else {
@@ -65,3 +65,15 @@ fun <T : Any> SignedDataWithCert<T>.verifiedNetworkMapCert(rootCert: X509Certifi
     X509Utilities.validateCertificateChain(rootCert, path)
     return verified()
 }
+
+/** Verify that a Network Map certificate path and its [CertRole] is correct. */
+fun <T : Any> SignedDataWithCert<T>.verifiedNetworkMapCert(rootCert: X509Certificate): T {
+    return verifiedCertWithRole(rootCert, CertRole.NETWORK_MAP)
+}
+
+/** Verify that a Network Parameters certificate path and its [CertRole] is correct. */
+fun <T : Any> SignedDataWithCert<T>.verifiedNetworkParametersCert(rootCert: X509Certificate): T {
+    // for backwards compatibility we allow network parameters to be signed with
+    // the networkmap cert, but going forwards we also accept the specific netparams cert as well
+    return verifiedCertWithRole(rootCert, CertRole.NETWORK_PARAMETERS, CertRole.NETWORK_MAP)
+}

node-api/src/test/kotlin/net/corda/nodeapi/internal/network/NetworkBootstrapperTest.kt

@@ -321,7 +321,7 @@ class NetworkBootstrapperTest {
     }
 
     private val Path.networkParameters: NetworkParameters get() {
-        return (this / NETWORK_PARAMS_FILE_NAME).readObject<SignedNetworkParameters>().verifiedNetworkMapCert(DEV_ROOT_CA.certificate)
+        return (this / NETWORK_PARAMS_FILE_NAME).readObject<SignedNetworkParameters>().verifiedNetworkParametersCert(DEV_ROOT_CA.certificate)
     }
 
     private val Path.nodeInfoFile: Path get() {