diff --git a/confidential-identities/src/test/kotlin/net/corda/confidential/SwapIdentitiesFlowTests.kt b/confidential-identities/src/test/kotlin/net/corda/confidential/SwapIdentitiesFlowTests.kt index 2c94e44717..7d72ec56da 100644 --- a/confidential-identities/src/test/kotlin/net/corda/confidential/SwapIdentitiesFlowTests.kt +++ b/confidential-identities/src/test/kotlin/net/corda/confidential/SwapIdentitiesFlowTests.kt @@ -79,20 +79,19 @@ class SwapIdentitiesFlowTests { @Test fun `verifies signature`() { // Set up values we'll need - val notaryNode = mockNet.defaultNotaryNode val aliceNode = mockNet.createPartyNode(ALICE_NAME) val bobNode = mockNet.createPartyNode(BOB_NAME) val alice: PartyAndCertificate = aliceNode.info.singleIdentityAndCert() val bob: PartyAndCertificate = bobNode.info.singleIdentityAndCert() - val notary: PartyAndCertificate = mockNet.defaultNotaryIdentityAndCert - // Check that the wrong signature is rejected - notaryNode.database.transaction { - notaryNode.services.keyManagementService.freshKeyAndCert(notary, false) - }.let { anonymousNotary -> - val sigData = SwapIdentitiesFlow.buildDataToSign(anonymousNotary) - val signature = notaryNode.services.keyManagementService.sign(sigData, anonymousNotary.owningKey) + // Check that the right name but wrong key is rejected + val evilBobNode = mockNet.createPartyNode(BOB_NAME) + val evilBob = evilBobNode.info.singleIdentityAndCert() + evilBobNode.database.transaction { + val anonymousEvilBob = evilBobNode.services.keyManagementService.freshKeyAndCert(evilBob, false) + val sigData = SwapIdentitiesFlow.buildDataToSign(evilBob) + val signature = evilBobNode.services.keyManagementService.sign(sigData, anonymousEvilBob.owningKey) assertFailsWith("Signature does not match the given identity and nonce") { - SwapIdentitiesFlow.validateAndRegisterIdentity(aliceNode.services.identityService, bob.party, anonymousNotary, signature.withoutKey()) + SwapIdentitiesFlow.validateAndRegisterIdentity(aliceNode.services.identityService, bob.party, anonymousEvilBob, signature.withoutKey()) } } // Check that the right signing key, but wrong identity is rejected diff --git a/core/src/main/kotlin/net/corda/core/CordaOID.kt b/core/src/main/kotlin/net/corda/core/CordaOID.kt new file mode 100644 index 0000000000..c86a7f5269 --- /dev/null +++ b/core/src/main/kotlin/net/corda/core/CordaOID.kt @@ -0,0 +1,17 @@ +package net.corda.core + +/** + * OIDs used for the Corda platform. Entries MUST NOT be removed from this file; if an OID is incorrectly assigned it + * should be marked deprecated. + */ +object CordaOID { + /** Assigned to R3, see http://www.oid-info.com/cgi-bin/display?oid=1.3.6.1.4.1.50530&action=display */ + const val R3_ROOT = "1.3.6.1.4.1.50530" + /** OIDs issued for the Corda platform */ + const val CORDA_PLATFORM = R3_ROOT + ".1" + /** + * Identifier for the X.509 certificate extension specifying the Corda role. See + * https://r3-cev.atlassian.net/wiki/spaces/AWG/pages/156860572/Certificate+identity+type+extension for details. + */ + const val X509_EXTENSION_CORDA_ROLE = CORDA_PLATFORM + ".1" +} \ No newline at end of file diff --git a/core/src/main/kotlin/net/corda/core/identity/PartyAndCertificate.kt b/core/src/main/kotlin/net/corda/core/identity/PartyAndCertificate.kt index 12661d2881..17794be789 100644 --- a/core/src/main/kotlin/net/corda/core/identity/PartyAndCertificate.kt +++ b/core/src/main/kotlin/net/corda/core/identity/PartyAndCertificate.kt @@ -1,5 +1,6 @@ package net.corda.core.identity +import net.corda.core.internal.CertRole import net.corda.core.serialization.CordaSerializable import java.security.PublicKey import java.security.cert.* @@ -19,6 +20,8 @@ class PartyAndCertificate(val certPath: CertPath) { val certs = certPath.certificates require(certs.size >= 2) { "Certificate path must at least include subject and issuing certificates" } certificate = certs[0] as X509Certificate + val role = CertRole.extract(certificate) + require(role?.isIdentity ?: false) { "Party certificate ${certificate.subjectDN} does not have a well known or confidential identity role. Found: $role" } } @Transient @@ -38,6 +41,24 @@ class PartyAndCertificate(val certPath: CertPath) { fun verify(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult { val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = false } val validator = CertPathValidator.getInstance("PKIX") - return validator.validate(certPath, parameters) as PKIXCertPathValidatorResult + val result = validator.validate(certPath, parameters) as PKIXCertPathValidatorResult + // Apply Corda-specific validity rules to the chain. This only applies to chains with any roles present, so + // an all-null chain is in theory valid. + var parentRole: CertRole? = CertRole.extract(result.trustAnchor.trustedCert) + for (certIdx in (0 until certPath.certificates.size).reversed()) { + val certificate = certPath.certificates[certIdx] + val role = CertRole.extract(certificate) + if (parentRole != null) { + if (role == null) { + throw CertPathValidatorException("Child certificate whose issuer includes a Corda role, must also specify Corda role") + } + if (!role.isValidParent(parentRole)) { + val certificateString = (certificate as? X509Certificate)?.subjectDN?.toString() ?: certificate.toString() + throw CertPathValidatorException("The issuing certificate for $certificateString has role $parentRole, expected one of ${role.validParents}") + } + } + parentRole = role + } + return result } } diff --git a/core/src/main/kotlin/net/corda/core/internal/CertRole.kt b/core/src/main/kotlin/net/corda/core/internal/CertRole.kt new file mode 100644 index 0000000000..c2224b3c5a --- /dev/null +++ b/core/src/main/kotlin/net/corda/core/internal/CertRole.kt @@ -0,0 +1,109 @@ +package net.corda.core.internal + +import net.corda.core.CordaOID +import org.bouncycastle.asn1.ASN1Encodable +import org.bouncycastle.asn1.ASN1Integer +import org.bouncycastle.asn1.ASN1Primitive +import org.bouncycastle.asn1.DEROctetString +import java.math.BigInteger +import java.security.cert.Certificate +import java.security.cert.X509Certificate + +/** + * Describes the Corda role a certificate is used for. This is used both to verify the hierarchy of certificates is + * correct, and to determine which is the well known identity's certificate. + * + * @property validParents the parent role of this role - must match exactly for the certificate hierarchy to be valid for use + * in Corda. Null indicates the parent certificate must have no role (the extension must be absent). + * @property isIdentity true if the role is valid for use as a [net.corda.core.identity.Party] identity, false otherwise (the role is Corda + * infrastructure of some kind). + * @property isWellKnown true if the role is a well known identity type (legal entity or service). This only makes sense + * where [isIdentity] is true. + */ +// NOTE: The order of the entries in the enum MUST NOT be changed, as their ordinality is used as an identifier. Please +// also note that IDs are numbered from 1 upwards, matching numbering of other enum types in ASN.1 specifications. +// TODO: Link to the specification once it has a permanent URL +enum class CertRole(val validParents: Set, val isIdentity: Boolean, val isWellKnown: Boolean) : ASN1Encodable { + /** + * Intermediate CA (Doorman service). + */ + INTERMEDIATE_CA(setOf(null), false, false), + /** Signing certificate for the network map. */ + NETWORK_MAP(setOf(null), false, false), + /** Well known (publicly visible) identity of a service (such as notary). */ + SERVICE_IDENTITY(setOf(INTERMEDIATE_CA), true, true), + /** Node level CA from which the TLS and well known identity certificates are issued. */ + NODE_CA(setOf(INTERMEDIATE_CA), false, false), + /** Transport layer security certificate for a node. */ + TLS(setOf(NODE_CA), false, false), + /** Well known (publicly visible) identity of a legal entity. */ + LEGAL_IDENTITY(setOf(INTERMEDIATE_CA, NODE_CA), true, true), + /** Confidential (limited visibility) identity of a legal entity. */ + CONFIDENTIAL_LEGAL_IDENTITY(setOf(LEGAL_IDENTITY), true, false); + + companion object { + private var cachedRoles: Array? = null + /** + * Get a role from its ASN.1 encoded form. + * + * @throws IllegalArgumentException if the encoded data is not a valid role. + */ + fun getInstance(id: ASN1Integer): CertRole { + if (cachedRoles == null) { + cachedRoles = CertRole.values() + } + val idVal = id.value + require(idVal.compareTo(BigInteger.ZERO) > 0) { "Invalid role ID" } + return try { + val ordinal = idVal.intValueExact() - 1 + cachedRoles!![ordinal] + } catch (ex: ArithmeticException) { + throw IllegalArgumentException("Invalid role ID") + } catch (ex: ArrayIndexOutOfBoundsException) { + throw IllegalArgumentException("Invalid role ID") + } + } + + /** + * Get a role from its ASN.1 encoded form. + * + * @throws IllegalArgumentException if the encoded data is not a valid role. + */ + fun getInstance(data: ByteArray): CertRole = getInstance(ASN1Integer.getInstance(data)) + + /** + * Get a role from a certificate. + * + * @return the role if the extension is present, or null otherwise. + * @throws IllegalArgumentException if the extension is present but is invalid. + */ + fun extract(cert: Certificate): CertRole? { + val x509Cert = cert as? X509Certificate + return if (x509Cert != null) { + extract(x509Cert) + } else { + null + } + } + + /** + * Get a role from a certificate. + * + * @return the role if the extension is present, or null otherwise. + * @throws IllegalArgumentException if the extension is present but is invalid. + */ + fun extract(cert: X509Certificate): CertRole? { + val extensionData: ByteArray? = cert.getExtensionValue(CordaOID.X509_EXTENSION_CORDA_ROLE) + return if (extensionData != null) { + val extensionString = DEROctetString.getInstance(extensionData) + getInstance(extensionString.octets) + } else { + null + } + } + } + + fun isValidParent(parent: CertRole?): Boolean = parent in validParents + + override fun toASN1Primitive(): ASN1Primitive = ASN1Integer(this.ordinal + 1L) +} \ No newline at end of file diff --git a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt index f20a4b20c9..734505498d 100644 --- a/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt +++ b/core/src/test/kotlin/net/corda/core/crypto/CompositeKeyTests.kt @@ -337,7 +337,7 @@ class CompositeKeyTests { val ca = X509Utilities.createSelfSignedCACertificate(caName, caKeyPair) // Sign the composite key with the self sign CA. - val compositeKeyCert = X509Utilities.createCertificate(CertificateType.WELL_KNOWN_IDENTITY, ca, caKeyPair, caName.copy(commonName = "CompositeKey"), compositeKey) + val compositeKeyCert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, ca, caKeyPair, caName.copy(commonName = "CompositeKey"), compositeKey) // Store certificate to keystore. val keystorePath = tempFolder.root.toPath() / "keystore.jks" diff --git a/core/src/test/kotlin/net/corda/core/identity/PartyAndCertificateTest.kt b/core/src/test/kotlin/net/corda/core/identity/PartyAndCertificateTest.kt index bd6ef220a8..f64ac5440a 100644 --- a/core/src/test/kotlin/net/corda/core/identity/PartyAndCertificateTest.kt +++ b/core/src/test/kotlin/net/corda/core/identity/PartyAndCertificateTest.kt @@ -1,11 +1,14 @@ package net.corda.core.identity import net.corda.core.crypto.entropyToKeyPair +import net.corda.core.internal.cert import net.corda.core.internal.read import net.corda.core.serialization.deserialize import net.corda.core.serialization.serialize import net.corda.nodeapi.internal.crypto.KEYSTORE_TYPE +import net.corda.nodeapi.internal.crypto.X509CertificateFactory import net.corda.nodeapi.internal.crypto.save +import net.corda.testing.DEV_CA import net.corda.testing.SerializationEnvironmentRule import net.corda.testing.getTestPartyAndCertificate import org.assertj.core.api.Assertions.assertThat @@ -14,12 +17,19 @@ import org.junit.Test import java.io.File import java.math.BigInteger import java.security.KeyStore +import kotlin.test.assertFailsWith class PartyAndCertificateTest { @Rule @JvmField val testSerialization = SerializationEnvironmentRule() + @Test + fun `should reject a path with no roles`() { + val path = X509CertificateFactory().generateCertPath(DEV_CA.certificate.cert) + assertFailsWith { PartyAndCertificate(path) } + } + @Test fun `kryo serialisation`() { val original = getTestPartyAndCertificate(Party( diff --git a/core/src/test/kotlin/net/corda/core/internal/CertRoleTests.kt b/core/src/test/kotlin/net/corda/core/internal/CertRoleTests.kt new file mode 100644 index 0000000000..71fba5a51e --- /dev/null +++ b/core/src/test/kotlin/net/corda/core/internal/CertRoleTests.kt @@ -0,0 +1,25 @@ +package net.corda.core.internal + +import org.bouncycastle.asn1.ASN1Integer +import org.junit.Test +import kotlin.test.assertEquals +import kotlin.test.assertFailsWith + +class CertRoleTests { + @Test + fun `should deserialize valid value`() { + val expected = CertRole.INTERMEDIATE_CA + val actual = CertRole.getInstance(ASN1Integer(1L)) + assertEquals(expected, actual) + } + + @Test + fun `should reject invalid values`() { + // Below the lowest used value + assertFailsWith { CertRole.getInstance(ASN1Integer(0L)) } + // Outside of the array size, but a valid integer + assertFailsWith { CertRole.getInstance(ASN1Integer(Integer.MAX_VALUE - 1L)) } + // Outside of the range of integers + assertFailsWith { CertRole.getInstance(ASN1Integer(Integer.MAX_VALUE + 1L)) } + } +} \ No newline at end of file diff --git a/docs/source/changelog.rst b/docs/source/changelog.rst index 60959b5695..d21c3105fe 100644 --- a/docs/source/changelog.rst +++ b/docs/source/changelog.rst @@ -6,6 +6,15 @@ from the previous milestone release. UNRELEASED ---------- + +* X.509 certificates now have an extension that specifies the Corda role the certificate is used for, and the role + hierarchy is now enforced in the validation code. See ``net.corda.core.internal.CertRole`` for the current implementation + until final documentation is prepared. Certificates at ``NODE_CA``, ``WELL_KNOWN_SERVICE_IDENTITY`` and above must + only ever by issued by network services and therefore issuance constraints are not relevant to end users. + The ``TLS``, ``WELL_KNOWN_LEGAL_IDENTITY`` roles must be issued by the ``NODE_CA`` certificate issued by the + Doorman, and ``CONFIDENTIAL_IDENTITY`` certificates must be issued from a ``WELL_KNOWN_LEGAL_IDENTITY`` certificate. + For a detailed specification of the extension please see :doc:`permissioning-certificate-specification`. + * The network map service concept has been re-designed. More information can be found in :doc:`network-map`. * The previous design was never intended to be final but was rather a quick implementation in the earliest days of the diff --git a/docs/source/corda-networks-index.rst b/docs/source/corda-networks-index.rst index 9315a2de09..1ac1c2dc1c 100644 --- a/docs/source/corda-networks-index.rst +++ b/docs/source/corda-networks-index.rst @@ -8,3 +8,4 @@ Corda networks permissioning network-map versioning + permissioning-certificate-spec diff --git a/docs/source/permissioning-certificate-specification.rst b/docs/source/permissioning-certificate-specification.rst new file mode 100644 index 0000000000..d74a84a205 --- /dev/null +++ b/docs/source/permissioning-certificate-specification.rst @@ -0,0 +1,43 @@ +Network Permissioning - Certificate Specification +================================================= + +Certificates used by Corda have additional constraints in their contents and hierarchical structure. In a typical +installation node administrators should not need to be aware of these, however in some cases node certificates may +be managed by external tools (such as an existing PKI solution deployed within an organisation), in which case it is +important to understand these constraints. + +There are a number of roles in Corda that certificates are used for: + +* Doorman (Intermediate CA) +* Well known service identity (network map and notary) +* Node CA +* TLS +* Well known legal identity +* Confidential legal identity + +Extension +--------- + +The Corda role that a certificate relates to is specified by custom X.509 v3 extension. This extension has OID 1.3.6.1.4.1.50530.1.1 +and is non-critical, as it is safe for implementations outside of Corda nodes to ignore the extension. The extension +contains a single ASN.1 integer identifying the type of identity the certificate is for: + +1. Doorman +2. Well known service identity +3. Node CA +4. TLS +5. Well known legal identity +6. Confidential legal identity + +Hierarchy +--------- + +Certificate path validation is extended to enforce that the extension must be present where its issuer's certificate included the extension, and that: + +* Doorman certificates are issued by a certificate without the extension present +* Well known service identity certificates are issued by a certificate marked as Doorman +* Node CA certificates are issued by a certificate marked as Doorman +* Well known legal identity/TLS certificates are issued by a certificate marked as node CA +* Confidential legal identity certificates are issued by a certificate marked as well known legal identity +* Party certificates are marked as either a well known identity or a confidential identity +* The structure of certificates above Doorman/Network map is intentionally left untouched, as they are not relevant to the identity service and therefore there is no advantage in enforcing a specific structure on those certificates. The certificate hierarchy consistency checks are required because nodes can issue their own certificates and can set their own role flags on certificates, and it's important to verify that these are set consistently with the certificate hierarchy design. As as side-effect this also acts as a secondary depth restriction on issued certificates. diff --git a/docs/source/release-notes.rst b/docs/source/release-notes.rst index 2816383bc8..64d9ad8881 100644 --- a/docs/source/release-notes.rst +++ b/docs/source/release-notes.rst @@ -5,6 +5,10 @@ Here are release notes for each snapshot release from M9 onwards. Unreleased ---------- +* X.509 certificates now have an extension that specifies the Corda role the certificate is used for, and the role + hierarchy is now enforced in the validation code. This only has impact on those developing integrations with external + PKI solutions, in most cases it is managed transparently by Corda. A formal specification of the extension can be + found at see :doc:`permissioning-certificate-specification`. * **Enum Class Evolution** With the addition of AMQP serialization Corda now supports enum constant evolution. diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt index dd9c37bcba..65b60433c7 100644 --- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt +++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/ServiceIdentityGenerator.kt @@ -37,16 +37,16 @@ object ServiceIdentityGenerator { val notaryKey = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold) val caKeyStore = loadKeyStore(javaClass.classLoader.getResourceAsStream("certificates/cordadevcakeys.jks"), "cordacadevpass") - val issuer = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, "cordacadevkeypass") + val intermediateCa = caKeyStore.getCertificateAndKeyPair(X509Utilities.CORDA_INTERMEDIATE_CA, "cordacadevkeypass") val rootCert = customRootCert ?: caKeyStore.getCertificate(X509Utilities.CORDA_ROOT_CA) keyPairs.zip(dirs) { keyPair, dir -> - val serviceKeyCert = X509Utilities.createCertificate(CertificateType.NODE_CA, issuer.certificate, issuer.keyPair, serviceName, keyPair.public) - val compositeKeyCert = X509Utilities.createCertificate(CertificateType.NODE_CA, issuer.certificate, issuer.keyPair, serviceName, notaryKey) + val serviceKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, keyPair.public) + val compositeKeyCert = X509Utilities.createCertificate(CertificateType.SERVICE_IDENTITY, intermediateCa.certificate, intermediateCa.keyPair, serviceName, notaryKey) val certPath = (dir / "certificates").createDirectories() / "distributedService.jks" val keystore = loadOrCreateKeyStore(certPath, "cordacadevpass") keystore.setCertificateEntry("$serviceId-composite-key", compositeKeyCert.cert) - keystore.setKeyEntry("$serviceId-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, issuer.certificate.cert, rootCert)) + keystore.setKeyEntry("$serviceId-private-key", keyPair.private, "cordacadevkeypass".toCharArray(), arrayOf(serviceKeyCert.cert, intermediateCa.certificate.cert, rootCert)) keystore.save(certPath, "cordacadevpass") } return Party(serviceName, notaryKey) diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt index 7ba6f6268d..211f156a8d 100644 --- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt +++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt @@ -17,7 +17,7 @@ class KeyStoreWrapper(private val storePath: Path, private val storePassword: St // Assume key password = store password. val clientCA = certificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA) // Create new keys and store in keystore. - val cert = X509Utilities.createCertificate(CertificateType.WELL_KNOWN_IDENTITY, clientCA.certificate, clientCA.keyPair, serviceName, pubKey) + val cert = X509Utilities.createCertificate(CertificateType.LEGAL_IDENTITY, clientCA.certificate, clientCA.keyPair, serviceName, pubKey) val certPath = X509CertificateFactory().generateCertPath(cert.cert, *clientCertPath) require(certPath.certificates.isNotEmpty()) { "Certificate path cannot be empty" } // TODO: X509Utilities.validateCertificateChain() diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt index 273ed5fcba..70617daf76 100644 --- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt +++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt @@ -1,18 +1,17 @@ package net.corda.nodeapi.internal.crypto +import net.corda.core.CordaOID import net.corda.core.crypto.Crypto import net.corda.core.crypto.SignatureScheme import net.corda.core.crypto.random63BitValue +import net.corda.core.internal.CertRole import net.corda.core.identity.CordaX500Name import net.corda.core.internal.cert import net.corda.core.internal.read import net.corda.core.internal.x500Name import net.corda.core.utilities.days import net.corda.core.utilities.millis -import org.bouncycastle.asn1.ASN1EncodableVector -import org.bouncycastle.asn1.ASN1Sequence -import org.bouncycastle.asn1.DERSequence -import org.bouncycastle.asn1.DERUTF8String +import org.bouncycastle.asn1.* import org.bouncycastle.asn1.x500.X500Name import org.bouncycastle.asn1.x500.style.BCStyle import org.bouncycastle.asn1.x509.* @@ -221,6 +220,7 @@ object X509Utilities { val serial = BigInteger.valueOf(random63BitValue()) val keyPurposes = DERSequence(ASN1EncodableVector().apply { certificateType.purposes.forEach { add(it) } }) val subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(subjectPublicKey.encoded)) + val role = certificateType.role val builder = JcaX509v3CertificateBuilder(issuer, serial, validityWindow.first, validityWindow.second, subject, subjectPublicKey) @@ -229,9 +229,13 @@ object X509Utilities { .addExtension(Extension.keyUsage, false, certificateType.keyUsage) .addExtension(Extension.extendedKeyUsage, false, keyPurposes) + if (role != null) { + builder.addExtension(ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), false, role) + } if (nameConstraints != null) { builder.addExtension(Extension.nameConstraints, true, nameConstraints) } + return builder } @@ -322,13 +326,14 @@ class X509CertificateFactory { } } -enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurposeId, val isCA: Boolean) { +enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurposeId, val isCA: Boolean, val role: CertRole?) { ROOT_CA( KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign), KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = true + isCA = true, + role = null ), INTERMEDIATE_CA( @@ -336,7 +341,26 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = true + isCA = true, + role = CertRole.INTERMEDIATE_CA + ), + + NETWORK_MAP( + KeyUsage(KeyUsage.digitalSignature), + KeyPurposeId.id_kp_serverAuth, + KeyPurposeId.id_kp_clientAuth, + KeyPurposeId.anyExtendedKeyUsage, + isCA = false, + role = CertRole.NETWORK_MAP + ), + + SERVICE_IDENTITY( + KeyUsage(KeyUsage.digitalSignature), + KeyPurposeId.id_kp_serverAuth, + KeyPurposeId.id_kp_clientAuth, + KeyPurposeId.anyExtendedKeyUsage, + isCA = false, + role = CertRole.SERVICE_IDENTITY ), NODE_CA( @@ -344,7 +368,8 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = true + isCA = true, + role = CertRole.NODE_CA ), TLS( @@ -352,24 +377,27 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = false + isCA = false, + role = CertRole.TLS ), - // TODO: Identity certs should have only limited depth (i.e. 1) CA signing capability, with tight name constraints - WELL_KNOWN_IDENTITY( + // TODO: Identity certs should have tight name constraints on child certificates + LEGAL_IDENTITY( KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign), KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = true + isCA = true, + role = CertRole.LEGAL_IDENTITY ), - CONFIDENTIAL_IDENTITY( + CONFIDENTIAL_LEGAL_IDENTITY( KeyUsage(KeyUsage.digitalSignature), KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage, - isCA = false + isCA = false, + role = CertRole.CONFIDENTIAL_LEGAL_IDENTITY ) } diff --git a/node/src/main/kotlin/net/corda/node/ArgsParser.kt b/node/src/main/kotlin/net/corda/node/ArgsParser.kt index 63bd5896fa..7bd7850d5d 100644 --- a/node/src/main/kotlin/net/corda/node/ArgsParser.kt +++ b/node/src/main/kotlin/net/corda/node/ArgsParser.kt @@ -1,5 +1,6 @@ package net.corda.node +import com.typesafe.config.ConfigException import joptsimple.OptionParser import joptsimple.util.EnumConverter import net.corda.core.internal.div diff --git a/node/src/main/kotlin/net/corda/node/internal/NodeStartup.kt b/node/src/main/kotlin/net/corda/node/internal/NodeStartup.kt index 652d36ef8a..7d0aa2a69a 100644 --- a/node/src/main/kotlin/net/corda/node/internal/NodeStartup.kt +++ b/node/src/main/kotlin/net/corda/node/internal/NodeStartup.kt @@ -38,37 +38,40 @@ open class NodeStartup(val args: Array) { * @return true if the node startup was successful. This value is intended to be the exit code of the process. */ open fun run(): Boolean { - try { - val startTime = System.currentTimeMillis() - assertCanNormalizeEmptyPath() - val (argsParser, cmdlineOptions) = parseArguments() + val startTime = System.currentTimeMillis() + if (!canNormalizeEmptyPath()) { + println("You are using a version of Java that is not supported (${System.getProperty("java.version")}). Please upgrade to the latest version.") + println("Corda will now exit...") + return false + } + val (argsParser, cmdlineOptions) = parseArguments() - // We do the single node check before we initialise logging so that in case of a double-node start it - // doesn't mess with the running node's logs. - enforceSingleNodeIsRunning(cmdlineOptions.baseDirectory) + // We do the single node check before we initialise logging so that in case of a double-node start it + // doesn't mess with the running node's logs. + enforceSingleNodeIsRunning(cmdlineOptions.baseDirectory) - initLogging(cmdlineOptions) + initLogging(cmdlineOptions) - val versionInfo = getVersionInfo() + val versionInfo = getVersionInfo() - if (cmdlineOptions.isVersion) { - println("${versionInfo.vendor} ${versionInfo.releaseVersion}") - println("Revision ${versionInfo.revision}") - println("Platform Version ${versionInfo.platformVersion}") - return true - } + if (cmdlineOptions.isVersion) { + println("${versionInfo.vendor} ${versionInfo.releaseVersion}") + println("Revision ${versionInfo.revision}") + println("Platform Version ${versionInfo.platformVersion}") + return true + } - // Maybe render command line help. - if (cmdlineOptions.help) { - argsParser.printHelp(System.out) - return true - } + // Maybe render command line help. + if (cmdlineOptions.help) { + argsParser.printHelp(System.out) + return true + } - drawBanner(versionInfo) - Node.printBasicNodeInfo(LOGS_CAN_BE_FOUND_IN_STRING, System.getProperty("log-path")) + drawBanner(versionInfo) + Node.printBasicNodeInfo(LOGS_CAN_BE_FOUND_IN_STRING, System.getProperty("log-path")) + val conf = try { val conf0 = loadConfigFile(cmdlineOptions) - - val conf = if (cmdlineOptions.bootstrapRaftCluster) { + if (cmdlineOptions.bootstrapRaftCluster) { if (conf0 is NodeConfigurationImpl) { println("Bootstrapping raft cluster (starting up as seed node).") // Ignore the configured clusterAddresses to make the node bootstrap a cluster instead of joining. @@ -80,33 +83,39 @@ open class NodeStartup(val args: Array) { } else { conf0 } + } catch (e: Exception) { + logger.error("Exception during node configuration", e) + return false + } - banJavaSerialisation(conf) - preNetworkRegistration(conf) - if (shouldRegisterWithNetwork(cmdlineOptions, conf)) { + try { + banJavaSerialisation(conf) + preNetworkRegistration(conf) + if (shouldRegisterWithNetwork(cmdlineOptions, conf)) { registerWithNetwork(cmdlineOptions, conf) return true } - logStartupInfo(versionInfo, cmdlineOptions, conf) - - try { - cmdlineOptions.baseDirectory.createDirectories() - startNode(conf, versionInfo, startTime, cmdlineOptions) - } catch (e: Exception) { - if (e.message?.startsWith("Unknown named curve:") == true) { - logger.error("Exception during node startup - ${e.message}. " + - "This is a known OpenJDK issue on some Linux distributions, please use OpenJDK from zulu.org or Oracle JDK.") - } else { - logger.error("Exception during node startup", e) - } - return false - } - - logger.info("Node exiting successfully") - return true + logStartupInfo(versionInfo, cmdlineOptions, conf) } catch (e: Exception) { + logger.error("Exception during node registration", e) return false } + + try { + cmdlineOptions.baseDirectory.createDirectories() + startNode(conf, versionInfo, startTime, cmdlineOptions) + } catch (e: Exception) { + if (e.message?.startsWith("Unknown named curve:") == true) { + logger.error("Exception during node startup - ${e.message}. " + + "This is a known OpenJDK issue on some Linux distributions, please use OpenJDK from zulu.org or Oracle JDK.") + } else { + logger.error("Exception during node startup", e) + } + return false + } + + logger.info("Node exiting successfully") + return true } open protected fun preNetworkRegistration(conf: NodeConfiguration) = Unit @@ -190,14 +199,7 @@ open class NodeStartup(val args: Array) { NetworkRegistrationHelper(conf, HTTPNetworkRegistrationService(compatibilityZoneURL)).buildKeystore() } - open protected fun loadConfigFile(cmdlineOptions: CmdLineOptions): NodeConfiguration { - try { - return cmdlineOptions.loadConfig() - } catch (configException: ConfigException) { - println("Unable to load the configuration file: ${configException.rootCause.message}") - throw configException - } - } + open protected fun loadConfigFile(cmdlineOptions: CmdLineOptions): NodeConfiguration = cmdlineOptions.loadConfig() open protected fun banJavaSerialisation(conf: NodeConfiguration) { SerialFilter.install(if (conf.notary?.bftSMaRt != null) ::bftSMaRtSerialFilter else ::defaultSerialFilter) @@ -289,12 +291,13 @@ open class NodeStartup(val args: Array) { return hostName } - private fun assertCanNormalizeEmptyPath() { + private fun canNormalizeEmptyPath(): Boolean { // Check we're not running a version of Java with a known bug: https://github.com/corda/corda/issues/83 - try { + return try { Paths.get("").normalize() + true } catch (e: ArrayIndexOutOfBoundsException) { - Node.failStartUp("You are using a version of Java that is not supported (${System.getProperty("java.version")}). Please upgrade to the latest version.") + false } } diff --git a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt index 2b05bd6db8..7471d5d5ec 100644 --- a/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt +++ b/node/src/main/kotlin/net/corda/node/services/config/ConfigUtilities.kt @@ -114,7 +114,7 @@ fun createKeystoreForCordaNode(sslKeyStorePath: Path, val clientName = legalName.copy(commonName = null) val nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, clientName.x500Name))), arrayOf()) - val clientCACert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, + val clientCACert = X509Utilities.createCertificate(CertificateType.NODE_CA, intermediateCACert, intermediateCAKeyPair, clientName.copy(commonName = X509Utilities.CORDA_CLIENT_CA_CN), diff --git a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt index 719eea4b75..bac9ef6902 100644 --- a/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt +++ b/node/src/main/kotlin/net/corda/node/services/identity/InMemoryIdentityService.kt @@ -3,6 +3,7 @@ package net.corda.node.services.identity import net.corda.core.contracts.PartyAndReference import net.corda.core.crypto.toStringShort import net.corda.core.identity.* +import net.corda.core.internal.CertRole import net.corda.core.internal.cert import net.corda.core.internal.toX509CertHolder import net.corda.core.node.services.UnknownAnonymousPartyException @@ -61,14 +62,10 @@ class InMemoryIdentityService(identities: Array, } // Ensure we record the first identity of the same name, first - val identityPrincipal = identity.name.x500Principal - val firstCertWithThisName: Certificate = identity.certPath.certificates.last { it -> - val principal = (it as? X509Certificate)?.subjectX500Principal - principal == identityPrincipal - } - if (firstCertWithThisName != identity.certificate) { + val wellKnownCert: Certificate = identity.certPath.certificates.single { CertRole.extract(it)?.isWellKnown ?: false } + if (wellKnownCert != identity.certificate) { val certificates = identity.certPath.certificates - val idx = certificates.lastIndexOf(firstCertWithThisName) + val idx = certificates.lastIndexOf(wellKnownCert) val firstPath = X509CertificateFactory().generateCertPath(certificates.slice(idx until certificates.size)) verifyAndRegisterIdentity(PartyAndCertificate(firstPath)) } diff --git a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt index 6230d98453..6dd98d0c63 100644 --- a/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt +++ b/node/src/main/kotlin/net/corda/node/services/identity/PersistentIdentityService.kt @@ -4,6 +4,7 @@ import net.corda.core.contracts.PartyAndReference import net.corda.core.crypto.SecureHash import net.corda.core.crypto.toStringShort import net.corda.core.identity.* +import net.corda.core.internal.CertRole import net.corda.core.internal.cert import net.corda.core.internal.toX509CertHolder import net.corda.core.node.services.UnknownAnonymousPartyException @@ -13,8 +14,8 @@ import net.corda.core.utilities.contextLogger import net.corda.core.utilities.debug import net.corda.node.services.api.IdentityServiceInternal import net.corda.node.utilities.AppendOnlyPersistentMap -import net.corda.nodeapi.internal.persistence.NODE_DATABASE_PREFIX import net.corda.nodeapi.internal.crypto.X509CertificateFactory +import net.corda.nodeapi.internal.persistence.NODE_DATABASE_PREFIX import org.bouncycastle.cert.X509CertificateHolder import java.security.InvalidAlgorithmParameterException import java.security.PublicKey @@ -125,14 +126,10 @@ class PersistentIdentityService(override val trustRoot: X509Certificate, } // Ensure we record the first identity of the same name, first - val identityPrincipal = identity.name.x500Principal - val firstCertWithThisName: Certificate = identity.certPath.certificates.last { it -> - val principal = (it as? X509Certificate)?.subjectX500Principal - principal == identityPrincipal - } - if (firstCertWithThisName != identity.certificate) { + val wellKnownCert: Certificate = identity.certPath.certificates.single { CertRole.extract(it)?.isWellKnown ?: false } + if (wellKnownCert != identity.certificate) { val certificates = identity.certPath.certificates - val idx = certificates.lastIndexOf(firstCertWithThisName) + val idx = certificates.lastIndexOf(wellKnownCert) val firstPath = X509CertificateFactory().generateCertPath(certificates.slice(idx until certificates.size)) verifyAndRegisterIdentity(PartyAndCertificate(firstPath)) } diff --git a/node/src/main/kotlin/net/corda/node/services/keys/KMSUtils.kt b/node/src/main/kotlin/net/corda/node/services/keys/KMSUtils.kt index c4bc163ad2..df99435dd3 100644 --- a/node/src/main/kotlin/net/corda/node/services/keys/KMSUtils.kt +++ b/node/src/main/kotlin/net/corda/node/services/keys/KMSUtils.kt @@ -2,6 +2,7 @@ package net.corda.node.services.keys import net.corda.core.crypto.Crypto import net.corda.core.identity.PartyAndCertificate +import net.corda.core.internal.CertRole import net.corda.core.internal.cert import net.corda.core.internal.toX509CertHolder import net.corda.core.utilities.days @@ -33,9 +34,11 @@ fun freshCertificate(identityService: IdentityServiceInternal, issuer: PartyAndCertificate, issuerSigner: ContentSigner, revocationEnabled: Boolean = false): PartyAndCertificate { + val issuerRole = CertRole.extract(issuer.certificate) + require(issuerRole == CertRole.LEGAL_IDENTITY) { "Confidential identities can only be issued from well known identities, provided issuer ${issuer.name} has role $issuerRole" } val issuerCert = issuer.certificate.toX509CertHolder() val window = X509Utilities.getCertificateValidityWindow(Duration.ZERO, 3650.days, issuerCert) - val ourCertificate = X509Utilities.createCertificate(CertificateType.WELL_KNOWN_IDENTITY, issuerCert.subject, + val ourCertificate = X509Utilities.createCertificate(CertificateType.CONFIDENTIAL_LEGAL_IDENTITY, issuerCert.subject, issuerSigner, issuer.name, subjectPublicKey, window) val ourCertPath = X509CertificateFactory().generateCertPath(listOf(ourCertificate.cert) + issuer.certPath.certificates) val anonymisedIdentity = PartyAndCertificate(ourCertPath) diff --git a/node/src/test/kotlin/net/corda/node/services/identity/InMemoryIdentityServiceTests.kt b/node/src/test/kotlin/net/corda/node/services/identity/InMemoryIdentityServiceTests.kt index 09c1041c54..30717cdad4 100644 --- a/node/src/test/kotlin/net/corda/node/services/identity/InMemoryIdentityServiceTests.kt +++ b/node/src/test/kotlin/net/corda/node/services/identity/InMemoryIdentityServiceTests.kt @@ -169,7 +169,7 @@ class InMemoryIdentityServiceTests { val issuerKeyPair = generateKeyPair() val issuer = getTestPartyAndCertificate(x500Name, issuerKeyPair.public) val txKey = Crypto.generateKeyPair() - val txCert = X509Utilities.createCertificate(CertificateType.CONFIDENTIAL_IDENTITY, issuer.certificate.toX509CertHolder(), issuerKeyPair, x500Name, txKey.public) + val txCert = X509Utilities.createCertificate(CertificateType.CONFIDENTIAL_LEGAL_IDENTITY, issuer.certificate.toX509CertHolder(), issuerKeyPair, x500Name, txKey.public) val txCertPath = X509CertificateFactory().generateCertPath(listOf(txCert.cert) + issuer.certPath.certificates) return Pair(issuer, PartyAndCertificate(txCertPath)) } diff --git a/node/src/test/kotlin/net/corda/node/services/identity/PersistentIdentityServiceTests.kt b/node/src/test/kotlin/net/corda/node/services/identity/PersistentIdentityServiceTests.kt index 956bbbb4cf..2553d30ef5 100644 --- a/node/src/test/kotlin/net/corda/node/services/identity/PersistentIdentityServiceTests.kt +++ b/node/src/test/kotlin/net/corda/node/services/identity/PersistentIdentityServiceTests.kt @@ -266,7 +266,7 @@ class PersistentIdentityServiceTests { val issuerKeyPair = generateKeyPair() val issuer = getTestPartyAndCertificate(x500Name, issuerKeyPair.public) val txKey = Crypto.generateKeyPair() - val txCert = X509Utilities.createCertificate(CertificateType.CONFIDENTIAL_IDENTITY, issuer.certificate.toX509CertHolder(), issuerKeyPair, x500Name, txKey.public) + val txCert = X509Utilities.createCertificate(CertificateType.CONFIDENTIAL_LEGAL_IDENTITY, issuer.certificate.toX509CertHolder(), issuerKeyPair, x500Name, txKey.public) val txCertPath = X509CertificateFactory().generateCertPath(listOf(txCert.cert) + issuer.certPath.certificates) return Pair(issuer, PartyAndCertificate(txCertPath)) } diff --git a/node/src/test/kotlin/net/corda/node/services/keys/KMSUtilsTests.kt b/node/src/test/kotlin/net/corda/node/services/keys/KMSUtilsTests.kt new file mode 100644 index 0000000000..1a84373975 --- /dev/null +++ b/node/src/test/kotlin/net/corda/node/services/keys/KMSUtilsTests.kt @@ -0,0 +1,29 @@ +package net.corda.node.services.keys + +import net.corda.core.CordaOID +import net.corda.core.crypto.generateKeyPair +import net.corda.core.internal.CertRole +import net.corda.testing.* +import net.corda.testing.node.MockServices +import net.corda.testing.node.makeTestIdentityService +import org.bouncycastle.asn1.DEROctetString +import org.junit.Test +import kotlin.test.assertEquals + +class KMSUtilsTests { + @Test + fun `should generate certificates with the correct role`() { + val aliceKey = generateKeyPair() + val alice = getTestPartyAndCertificate(ALICE_NAME, aliceKey.public) + val cordappPackages = emptyList() + val ledgerIdentityService = makeTestIdentityService(alice) + val mockServices = MockServices(cordappPackages, ledgerIdentityService, alice.name, aliceKey) + val wellKnownIdentity = mockServices.myInfo.singleIdentityAndCert() + val confidentialIdentity = mockServices.keyManagementService.freshKeyAndCert(wellKnownIdentity, false) + val cert = confidentialIdentity.certificate + val extensionData = DEROctetString.getInstance(cert.getExtensionValue(CordaOID.X509_EXTENSION_CORDA_ROLE)) + val expected = CertRole.CONFIDENTIAL_LEGAL_IDENTITY + val actual = CertRole.getInstance(extensionData.octets) + assertEquals(expected, actual) + } +} \ No newline at end of file diff --git a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt index aa2dc08533..11e572e2d7 100644 --- a/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt +++ b/testing/test-utils/src/main/kotlin/net/corda/testing/CoreTestUtils.kt @@ -102,7 +102,7 @@ fun getTestPartyAndCertificate(party: Party): PartyAndCertificate { nameConstraints = NameConstraints(arrayOf(GeneralSubtree(GeneralName(GeneralName.directoryName, party.name.x500Name))), arrayOf())) val identityCert = X509Utilities.createCertificate( - CertificateType.WELL_KNOWN_IDENTITY, + CertificateType.LEGAL_IDENTITY, nodeCaCert, nodeCaKeyPair, party.name, diff --git a/testing/test-utils/src/main/kotlin/net/corda/testing/TestConstants.kt b/testing/test-utils/src/main/kotlin/net/corda/testing/TestConstants.kt index 27c52eb1bc..0f700d9938 100644 --- a/testing/test-utils/src/main/kotlin/net/corda/testing/TestConstants.kt +++ b/testing/test-utils/src/main/kotlin/net/corda/testing/TestConstants.kt @@ -7,7 +7,10 @@ import net.corda.core.contracts.TypeOnlyCommandData import net.corda.core.crypto.generateKeyPair import net.corda.core.identity.CordaX500Name import net.corda.core.internal.toX509CertHolder -import net.corda.nodeapi.internal.crypto.* +import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair +import net.corda.nodeapi.internal.crypto.X509Utilities +import net.corda.nodeapi.internal.crypto.getCertificateAndKeyPair +import net.corda.nodeapi.internal.crypto.loadKeyStore import org.bouncycastle.cert.X509CertificateHolder import java.security.PublicKey import java.time.Instant