ENT-3142: net-params signing tool: include certificate path in signature (#5165)

2025-06-02 07:30:53 +00:00 · 2019-06-21 16:39:33 +01:00 · 2019-06-21 16:39:33 +01:00 · ae877f87ba
commit ae877f87ba
parent 0cd57c81bc
2 changed files with 40 additions and 23 deletions
--- a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
+++ b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
@ -493,6 +493,13 @@ fun <T : Any> T.signWithCert(privateKey: PrivateKey, certificate: X509Certificat
    }
 }

+@DeleteForDJVM
+fun <T : Any> T.signWithCertPath(privateKey: PrivateKey, certPath: List<X509Certificate>): SignedDataWithCert<T> {
+    return signWithCert {
+        val signature = Crypto.doSign(privateKey, it.bytes)
+        DigitalSignatureWithCert(certPath.first(), certPath.takeLast(certPath.size - 1), signature)
+    }
+}
@DeleteForDJVM
 inline fun <T : Any> SerializedBytes<T>.sign(signer: (SerializedBytes<T>) -> DigitalSignature.WithKey): SignedData<T> {
    return SignedData(this, signer(this))
--- a/experimental/netparams/src/main/kotlin/net/corda/netparams/NetParams.kt
+++ b/experimental/netparams/src/main/kotlin/net/corda/netparams/NetParams.kt
@ -5,6 +5,7 @@ import com.typesafe.config.ConfigFactory
 import com.typesafe.config.ConfigParseOptions
 import net.corda.cliutils.CordaCliWrapper
 import net.corda.cliutils.start
+import net.corda.core.crypto.Crypto
 import net.corda.core.identity.Party
 import net.corda.core.internal.*
 import net.corda.core.node.NetworkParameters
@ -17,6 +18,7 @@ import net.corda.core.serialization.internal.nodeSerializationEnv
 import net.corda.core.serialization.serialize
 import net.corda.nodeapi.internal.SignedNodeInfo
 import net.corda.nodeapi.internal.createDevNetworkMapCa
+import net.corda.nodeapi.internal.crypto.CertificateAndKeyPair
 import net.corda.nodeapi.internal.crypto.X509KeyStore
 import net.corda.serialization.internal.*
 import net.corda.serialization.internal.amqp.*
@ -24,6 +26,8 @@ import picocli.CommandLine.*
 import java.io.File
 import java.nio.file.Path
 import java.nio.file.StandardCopyOption
+import java.security.KeyPair
+import java.security.cert.X509Certificate
 import java.time.Instant

 /**
@ -126,6 +130,11 @@ class NetParamsSigner : CordaCliWrapper("netparams-signer", "Sign network parame
                AMQP_P2P_CONTEXT)
    }

+    class CertificatePathAndKeyPair(val certPath: List<X509Certificate>, private val certificateAndKeyPair: CertificateAndKeyPair) {
+        val keyPair: KeyPair
+            get() = certificateAndKeyPair.keyPair
+    }
+
    override fun runProgram(): Int {
        require(configFile != null) { "The --config parameter must be specified" }

@ -158,21 +167,23 @@ class NetParamsSigner : CordaCliWrapper("netparams-signer", "Sign network parame
                keyPass = getInput("Key password (${keyAlias}): ")

            val keyStore = X509KeyStore.fromFile(keyStorePath!!, keyStorePass!!)
-            keyStore.getCertificateAndKeyPair(keyAlias!!, keyPass!!)
-        }
-        else {
+            val signingKey = keyStore.getCertificateAndKeyPair(keyAlias!!, keyPass!!)
+            val x509Chain = keyStore.getCertificateChain(keyAlias!!)
+
+            CertificatePathAndKeyPair(x509Chain, signingKey)
+        } else {
            // issue from the development root
-            createDevNetworkMapCa()
+            CertificatePathAndKeyPair(emptyList(), createDevNetworkMapCa())
        }

-        // sign & serialise
-        val serializedSignedNetParams = signingkey.sign(networkParameters).serialize()
+        // sign and include the certificate path
+        val signedNetParams = networkParameters.signWithCertPath(signingkey.keyPair.private, signingkey.certPath)

        if (outputFile != null) {
            print("\nWriting: " + outputFile)
-            serializedSignedNetParams.open().copyTo(outputFile!!, StandardCopyOption.REPLACE_EXISTING)
-        }
-        else {
+            val ssnp = signedNetParams.serialize()
+            ssnp.open().copyTo(outputFile!!, StandardCopyOption.REPLACE_EXISTING)
+        } else {
            print("\nUse --output to write results")
        }

@ -187,8 +198,7 @@ class NetParamsSigner : CordaCliWrapper("netparams-signer", "Sign network parame

    fun identityFromNodeInfoPath(nodeInfoPath: File): Party {

-        val serializedNodeInfo = SerializedBytes<SignedNodeInfo>(nodeInfoPath.toPath().readAll())
-        val signedNodeInfo = serializedNodeInfo.deserialize()
+        val signedNodeInfo = nodeInfoPath.toPath().readObject<SignedNodeInfo>()
        val nodeInfo = signedNodeInfo.verified()

        return nodeInfo.legalIdentities.last()