From afd3876faff395bf84957fecd11e326263ef4f1c Mon Sep 17 00:00:00 2001
From: Ryan Fowler <fowlerrr@users.noreply.github.com>
Date: Wed, 16 Sep 2020 16:37:16 +0100
Subject: [PATCH] CORDA-4036: Put the identity failures on the same log so they
 aren't missed. (#6717)

---
 .../network/PersistentNetworkMapCacheTest.kt     | 16 +++++++++++++++-
 .../network/PersistentNetworkMapCache.kt         | 15 +++++++++------
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/node/src/integration-test/kotlin/net/corda/node/services/network/PersistentNetworkMapCacheTest.kt b/node/src/integration-test/kotlin/net/corda/node/services/network/PersistentNetworkMapCacheTest.kt
index 9c701ccd3a..bf8d2910b6 100644
--- a/node/src/integration-test/kotlin/net/corda/node/services/network/PersistentNetworkMapCacheTest.kt
+++ b/node/src/integration-test/kotlin/net/corda/node/services/network/PersistentNetworkMapCacheTest.kt
@@ -5,9 +5,15 @@ import net.corda.core.node.NodeInfo
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.internal.schemas.NodeInfoSchemaV1
 import net.corda.node.services.identity.InMemoryIdentityService
+import net.corda.node.utilities.createKeyPairAndSelfSignedTLSCertificate
 import net.corda.nodeapi.internal.DEV_ROOT_CA
 import net.corda.nodeapi.internal.persistence.DatabaseConfig
-import net.corda.testing.core.*
+import net.corda.testing.core.ALICE_NAME
+import net.corda.testing.core.BOB_NAME
+import net.corda.testing.core.CHARLIE_NAME
+import net.corda.testing.core.DUMMY_NOTARY_NAME
+import net.corda.testing.core.SerializationEnvironmentRule
+import net.corda.testing.core.TestIdentity
 import net.corda.testing.internal.TestingNamedCacheFactory
 import net.corda.testing.internal.configureDatabase
 import net.corda.testing.node.MockServices.Companion.makeTestDataSourceProperties
@@ -159,6 +165,14 @@ class PersistentNetworkMapCacheTest {
         assertThat(charlieNetMapCache.getNodeByLegalName(BOB_NAME)).isNotNull
     }
 
+    @Test(timeout=300_000)
+    fun `negative test - invalid trust root leads to no node added`() {
+        val (_, badCert) = createKeyPairAndSelfSignedTLSCertificate(DEV_ROOT_CA.certificate.issuerX500Principal)
+        val netMapCache = PersistentNetworkMapCache(TestingNamedCacheFactory(), database, InMemoryIdentityService(trustRoot = badCert))
+        netMapCache.addOrUpdateNode(createNodeInfo(listOf(ALICE)))
+        assertThat(netMapCache.allNodes).hasSize(0)
+    }
+
     private fun createNodeInfo(identities: List<TestIdentity>,
                                address: NetworkHostAndPort = NetworkHostAndPort("localhost", portCounter++)): NodeInfo {
         return NodeInfo(
diff --git a/node/src/main/kotlin/net/corda/node/services/network/PersistentNetworkMapCache.kt b/node/src/main/kotlin/net/corda/node/services/network/PersistentNetworkMapCache.kt
index 709e415cdd..bdaa43ea94 100644
--- a/node/src/main/kotlin/net/corda/node/services/network/PersistentNetworkMapCache.kt
+++ b/node/src/main/kotlin/net/corda/node/services/network/PersistentNetworkMapCache.kt
@@ -19,7 +19,6 @@ import net.corda.core.node.services.PartyInfo
 import net.corda.core.serialization.SingletonSerializeAsToken
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.NetworkHostAndPort
-import net.corda.core.utilities.Try
 import net.corda.core.utilities.contextLogger
 import net.corda.core.utilities.debug
 import net.corda.node.internal.schemas.NodeInfoSchemaV1
@@ -32,6 +31,7 @@ import org.hibernate.Session
 import rx.Observable
 import rx.subjects.PublishSubject
 import java.security.PublicKey
+import java.security.cert.CertPathValidatorException
 import java.util.*
 import javax.annotation.concurrent.ThreadSafe
 import javax.persistence.PersistenceException
@@ -235,12 +235,15 @@ open class PersistentNetworkMapCache(cacheFactory: NamedCacheFactory,
     }
 
     private fun verifyIdentities(node: NodeInfo): Boolean {
-        val failures = node.legalIdentitiesAndCerts.mapNotNull { Try.on { it.verify(identityService.trustAnchor) } as? Try.Failure }
-        if (failures.isNotEmpty()) {
-            logger.warn("$node has ${failures.size} invalid identities:")
-            failures.forEach { logger.warn("", it) }
+        for (identity in node.legalIdentitiesAndCerts) {
+            try {
+                identity.verify(identityService.trustAnchor)
+            } catch (e: CertPathValidatorException) {
+                logger.warn("$node has invalid identity:\nError:$e\nIdentity:${identity.certPath}")
+                return false
+            }
         }
-        return failures.isEmpty()
+        return true
     }
 
     private fun verifyAndRegisterIdentities(node: NodeInfo): Boolean {