CORDA-4036: Put the identity failures on the same log so they aren't missed. (#6717)

node/src/integration-test/kotlin/net/corda/node/services/network/PersistentNetworkMapCacheTest.kt

@@ -5,9 +5,15 @@ import net.corda.core.node.NodeInfo
 import net.corda.core.utilities.NetworkHostAndPort
 import net.corda.node.internal.schemas.NodeInfoSchemaV1
 import net.corda.node.services.identity.InMemoryIdentityService
+import net.corda.node.utilities.createKeyPairAndSelfSignedTLSCertificate
 import net.corda.nodeapi.internal.DEV_ROOT_CA
 import net.corda.nodeapi.internal.persistence.DatabaseConfig
-import net.corda.testing.core.*
+import net.corda.testing.core.ALICE_NAME
+import net.corda.testing.core.BOB_NAME
+import net.corda.testing.core.CHARLIE_NAME
+import net.corda.testing.core.DUMMY_NOTARY_NAME
+import net.corda.testing.core.SerializationEnvironmentRule
+import net.corda.testing.core.TestIdentity
 import net.corda.testing.internal.TestingNamedCacheFactory
 import net.corda.testing.internal.configureDatabase
 import net.corda.testing.node.MockServices.Companion.makeTestDataSourceProperties
@@ -159,6 +165,14 @@ class PersistentNetworkMapCacheTest {
         assertThat(charlieNetMapCache.getNodeByLegalName(BOB_NAME)).isNotNull
     }
 
+    @Test(timeout=300_000)
+    fun `negative test - invalid trust root leads to no node added`() {
+        val (_, badCert) = createKeyPairAndSelfSignedTLSCertificate(DEV_ROOT_CA.certificate.issuerX500Principal)
+        val netMapCache = PersistentNetworkMapCache(TestingNamedCacheFactory(), database, InMemoryIdentityService(trustRoot = badCert))
+        netMapCache.addOrUpdateNode(createNodeInfo(listOf(ALICE)))
+        assertThat(netMapCache.allNodes).hasSize(0)
+    }
+
     private fun createNodeInfo(identities: List<TestIdentity>,
                                address: NetworkHostAndPort = NetworkHostAndPort("localhost", portCounter++)): NodeInfo {
         return NodeInfo(

node/src/main/kotlin/net/corda/node/services/network/PersistentNetworkMapCache.kt

@@ -19,7 +19,6 @@ import net.corda.core.node.services.PartyInfo
 import net.corda.core.serialization.SingletonSerializeAsToken
 import net.corda.core.serialization.serialize
 import net.corda.core.utilities.NetworkHostAndPort
-import net.corda.core.utilities.Try
 import net.corda.core.utilities.contextLogger
 import net.corda.core.utilities.debug
 import net.corda.node.internal.schemas.NodeInfoSchemaV1
@@ -32,6 +31,7 @@ import org.hibernate.Session
 import rx.Observable
 import rx.subjects.PublishSubject
 import java.security.PublicKey
+import java.security.cert.CertPathValidatorException
 import java.util.*
 import javax.annotation.concurrent.ThreadSafe
 import javax.persistence.PersistenceException
@@ -235,12 +235,15 @@ open class PersistentNetworkMapCache(cacheFactory: NamedCacheFactory,
     }
 
     private fun verifyIdentities(node: NodeInfo): Boolean {
-        val failures = node.legalIdentitiesAndCerts.mapNotNull { Try.on { it.verify(identityService.trustAnchor) } as? Try.Failure }
+        for (identity in node.legalIdentitiesAndCerts) {
-        if (failures.isNotEmpty()) {
+            try {
-            logger.warn("$node has ${failures.size} invalid identities:")
+                identity.verify(identityService.trustAnchor)
-            failures.forEach { logger.warn("", it) }
+            } catch (e: CertPathValidatorException) {
+                logger.warn("$node has invalid identity:\nError:$e\nIdentity:${identity.certPath}")
+                return false
             }
-        return failures.isEmpty()
+        }
+        return true
     }
 
     private fun verifyAndRegisterIdentities(node: NodeInfo): Boolean {