Tidy up based upon comments on PR

This commit is contained in:
Matthew Nesbit 2016-07-22 15:13:46 +01:00
parent 196fe57147
commit b042fac905
4 changed files with 38 additions and 17 deletions
core/src
main/kotlin/com/r3corda/core/crypto
test/kotlin/com/r3corda/core/crypto
node/src/main/kotlin/com/r3corda/node
internal
services/messaging

View File

@ -55,7 +55,7 @@ object X509Utilities {
* @param parentNotBefore if provided is used to lower bound the date interval returned
* @param parentNotAfter if provided is used to upper bound the date interval returned
*/
private fun GetCertificateValidityWindow(daysBefore: Int, daysAfter: Int, parentNotBefore: Date? = null, parentNotAfter: Date? = null): Pair<Date, Date> {
private fun getCertificateValidityWindow(daysBefore: Int, daysAfter: Int, parentNotBefore: Date? = null, parentNotAfter: Date? = null): Pair<Date, Date> {
val startOfDayUTC = Instant.now().truncatedTo(ChronoUnit.DAYS)
var notBefore = Date.from(startOfDayUTC.minus(daysBefore.toLong(), ChronoUnit.DAYS))
@ -94,7 +94,7 @@ object X509Utilities {
/**
* Helper method to create Subject field contents
*/
fun GetX509Name(domain: String): X500Name {
fun getDevX509Name(domain: String): X500Name {
val nameBuilder = X500NameBuilder(BCStyle.INSTANCE)
nameBuilder.addRDN(BCStyle.CN, domain)
nameBuilder.addRDN(BCStyle.O, "R3")
@ -121,6 +121,10 @@ object X509Utilities {
}
} else {
keyStore.load(null, pass)
val output = FileOutputStream(keyStoreFilePath.toFile())
output.use {
keyStore.store(output, pass)
}
}
return keyStore
}
@ -231,11 +235,14 @@ object X509Utilities {
fun createSelfSignedCACert(domain: String): CACertAndKey {
val keyPair = generateECDSAKeyPairForSSL()
val issuer = GetX509Name(domain)
val issuer = getDevX509Name(domain)
val serial = BigInteger.valueOf(random63BitValue())
val subject = issuer
val pubKey = keyPair.public
val window = GetCertificateValidityWindow(0, 365 * 10)
// Ten year certificate validity
// TODO how do we manage certificate expiry, revocation and loss
val window = getCertificateValidityWindow(0, 365 * 10)
val builder = JcaX509v3CertificateBuilder(
issuer, serial, window.first, window.second, subject, pubKey)
@ -276,10 +283,12 @@ object X509Utilities {
val issuer = X509CertificateHolder(certificateAuthority.certificate.encoded).subject
val serial = BigInteger.valueOf(random63BitValue())
val subject = GetX509Name(domain)
val subject = getDevX509Name(domain)
val pubKey = keyPair.public
// One year certificate validity
val window = GetCertificateValidityWindow(0, 365, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
// Ten year certificate validity
// TODO how do we manage certificate expiry, revocation and loss
val window = getCertificateValidityWindow(0, 365*10, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
val builder = JcaX509v3CertificateBuilder(
issuer, serial, window.first, window.second, subject, pubKey)
@ -325,7 +334,10 @@ object X509Utilities {
val issuer = X509CertificateHolder(certificateAuthority.certificate.encoded).subject
val serial = BigInteger.valueOf(random63BitValue())
val window = GetCertificateValidityWindow(0, 365, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
// Ten year certificate validity
// TODO how do we manage certificate expiry, revocation and loss
val window = getCertificateValidityWindow(0, 365*10, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
val builder = JcaX509v3CertificateBuilder(issuer, serial, window.first, window.second, subject, publicKey)
builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey))
@ -518,7 +530,7 @@ object X509Utilities {
val serverKey = X509Utilities.generateECDSAKeyPairForSSL()
val host = InetAddress.getLocalHost()
val subject = GetX509Name(host.canonicalHostName)
val subject = getDevX509Name(host.canonicalHostName)
val serverCert = X509Utilities.createServerCert(subject,
serverKey.public,
intermediateCA,

View File

@ -54,7 +54,7 @@ class X509UtilitiesTest {
@Test
fun `create valid server certificate chain`() {
val caCertAndKey = X509Utilities.createSelfSignedCACert("Test CA Cert")
val subjectDN = X509Utilities.GetX509Name("Server Cert")
val subjectDN = X509Utilities.getDevX509Name("Server Cert")
val keypair = X509Utilities.generateECDSAKeyPairForSSL()
val serverCert = X509Utilities.createServerCert(subjectDN, keypair.public, caCertAndKey, listOf("alias name"), listOf("10.0.0.54"))
assertTrue { serverCert.subjectDN.name.contains("CN=Server Cert") } // using our subject common name

View File

@ -72,7 +72,7 @@ class Node(dir: Path, val p2pAddr: HostAndPort, val webServerAddr: HostAndPort,
override fun startMessagingService() {
// Start up the MQ service.
(net as ArtemisMessagingService).apply {
configureWithDevSSLCertificate() //Provision a dev certificate and private key if required
configureWithDevSSLCertificate() // TODO Create proper certificate provisioning process
start()
}
}

View File

@ -40,7 +40,7 @@ import javax.annotation.concurrent.ThreadSafe
/**
* This class implements the [MessagingService] API using Apache Artemis, the successor to their ActiveMQ product.
* Artemis is a message queue broker and here, we embed the entire server inside our own process. Nodes communicate
* with each other using an Artemis specific protocol, but it supports other protocols like AQMP/1.0
* with each other using an Artemis specific protocol, but it supports other protocols like AMQP/1.0
* as well for interop.
*
* The current implementation is skeletal and lacks features like security or firewall tunnelling (that is, you must
@ -99,6 +99,14 @@ class ArtemisMessagingService(val directory: Path,
private val keyStorePath = directory.resolve("certificates").resolve("sslkeystore.jks")
private val trustStorePath = directory.resolve("certificates").resolve("truststore.jks")
private val KEYSTORE_PASSWORD = "cordacadevpass" // TODO we need a proper way of managing keystores and passwords
private val CIPHER_SUITES = listOf(
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256")
init {
require(directory.fileSystem == FileSystems.getDefault()) { "Artemis only uses the default file system" }
@ -321,9 +329,10 @@ class ArtemisMessagingService(val directory: Path,
HOST_PROP_NAME to host,
PORT_PROP_NAME to port.toInt(),
// Turn on AMQP support, which needs the protoclo jar on the classpath.
// Turn on AMQP support, which needs the protocol jar on the classpath.
// Unfortunately we cannot disable core protocol as artemis only uses AMQP for interop
// It does not use AMQP messages for its own
// It does not use AMQP messages for its own messages e.g. topology and heartbeats
// TODO further investigate how to ensure we use a well defined wire level protocol for Node to Node communications
PROTOCOLS_PROP_NAME to "CORE,AMQP",
// Enable TLS transport layer with client certs and restrict to at least SHA256 in handshake
@ -335,15 +344,15 @@ class ArtemisMessagingService(val directory: Path,
TRUSTSTORE_PROVIDER_PROP_NAME to "JKS",
TRUSTSTORE_PATH_PROP_NAME to trustStorePath,
TRUSTSTORE_PASSWORD_PROP_NAME to "trustpass",
ENABLED_CIPHER_SUITES_PROP_NAME to "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
ENABLED_CIPHER_SUITES_PROP_NAME to CIPHER_SUITES.joinToString(","),
ENABLED_PROTOCOLS_PROP_NAME to "TLSv1.2",
NEED_CLIENT_AUTH_PROP_NAME to true
)
)
/**
* Strictly for dev only automatically construct a server certificate\private key signed from
* the CA certs in Node resources.
* Strictly for dev only automatically construct a server certificate/private key signed from
* the CA certs in Node resources. Then provision KeyStores into certificates folder under node path.
*/
fun configureWithDevSSLCertificate() {
Files.createDirectories(directory.resolve("certificates"))