Tidy up based upon comments on PR

core/src/main/kotlin/com/r3corda/core/crypto/X509Utilities.kt

@@ -55,7 +55,7 @@ object X509Utilities {
      * @param parentNotBefore if provided is used to lower bound the date interval returned
      * @param parentNotAfter if provided is used to upper bound the date interval returned
      */
-    private fun GetCertificateValidityWindow(daysBefore: Int, daysAfter: Int, parentNotBefore: Date? = null, parentNotAfter: Date? = null): Pair<Date, Date> {
+    private fun getCertificateValidityWindow(daysBefore: Int, daysAfter: Int, parentNotBefore: Date? = null, parentNotAfter: Date? = null): Pair<Date, Date> {
         val startOfDayUTC = Instant.now().truncatedTo(ChronoUnit.DAYS)
 
         var notBefore = Date.from(startOfDayUTC.minus(daysBefore.toLong(), ChronoUnit.DAYS))
@@ -94,7 +94,7 @@ object X509Utilities {
     /**
      * Helper method to create Subject field contents
      */
-    fun GetX509Name(domain: String): X500Name {
+    fun getDevX509Name(domain: String): X500Name {
         val nameBuilder = X500NameBuilder(BCStyle.INSTANCE)
         nameBuilder.addRDN(BCStyle.CN, domain)
         nameBuilder.addRDN(BCStyle.O, "R3")
@@ -121,6 +121,10 @@ object X509Utilities {
             }
         } else {
             keyStore.load(null, pass)
+            val output = FileOutputStream(keyStoreFilePath.toFile())
+            output.use {
+                keyStore.store(output, pass)
+            }
         }
         return keyStore
     }
@@ -231,11 +235,14 @@ object X509Utilities {
     fun createSelfSignedCACert(domain: String): CACertAndKey {
         val keyPair = generateECDSAKeyPairForSSL()
 
-        val issuer = GetX509Name(domain)
+        val issuer = getDevX509Name(domain)
         val serial = BigInteger.valueOf(random63BitValue())
         val subject = issuer
         val pubKey = keyPair.public
-        val window = GetCertificateValidityWindow(0, 365 * 10)
+
+        // Ten year certificate validity
+        // TODO how do we manage certificate expiry, revocation and loss
+        val window = getCertificateValidityWindow(0, 365 * 10)
 
         val builder = JcaX509v3CertificateBuilder(
                 issuer, serial, window.first, window.second, subject, pubKey)
@@ -276,10 +283,12 @@ object X509Utilities {
 
         val issuer = X509CertificateHolder(certificateAuthority.certificate.encoded).subject
         val serial = BigInteger.valueOf(random63BitValue())
-        val subject = GetX509Name(domain)
+        val subject = getDevX509Name(domain)
         val pubKey = keyPair.public
-        // One year certificate validity
+
-        val window = GetCertificateValidityWindow(0, 365, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
+        // Ten year certificate validity
+        // TODO how do we manage certificate expiry, revocation and loss
+        val window = getCertificateValidityWindow(0, 365*10, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
 
         val builder = JcaX509v3CertificateBuilder(
                 issuer, serial, window.first, window.second, subject, pubKey)
@@ -325,7 +334,10 @@ object X509Utilities {
 
         val issuer = X509CertificateHolder(certificateAuthority.certificate.encoded).subject
         val serial = BigInteger.valueOf(random63BitValue())
-        val window = GetCertificateValidityWindow(0, 365, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
+
+        // Ten year certificate validity
+        // TODO how do we manage certificate expiry, revocation and loss
+        val window = getCertificateValidityWindow(0, 365*10, certificateAuthority.certificate.notBefore, certificateAuthority.certificate.notAfter)
 
         val builder = JcaX509v3CertificateBuilder(issuer, serial, window.first, window.second, subject, publicKey)
         builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey))
@@ -518,7 +530,7 @@ object X509Utilities {
 
         val serverKey = X509Utilities.generateECDSAKeyPairForSSL()
         val host = InetAddress.getLocalHost()
-        val subject = GetX509Name(host.canonicalHostName)
+        val subject = getDevX509Name(host.canonicalHostName)
         val serverCert = X509Utilities.createServerCert(subject,
                 serverKey.public,
                 intermediateCA,

core/src/test/kotlin/com/r3corda/core/crypto/X509UtilitiesTest.kt

@@ -54,7 +54,7 @@ class X509UtilitiesTest {
     @Test
     fun `create valid server certificate chain`() {
         val caCertAndKey = X509Utilities.createSelfSignedCACert("Test CA Cert")
-        val subjectDN = X509Utilities.GetX509Name("Server Cert")
+        val subjectDN = X509Utilities.getDevX509Name("Server Cert")
         val keypair = X509Utilities.generateECDSAKeyPairForSSL()
         val serverCert = X509Utilities.createServerCert(subjectDN, keypair.public, caCertAndKey, listOf("alias name"), listOf("10.0.0.54"))
         assertTrue { serverCert.subjectDN.name.contains("CN=Server Cert") } // using our subject common name

node/src/main/kotlin/com/r3corda/node/internal/Node.kt

@@ -72,7 +72,7 @@ class Node(dir: Path, val p2pAddr: HostAndPort, val webServerAddr: HostAndPort,
     override fun startMessagingService() {
         // Start up the MQ service.
         (net as ArtemisMessagingService).apply {
-            configureWithDevSSLCertificate() //Provision a dev certificate and private key if required
+            configureWithDevSSLCertificate() // TODO Create proper certificate provisioning process
             start()
         }
     }

node/src/main/kotlin/com/r3corda/node/services/messaging/ArtemisMessagingService.kt

@@ -40,7 +40,7 @@ import javax.annotation.concurrent.ThreadSafe
 /**
  * This class implements the [MessagingService] API using Apache Artemis, the successor to their ActiveMQ product.
  * Artemis is a message queue broker and here, we embed the entire server inside our own process. Nodes communicate
- * with each other using an Artemis specific protocol, but it supports other protocols like AQMP/1.0
+ * with each other using an Artemis specific protocol, but it supports other protocols like AMQP/1.0
  * as well for interop.
  *
  * The current implementation is skeletal and lacks features like security or firewall tunnelling (that is, you must
@@ -99,6 +99,14 @@ class ArtemisMessagingService(val directory: Path,
     private val keyStorePath = directory.resolve("certificates").resolve("sslkeystore.jks")
     private val trustStorePath = directory.resolve("certificates").resolve("truststore.jks")
     private val KEYSTORE_PASSWORD = "cordacadevpass" // TODO we need a proper way of managing keystores and passwords
+    private val CIPHER_SUITES = listOf(
+            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+            "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+            "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256")
 
     init {
         require(directory.fileSystem == FileSystems.getDefault()) { "Artemis only uses the default file system" }
@@ -321,9 +329,10 @@ class ArtemisMessagingService(val directory: Path,
                             HOST_PROP_NAME to host,
                             PORT_PROP_NAME to port.toInt(),
 
-                            // Turn on AMQP support, which needs the protoclo jar on the classpath.
+                            // Turn on AMQP support, which needs the protocol jar on the classpath.
                             // Unfortunately we cannot disable core protocol as artemis only uses AMQP for interop
-                            // It does not use AMQP messages for its own
+                            // It does not use AMQP messages for its own messages e.g. topology and heartbeats
+                            // TODO further investigate how to ensure we use a well defined wire level protocol for Node to Node communications
                             PROTOCOLS_PROP_NAME to "CORE,AMQP",
 
                             // Enable TLS transport layer with client certs and restrict to at least SHA256 in handshake
@@ -335,15 +344,15 @@ class ArtemisMessagingService(val directory: Path,
                             TRUSTSTORE_PROVIDER_PROP_NAME to "JKS",
                             TRUSTSTORE_PATH_PROP_NAME to trustStorePath,
                             TRUSTSTORE_PASSWORD_PROP_NAME to "trustpass",
-                            ENABLED_CIPHER_SUITES_PROP_NAME to "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+                            ENABLED_CIPHER_SUITES_PROP_NAME to CIPHER_SUITES.joinToString(","),
                             ENABLED_PROTOCOLS_PROP_NAME to "TLSv1.2",
                             NEED_CLIENT_AUTH_PROP_NAME to true
                     )
             )
 
     /**
-     * Strictly for dev only automatically construct a server certificate\private key signed from
+     * Strictly for dev only automatically construct a server certificate/private key signed from
-     * the CA certs in Node resources.
+     * the CA certs in Node resources. Then provision KeyStores into certificates folder under node path.
      */
     fun configureWithDevSSLCertificate() {
         Files.createDirectories(directory.resolve("certificates"))