Add DER format encoding for CompositeKey

Add extremely rough DER format encoding for CompositeKey so that they can be used in X.509 certificates, and switch service identity generator to using the proper identity cert for signing.
2025-06-17 22:58:19 +00:00 · 2017-06-20 14:58:26 +01:00
parent 155bb029da
commit b7bec90fae
2 changed files with 34 additions and 16 deletions
--- a/node/src/main/kotlin/net/corda/node/utilities/ServiceIdentityGenerator.kt
+++ b/node/src/main/kotlin/net/corda/node/utilities/ServiceIdentityGenerator.kt
@ -1,9 +1,6 @@
 package net.corda.node.utilities

-import net.corda.core.crypto.CertificateAndKeyPair
-import net.corda.core.crypto.CompositeKey
-import net.corda.core.crypto.X509Utilities
-import net.corda.core.crypto.generateKeyPair
+import net.corda.core.crypto.*
 import net.corda.core.identity.PartyAndCertificate
 import net.corda.core.serialization.serialize
 import net.corda.core.serialization.storageKryo
@ -12,6 +9,7 @@ import net.corda.core.utilities.trace
 import org.bouncycastle.asn1.x500.X500Name
 import java.nio.file.Files
 import java.nio.file.Path
+import java.security.cert.*

 object ServiceIdentityGenerator {
    private val log = loggerFor<ServiceIdentityGenerator>()
@ -36,15 +34,20 @@ object ServiceIdentityGenerator {
        log.trace { "Generating a group identity \"serviceName\" for nodes: ${dirs.joinToString()}" }
        val keyPairs = (1..dirs.size).map { generateKeyPair() }
        val notaryKey = CompositeKey.Builder().addKeys(keyPairs.map { it.public }).build(threshold)
-        // TODO: This doesn't work until we have composite keys in X.509 certificates, so we make up a certificate that nothing checks
-        // val notaryCert = X509Utilities.createCertificate(CertificateType.IDENTITY, serviceCa.certificate,
-        //        serviceCa.keyPair, serviceName, notaryKey)
-        val notaryCert = X509Utilities.createSelfSignedCACertificate(serviceName, generateKeyPair())
+        val notaryCert = X509Utilities.createCertificate(CertificateType.INTERMEDIATE_CA, serviceCa.certificate,
+            serviceCa.keyPair, serviceName, notaryKey)
        val notaryCertPath = X509Utilities.createCertificatePath(serviceCa.certificate, notaryCert, revocationEnabled = false)
        val notaryParty = PartyAndCertificate(serviceName, notaryKey, notaryCert, notaryCertPath)
        val notaryPartyBytes = notaryParty.serialize()
        val privateKeyFile = "$serviceId-private-key"
        val publicKeyFile = "$serviceId-public"
+
+        // Sanity check the certificate and path
+        val validatorParameters = PKIXParameters(setOf(TrustAnchor(serviceCa.certificate.cert, null)))
+        val validator = CertPathValidator.getInstance("PKIX")
+        validatorParameters.isRevocationEnabled = false
+        validator.validate(notaryCertPath, validatorParameters) as PKIXCertPathValidatorResult
+
        keyPairs.zip(dirs) { keyPair, dir ->
            Files.createDirectories(dir)
            notaryPartyBytes.writeToFile(dir.resolve(publicKeyFile))