diff --git a/docs/source/running-signing-service.rst b/docs/source/running-signing-service.rst
index 5781dc2054..8ad3d10d6b 100644
--- a/docs/source/running-signing-service.rst
+++ b/docs/source/running-signing-service.rst
@@ -34,7 +34,7 @@ Allowed parameters are:
 :dataSourceProperties: Data source properties. It should describe (or point to) the Doorman database.
-:doorman: CSR signing process configuration parameters. If specified, the signing service will sign approved CSRs.
+:doorman: CSR signing process configuration parameters. If specified, the signing service will sign CRL or approved CSRs depending on the operating mode defined in the mode parameter.
 :validDays: Number of days issued signatures are valid for.
@@ -44,6 +44,12 @@ Allowed parameters are:
 :keyGroup: HSM key group for the doorman certificate key. This parameter is vendor specific (see Utimaco docs).
+ :mode: Manual HSM signing mode. Allowed values:
+
+ :CSR: Run the signing service for the certificate signing requests.
+
+ :CRL: Run the signing service for the certificate revocation list.
+
 :crlDistributionPoint: Certificate revocation list location for the node CA certificate.
 :crlServerSocketAddress: Address of the socket connection serving the certificate revocation list.
diff --git a/network-management/hsm-for-doorman.conf b/network-management/hsm-for-doorman.conf
index 33cb6795a0..03b05fc267 100644
--- a/network-management/hsm-for-doorman.conf
+++ b/network-management/hsm-for-doorman.conf
@@ -7,6 +7,7 @@ doorman {
 crlServerSocketAddress = "test.com:2333"
 crlUpdatePeriod = 200000
 validDays = 3650
+ mode = CSR
 rootKeyStoreFile = "dummyfile.jks"
 rootKeyStorePassword = "trustpass"
 keyGroup = "DEV.CORDACONNECT.OPS.CERT"
diff --git a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/common/HsmBaseTest.kt b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/common/HsmBaseTest.kt
index f0490c1984..1608c2d8dd 100644
--- a/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/common/HsmBaseTest.kt
+++ b/network-management/src/integration-test/kotlin/com/r3/corda/networkmanage/common/HsmBaseTest.kt
@@ -15,10 +15,7 @@ import com.nhaarman.mockito_kotlin.mock
 import com.nhaarman.mockito_kotlin.whenever
 import com.r3.corda.networkmanage.HsmSimulator
 import com.r3.corda.networkmanage.hsm.authentication.InputReader
-import com.r3.corda.networkmanage.hsm.configuration.AuthParametersConfig
-import com.r3.corda.networkmanage.hsm.configuration.DoormanCertificateConfig
-import com.r3.corda.networkmanage.hsm.configuration.NetworkMapCertificateConfig
-import com.r3.corda.networkmanage.hsm.configuration.SigningServiceConfig
+import com.r3.corda.networkmanage.hsm.configuration.*
 import com.r3.corda.networkmanage.hsm.generator.CertificateConfiguration
 import com.r3.corda.networkmanage.hsm.generator.GeneratorParameters
 import com.r3.corda.networkmanage.hsm.generator.UserAuthenticationParameters
@@ -149,6 +146,7 @@ abstract class HsmBaseTest {
 crlDistributionPoint = URL("http://test.com/revoked.crl"),
 crlServerSocketAddress = NetworkHostAndPort("test.com", 4555),
 crlUpdatePeriod = 1000,
+ mode = ManualMode.CSR,
 authParameters = AuthParametersConfig(
 mode = SigningServiceAuthMode.PASSWORD,
 threshold = 2
@@ -165,7 +163,6 @@ abstract class HsmBaseTest {
 password = "INTEGRATION_TEST",
 threshold = 2
 )
- )
 }
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/Main.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/Main.kt
index ec944ad6dc..582161b1d7 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/Main.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/Main.kt
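Review bot: Replacing four explicit imports with `import com.r3.corda.networkmanage.hsm.configuration.*` is a style change the rest of this import block does not follow — every neighbouring import in the hunk is explicit. The only new name the test needs is ManualMode (used in the `mode = ManualMode.CSR` line in the next hunk), so adding `import com.r3.corda.networkmanage.hsm.configuration.ManualMode` next to the four existing lines keeps the file's convention and avoids pulling unrelated declarations from that package into the test's scope.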
@@ -15,6 +15,7 @@ import com.r3.corda.networkmanage.common.persistence.configureDatabase
 import com.r3.corda.networkmanage.common.utils.ShowHelpException
 import com.r3.corda.networkmanage.common.utils.initialiseSerialization
 import com.r3.corda.networkmanage.common.utils.parseConfig
+import com.r3.corda.networkmanage.hsm.configuration.ManualMode
 import com.r3.corda.networkmanage.hsm.configuration.SigningServiceArgsParser
 import com.r3.corda.networkmanage.hsm.configuration.SigningServiceConfig
 import com.r3.corda.networkmanage.hsm.processor.CrrProcessor
@@ -60,8 +61,9 @@ fun main(args: Array) {
 if (config.networkMap != null) {
 NetworkMapProcessor(config.networkMap, config.device, config.keySpecifier, persistence).run()
 } else if (config.doorman != null) {
- CsrProcessor(config.doorman, config.device, config.keySpecifier, persistence).showMenu()
- } else if (config.doorman != null) {
- CrrProcessor(config.doorman, config.device, config.keySpecifier).showMenu()
+ when (config.doorman.mode) {
+ ManualMode.CSR -> CsrProcessor(config.doorman, config.device, config.keySpecifier, persistence).showMenu()
+ ManualMode.CRL -> CrrProcessor(config.doorman, config.device, config.keySpecifier).showMenu()
+ }
 }
 }
diff --git a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/configuration/SigningServiceConfig.kt b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/configuration/SigningServiceConfig.kt
index b4f01a1486..1a96e87489 100644
--- a/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/configuration/SigningServiceConfig.kt
+++ b/network-management/src/main/kotlin/com/r3/corda/networkmanage/hsm/configuration/SigningServiceConfig.kt
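Review bot: `when (config.doorman.mode)` is used as a statement, so the compiler does not check it for exhaustiveness; a value added to ManualMode later would compile and silently start no processor, and for the switch that decides which HSM signing flow the service runs that is better caught at build time. Using the `when` as an expression restores the check — e.g. assign its result, `val started = when (config.doorman.mode) {`, with the two branches and the closing `}` unchanged, or move the dispatch into a small expression-bodied helper. The enclosing `main` starts before this hunk, and its `args: Array` type argument appears to have been stripped in this rendering.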
@@ -60,6 +60,7 @@ data class NetworkMapCertificateConfig(val username: String,
 data class DoormanCertificateConfig(val crlDistributionPoint: URL,
 val crlServerSocketAddress: NetworkHostAndPort,
 val crlUpdatePeriod: Long,
+ val mode: ManualMode,
 val keyGroup:String,
 val validDays: Int,
 val rootKeyStoreFile: Path,
@@ -70,6 +71,11 @@ data class DoormanCertificateConfig(val crlDistributionPoint: URL,
 }
 }
+enum class ManualMode {
+ CRL, // Run manual mode for the certificate revocation list.
+ CSR // Run manual mode for the certificate signing requests.
+}
+
 /**
 * Authentication related parameters.
 */
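Review bot: `val mode: ManualMode` is added without a default, so any existing doorman configuration that predates this change stops parsing until `mode` is set; the sample hsm-for-doorman.conf in this commit is updated, but the running-signing-service.rst text added here does not say the parameter is mandatory. If requiring an explicit choice is intended — defensible, since the value selects which processor is started with the doorman key settings (see the Main.kt hunk) — state it in the parameter docs and on the property, e.g. a KDoc line `@property mode Which manual signing flow this service runs (CSR or CRL); required, no default.` on DoormanCertificateConfig. The parameter list of DoormanCertificateConfig continues past the end of this hunk.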
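Review bot: The trailing `//` comments on `CRL` and `CSR` are not KDoc, so the type that the operator-facing mode parameter is parsed into shows no documentation in generated docs or on IDE hover. A `/** */` block on the enum and on each constant carries the same information in the style this file already uses for `Authentication related parameters`: e.g. `/** Selects the manual signing flow the doorman service runs; parsed from the mode configuration parameter. */` above `enum class ManualMode`, `/** Sign the certificate revocation list (dispatched to CrrProcessor). */` on `CRL`, and `/** Sign approved certificate signing requests (dispatched to CsrProcessor). */` on `CSR`.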