[CORDA-2866] Prevent node startup if legal identity key is lost but node key isn't (#5090)

node-api/src/main/kotlin/net/corda/nodeapi/internal/DevIdentityGenerator.kt

@@ -38,7 +38,7 @@ object DevIdentityGenerator {
         val p2pSslConfig = SslConfiguration.mutual(p2pKeyStore, p2pTrustStore)
 
         certificatesDirectory.createDirectories()
-        val nodeKeyStore = signingCertStore.get(true).also { it.registerDevSigningCertificates(legalName) }
+        val nodeKeyStore = signingCertStore.get(true).also { it.installDevNodeCaCertPath(legalName) }
         p2pSslConfig.keyStore.get(true).also { it.registerDevP2pCertificates(legalName) }
 
         val identity = nodeKeyStore.storeLegalIdentity("$NODE_IDENTITY_ALIAS_PREFIX-private-key")

node-api/src/main/kotlin/net/corda/nodeapi/internal/KeyStoreConfigHelpers.kt

@@ -26,14 +26,14 @@ import javax.security.auth.x500.X500Principal
  * the given legal name), and the SSL key store will store the TLS cert which is a sub-cert of the node CA.
  */
 
-fun CertificateStore.registerDevSigningCertificates(legalName: CordaX500Name,
-                                                    rootCert: X509Certificate = DEV_ROOT_CA.certificate,
-                                                    intermediateCa: CertificateAndKeyPair = DEV_INTERMEDIATE_CA,
-                                                    devNodeCa: CertificateAndKeyPair = createDevNodeCa(intermediateCa, legalName)) {
+fun CertificateStore.installDevNodeCaCertPath(legalName: CordaX500Name,
+                                              rootCert: X509Certificate = DEV_ROOT_CA.certificate,
+                                              intermediateCa: CertificateAndKeyPair = DEV_INTERMEDIATE_CA,
+                                              devNodeCa: CertificateAndKeyPair = createDevNodeCa(intermediateCa, legalName)) {
 
     update {
         setPrivateKey(X509Utilities.CORDA_CLIENT_CA, devNodeCa.keyPair.private, listOf(devNodeCa.certificate, intermediateCa.certificate, rootCert),
-                this@registerDevSigningCertificates.entryPassword)
+                this@installDevNodeCaCertPath.entryPassword)
     }
 }
 

node-api/src/test/kotlin/net/corda/nodeapi/internal/crypto/X509UtilitiesTest.kt

@@ -1,6 +1,6 @@
 package net.corda.nodeapi.internal.crypto
 
-import net.corda.core.crypto.*
+import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.Crypto.COMPOSITE_KEY
 import net.corda.core.crypto.Crypto.ECDSA_SECP256K1_SHA256
 import net.corda.core.crypto.Crypto.ECDSA_SECP256R1_SHA256
@@ -8,6 +8,8 @@ import net.corda.core.crypto.Crypto.EDDSA_ED25519_SHA512
 import net.corda.core.crypto.Crypto.RSA_SHA256
 import net.corda.core.crypto.Crypto.SPHINCS256_SHA256
 import net.corda.core.crypto.Crypto.generateKeyPair
+import net.corda.core.crypto.SignatureScheme
+import net.corda.core.crypto.newSecureRandom
 import net.corda.core.identity.CordaX500Name
 import net.corda.core.internal.div
 import net.corda.core.serialization.SerializationContext
@@ -18,9 +20,9 @@ import net.corda.nodeapi.internal.config.MutualSslConfiguration
 import net.corda.nodeapi.internal.createDevNodeCa
 import net.corda.nodeapi.internal.crypto.X509Utilities.DEFAULT_IDENTITY_SIGNATURE_SCHEME
 import net.corda.nodeapi.internal.crypto.X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME
+import net.corda.nodeapi.internal.installDevNodeCaCertPath
 import net.corda.nodeapi.internal.protonwrapper.netty.init
 import net.corda.nodeapi.internal.registerDevP2pCertificates
-import net.corda.nodeapi.internal.registerDevSigningCertificates
 import net.corda.serialization.internal.AllWhitelist
 import net.corda.serialization.internal.SerializationContextImpl
 import net.corda.serialization.internal.SerializationFactoryImpl
@@ -28,8 +30,8 @@ import net.corda.serialization.internal.amqp.amqpMagic
 import net.corda.testing.core.ALICE_NAME
 import net.corda.testing.core.BOB_NAME
 import net.corda.testing.core.TestIdentity
-import net.corda.testing.internal.stubs.CertificateStoreStubs
 import net.corda.testing.internal.createDevIntermediateCaCertPath
+import net.corda.testing.internal.stubs.CertificateStoreStubs
 import net.i2p.crypto.eddsa.EdDSAPrivateKey
 import org.assertj.core.api.Assertions.assertThat
 import org.bouncycastle.asn1.x509.*
@@ -232,7 +234,7 @@ class X509UtilitiesTest {
 
         // Generate server cert and private key and populate another keystore suitable for SSL
         val nodeCa = createDevNodeCa(intermediateCa, MEGA_CORP.name)
-        signingCertStore.get(createNew = true).also { it.registerDevSigningCertificates(MEGA_CORP.name, rootCa.certificate, intermediateCa, nodeCa) }
+        signingCertStore.get(createNew = true).also { it.installDevNodeCaCertPath(MEGA_CORP.name, rootCa.certificate, intermediateCa, nodeCa) }
         p2pSslConfig.keyStore.get(createNew = true).also { it.registerDevP2pCertificates(MEGA_CORP.name, rootCa.certificate, intermediateCa, nodeCa) }
         // Load back server certificate
         val certStore = signingCertStore.get()