ENT-1592 Add private network id to CSR (#533)
* add private network id to CSR * TODO: Doc * TODO: Signing server and network map end points * Remove private network attribute from CSR * revert unnecessary changes * remove private network identifier from node as we are not shipping this to the node in DP3 * revert unnecessary changes * address PR issues
This commit is contained in:
parent
f67c6874f4
commit
d2b29b42fe
@ -230,3 +230,49 @@ Run the following SQL script to archive the node info table (change the timestam
|
||||
delect from node_info where is_current = false and published_at < '2018-03-12'
|
||||
```
|
||||
|
||||
## Private Network Map
|
||||
The private network is a tactical solution to provide temporary privacy to the initial network map.
|
||||
|
||||
### Creating a private network
|
||||
To create a new private network, a entry has to be create in the ``private_network`` table manually.
|
||||
|
||||
Run the following SQL script to create a new private network:
|
||||
|
||||
```
|
||||
insert into private_network (id, name)
|
||||
values (NEWID(), 'Private Network Name')
|
||||
```
|
||||
|
||||
Then use the following SQL to retrieve the private network ID for the private network owner:
|
||||
```
|
||||
select id from private_network where name = 'Private Network Name'
|
||||
```
|
||||
|
||||
### Modify existing private network registration
|
||||
Since this is a tactical solution, any modification will require manual database changes.
|
||||
|
||||
**We should try to keep these changes to the minimal**
|
||||
|
||||
#### Add nodes to a private network
|
||||
|
||||
```
|
||||
update certificate_signing_request
|
||||
set private_network = '<<private_network_id>>'
|
||||
where request_id in ('<<certificate_request_id>>', ...)
|
||||
```
|
||||
|
||||
or this SQL script to add all approved nodes to the private network map.
|
||||
|
||||
```
|
||||
update certificate_signing_request
|
||||
set private_network = '<<private_network_id>>'
|
||||
where status = 'APPROVED'
|
||||
```
|
||||
|
||||
#### Move a node from its private network and into the global network map**
|
||||
|
||||
```
|
||||
update certificate_signing_request
|
||||
set private_network = null
|
||||
where request_id = '<<certificate_request_id>>'
|
||||
```
|
||||
|
@ -56,7 +56,7 @@ interface CertificateSigningRequestStorage {
|
||||
* Persist the fact that a ticket has been created for the given [requestId].
|
||||
*/
|
||||
fun markRequestTicketCreated(requestId: String)
|
||||
|
||||
|
||||
/**
|
||||
* Approve the given request if it has not already been approved. Otherwise do nothing.
|
||||
* @param requestId id of the certificate signing request
|
||||
|
@ -63,6 +63,7 @@ sealed class NetworkManagementSchemaServices {
|
||||
CertificateSigningRequestEntity::class.java,
|
||||
CertificateDataEntity::class.java,
|
||||
CertificateRevocationRequestEntity::class.java,
|
||||
PrivateNetworkEntity::class.java,
|
||||
CertificateRevocationListEntity::class.java,
|
||||
NodeInfoEntity::class.java,
|
||||
NetworkParametersEntity::class.java,
|
||||
|
@ -63,7 +63,7 @@ class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeIn
|
||||
|
||||
override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
|
||||
return database.transaction {
|
||||
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo()
|
||||
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.toSignedNodeInfo()
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -26,7 +26,7 @@ import javax.persistence.*
|
||||
|
||||
@Entity
|
||||
@Table(name = "certificate_signing_request", indexes = arrayOf(Index(name = "IDX_PUB_KEY_HASH", columnList = "public_key_hash")))
|
||||
class CertificateSigningRequestEntity(
|
||||
data class CertificateSigningRequestEntity(
|
||||
@Id
|
||||
@Column(name = "request_id", length = 64)
|
||||
val requestId: String,
|
||||
@ -60,7 +60,11 @@ class CertificateSigningRequestEntity(
|
||||
|
||||
@Lob
|
||||
@Column(name = "request_bytes", nullable = false)
|
||||
val requestBytes: ByteArray
|
||||
val requestBytes: ByteArray,
|
||||
|
||||
@ManyToOne
|
||||
@JoinColumn(name = "private_network", foreignKey = ForeignKey(name = "FK_CSR_PN"))
|
||||
val privateNetwork: PrivateNetworkEntity? = null
|
||||
) {
|
||||
fun toCertificateSigningRequest() = CertificateSigningRequest(
|
||||
requestId = requestId,
|
||||
@ -73,36 +77,12 @@ class CertificateSigningRequestEntity(
|
||||
certData = certificateData?.toCertificateData()
|
||||
)
|
||||
|
||||
fun copy(requestId: String = this.requestId,
|
||||
legalName: String = this.legalName,
|
||||
publicKeyHash: String = this.publicKeyHash,
|
||||
status: RequestStatus = this.status,
|
||||
modifiedBy: String = this.modifiedBy,
|
||||
modifiedAt: Instant = this.modifiedAt,
|
||||
remark: String? = this.remark,
|
||||
certificateData: CertificateDataEntity? = this.certificateData,
|
||||
requestBytes: ByteArray = this.requestBytes
|
||||
): CertificateSigningRequestEntity {
|
||||
return CertificateSigningRequestEntity(
|
||||
requestId = requestId,
|
||||
legalName = legalName,
|
||||
publicKeyHash = publicKeyHash,
|
||||
status = status,
|
||||
modifiedAt = modifiedAt,
|
||||
modifiedBy = modifiedBy,
|
||||
remark = remark,
|
||||
certificateData = certificateData,
|
||||
requestBytes = requestBytes
|
||||
)
|
||||
}
|
||||
|
||||
private fun request() = PKCS10CertificationRequest(requestBytes)
|
||||
}
|
||||
|
||||
@Entity
|
||||
@Table(name = "certificate_data")
|
||||
class CertificateDataEntity(
|
||||
|
||||
data class CertificateDataEntity(
|
||||
@Id
|
||||
@GeneratedValue(strategy = GenerationType.SEQUENCE)
|
||||
val id: Long? = null,
|
||||
@ -145,4 +125,15 @@ class CertificateDataEntity(
|
||||
}
|
||||
|
||||
private fun toCertificatePath(): CertPath = buildCertPath(certificatePathBytes)
|
||||
}
|
||||
}
|
||||
|
||||
@Entity
|
||||
@Table(name = "private_network")
|
||||
data class PrivateNetworkEntity(
|
||||
@Id
|
||||
@Column(name = "id")
|
||||
val networkId: String,
|
||||
|
||||
@Column(name = "name")
|
||||
val networkName: String
|
||||
)
|
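Review bot: Turning `CertificateSigningRequestEntity` into a `data class` gives it a generated `equals`/`hashCode`/`toString` over every constructor property, but `requestBytes: ByteArray` compares by reference, and `certificateData` plus the new `@ManyToOne privateNetwork` are folded into `hashCode` and printed by `toString`, so entity identity now depends on array identity and on associated rows (whether that also forces association loading from a log statement depends on the mapping and is not visible here). The same applies to `data class NodeInfoEntity` in NodeInfoEntity.kt, whose `signedNodeInfoBytes` is also a `ByteArray`. Pinning identity to the `@Id` column and keeping the bytes and associations out of `toString` preserves the generated `copy` the commit relies on after removing the hand-written one. The class body continues past the `@ -60,7 +60,11 @@` hunk into the following hunks.
```kotlin
) {
    // Identity is the primary key: the byte array compares by reference and the
    // associated entities should not participate in equality or hashing.
    override fun equals(other: Any?): Boolean =
        this === other || (other is CertificateSigningRequestEntity && other.requestId == requestId)

    override fun hashCode(): Int = requestId.hashCode()

    // Keep request bytes and associations out of log output.
    override fun toString(): String = "CertificateSigningRequestEntity(requestId=$requestId, status=$status)"

    // … unchanged: toCertificateSigningRequest(), request() …
```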
@ -12,13 +12,12 @@ package com.r3.corda.networkmanage.common.persistence.entity
|
||||
|
||||
import net.corda.core.serialization.deserialize
|
||||
import net.corda.nodeapi.internal.SignedNodeInfo
|
||||
import org.hibernate.annotations.CreationTimestamp
|
||||
import java.time.Instant
|
||||
import javax.persistence.*
|
||||
|
||||
@Entity
|
||||
@Table(name = "node_info")
|
||||
class NodeInfoEntity(
|
||||
data class NodeInfoEntity(
|
||||
// Hash of serialized [NodeInfo] without signatures.
|
||||
@Id
|
||||
@Column(name = "node_info_hash", length = 64)
|
||||
@ -32,29 +31,14 @@ class NodeInfoEntity(
|
||||
@Column(name = "signed_node_info_bytes")
|
||||
val signedNodeInfoBytes: ByteArray,
|
||||
|
||||
@Column(name="is_current")
|
||||
@Column(name = "is_current")
|
||||
val isCurrent: Boolean,
|
||||
|
||||
@Column(name = "published_at")
|
||||
val publishedAt: Instant = Instant.now()
|
||||
) {
|
||||
/**
|
||||
* Deserializes NodeInfoEntity.soignedNodeInfoBytes into the [SignedNodeInfo] instance
|
||||
* Deserialize NodeInfoEntity.signedNodeInfoBytes into the [SignedNodeInfo] instance
|
||||
*/
|
||||
fun signedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
|
||||
|
||||
fun copy(nodeInfoHash: String = this.nodeInfoHash,
|
||||
certificateSigningRequest: CertificateSigningRequestEntity = this.certificateSigningRequest,
|
||||
signedNodeInfoBytes: ByteArray = this.signedNodeInfoBytes,
|
||||
isCurrent: Boolean = this.isCurrent,
|
||||
publishedAt: Instant = this.publishedAt
|
||||
): NodeInfoEntity {
|
||||
return NodeInfoEntity(
|
||||
nodeInfoHash = nodeInfoHash,
|
||||
certificateSigningRequest = certificateSigningRequest,
|
||||
signedNodeInfoBytes = signedNodeInfoBytes,
|
||||
isCurrent = isCurrent,
|
||||
publishedAt = publishedAt
|
||||
)
|
||||
}
|
||||
fun toSignedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
|
||||
}
|
||||
|
@ -98,7 +98,4 @@ fun PKCS10CertificationRequest.getCertRole(): CertRole {
|
||||
/**
|
||||
* Helper method to extract email from certificate signing request.
|
||||
*/
|
||||
fun PKCS10CertificationRequest.getEmail(): String {
|
||||
// TODO: Add basic email check?
|
||||
return firstAttributeValue(BCStyle.E).toString()
|
||||
}
|
||||
fun PKCS10CertificationRequest.getEmail(): String = firstAttributeValue(BCStyle.E).toString()
|
||||
|
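Review bot: The single-expression rewrite of `getEmail` drops the `// TODO: Add basic email check?` comment without adding the check, so the open question about validating the requester-supplied `E` attribute silently disappears from the code. Either keep the TODO next to the new form or state the contract in the KDoc, e.g. `* The value is returned as submitted in the request; no syntax validation is applied here.`. What `firstAttributeValue` does when the attribute is absent is not visible in this hunk; if it throws, that is worth a `@throws` line in the same KDoc.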
@ -57,6 +57,7 @@
|
||||
</column>
|
||||
<column name="public_key_hash" type="NVARCHAR(64)"/>
|
||||
<column name="modified_by" type="NVARCHAR(512)"/>
|
||||
<column name="private_network" type="NVARCHAR(255)"/>
|
||||
</createTable>
|
||||
</changeSet>
|
||||
<changeSet author="R3.Corda" id="1520338500424-4">
|
||||
@ -285,4 +286,17 @@
|
||||
<column name="rev"/>
|
||||
</createIndex>
|
||||
</changeSet>
|
||||
<changeSet author="R3.Corda" id="1520338500424-36">
|
||||
<createTable tableName="private_network">
|
||||
<column name="id" type="NVARCHAR(255)">
|
||||
<constraints primaryKey="true" primaryKeyName="PK_PRIV_NETWORK_ID"/>
|
||||
</column>
|
||||
<column name="name" type="NVARCHAR(255)"/>
|
||||
</createTable>
|
||||
</changeSet>
|
||||
<changeSet author="R3.Corda" id="1520338500424-37">
|
||||
<addForeignKeyConstraint baseColumnNames="private_network" baseTableName="certificate_signing_request"
|
||||
constraintName="FK_CSR_PN"
|
||||
referencedColumnNames="id" referencedTableName="private_network"/>
|
||||
</changeSet>
|
||||
</databaseChangeLog>
|
||||
|
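Review bot: The new `private_network` table in changeSet `1520338500424-36` leaves `name` nullable and non-unique, while the operator instructions added in this commit resolve a network's id with `select id from private_network where name = '...'`; two rows with the same name would make that lookup ambiguous and the subsequent manual `update certificate_signing_request set private_network = ...` could attach nodes to the wrong network. Suggest `<column name="name" type="NVARCHAR(255)"><constraints nullable="false" unique="true" uniqueConstraintName="UK_PRIV_NETWORK_NAME"/></column>`. The `FK_CSR_PN` constraint in changeSet `-37` matches the `@JoinColumn` foreign-key name on the entity, so that part lines up.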