ENT-1592 Add private network id to CSR (#533)
* * add private network id to CSR * TODO : Doc * TODO : Signing server and network map end points * Remove private network attribute from CSR * revert unnecessary changes * remove private network identifier from node as we are not shipping this to the node in DP3 * revert unnecessary changes * address PR issues
parent
f67c6874f4
commit
d2b29b42fe
@ -230,3 +230,49 @@ Run the following SQL script to archive the node info table (change the timestam
|
|||||||
delect from node_info where is_current = false and published_at < '2018-03-12'
|
delect from node_info where is_current = false and published_at < '2018-03-12'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Private Network Map
|
||||||
|
The private network is a tactical solution to provide temporary privacy to the initial network map.
|
||||||
|
|
||||||
|
### Creating a private network
|
||||||
|
To create a new private network, a entry has to be create in the ``private_network`` table manually.
|
||||||
|
|
||||||
|
Run the following SQL script to create a new private network:
|
||||||
|
|
||||||
|
```
|
||||||
|
insert into private_network (id, name)
|
||||||
|
values (NEWID(), 'Private Network Name')
|
||||||
|
```
|
||||||
|
|
||||||
|
Then use the following SQL to retrieve the private network ID for the private network owner:
|
||||||
|
```
|
||||||
|
select id from private_network where name = 'Private Network Name'
|
||||||
|
```
|
||||||
|
|
||||||
|
### Modify existing private network registration
|
||||||
|
Since this is a tactical solution, any modification will require manual database changes.
|
||||||
|
|
||||||
|
**We should try to keep these changes to the minimal**
|
||||||
|
|
||||||
|
#### Add nodes to a private network
|
||||||
|
|
||||||
|
```
|
||||||
|
update certificate_signing_request
|
||||||
|
set private_network = '<<private_network_id>>'
|
||||||
|
where request_id in ('<<certificate_request_id>>', ...)
|
||||||
|
```
|
||||||
|
|
||||||
|
or this SQL script to add all approved nodes to the private network map.
|
||||||
|
|
||||||
|
```
|
||||||
|
update certificate_signing_request
|
||||||
|
set private_network = '<<private_network_id>>'
|
||||||
|
where status = 'APPROVED'
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Move a node from its private network and into the global network map**
|
||||||
|
|
||||||
|
```
|
||||||
|
update certificate_signing_request
|
||||||
|
set private_network = null
|
||||||
|
where request_id = '<<certificate_request_id>>'
|
||||||
|
```
|
||||||
|
@ -63,6 +63,7 @@ sealed class NetworkManagementSchemaServices {
|
|||||||
CertificateSigningRequestEntity::class.java,
|
CertificateSigningRequestEntity::class.java,
|
||||||
CertificateDataEntity::class.java,
|
CertificateDataEntity::class.java,
|
||||||
CertificateRevocationRequestEntity::class.java,
|
CertificateRevocationRequestEntity::class.java,
|
||||||
|
PrivateNetworkEntity::class.java,
|
||||||
CertificateRevocationListEntity::class.java,
|
CertificateRevocationListEntity::class.java,
|
||||||
NodeInfoEntity::class.java,
|
NodeInfoEntity::class.java,
|
||||||
NetworkParametersEntity::class.java,
|
NetworkParametersEntity::class.java,
|
||||||
|
@ -63,7 +63,7 @@ class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeIn
|
|||||||
|
|
||||||
override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
|
override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
|
||||||
return database.transaction {
|
return database.transaction {
|
||||||
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo()
|
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.toSignedNodeInfo()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ import javax.persistence.*
|
|||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "certificate_signing_request", indexes = arrayOf(Index(name = "IDX_PUB_KEY_HASH", columnList = "public_key_hash")))
|
@Table(name = "certificate_signing_request", indexes = arrayOf(Index(name = "IDX_PUB_KEY_HASH", columnList = "public_key_hash")))
|
||||||
class CertificateSigningRequestEntity(
|
data class CertificateSigningRequestEntity(
|
||||||
@Id
|
@Id
|
||||||
@Column(name = "request_id", length = 64)
|
@Column(name = "request_id", length = 64)
|
||||||
val requestId: String,
|
val requestId: String,
|
||||||
@ -60,7 +60,11 @@ class CertificateSigningRequestEntity(
|
|||||||
|
|
||||||
@Lob
|
@Lob
|
||||||
@Column(name = "request_bytes", nullable = false)
|
@Column(name = "request_bytes", nullable = false)
|
||||||
val requestBytes: ByteArray
|
val requestBytes: ByteArray,
|
||||||
|
|
||||||
|
@ManyToOne
|
||||||
|
@JoinColumn(name = "private_network", foreignKey = ForeignKey(name = "FK_CSR_PN"))
|
||||||
|
val privateNetwork: PrivateNetworkEntity? = null
|
||||||
) {
|
) {
|
||||||
fun toCertificateSigningRequest() = CertificateSigningRequest(
|
fun toCertificateSigningRequest() = CertificateSigningRequest(
|
||||||
requestId = requestId,
|
requestId = requestId,
|
||||||
@ -73,36 +77,12 @@ class CertificateSigningRequestEntity(
|
|||||||
certData = certificateData?.toCertificateData()
|
certData = certificateData?.toCertificateData()
|
||||||
)
|
)
|
||||||
|
|
||||||
fun copy(requestId: String = this.requestId,
|
|
||||||
legalName: String = this.legalName,
|
|
||||||
publicKeyHash: String = this.publicKeyHash,
|
|
||||||
status: RequestStatus = this.status,
|
|
||||||
modifiedBy: String = this.modifiedBy,
|
|
||||||
modifiedAt: Instant = this.modifiedAt,
|
|
||||||
remark: String? = this.remark,
|
|
||||||
certificateData: CertificateDataEntity? = this.certificateData,
|
|
||||||
requestBytes: ByteArray = this.requestBytes
|
|
||||||
): CertificateSigningRequestEntity {
|
|
||||||
return CertificateSigningRequestEntity(
|
|
||||||
requestId = requestId,
|
|
||||||
legalName = legalName,
|
|
||||||
publicKeyHash = publicKeyHash,
|
|
||||||
status = status,
|
|
||||||
modifiedAt = modifiedAt,
|
|
||||||
modifiedBy = modifiedBy,
|
|
||||||
remark = remark,
|
|
||||||
certificateData = certificateData,
|
|
||||||
requestBytes = requestBytes
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private fun request() = PKCS10CertificationRequest(requestBytes)
|
private fun request() = PKCS10CertificationRequest(requestBytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "certificate_data")
|
@Table(name = "certificate_data")
|
||||||
class CertificateDataEntity(
|
data class CertificateDataEntity(
|
||||||
|
|
||||||
@Id
|
@Id
|
||||||
@GeneratedValue(strategy = GenerationType.SEQUENCE)
|
@GeneratedValue(strategy = GenerationType.SEQUENCE)
|
||||||
val id: Long? = null,
|
val id: Long? = null,
|
||||||
@ -146,3 +126,14 @@ class CertificateDataEntity(
|
|||||||
|
|
||||||
private fun toCertificatePath(): CertPath = buildCertPath(certificatePathBytes)
|
private fun toCertificatePath(): CertPath = buildCertPath(certificatePathBytes)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "private_network")
|
||||||
|
data class PrivateNetworkEntity(
|
||||||
|
@Id
|
||||||
|
@Column(name = "id")
|
||||||
|
val networkId: String,
|
||||||
|
|
||||||
|
@Column(name = "name")
|
||||||
|
val networkName: String
|
||||||
|
)
|
@ -12,13 +12,12 @@ package com.r3.corda.networkmanage.common.persistence.entity
|
|||||||
|
|
||||||
import net.corda.core.serialization.deserialize
|
import net.corda.core.serialization.deserialize
|
||||||
import net.corda.nodeapi.internal.SignedNodeInfo
|
import net.corda.nodeapi.internal.SignedNodeInfo
|
||||||
import org.hibernate.annotations.CreationTimestamp
|
|
||||||
import java.time.Instant
|
import java.time.Instant
|
||||||
import javax.persistence.*
|
import javax.persistence.*
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "node_info")
|
@Table(name = "node_info")
|
||||||
class NodeInfoEntity(
|
data class NodeInfoEntity(
|
||||||
// Hash of serialized [NodeInfo] without signatures.
|
// Hash of serialized [NodeInfo] without signatures.
|
||||||
@Id
|
@Id
|
||||||
@Column(name = "node_info_hash", length = 64)
|
@Column(name = "node_info_hash", length = 64)
|
||||||
@ -32,29 +31,14 @@ class NodeInfoEntity(
|
|||||||
@Column(name = "signed_node_info_bytes")
|
@Column(name = "signed_node_info_bytes")
|
||||||
val signedNodeInfoBytes: ByteArray,
|
val signedNodeInfoBytes: ByteArray,
|
||||||
|
|
||||||
@Column(name="is_current")
|
@Column(name = "is_current")
|
||||||
val isCurrent: Boolean,
|
val isCurrent: Boolean,
|
||||||
|
|
||||||
@Column(name = "published_at")
|
@Column(name = "published_at")
|
||||||
val publishedAt: Instant = Instant.now()
|
val publishedAt: Instant = Instant.now()
|
||||||
) {
|
) {
|
||||||
/**
|
/**
|
||||||
* Deserializes NodeInfoEntity.soignedNodeInfoBytes into the [SignedNodeInfo] instance
|
* Deserialize NodeInfoEntity.signedNodeInfoBytes into the [SignedNodeInfo] instance
|
||||||
*/
|
*/
|
||||||
fun signedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
|
fun toSignedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
|
||||||
|
|
||||||
fun copy(nodeInfoHash: String = this.nodeInfoHash,
|
|
||||||
certificateSigningRequest: CertificateSigningRequestEntity = this.certificateSigningRequest,
|
|
||||||
signedNodeInfoBytes: ByteArray = this.signedNodeInfoBytes,
|
|
||||||
isCurrent: Boolean = this.isCurrent,
|
|
||||||
publishedAt: Instant = this.publishedAt
|
|
||||||
): NodeInfoEntity {
|
|
||||||
return NodeInfoEntity(
|
|
||||||
nodeInfoHash = nodeInfoHash,
|
|
||||||
certificateSigningRequest = certificateSigningRequest,
|
|
||||||
signedNodeInfoBytes = signedNodeInfoBytes,
|
|
||||||
isCurrent = isCurrent,
|
|
||||||
publishedAt = publishedAt
|
|
||||||
)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
@ -98,7 +98,4 @@ fun PKCS10CertificationRequest.getCertRole(): CertRole {
|
|||||||
/**
|
/**
|
||||||
* Helper method to extract email from certificate signing request.
|
* Helper method to extract email from certificate signing request.
|
||||||
*/
|
*/
|
||||||
fun PKCS10CertificationRequest.getEmail(): String {
|
fun PKCS10CertificationRequest.getEmail(): String = firstAttributeValue(BCStyle.E).toString()
|
||||||
// TODO: Add basic email check?
|
|
||||||
return firstAttributeValue(BCStyle.E).toString()
|
|
||||||
}
|
|
||||||
|
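Review bot: The `// TODO: Add basic email check?` removed from `getEmail()` is dropped without any validation taking its place, so the new single-expression body still returns whatever the CSR's `E` attribute carries, and that attribute is client-supplied content. `firstAttributeValue` is defined outside this hunk, so I cannot tell whether it can return null; if it does, `.toString()` would silently yield the literal string `"null"` rather than failing. I would at least keep the intent on record, e.g. `// NOTE: the E attribute comes from the client's CSR and is not validated here; callers that use it as an address must check it` above the function, or add a minimal format check before this value reaches any e-mail or display path.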
@ -57,6 +57,7 @@
|
|||||||
</column>
|
</column>
|
||||||
<column name="public_key_hash" type="NVARCHAR(64)"/>
|
<column name="public_key_hash" type="NVARCHAR(64)"/>
|
||||||
<column name="modified_by" type="NVARCHAR(512)"/>
|
<column name="modified_by" type="NVARCHAR(512)"/>
|
||||||
|
<column name="private_network" type="NVARCHAR(255)"/>
|
||||||
</createTable>
|
</createTable>
|
||||||
</changeSet>
|
</changeSet>
|
||||||
<changeSet author="R3.Corda" id="1520338500424-4">
|
<changeSet author="R3.Corda" id="1520338500424-4">
|
||||||
@ -285,4 +286,17 @@
|
|||||||
<column name="rev"/>
|
<column name="rev"/>
|
||||||
</createIndex>
|
</createIndex>
|
||||||
</changeSet>
|
</changeSet>
|
||||||
|
<changeSet author="R3.Corda" id="1520338500424-36">
|
||||||
|
<createTable tableName="private_network">
|
||||||
|
<column name="id" type="NVARCHAR(255)">
|
||||||
|
<constraints primaryKey="true" primaryKeyName="PK_PRIV_NETWORK_ID"/>
|
||||||
|
</column>
|
||||||
|
<column name="name" type="NVARCHAR(255)"/>
|
||||||
|
</createTable>
|
||||||
|
</changeSet>
|
||||||
|
<changeSet author="R3.Corda" id="1520338500424-37">
|
||||||
|
<addForeignKeyConstraint baseColumnNames="private_network" baseTableName="certificate_signing_request"
|
||||||
|
constraintName="FK_CSR_PN"
|
||||||
|
referencedColumnNames="id" referencedTableName="private_network"/>
|
||||||
|
</changeSet>
|
||||||
</databaseChangeLog>
|
</databaseChangeLog>
|
||||||
|
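Review bot: The `<column name="private_network" type="NVARCHAR(255)"/>` added in the `@ -57` hunk sits inside the existing `createTable` changeSet for `certificate_signing_request` (its id is outside the hunk; it precedes `1520338500424-4`). Liquibase checksums each changeSet, so on any database where that changeSet has already run, validation will fail with a checksum mismatch instead of adding the column, and the new `1520338500424-37` changeSet would then reference a column that does not exist there; the changeSet ids look like March-2018 timestamps, so I assume at least one environment is already past this point — please confirm. The safe shape is a separate `addColumn` changeSet placed before `1520338500424-37`, leaving the original `createTable` untouched. The `name` column of `private_network` also has no `nullable="false"` constraint while `PrivateNetworkEntity.networkName` is a non-null `String`, so a row with a null name would load but fail in Kotlin; adding `<constraints nullable="false"/>` keeps the two in step.
```xml
<!-- … unchanged: createTable certificate_signing_request, without the private_network column … -->
<changeSet author="R3.Corda" id="CHANGESET_ID_PLACEHOLDER">
    <addColumn tableName="certificate_signing_request">
        <column name="private_network" type="NVARCHAR(255)"/>
    </addColumn>
</changeSet>
<!-- … unchanged: changeSets 1520338500424-36 and 1520338500424-37 … -->
```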