ENT-1592 Add private network id to CSR (#533)

* * add private network id to CSR
* TODO : Doc
* TODO : Signing server and network map end points

* Remove private network attribute from CSR

* revert unnecessary changes

* remove private network identifier from node as we are not shipping this to the node in DP3

* revert unnecessary changes

* address PR issues
This commit is contained in:
Patrick Kuo 2018-03-15 15:20:07 +00:00 committed by GitHub
parent f67c6874f4
commit d2b29b42fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 87 additions and 54 deletions

View File

@ -230,3 +230,49 @@ Run the following SQL script to archive the node info table (change the timestam
delect from node_info where is_current = false and published_at < '2018-03-12'
```
## Private Network Map
The private network is a tactical solution to provide temporary privacy to the initial network map.
### Creating a private network
To create a new private network, a entry has to be create in the ``private_network`` table manually.
Run the following SQL script to create a new private network:
```
insert into private_network (id, name)
values (NEWID(), 'Private Network Name')
```
Then use the following SQL to retrieve the private network ID for the private network owner:
```
select id from private_network where name = 'Private Network Name'
```
### Modify existing private network registration
Since this is a tactical solution, any modification will require manual database changes.
**We should try to keep these changes to the minimal**
#### Add nodes to a private network
```
update certificate_signing_request
set private_network = '<<private_network_id>>'
where request_id in ('<<certificate_request_id>>', ...)
```
or this SQL script to add all approved nodes to the private network map.
```
update certificate_signing_request
set private_network = '<<private_network_id>>'
where status = 'APPROVED'
```
#### Move a node from its private network and into the global network map**
```
update certificate_signing_request
set private_network = null
where request_id = '<<certificate_request_id>>'
```

View File

@ -63,6 +63,7 @@ sealed class NetworkManagementSchemaServices {
CertificateSigningRequestEntity::class.java,
CertificateDataEntity::class.java,
CertificateRevocationRequestEntity::class.java,
PrivateNetworkEntity::class.java,
CertificateRevocationListEntity::class.java,
NodeInfoEntity::class.java,
NetworkParametersEntity::class.java,

View File

@ -63,7 +63,7 @@ class PersistentNodeInfoStorage(private val database: CordaPersistence) : NodeIn
override fun getNodeInfo(nodeInfoHash: SecureHash): SignedNodeInfo? {
return database.transaction {
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.signedNodeInfo()
session.find(NodeInfoEntity::class.java, nodeInfoHash.toString())?.toSignedNodeInfo()
}
}

View File

@ -26,7 +26,7 @@ import javax.persistence.*
@Entity
@Table(name = "certificate_signing_request", indexes = arrayOf(Index(name = "IDX_PUB_KEY_HASH", columnList = "public_key_hash")))
class CertificateSigningRequestEntity(
data class CertificateSigningRequestEntity(
@Id
@Column(name = "request_id", length = 64)
val requestId: String,
@ -60,7 +60,11 @@ class CertificateSigningRequestEntity(
@Lob
@Column(name = "request_bytes", nullable = false)
val requestBytes: ByteArray
val requestBytes: ByteArray,
@ManyToOne
@JoinColumn(name = "private_network", foreignKey = ForeignKey(name = "FK_CSR_PN"))
val privateNetwork: PrivateNetworkEntity? = null
) {
fun toCertificateSigningRequest() = CertificateSigningRequest(
requestId = requestId,
@ -73,36 +77,12 @@ class CertificateSigningRequestEntity(
certData = certificateData?.toCertificateData()
)
fun copy(requestId: String = this.requestId,
legalName: String = this.legalName,
publicKeyHash: String = this.publicKeyHash,
status: RequestStatus = this.status,
modifiedBy: String = this.modifiedBy,
modifiedAt: Instant = this.modifiedAt,
remark: String? = this.remark,
certificateData: CertificateDataEntity? = this.certificateData,
requestBytes: ByteArray = this.requestBytes
): CertificateSigningRequestEntity {
return CertificateSigningRequestEntity(
requestId = requestId,
legalName = legalName,
publicKeyHash = publicKeyHash,
status = status,
modifiedAt = modifiedAt,
modifiedBy = modifiedBy,
remark = remark,
certificateData = certificateData,
requestBytes = requestBytes
)
}
private fun request() = PKCS10CertificationRequest(requestBytes)
}
@Entity
@Table(name = "certificate_data")
class CertificateDataEntity(
data class CertificateDataEntity(
@Id
@GeneratedValue(strategy = GenerationType.SEQUENCE)
val id: Long? = null,
@ -146,3 +126,14 @@ class CertificateDataEntity(
private fun toCertificatePath(): CertPath = buildCertPath(certificatePathBytes)
}
@Entity
@Table(name = "private_network")
data class PrivateNetworkEntity(
@Id
@Column(name = "id")
val networkId: String,
@Column(name = "name")
val networkName: String
)

View File

@ -12,13 +12,12 @@ package com.r3.corda.networkmanage.common.persistence.entity
import net.corda.core.serialization.deserialize
import net.corda.nodeapi.internal.SignedNodeInfo
import org.hibernate.annotations.CreationTimestamp
import java.time.Instant
import javax.persistence.*
@Entity
@Table(name = "node_info")
class NodeInfoEntity(
data class NodeInfoEntity(
// Hash of serialized [NodeInfo] without signatures.
@Id
@Column(name = "node_info_hash", length = 64)
@ -32,29 +31,14 @@ class NodeInfoEntity(
@Column(name = "signed_node_info_bytes")
val signedNodeInfoBytes: ByteArray,
@Column(name="is_current")
@Column(name = "is_current")
val isCurrent: Boolean,
@Column(name = "published_at")
val publishedAt: Instant = Instant.now()
) {
/**
* Deserializes NodeInfoEntity.soignedNodeInfoBytes into the [SignedNodeInfo] instance
* Deserialize NodeInfoEntity.signedNodeInfoBytes into the [SignedNodeInfo] instance
*/
fun signedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
fun copy(nodeInfoHash: String = this.nodeInfoHash,
certificateSigningRequest: CertificateSigningRequestEntity = this.certificateSigningRequest,
signedNodeInfoBytes: ByteArray = this.signedNodeInfoBytes,
isCurrent: Boolean = this.isCurrent,
publishedAt: Instant = this.publishedAt
): NodeInfoEntity {
return NodeInfoEntity(
nodeInfoHash = nodeInfoHash,
certificateSigningRequest = certificateSigningRequest,
signedNodeInfoBytes = signedNodeInfoBytes,
isCurrent = isCurrent,
publishedAt = publishedAt
)
}
fun toSignedNodeInfo() = signedNodeInfoBytes.deserialize<SignedNodeInfo>()
}

View File

@ -98,7 +98,4 @@ fun PKCS10CertificationRequest.getCertRole(): CertRole {
/**
* Helper method to extract email from certificate signing request.
*/
fun PKCS10CertificationRequest.getEmail(): String {
// TODO: Add basic email check?
return firstAttributeValue(BCStyle.E).toString()
}
fun PKCS10CertificationRequest.getEmail(): String = firstAttributeValue(BCStyle.E).toString()

View File

@ -57,6 +57,7 @@
</column>
<column name="public_key_hash" type="NVARCHAR(64)"/>
<column name="modified_by" type="NVARCHAR(512)"/>
<column name="private_network" type="NVARCHAR(255)"/>
</createTable>
</changeSet>
<changeSet author="R3.Corda" id="1520338500424-4">
@ -285,4 +286,17 @@
<column name="rev"/>
</createIndex>
</changeSet>
<changeSet author="R3.Corda" id="1520338500424-36">
<createTable tableName="private_network">
<column name="id" type="NVARCHAR(255)">
<constraints primaryKey="true" primaryKeyName="PK_PRIV_NETWORK_ID"/>
</column>
<column name="name" type="NVARCHAR(255)"/>
</createTable>
</changeSet>
<changeSet author="R3.Corda" id="1520338500424-37">
<addForeignKeyConstraint baseColumnNames="private_network" baseTableName="certificate_signing_request"
constraintName="FK_CSR_PN"
referencedColumnNames="id" referencedTableName="private_network"/>
</changeSet>
</databaseChangeLog>