From dbda50d92e6d494d42030b544356bd8b2edc848a Mon Sep 17 00:00:00 2001
From: Michal Kit
Date: Thu, 27 Sep 2018 15:51:24 +0100
Subject: [PATCH] CORDA-2012 - copying all from the network trust store (#3991)

---
 .../registration/NetworkRegistrationHelper.kt | 8 ++++
 .../NetworkRegistrationHelperTest.kt | 42 +++++++++++++++----
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
index ac8fc47014..2049519d35 100644
--- a/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
+++ b/node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
@@ -158,8 +158,16 @@ class NetworkRegistrationHelper(private val config: SSLConfiguration,
 // Save root certificates to trust store.
 config.loadTrustStore(createNew = true).update {
 println("Generating trust store for corda node.")
+ if (this.aliases().hasNext()) {
+ println("The node's trust store already exists. The following certificates will be overridden: ${this.aliases().asSequence()}")
+ }
 // Assumes certificate chain always starts with client certificate and end with root certificate.
 setCertificate(CORDA_ROOT_CA, certificates.last())
+ rootTrustStore.aliases().asSequence().filter { it != CORDA_ROOT_CA }.forEach {
+ val certificate = rootTrustStore.getCertificate(it)
+ println("Copying trusted certificate to the node's trust store: Alias: $it, Certificate: $certificate")
+ setCertificate(it, certificate)
+ }
 }
 println("Node trust store stored in ${config.trustStoreFile}.")
 // All done, clean up temp files.
diff --git a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
index d77e61bcae..1907d8e766 100644
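Review bot: The `${this.aliases().asSequence()}` interpolation in the new "already exists" message renders the Sequence object's default toString, not the alias names, so the operator is never told which entries are about to be replaced; `${this.aliases().asSequence().joinToString()}` (or `.toList()`) gives the intended list. The wording is also broader than the code, since only aliases that collide with `CORDA_ROOT_CA` or with an entry of `rootTrustStore` are overwritten and the rest are left in place. Because every alias copied by the `forEach` becomes a trust anchor for this node with no per-entry check in this block, the loop deserves a comment making that explicit, e.g. `// Every entry of the network trust store (except the root, set above) is installed verbatim as a node trust anchor.`. Printing `$certificate` dumps the whole X509Certificate toString to stdout; the alias plus subject would keep the log readable. The enclosing function starts and ends outside this hunk.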
--- a/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
+++ b/node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
@@ -32,7 +32,9 @@ import org.junit.Test
 import java.security.cert.CertPathValidatorException
 import java.security.cert.X509Certificate
 import javax.security.auth.x500.X500Principal
+import kotlin.test.assertEquals
 import kotlin.test.assertFalse
+import kotlin.test.assertTrue
 class NetworkRegistrationHelperTest {
 private val fs = Jimfs.newFileSystem(unix())
@@ -70,7 +72,7 @@ class NetworkRegistrationHelperTest {
 val nodeCaCertPath = createNodeCaCertPath()
- saveNetworkTrustStore(nodeCaCertPath.last())
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
 createRegistrationHelper(nodeCaCertPath).buildKeystore()
 val nodeKeystore = config.loadNodeKeyStore()
@@ -113,7 +115,7 @@ class NetworkRegistrationHelperTest {
 @Test
 fun `node CA with incorrect cert role`() {
 val nodeCaCertPath = createNodeCaCertPath(type = CertificateType.TLS)
- saveNetworkTrustStore(nodeCaCertPath.last())
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
 val registrationHelper = createRegistrationHelper(nodeCaCertPath)
 assertThatExceptionOfType(CertificateRequestException::class.java)
 .isThrownBy { registrationHelper.buildKeystore() }
@@ -124,19 +126,37 @@ class NetworkRegistrationHelperTest {
 fun `node CA with incorrect subject`() {
 val invalidName = CordaX500Name("Foo", "MU", "GB")
 val nodeCaCertPath = createNodeCaCertPath(legalName = invalidName)
- saveNetworkTrustStore(nodeCaCertPath.last())
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
 val registrationHelper = createRegistrationHelper(nodeCaCertPath)
 assertThatExceptionOfType(CertificateRequestException::class.java)
 .isThrownBy { registrationHelper.buildKeystore() }
 .withMessageContaining(invalidName.toString())
 }
+ @Test
+ fun `multiple certificates are copied to the node's trust store`() {
+ val extraTrustedCertAlias = "trusted_test"
+ val extraTrustedCert = X509Utilities.createSelfSignedCACertificate(
+ X500Principal("O=Test Trusted CA,L=MU,C=GB"),
+ Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME))
+ val nodeCertPath = createNodeCaCertPath().also {
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to it.last(), extraTrustedCertAlias to extraTrustedCert)
+ }
+ val registrationHelper = createRegistrationHelper(nodeCertPath)
+ registrationHelper.buildKeystore()
+ config.loadTrustStore().run {
+ assertTrue(contains(extraTrustedCertAlias))
+ assertTrue(contains(X509Utilities.CORDA_ROOT_CA))
+ assertEquals(extraTrustedCert, getCertificate(extraTrustedCertAlias))
+ }
+ }
+
 @Test
 fun `wrong root cert in truststore`() {
 val wrongRootCert = X509Utilities.createSelfSignedCACertificate(
 X500Principal("O=Foo,L=MU,C=GB"),
 Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME))
- saveNetworkTrustStore(wrongRootCert)
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to wrongRootCert)
 val registrationHelper = createRegistrationHelper(createNodeCaCertPath())
 assertThatThrownBy {
 registrationHelper.buildKeystore()
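Review bot: The new test `multiple certificates are copied to the node's trust store` checks that the two expected aliases are present but not that nothing else was installed, and it does not exercise the overwrite path the main change also introduces (a node trust store that already holds a colliding alias). An exact-set assertion inside the `run` block, e.g. `assertEquals(setOf(X509Utilities.CORDA_ROOT_CA, extraTrustedCertAlias), aliases().asSequence().toSet())`, would pin the copy behaviour, assuming the loaded store exposes `aliases()` the way the receiver in the main hunk does. Saving the trust store inside `also { }` on `createNodeCaCertPath()` hides a file-system side effect in a value expression; `val nodeCertPath = createNodeCaCertPath()` followed by the plain `saveNetworkTrustStore(...)` call reads more directly. The `wrong root cert in truststore` test continues past the end of this hunk.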
@@ -151,7 +171,7 @@ class NetworkRegistrationHelperTest {
 val serviceIdentityCertPath = createServiceIdentityCertPath()
- saveNetworkTrustStore(serviceIdentityCertPath.last())
+ saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to serviceIdentityCertPath.last())
 createRegistrationHelper(serviceIdentityCertPath).buildKeystore()
 val nodeKeystore = config.loadNodeKeyStore()
@@ -211,11 +231,19 @@ class NetworkRegistrationHelperTest {
 return NetworkRegistrationHelper(config, certService, NodeRegistrationOption(config.certificatesDirectory / networkRootTrustStoreFileName, networkRootTrustStorePassword))
 }
- private fun saveNetworkTrustStore(rootCert: X509Certificate) {
+ /**
+ * Saves given certificates into the truststore.
+ *
+ * @param trustedCertificates pairs containing the alias under which the given certificate needs to be stored and
+ * the certificate itself.
+ */
+ private fun saveNetworkTrustStore(vararg trustedCertificates: Pair) {
 config.certificatesDirectory.createDirectories()
 val rootTruststorePath = config.certificatesDirectory / networkRootTrustStoreFileName
 X509KeyStore.fromFile(rootTruststorePath, networkRootTrustStorePassword, createNew = true).update {
- setCertificate(X509Utilities.CORDA_ROOT_CA, rootCert)
+ trustedCertificates.forEach {
+ setCertificate(it.first, it.second)
+ }
 }
 }
 }
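Review bot: In the rewritten `saveNetworkTrustStore`, `trustedCertificates.forEach { setCertificate(it.first, it.second) }` would read better with destructuring, `trustedCertificates.forEach { (alias, certificate) -> setCertificate(alias, certificate) }`, which names what each half of the pair is instead of relying on `first`/`second`. The KDoc's "under which the given certificate needs to be stored" describes a requirement rather than what the helper does; "under which the certificate is stored" states the contract more plainly. The signature shows as `vararg trustedCertificates: Pair` in this view, which looks like the type arguments were lost in rendering rather than omitted in the source, so the element type cannot be confirmed from here.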