ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-02-28 20:06:25 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

CORDA-2012 - copying all from the network trust store (#3991)

Browse Source
This commit is contained in:
Michal Kit 2018-09-27 15:51:24 +01:00 committed by Katelyn Baker
parent 4822638533
commit dbda50d92e
2 changed files with 43 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
node/src/main/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelper.kt
View File

@ -158,8 +158,16 @@ class NetworkRegistrationHelper(private val config: SSLConfiguration,
// Save root certificates to trust store. // Save root certificates to trust store.
config.loadTrustStore(createNew = true).update { config.loadTrustStore(createNew = true).update {
println("Generating trust store for corda node.") println("Generating trust store for corda node.")
if (this.aliases().hasNext()) {
println("The node's trust store already exists. The following certificates will be overridden: ${this.aliases().asSequence()}")
}
// Assumes certificate chain always starts with client certificate and end with root certificate. // Assumes certificate chain always starts with client certificate and end with root certificate.
setCertificate(CORDA_ROOT_CA, certificates.last()) setCertificate(CORDA_ROOT_CA, certificates.last())
rootTrustStore.aliases().asSequence().filter { it != CORDA_ROOT_CA }.forEach {
val certificate = rootTrustStore.getCertificate(it)
println("Copying trusted certificate to the node's trust store: Alias: $it, Certificate: $certificate")
setCertificate(it, certificate)
}
} }
println("Node trust store stored in ${config.trustStoreFile}.") println("Node trust store stored in ${config.trustStoreFile}.")
// All done, clean up temp files. // All done, clean up temp files.

42
node/src/test/kotlin/net/corda/node/utilities/registration/NetworkRegistrationHelperTest.kt
View File

@ -32,7 +32,9 @@ import org.junit.Test
import java.security.cert.CertPathValidatorException import java.security.cert.CertPathValidatorException
import java.security.cert.X509Certificate import java.security.cert.X509Certificate
import javax.security.auth.x500.X500Principal import javax.security.auth.x500.X500Principal
import kotlin.test.assertEquals
import kotlin.test.assertFalse import kotlin.test.assertFalse
import kotlin.test.assertTrue
class NetworkRegistrationHelperTest { class NetworkRegistrationHelperTest {
private val fs = Jimfs.newFileSystem(unix()) private val fs = Jimfs.newFileSystem(unix())
@ -70,7 +72,7 @@ class NetworkRegistrationHelperTest {
val nodeCaCertPath = createNodeCaCertPath() val nodeCaCertPath = createNodeCaCertPath()
saveNetworkTrustStore(nodeCaCertPath.last()) saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
createRegistrationHelper(nodeCaCertPath).buildKeystore() createRegistrationHelper(nodeCaCertPath).buildKeystore()
val nodeKeystore = config.loadNodeKeyStore() val nodeKeystore = config.loadNodeKeyStore()
@ -113,7 +115,7 @@ class NetworkRegistrationHelperTest {
@Test @Test
fun `node CA with incorrect cert role`() { fun `node CA with incorrect cert role`() {
val nodeCaCertPath = createNodeCaCertPath(type = CertificateType.TLS) val nodeCaCertPath = createNodeCaCertPath(type = CertificateType.TLS)
saveNetworkTrustStore(nodeCaCertPath.last()) saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
val registrationHelper = createRegistrationHelper(nodeCaCertPath) val registrationHelper = createRegistrationHelper(nodeCaCertPath)
assertThatExceptionOfType(CertificateRequestException::class.java) assertThatExceptionOfType(CertificateRequestException::class.java)
.isThrownBy { registrationHelper.buildKeystore() } .isThrownBy { registrationHelper.buildKeystore() }
@ -124,19 +126,37 @@ class NetworkRegistrationHelperTest {
fun `node CA with incorrect subject`() { fun `node CA with incorrect subject`() {
val invalidName = CordaX500Name("Foo", "MU", "GB") val invalidName = CordaX500Name("Foo", "MU", "GB")
val nodeCaCertPath = createNodeCaCertPath(legalName = invalidName) val nodeCaCertPath = createNodeCaCertPath(legalName = invalidName)
saveNetworkTrustStore(nodeCaCertPath.last()) saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to nodeCaCertPath.last())
val registrationHelper = createRegistrationHelper(nodeCaCertPath) val registrationHelper = createRegistrationHelper(nodeCaCertPath)
assertThatExceptionOfType(CertificateRequestException::class.java) assertThatExceptionOfType(CertificateRequestException::class.java)
.isThrownBy { registrationHelper.buildKeystore() } .isThrownBy { registrationHelper.buildKeystore() }
.withMessageContaining(invalidName.toString()) .withMessageContaining(invalidName.toString())
} }
@Test
fun `multiple certificates are copied to the node's trust store`() {
val extraTrustedCertAlias = "trusted_test"
val extraTrustedCert = X509Utilities.createSelfSignedCACertificate(
X500Principal("O=Test Trusted CA,L=MU,C=GB"),
Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME))
val nodeCertPath = createNodeCaCertPath().also {
saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to it.last(), extraTrustedCertAlias to extraTrustedCert)
}
val registrationHelper = createRegistrationHelper(nodeCertPath)
registrationHelper.buildKeystore()
config.loadTrustStore().run {
assertTrue(contains(extraTrustedCertAlias))
assertTrue(contains(X509Utilities.CORDA_ROOT_CA))
assertEquals(extraTrustedCert, getCertificate(extraTrustedCertAlias))
}
}
@Test @Test
fun `wrong root cert in truststore`() { fun `wrong root cert in truststore`() {
val wrongRootCert = X509Utilities.createSelfSignedCACertificate( val wrongRootCert = X509Utilities.createSelfSignedCACertificate(
X500Principal("O=Foo,L=MU,C=GB"), X500Principal("O=Foo,L=MU,C=GB"),
Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME)) Crypto.generateKeyPair(X509Utilities.DEFAULT_TLS_SIGNATURE_SCHEME))
saveNetworkTrustStore(wrongRootCert) saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to wrongRootCert)
val registrationHelper = createRegistrationHelper(createNodeCaCertPath()) val registrationHelper = createRegistrationHelper(createNodeCaCertPath())
assertThatThrownBy { assertThatThrownBy {
registrationHelper.buildKeystore() registrationHelper.buildKeystore()
@ -151,7 +171,7 @@ class NetworkRegistrationHelperTest {
val serviceIdentityCertPath = createServiceIdentityCertPath() val serviceIdentityCertPath = createServiceIdentityCertPath()
saveNetworkTrustStore(serviceIdentityCertPath.last()) saveNetworkTrustStore(X509Utilities.CORDA_ROOT_CA to serviceIdentityCertPath.last())
createRegistrationHelper(serviceIdentityCertPath).buildKeystore() createRegistrationHelper(serviceIdentityCertPath).buildKeystore()
val nodeKeystore = config.loadNodeKeyStore() val nodeKeystore = config.loadNodeKeyStore()
@ -211,11 +231,19 @@ class NetworkRegistrationHelperTest {
return NetworkRegistrationHelper(config, certService, NodeRegistrationOption(config.certificatesDirectory / networkRootTrustStoreFileName, networkRootTrustStorePassword)) return NetworkRegistrationHelper(config, certService, NodeRegistrationOption(config.certificatesDirectory / networkRootTrustStoreFileName, networkRootTrustStorePassword))
} }
private fun saveNetworkTrustStore(rootCert: X509Certificate) { /**
* Saves given certificates into the truststore.
*
* @param trustedCertificates pairs containing the alias under which the given certificate needs to be stored and
* the certificate itself.
*/
private fun saveNetworkTrustStore(vararg trustedCertificates: Pair<String, X509Certificate>) {
config.certificatesDirectory.createDirectories() config.certificatesDirectory.createDirectories()
val rootTruststorePath = config.certificatesDirectory / networkRootTrustStoreFileName val rootTruststorePath = config.certificatesDirectory / networkRootTrustStoreFileName
X509KeyStore.fromFile(rootTruststorePath, networkRootTrustStorePassword, createNew = true).update { X509KeyStore.fromFile(rootTruststorePath, networkRootTrustStorePassword, createNew = true).update {
setCertificate(X509Utilities.CORDA_ROOT_CA, rootCert) trustedCertificates.forEach {
setCertificate(it.first, it.second)
}
} }
} }
} }