CORDA-831: Add confidential identity certificate type (#2198)

* Rename certificate types * Create separate certificate type for confidential identities * Add name constraints to dev node CA * Move dev node CA into getTestPartyAndCertificate()
2025-06-14 05:08:18 +00:00 · 2017-12-08 13:17:29 +00:00
parent 32ea59d085
commit e6adbe7137
11 changed files with 61 additions and 38 deletions
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/KeyStoreWrapper.kt
@ -8,7 +8,6 @@ import java.security.KeyPair
 import java.security.PublicKey
 import java.security.cert.CertPath
 import java.security.cert.Certificate
-import java.security.cert.CertificateFactory

 class KeyStoreWrapper(private val storePath: Path, private val storePassword: String) {
    private val keyStore = storePath.read { loadKeyStore(it, storePassword) }
@ -18,7 +17,7 @@ class KeyStoreWrapper(private val storePath: Path, private val storePassword: St
        // Assume key password = store password.
        val clientCA = certificateAndKeyPair(X509Utilities.CORDA_CLIENT_CA)
        // Create new keys and store in keystore.
-        val cert = X509Utilities.createCertificate(CertificateType.IDENTITY, clientCA.certificate, clientCA.keyPair, serviceName, pubKey)
+        val cert = X509Utilities.createCertificate(CertificateType.WELL_KNOWN_IDENTITY, clientCA.certificate, clientCA.keyPair, serviceName, pubKey)
        val certPath = X509CertificateFactory().delegate.generateCertPath(listOf(cert.cert) + clientCertPath)
        require(certPath.certificates.isNotEmpty()) { "Certificate path cannot be empty" }
        // TODO: X509Utilities.validateCertificateChain()
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@ -332,7 +332,7 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
            isCA = true
    ),

-    CLIENT_CA(
+    NODE_CA(
            KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign or KeyUsage.cRLSign),
            KeyPurposeId.id_kp_serverAuth,
            KeyPurposeId.id_kp_clientAuth,
@ -349,12 +349,20 @@ enum class CertificateType(val keyUsage: KeyUsage, vararg val purposes: KeyPurpo
    ),

    // TODO: Identity certs should have only limited depth (i.e. 1) CA signing capability, with tight name constraints
-    IDENTITY(
+    WELL_KNOWN_IDENTITY(
            KeyUsage(KeyUsage.digitalSignature or KeyUsage.keyCertSign),
            KeyPurposeId.id_kp_serverAuth,
            KeyPurposeId.id_kp_clientAuth,
            KeyPurposeId.anyExtendedKeyUsage,
            isCA = true
+    ),
+
+    CONFIDENTIAL_IDENTITY(
+            KeyUsage(KeyUsage.digitalSignature),
+            KeyPurposeId.id_kp_serverAuth,
+            KeyPurposeId.id_kp_clientAuth,
+            KeyPurposeId.anyExtendedKeyUsage,
+            isCA = false
    )
 }