Adding public key verification to the X509Utilities.createCertificateSigningRequest (corda#2784)

mkitR3 · web-flow · commit 27e45bc86552 · 2018-03-15T08:42:36.000Z
diff --git a/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt b/core/src/main/kotlin/net/corda/core/internal/InternalUtils.kt
@@ -326,13 +326,14 @@ val KClass<*>.packageName: String get() = java.`package`.name
 
 fun URL.openHttpConnection(): HttpURLConnection = openConnection() as HttpURLConnection
 
-fun URL.post(serializedData: OpaqueBytes) {
-    openHttpConnection().apply {
+fun URL.post(serializedData: OpaqueBytes): ByteArray {
+    return openHttpConnection().run {
         doOutput = true
         requestMethod = "POST"
         setRequestProperty("Content-Type", "application/octet-stream")
         outputStream.use { serializedData.open().copyTo(it) }
         checkOkResponse()
+        inputStream.use { it.readBytes() }
     }
 }
 
diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/crypto/X509Utilities.kt
@@ -4,7 +4,10 @@ import net.corda.core.CordaOID
 import net.corda.core.crypto.Crypto
 import net.corda.core.crypto.SignatureScheme
 import net.corda.core.crypto.random63BitValue
-import net.corda.core.internal.*
+import net.corda.core.internal.CertRole
+import net.corda.core.internal.reader
+import net.corda.core.internal.uncheckedCast
+import net.corda.core.internal.writer
 import net.corda.core.utilities.days
 import net.corda.core.utilities.millis
 import org.bouncycastle.asn1.*
@@ -26,6 +29,7 @@ import java.math.BigInteger
 import java.nio.file.Path
 import java.security.KeyPair
 import java.security.PublicKey
+import java.security.SignatureException
 import java.security.cert.*
 import java.security.cert.Certificate
 import java.time.Duration
@@ -265,7 +269,11 @@ object X509Utilities {
         return JcaPKCS10CertificationRequestBuilder(subject, keyPair.public)
                 .addAttribute(BCStyle.E, DERUTF8String(email))
                 .addAttribute(ASN1ObjectIdentifier(CordaOID.X509_EXTENSION_CORDA_ROLE), certRole)
-                .build(signer)
+                .build(signer).apply {
+            if (!isSignatureValid()) {
+                throw SignatureException("The certificate signing request signature validation failed.")
+            }
+        }
     }
 
     fun createCertificateSigningRequest(subject: X500Principal, email: String, keyPair: KeyPair, certRole: CertRole = CertRole.NODE_CA): PKCS10CertificationRequest {
@@ -311,6 +319,13 @@ val Certificate.x509: X509Certificate get() = requireNotNull(this as? X509Certif
 
 val Array<Certificate>.x509: List<X509Certificate> get() = map { it.x509 }
 
+/**
+ * Validates the signature of the CSR
+ */
+fun PKCS10CertificationRequest.isSignatureValid(): Boolean {
+    return this.isSignatureValid(JcaContentVerifierProviderBuilder().build(this.subjectPublicKeyInfo))
+}
+
 /**
  * Wraps a [CertificateFactory] to remove boilerplate. It's unclear whether [CertificateFactory] is threadsafe so best
  * so assume this class is not.

Original file line number	Diff line number	Diff line change
@@ -326,13 +326,14 @@ val KClass<*>.packageName: String get() = java.`package`.name
`326`	`326`
`327`	`327`	`fun URL.openHttpConnection(): HttpURLConnection = openConnection() as HttpURLConnection`
`328`	`328`
`329`		`-fun URL.post(serializedData: OpaqueBytes) {`
`330`		`- openHttpConnection().apply {`
	`329`	`+fun URL.post(serializedData: OpaqueBytes): ByteArray {`
	`330`	`+ return openHttpConnection().run {`
`331`	`331`	`doOutput = true`
`332`	`332`	`requestMethod = "POST"`
`333`	`333`	`setRequestProperty("Content-Type", "application/octet-stream")`
`334`	`334`	`outputStream.use { serializedData.open().copyTo(it) }`
`335`	`335`	`checkOkResponse()`
	`336`	`+ inputStream.use { it.readBytes() }`
`336`	`337`	`}`
`337`	`338`	`}`
`338`	`339`