【问题标题】:Can a Corda network operator define additional certificate roles?Corda 网络运营商可以定义额外的证书角色吗?
【发布时间】:2018-07-19 02:50:12
【问题描述】:

默认情况下,Corda 网络有七个证书角色:

  1. 门卫
  2. 网络地图
  3. 服务标识
  4. 节点证书颁发机构
  5. 传输层安全性 (TLS)
  6. 知名合法身份
  7. 保密的合法身份

节点证书颁发机构直接创建 TLS 证书,但也向众所周知的合法身份颁发证书,该身份本身就是一个 CA(因为它颁发机密的合法身份证书)。

我们想添加第八个角色。该角色将是负责颁发 TLS 证书的证书颁发机构。它的证书将由节点证书颁发机构(不再颁发 TLS 证书)颁发。

是否可以通过这种方式添加额外的证书角色?还是节点硬编码为只接受七个证书角色?

【问题讨论】:

    标签: corda


    【解决方案1】:

    无法添加您自己的证书角色。 CertRole enum 给出了七种可能的证书角色:

    enum class CertRole(val validParents: NonEmptySet<CertRole?>, val isIdentity: Boolean, val isWellKnown: Boolean) : ASN1Encodable {
        /** Intermediate CA (Doorman service). */
        INTERMEDIATE_CA(NonEmptySet.of(null), false, false),
        /** Signing certificate for the network map. */
        NETWORK_MAP(NonEmptySet.of(null), false, false),
        /** Well known (publicly visible) identity of a service (such as notary). */
        SERVICE_IDENTITY(NonEmptySet.of(INTERMEDIATE_CA), true, true),
        /** Node level CA from which the TLS and well known identity certificates are issued. */
        NODE_CA(NonEmptySet.of(INTERMEDIATE_CA), false, false),
        /** Transport layer security certificate for a node. */
        TLS(NonEmptySet.of(NODE_CA), false, false),
        /** Well known (publicly visible) identity of a legal entity. */
        // TODO: at the moment, Legal Identity certs are issued by Node CA only. However, [INTERMEDIATE_CA] is also added
        //      as a valid parent of [LEGAL_IDENTITY] for backwards compatibility purposes (eg. if we decide TLS has its
        //      own Root CA and Intermediate CA directly issues Legal Identities; thus, there won't be a requirement for
        //      Node CA). Consider removing [INTERMEDIATE_CA] from [validParents] when the model is finalised.
        LEGAL_IDENTITY(NonEmptySet.of(INTERMEDIATE_CA, NODE_CA), true, true),
        /** Confidential (limited visibility) identity of a legal entity. */
        CONFIDENTIAL_LEGAL_IDENTITY(NonEmptySet.of(LEGAL_IDENTITY), true, false);
    

    如果您尝试添加新的证书角色,节点将失败,因为它会尝试将证书角色解析为启动时的枚举值之一。

    【讨论】:

      猜你喜欢
      • 2020-12-16
      • 2020-04-09
      • 1970-01-01
      • 2021-05-15
      • 1970-01-01
      • 2017-02-20
      • 1970-01-01
      • 1970-01-01
      • 2016-01-20
      相关资源
      最近更新 更多