默认情况下,Corda网络有七个证书角色:
- 门卫
- 网络地图
- 服务标识
- 节点证书颁发机构
- 传输层安全性(TLS(
- 众所周知的法律身份
- 保密合法身份
节点证书颁发机构直接创建TLS证书,但也向已知的合法身份颁发证书,该身份本身就是CA(因为它颁发机密的合法身份证书(。
我们想增加第八个角色。此角色将是负责颁发TLS证书的证书颁发机构。其证书将由节点证书颁发机构(不再颁发TLS证书(颁发。
是否可以通过这种方式添加额外的证书角色?还是节点被硬编码为只接受七个证书角色?
无法添加自己的证书角色。CertRole
枚举提供了七个可能的证书角色:
enum class CertRole(val validParents: NonEmptySet<CertRole?>, val isIdentity: Boolean, val isWellKnown: Boolean) : ASN1Encodable {
/** Intermediate CA (Doorman service). */
INTERMEDIATE_CA(NonEmptySet.of(null), false, false),
/** Signing certificate for the network map. */
NETWORK_MAP(NonEmptySet.of(null), false, false),
/** Well known (publicly visible) identity of a service (such as notary). */
SERVICE_IDENTITY(NonEmptySet.of(INTERMEDIATE_CA), true, true),
/** Node level CA from which the TLS and well known identity certificates are issued. */
NODE_CA(NonEmptySet.of(INTERMEDIATE_CA), false, false),
/** Transport layer security certificate for a node. */
TLS(NonEmptySet.of(NODE_CA), false, false),
/** Well known (publicly visible) identity of a legal entity. */
// TODO: at the moment, Legal Identity certs are issued by Node CA only. However, [INTERMEDIATE_CA] is also added
// as a valid parent of [LEGAL_IDENTITY] for backwards compatibility purposes (eg. if we decide TLS has its
// own Root CA and Intermediate CA directly issues Legal Identities; thus, there won't be a requirement for
// Node CA). Consider removing [INTERMEDIATE_CA] from [validParents] when the model is finalised.
LEGAL_IDENTITY(NonEmptySet.of(INTERMEDIATE_CA, NODE_CA), true, true),
/** Confidential (limited visibility) identity of a legal entity. */
CONFIDENTIAL_LEGAL_IDENTITY(NonEmptySet.of(LEGAL_IDENTITY), true, false);
如果尝试添加新的证书角色,则节点将失败,因为它将尝试在启动时将证书角色解析为枚举值之一。