Prevent node from starting if its legal identity key is lost

Description

We encountered an issue where, due to how the node was restarted, it lost its legal identity key from its keystore (but, critically, the doorman-signed key was intact). It had already successfully published this key to the network map, and it had been used in transactions by other participants. On restart the node, detecting no legal identity key, generated a new key pair and published that to the network map. Corda is not designed to handle this (yet), and so it caused a whole load of issues, both for itself and for the rest of the network.

The simple solution is, before generating a new legal identity key pair, to check the identity store in the DB to see whether the node already has a key pair for the same X.500 name. If so, prevent the node from starting up (with a good error message explaining why), as we can't allow it to contaminate everyone.
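The startup check described above, written out as an added example; this is not Corda's code, and `NodeKeyStore`, `IdentityStore`, `LegalIdentityKeyLostException`, `LEGAL_IDENTITY_ALIAS` and `loadOrCreateLegalIdentity` are hypothetical stand-ins for the node's file keystore, its identity table and the startup path. It covers the case in the ticket (keystore empty, DB already holds a key for the X.500 name) and also refuses to start when the keystore and DB disagree, since a node whose local key does not match what it published is in the same contaminating state.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.PublicKey
import javax.security.auth.x500.X500Principal

// Hypothetical exception used to abort node startup with a clear reason.
class LegalIdentityKeyLostException(message: String) : IllegalStateException(message)

// Stand-in for the node's on-disk keystore (a PKCS12 file in a real node).
class NodeKeyStore {
    private val entries = mutableMapOf<String, KeyPair>()
    fun get(alias: String): KeyPair? = entries[alias]
    fun put(alias: String, keyPair: KeyPair) { entries[alias] = keyPair }
    fun remove(alias: String) { entries.remove(alias) }
}

// Stand-in for the identity table in the node database: X.500 name -> published public key.
class IdentityStore {
    private val rows = mutableMapOf<X500Principal, PublicKey>()
    fun publicKeyFor(name: X500Principal): PublicKey? = rows[name]
    fun record(name: X500Principal, key: PublicKey) { rows[name] = key }
}

// Hypothetical keystore alias for the legal identity key.
const val LEGAL_IDENTITY_ALIAS = "identity-private-key"

fun generateKeyPair(): KeyPair =
    KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair()

// Resolve the legal identity key at startup. Only a node that has never had a
// key for this X.500 name is allowed to generate one; any other missing or
// mismatched state aborts startup instead of silently re-keying the identity.
fun loadOrCreateLegalIdentity(
    name: X500Principal,
    keyStore: NodeKeyStore,
    identities: IdentityStore
): KeyPair {
    val inKeyStore = keyStore.get(LEGAL_IDENTITY_ALIAS)
    val inDatabase = identities.publicKeyFor(name)

    if (inKeyStore != null) {
        if (inDatabase == null) {
            // Key exists locally but was never recorded: record it and carry on.
            identities.record(name, inKeyStore.public)
        } else if (!inDatabase.encoded.contentEquals(inKeyStore.public.encoded)) {
            throw LegalIdentityKeyLostException(
                "The legal identity key in the keystore for $name does not match the key " +
                "already recorded in the identity store. Refusing to start: restore the " +
                "original keystore rather than re-keying the identity."
            )
        }
        return inKeyStore
    }

    if (inDatabase != null) {
        // The case from this ticket: keystore lost the key, DB proves one was published.
        throw LegalIdentityKeyLostException(
            "No legal identity key found in the keystore for $name, but the identity store " +
            "already holds a published key for that name. Refusing to start: generating a " +
            "new key would publish a second identity to the network map. Restore the " +
            "keystore from backup."
        )
    }

    // Genuinely fresh node: generate, persist locally, and record the public key.
    val fresh = generateKeyPair()
    keyStore.put(LEGAL_IDENTITY_ALIAS, fresh)
    identities.record(name, fresh.public)
    return fresh
}

fun main() {
    val name = X500Principal("O=PartyA, L=London, C=GB")
    val keyStore = NodeKeyStore()
    val identities = IdentityStore()

    // First start generates a key; a normal restart must return the same key.
    val first = loadOrCreateLegalIdentity(name, keyStore, identities)
    val second = loadOrCreateLegalIdentity(name, keyStore, identities)
    check(first.public.encoded.contentEquals(second.public.encoded)) { "restart changed the key" }

    // Simulate the incident: the keystore entry is gone but the DB row survives.
    keyStore.remove(LEGAL_IDENTITY_ALIAS)
    try {
        loadOrCreateLegalIdentity(name, keyStore, identities)
        error("node should have refused to start")
    } catch (e: LegalIdentityKeyLostException) {
        println("Startup aborted: ${e.message}")
    }
}
```

The important property is that the only path that calls `generateKeyPair()` is the one where both the keystore and the identity store are empty for that name; every other combination either reuses the existing key or fails loudly, so an operator sees the real problem (a lost keystore) instead of a second identity appearing on the network.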

Status

Assignee

James Higgs

Reporter

Shams Asari

Labels

None

Priority

Medium

Fix versions

None

Ported to...

None

Feature Team

Corda Core

CVSS Vector

None

Severity

Medium

Sprint

None