Prevent node from starting if its legal identity key is lost

Description

We encountered an issue where, due to how the node was restarted, it lost its legal identity key from its keystore (but critically the doorman-signed key was intact). It had already successfully published this key to the network map, and it had been used in transactions by other participants. On restart the node, detecting no legal identity key, generated a new key pair and published that to the network map. Corda is not designed to handle this (yet) and so it caused a whole load of issues, both for itself and for the rest of the network.

The simple solution is, before generating the new legal identity key pair, to check the identity store in the db to see if the node already has a key pair for the same X.500 name. If so, prevent the node from starting up (with a good error message explaining why), as we can't allow it to contaminate everyone.
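The startup check proposed above, as an added example written for this page rather than taken from the Corda code base; the keystore and database classes below are simplified stand-ins (assumptions), not Corda's own types.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.MessageDigest
import java.security.PublicKey

// Simplified stand-ins for this example (assumptions, not Corda's real classes):
// the node keystore that may have lost its entry, and the identity table in the
// node database, which still records the key the node previously published.
class LegalIdentityKeyStore(private val entries: MutableMap<String, KeyPair>) {
    fun legalIdentityKey(x500Name: String): KeyPair? = entries[x500Name]
    fun store(x500Name: String, keyPair: KeyPair) { entries[x500Name] = keyPair }
}
class IdentityDatabase(private val published: Map<String, PublicKey>) {
    fun publishedKeyFor(x500Name: String): PublicKey? = published[x500Name]
}
class LostLegalIdentityKeyException(message: String) : IllegalStateException(message)

private fun fingerprint(key: PublicKey): String =
    MessageDigest.getInstance("SHA-256").digest(key.encoded).joinToString("") { "%02x".format(it) }

// The check from the issue: a fresh legal identity key pair is generated only when
// the database has no record of a key already published under this X.500 name.
fun obtainLegalIdentityKey(x500Name: String, keyStore: LegalIdentityKeyStore, db: IdentityDatabase): KeyPair {
    keyStore.legalIdentityKey(x500Name)?.let { return it }       // normal restart: key present
    val previouslyPublished = db.publishedKeyFor(x500Name)
    if (previouslyPublished != null) {
        // Keystore lost the key but the network has already seen it: refuse to start
        throw LostLegalIdentityKeyException(
            "No legal identity key for $x500Name in the keystore, but the identity database " +
            "records a previously published key (SHA-256 ${fingerprint(previouslyPublished)}). " +
            "Generating a new key would contaminate the network map; restore the keystore " +
            "from backup instead of starting the node."
        )
    }
    val fresh = KeyPairGenerator.getInstance("EC").generateKeyPair()  // first start: safe
    keyStore.store(x500Name, fresh)
    return fresh
}

fun main() {
    val name = "O=PartyA,L=London,C=GB"                         // constructed sample name
    val alreadyPublished = KeyPairGenerator.getInstance("EC").generateKeyPair().public
    val db = IdentityDatabase(mapOf(name to alreadyPublished))
    val damagedKeyStore = LegalIdentityKeyStore(mutableMapOf()) // simulates the lost entry
    try {
        obtainLegalIdentityKey(name, damagedKeyStore, db)
    } catch (e: LostLegalIdentityKeyException) {
        println("Refusing to start: ${e.message}")
    }
}
```

Running `main` exercises the failure path: the empty keystore plus a recorded published key produces the refusal message instead of a silently generated second identity.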

Assignee

James Higgs

Reporter

Shams Asari

Epic Link

None

Priority

Medium

Engineering Teams

None

Fix versions

None

Affects versions

None

Ported to...

None

Sprint

None

Labels

None

Story Points / Dev Days

None

Feature Team

Corda Core

Severity

Medium