authorBjørn Christian Seime <bjorncs@oath.com>2017-11-16 17:06:55 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2017-11-16 17:06:55 +0100
commite5d1f5da6124f5e1487c9edad0e3a621440051b8 (patch)
tree907cd24a45a9dc841fe4595ba011c51790ce6f13 /athenz-identity-provider-service
parent995c01c798d8550bd06bfddd0fc4a7ceaf80af6b (diff)
Verify actual expiry
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java12
1 files changed, 12 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index 685edc05b34..67f07875243 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -18,6 +18,7 @@ import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
+import java.time.Instant;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
@@ -91,6 +92,7 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
log.log(LogLevel.INFO, "Updating Athenz certificate from ZTS");
PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
X509Certificate certificate = certificateClient.updateCertificate(privateKey, CERTIFICATE_EXPIRY_TIME);
+ verifyActualExperiy(certificate);
String dummyPassword = "athenz";
KeyStore keyStore = KeyStore.getInstance("JKS");
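Review bot: The added call `verifyActualExperiy(certificate)` misspells "expiry" in the method name, and the definition added in the next hunk carries the same misspelling, so both sites should be renamed together to `verifyActualExpiry(certificate)` to keep the code compiling. The enclosing update method starts before this hunk and its try/catch ends in the next one.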
@@ -102,5 +104,15 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
log.log(LogLevel.ERROR, "Failed to update certificate from ZTS: " + e.getMessage(), e);
}
}
+
+ private void verifyActualExperiy(X509Certificate certificate) {
+ Instant notAfter = certificate.getNotAfter().toInstant();
+ Instant notBefore = certificate.getNotBefore().toInstant();
+ if (!notBefore.plus(CERTIFICATE_EXPIRY_TIME).equals(notAfter)) {
+ Duration actualExpiry = Duration.between(notBefore, notAfter);
+ log.log(LogLevel.WARNING,
+ String.format("Expected expiry %s, got %s", CERTIFICATE_EXPIRY_TIME, actualExpiry));
+ }
+ }
}
}
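Review bot: The check on the added `if` line uses exact `Instant` equality, so any deviation between the requested validity and the interval the CA actually issues, even a single second, produces the warning, and it cannot tell a slightly different certificate from a dangerously short one. If the refresh schedule elsewhere in this class is derived from `CERTIFICATE_EXPIRY_TIME` (not visible in this hunk), the case that matters for availability is a certificate that expires before the next refresh, so the comparison should be on the duration with a direction and tolerance, e.g. `Duration actualExpiry = Duration.between(notBefore, notAfter);` followed by `if (actualExpiry.compareTo(CERTIFICATE_EXPIRY_TIME.minus(ALLOWED_SKEW)) < 0) {`, where `ALLOWED_SKEW` is a constant chosen by the maintainer. Since the mismatch is only logged and the certificate is still installed, a brief comment above the method stating that it is a diagnostic check and does not reject the certificate would help the next reader, as the commit title "Verify actual expiry" suggests otherwise.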