author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-16 17:06:55 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2017-11-16 17:06:55 +0100 |
commit | e5d1f5da6124f5e1487c9edad0e3a621440051b8 (patch) | |
tree | 907cd24a45a9dc841fe4595ba011c51790ce6f13 /athenz-identity-provider-service | |
parent | 995c01c798d8550bd06bfddd0fc4a7ceaf80af6b (diff) |
Verify actual expiry
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index 685edc05b34..67f07875243 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -18,6 +18,7 @@ import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.time.Instant;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -91,6 +92,7 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
                 log.log(LogLevel.INFO, "Updating Athenz certificate from ZTS");
                 PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
                 X509Certificate certificate = certificateClient.updateCertificate(privateKey, CERTIFICATE_EXPIRY_TIME);
+                verifyActualExperiy(certificate);
                 String dummyPassword = "athenz";
                 KeyStore keyStore = KeyStore.getInstance("JKS");
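Review bot: The check added at `verifyActualExperiy(certificate);` only logs, and the certificate is loaded into the key store regardless of what it found, so a certificate that ZTS issued with a validity much shorter than CERTIFICATE_EXPIRY_TIME is still installed and may expire before the next scheduled update (the ScheduledExecutorService imports suggest periodic renewal, but the interval is not visible in this hunk). Consider having the helper return the granted validity, or throw, so this path can refuse the certificate — or at least log at ERROR and trigger an earlier refresh — when notAfter falls before the next planned update. The identifier also carries a typo: `verifyActualExpiry(certificate);`. The enclosing method starts and ends outside this hunk.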
@@ -102,5 +104,15 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
                 log.log(LogLevel.ERROR, "Failed to update certificate from ZTS: " + e.getMessage(), e);
             }
         }
+
+        private void verifyActualExperiy(X509Certificate certificate) {
+            Instant notAfter = certificate.getNotAfter().toInstant();
+            Instant notBefore = certificate.getNotBefore().toInstant();
+            if (!notBefore.plus(CERTIFICATE_EXPIRY_TIME).equals(notAfter)) {
+                Duration actualExpiry = Duration.between(notBefore, notAfter);
+                log.log(LogLevel.WARNING,
+                        String.format("Expected expiry %s, got %s", CERTIFICATE_EXPIRY_TIME, actualExpiry));
+            }
+        }
     }
 }
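Review bot: The comparison `notBefore.plus(CERTIFICATE_EXPIRY_TIME).equals(notAfter)` demands millisecond-exact equality, so it will warn on every renewal if the issuer rounds validity to whole seconds or backdates notBefore to absorb clock skew, and the warning becomes noise that hides a genuinely short-lived certificate. Comparing the deviation against a tolerance is more robust: `Duration deviation = Duration.between(notBefore.plus(CERTIFICATE_EXPIRY_TIME), notAfter).abs();` followed by `if (deviation.compareTo(Duration.ofMinutes(5)) > 0) {` — the tolerance value should be confirmed against what ZTS actually issues. The method name is misspelled (`verifyActualExpiry`) and it deserves a Javadoc line such as `/** Logs a warning when the validity ZTS granted differs from the requested CERTIFICATE_EXPIRY_TIME; the certificate is still used. */`. Including the absolute notAfter instant in the log message would also let operators see when the certificate really expires rather than only the duration mismatch.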