author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-21 12:14:38 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-21 12:16:15 +0200 |
commit | a44a394efafdd6109b5f87d0054201ca2c83d1ad (patch) | |
tree | 2ca127ac55b63bf39f4253003ccc86c893d707c7 /athenz-identity-provider-service | |
parent | 5258489bf992e8176e136362759ac079494b6f94 (diff) |
Remove CA certificate from keystore
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java | 51 |
1 files changed, 13 insertions, 38 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index 2fc696d722b..801eb04d19c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -16,15 +16,11 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
 import com.yahoo.vespa.athenz.tls.KeyStoreType;
 import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import java.io.IOException;
-import java.io.UncheckedIOException;
 import java.net.URI;
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyPair;
@@ -35,7 +31,6 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
@@ -58,7 +53,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
     private static final String CERTIFICATE_ALIAS = "athenz";
     private static final Duration EXPIRATION_MARGIN = Duration.ofHours(6);
     private static final Path VESPA_SIA_DIRECTORY = Paths.get(Defaults.getDefaults().underVespaHome("var/vespa/sia"));
-    private static final Path CA_CERT_FILE = VESPA_SIA_DIRECTORY.resolve("ca-certs.pem");
     private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
     private final ZtsClient ztsClient;
@@ -97,29 +91,18 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
     private static Optional<KeyStoreAndPassword> tryReadKeystoreFile(AthenzService configserverIdentity, Duration updatePeriod) {
-        try {
-            Optional<X509Certificate> certificate = SiaUtils.readCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity);
-            if (!certificate.isPresent()) return Optional.empty();
-            Optional<PrivateKey> privateKey = SiaUtils.readPrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity);
-            if (!privateKey.isPresent()) return Optional.empty();
-            Instant minimumExpiration = Instant.now().plus(updatePeriod).plus(EXPIRATION_MARGIN);
-            boolean isExpired = certificate.get().getNotAfter().toInstant().isBefore(minimumExpiration);
-            if (isExpired) return Optional.empty();
-            if (Files.notExists(CA_CERT_FILE)) return Optional.empty();
-            List<X509Certificate> caCertificates = X509CertificateUtils.certificateListFromPem(new String(Files.readAllBytes(CA_CERT_FILE)));
-
-            List<X509Certificate> chain = new ArrayList<>();
-            chain.add(certificate.get());
-            chain.addAll(caCertificates);
-
-            char[] password = generateKeystorePassword();
-            KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
-                    .withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), password, chain)
-                    .build();
-            return Optional.of(new KeyStoreAndPassword(keyStore, password));
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
-        }
+        Optional<X509Certificate> certificate = SiaUtils.readCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity);
+        if (!certificate.isPresent()) return Optional.empty();
+        Optional<PrivateKey> privateKey = SiaUtils.readPrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity);
+        if (!privateKey.isPresent()) return Optional.empty();
+        Instant minimumExpiration = Instant.now().plus(updatePeriod).plus(EXPIRATION_MARGIN);
+        boolean isExpired = certificate.get().getNotAfter().toInstant().isBefore(minimumExpiration);
+        if (isExpired) return Optional.empty();
+        char[] password = generateKeystorePassword();
+        KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
+                .withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), password, certificate.get())
+                .build();
+        return Optional.of(new KeyStoreAndPassword(keyStore, password));
     }
     @Override
@@ -167,12 +150,9 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
         Duration expiry = Duration.between(certificate.getNotBefore().toInstant(), expirationTime);
         log.log(LogLevel.INFO, String.format("Got Athenz x509 certificate with expiry %s (expires %s)", expiry, expirationTime));
-        List<X509Certificate> chain = new ArrayList<>();
-        chain.add(certificate);
-        chain.addAll(serviceIdentity.caCertificates());
         char[] keystorePassword = generateKeystorePassword();
         KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
-                .withKeyEntry(CERTIFICATE_ALIAS, privateKey, keystorePassword, chain)
+                .withKeyEntry(CERTIFICATE_ALIAS, privateKey, keystorePassword, certificate)
                 .build();
         return new KeyStoreAndPassword(keyStore, keystorePassword);
     }
@@ -183,11 +163,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
                                           PrivateKey privateKey) {
         SiaUtils.writeCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity, certificate);
         SiaUtils.writePrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity, privateKey);
-        try {
-            Files.write(CA_CERT_FILE, X509CertificateUtils.toPem(caCertificates).getBytes());
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
-        }
     }
     private static char[] generateKeystorePassword() { |
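Review bot: `isExpired` on the re-added lines of tryReadKeystoreFile is a misleading name: `getNotAfter().toInstant().isBefore(minimumExpiration)` rejects a certificate that is still valid now but would lapse before the next refresh (`updatePeriod` plus `EXPIRATION_MARGIN`), so a reader skimming the early return may assume only already-expired certificates are discarded; `boolean expiresBeforeNextRefresh = certificate.get().getNotAfter().toInstant().isBefore(minimumExpiration);` says what is actually checked. The key entry built right after now holds only the end-entity certificate, and nothing in the code records that this is intentional, so the next maintainer may re-add the chain; a one-line comment above the `KeyStoreBuilder` call, e.g. `// Only the service certificate is stored in the key entry; the CA chain is deliberately left out of the keystore`, would capture the decision, and the same comment belongs on the `withKeyEntry` call in the following hunk that builds the keystore from the ZTS-issued certificate. The method's closing brace and the following `@Override` are inside the hunk, but the class continues outside it.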