authorBjørn Christian Seime <bjorncs@oath.com>2018-06-21 12:14:38 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-06-21 12:16:15 +0200
commita44a394efafdd6109b5f87d0054201ca2c83d1ad (patch)
tree2ca127ac55b63bf39f4253003ccc86c893d707c7 /athenz-identity-provider-service
parent5258489bf992e8176e136362759ac079494b6f94 (diff)
Remove CA certificate from keystore
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java51
1 files changed, 13 insertions, 38 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index 2fc696d722b..801eb04d19c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -16,15 +16,11 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
import com.yahoo.vespa.athenz.tls.KeyStoreType;
import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import java.io.IOException;
-import java.io.UncheckedIOException;
import java.net.URI;
-import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
@@ -35,7 +31,6 @@ import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
-import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
@@ -58,7 +53,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
private static final String CERTIFICATE_ALIAS = "athenz";
private static final Duration EXPIRATION_MARGIN = Duration.ofHours(6);
private static final Path VESPA_SIA_DIRECTORY = Paths.get(Defaults.getDefaults().underVespaHome("var/vespa/sia"));
- private static final Path CA_CERT_FILE = VESPA_SIA_DIRECTORY.resolve("ca-certs.pem");
private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
private final ZtsClient ztsClient;
@@ -97,29 +91,18 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
private static Optional<KeyStoreAndPassword> tryReadKeystoreFile(AthenzService configserverIdentity,
Duration updatePeriod) {
- try {
- Optional<X509Certificate> certificate = SiaUtils.readCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity);
- if (!certificate.isPresent()) return Optional.empty();
- Optional<PrivateKey> privateKey = SiaUtils.readPrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity);
- if (!privateKey.isPresent()) return Optional.empty();
- Instant minimumExpiration = Instant.now().plus(updatePeriod).plus(EXPIRATION_MARGIN);
- boolean isExpired = certificate.get().getNotAfter().toInstant().isBefore(minimumExpiration);
- if (isExpired) return Optional.empty();
- if (Files.notExists(CA_CERT_FILE)) return Optional.empty();
- List<X509Certificate> caCertificates = X509CertificateUtils.certificateListFromPem(new String(Files.readAllBytes(CA_CERT_FILE)));
-
- List<X509Certificate> chain = new ArrayList<>();
- chain.add(certificate.get());
- chain.addAll(caCertificates);
-
- char[] password = generateKeystorePassword();
- KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
- .withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), password, chain)
- .build();
- return Optional.of(new KeyStoreAndPassword(keyStore, password));
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
+ Optional<X509Certificate> certificate = SiaUtils.readCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity);
+ if (!certificate.isPresent()) return Optional.empty();
+ Optional<PrivateKey> privateKey = SiaUtils.readPrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity);
+ if (!privateKey.isPresent()) return Optional.empty();
+ Instant minimumExpiration = Instant.now().plus(updatePeriod).plus(EXPIRATION_MARGIN);
+ boolean isExpired = certificate.get().getNotAfter().toInstant().isBefore(minimumExpiration);
+ if (isExpired) return Optional.empty();
+ char[] password = generateKeystorePassword();
+ KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
+ .withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), password, certificate.get())
+ .build();
+ return Optional.of(new KeyStoreAndPassword(keyStore, password));
}
@Override
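Review bot: The rebuilt keystore now holds only the leaf certificate (`.withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), password, certificate.get())`), so a TLS peer that does not already hold the issuing intermediate can no longer complete the chain from what this server presents; the same applies to the `withKeyEntry` call in the hunk at line 99. If this is intentional because the Athenz CA chain reaches clients some other way, that is worth stating at the call site, e.g. `// Key entry holds only the leaf certificate; peers are expected to hold the Athenz CA chain in their own trust store`. Separately, `isExpired` on the new side is true when the certificate expires before the next refresh plus the margin, not when it has already expired, so `boolean expiresBeforeNextRefresh = ...` would describe the check more accurately.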
@@ -167,12 +150,9 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
Duration expiry = Duration.between(certificate.getNotBefore().toInstant(), expirationTime);
log.log(LogLevel.INFO, String.format("Got Athenz x509 certificate with expiry %s (expires %s)", expiry, expirationTime));
- List<X509Certificate> chain = new ArrayList<>();
- chain.add(certificate);
- chain.addAll(serviceIdentity.caCertificates());
char[] keystorePassword = generateKeystorePassword();
KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
- .withKeyEntry(CERTIFICATE_ALIAS, privateKey, keystorePassword, chain)
+ .withKeyEntry(CERTIFICATE_ALIAS, privateKey, keystorePassword, certificate)
.build();
return new KeyStoreAndPassword(keyStore, keystorePassword);
}
@@ -183,11 +163,6 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
PrivateKey privateKey) {
SiaUtils.writeCertificateFile(VESPA_SIA_DIRECTORY, configserverIdentity, certificate);
SiaUtils.writePrivateKeyFile(VESPA_SIA_DIRECTORY, configserverIdentity, privateKey);
- try {
- Files.write(CA_CERT_FILE, X509CertificateUtils.toPem(caCertificates).getBytes());
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
}
private static char[] generateKeystorePassword() {
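Review bot: The method ending at line 112 no longer writes `ca-certs.pem`, but if `caCertificates` is still one of its parameters (the signature is above the hunk) it is now unused and should be dropped from the signature and its callers. Nothing removes a `ca-certs.pem` already present in `VESPA_SIA_DIRECTORY` from earlier versions, so a file that nothing maintains stays on disk after upgrade; a one-time `Files.deleteIfExists(VESPA_SIA_DIRECTORY.resolve("ca-certs.pem"));` here would close that out, though it needs the `java.nio.file.Files` import this commit removes. The enclosing method's signature starts outside the hunk.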