authorandreer <andreer@verizonmedia.com>2020-01-20 11:19:41 +0100
committerandreer <andreer@verizonmedia.com>2020-01-20 11:19:41 +0100
commitc67da739049f3c392b8d6c16953a771fcb1df5fd (patch)
tree48e26efd57218088fcd8f4a6e6015636dbf33f4c /configserver
parente66e0ba2ccd2b973a13eff8645af66073eba31ed (diff)
verify public key matches private key
Diffstat (limited to 'configserver')
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java19
1 files changed, 19 insertions, 0 deletions
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java
index cc757ef7036..5f40e5e1411 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/tenant/EndpointCertificateRetriever.java
@@ -4,7 +4,12 @@ package com.yahoo.vespa.config.server.tenant;
import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.container.jdisc.secretstore.SecretStore;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateUtils;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
import java.util.Optional;
/**
@@ -28,10 +33,24 @@ public class EndpointCertificateRetriever {
try {
String cert = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
String key = secretStore.getSecret(endpointCertificateMetadata.keyName(), endpointCertificateMetadata.version());
+
+ verifyKeyMatchesCertificate(endpointCertificateMetadata, cert, key);
+
return new EndpointCertificateSecrets(cert, key);
} catch (RuntimeException e) {
// Assume not ready yet
return EndpointCertificateSecrets.MISSING;
}
}
+
+ private void verifyKeyMatchesCertificate(EndpointCertificateMetadata endpointCertificateMetadata, String cert, String key) {
+ X509Certificate x509Certificate = X509CertificateUtils.fromPem(cert);
+
+ PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(key);
+ PublicKey publicKey = x509Certificate.getPublicKey();
+
+ if(!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, publicKey)) {
+ throw new IllegalArgumentException("Failed to retrieve endpoint secrets: Certificate and key data do not match for " + endpointCertificateMetadata);
+ }
+ }
}
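Review bot: The IllegalArgumentException thrown by verifyKeyMatchesCertificate is a RuntimeException, so the `catch (RuntimeException e)` two lines below the new call turns a certificate/key mismatch into `EndpointCertificateSecrets.MISSING` under the comment `// Assume not ready yet`, and the message built on the throw line is never surfaced or logged. The same catch presumably also masks PEM parse failures from `X509CertificateUtils.fromPem` and `KeyUtils.fromPemEncodedPrivateKey`, so a corrupt or mismatched secret is indistinguishable from one that has not been provisioned yet. If the intent is for a mismatch to fail loudly, only the two secret-store reads belong inside the try and the verification should run after it, as sketched below; if it is meant to be tolerated, the catch should at least log `e` so the mismatch is observable. The enclosing method's signature is above the hunk; also `if(!` should read `if (!`.
```java
String cert;
String key;
try {
    cert = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
    key = secretStore.getSecret(endpointCertificateMetadata.keyName(), endpointCertificateMetadata.version());
} catch (RuntimeException e) {
    // Assume not ready yet
    return EndpointCertificateSecrets.MISSING;
}
// Deliberately outside the catch: a key/certificate mismatch is a data error, not "not ready yet"
verifyKeyMatchesCertificate(endpointCertificateMetadata, cert, key);
return new EndpointCertificateSecrets(cert, key);
// … unchanged: verifyKeyMatchesCertificate …
```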