diff options
author | Morten Tokle <mortent@yahooinc.com> | 2023-06-07 11:29:07 +0200 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2023-06-07 11:29:07 +0200 |
commit | e8e31b8f7ff1a77a47a8e9cf1bb884123ca2469a (patch) | |
tree | 55ae69cceca99e955f455348dd18c46f97d8b4fb /container-core/src/main/java/com/yahoo/jdisc/http/server/jetty | |
parent | 17680e5bd51252b282e011e4f9929653f78be016 (diff) |
Generate proxy certificate and inject in trust store
Diffstat (limited to 'container-core/src/main/java/com/yahoo/jdisc/http/server/jetty')
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java new file mode 100644 index 00000000000..46c840ad607 --- /dev/null +++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java @@ -0,0 +1,70 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.jdisc.http.server.jetty; + +import com.yahoo.component.AbstractComponent; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.X509CertificateUtils; +import com.yahoo.security.X509CertificateWithKey; +import com.yahoo.vespa.defaults.Defaults; +import com.yahoo.yolean.Exceptions; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.time.Duration; + +/** + * Generates temporary credentials to be used by a proxy for accessing Jdisc. + * Credentials are written to vespa_home/tmp/. + * + * @author mortent + */ +public class DataplaneProxyCredentials extends AbstractComponent { + + private final Path certificateFile; + private final Path keyFile; + + public DataplaneProxyCredentials() { + certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem")); + keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem")); + if (regenerateCredentials(certificateFile, keyFile)) { + X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30)); + Exceptions.uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate()))); + Exceptions.uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey()))); + } + } + + /* + * Returns true if credentials should be regenerated. + */ + private boolean regenerateCredentials(Path certificateFile, Path keyFile) { + if (!Files.exists(certificateFile) || !Files.exists(keyFile)) { + return true; + } + try { + X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile)); + PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile)); + return !X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey()); + } catch (IOException e) { + // Some exception occured, assume credentials corrupted and requires a new pair. + return true; + } + } + + public Path certificateFile() { + return certificateFile; + } + + public Path keyFile() { + return keyFile; + } + + @Override + public void deconstruct() { + super.deconstruct(); + } + +} |