author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-06-13 13:54:49 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2023-06-14 15:08:06 +0200 |
commit | fb90dbe11839731c115edb8c06c8e6fe2424183c (patch) | |
tree | c3e135989c2408bd1228967a9a470ffe9c0ba925 /container-core | |
parent | 53dae97c628eb5e33ffe46c8096cfcab8ede03f4 (diff) |
Expose certificate
Diffstat (limited to 'container-core')
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
index 46c840ad607..204288a52b7 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
@@ -2,11 +2,11 @@ package com.yahoo.jdisc.http.server.jetty;
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.component.annotation.Inject;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.X509CertificateWithKey;
 import com.yahoo.vespa.defaults.Defaults;
-import com.yahoo.yolean.Exceptions;
 import java.io.IOException;
 import java.nio.file.Files;
@@ -15,6 +15,11 @@ import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import static com.yahoo.yolean.Exceptions.uncheck;
 /**
  * Generates temporary credentials to be used by a proxy for accessing Jdisc.
@@ -24,33 +29,46 @@ import java.time.Duration;
  */
 public class DataplaneProxyCredentials extends AbstractComponent {
+    private static final Logger log = Logger.getLogger(DataplaneProxyCredentials.class.getName());
+
     private final Path certificateFile;
     private final Path keyFile;
+    private final X509Certificate certificate;
+    @Inject
     public DataplaneProxyCredentials() {
         certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem"));
         keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem"));
-        if (regenerateCredentials(certificateFile, keyFile)) {
+        var existing = regenerateCredentials(certificateFile, keyFile).orElse(null);
+        if (existing == null) {
             X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30));
-            Exceptions.uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
-            Exceptions.uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+            uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
+            uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+            this.certificate = selfSigned.certificate();
+        } else {
+            this.certificate = existing;
         }
     }
     /*
      * Returns true if credentials should be regenerated.
+     *
+     * @return old certificate if credentials should not be regenerated, empty otherwise.
      */
-    private boolean regenerateCredentials(Path certificateFile, Path keyFile) {
+    private Optional<X509Certificate> regenerateCredentials(Path certificateFile, Path keyFile) {
         if (!Files.exists(certificateFile) || !Files.exists(keyFile)) {
-            return true;
+            return Optional.empty();
         }
         try {
             X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));
             PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile));
-            return !X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey());
+            if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey())) return Optional.empty();
+            return Optional.of(x509Certificate);
         } catch (IOException e) {
             // Some exception occured, assume credentials corrupted and requires a new pair.
-            return true;
+            log.log(Level.WARNING, "Failed to load credentials: %s".formatted(e.getMessage()));
+            log.log(Level.FINE, e.toString(), e);
+            return Optional.empty();
         }
     }
@@ -62,6 +80,8 @@ public class DataplaneProxyCredentials extends AbstractComponent {
         return keyFile;
     }
+    public X509Certificate certificate() { return certificate; }
+
     @Override
     public void deconstruct() {
         super.deconstruct(); |
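Review bot: regenerateCredentials accepts an on-disk pair whose certificate has already expired: the only check before `return Optional.of(x509Certificate);` is that the private key matches the public key, while the pair it replaces is minted with a 30-day validity, so once that window has passed the constructor keeps exposing an expired certificate instead of regenerating. Add `x509Certificate.checkValidity();` ahead of the key-match check and widen the handler to `} catch (IOException | CertificateException e) {` (importing java.security.cert.CertificateException), so an expired or not-yet-valid certificate also yields empty and triggers a fresh self-signed pair. The comment above the method, `Returns true if credentials should be regenerated.`, is now stale because the method returns the existing certificate and empty means "regenerate"; rewording it, or renaming the method to something like loadExistingCredentials, would remove the inversion. Whether the PEM helpers report corrupt input only as IOException cannot be seen here; if they throw unchecked exceptions, the "assume credentials corrupted" branch will not catch them and component construction fails rather than regenerating.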
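Review bot: The new public accessor `certificate()` has no Javadoc even though it is the point of this commit and the class otherwise carries a header comment. A one-liner such as `/** Returns the certificate of the current proxy credentials; self-signed, and regenerated when the on-disk pair is missing or the key does not match. */` would tell callers what they receive.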