author | Jon Marius Venstad <venstad@gmail.com> | 2019-10-11 09:47:44 +0200 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2019-10-11 09:47:44 +0200 |
commit | 2529da9d85090faa36ae72bb03052affe871e01d (patch) | |
tree | e5e7b790e92215a556818661cb7e259e11ffce28 /hosted-api | |
parent | 1e95910431b64e2c0653c5a1a2f0be5e40141544 (diff) |
Check validity of certificate before creating controller client
Diffstat (limited to 'hosted-api')
-rw-r--r-- | hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java | 32 |
1 files changed, 14 insertions, 18 deletions
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
index 1947930285c..e7eb014c91a 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
@@ -29,6 +29,8 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -75,13 +77,17 @@ public abstract class ControllerHttpClient {
     }
 
     /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
-    public static ControllerHttpClient withKeyAndCertificate(URI endpoint, String privateKey, String certificate) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificate);
-    }
-
-    /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
     public static ControllerHttpClient withKeyAndCertificate(URI endpoint, Path privateKeyFile, Path certificateFile) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKeyFile, certificateFile);
+        var privateKey = unchecked(() -> KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKeyFile, UTF_8)));
+        var certificates = unchecked(() -> X509CertificateUtils.certificateListFromPem(Files.readString(certificateFile, UTF_8)));
+
+        for (var certificate : certificates)
+            if (   Instant.now().isBefore(certificate.getNotBefore().toInstant())
+                || Instant.now().isAfter(certificate.getNotAfter().toInstant()))
+                throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " +
+                                                certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
+
+        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificates);
     }
 
     /** Sends the given submission to the remote controller and returns the version of the accepted package, or throws if this fails. */
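Review bot: The new validity loop in withKeyAndCertificate never checks that the PEM file yielded a certificate at all; an empty or mis-formatted file makes the loop a no-op and the client is built with an empty chain, so the failure surfaces only later in the TLS handshake with a far less actionable message than the one this commit adds. A guard before the loop would close that gap: `if (certificates.isEmpty()) throw new IllegalStateException("No certificates found in '" + certificateFile + "'");`. Separately, Instant.now() is re-evaluated for each of the four comparisons, so capturing it once — `Instant now = Instant.now();` — keeps both bounds checked against the same instant and avoids a race at the window edge; consider also whether a freshly issued certificate whose notBefore is seconds ahead of the local clock should be rejected, since this check allows no skew. It may be worth a comment noting that this is only a local time-window sanity check and not chain or revocation validation, which presumably remains the controller's job. The removal of the public String-based overload is a source-incompatible API change for any external caller, which the commit message does not mention.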
@@ -377,20 +383,10 @@ public abstract class ControllerHttpClient { /** Client that uses a given key / certificate identity to authenticate to the remote controller. */ private static class MutualTlsControllerHttpClient extends ControllerHttpClient { - private MutualTlsControllerHttpClient(URI endpoint, Path privateKeyFile, Path certificateFile) { - super(endpoint, - HttpClient.newBuilder() - .sslContext(new SslContextBuilder().withKeyStore(privateKeyFile, - certificateFile) - .build())); - } - - private MutualTlsControllerHttpClient(URI endpoint, String privateKey, String certificate) { + private MutualTlsControllerHttpClient(URI endpoint, PrivateKey privateKey, List<X509Certificate> certs) { super(endpoint, HttpClient.newBuilder() - .sslContext(new SslContextBuilder().withKeyStore(KeyUtils.fromPemEncodedPrivateKey(privateKey), - X509CertificateUtils.certificateListFromPem(certificate)) - .build())); + .sslContext(new SslContextBuilder().withKeyStore(privateKey, certs).build())); } } |