Check validity of certificate before creating controller client

1 files changed, 14 insertions, 18 deletions

diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
index 1947930285c..e7eb014c91a 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
@@ -29,6 +29,8 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -75,13 +77,17 @@ public abstract class ControllerHttpClient {
     }
 
     /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
-    public static ControllerHttpClient withKeyAndCertificate(URI endpoint, String privateKey, String certificate) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificate);
-    }
-
-    /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
     public static ControllerHttpClient withKeyAndCertificate(URI endpoint, Path privateKeyFile, Path certificateFile) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKeyFile, certificateFile);
+        var privateKey = unchecked(() -> KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKeyFile, UTF_8)));
+        var certificates = unchecked(() -> X509CertificateUtils.certificateListFromPem(Files.readString(certificateFile, UTF_8)));
+
+        for (var certificate : certificates)
+        if (   Instant.now().isBefore(certificate.getNotBefore().toInstant())
+            || Instant.now().isAfter(certificate.getNotAfter().toInstant()))
+            throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " +
+                                            certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
+
+        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificates);
     }
 
     /** Sends the given submission to the remote controller and returns the version of the accepted package, or throws if this fails. */
@@ -377,20 +383,10 @@ public abstract class ControllerHttpClient {
     /** Client that uses a given key / certificate identity to authenticate to the remote controller. */
     private static class MutualTlsControllerHttpClient extends ControllerHttpClient {
 
-        private MutualTlsControllerHttpClient(URI endpoint, Path privateKeyFile, Path certificateFile) {
-            super(endpoint,
-                  HttpClient.newBuilder()
-                            .sslContext(new SslContextBuilder().withKeyStore(privateKeyFile,
-                                                                             certificateFile)
-                                                               .build()));
-        }
-
-        private MutualTlsControllerHttpClient(URI endpoint, String privateKey, String certificate) {
+        private MutualTlsControllerHttpClient(URI endpoint, PrivateKey privateKey, List<X509Certificate> certs) {
             super(endpoint,
                   HttpClient.newBuilder()
-                            .sslContext(new SslContextBuilder().withKeyStore(KeyUtils.fromPemEncodedPrivateKey(privateKey),
-                                                                             X509CertificateUtils.certificateListFromPem(certificate))
-                                                               .build()));
+                            .sslContext(new SslContextBuilder().withKeyStore(privateKey, certs).build()));
         }
 
     }