authorJon Marius Venstad <venstad@gmail.com>2019-10-11 09:47:44 +0200
committerJon Marius Venstad <venstad@gmail.com>2019-10-11 09:47:44 +0200
commit2529da9d85090faa36ae72bb03052affe871e01d (patch)
treee5e7b790e92215a556818661cb7e259e11ffce28 /hosted-api
parent1e95910431b64e2c0653c5a1a2f0be5e40141544 (diff)
Check validity of certificate before creating controller client
Diffstat (limited to 'hosted-api')
-rw-r--r--hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java32
1 files changed, 14 insertions, 18 deletions
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
index 1947930285c..e7eb014c91a 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
@@ -29,6 +29,8 @@ import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
@@ -75,13 +77,17 @@ public abstract class ControllerHttpClient {
}
/** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
- public static ControllerHttpClient withKeyAndCertificate(URI endpoint, String privateKey, String certificate) {
- return new MutualTlsControllerHttpClient(endpoint, privateKey, certificate);
- }
-
- /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
public static ControllerHttpClient withKeyAndCertificate(URI endpoint, Path privateKeyFile, Path certificateFile) {
- return new MutualTlsControllerHttpClient(endpoint, privateKeyFile, certificateFile);
+ var privateKey = unchecked(() -> KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKeyFile, UTF_8)));
+ var certificates = unchecked(() -> X509CertificateUtils.certificateListFromPem(Files.readString(certificateFile, UTF_8)));
+
+ for (var certificate : certificates)
+ if ( Instant.now().isBefore(certificate.getNotBefore().toInstant())
+ || Instant.now().isAfter(certificate.getNotAfter().toInstant()))
+ throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " +
+ certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
+
+ return new MutualTlsControllerHttpClient(endpoint, privateKey, certificates);
}
/** Sends the given submission to the remote controller and returns the version of the accepted package, or throws if this fails. */
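Review bot: The new validity loop in withKeyAndCertificate passes silently when certificateListFromPem returns an empty list, so a PEM file with no CERTIFICATE blocks (or the wrong file) still reaches MutualTlsControllerHttpClient and only fails later as an opaque TLS handshake error, which is exactly what this commit sets out to avoid for the expiry case. Add an explicit guard before the loop, `if (certificates.isEmpty()) throw new IllegalArgumentException("No certificates found in '" + certificateFile + "'");`. The loop also samples the clock twice per certificate; capture it once, `Instant now = Instant.now();`, and compare against `now` in both branches so the notBefore/notAfter checks see the same instant. Note that this check only covers the validity window against the local clock — key/certificate mismatch and chain trust are still left to the handshake, which is worth stating in the method's Javadoc so callers don't read "validated" as more than it is.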
@@ -377,20 +383,10 @@ public abstract class ControllerHttpClient {
/** Client that uses a given key / certificate identity to authenticate to the remote controller. */
private static class MutualTlsControllerHttpClient extends ControllerHttpClient {
- private MutualTlsControllerHttpClient(URI endpoint, Path privateKeyFile, Path certificateFile) {
- super(endpoint,
- HttpClient.newBuilder()
- .sslContext(new SslContextBuilder().withKeyStore(privateKeyFile,
- certificateFile)
- .build()));
- }
-
- private MutualTlsControllerHttpClient(URI endpoint, String privateKey, String certificate) {
+ private MutualTlsControllerHttpClient(URI endpoint, PrivateKey privateKey, List<X509Certificate> certs) {
super(endpoint,
HttpClient.newBuilder()
- .sslContext(new SslContextBuilder().withKeyStore(KeyUtils.fromPemEncodedPrivateKey(privateKey),
- X509CertificateUtils.certificateListFromPem(certificate))
- .build()));
+ .sslContext(new SslContextBuilder().withKeyStore(privateKey, certs).build()));
}
}