Diffstat (limited to 'hosted-api')
-rw-r--r-- | hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java | 32 |
1 files changed, 14 insertions, 18 deletions
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
index 1947930285c..e7eb014c91a 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/ControllerHttpClient.java
@@ -29,6 +29,8 @@ import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.ArrayList;
@@ -75,13 +77,17 @@ public abstract class ControllerHttpClient {
     }
 
     /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
-    public static ControllerHttpClient withKeyAndCertificate(URI endpoint, String privateKey, String certificate) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificate);
-    }
-
-    /** Creates an HTTP client against the given endpoint, which uses the given private key and certificate identity. */
     public static ControllerHttpClient withKeyAndCertificate(URI endpoint, Path privateKeyFile, Path certificateFile) {
-        return new MutualTlsControllerHttpClient(endpoint, privateKeyFile, certificateFile);
+        var privateKey = unchecked(() -> KeyUtils.fromPemEncodedPrivateKey(Files.readString(privateKeyFile, UTF_8)));
+        var certificates = unchecked(() -> X509CertificateUtils.certificateListFromPem(Files.readString(certificateFile, UTF_8)));
+
+        for (var certificate : certificates)
+            if ( Instant.now().isBefore(certificate.getNotBefore().toInstant())
+                 || Instant.now().isAfter(certificate.getNotAfter().toInstant()))
+                throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " +
+                                                certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
+
+        return new MutualTlsControllerHttpClient(endpoint, privateKey, certificates);
     }
 
     /** Sends the given submission to the remote controller and returns the version of the accepted package, or throws if this fails. */
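Review bot: An empty certificate list passes the new validity loop untouched, so a PEM file containing no CERTIFICATE blocks still produces a client that only fails later, inside the TLS handshake, with a far less useful error than the one this hunk introduces; a guard before the loop, `if (certificates.isEmpty()) throw new IllegalStateException("No certificates found in '" + certificateFile + "'.");`, closes that gap (this assumes certificateListFromPem returns an empty list rather than throwing, which is not visible here). The loop also calls `Instant.now()` twice per certificate, so the two comparisons can observe different instants; hoisting `var now = Instant.now();` above the loop and comparing against it keeps the check consistent and avoids the repeated clock reads. The comparison allows no clock-skew tolerance, so a freshly issued certificate whose notBefore is a few seconds ahead of this host's clock is rejected as invalid — fine if intentional, but worth a one-line comment so the next reader does not "fix" it.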
@@ -377,20 +383,10 @@ public abstract class ControllerHttpClient {
     /** Client that uses a given key / certificate identity to authenticate to the remote controller. */
     private static class MutualTlsControllerHttpClient extends ControllerHttpClient {
 
-        private MutualTlsControllerHttpClient(URI endpoint, Path privateKeyFile, Path certificateFile) {
-            super(endpoint,
-                  HttpClient.newBuilder()
-                            .sslContext(new SslContextBuilder().withKeyStore(privateKeyFile,
-                                                                              certificateFile)
-                                                               .build()));
-        }
-
-        private MutualTlsControllerHttpClient(URI endpoint, String privateKey, String certificate) {
+        private MutualTlsControllerHttpClient(URI endpoint, PrivateKey privateKey, List<X509Certificate> certs) {
             super(endpoint,
                   HttpClient.newBuilder()
-                            .sslContext(new SslContextBuilder().withKeyStore(KeyUtils.fromPemEncodedPrivateKey(privateKey),
-                                                                              X509CertificateUtils.certificateListFromPem(certificate))
-                                                               .build()));
+                            .sslContext(new SslContextBuilder().withKeyStore(privateKey, certs).build()));
         }
 
     }
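Review bot: The new constructor accepts an already-parsed key and chain but nothing states that it relies on the caller (withKeyAndCertificate) having done the validity check, and its parameter is named `certs` where the factory calls the same value `certificates`; renaming the parameter to `certificates` and adding a javadoc line such as `/** Expects a key and certificate chain already parsed and validity-checked by the caller; no further checks are performed here. */` keeps the two sites in step and makes the trust boundary explicit. Whether SslContextBuilder.withKeyStore performs any validation of its own is not visible in this hunk.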