blob: 4a1e81b9058b17ff2a6469128ffb7469f1d9b737 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.config.server.tenant;
import com.yahoo.config.model.api.EndpointCertificateMetadata;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* Used to retrieve actual endpoint certificate/key from secret store.
*
* @author andreer
*/
public record EndpointCertificateRetriever(SecretStore secretStore) {
private static final Logger log = Logger.getLogger(EndpointCertificateRetriever.class.getName());
public Optional<EndpointCertificateSecrets> readEndpointCertificateSecrets(EndpointCertificateMetadata metadata) {
return Optional.of(readFromSecretStore(metadata));
}
private EndpointCertificateSecrets readFromSecretStore(EndpointCertificateMetadata endpointCertificateMetadata) {
try {
String cert = secretStore.getSecret(endpointCertificateMetadata.certName(), endpointCertificateMetadata.version());
String key = secretStore.getSecret(endpointCertificateMetadata.keyName(), endpointCertificateMetadata.version());
verifyKeyMatchesCertificate(endpointCertificateMetadata, cert, key);
return new EndpointCertificateSecrets(cert, key, endpointCertificateMetadata.version());
} catch (RuntimeException e) {
log.log(Level.WARNING, "Exception thrown during certificate retrieval", e);
// Assume not ready yet
return EndpointCertificateSecrets.missing(endpointCertificateMetadata.version());
}
}
private void verifyKeyMatchesCertificate(EndpointCertificateMetadata endpointCertificateMetadata, String cert, String key) {
X509Certificate x509Certificate = X509CertificateUtils.fromPem(cert);
PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(key);
PublicKey publicKey = x509Certificate.getPublicKey();
if(!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, publicKey)) {
throw new IllegalArgumentException("Failed to retrieve endpoint secrets: Certificate and key data do not match for " + endpointCertificateMetadata);
}
}
}
|