blob: 46c840ad6071d084df0ab0459782cb1c7dd14cdb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.server.jetty;
import com.yahoo.component.AbstractComponent;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.X509CertificateWithKey;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
/**
* Generates temporary credentials to be used by a proxy for accessing Jdisc.
* Credentials are written to vespa_home/tmp/.
*
* @author mortent
*/
public class DataplaneProxyCredentials extends AbstractComponent {
private final Path certificateFile;
private final Path keyFile;
public DataplaneProxyCredentials() {
certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem"));
keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem"));
if (regenerateCredentials(certificateFile, keyFile)) {
X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30));
Exceptions.uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
Exceptions.uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
}
}
/*
* Returns true if credentials should be regenerated.
*/
private boolean regenerateCredentials(Path certificateFile, Path keyFile) {
if (!Files.exists(certificateFile) || !Files.exists(keyFile)) {
return true;
}
try {
X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));
PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile));
return !X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey());
} catch (IOException e) {
// Some exception occured, assume credentials corrupted and requires a new pair.
return true;
}
}
public Path certificateFile() {
return certificateFile;
}
public Path keyFile() {
return keyFile;
}
@Override
public void deconstruct() {
super.deconstruct();
}
}
|
