Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/21 21:26:13 UTC
git commit: KNOX-147 throw ServiceLifecycleException if certificate
is not valid for the current date
Updated Branches:
refs/heads/master d3cc6164a -> 7bce170df
KNOX-147 throw ServiceLifecycleException if certificate is not valid for the current date
Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/7bce170d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/7bce170d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/7bce170d
Branch: refs/heads/master
Commit: 7bce170df14d26afb4fb0a3ae6d3799568471e87
Parents: d3cc616
Author: Larry McCay <lm...@hortonworks.com>
Authored: Sat Sep 21 15:25:42 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Sat Sep 21 15:25:42 2013 -0400
----------------------------------------------------------------------
.../services/security/impl/JettySSLService.java | 41 +++++++++++++-------
1 file changed, 28 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/7bce170d/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 46df97c..2f5a90e 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -19,6 +19,8 @@ package org.apache.hadoop.gateway.services.security.impl;
import java.io.File;
import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Map;
@@ -87,23 +89,36 @@ public class JettySSLService implements SSLService {
else {
log.keyStoreForGatewayFoundNotCreating();
}
- // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
- Certificate cert = as.getCertificateForGateway("gateway-identity");
- if (cert != null && cert instanceof X509Certificate) {
- X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
- X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
- log.certificateHostNameForGateway(parser.getCN());
- Date notBefore = ((X509Certificate) cert).getNotBefore();
- Date notAfter = ((X509Certificate) cert).getNotAfter();
- log.certificateValidityPeriod(notBefore, notAfter);
- }
- else {
- throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
- }
+ logAndValidateCertificate();
} catch (KeystoreServiceException e) {
throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
}
}
+
+ private void logAndValidateCertificate() throws ServiceLifecycleException {
+ // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
+ Certificate cert = as.getCertificateForGateway("gateway-identity");
+ if (cert != null && cert instanceof X509Certificate) {
+ X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
+ X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
+ log.certificateHostNameForGateway(parser.getCN());
+ Date notBefore = ((X509Certificate) cert).getNotBefore();
+ Date notAfter = ((X509Certificate) cert).getNotAfter();
+ log.certificateValidityPeriod(notBefore, notAfter);
+
+ // let's not even start if the current date is not within the validity period for the SSL cert
+ try {
+ ((X509Certificate)cert).checkValidity();
+ } catch (CertificateExpiredException e) {
+ throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
+ } catch (CertificateNotYetValidException e) {
+ throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
+ }
+ }
+ else {
+ throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
+ }
+ }
public Object buildSSlConnector(String gatewayHomeDir) {
SslContextFactory sslContextFactory = new SslContextFactory( true );
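Review bot: The `else` branch at the end of logAndValidateCertificate reports "not of the expected type of X509Certificate" for two different failures, because the guard `cert != null && cert instanceof X509Certificate` folds a missing gateway-identity certificate into the type check, so an operator with an empty or mis-aliased keystore is told the type is wrong. I would test the two cases separately, e.g. `if (cert == null) { throw new ServiceLifecycleException("No public certificate found for the gateway under alias gateway-identity. Something is wrong with the gateway keystore."); }` followed by `if (!(cert instanceof X509Certificate)) { ...existing type message... }`, which also drops the redundant null test since instanceof is false for null. The four `((X509Certificate) cert)` casts could then collapse into one local, `X509Certificate x509 = (X509Certificate) cert;`. The expired / not-yet-valid messages would be more actionable if they carried the notBefore/notAfter values computed a few lines above, since a startup failure is often read from the exception alone rather than the preceding log line. checkValidity() only compares the validity window against the current system clock and verifies neither chain nor signature, which is adequate for this startup self-check but worth stating in the method's leading comment.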