Posted to commits@knox.apache.org by lm...@apache.org on 2013/09/21 21:26:13 UTC

git commit: KNOX-147 throw ServiceLifecycleException if certificate is not valid for the current date

Updated Branches:
  refs/heads/master d3cc6164a -> 7bce170df


KNOX-147 throw ServiceLifecycleException if certificate is not valid for the current date

Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/7bce170d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/7bce170d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/7bce170d

Branch: refs/heads/master
Commit: 7bce170df14d26afb4fb0a3ae6d3799568471e87
Parents: d3cc616
Author: Larry McCay <lm...@hortonworks.com>
Authored: Sat Sep 21 15:25:42 2013 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Sat Sep 21 15:25:42 2013 -0400

----------------------------------------------------------------------
 .../services/security/impl/JettySSLService.java | 41 +++++++++++++-------
 1 file changed, 28 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/7bce170d/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
----------------------------------------------------------------------
diff --git a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
index 46df97c..2f5a90e 100644
--- a/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
+++ b/gateway-server/src/main/java/org/apache/hadoop/gateway/services/security/impl/JettySSLService.java
@@ -19,6 +19,8 @@ package org.apache.hadoop.gateway.services.security.impl;
 
 import java.io.File;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.Date;
 import java.util.Map;
@@ -87,23 +89,36 @@ public class JettySSLService implements SSLService {
       else {
         log.keyStoreForGatewayFoundNotCreating();
       }
-      // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
-      Certificate cert = as.getCertificateForGateway("gateway-identity");
-      if (cert != null && cert instanceof X509Certificate) {
-        X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
-        X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
-        log.certificateHostNameForGateway(parser.getCN());
-        Date notBefore = ((X509Certificate) cert).getNotBefore();
-        Date notAfter = ((X509Certificate) cert).getNotAfter();
-        log.certificateValidityPeriod(notBefore, notAfter);
-      }
-      else {
-        throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
-      }
+      logAndValidateCertificate();
     } catch (KeystoreServiceException e) {
       throw new ServiceLifecycleException("Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.", e);
     }
   }
+
+  private void logAndValidateCertificate() throws ServiceLifecycleException {
+    // let's log the hostname (CN) and cert expiry from the gateway's public cert to aid in SSL debugging
+    Certificate cert = as.getCertificateForGateway("gateway-identity");
+    if (cert != null && cert instanceof X509Certificate) {
+      X500Principal x500Principal = ((X509Certificate)cert).getSubjectX500Principal();
+      X500PrincipalParser parser = new X500PrincipalParser(x500Principal);
+      log.certificateHostNameForGateway(parser.getCN());
+      Date notBefore = ((X509Certificate) cert).getNotBefore();
+      Date notAfter = ((X509Certificate) cert).getNotAfter();
+      log.certificateValidityPeriod(notBefore, notAfter);
+      
+      // let's not even start if the current date is not within the validity period for the SSL cert
+      try {
+        ((X509Certificate)cert).checkValidity();
+      } catch (CertificateExpiredException e) {
+        throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
+      } catch (CertificateNotYetValidException e) {
+        throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
+      }
+    }
+    else {
+      throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
+    }
+  }
   
   public Object buildSSlConnector(String gatewayHomeDir) {
     SslContextFactory sslContextFactory = new SslContextFactory( true );
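Review bot: In logAndValidateCertificate a null return from as.getCertificateForGateway("gateway-identity") falls into the else branch and is reported as "not of the expected type of X509Certificate", which misdirects an operator whose real problem is a missing alias in the keystore; the null check on the if line is also redundant, since instanceof is false for null. I would split the two failures so each gets its own message, e.g. `if (cert == null) { throw new ServiceLifecycleException("No public certificate found for the gateway under alias gateway-identity. Something is wrong with the gateway keystore."); }` before the instanceof test, and bind the cast once with `X509Certificate x509 = (X509Certificate) cert;` instead of repeating it four times. The new method is private and has no Javadoc; a one-line comment stating that it logs the CN and validity period and refuses startup (ServiceLifecycleException) when the certificate is missing, not X.509, expired or not yet valid would make the fail-closed intent explicit, since checkValidity() only checks the date window and not anything else about the certificate. The try block at the top of the hunk belongs to a method whose start is outside the hunk.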