mirror of https://github.com/apache/cloudstack.git
This is another improvement over the existing code for custom certs. We should ideally validate the cert for being a valid cert file (X.509 spec), instead of persisting it to the db and then validating it whilst constructing the ssl context. I am adding some validation around the same.
This commit is contained in:
abhishek
parent
9b684443bb
commit
71f37ff1c7
|
|
@ -17,6 +17,9 @@
|
|||
*/
|
||||
package com.cloud.server;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.math.BigInteger;
|
||||
import java.net.Inet6Address;
|
||||
import java.net.InetAddress;
|
||||
|
|
@ -26,6 +29,9 @@ import java.net.URLEncoder;
|
|||
import java.net.UnknownHostException;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertificateFactory;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Calendar;
|
||||
|
|
@ -5887,6 +5893,16 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
s_logger.debug("No custom certificate exists in the DB, will upload a new one");
|
||||
}
|
||||
String certificatePath = cmd.getPath();
|
||||
//validate if the cert follows X509 format, if not, don't persist to db
|
||||
FileInputStream fis = new FileInputStream(certificatePath);
|
||||
BufferedInputStream bis = new BufferedInputStream(fis);
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
while (bis.available() > 1) {
|
||||
Certificate localCert = cf.generateCertificate(bis);//throws certexception if not valid cert format
|
||||
if(s_logger.isDebugEnabled()){
|
||||
s_logger.debug("The custom certificate generated for validation is:"+localCert.toString());
|
||||
}
|
||||
}
|
||||
CertificateVO lockedCert = _certDao.acquire(cert.getId());
|
||||
//assigned mgmt server id to mark as processing under this ms
|
||||
if(lockedCert == null){
|
||||
|
|
@ -5975,6 +5991,16 @@ public class ManagementServerImpl implements ManagementServer {
|
|||
s_logger.error(msg);
|
||||
throw new ServerApiException(BaseCmd.CUSTOM_CERT_UPDATE_ERROR, msg);
|
||||
}
|
||||
if(e instanceof FileNotFoundException){
|
||||
String msg = "Invalid file path for custom cert found during cert validation";
|
||||
s_logger.error(msg);
|
||||
throw new ServerApiException(BaseCmd.CUSTOM_CERT_UPDATE_ERROR, msg);
|
||||
}
|
||||
if(e instanceof CertificateException){
|
||||
String msg = "The file format for custom cert does not conform to the X.509 specification";
|
||||
s_logger.error(msg);
|
||||
throw new ServerApiException(BaseCmd.CUSTOM_CERT_UPDATE_ERROR, msg);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue