-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Add certificate validation to check headers #9255
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 2 commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -30,6 +30,7 @@ | |
|
|
||
| import javax.inject.Inject; | ||
|
|
||
| import com.cloud.utils.Pair; | ||
| import org.apache.commons.lang3.StringUtils; | ||
| import org.apache.log4j.Logger; | ||
| import org.springframework.stereotype.Component; | ||
|
|
@@ -47,24 +48,38 @@ public class KeystoreManagerImpl extends ManagerBase implements KeystoreManager | |
| private KeystoreDao _ksDao; | ||
|
|
||
| @Override | ||
| public boolean validateCertificate(String certificate, String key, String domainSuffix) { | ||
| public Pair<Boolean, String> validateCertificate(String certificate, String key, String domainSuffix) { | ||
| String errMsg = null; | ||
| if (StringUtils.isAnyEmpty(certificate, key, domainSuffix)) { | ||
| s_logger.error("Invalid parameter found in (certificate, key, domainSuffix) tuple for domain: " + domainSuffix); | ||
| return false; | ||
| errMsg = String.format("Invalid parameter found in (certificate, key, domainSuffix) tuple for domain: %s", domainSuffix); | ||
| s_logger.error(errMsg); | ||
| return new Pair<>(false, errMsg); | ||
| } | ||
|
|
||
| if (!verifyCertificateHeaders(certificate)) { | ||
| errMsg = "Certificate delimiters verification failed: Invalid PEM format."; | ||
| s_logger.error(errMsg); | ||
| return new Pair<>(false, errMsg); | ||
| } | ||
|
|
||
| try { | ||
| String ksPassword = "passwordForValidation"; | ||
| byte[] ksBits = CertificateHelper.buildAndSaveKeystore(domainSuffix, certificate, getKeyContent(key), ksPassword); | ||
| KeyStore ks = CertificateHelper.loadKeystore(ksBits, ksPassword); | ||
| if (ks != null) | ||
| return true; | ||
|
|
||
| s_logger.error("Unabled to construct keystore for domain: " + domainSuffix); | ||
| return new Pair<>(true, errMsg); | ||
| errMsg = String.format("Unable to construct keystore for domain: %s", domainSuffix); | ||
| s_logger.error(errMsg); | ||
| } catch (Exception e) { | ||
| s_logger.error("Certificate validation failed due to exception for domain: " + domainSuffix, e); | ||
| errMsg = String.format("Certificate validation failed due to exception for domain: %s", domainSuffix); | ||
| s_logger.error(errMsg, e); | ||
| } | ||
| return false; | ||
| return new Pair<>(false, errMsg); | ||
| } | ||
|
|
||
| private boolean verifyCertificateHeaders(String certificate) { | ||
| return certificate.startsWith("-----BEGIN CERTIFICATE-----") && | ||
| certificate.endsWith("-----END CERTIFICATE-----"); | ||
| } | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we could re-use the code from That said as is it is already an improvement.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You are right @DaanHoogland, buildCertificate() actually checking the certificate. Actually we do have that method call down the line in the same method, even without my changes certificate validation is happening, let me check with the issue owner about this.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. updated the PR based on your comments @DaanHoogland this now validates the root certificates as mentioned by the ticket reporter. |
||
|
|
||
| @Override | ||
|
|
||

Uh oh!
There was an error while loading. Please reload this page.