This is an automated email from the ASF dual-hosted git repository.
ycai pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-analytics.git
The following commit(s) were added to refs/heads/trunk by this push:
new 6ce3360 CASSANDRA-19424 Check for expired certificate during start up
validation (#43)
6ce3360 is described below
commit 6ce33604bbd9acbee092ab3c4f7f11c0d434f730
Author: Saranya Krishnakumar <[email protected]>
AuthorDate: Wed Mar 6 14:32:22 2024 -0800
CASSANDRA-19424 Check for expired certificate during start up validation
(#43)
patch by Saranya Krishnakumar; reviewed by Francisco Guerrero, Yifan Cai
for CASSANDRA-19424
---
CHANGES.txt | 1 +
.../spark/validation/KeyStoreValidation.java | 18 ++++++++++++++++++
.../spark/validation/KeyStoreValidationTests.java | 12 ++++++++++++
.../test/resources/validation/keystore-expired.p12 | Bin 0 -> 2421 bytes
4 files changed, 31 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index 92620a9..6004ee3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,4 +1,5 @@
1.0.0
+ * Add certificate expiry check to start up validations done in Cassandra
Analytics library (CASSANDRA-19424)
* Use constant reference time during bulk read process (CASSANDRA-19452)
* Update access of ClearSnapshotStrategy (CASSANDRA-19442)
* Bulk reader fails to produce a row when regular column values are null
(CASSANDRA-19411)
diff --git
a/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/validation/KeyStoreValidation.java
b/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/validation/KeyStoreValidation.java
index febb0c8..6926eb8 100644
---
a/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/validation/KeyStoreValidation.java
+++
b/cassandra-analytics-core/src/main/java/org/apache/cassandra/spark/validation/KeyStoreValidation.java
@@ -25,6 +25,9 @@ import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.function.Supplier;
@@ -62,6 +65,7 @@ public class KeyStoreValidation implements StartupValidation
@Override
public void validate()
{
+ String latestAlias = null;
try
{
if (!configured)
@@ -81,6 +85,16 @@ public class KeyStoreValidation implements StartupValidation
throw new RuntimeException("KeyStore is empty");
}
+ for (Enumeration<String> aliases = keyStore.aliases();
aliases.hasMoreElements();)
+ {
+ latestAlias = aliases.nextElement();
+ Certificate cert = keyStore.getCertificate(latestAlias);
+ if (cert instanceof X509Certificate)
+ {
+ ((X509Certificate) cert).checkValidity();
+ }
+ }
+
for (Enumeration<String> aliases = keyStore.aliases();
aliases.hasMoreElements();)
{
Key key = keyStore.getKey(aliases.nextElement(), password);
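Review bot: The new loop validates only the certificate returned by `keyStore.getCertificate(latestAlias)`, which for a private-key entry is the first element of the stored chain, so an expired intermediate or root certificate held in that same entry's chain is never checked and the start-up validation passes even though the chain presumably cannot be used by a peer. Iterate `keyStore.getCertificateChain(latestAlias)` when it is non-null and fall back to the single certificate otherwise, applying `checkValidity()` to every X.509 element. Be aware that `checkValidity()` also throws `CertificateNotYetValidException`, which this hunk's caller does not distinguish from a generic failure. The enclosing `validate()` method starts and ends outside the hunk.
```java
// … unchanged: empty-keystore check …
for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();)
{
    latestAlias = aliases.nextElement();
    // Key entries carry a chain; trusted-certificate entries carry a single certificate.
    Certificate[] chain = keyStore.getCertificateChain(latestAlias);
    if (chain == null)
    {
        Certificate single = keyStore.getCertificate(latestAlias);
        chain = single == null ? new Certificate[0] : new Certificate[] { single };
    }
    for (Certificate cert : chain)
    {
        if (cert instanceof X509Certificate)
        {
            ((X509Certificate) cert).checkValidity();
        }
    }
}
// … unchanged: private-key scan …
```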
@@ -91,6 +105,10 @@ public class KeyStoreValidation implements StartupValidation
}
throw new RuntimeException("KeyStore contains no private keys");
}
+ catch (CertificateExpiredException exception)
+ {
+ throw new RuntimeException(String.format("Certificate with alias
'%s' is expired.", latestAlias), exception);
+ }
catch (IOException | GeneralSecurityException exception)
{
throw new RuntimeException("KeyStore is misconfigured", exception);
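Review bot: The new catch handles only `CertificateExpiredException`, but `checkValidity()` in the preceding hunk also throws `CertificateNotYetValidException` (a certificate whose notBefore lies in the future, typically clock skew or a just-issued certificate), and that case now falls through to the generic `catch (IOException | GeneralSecurityException exception)` below and is reported as "KeyStore is misconfigured" with neither the alias nor the reason. Catch both in one clause so the operator sees which alias is at fault: `catch (CertificateExpiredException | CertificateNotYetValidException exception)` with a message such as `String.format("Certificate with alias '%s' is not valid at the current time.", latestAlias)`; the corresponding import of `java.security.cert.CertificateNotYetValidException` belongs next to the ones added in the first hunk. The enclosing `validate()` method starts outside the hunk.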
diff --git
a/cassandra-analytics-core/src/test/java/org/apache/cassandra/spark/validation/KeyStoreValidationTests.java
b/cassandra-analytics-core/src/test/java/org/apache/cassandra/spark/validation/KeyStoreValidationTests.java
index 75cf826..f6acb39 100644
---
a/cassandra-analytics-core/src/test/java/org/apache/cassandra/spark/validation/KeyStoreValidationTests.java
+++
b/cassandra-analytics-core/src/test/java/org/apache/cassandra/spark/validation/KeyStoreValidationTests.java
@@ -24,6 +24,7 @@ import org.junit.jupiter.api.Test;
import org.apache.cassandra.secrets.SecretsProvider;
import org.apache.cassandra.secrets.TestSecretsProvider;
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertInstanceOf;
import static org.junit.jupiter.api.Assertions.assertNull;
@@ -97,4 +98,15 @@ public class KeyStoreValidationTests
Throwable throwable = validation.perform();
assertNull(throwable);
}
+
+ @Test
+ public void testExpiredKeyStore()
+ {
+ SecretsProvider secrets = TestSecretsProvider.forKeyStore("PKCS12",
"keystore-expired.p12", "qwerty");
+ KeyStoreValidation validation = new KeyStoreValidation(secrets);
+
+ Throwable throwable = validation.perform();
+ assertInstanceOf(RuntimeException.class, throwable);
+ assertThat(throwable.getMessage()).startsWith("Certificate with alias
'1' is expired.");
+ }
}
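Review bot: `testExpiredKeyStore` covers only the expired case; there is no fixture for a not-yet-valid certificate, so the `CertificateNotYetValidException` path of `checkValidity()`, which currently ends in the generic "KeyStore is misconfigured" branch, is untested. A second PKCS12 fixture with a notBefore far in the future would stay stable across test runs the same way `keystore-expired.p12` does, and a test asserting on its alias in the message would pin whichever wording the validation chooses for that case. As a point of style, this test mixes AssertJ `assertThat` with JUnit `assertInstanceOf` while the rest of the visible class uses JUnit assertions only; `assertTrue(throwable.getMessage().startsWith("Certificate with alias '1' is expired."))` would avoid the extra static import.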
diff --git
a/cassandra-analytics-core/src/test/resources/validation/keystore-expired.p12
b/cassandra-analytics-core/src/test/resources/validation/keystore-expired.p12
new file mode 100644
index 0000000..891bacd
Binary files /dev/null and
b/cassandra-analytics-core/src/test/resources/validation/keystore-expired.p12
differ