This is an automated email from the ASF dual-hosted git repository.

rob pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 4940bd1  SSL certificate checks in t3c (#6522)
4940bd1 is described below

commit 4940bd12d7751ed840753c29a842151997e69eff
Author: Joe Pappano <[email protected]>
AuthorDate: Fri Feb 18 10:40:10 2022 -0500

    SSL certificate checks in t3c (#6522)
    
    * Collect config warnings and print a summary at the end of t3c apply
    
    * fixed formatting errors
    
    * Added warnings to test
    
    * fixed typo
    
    * Updated to capture remap.config issues, and removed check for append that 
is not needed.
    
    * Added function to verify ssl certificates.
    
    * Updated checkConfigFile verify ssl certificate is valid and log 
expiration date.
    
    * Added function to ensure key and certificate match.
    
    * Removed trailing semicolons on ssl cert message.
    
    * updated function to return error
    
    * added warnings to confgfilewarnings
    
    * keypair check will return an error if there are issues and will store it 
in warnings to print in the summary.
---
 cache-config/t3c-apply/torequest/cmd.go       | 19 +++++++++++++++++++
 cache-config/t3c-apply/torequest/torequest.go |  9 +++++++++
 cache-config/t3c-generate/cfgfile/sslkeys.go  | 21 +++++++++++++++++++--
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/cache-config/t3c-apply/torequest/cmd.go 
b/cache-config/t3c-apply/torequest/cmd.go
index 420dd2f..fe9d775 100644
--- a/cache-config/t3c-apply/torequest/cmd.go
+++ b/cache-config/t3c-apply/torequest/cmd.go
@@ -23,7 +23,9 @@ package torequest
 
 import (
        "bytes"
+       "crypto/x509"
        "encoding/json"
+       "encoding/pem"
        "errors"
        "fmt"
        "io/ioutil"
@@ -32,6 +34,7 @@ import (
        "os/exec"
        "strconv"
        "strings"
+       "time"
 
        "github.com/apache/trafficcontrol/cache-config/t3c-apply/config"
        "github.com/apache/trafficcontrol/cache-config/t3cutil"
@@ -333,6 +336,22 @@ func checkRefs(cfg config.Cfg, cfgFile []byte, filesAdding 
[]string) error {
        return nil
 }
 
+//checkCert checks the validity of the ssl certificate
+func checkCert(c []byte) error {
+       block, _ := pem.Decode(c)
+       cert, err := x509.ParseCertificate(block.Bytes)
+       if err != nil {
+               return err
+       }
+       if cert.NotAfter.Unix() < time.Now().Unix() {
+               err = errors.New("Certificate expired: " + 
cert.NotAfter.Format("Jan 2, 2006 15:04 MST"))
+               log.Warnf(err.Error())
+       } else {
+               log.Infof("Certificate valid until %s ", 
cert.NotAfter.Format("Jan 2, 2006 15:04 MST"))
+       }
+       return err
+}
+
 // checkReload is a helper for the sub-command t3c-check-reload.
 func checkReload(changedConfigFiles []string) (t3cutil.ServiceNeeds, error) {
        log.Infof("t3c-check-reload calling with changedConfigFiles '%v'\n", 
changedConfigFiles)
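Review bot: `block, _ := pem.Decode(c)` in checkCert returns a nil block when the file body is not PEM, so `block.Bytes` on the next line dereferences nil and panics the whole t3c-apply run instead of recording a warning for that one file. The check also only looks at NotAfter, so a certificate whose NotBefore is still in the future is logged as "valid until", and `log.Warnf(err.Error())` passes a non-constant format string, which go vet flags and which would mangle any `%` in the message. Only the first PEM block is examined, which is presumably the leaf in an ATS cert file; intermediates in the same file are not checked. Since checkConfigFile already stores the returned error as a warning, the function can return without also logging it.
```go
// checkCert parses the first PEM block of c as an X.509 certificate and
// returns an error if it cannot be decoded, has expired, or is not yet valid.
func checkCert(c []byte) error {
	block, _ := pem.Decode(c)
	if block == nil {
		return errors.New("no PEM block found in certificate file")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	now := time.Now()
	if now.After(cert.NotAfter) {
		return errors.New("Certificate expired: " + cert.NotAfter.Format("Jan 2, 2006 15:04 MST"))
	}
	if now.Before(cert.NotBefore) {
		return errors.New("Certificate not valid until: " + cert.NotBefore.Format("Jan 2, 2006 15:04 MST"))
	}
	log.Infof("Certificate valid until %s ", cert.NotAfter.Format("Jan 2, 2006 15:04 MST"))
	return nil
}
```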
diff --git a/cache-config/t3c-apply/torequest/torequest.go 
b/cache-config/t3c-apply/torequest/torequest.go
index d52ceb7..4cc3bff 100644
--- a/cache-config/t3c-apply/torequest/torequest.go
+++ b/cache-config/t3c-apply/torequest/torequest.go
@@ -228,6 +228,15 @@ func (r *TrafficOpsReq) checkConfigFile(cfg *ConfigFile, 
filesAdding []string) e
                log.Infoln("Successfully verified plugins used by '" + cfg.Name 
+ "'")
        }
 
+       if strings.HasSuffix(cfg.Name, ".cer") {
+               if err := checkCert(cfg.Body); err != nil {
+                       r.configFileWarnings[cfg.Name] = 
append(r.configFileWarnings[cfg.Name], fmt.Sprintln(err))
+               }
+               for _, wrn := range cfg.Warnings {
+                       r.configFileWarnings[cfg.Name] = 
append(r.configFileWarnings[cfg.Name], wrn)
+               }
+       }
+
        changeNeeded, err := diff(r.Cfg, cfg.Body, cfg.Path, r.Cfg.ReportOnly, 
cfg.Perm)
 
        if err != nil {
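Review bot: The `for _, wrn := range cfg.Warnings` loop is nested inside the `strings.HasSuffix(cfg.Name, ".cer")` branch, so generator-side warnings attached to any other file are silently dropped, including the `.key` file that sslkeys.go in this same commit gives the same keyPairErr slice. Moving the loop out of the `if` so it runs for every file, `for _, wrn := range cfg.Warnings { r.configFileWarnings[cfg.Name] = append(r.configFileWarnings[cfg.Name], wrn) }`, makes the summary complete, and `err.Error()` instead of `fmt.Sprintln(err)` avoids embedding a trailing newline in the stored warning. Note also that an expired or unparseable certificate is only a warning here and the file is still diffed and applied below; if that is intended, a comment saying so would help the next reader. This assumes r.configFileWarnings is initialised before checkConfigFile is called; the function starts and ends outside the hunk, so I cannot confirm that here.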
diff --git a/cache-config/t3c-generate/cfgfile/sslkeys.go 
b/cache-config/t3c-generate/cfgfile/sslkeys.go
index b9ed4c9..4f3cb58 100644
--- a/cache-config/t3c-generate/cfgfile/sslkeys.go
+++ b/cache-config/t3c-generate/cfgfile/sslkeys.go
@@ -20,7 +20,9 @@ package cfgfile
  */
 
 import (
+       "crypto/tls"
        "encoding/base64"
+       "errors"
 
        "github.com/apache/trafficcontrol/cache-config/t3cutil"
        "github.com/apache/trafficcontrol/lib/go-atscfg"
@@ -59,6 +61,12 @@ func GetSSLCertsAndKeyFiles(toData *t3cutil.ConfigData) 
([]t3cutil.ATSConfigFile
                        key = append(key, '\n') // it's going to be a file, 
needs a trailing newline to be POSIX-compliant.
                }
 
+               var keyPairErr []string
+               pairErr := CheckKeyPair(key, cert, string(dsName))
+               if pairErr != nil {
+                       keyPairErr = append(keyPairErr, pairErr.Error())
+               }
+
                certName, keyName := 
atscfg.GetSSLMultiCertDotConfigCertAndKeyName(dsName, ds)
 
                keyFile := t3cutil.ATSConfigFile{}
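Review bot: `var keyPairErr []string` becomes the only content of keyFile.Warnings and certFile.Warnings in the later hunks, replacing the previous `dsWarns` assignment, so whatever warnings dsWarns accumulated for this delivery service (computed above the hunk, outside my view) are no longer attached to the generated files. If those are still wanted in the apply summary, seed the slice from a copy rather than aliasing it: `keyPairErr := append([]string(nil), dsWarns...)`. If dsWarns was deliberately retired, removing its remaining uses would make that intent clear.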
@@ -66,7 +74,7 @@ func GetSSLCertsAndKeyFiles(toData *t3cutil.ConfigData) 
([]t3cutil.ATSConfigFile
                keyFile.Path = "/opt/trafficserver/etc/trafficserver/ssl/" // 
TODO read config, don't hard code
                keyFile.Text = string(key)
                keyFile.Secure = true
-               keyFile.Warnings = dsWarns
+               keyFile.Warnings = keyPairErr
                configs = append(configs, keyFile)
 
                certFile := t3cutil.ATSConfigFile{}
@@ -74,9 +82,18 @@ func GetSSLCertsAndKeyFiles(toData *t3cutil.ConfigData) 
([]t3cutil.ATSConfigFile
                certFile.Path = "/opt/trafficserver/etc/trafficserver/ssl/" // 
TODO read config, don't hard code
                certFile.Text = string(cert)
                certFile.Secure = true
-               certFile.Warnings = dsWarns
+               certFile.Warnings = keyPairErr
                configs = append(configs, certFile)
        }
 
        return configs, nil
 }
+
+func CheckKeyPair(keyPem []byte, certPem []byte, ds string) error {
+       _, err := tls.X509KeyPair(certPem, keyPem)
+       if err != nil {
+               log.Warnf("Issue with keypair for %s: %s", ds, err)
+               return errors.New("Issue with keypair for " + ds + ": " + 
err.Error())
+       }
+       return nil
+}
