From ea34df8d28e6ce13407c53dde6e96aac089f587c Mon Sep 17 00:00:00 2001 From: ASchmidt Date: Fri, 22 Feb 2019 12:52:25 -0700 Subject: [PATCH 1/8] updated tr docker config so it would work --- .../docker/traffic_router/Dockerfile | 2 ++ infrastructure/docker/traffic_router/run.sh | 3 ++- .../protocol/RouterNioEndpoint.java | 26 +++++++++++++++++++ .../cdns/name/thecdn/sslkeys-missing-1.json | 2 +- .../api/1.3/cdns/name/thecdn/sslkeys.json | 2 +- 5 files changed, 32 insertions(+), 3 deletions(-) diff --git a/infrastructure/docker/traffic_router/Dockerfile b/infrastructure/docker/traffic_router/Dockerfile index 3a6a0f1347..c16dcc0f66 100644 --- a/infrastructure/docker/traffic_router/Dockerfile +++ b/infrastructure/docker/traffic_router/Dockerfile @@ -35,6 +35,8 @@ ARG TC_REPO=traffic-control.repo ADD $TMCAT / ADD $RPM / ADD $TC_REPO /etc/yum.repos.d/ +ADD starttr.sh / +ADD shutdowntr.sh / ### Common for all sub-component builds RUN yum -y install \ diff --git a/infrastructure/docker/traffic_router/run.sh b/infrastructure/docker/traffic_router/run.sh index 1329cdf25c..f0eabf51ab 100755 --- a/infrastructure/docker/traffic_router/run.sh +++ b/infrastructure/docker/traffic_router/run.sh @@ -28,7 +28,8 @@ # ORIGIN_URI # origin server (e.g. hotair), used to create a delivery service start() { - systemctl start traffic_router + chmod 777 starttr.sh + ./starttr.sh touch /opt/traffic_router/var/log/traffic_router.log exec tail -f /opt/traffic_router/var/log/traffic_router.log } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java index 657e5734f0..5706ad5689 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java 
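Review bot: The two new `ADD starttr.sh /` and `ADD shutdowntr.sh /` lines copy plain local files, for which `COPY` is the conventional instruction; `ADD` additionally auto-extracts archives and can fetch URLs, behaviour nobody wants for a shell script. Setting the file mode at build time here would also remove the need for the runtime `chmod` that run.sh gains in the next hunk, e.g. `COPY --chmod=0755 starttr.sh shutdowntr.sh /` (I believe `--chmod` needs BuildKit; on older builders `COPY starttr.sh shutdowntr.sh /` followed by `RUN chmod 0755 /starttr.sh /shutdowntr.sh` achieves the same). Whichever form is used, a one-line comment above saying these replace the systemd unit that is unavailable in the container would help the next reader.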
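Review bot: `chmod 777 starttr.sh` makes the start script world-writable inside the container, which is broader than the script needs; it only has to be executable by the user running it, so `chmod 755 starttr.sh` is sufficient (or, better, set the mode when the file is added to the image and drop the runtime chmod entirely). Both `chmod 777 starttr.sh` and `./starttr.sh` also assume the current working directory is `/`, where the Dockerfile places the script; using the absolute path `/starttr.sh` removes that dependency on whatever `WORKDIR`/`docker run -w` happens to be. If `starttr.sh` fails, `start()` still proceeds to `touch` and `tail` the log, so the container appears healthy while Tomcat never started; consider `./starttr.sh || exit 1` or `set -e` in this function.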
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java @@ -19,6 +19,7 @@ import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData; import com.comcast.cdn.traffic_control.traffic_router.secure.KeyManager; import org.apache.log4j.Logger; +import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.net.NioEndpoint; import org.apache.tomcat.util.net.SSLHostConfig; import org.apache.tomcat.util.net.SSLHostConfigCertificate; @@ -92,4 +93,29 @@ synchronized public void reloadSSLHosts(final Map cr) { protected SSLHostConfig getSSLHostConfig(final String sniHostName) { return super.getSSLHostConfig(sniHostName.toLowerCase()); } + + /*private void unregisterJmx(final SSLHostConfig sslHostConfig) { + final Registry registry = Registry.getRegistry(null, null); + registry.unregisterComponent(sslHostConfig.getObjectName()); + for (final SSLHostConfigCertificate sslHostConfigCert : sslHostConfig.getCertificates()) { + registry.unregisterComponent(sslHostConfigCert.getObjectName()); + } + } + + @Override + public void addSslHostConfig(final SSLHostConfig sslHostConfig, final boolean replace) throws IllegalArgumentException { + final String key = sslHostConfig.getHostName(); + if (key == null || key.length() == 0) { + throw new IllegalArgumentException(sm.getString("endpoint.noSslHostName")); + } + + SSLHostConfig previous = null; + if (replace) { + previous = sslHostConfigs.get(key); + } + super.addSslHostConfig( sslHostConfig, replace); + if (previous != null) { + unregisterJmx(previous); + } + }*/ } diff --git a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json index 2d6c8825ac..f0a8f23fb0 100644 --- a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json 
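Review bot: The added `import org.apache.tomcat.util.modeler.Registry;` is unused in this commit, because the only code that references `Registry` is the `unregisterJmx`/`addSslHostConfig` block that is wrapped in `/* ... */` further down, so the class gains an unused import and roughly twenty-five lines of dead, commented-out code. Commented-out code should not be committed; either enable the override (as a later patch in this series appears to do) or leave a single TODO in its place, e.g. `// TODO: unregister the replaced SSLHostConfig's JMX beans in addSslHostConfig (Tomcat leaves them registered)`. If the block is kept for the follow-up, at least drop the import so the file does not carry an unused dependency in between.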
+++ b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json 
@@ -22,7 +22,7 @@ "deliveryservice": "http-to-https-test", "certificate": { "comment" : "The following is just a self signed certificate and key to use for testing this is NOT private data from a CA", - "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc2Y0NnV5OGJ2\nQk5rMGhCaEVsbHdGT0dqREh6M1hJY1hteDRVNThNZG9Fa1JId0VTCjVONnd3NFV6bDAvRDcyMlJV\nODlMeHB4bldvclJmdVZNQldnOGVFcXBUb2NUS2NOZHhtZmdEUWZTcTZ1ODNTWkUKTmFCZFArK2g5\nYTJJRFZXWGFldVRhcVA3Q3lVVG52Sld5Mm1JalJWZkRGQWRWWHNhU1M4RGRYUWdibEJTelJ6NwpL\nMXFHVWt1RlZQc0R0ODZBYVF3TnN5R2ZDN3ltcUkzNU1FQ3hTdzNPd2lXSlAyZTg3U2E5UG9Pdjcr\nZUs2NVJnCmM3dzNkSXQxZUlyS3B6OWpQV1RPTkJOK0JhWFdvcHNXZ3UvdVd4Q1pnUk9qaXBWVUFK\nNHhrNFRGMjd0S28zRDUKSHd4RVZOeStlck9FTGI3VWxuaHMxaG1LdVI2RTZwREpHSyt1UFFJREFR\nQUJBb0lCQURkb1RYNFJkdysvOWNXUwpoYlZCbEN0YjVmYXdQQXhZblZlVE1Lekl4ME1yRzZKTUlr\nYU9yL1hkVkNjSkZKUkd4bE9SbHlRWGNmRDBmNnlCCjBuMW9hbEtENDFwbm4rYURRNERNdXlrelF6\naGZlS1piRUNhbGFnSEtKZCtsaWxHa1VFTVBxMDhxQnE3OGRyUW0KK2kvT0JVenQxeTJ0RHNTYVVw\nOXZmQ01tNkNXT1pKOHN6eWZrSk1ZZVVLdXptOWwzMGNNeW84anF0bi9LQjZWWApEVkZmNGpqU1FM\nTzBYbUo1M012TW1xUzlGaVRUdklpQm9iNnkxMEtWZjZpWk5MZnVnVExoWFhQaDFDNTJTUTVvCjZj\nVWdqanh5NFhmYUdub0Y1NlF4M0FIZWRpd0Z6eEFpWGlKOCswUFB3bWI2Q1FGOU1jSzV0QjQzcVZx\nNWNKNFcKTVF1SWpsMENnWUVBMkM3SFh6OHppODQ0anJHa1VvUmF3NE9QcitBdnFIVGY1NEJ2Ujhz\nTzc2NkljRzEvUytmdQoxbXQ2RnBRQVZGeHJvWmxEWHkrWGtTQ0toaEM3cmh6cHQzaVJuRkhkWFpT\nM25MM2ZjWnIzUCtFSXNyb3hLeVFRCmg3dy8xYnEzd3JwUnNOWjZpdDNVSHJvVlRLU2tZQzZvOUor\nYzRPYjVQRzVGcFRvZk81dmRWWHNDZ1lFQTBzYkYKd3pjYzEvcTdEVXpkTkVTaWtNMFdMMkFZanBH\nOFpEYTY0eUcrZ1JkWjhjWmpJUzlkVFpWWVpUODNFSnp2T2dyWgo1NmFYTVN2QVc2ak1oY1VDR05K\nN3JaaGl1Uk9HNVdWM3FzMnFkbmtkQlgrdGhrUE9HT3lNYnhsN1ltUlZXTG11CjBFV3NMQ3VHVFov\neDV5NG02WmNGQldRZUkreVMxanZTTXVkelVhY0NnWUJvVG1ISjlnK2o1Qk5yM2hCZjlCWnIKQVY1\naHlMU1YvaFpPZDZ5NW9pTUp5RmR5ajVKOUNHSTN1TkhHZFJDWG82UVc2NEVUT3o1Uk9yYzdxblV6\ndENXYwpiYU1zSGwvRm1Fempac1daNWVCb1JPYlNmWDNkeDkvbDdoR0t5VFdDMGkwNk9ySVRzS1o1\nVU9XWC9sU0ZSOTRqCmNhUGE2L2JUam8weUJKSXZTNndHWXdLQmdDN045dkpmbGFjY1JWY3h2M
Wt3\nK0l5QkRqRWMvTGNFQTdxWk1LenAKUEYxOEt2djJXdUx1bXFCMHpubEZMVndpRFRsdFdYQUlYVUNN\nLzUwYkFiZWV4TlZ3UUFpUGN6UzM4bGVVVFp0LwpLaUEreXNRQzB5eWlkK3l1OG94bE16SHBKODZa\nQlFtNHZ2L2I5bW5jWDZJL2JHS29wM1BJQksxamhrUE9hdUhrCjVZVzNBb0dBVEtVZlhkWTNad0hM\nWlUxSm1lRldKb29kOW10SHNrM1QyT2hCdDBwNUpSU3hVYWxOY0tkZEcvMVgKMFFCN1E1NWxMZEIz\nT1k2b1NDaEtuK1dUMWNwQ1N3d09PQlJNTmZPOVR1c252NkU2ZlNRWWVwdGNmV2lOb3VBWQpYaDVn\nQTRORzJHeUM5TW9tZUxQbUY0NmJsdU5UYzFxREMzeVZVcVQzdDkxY1RwNytWems9Ci0tLS0tRU5E\nIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==", + "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMHBBWXlmamRz\nZ0NSL0ZXeEQvWE1vbDNwYjRWazlHSFdqTnR4bkdvWHA3OGxxM2p1CitLd012ZlU2ZDVScmdXbHp6\nMlJjZnFhMHdjbkYrNU1abkdkbzRGaGwycnhnT3ZBV2NSb3ZXS3BUaXNUUkcrQXcKbnFneUZTWjNT\nalhUcE9YUjV4dUJJOWI1c3ZIN3RhbzdBcWFLR2I0V3d1TnA3cTZzcUtRYlRxaUlXcE9JQWtFKwpS\nVnJXblBVdHRvaHlTV08yL2dIbDQ2NlU1S0czdC9TU3lqZVRPZ1ZFU0xoQUhlWlk2dExyTGd1YmdM\nanlLVWE5CkpDcWJLa1laZ2UrdWlhKzVVMzZ6alhYRUdBUEdwWWNrM2Zqb1pYN01zM3hkUzV6Zit6\nUDQzSnVVWUtheE5KbVMKRXMvaU1Dc1VPK1htZEtQTFhmWGdPWDNoM0NQdC83U05HR3VlS1FJREFR\nQUJBb0lCQUF1REEwZnZpamRVSHFjYwpERDBpSkJqd1ozWElaamVTTGNldnE2dHdoWENQVzhEZk1M\nbDV0b3lnSHAweENSdWZKMHk4WU80dnNRd3pPdGJCCk9SSTYrUm5pMjFhMUc5RzlGSTBFY0hnNWY2\nM0RpdWNxUDU0ODlkZ0FMVjlxUi9Mbythdlg3aHlHZ1VwT1BvTzEKRmRyVVBoS2dPT0JZekk3WEQr\ndDhaVjNNaXYvZ25aWUphR2dYRDYrODFGaU4veXNXaE5SMEVYYW5Vck1wR2ZtdQpSVm1tYnlvRjNr\nWVV1d3V2SUZIMkdPVFo0VjViR3JGQUJUQUowSWt2MkdmcU9TR08xa1NiWVMxclZjb29uMyswClRz\ncGxLejRUT3NVblp5VUk1UVBpbEI5ak93cjVlbGFRM1lndnZCM0k5TUdvQjRTLy9XWkFVRGFQTjlE\nZXYyU1UKUm1jb2dqMENnWUVBN3oxaEh0c21QZmVOOTA3VWV4clVwMGRMOEJtbmJ5V1k0bkYrbFhp\nalRLQ0xpTjdtNGFSNQpTTHhtZ21nVkhrQ0dOZkEybXFVWHA2dTlNL1BXOGx4SjRjNExLRldCbTVJ\nYjFRdlRZM3hOWDNKWVZYZkhTWkNlCitvaDMwaStmcm9oYmNnZzRpaG9QeDU2aGhpbEdlSXZGSS9l\nMDg0M0Z0dU9mWkgrQ0s1dHRKOU1DZ1lFQTRWQnEKTTNUUlhzbUU3ZHQvSFFza2ladGFjTVdkQldx\nOVRXVlBIb3hBK3VjalFoandGVFhBZzhkZGFsbE9TS1hWNjVGawoxMlphU1lTbTd5VnplS3lVRk4w\nazBxNXpRQkRZQ1FNYVA2YjZYbGxiL2VMaWJQQTMxbU5uRGl2WjdkVWM3UUVqClhUUy9nclFLc2Zl\n
enRVMXUwNG1SMTZ5THhZSHh3MW5IL3NselFKTUNnWUVBMHF6S2lkR1NxNThFZFhRRnlTS24KZ1dk\nWGgrZ1BlZUV4OExiaE1kODZicEF5VUNWNlM5bjZ0QUswZ3NJRlZzNmJZWVJYa1hjd2pZYSs1ckVq\nNStrOQpab3Q3Wjlsa2VRc0JWMnRDaTZrNnVZS0lKenVEVTFUM3FzZmlQRVdUNks1TFdPL0VXbGo0\nN0dEVS9MLzhQc3RXCm40WFM0MmRGWlBpdHRHSlV6dkhmL2VFQ2dZQXVpR3dXaW5hL0s4RmZXbWly\nTitUbzRvUFFMSS9jVVlvZEZPSTkKUGR3aHRXREx3dGk2bUtwVXpQVFhCUEN0QWtybTV0VTd3ekM4\nWkVBUnZkdFdQZFlyWk95NDhqeHRLODFpTnhqUgpzb3VjdHJuUCttNm03d21wSmtoZlhlRVpSRjAv\nK1c4elRiU0xxdUZXbGdDd1hmaVlpWjNzTy85MTMvdHRTL3FJCi9WUG5Md0tCZ1FDNGQ4OXNUL3E3\nNjZMREt6bEhySzVEUkE2TTRENEhMbjEwTWJQVExNdWNweEJlQkY1YnhvQkEKeHRFcVhBRCtyaWVr\nT3IybjJSRHlxeGt0MS9FY2JhcTI5bmNXVFFwZjZ2NkV3cTFGT3JhUDlpdTJFbERBcUcyMApXbmdG\nOUttM0VETUpBQkd5VHhieFgxZTZMRG1LaFcwWFFxRWptVmpGQi9uMFVQOGxJd2F2aGc9PQotLS0t\nLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", "crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZuakNDQTRhZ0F3SUJBZ0lDRUFFd0RRWUpL\nb1pJaHZjTkFRRUxCUUF3WkRFTE1Ba0dBMVVFQmhNQ1ZWTXgKRVRBUEJnTlZCQWdNQ0VOdmJHOXlZ\nV1J2TVJBd0RnWURWUVFLREFkRGIyMWpZWE4wTVE0d0RBWURWUVFMREFWSgpVRU5FVGpFZ01CNEdB\nMVVFQXd3WFZHVnpkR2x1WnlCSmJuUmxjbTFsWkdsaGRHVWdRMEV3SGhjTk1UWXdPVEl6Ck1qSXpO\nREl4V2hjTk16VXhNVEl6TWpJek5ESXhXakNCaFRFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJB\nZ1QKQ0VOdmJHOXlZV1J2TVE4d0RRWURWUVFIRXdaRVpXNTJaWEl4RURBT0JnTlZCQW9UQjBOdmJX\nTmhjM1F4RGpBTQpCZ05WQkFzVEJVbFFRMFJPTVRBd0xnWURWUVFERkNjcUxtaDBkSEF0ZEc4dGFI\nUjBjSE10ZEdWemRDNTBhR1ZqClpHNHVaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RR\nRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKL2pxN0x4dThFMlRTRUdFU1dYQVU0YU1NZlBkY2h4\nZWJIaFRud3gyZ1NSRWZBUkxrM3JERGhUT1hUOFB2YlpGVAp6MHZHbkdkYWl0Ris1VXdGYUR4NFNx\nbE9oeE1wdzEzR1orQU5COUtycTd6ZEprUTFvRjAvNzZIMXJZZ05WWmRwCjY1TnFvL3NMSlJPZThs\nYkxhWWlORlY4TVVCMVZleHBKTHdOMWRDQnVVRkxOSFBzcldvWlNTNFZVK3dPM3pvQnAKREEyekla\nOEx2S2FvamZrd1FMRkxEYzdDSllrL1o3enRKcjArZzYvdjU0cnJsR0J6dkRkMGkzVjRpc3FuUDJN\nOQpaTTQwRTM0RnBkYWlteGFDNys1YkVKbUJFNk9LbFZRQW5qR1RoTVhidTBxamNQa2ZERVJVM0w1\nNnM0UXR2dFNXCmVHeldHWXE1SG9UcWtNa1lyNjQ5QWdNQkFBR2pnZ0UyTUlJQk1qQUpCZ05WSFJN\nRUF
qQUFNQkVHQ1dDR1NBR0cKK0VJQkFRUUVBd0lHUURBekJnbGdoa2dCaHZoQ0FRMEVKaFlrVDNC\nbGJsTlRUQ0JIWlc1bGNtRjBaV1FnVTJWeQpkbVZ5SUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdR\nV0JCVHlRTUw1UzdMbW5PeTlpRUQxdkUwL1ZzN1FTRENCCm1BWURWUjBqQklHUU1JR05nQlNqY1VG\nK01rSUtnSjN5ZmFESHdMTFBremZDdWFGeHBHOHdiVEVMTUFrR0ExVUUKQmhNQ1ZWTXhFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVgpCQW9NQjBO\ndmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nCmIzUWdRMEdDQWhBQU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VG\nQlFjREFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQWJpN09yQUNDbldKd3dDM2dmWUVBMmpI\nZ0FNMDRoK1FGQ1hRUnhCZApkd0ZLNDNTaVIwME1CTUdObVl1YUd0RWNTMGZacTVORFp1eFVOZHVM\nMmZselQzbkJ3Sm5DbEZ3aXd0YWwrcTE2CkV2QWtBbUQvU2pxNm5CYm5qNUlqNkRlRE5kOHRJd0ps\ncDMrdCs0RE9rNWt2a2FxS2ptd29EM3RlNG1QdnNIeXQKNElpRG1wRnpqeG83b2o5VkY0RTVtMjZV\nM240aENUYnJ2Ui9RNWlCdDhpT3M1YU8rVlpuTWNyQ3htbmhSYU1sVQpOaXkwTGxCZVVJQ213TE95\nNERQeDc1WVdDMzZEUVhMS2dMcnZ4RktIRmI2SlJoMmNLYzNpcVc3allhNjJwbmhHCllXb1pDdkJO\neXZqbkpIbGZYVDBUNitDN3Btb0ZLNTV5dGNhdFByQk82VEI3TFhUcjlJN2JIN0R2aU9SS1MwMFoK\nOHlPMktva1M1WVZ0T2c4NnNHT2lFOFQxMDFzc0xSNUhWZmVDTVJqc0J4eXdUdUxNRyt1cE9lWDhk\nMGhlUjZNbgp3RlFxUDR0V1A0WEZkSGd0cHlaZHBVYTBXVkZTVXJueDAvV1pDbXZLNFNQcmhzUG5s\nWUptaGtTRldkWHczcnJRCjZaL2tZZFM5VDM2SG9EMW1rcmdiMWRPTnNNd0Zpb1BqZ2RmRU1Xb001\nVWJ6L1p4RHp2V2ZDQWovVnloOVc0VFoKcEljUG8xZmhNQVJQcVVDY2N1ZVc3ckpOSDhwSm5yY0VU\nZ2xLdDY3SnZ2S1dKdzhLcEo1ajNzSERkUG56N1Z3NgpsNnRwVWJYU2U2SzY1Zy9Fc25EYkFDS21v\neldQNFVnSGY5akJ0c2FLK0hnUHVKRlYvMlBzMG96bW1XWGxQU0JJCitxQT0KLS0tLS1FTkQgQ0VS\nVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRnN6Q0NBNXVnQXdJ\nQkFnSUNFQUF3RFFZSktvWklodmNOQVFFTEJRQXdiVEVMTUFrR0ExVUVCaE1DVlZNeApFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVkJBb01CME52\nCmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nYjNRZ1EwRXcKSGhjTk1UWXdPVEl6TWpFeE56SXdXaGNOTXpnd09ERTVNakV4TnpJd1dqQmtNUXN3\nQ1FZRFZRUUdFd0pWVXpFUgpNQThHQTFVRUNBd0lRMjlzYjNKaFpHO
HhFREFPQmdOVkJBb01CME52\nYldOaGMzUXhEakFNQmdOVkJBc01CVWxRClEwUk9NU0F3SGdZRFZRUUREQmRVWlhOMGFXNW5JRWx1\nZEdWeWJXVmthV0YwWlNCRFFUQ0NBaUl3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29D\nZ2dJQkFPQ2lCV09BOE15andReTFzRVc4SDNVME1CaWlyU2xyUjk0aApDOU9mQjc5TnVWQVQ3U29q\nNkVYK0RkeDQxeGhyY1lUSDArRk5BVW15RFJuUkticlFRTlJ1alpPZytud0VTcXNxCmUxRmJ2cXJK\nZUZSdStGQmxXSTBCTlNnSEVWdFo4cjZtY0ZuV3V2cXBrOHF2Q1BSemJGUjhKSU1kRisxbzkzZzYK\naDdxanlOdk5zNjZ0UkRieFRHbnpDaEMrNXVVRElubTU5ekdiMnVFdXFlbldkNFZMaXRQVGRyQjRm\nTkFXODhiaApCWDhpSWVCV0xDUGRWT1NLUW9VeEFkaEplM1R4RXlnd1ZYV3dsUHpONjhmL2NyY0FZ\nTmNrVFo1YzdmTzdNV0JCCkR6T0kzcUxRc2R2L1lzR1dSM2g4Z2ZwaDcwMlBndW50Q25PbWhzdjVk\nZCtwcTAxR20zMzJzT0V4dHdONEF3bkoKeFk4REdmbDZYNmVNS2ZoQmt4VmVrbytLaTJEdW1vcWxr\nN2xIOGcvTXg3VCtvTDNDbkR2SHJUZy9Oa0YrV1hzcQphMUFuTGZyRGtyQjRnRVJLSHMrVzhjMVhy\nNXZNM1hMR2lZTEtkVGw5aFp6ejFaRU1OaUozYXE2aW5TOGlVNkxiCmIxeHhDZldjdGV0Q0Vabklx\nbGlSMkszODlGVHI3SDdQdldOTVhGb3M3ek5Ldm81WS81RjIwYjlkRXZJWnFjUnMKYVJhTXFYYmxq\nbnZUOHpiWFpnVTI4YzJpMnZmU2YxSEIrSkFaSTYzVG5oZlVybExDTDRGc3YrRnJNKzduSjdaOQoy\nY2lYR3ZaUG9TL0FWRzdvUW91cEx1UGk0VW1rYUM1RzVsSVpaNXhNbzBIV2oraXN0bVZVOGtkZmlt\nalNVZy9ZCjI5azl1RzBSQWdNQkFBR2paakJrTUIwR0ExVWREZ1FXQkJTamNVRitNa0lLZ0ozeWZh\nREh3TExQa3pmQ3VUQWYKQmdOVkhTTUVHREFXZ0JTbXB2bEJPZXJ6NEJ6c2hYUVlKR3VqeVNEVmJU\nQVNCZ05WSFJNQkFmOEVDREFHQVFILwpBZ0VBTUE0R0ExVWREd0VCL3dRRUF3SUJoakFOQmdrcWhr\naUc5dzBCQVFzRkFBT0NBZ0VBb1o2V0w2YjlPWjdpCm0xTTdLQ0Q5ZHhPbFBUWEp0bGpJMTlIWWNv\ndW9panRIckRoMjRnVHdsTzlkOWxRSWVIa1ovVzhNVjYwRHZOQ2QKUEtrajMzYXNBdG1NaEtHeTI0\nalRGcGF3WXRaaytON3p3MnlHY2gwR0J0UWk3dkZpSmIvaWpGRHI5bzM3cDJWZQp0QU5KUm5WNFEw\nVWhYTUJId0VOdFZZemVjUVhVbWV3c1ErTGkvZnAwb3hUaVppekhXMUlkalM5c2hQcmFJUE9BCmNV\nL0F4enc5ZFphOXkxc1RudnI4RmRkTUZLV01oOFlubHIyajRjQTM5R0kzVmt3c0RaN2EyUnhLTGpE\nY2FWNTkKUXpGOEFFUnMvNFJ4bXVaWTVCVW5oWTNDQ2EwdzZiWGV5d1cxS0hlN0tlUkI1bDVaNkRH\nWU0yUVlJRy9rZUhKcgowb0VXUzE3ZjNtSlZzampQMVlMenV1cnJVQ3Mxc2xjbTZYM3Y2M2FjTm5u\nbitncGhzM2Y4MmdzS0xhOUJWcW05CnJHM1BNTUg0VzlvazFlUUl0bEswMzNEclBrN1RqNnpLVGRH\nWjJMbDY5U0VZMzZCQ0RSaEd5R
0tUZ1RnNU5LZHAKT2g0QWJPNzgreHBCTUV2NW4xZCsvSFg2Zi9C\nL2l3dFdCbVA5TmduZTU1RW5LRHR3V1k3T201My9KM21iMXNrNwpJb2FuYzdMaHN2clozRWgwV3dU\nMi9XK3lEVkFZbVVLTHd6bVQ5aUtPbm1FUWdMWE1GbmRjMERrQTIwRjVCZWhVCmNwUnI1WmFhaUZq\nWDZiRU1adHFURVo4dUZFSmorcElCUlExYUlybHZiMlo2bjZsV3NrekcwRlp1cFRUeUluZVYKT1pO\nUEhMRDhZY2Fvc1J3czBrTG03VGcyMXYyNnRvMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" }, "hostname": "*.http-to-https-test.thecdn.example.com" diff --git a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json index 804c83a6c9..c5a9b3d173 100644 --- a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json +++ b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json 
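Review bot: Only the `key` value is replaced while `crt` is unchanged, so the new private key must still correspond to the public key inside the unchanged certificate; if it does not, tests loading this fixture will exercise a key/certificate mismatch rather than whatever scenario the file name `sslkeys-missing-1.json` is meant to cover. The commit message ("updated tr docker config so it would work") does not say why the fixture changed, so it is worth verifying the pair once (e.g. compare `openssl rsa -noout -modulus` against `openssl x509 -noout -modulus` on the decoded PEMs) and recording the intent in the existing `comment` field, for instance `"comment" : "The following is just a self signed certificate and its matching key to use for testing; this is NOT private data from a CA"`. The identical key swap is made in sslkeys.json in the next hunk and the same check applies there.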
@@ -31,7 +31,7 @@ "deliveryservice": "http-to-https-test", "certificate": { "comment" : "The following is just a self signed certificate and key to use for testing this is NOT private data from a CA", - "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc2Y0NnV5OGJ2\nQk5rMGhCaEVsbHdGT0dqREh6M1hJY1hteDRVNThNZG9Fa1JId0VTCjVONnd3NFV6bDAvRDcyMlJV\nODlMeHB4bldvclJmdVZNQldnOGVFcXBUb2NUS2NOZHhtZmdEUWZTcTZ1ODNTWkUKTmFCZFArK2g5\nYTJJRFZXWGFldVRhcVA3Q3lVVG52Sld5Mm1JalJWZkRGQWRWWHNhU1M4RGRYUWdibEJTelJ6NwpL\nMXFHVWt1RlZQc0R0ODZBYVF3TnN5R2ZDN3ltcUkzNU1FQ3hTdzNPd2lXSlAyZTg3U2E5UG9Pdjcr\nZUs2NVJnCmM3dzNkSXQxZUlyS3B6OWpQV1RPTkJOK0JhWFdvcHNXZ3UvdVd4Q1pnUk9qaXBWVUFK\nNHhrNFRGMjd0S28zRDUKSHd4RVZOeStlck9FTGI3VWxuaHMxaG1LdVI2RTZwREpHSyt1UFFJREFR\nQUJBb0lCQURkb1RYNFJkdysvOWNXUwpoYlZCbEN0YjVmYXdQQXhZblZlVE1Lekl4ME1yRzZKTUlr\nYU9yL1hkVkNjSkZKUkd4bE9SbHlRWGNmRDBmNnlCCjBuMW9hbEtENDFwbm4rYURRNERNdXlrelF6\naGZlS1piRUNhbGFnSEtKZCtsaWxHa1VFTVBxMDhxQnE3OGRyUW0KK2kvT0JVenQxeTJ0RHNTYVVw\nOXZmQ01tNkNXT1pKOHN6eWZrSk1ZZVVLdXptOWwzMGNNeW84anF0bi9LQjZWWApEVkZmNGpqU1FM\nTzBYbUo1M012TW1xUzlGaVRUdklpQm9iNnkxMEtWZjZpWk5MZnVnVExoWFhQaDFDNTJTUTVvCjZj\nVWdqanh5NFhmYUdub0Y1NlF4M0FIZWRpd0Z6eEFpWGlKOCswUFB3bWI2Q1FGOU1jSzV0QjQzcVZx\nNWNKNFcKTVF1SWpsMENnWUVBMkM3SFh6OHppODQ0anJHa1VvUmF3NE9QcitBdnFIVGY1NEJ2Ujhz\nTzc2NkljRzEvUytmdQoxbXQ2RnBRQVZGeHJvWmxEWHkrWGtTQ0toaEM3cmh6cHQzaVJuRkhkWFpT\nM25MM2ZjWnIzUCtFSXNyb3hLeVFRCmg3dy8xYnEzd3JwUnNOWjZpdDNVSHJvVlRLU2tZQzZvOUor\nYzRPYjVQRzVGcFRvZk81dmRWWHNDZ1lFQTBzYkYKd3pjYzEvcTdEVXpkTkVTaWtNMFdMMkFZanBH\nOFpEYTY0eUcrZ1JkWjhjWmpJUzlkVFpWWVpUODNFSnp2T2dyWgo1NmFYTVN2QVc2ak1oY1VDR05K\nN3JaaGl1Uk9HNVdWM3FzMnFkbmtkQlgrdGhrUE9HT3lNYnhsN1ltUlZXTG11CjBFV3NMQ3VHVFov\neDV5NG02WmNGQldRZUkreVMxanZTTXVkelVhY0NnWUJvVG1ISjlnK2o1Qk5yM2hCZjlCWnIKQVY1\naHlMU1YvaFpPZDZ5NW9pTUp5RmR5ajVKOUNHSTN1TkhHZFJDWG82UVc2NEVUT3o1Uk9yYzdxblV6\ndENXYwpiYU1zSGwvRm1Fempac1daNWVCb1JPYlNmWDNkeDkvbDdoR0t5VFdDMGkwNk9ySVRzS1o1\nVU9XWC9sU0ZSOTRqCmNhUGE2L2JUam8weUJKSXZTNndHWXdLQmdDN045dkpmbGFjY1JWY3h2M
Wt3\nK0l5QkRqRWMvTGNFQTdxWk1LenAKUEYxOEt2djJXdUx1bXFCMHpubEZMVndpRFRsdFdYQUlYVUNN\nLzUwYkFiZWV4TlZ3UUFpUGN6UzM4bGVVVFp0LwpLaUEreXNRQzB5eWlkK3l1OG94bE16SHBKODZa\nQlFtNHZ2L2I5bW5jWDZJL2JHS29wM1BJQksxamhrUE9hdUhrCjVZVzNBb0dBVEtVZlhkWTNad0hM\nWlUxSm1lRldKb29kOW10SHNrM1QyT2hCdDBwNUpSU3hVYWxOY0tkZEcvMVgKMFFCN1E1NWxMZEIz\nT1k2b1NDaEtuK1dUMWNwQ1N3d09PQlJNTmZPOVR1c252NkU2ZlNRWWVwdGNmV2lOb3VBWQpYaDVn\nQTRORzJHeUM5TW9tZUxQbUY0NmJsdU5UYzFxREMzeVZVcVQzdDkxY1RwNytWems9Ci0tLS0tRU5E\nIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==", + "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMHBBWXlmamRz\nZ0NSL0ZXeEQvWE1vbDNwYjRWazlHSFdqTnR4bkdvWHA3OGxxM2p1CitLd012ZlU2ZDVScmdXbHp6\nMlJjZnFhMHdjbkYrNU1abkdkbzRGaGwycnhnT3ZBV2NSb3ZXS3BUaXNUUkcrQXcKbnFneUZTWjNT\nalhUcE9YUjV4dUJJOWI1c3ZIN3RhbzdBcWFLR2I0V3d1TnA3cTZzcUtRYlRxaUlXcE9JQWtFKwpS\nVnJXblBVdHRvaHlTV08yL2dIbDQ2NlU1S0czdC9TU3lqZVRPZ1ZFU0xoQUhlWlk2dExyTGd1YmdM\nanlLVWE5CkpDcWJLa1laZ2UrdWlhKzVVMzZ6alhYRUdBUEdwWWNrM2Zqb1pYN01zM3hkUzV6Zit6\nUDQzSnVVWUtheE5KbVMKRXMvaU1Dc1VPK1htZEtQTFhmWGdPWDNoM0NQdC83U05HR3VlS1FJREFR\nQUJBb0lCQUF1REEwZnZpamRVSHFjYwpERDBpSkJqd1ozWElaamVTTGNldnE2dHdoWENQVzhEZk1M\nbDV0b3lnSHAweENSdWZKMHk4WU80dnNRd3pPdGJCCk9SSTYrUm5pMjFhMUc5RzlGSTBFY0hnNWY2\nM0RpdWNxUDU0ODlkZ0FMVjlxUi9Mbythdlg3aHlHZ1VwT1BvTzEKRmRyVVBoS2dPT0JZekk3WEQr\ndDhaVjNNaXYvZ25aWUphR2dYRDYrODFGaU4veXNXaE5SMEVYYW5Vck1wR2ZtdQpSVm1tYnlvRjNr\nWVV1d3V2SUZIMkdPVFo0VjViR3JGQUJUQUowSWt2MkdmcU9TR08xa1NiWVMxclZjb29uMyswClRz\ncGxLejRUT3NVblp5VUk1UVBpbEI5ak93cjVlbGFRM1lndnZCM0k5TUdvQjRTLy9XWkFVRGFQTjlE\nZXYyU1UKUm1jb2dqMENnWUVBN3oxaEh0c21QZmVOOTA3VWV4clVwMGRMOEJtbmJ5V1k0bkYrbFhp\nalRLQ0xpTjdtNGFSNQpTTHhtZ21nVkhrQ0dOZkEybXFVWHA2dTlNL1BXOGx4SjRjNExLRldCbTVJ\nYjFRdlRZM3hOWDNKWVZYZkhTWkNlCitvaDMwaStmcm9oYmNnZzRpaG9QeDU2aGhpbEdlSXZGSS9l\nMDg0M0Z0dU9mWkgrQ0s1dHRKOU1DZ1lFQTRWQnEKTTNUUlhzbUU3ZHQvSFFza2ladGFjTVdkQldx\nOVRXVlBIb3hBK3VjalFoandGVFhBZzhkZGFsbE9TS1hWNjVGawoxMlphU1lTbTd5VnplS3lVRk4w\nazBxNXpRQkRZQ1FNYVA2YjZYbGxiL2VMaWJQQTMxbU5uRGl2WjdkVWM3UUVqClhUUy9nclFLc2Zl\n
enRVMXUwNG1SMTZ5THhZSHh3MW5IL3NselFKTUNnWUVBMHF6S2lkR1NxNThFZFhRRnlTS24KZ1dk\nWGgrZ1BlZUV4OExiaE1kODZicEF5VUNWNlM5bjZ0QUswZ3NJRlZzNmJZWVJYa1hjd2pZYSs1ckVq\nNStrOQpab3Q3Wjlsa2VRc0JWMnRDaTZrNnVZS0lKenVEVTFUM3FzZmlQRVdUNks1TFdPL0VXbGo0\nN0dEVS9MLzhQc3RXCm40WFM0MmRGWlBpdHRHSlV6dkhmL2VFQ2dZQXVpR3dXaW5hL0s4RmZXbWly\nTitUbzRvUFFMSS9jVVlvZEZPSTkKUGR3aHRXREx3dGk2bUtwVXpQVFhCUEN0QWtybTV0VTd3ekM4\nWkVBUnZkdFdQZFlyWk95NDhqeHRLODFpTnhqUgpzb3VjdHJuUCttNm03d21wSmtoZlhlRVpSRjAv\nK1c4elRiU0xxdUZXbGdDd1hmaVlpWjNzTy85MTMvdHRTL3FJCi9WUG5Md0tCZ1FDNGQ4OXNUL3E3\nNjZMREt6bEhySzVEUkE2TTRENEhMbjEwTWJQVExNdWNweEJlQkY1YnhvQkEKeHRFcVhBRCtyaWVr\nT3IybjJSRHlxeGt0MS9FY2JhcTI5bmNXVFFwZjZ2NkV3cTFGT3JhUDlpdTJFbERBcUcyMApXbmdG\nOUttM0VETUpBQkd5VHhieFgxZTZMRG1LaFcwWFFxRWptVmpGQi9uMFVQOGxJd2F2aGc9PQotLS0t\nLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", "crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZuakNDQTRhZ0F3SUJBZ0lDRUFFd0RRWUpL\nb1pJaHZjTkFRRUxCUUF3WkRFTE1Ba0dBMVVFQmhNQ1ZWTXgKRVRBUEJnTlZCQWdNQ0VOdmJHOXlZ\nV1J2TVJBd0RnWURWUVFLREFkRGIyMWpZWE4wTVE0d0RBWURWUVFMREFWSgpVRU5FVGpFZ01CNEdB\nMVVFQXd3WFZHVnpkR2x1WnlCSmJuUmxjbTFsWkdsaGRHVWdRMEV3SGhjTk1UWXdPVEl6Ck1qSXpO\nREl4V2hjTk16VXhNVEl6TWpJek5ESXhXakNCaFRFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJB\nZ1QKQ0VOdmJHOXlZV1J2TVE4d0RRWURWUVFIRXdaRVpXNTJaWEl4RURBT0JnTlZCQW9UQjBOdmJX\nTmhjM1F4RGpBTQpCZ05WQkFzVEJVbFFRMFJPTVRBd0xnWURWUVFERkNjcUxtaDBkSEF0ZEc4dGFI\nUjBjSE10ZEdWemRDNTBhR1ZqClpHNHVaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RR\nRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKL2pxN0x4dThFMlRTRUdFU1dYQVU0YU1NZlBkY2h4\nZWJIaFRud3gyZ1NSRWZBUkxrM3JERGhUT1hUOFB2YlpGVAp6MHZHbkdkYWl0Ris1VXdGYUR4NFNx\nbE9oeE1wdzEzR1orQU5COUtycTd6ZEprUTFvRjAvNzZIMXJZZ05WWmRwCjY1TnFvL3NMSlJPZThs\nYkxhWWlORlY4TVVCMVZleHBKTHdOMWRDQnVVRkxOSFBzcldvWlNTNFZVK3dPM3pvQnAKREEyekla\nOEx2S2FvamZrd1FMRkxEYzdDSllrL1o3enRKcjArZzYvdjU0cnJsR0J6dkRkMGkzVjRpc3FuUDJN\nOQpaTTQwRTM0RnBkYWlteGFDNys1YkVKbUJFNk9LbFZRQW5qR1RoTVhidTBxamNQa2ZERVJVM0w1\nNnM0UXR2dFNXCmVHeldHWXE1SG9UcWtNa1lyNjQ5QWdNQkFBR2pnZ0UyTUlJQk1qQUpCZ05WSFJN\nRUF
qQUFNQkVHQ1dDR1NBR0cKK0VJQkFRUUVBd0lHUURBekJnbGdoa2dCaHZoQ0FRMEVKaFlrVDNC\nbGJsTlRUQ0JIWlc1bGNtRjBaV1FnVTJWeQpkbVZ5SUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdR\nV0JCVHlRTUw1UzdMbW5PeTlpRUQxdkUwL1ZzN1FTRENCCm1BWURWUjBqQklHUU1JR05nQlNqY1VG\nK01rSUtnSjN5ZmFESHdMTFBremZDdWFGeHBHOHdiVEVMTUFrR0ExVUUKQmhNQ1ZWTXhFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVgpCQW9NQjBO\ndmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nCmIzUWdRMEdDQWhBQU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VG\nQlFjREFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQWJpN09yQUNDbldKd3dDM2dmWUVBMmpI\nZ0FNMDRoK1FGQ1hRUnhCZApkd0ZLNDNTaVIwME1CTUdObVl1YUd0RWNTMGZacTVORFp1eFVOZHVM\nMmZselQzbkJ3Sm5DbEZ3aXd0YWwrcTE2CkV2QWtBbUQvU2pxNm5CYm5qNUlqNkRlRE5kOHRJd0ps\ncDMrdCs0RE9rNWt2a2FxS2ptd29EM3RlNG1QdnNIeXQKNElpRG1wRnpqeG83b2o5VkY0RTVtMjZV\nM240aENUYnJ2Ui9RNWlCdDhpT3M1YU8rVlpuTWNyQ3htbmhSYU1sVQpOaXkwTGxCZVVJQ213TE95\nNERQeDc1WVdDMzZEUVhMS2dMcnZ4RktIRmI2SlJoMmNLYzNpcVc3allhNjJwbmhHCllXb1pDdkJO\neXZqbkpIbGZYVDBUNitDN3Btb0ZLNTV5dGNhdFByQk82VEI3TFhUcjlJN2JIN0R2aU9SS1MwMFoK\nOHlPMktva1M1WVZ0T2c4NnNHT2lFOFQxMDFzc0xSNUhWZmVDTVJqc0J4eXdUdUxNRyt1cE9lWDhk\nMGhlUjZNbgp3RlFxUDR0V1A0WEZkSGd0cHlaZHBVYTBXVkZTVXJueDAvV1pDbXZLNFNQcmhzUG5s\nWUptaGtTRldkWHczcnJRCjZaL2tZZFM5VDM2SG9EMW1rcmdiMWRPTnNNd0Zpb1BqZ2RmRU1Xb001\nVWJ6L1p4RHp2V2ZDQWovVnloOVc0VFoKcEljUG8xZmhNQVJQcVVDY2N1ZVc3ckpOSDhwSm5yY0VU\nZ2xLdDY3SnZ2S1dKdzhLcEo1ajNzSERkUG56N1Z3NgpsNnRwVWJYU2U2SzY1Zy9Fc25EYkFDS21v\neldQNFVnSGY5akJ0c2FLK0hnUHVKRlYvMlBzMG96bW1XWGxQU0JJCitxQT0KLS0tLS1FTkQgQ0VS\nVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRnN6Q0NBNXVnQXdJ\nQkFnSUNFQUF3RFFZSktvWklodmNOQVFFTEJRQXdiVEVMTUFrR0ExVUVCaE1DVlZNeApFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVkJBb01CME52\nCmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nYjNRZ1EwRXcKSGhjTk1UWXdPVEl6TWpFeE56SXdXaGNOTXpnd09ERTVNakV4TnpJd1dqQmtNUXN3\nQ1FZRFZRUUdFd0pWVXpFUgpNQThHQTFVRUNBd0lRMjlzYjNKaFpHO
HhFREFPQmdOVkJBb01CME52\nYldOaGMzUXhEakFNQmdOVkJBc01CVWxRClEwUk9NU0F3SGdZRFZRUUREQmRVWlhOMGFXNW5JRWx1\nZEdWeWJXVmthV0YwWlNCRFFUQ0NBaUl3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29D\nZ2dJQkFPQ2lCV09BOE15andReTFzRVc4SDNVME1CaWlyU2xyUjk0aApDOU9mQjc5TnVWQVQ3U29q\nNkVYK0RkeDQxeGhyY1lUSDArRk5BVW15RFJuUkticlFRTlJ1alpPZytud0VTcXNxCmUxRmJ2cXJK\nZUZSdStGQmxXSTBCTlNnSEVWdFo4cjZtY0ZuV3V2cXBrOHF2Q1BSemJGUjhKSU1kRisxbzkzZzYK\naDdxanlOdk5zNjZ0UkRieFRHbnpDaEMrNXVVRElubTU5ekdiMnVFdXFlbldkNFZMaXRQVGRyQjRm\nTkFXODhiaApCWDhpSWVCV0xDUGRWT1NLUW9VeEFkaEplM1R4RXlnd1ZYV3dsUHpONjhmL2NyY0FZ\nTmNrVFo1YzdmTzdNV0JCCkR6T0kzcUxRc2R2L1lzR1dSM2g4Z2ZwaDcwMlBndW50Q25PbWhzdjVk\nZCtwcTAxR20zMzJzT0V4dHdONEF3bkoKeFk4REdmbDZYNmVNS2ZoQmt4VmVrbytLaTJEdW1vcWxr\nN2xIOGcvTXg3VCtvTDNDbkR2SHJUZy9Oa0YrV1hzcQphMUFuTGZyRGtyQjRnRVJLSHMrVzhjMVhy\nNXZNM1hMR2lZTEtkVGw5aFp6ejFaRU1OaUozYXE2aW5TOGlVNkxiCmIxeHhDZldjdGV0Q0Vabklx\nbGlSMkszODlGVHI3SDdQdldOTVhGb3M3ek5Ldm81WS81RjIwYjlkRXZJWnFjUnMKYVJhTXFYYmxq\nbnZUOHpiWFpnVTI4YzJpMnZmU2YxSEIrSkFaSTYzVG5oZlVybExDTDRGc3YrRnJNKzduSjdaOQoy\nY2lYR3ZaUG9TL0FWRzdvUW91cEx1UGk0VW1rYUM1RzVsSVpaNXhNbzBIV2oraXN0bVZVOGtkZmlt\nalNVZy9ZCjI5azl1RzBSQWdNQkFBR2paakJrTUIwR0ExVWREZ1FXQkJTamNVRitNa0lLZ0ozeWZh\nREh3TExQa3pmQ3VUQWYKQmdOVkhTTUVHREFXZ0JTbXB2bEJPZXJ6NEJ6c2hYUVlKR3VqeVNEVmJU\nQVNCZ05WSFJNQkFmOEVDREFHQVFILwpBZ0VBTUE0R0ExVWREd0VCL3dRRUF3SUJoakFOQmdrcWhr\naUc5dzBCQVFzRkFBT0NBZ0VBb1o2V0w2YjlPWjdpCm0xTTdLQ0Q5ZHhPbFBUWEp0bGpJMTlIWWNv\ndW9panRIckRoMjRnVHdsTzlkOWxRSWVIa1ovVzhNVjYwRHZOQ2QKUEtrajMzYXNBdG1NaEtHeTI0\nalRGcGF3WXRaaytON3p3MnlHY2gwR0J0UWk3dkZpSmIvaWpGRHI5bzM3cDJWZQp0QU5KUm5WNFEw\nVWhYTUJId0VOdFZZemVjUVhVbWV3c1ErTGkvZnAwb3hUaVppekhXMUlkalM5c2hQcmFJUE9BCmNV\nL0F4enc5ZFphOXkxc1RudnI4RmRkTUZLV01oOFlubHIyajRjQTM5R0kzVmt3c0RaN2EyUnhLTGpE\nY2FWNTkKUXpGOEFFUnMvNFJ4bXVaWTVCVW5oWTNDQ2EwdzZiWGV5d1cxS0hlN0tlUkI1bDVaNkRH\nWU0yUVlJRy9rZUhKcgowb0VXUzE3ZjNtSlZzampQMVlMenV1cnJVQ3Mxc2xjbTZYM3Y2M2FjTm5u\nbitncGhzM2Y4MmdzS0xhOUJWcW05CnJHM1BNTUg0VzlvazFlUUl0bEswMzNEclBrN1RqNnpLVGRH\nWjJMbDY5U0VZMzZCQ0RSaEd5R
0tUZ1RnNU5LZHAKT2g0QWJPNzgreHBCTUV2NW4xZCsvSFg2Zi9C\nL2l3dFdCbVA5TmduZTU1RW5LRHR3V1k3T201My9KM21iMXNrNwpJb2FuYzdMaHN2clozRWgwV3dU\nMi9XK3lEVkFZbVVLTHd6bVQ5aUtPbm1FUWdMWE1GbmRjMERrQTIwRjVCZWhVCmNwUnI1WmFhaUZq\nWDZiRU1adHFURVo4dUZFSmorcElCUlExYUlybHZiMlo2bjZsV3NrekcwRlp1cFRUeUluZVYKT1pO\nUEhMRDhZY2Fvc1J3czBrTG03VGcyMXYyNnRvMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" }, "hostname": "*.http-to-https-test.thecdn.example.com" From ce6ed87fed75c51fe549d247b6da1f8d0f7553f0 Mon Sep 17 00:00:00 2001 From: ASchmidt Date: Fri, 22 Feb 2019 13:07:43 -0700 Subject: [PATCH 2/8] added start and stop scripts for TR docker containers --- .../docker/traffic_router/shutdowntr.sh | 36 +++++++++++++++ .../docker/traffic_router/starttr.sh | 44 +++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 infrastructure/docker/traffic_router/shutdowntr.sh create mode 100644 infrastructure/docker/traffic_router/starttr.sh diff --git a/infrastructure/docker/traffic_router/shutdowntr.sh b/infrastructure/docker/traffic_router/shutdowntr.sh new file mode 100644 index 0000000000..e6ffa5e2b3 --- /dev/null +++ b/infrastructure/docker/traffic_router/shutdowntr.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Script for running the Dockerfile for Traffic Router. +# The Dockerfile sets up a Docker image which can be used for any new container; +# This script, which should be run when the container is run (it's the ENTRYPOINT), will configure the container. +# +# The following environment variables must be set (ordinarily by `docker run -e` arguments): +# TRAFFIC_OPS_URI +# TRAFFIC_OPS_USER +# TRAFFIC_OPS_PASS +# TRAFFIC_MONITORS # list of semicolon-delimited FQDN:port monitors. E.g. `monitor.foo.com:80;monitor2.bar.org:80` +# ORIGIN_URI # origin server (e.g. hotair), used to create a delivery service + +export JAVA_HOME=/usr/java/jdk1.8.0_92/jre +export CATALINA_PID=/opt/traffic_router/temp/tomcat.pid +export CATALINA_HOME=/opt/tomcat +export CATALINA_BASE=/opt/traffic_router +export CATALINA_OUT=/opt/tomcat/logs/catalina.log +source /opt/traffic_router/conf/startup.properties +/opt/tomcat/bin/shutdown.sh diff --git a/infrastructure/docker/traffic_router/starttr.sh b/infrastructure/docker/traffic_router/starttr.sh new file mode 100644 index 0000000000..adbb9ab634 --- /dev/null +++ b/infrastructure/docker/traffic_router/starttr.sh 
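Review bot: The header comment is copied from run.sh and describes an ENTRYPOINT that "will configure the container" and requires `TRAFFIC_OPS_URI`, `TRAFFIC_OPS_USER`, `TRAFFIC_OPS_PASS`, `TRAFFIC_MONITORS` and `ORIGIN_URI`, but this script reads none of those variables; it exports the `CATALINA_*` settings, sources startup.properties and calls `/opt/tomcat/bin/shutdown.sh`. Replace that block with what the script actually does, e.g. `# Stops the Traffic Router Tomcat instance started by starttr.sh; stands in for the systemd unit's ExecStop, since systemd is not available inside the container.` Note also that `source /opt/traffic_router/conf/startup.properties` executes that file as bash, so this only works while it is a plain `KEY=value` file; a short comment stating that assumption (or a `set -e` at the top so a failed source or shutdown is not silently ignored) would make the dependency explicit.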
@@ -0,0 +1,44 @@ +#!/bin/bash +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +# Script for running the Dockerfile for Traffic Router. +# The Dockerfile sets up a Docker image which can be used for any new container; +# This script simulates the systemd unit file that is used to start traffic router on +# servers in the real world, but in Docker containers systemd is disabled. 
+# Therefore it is important to keep this script up to date with any changes that are +# made to traffic_router/build/build_rpm.sh and traffic_router/build/pom.xml + +export JAVA_HOME=/usr/java/jdk1.8.0_92/jre +export CATALINA_PID=/opt/traffic_router/temp/tomcat.pid +export CATALINA_HOME=/opt/tomcat +export CATALINA_BASE=/opt/traffic_router +export CATALINA_OUT=/opt/tomcat/logs/catalina.log +export CATALINA_OPTS="\ + -server -Xms512m -Xmx1g \ + -Dlog4j.configuration=file://$CATALINA_BASE/conf/log4j.properties \ + -Djava.library.path=/usr/lib64 \ + -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false \ + -XX:+UseG1GC \ + -XX:+UnlockExperimentalVMOptions \ + -XX:InitiatingHeapOccupancyPercent=30" +export JAVA_OPTS="\ + -Djava.awt.headless=true \ + -Djava.security.egd=file:/dev/./urandom" + +ulimit -c unlimited +/opt/tomcat/bin/startup.sh From 7ae40c175f01d885bf600c5c73369c7187d7fd7a Mon Sep 17 00:00:00 2001 From: ASchmidt Date: Fri, 22 Feb 2019 13:20:39 -0700 Subject: [PATCH 3/8] fixed bug in Tomcat which wasn't unregistering old SslHostConfigs --- .../traffic_router/protocol/RouterNioEndpoint.java | 5 +++-- .../traffic_router/secure/CertificateRegistry.java | 10 +++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java index 5706ad5689..5d548611f3 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java 
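Review bot: `ulimit -c unlimited` enables core dumps for the Tomcat JVM this script launches, and that process presumably holds the delivery-service TLS private keys that CertificateRegistry loads into memory, so a core file written inside the container (or wherever the host's core_pattern points) would contain key material. If core dumps are wanted for debugging, say so in a comment and make it opt-in, e.g. `[ "${TR_CORE_DUMPS:-0}" = "1" ] && ulimit -c unlimited`; otherwise drop the line. `JAVA_HOME=/usr/java/jdk1.8.0_92/jre` is hard-coded to one JDK build in both this script and shutdowntr.sh, so a base-image JDK update silently breaks startup; deriving it from the installed binary (`JAVA_HOME="$(dirname "$(dirname "$(readlink -f "$(command -v java)")")")"`) or taking it from the environment avoids that. `-XX:+UnlockExperimentalVMOptions` does not appear to be needed by any of the flags that follow it and could be removed.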
@@ -19,6 +19,7 @@ import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData; import com.comcast.cdn.traffic_control.traffic_router.secure.KeyManager; import org.apache.log4j.Logger; +//import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.net.NioEndpoint; import org.apache.tomcat.util.net.SSLHostConfig; @@ -94,7 +95,7 @@ protected SSLHostConfig getSSLHostConfig(final String sniHostName) { return super.getSSLHostConfig(sniHostName.toLowerCase()); } - /*private void unregisterJmx(final SSLHostConfig sslHostConfig) { + private void unregisterJmx(final SSLHostConfig sslHostConfig) { final Registry registry = Registry.getRegistry(null, null); registry.unregisterComponent(sslHostConfig.getObjectName()); for (final SSLHostConfigCertificate sslHostConfigCert : sslHostConfig.getCertificates()) { @@ -117,5 +118,5 @@ public void addSslHostConfig(final SSLHostConfig sslHostConfig, final boolean re if (previous != null) { unregisterJmx(previous); } - }*/ + } } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java index e3f773c084..04306dc8f3 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java 
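Review bot: The new `//import org.apache.tomcat.util.modeler.Registry;` line is a commented-out duplicate of the live import directly beneath it and should be removed rather than committed. The now-enabled `addSslHostConfig` override works around Tomcat not unregistering a replaced `SSLHostConfig`'s JMX beans (per the commit message), so a comment naming the Tomcat version this was observed on and when the override can be dropped would save the next upgrader some digging, e.g. `// Workaround: Tomcat <version> leaves the replaced SSLHostConfig's JMX beans registered; remove once fixed upstream.` One edge case worth a guard: if the same `SSLHostConfig` instance is re-added with `replace == true`, `previous == sslHostConfig` and the override would unregister the beans of the config it just installed, which `if (previous != null && previous != sslHostConfig) {` avoids. Most of the override's body lies outside this hunk's context lines.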
@@ -71,18 +71,18 @@ synchronized public void importCertificateDataList(final List c
 try {
 final String alias = certificateData.alias();
- if (!master.containsKey(alias)) {
+ //if (!master.containsKey(alias)) {
 final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
 master.put(alias, handshakeData);
- if (!certificateData.equals(previousData.get(alias))) {
+ //if (!certificateData.equals(previousData.get(alias))) {
 changes.put(alias, handshakeData);
 log.warn("Imported handshake data with alias " + alias);
- }
- }
+ //}
+ /*}
 else {
 log.error("An TLS certificate already exists in the registry for host: "+alias+" There can be " + "only one!" );
- }
+ }*/
 } catch (Exception e) {
 log.error("Failed to import certificate data for delivery service: '" + certificateData.getDeliveryservice() + "', hostname: '" + certificateData.getHostname() + "'");
 }
From a13a769eb84667ff78eca2e7e002664851d37666 Mon Sep 17 00:00:00 2001
From: ASchmidt
Date: Tue, 5 Mar 2019 14:36:33 -0700
Subject: [PATCH 4/8] Added validation checks of SSL certs while being loaded by CertificateRegistry
---
 .../secure/CertificateDataConverter.java | 123 +++++++++++++-
 .../secure/CertificateRegistry.java | 20 +--
 .../secure/CertificateDataConverterTest.java | 138 +++++++++++++----
 traffic_router/shared/pom.xml | 14 --
 .../test/java/secure/BindPrivateKeyTest.java | 3 +-
 .../DeliveryServiceCertificatesTest.java | 3 +-
 6 files changed, 232 insertions(+), 69 deletions(-)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
index 9324145643..6cebd3e7e1 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
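Review bot: this hunk disables both the duplicate-alias guard and the `previousData` comparison by commenting them out rather than deleting them, so `master.put` now overwrites silently and every imported certificate lands in `changes` on every import cycle — a behaviour change the commit title (the Tomcat JMX unregister fix) does not mention. If forcing a full reload was the intent, it deserves its own commit and a comment at `//if (!master.containsKey(alias)) {` saying why; if it was a debugging aid it should not ship. `importCertificateDataList` continues on both sides of this hunk.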
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java 
@@ -17,30 +17,65 @@ import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData; import org.apache.log4j.Logger; +import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey; +import sun.security.rsa.RSAPrivateCrtKeyImpl; +import sun.security.rsa.RSAPublicKeyImpl; +import java.math.BigInteger; import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.List; -import java.util.stream.Collectors; +@SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"}) public class CertificateDataConverter { private static final Logger log = Logger.getLogger(CertificateDataConverter.class); private PrivateKeyDecoder privateKeyDecoder = new PrivateKeyDecoder(); private CertificateDecoder certificateDecoder = new CertificateDecoder(); + @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"}) public HandshakeData toHandshakeData(final CertificateData certificateData) { try { final PrivateKey privateKey = privateKeyDecoder.decode(certificateData.getCertificate().getKey()); final List encodedCertificates = certificateDecoder.doubleDecode(certificateData.getCertificate().getCrt()); - final List x509Chain = encodedCertificates.stream() - .map(encodedCertificate -> certificateDecoder.toCertificate(encodedCertificate)) - .collect(Collectors.toList()); - - return new HandshakeData(certificateData.getDeliveryservice(), certificateData.getHostname(), - x509Chain.toArray(new X509Certificate[x509Chain.size()]), privateKey); + final List x509Chain = new ArrayList<>(); + boolean hostMatch = false; + boolean modMatch = false; + for ( final String encodedCertificate : encodedCertificates) { + final X509Certificate certificate = 
certificateDecoder.toCertificate(encodedCertificate); + certificate.checkValidity(); + if (!hostMatch && verifySubject(certificate, certificateData.alias())) { + hostMatch = true; + } + if (!modMatch && verifyModulus(privateKey, certificate)) { + modMatch = true; + } + x509Chain.add(certificate); + } + if ( hostMatch && modMatch) { + return new HandshakeData(certificateData.getDeliveryservice(), certificateData.getHostname(), + x509Chain.toArray(new X509Certificate[x509Chain.size()]), privateKey); + } + else if(!hostMatch){ + log.warn("Service name doesn't match the subject of the certificate = "+certificateData.getHostname()); + } + else if (!modMatch) { + log.error("Modulus not == for host: "+certificateData.getHostname()); + } + } catch ( CertificateNotYetValidException er) { + log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname() + + ", because the certificate is not valid yet: "+ er.getClass().getSimpleName() + ": " + er.getMessage(), + er); + } catch (CertificateExpiredException ex ) { + log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname() + + ", because the certificate has expired: "+ ex.getClass().getSimpleName() + ": " + ex.getMessage(), + ex); } catch (Exception e) { log.error("Failed to convert certificate data (delivery service = " + certificateData.getDeliveryservice() + ", hostname = " + certificateData.getHostname() + ") from traffic ops to handshake data! " 
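Review bot: `hostMatch` and `modMatch` are each satisfied by any certificate in the chain, not necessarily the same one, so a chain whose leaf carries the right key while an intermediate or a stray extra certificate carries the alias passes, and a leaf issued for a different host is never reported as such. The private key can only belong to the end-entity certificate, so both checks belong on that one element — for example run `verifySubject` only on the certificate for which `verifyModulus` returned true, or on the first decoded certificate if `doubleDecode` guarantees leaf-first order (not visible here). Calling `checkValidity()` on every chain member is the right thing and should stay. The method's closing lines and the generic `catch` are past the end of this hunk.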
@@ -49,6 +84,80 @@ public HandshakeData toHandshakeData(final CertificateData certificateData) { return null; } + @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"}) + public boolean verifySubject(final X509Certificate certificate, final String hostAlias ) { + final String host = certificate.getSubjectDN().getName(); + if (hostCompare(hostAlias,host)) { + return true; + } + + try { + // This approach is probably the only one that is JDK independent + if (certificate.getSubjectAlternativeNames() != null) { + for (final List altName : certificate.getSubjectAlternativeNames()) { + if (hostCompare(hostAlias, (String) altName.get(1))) { + return true; + } + } + } + } + catch (Exception e) { + log.error("Encountered an error while validating the certificate subject for service: "+hostAlias+", " + + "error: "+e.getClass().getSimpleName()+": " + e.getMessage(), e); + return false; + } + + return false; + } + + private boolean hostCompare(final String hostAlias, final String subject) { + if (hostAlias.contains(subject) || subject.contains(hostAlias)) { + return true; + } + final String[] chopped = subject.split("CN=", 2); + String chop = null; + if (chopped != null && chopped.length > 1) { + chop = chopped[1]; + } + if (chop != null) { + chop = chop.replaceFirst("\\*\\.", "."); + chop = chop.split(",", 2)[0]; + if (hostAlias.contains(chop) || chop.contains(hostAlias)) { + return true; + } + } + return false; + } + + public boolean verifyModulus(final PrivateKey privateKey, final X509Certificate certificate) { + BigInteger privModulus = null; + if (privateKey instanceof BCRSAPrivateCrtKey) { + privModulus = ((BCRSAPrivateCrtKey) privateKey).getModulus(); + } else if (privateKey instanceof RSAPrivateCrtKeyImpl) { + privModulus = ((RSAPrivateCrtKeyImpl) privateKey).getModulus(); + } + BigInteger pubModulus = null; + final PublicKey publicKey = certificate.getPublicKey(); + if ((publicKey instanceof RSAPublicKeyImpl)) { + 
pubModulus = ((RSAPublicKeyImpl) publicKey).getModulus(); + } else { + final String[] keyparts = publicKey.toString().split(System.getProperty("line.separator")); + for (final String part : keyparts) { + final int start = part.indexOf("modulus: ") + 9; + if (start < 9) { + continue; + } else { + pubModulus = new BigInteger(part.substring(start)); + break; + } + } + } + if (privModulus.equals(pubModulus)) { + return true; + } + return false; + } + public PrivateKeyDecoder getPrivateKeyDecoder() { return privateKeyDecoder; } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java index 04306dc8f3..848c8b09ed 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java 
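Review bot: `verifySubject` casts `altName.get(1)` to `String` without checking the type tag in `altName.get(0)`; for otherName, x400Address and ediPartyName entries `getSubjectAlternativeNames()` returns a `byte[]`, so a certificate carrying one of those ahead of its dNSName entry is rejected through the catch-all with an error log instead of being matched. Guard the cast with the tag, e.g. `if (((Integer) altName.get(0)) == 2 && hostCompare(hostAlias, (String) altName.get(1))) {`, and prefer `getSubjectX500Principal().getName()` over the denigrated `getSubjectDN()`. `hostCompare` then decides by bidirectional `contains`, which accepts far more than a name match — an alias of `cdn.example.com` passes against `CN=foo.cdn.example.com` or `CN=cdn.example.community`, and a wildcard rewritten to `.example.com` passes against any alias that merely contains that suffix; comparing whole hostnames, with the wildcard standing for exactly one leading label, would make the check mean what the log messages say. `verifyModulus` falls back to parsing `publicKey.toString()` for `modulus: `, a format no provider guarantees; `java.security.interfaces.RSAPublicKey` exposes `getModulus()` directly and covers both implementations.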
@@ -71,18 +71,20 @@ synchronized public void importCertificateDataList(final List c
 try {
 final String alias = certificateData.alias();
- //if (!master.containsKey(alias)) {
+ if (!master.containsKey(alias)) {
 final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData);
- master.put(alias, handshakeData);
- //if (!certificateData.equals(previousData.get(alias))) {
- changes.put(alias, handshakeData);
- log.warn("Imported handshake data with alias " + alias);
- //}
- /*}
+ if (handshakeData != null) {
+ master.put(alias, handshakeData);
+ if (!certificateData.equals(previousData.get(alias))) {
+ changes.put(alias, handshakeData);
+ log.warn("Imported handshake data with alias " + alias);
+ }
+ }
+ }
 else {
 log.error("An TLS certificate already exists in the registry for host: "+alias+" There can be " + "only one!" );
- }*/
+ }
 } catch (Exception e) {
 log.error("Failed to import certificate data for delivery service: '" + certificateData.getDeliveryservice() + "', hostname: '" + certificateData.getHostname() + "'");
 }
@@ -103,7 +105,7 @@ synchronized public void importCertificateDataList(final List c
 previousData.clear();
 for (final CertificateData certificateData : certificateDataList) {
 final String alias = certificateData.alias();
- if (!previousData.containsKey(alias)) {
+ if (!previousData.containsKey(alias) && master.containsKey(alias)) {
 previousData.put(alias, certificateData);
 }
 }
diff --git a/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java b/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java
index 6de4ae9037..0554de6b35 100644
--- a/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java
+++ b/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java
@@ -16,73 +16,137 @@ package secure; import com.comcast.cdn.traffic_control.traffic_router.secure.CertificateDataConverter; -import com.comcast.cdn.traffic_control.traffic_router.secure.CertificateDecoder; import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData; -import com.comcast.cdn.traffic_control.traffic_router.secure.PrivateKeyDecoder; import com.comcast.cdn.traffic_control.traffic_router.shared.Certificate; import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Before; import org.junit.Test; +import org.powermock.core.classloader.annotations.PrepareForTest; -import java.security.PrivateKey; -import java.security.cert.X509Certificate; -import java.util.Arrays; +import java.time.Instant; +import java.util.Date; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; +import static org.hamcrest.Matchers.notNullValue; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.fail; public class CertificateDataConverterTest { private CertificateDataConverter certificateDataConverter; private CertificateData certificateData; - private X509Certificate x509Certificate1; - private X509Certificate x509Certificate2; - private X509Certificate x509Certificate3; - private PrivateKey privateKey; + private Date certDate; + private final static String SUBJECT_MISS_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-subject-miss\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following is a self-signed key for *.subject-miss.thecdn.example.com\",\n" + + " \"key\": \"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\",\n" + + " \"crt\": \"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\"\n" + + " },\n" + + " \"hostname\": 
\"*.https-subject-miss.thecdn.example.com\"\n" + + " }"; + private final static String VALID_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-valid-test\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following is just a self signed certificate and key to use for testing this is NOT private data from a CA\",\n" + + " \"key\": " + + "\"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQzVEMVhNbXJiQy9CT1gKUkZMVkczbTNSbmhWZ0ZJdUQ5dXhWSEJDYXR2TEFuc2ZyalhCM2tyZjVNTDVuS3dZRWl3OCtkQWo2N1Z2QkR4cwpDMTYvbFFBbFM4YnBxT1NRbzU5T0RDcVBNZmZaYzVVazdVdjUzN0R5MWFHMjRiT1R0eUxjQzIxc2MxSm1YWHVjCkVlQlZUZldFWUVLdS9McHEvZDZZUlNsa1lXUUt2TDBmUzRja0FtcUJkRVk2Q0s3ajZyYnphZGJIVHB2SXdQWGgKWVNTOWlJOFQxKzRTYTZDOTljcnRUR2ZZb21BL2hFWVFPTnVSVk42VUl5c1Bob2RCVndsVTJEV1pYNndyZm5DZApNOFBCajNHSXVVMWVwV0RMUVZYa2cvdUxmZERaaU8xZ1p5UWhNN3V0ekE5WVMzK3VXaGtmczRUdFE1Q3ZVdEx1ClI0enlMVkQ3QWdNQkFBRUNnZ0VBYkd4a3EzeVZ5WVdoQU1aQjlhT2tXMUhKWE9iU3Z6UUJWbE1QZG9wZS9nRVYKSEFtWWExNk81Y0NFejNRUWpBWFJyMlA1bzZJTTZkOUVlMVRxRFRzQ0c5ZmEwYmxuT0tyMHdlaDA0dksyc010OApQV2RlVlNiTzZHZHIyTmRCdkREWEZxOEhURHdBc2dMaFVoNVRIZ2VQNmgvdjBkQTJkRXNMS0pHVTM4QUR1aG05ClpKRCthbm5KQ1BFVXNvMmtqeE40UjFHUmQwb2ZLSWFZeTg3dlhiK3FleXpsL1lreUEvYU9wMkh1S1RENmVpRGkKbTZrWUp6Q1k3ZEluYjlCNlZTTm52UlAzNyttM0JLSFlRaE5kbVJKQlp4c1pFQTRKaFYrQVYwNHlWUE1la3FoMgpqeVVxRFBEaGVMVW5FalJmc0FnOFVNU0JXQU5sLzkyNzNoR2FGeHQvTVFLQmdRRGVhNUhFd2oyVVBhcS9yMzdsCm90cFhBUU9qeEFLb2tyMWZNVTlaWksyTWdLY2hoSks0c1R0Uk5VbE03M2lDeHBPZTJTbW5ZeG5GcldrOVRkRjEKQ3habFJyVDBKZGxHOXJEMlNCSUR6b3FBaytWbHE5YzIxNE12NXdQZkpLZEpxaCtaVGZKdmZtNU9halhjeXFMZQpRSVRmdGVpdFRNWFJpQjBsaFpNSEo0RzVVd0tCZ1FEVS84OFo0UUxGa0xnWDMvMUMxcit4V3NuVUY5UGtHVXpSCm9USmg0enVXNHpwSkRDNitLS0lwckVZajIzdEdFUWxEZHJGcFBIWFZtMGVqV2QrRGN6THlmNFdZdWIxTTBuRksKbUpSaGhOMXhFRitNVmtPYjlWS2ZOU2xFUG16WHptcTlpdjVxUVlmZHJPLzhhQ0JMUW5UcUYveTJUUVVNN2tsNQpXbGo3Si9lTXVRS0JnUUNxTmJXNjFrN2JxQW1JWVp3QnpndTY4enErMDV5Wk5wcVhRNXdPcy80Zi9NQnA1Uk9ICkpaSllSaWdQS1YrVzdMSkJxTHk0clIwbTZ0c1RuLzYvekRs
YVRhN2kvQ2YzcDRlcklXSXY2WnFTWlJ2ekgzczIKSzl6b0Jxa3UxZFR6aWE1ZTJvakNEQVlNR2ptWCtyYUMwT3NlYkE1Z3VOVFYwWTFFanFFQ281Z2hvd0tCZ1FDRQo5MnlCNjBXZnI4ZzhuMGVyQWdTSTR2UTd3dVF6OE5kVHhoMTluaTBFOUxUZUJRenBDTlN5enlpNkdibks4N2VrCnRlUHFuaU94UlU1ald5ZDlGOTBtSlJWeFVnSXFndlRXYkltMGx3em1HQ0tOcVF4cnY2bmtXWHQ1YnI3anVhaEkKeXd3bnFPRDRNWTFmTkdGMG1mZ0NheGNIZHUxQU5VRUkwSzNibkFlZGdRS0JnR1Y5VGxOSmtQZ2xma1A5dFRDTApldWtPVkNiTmNFc1dSRHYzMTFQa3pKemw3OHNRbENXL0NWK2NnK2JHOXB5ZEJJWUx3ZVRrUnp0d3FoVFE1L2JECmw1cWM1MVVKSkxJeEJ1TEIwZGJnMVh0eDF0VUdTaEV5UTFDc2U5SEwzKzgrbVRCN2drNDdpb2NzUEFuNXMxVnoKQ1ZjUVFQRnVmYWkrRzNwakI1Q0gvUEtnCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K\",\n" + + " \"crt\": " + + "\"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\"\n"+ + " },\n" + + " \"hostname\": \"*.https-valid-test.thecdn.example.com\"\n" + + " }"; + private final static String EXPIRED_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"http-to-https-test\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following self signed certificate which expired on 3/5/2019 \",\n" + + " \"key\": " + + "\"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\",\n" + + " \"crt\": " + + "\"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\"\n" + + " },\n" + + " \"hostname\": \"*.http-to-https-test.thecdn.example.com\"\n" + + " }"; + private final static String MOD_MISS_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-mod-miss\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following certificate and key are for the same subject but have " + + "mismatched modulus between the private and public keys\",\n" + + " \"key\": " + + "\"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\",\n" + + " \"crt\": " + + "\"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\"\n"+ + " },\n" + + " \"hostname\": \"*.http-mod-miss.thecdn.example.com\"\n" + + " }"; @Before + @PrepareForTest({Instant.class}) public void before() throws Exception { - PrivateKeyDecoder privateKeyDecoder = mock(PrivateKeyDecoder.class); - 
CertificateDecoder certificateDecoder = mock(CertificateDecoder.class); - Certificate certificate = new Certificate(); certificate.setCrt("encodedchaindata"); certificate.setKey("encodedkeydata"); - certificateData = new CertificateData(); certificateData.setCertificate(certificate); certificateData.setDeliveryservice("some-delivery-service"); certificateData.setHostname("example.com"); + certificateDataConverter = new CertificateDataConverter(); + } - privateKey = mock(PrivateKey.class); - when(privateKeyDecoder.decode("encodedkeydata")).thenReturn(privateKey); - - when(certificateDecoder.doubleDecode("encodedchaindata")).thenReturn(Arrays.asList( - "encodedcert1", "encodedcert2", "encodedcert3" - )); - - x509Certificate1 = mock(X509Certificate.class); - x509Certificate2 = mock(X509Certificate.class); - x509Certificate3 = mock(X509Certificate.class); - - when(certificateDecoder.toCertificate("encodedcert1")).thenReturn(x509Certificate1); - when(certificateDecoder.toCertificate("encodedcert2")).thenReturn(x509Certificate2); - when(certificateDecoder.toCertificate("encodedcert3")).thenReturn(x509Certificate3); + @Test + public void itConvertsValidCertToHandshakeData() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(VALID_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, notNullValue()); + assertThat(handshakeData.getDeliveryService(), equalTo(certificateData.getDeliveryservice())); + assertThat(handshakeData.getHostname(), equalTo(certificateData.getHostname())); + } - certificateDataConverter = new CertificateDataConverter(); - certificateDataConverter.setCertificateDecoder(certificateDecoder); - certificateDataConverter.setPrivateKeyDecoder(privateKeyDecoder); + @Test + public void itRejectsExpiredCert() throws Exception { + 
try { + certificateData = ((CertificateData) new ObjectMapper().readValue(EXPIRED_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); } @Test - public void itConvertsToHandshakeData() throws Exception { + public void itRejectsModulusMismatch() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(MOD_MISS_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); + } - assertThat(handshakeData.getDeliveryService(), equalTo("some-delivery-service")); - assertThat(handshakeData.getHostname(), equalTo("example.com")); - assertThat(handshakeData.getPrivateKey(), equalTo(privateKey)); - assertThat(handshakeData.getCertificateChain(), equalTo(new X509Certificate[]{x509Certificate1, x509Certificate2, x509Certificate3})); + @Test + public void itRejectsSubjectMismatch() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(SUBJECT_MISS_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); } } diff --git a/traffic_router/shared/pom.xml b/traffic_router/shared/pom.xml index 59a381924c..7f0af1181b 100644 --- a/traffic_router/shared/pom.xml +++ b/traffic_router/shared/pom.xml @@ -108,20 +108,6 @@ under the License. bcprov-jdk15on 1.57 - - dnsjava - dnsjava - 2.1.7 - - - junit - junit - - - org.hamcrest - hamcrest-all - compile - org.slf4j slf4j-log4j12 
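Review bot: `itConvertsValidCertToHandshakeData` depends on the wall clock — `toHandshakeData` calls `checkValidity()`, so the self-signed certificate embedded in `VALID_CERT_DATA` turns this test red the day it expires, with the same `nullValue()` outcome that `itRejectsExpiredCert` relies on. The unused `certDate` field and the `@PrepareForTest({Instant.class})` on `before()` suggest a clock override was intended, but without `@RunWith(PowerMockRunner.class)` on the class the annotation does nothing and `Instant` is never referenced; either give the converter an injectable `Date` that it passes to `certificate.checkValidity(Date)` and pin it here, or generate the fixture certificate at test time with a far-future `notAfter`. The `before()` fixture built from `encodedchaindata` is also dead now, since every test re-parses `certificateData` from its own JSON.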
diff --git a/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java b/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java index 9da514537a..9d149ec570 100644 --- a/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java +++ b/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java @@ -19,6 +19,7 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.mockito.Mockito; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; @@ -69,7 +70,7 @@ public void before() throws Exception { "Exponent2: " + encode(privateCrtKey.getPrimeExponentQ())+ "\n" + "Coefficient: " + encode(privateCrtKey.getCrtCoefficient())+ "\n"; - privateKey = mock(PrivateKey.class); + privateKey = Mockito.mock(PrivateKey.class); KeyFactory keyFactory = PowerMockito.mock(KeyFactory.class); PowerMockito.mockStatic(KeyFactory.class); diff --git a/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java b/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java index d78af4a13e..6670b0aaa1 100644 --- a/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java +++ b/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java @@ -21,6 +21,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.ArgumentCaptor; +import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; @@ -41,7 +42,7 @@ public class DeliveryServiceCertificatesTest { @Before public void before() throws Exception { - mockStatic(System.class); + PowerMockito.mockStatic(System.class); when(System.currentTimeMillis()).thenReturn(1234L); } From da25f4e72b7a24e7f1886f8ceb2c8ab39f49a6f3 Mon Sep 17 00:00:00 2001 
From: ASchmidt
Date: Wed, 6 Mar 2019 10:08:27 -0700
Subject: [PATCH 5/8] Changed error message for Certificate Expired
---
 .../traffic_router/secure/CertificateDataConverter.java | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
index 6cebd3e7e1..1e9f4f77f5 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
@@ -70,12 +70,10 @@ else if (!modMatch) {
 } catch ( CertificateNotYetValidException er) {
 log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname()
- + ", because the certificate is not valid yet: "+ er.getClass().getSimpleName() + ": " + er.getMessage(),
- er);
+ + ", because the certificate is not valid yet. ");
 } catch (CertificateExpiredException ex ) {
 log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname()
- + ", because the certificate has expired: "+ ex.getClass().getSimpleName() + ": " + ex.getMessage(),
- ex);
+ + ", because the certificate has expired. ");
 } catch (Exception e) {
 log.error("Failed to convert certificate data (delivery service = " + certificateData.getDeliveryservice() + ", hostname = " + certificateData.getHostname() + ") from traffic ops to handshake data! "
From 516528796a53b17a0bd85306d3dd54dec41ccadd Mon Sep 17 00:00:00 2001
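Review bot: dropping the exception from both `log.error` calls also drops the only place the offending validity boundary appeared — in the JDK implementation `CertificateExpiredException.getMessage()` carries `NotAfter: <date>` and the not-yet-valid one `NotBefore: <date>` — so an operator now sees which delivery service failed but not by how much, which is what distinguishes a stale certificate in Traffic Ops from clock skew on the router. Keeping the message while leaving out the stack trace, `+ ", because the certificate has expired: " + ex.getMessage());` (and the same for `er`), preserves that without the noise this commit is removing. Both messages also print `certificateData.getHostname()` under the label `delivery service =`, unlike the generic handler below, which prints `getDeliveryservice()`; using one field for the label consistently keeps log correlation straightforward.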
From: ASchmidt Date: Fri, 8 Mar 2019 17:59:47 -0800 Subject: [PATCH 6/8] Corrected a parsing error in certificate validation checking Set the startup/shutdown scripts for the TR docker container to executable --- infrastructure/docker/traffic_router/run.sh | 1 - infrastructure/docker/traffic_router/shutdowntr.sh | 0 infrastructure/docker/traffic_router/starttr.sh | 0 .../secure/CertificateDataConverter.java | 11 +++-------- 4 files changed, 3 insertions(+), 9 deletions(-) mode change 100644 => 100755 infrastructure/docker/traffic_router/shutdowntr.sh mode change 100644 => 100755 infrastructure/docker/traffic_router/starttr.sh diff --git a/infrastructure/docker/traffic_router/run.sh b/infrastructure/docker/traffic_router/run.sh index f0eabf51ab..3c03f6c7c1 100755 --- a/infrastructure/docker/traffic_router/run.sh +++ b/infrastructure/docker/traffic_router/run.sh @@ -28,7 +28,6 @@ # ORIGIN_URI # origin server (e.g. hotair), used to create a delivery service start() { - chmod 777 starttr.sh ./starttr.sh touch /opt/traffic_router/var/log/traffic_router.log exec tail -f /opt/traffic_router/var/log/traffic_router.log diff --git a/infrastructure/docker/traffic_router/shutdowntr.sh b/infrastructure/docker/traffic_router/shutdowntr.sh old mode 100644 new mode 100755 diff --git a/infrastructure/docker/traffic_router/starttr.sh b/infrastructure/docker/traffic_router/starttr.sh old mode 100644 new mode 100755 diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java index 1e9f4f77f5..536e50f8fb 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java 
@@ -30,14 +30,13 @@
 import java.util.ArrayList;
 import java.util.List;
-@SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"})
 public class CertificateDataConverter {
 private static final Logger log = Logger.getLogger(CertificateDataConverter.class);
 private PrivateKeyDecoder privateKeyDecoder = new PrivateKeyDecoder();
 private CertificateDecoder certificateDecoder = new CertificateDecoder();
- @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"})
+ @SuppressWarnings({"PMD.CyclomaticComplexity"})
 public HandshakeData toHandshakeData(final CertificateData certificateData) {
 try {
 final PrivateKey privateKey = privateKeyDecoder.decode(certificateData.getCertificate().getKey());
@@ -82,7 +81,6 @@ else if (!modMatch) {
 return null;
 }
- @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"})
 public boolean verifySubject(final X509Certificate certificate, final String hostAlias ) {
 final String host = certificate.getSubjectDN().getName();
 if (hostCompare(hostAlias,host)) {
@@ -113,14 +111,11 @@ private boolean hostCompare(final String hostAlias, final String subject) {
 return true;
 }
 final String[] chopped = subject.split("CN=", 2);
- String chop = null;
 if (chopped != null && chopped.length > 1) {
- chop = chopped[1];
- }
- if (chop != null) {
+ String chop = chopped[1];
 chop = chop.replaceFirst("\\*\\.", ".");
 chop = chop.split(",", 2)[0];
- if (hostAlias.contains(chop) || chop.contains(hostAlias)) {
+ if (chop.length()>0 && (hostAlias.contains(chop) || chop.contains(hostAlias))) {
 return true;
 }
 }
From b1d89f03ccda3e745b6406fb422e05c3eaa6e83c Mon Sep 17 00:00:00 2001
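Review bot: in the `@@ -113,14 +111,11 @@` hunk `chopped != null` is always true — `String.split` never returns null — so the only effective guard is `chopped.length > 1`, and `subject.split("CN=", 2)` still keys on the first `CN=` anywhere in the DN string, including one embedded in another attribute's value; the new `chop.length()>0` test only covers an empty CN. Parsing the DN with `javax.naming.ldap.LdapName` and reading the RDN whose `getType()` is `CN` (`for (Rdn rdn : new LdapName(subject).getRdns())`) removes both the `CN=` split and the following `split(",", 2)`, which also breaks on an escaped comma inside the CN. `hostCompare`'s signature and its first `contains` test are above this hunk.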
From: ASchmidt Date: Tue, 12 Mar 2019 00:03:34 -0600 Subject: [PATCH 7/8] Corrected some code formatting and one NullPointerException --- .../traffic_router/protocol/RouterNioEndpoint.java | 3 +-- .../secure/CertificateDataConverter.java | 12 +++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java index 5d548611f3..85f8c0731a 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java @@ -19,7 +19,6 @@ import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData; import com.comcast.cdn.traffic_control.traffic_router.secure.KeyManager; import org.apache.log4j.Logger; -//import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.net.NioEndpoint; import org.apache.tomcat.util.net.SSLHostConfig; @@ -114,7 +113,7 @@ public void addSslHostConfig(final SSLHostConfig sslHostConfig, final boolean re if (replace) { previous = sslHostConfigs.get(key); } - super.addSslHostConfig( sslHostConfig, replace); + super.addSslHostConfig(sslHostConfig, replace); if (previous != null) { unregisterJmx(previous); } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java index 536e50f8fb..b3990fbe54 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java 
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java
@@ -45,7 +45,7 @@ public HandshakeData toHandshakeData(final CertificateData certificateData) {
 final List x509Chain = new ArrayList<>();
 boolean hostMatch = false;
 boolean modMatch = false;
- for ( final String encodedCertificate : encodedCertificates) {
+ for (final String encodedCertificate : encodedCertificates) {
 final X509Certificate certificate = certificateDecoder.toCertificate(encodedCertificate);
 certificate.checkValidity();
 if (!hostMatch && verifySubject(certificate, certificateData.alias())) {
@@ -56,18 +56,18 @@ public HandshakeData toHandshakeData(final CertificateData certificateData) {
 }
 x509Chain.add(certificate);
 }
- if ( hostMatch && modMatch) {
+ if (hostMatch && modMatch) {
 return new HandshakeData(certificateData.getDeliveryservice(), certificateData.getHostname(),
 x509Chain.toArray(new X509Certificate[x509Chain.size()]), privateKey);
 }
- else if(!hostMatch){
+ else if (!hostMatch) {
 log.warn("Service name doesn't match the subject of the certificate = "+certificateData.getHostname());
 }
 else if (!modMatch) {
- log.error("Modulus not == for host: "+certificateData.getHostname());
+ log.error("Modulus of the private key does not match the public key modulus for certificate host: "+certificateData.getHostname());
 }
- } catch ( CertificateNotYetValidException er) {
+ } catch (CertificateNotYetValidException er) {
 log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname()
 + ", because the certificate is not valid yet. ");
 } catch (CertificateExpiredException ex ) {
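Review bot: the subject-mismatch branch in `@@ -56,18 +56,18 @@` still logs at `warn` while the modulus mismatch right below it logs at `error`, yet both paths fall through to `return null` and the certificate is dropped either way; since the outcome is identical, `log.error("Service name doesn't match the subject of the certificate = "+certificateData.getHostname());` keeps alert filtering consistent, otherwise anyone filtering on error misses half the rejections. The message could also name what was actually compared, `certificateData.alias()`, since that is the value `verifySubject` received rather than `getHostname()`. The enclosing `try` opens above the first hunk and the `catch` chain continues past the end of the second.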
@@ -128,6 +128,8 @@ public boolean verifyModulus(final PrivateKey privateKey, final X509Certificate
 privModulus = ((BCRSAPrivateCrtKey) privateKey).getModulus();
 } else if (privateKey instanceof RSAPrivateCrtKeyImpl) {
 privModulus = ((RSAPrivateCrtKeyImpl) privateKey).getModulus();
+ } else {
+ return false;
 }
 BigInteger pubModulus = null;
 final PublicKey publicKey = certificate.getPublicKey();
From 6d2da08650a2763769ac35f8d35422766ac64402 Mon Sep 17 00:00:00 2001
From: ASchmidt
Date: Tue, 12 Mar 2019 13:33:48 -0600
Subject: [PATCH 8/8] Added info to CHANGELOG.md
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e4bd379ca..91d2c4c988 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Snapshotting the CRConfig now deletes HTTPS certificates in Riak for delivery services which have been deleted in Traffic Ops.
 ### Changed
+- Traffic Router, added TLS certificate validation on certificates imported from Traffic Ops
+ - validates modulus of private and public keys
+ - validates current timestamp falls within the certificate date bracket
+ - validates certificate subjects against the DS URL
 - Traffic Ops Golang Endpoints
 - Updated /api/1.1/cachegroups: Cache Group Fallbacks are included
 - Updated /api/1.1/cachegroups: fixed so fallbackToClosest can be set through API
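Review bot: the new `else { return false; }` avoids the NPE but turns every private key that is not exactly a `BCRSAPrivateCrtKey` or `RSAPrivateCrtKeyImpl` — an RSA key from any other provider, a non-CRT RSA key, or an EC key — into a silent rejection that the caller then reports as a modulus mismatch; `verifyModulus` continues past this hunk. Testing the public interface instead, `if (privateKey instanceof RSAKey) { privModulus = ((RSAKey) privateKey).getModulus(); } else { return false; }` with `java.security.interfaces.RSAKey`, covers both current implementations and removes the dependency on `sun.security.rsa`, which is not exported under the JDK 9+ module system. A log line in the `else` naming `privateKey.getAlgorithm()` would make the rejection visible as what it is rather than as a key/certificate mismatch.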