From 04dac711da49956c6ea8f33785be592cb4591388 Mon Sep 17 00:00:00 2001 From: ajschmidt Date: Wed, 20 Feb 2019 13:16:01 -0700 Subject: [PATCH 1/4] Make SSL Cert lookup case-insensitive (#3331) * Fix case-sensitive SSL cert lookup * Set SSL certificate key names to lower case * Set requested SNI to lower case (cherry picked from commit 6504e7fa1af038371d086ed941c3847e7ae17207) --- .../protocol/RouterNioEndpoint.java | 5 +++ .../secure/CertificateRegistry.java | 42 ++++++++++++------- .../java/secure/CertificateRegistryTest.java | 3 ++ .../shared/CertificateData.java | 6 ++- 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java index d604e81497..657e5734f0 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java @@ -87,4 +87,9 @@ synchronized public void reloadSSLHosts(final Map cr) { createSSLContext(sslHostConfig); } } + + @Override + protected SSLHostConfig getSSLHostConfig(final String sniHostName) { + return super.getSSLHostConfig(sniHostName.toLowerCase()); + } } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java index b3bfd3ce2e..e3f773c084 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java 
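Review bot: `sniHostName.toLowerCase()` in the new `getSSLHostConfig` override uses the JVM default locale, so under a locale such as Turkish an upper-case `I` in the requested SNI lowers to a dotless `ı` and the lookup misses the certificate; `CertificateData.setHostname` later in this patch makes the same call. Use `sniHostName.toLowerCase(Locale.ROOT)` in both places so the registry key and the lookup key are normalised identically. The override also dereferences `sniHostName` unconditionally; if the caller can pass null when a client sends no SNI (not visible in this hunk), delegate straight to `super.getSSLHostConfig(sniHostName)` in that case.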
@@ -17,12 +17,12 @@ import com.comcast.cdn.traffic_control.traffic_router.protocol.RouterNioEndpoint; import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData; +import org.apache.log4j.Logger; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import org.apache.log4j.Logger; public class CertificateRegistry { private static final Logger log = Logger.getLogger(CertificateRegistry.class); @@ -61,6 +61,7 @@ private static class CertificateRegistryHolder { private static final CertificateRegistry DELIVERY_SERVICE_CERTIFICATES = new CertificateRegistry(); } + @SuppressWarnings({"PMD.CyclomaticComplexity", "PMD.AvoidDeeplyNestedIfStmts", "PMD.NPathComplexity"}) synchronized public void importCertificateDataList(final List certificateDataList) { final Map changes = new HashMap<>(); final Map master = new HashMap<>(); 
@@ -68,34 +69,43 @@ synchronized public void importCertificateDataList(final List c // find CertificateData which has changed for (final CertificateData certificateData : certificateDataList) { try { - final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); - final String alias = handshakeData.getHostname().replaceFirst("\\*\\.", ""); - master.put(alias, handshakeData); - - if (certificateData.equals(previousData.get(certificateData.getHostname()))) { - continue; - } - changes.put(alias, handshakeData); - log.warn("Imported handshake data with alias " + alias); - } catch (Exception e) { + final String alias = certificateData.alias(); + + if (!master.containsKey(alias)) { + final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + master.put(alias, handshakeData); + if (!certificateData.equals(previousData.get(alias))) { + changes.put(alias, handshakeData); + log.warn("Imported handshake data with alias " + alias); + } + } + else { + log.error("An TLS certificate already exists in the registry for host: "+alias+" There can be " + + "only one!" 
); + } + } catch (Exception e) { log.error("Failed to import certificate data for delivery service: '" + certificateData.getDeliveryservice() + "', hostname: '" + certificateData.getHostname() + "'"); } } // find CertificateData which has been removed - for (final String hostname : previousData.keySet()) + for (final String alias : previousData.keySet()) { - if (!master.containsKey(hostname.replaceFirst("\\*\\.", "")) && sslEndpoint != null) + if (!master.containsKey(alias) && sslEndpoint != null) { - sslEndpoint.removeSslHostConfig(hostname); - log.warn("Removed handshake data with hostname " + hostname); + final String hostname = previousData.get(alias).getHostname(); + sslEndpoint.removeSslHostConfig(hostname); + log.warn("Removed handshake data with hostname " + hostname); } } // store the result for the next import previousData.clear(); for (final CertificateData certificateData : certificateDataList) { - previousData.put(certificateData.getHostname(), certificateData); + final String alias = certificateData.alias(); + if (!previousData.containsKey(alias)) { + previousData.put(alias, certificateData); + } } handshakeDataMap = master; diff --git a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java index 555e4abf9a..d01da22e93 100644 --- a/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java +++ b/traffic_router/connector/src/test/java/secure/CertificateRegistryTest.java 
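Review bot: Because `alias()` strips a leading `*.`, an entry for `*.example.com` and one for `example.com` (constructed names) collapse to the same key in `master`, and the new `else` branch keeps whichever came first in `certificateDataList` while the log line names only the alias. Which certificate is served then depends on list order, so the message should identify the rejected entry, e.g. `log.error("Duplicate TLS certificate for alias " + alias + " (delivery service " + certificateData.getDeliveryservice() + ") ignored");`. The `catch (Exception e)` block logs without passing `e`, so the cause of a failed import is lost; add `e` as the second argument to `log.error`. The method body starts before this hunk and continues after it.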
@@ -50,6 +50,9 @@ public void before() throws Exception { certificateData1 = mock(CertificateData.class); certificateData2 = mock(CertificateData.class); certificateData3 = mock(CertificateData.class); + when(certificateData1.alias()).thenReturn("ds-1.some-cdn.example.com"); + when(certificateData2.alias()).thenReturn("ds-2.some-cdn.example.com"); + when(certificateData3.alias()).thenReturn("ds-3.some-cdn.example.com"); certificateDataList = Arrays.asList(certificateData1, certificateData2, certificateData3); diff --git a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java index 202908f01d..f9726f36d3 100644 --- a/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java +++ b/traffic_router/shared/src/main/java/com/comcast/cdn/traffic_control/traffic_router/shared/CertificateData.java @@ -49,8 +49,12 @@ public String getHostname() { return hostname; } + public String alias() { + return getHostname().replaceFirst("\\*\\.", ""); + } + public void setHostname(final String hostname) { - this.hostname = hostname; + this.hostname = hostname.toLowerCase(); } @SuppressWarnings("PMD.IfStmtsMustUseBraces") From 6410d4630010efe5eb807229a15db14165897123 Mon Sep 17 00:00:00 2001 
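Review bot: The setup only stubs `alias()` with distinct, already lower-case names, so nothing in this test exercises what the commit changes. Add a case where two `CertificateData` mocks return the same alias and assert that only the first is registered, and one that supplies a mixed-case hostname through a real `CertificateData`, since `setHostname` is where the lowering happens. The `before()` method continues outside the hunk.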
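Review bot: `setHostname` now calls `hostname.toLowerCase()` with no null guard, so if a record can arrive with a null hostname the failure moves into the setter instead of the import error handling; consider `this.hostname = hostname == null ? null : hostname.toLowerCase(Locale.ROOT);`. In `alias()` the pattern `\\*\\.` is not anchored, so `replaceFirst` removes the first `*.` wherever it occurs in the name; `replaceFirst("^\\*\\.", "")` limits it to a leading wildcard label. `alias()` also has no Javadoc: a one-line comment saying that it returns the lower-cased hostname without a leading wildcard label, and that this value is the registry key, would help callers.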
From: Andy Schmidt Date: Tue, 12 Mar 2019 14:36:10 -0700 Subject: [PATCH 2/4] Add SSL Certificate Validation to Traffic Router (#3380) * updated tr docker config so it would work * added start and stop scripts for TR docker containers * fixed bug in Tomcat which wasn't unregistering old SslHostConfigs * Added validation checks of SSL certs while being loaded by CertificateRegistry * Changed error message for Certificate Expired * Corrected a parsing error in certificate validation checking Set the startup/shutdown scripts for the TR docker container to executable * Corrected some code formatting and one NullPointerException * Added info to CHANGELOG.md (cherry picked from commit 0d2560d98795202088ea058c095b4ad32cd49840) --- CHANGELOG.md | 34 +++++ .../docker/traffic_router/Dockerfile | 2 + infrastructure/docker/traffic_router/run.sh | 2 +- .../docker/traffic_router/shutdowntr.sh | 36 +++++ .../docker/traffic_router/starttr.sh | 44 ++++++ .../protocol/RouterNioEndpoint.java | 26 ++++ .../secure/CertificateDataConverter.java | 118 ++++++++++++++- .../secure/CertificateRegistry.java | 12 +- .../secure/CertificateDataConverterTest.java | 138 +++++++++++++----- .../cdns/name/thecdn/sslkeys-missing-1.json | 2 +- .../api/1.3/cdns/name/thecdn/sslkeys.json | 2 +- traffic_router/shared/pom.xml | 14 -- .../test/java/secure/BindPrivateKeyTest.java | 3 +- .../DeliveryServiceCertificatesTest.java | 3 +- 14 files changed, 368 insertions(+), 68 deletions(-) create mode 100755 infrastructure/docker/traffic_router/shutdowntr.sh create mode 100755 infrastructure/docker/traffic_router/starttr.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index e56c0d657f..102ff6a6df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,40 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ## [3.0.0] - 2019-02-13 ### Added +- Traffic Ops Golang Endpoints + - /api/1.4/users `(GET,POST,PUT)` + - /api/1.1/deliveryservices/xmlId/:xmlid/sslkeys `GET` + - /api/1.1/deliveryservices/hostname/:hostname/sslkeys `GET` + - /api/1.1/deliveryservices/sslkeys/add `POST` + - /api/1.1/deliveryservices/xmlId/:xmlid/sslkeys/delete `GET` + - /api/1.4/cdns/dnsseckeys/refresh `GET` + - /api/1.1/cdns/name/:name/dnsseckeys `GET` + - /api/1.4/cdns/name/:name/dnsseckeys `GET` +- To support reusing a single riak cluster connection, an optional parameter is added to riak.conf: "HealthCheckInterval". This options takes a 'Duration' value (ie: 10s, 5m) which affects how often the riak cluster is health checked. Default is currently set to: "HealthCheckInterval": "5s". +- Added a new Go db/admin binary to replace the Perl db/admin.pl script which is now deprecated and will be removed in a future release. The new db/admin binary is essentially a drop-in replacement for db/admin.pl since it supports all of the same commands and options; therefore, it should be used in place of db/admin.pl for all the same tasks. +- Added an API 1.4 endpoint, /api/1.4/cdns/dnsseckeys/refresh, to perform necessary behavior previously served outside the API under `/internal`. +- Adds the DS Record text to the cdn dnsseckeys endpoint in 1.4. +- Added monitoring.json snapshotting. This stores the monitoring json in the same table as the crconfig snapshot. Snapshotting is now required in order to push out monitoring changes. +- To traffic_ops_ort.pl added the ability to handle ##OVERRIDE## delivery service ANY_MAP raw remap text to replace and comment out a base delivery service remap rules. THIS IS A TEMPORARY HACK until versioned delivery services are implemented. +- Snapshotting the CRConfig now deletes HTTPS certificates in Riak for delivery services which have been deleted in Traffic Ops. 
+ +### Changed +- Traffic Router, added TLS certificate validation on certificates imported from Traffic Ops + - validates modulus of private and public keys + - validates current timestamp falls within the certificate date bracket + - validates certificate subjects against the DS URL +- Traffic Ops Golang Endpoints + - Updated /api/1.1/cachegroups: Cache Group Fallbacks are included + - Updated /api/1.1/cachegroups: fixed so fallbackToClosest can be set through API + - Warning: a PUT of an old Cache Group JSON without the fallbackToClosest field will result in a `null` value for that field +- Issue 2821: Fixed "Traffic Router may choose wrong certificate when SNI names overlap" +- traffic_ops/app/bin/checks/ToDnssecRefresh.pl now requires "user" and "pass" parameters of an operations-level user! Update your scripts accordingly! This was necessary to move to an API endpoint with proper authentication, which may be safely exposed. +- Traffic Monitor UI updated to support HTTP or HTTPS traffic. +- Modified Traffic Router logging format to include an additional field for DNS log entries, namely `rhi`. This defaults to '-' and is only used when EDNS0 client subnet extensions are enabled and a client subnet is present in the request. When enabled and a subnet is present, the subnet appears in the `chi` field and the resolver address is in the `rhi` field. + +## [3.0.0] - 2018-10-30 +>>>>>>> 0d2560d98... Add SSL Certificate Validation to Traffic Router (#3380) +### Added - Removed MySQL-to-Postgres migration tools. This tool is supported for 1.x to 2.x upgrades only and should not be used with 3.x. - Backup Edge Cache group: If the matched group in the CZF is not available, this list of backup edge cache group configured via Traffic Ops API can be used as backup. In the event of all backup edge cache groups not available, GEO location can be optionally used as further backup. 
APIs detailed [here](http://traffic-control-cdn.readthedocs.io/en/latest/development/traffic_ops_api/v12/cachegroup_fallbacks.html) - Traffic Ops Golang Proxy Endpoints diff --git a/infrastructure/docker/traffic_router/Dockerfile b/infrastructure/docker/traffic_router/Dockerfile index 3a6a0f1347..c16dcc0f66 100644 --- a/infrastructure/docker/traffic_router/Dockerfile +++ b/infrastructure/docker/traffic_router/Dockerfile @@ -35,6 +35,8 @@ ARG TC_REPO=traffic-control.repo ADD $TMCAT / ADD $RPM / ADD $TC_REPO /etc/yum.repos.d/ +ADD starttr.sh / +ADD shutdowntr.sh / ### Common for all sub-component builds RUN yum -y install \ diff --git a/infrastructure/docker/traffic_router/run.sh b/infrastructure/docker/traffic_router/run.sh index 1329cdf25c..3c03f6c7c1 100755 --- a/infrastructure/docker/traffic_router/run.sh +++ b/infrastructure/docker/traffic_router/run.sh @@ -28,7 +28,7 @@ # ORIGIN_URI # origin server (e.g. hotair), used to create a delivery service start() { - systemctl start traffic_router + ./starttr.sh touch /opt/traffic_router/var/log/traffic_router.log exec tail -f /opt/traffic_router/var/log/traffic_router.log } diff --git a/infrastructure/docker/traffic_router/shutdowntr.sh b/infrastructure/docker/traffic_router/shutdowntr.sh new file mode 100755 index 0000000000..e6ffa5e2b3 --- /dev/null +++ b/infrastructure/docker/traffic_router/shutdowntr.sh 
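Review bot: `./starttr.sh` in `start()` is resolved against the current working directory, while the Dockerfile change in this commit adds the script at `/`; call `/starttr.sh` so the function does not depend on the container's working directory. The script's exit status is also ignored before `touch` and `tail -f`, so a failed Tomcat start leaves the container tailing an empty log; `/starttr.sh || exit 1` would surface it. The rest of run.sh is outside the hunk.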
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script for running the Dockerfile for Traffic Router.
+# The Dockerfile sets up a Docker image which can be used for any new container;
+# This script, which should be run when the container is run (it's the ENTRYPOINT), will configure the container.
+#
+# The following environment variables must be set (ordinarily by `docker run -e` arguments):
+# TRAFFIC_OPS_URI
+# TRAFFIC_OPS_USER
+# TRAFFIC_OPS_PASS
+# TRAFFIC_MONITORS # list of semicolon-delimited FQDN:port monitors. E.g. `monitor.foo.com:80;monitor2.bar.org:80`
+# ORIGIN_URI # origin server (e.g. hotair), used to create a delivery service
+
+export JAVA_HOME=/usr/java/jdk1.8.0_92/jre
+export CATALINA_PID=/opt/traffic_router/temp/tomcat.pid
+export CATALINA_HOME=/opt/tomcat
+export CATALINA_BASE=/opt/traffic_router
+export CATALINA_OUT=/opt/tomcat/logs/catalina.log
+source /opt/traffic_router/conf/startup.properties
+/opt/tomcat/bin/shutdown.sh
diff --git a/infrastructure/docker/traffic_router/starttr.sh b/infrastructure/docker/traffic_router/starttr.sh
new file mode 100755
index 0000000000..adbb9ab634
--- /dev/null
+++ b/infrastructure/docker/traffic_router/starttr.sh
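Review bot: The header comment of shutdowntr.sh is copied from run.sh: it describes the script as the ENTRYPOINT and lists `TRAFFIC_OPS_URI`, `TRAFFIC_OPS_USER`, `TRAFFIC_OPS_PASS` and others as required, none of which the script reads. Replace it with a description of what the script does, e.g. `# Stops the Tomcat instance that starttr.sh launched for Traffic Router inside the container.`. The `source /opt/traffic_router/conf/startup.properties` line executes that file as shell code and its failure is not checked, so a comment stating that the file must be owned and writable only by the image owner would be worth adding next to it.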
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Script for running the Dockerfile for Traffic Router.
+# The Dockerfile sets up a Docker image which can be used for any new container;
+# This script simulates the systemd unit file that is used to start traffic router on
+# servers in the real world, but in Docker containers systemd is disabled.
+# Therefore it is important to keep this script up to date with any changes that are
+# made to traffic_router/build/build_rpm.sh and traffic_router/build/pom.xml
+
+export JAVA_HOME=/usr/java/jdk1.8.0_92/jre
+export CATALINA_PID=/opt/traffic_router/temp/tomcat.pid
+export CATALINA_HOME=/opt/tomcat
+export CATALINA_BASE=/opt/traffic_router
+export CATALINA_OUT=/opt/tomcat/logs/catalina.log
+export CATALINA_OPTS="\
+ -server -Xms512m -Xmx1g \
+ -Dlog4j.configuration=file://$CATALINA_BASE/conf/log4j.properties \
+ -Djava.library.path=/usr/lib64 \
+ -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=false \
+ -XX:+UseG1GC \
+ -XX:+UnlockExperimentalVMOptions \
+ -XX:InitiatingHeapOccupancyPercent=30"
+export JAVA_OPTS="\
+ -Djava.awt.headless=true \
+ -Djava.security.egd=file:/dev/./urandom"
+
+ulimit -c unlimited
+/opt/tomcat/bin/startup.sh
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
index 657e5734f0..85f8c0731a 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/protocol/RouterNioEndpoint.java
@@ -19,6 +19,7 @@
 import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData;
 import com.comcast.cdn.traffic_control.traffic_router.secure.KeyManager;
 import org.apache.log4j.Logger;
+import org.apache.tomcat.util.modeler.Registry;
 import org.apache.tomcat.util.net.NioEndpoint;
 import org.apache.tomcat.util.net.SSLHostConfig;
 import org.apache.tomcat.util.net.SSLHostConfigCertificate;
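Review bot: `ulimit -c unlimited` in starttr.sh lets the Traffic Router JVM write full core files, and this process holds the decoded TLS private keys for the delivery services in memory, so a crash leaves key material on the container filesystem. If cores are needed for debugging, make the limit opt-in, e.g. `ulimit -c "${TR_CORE_LIMIT:-0}"` (variable name constructed for illustration), and document where the cores land and who can read them. `JAVA_HOME` is also pinned to `jdk1.8.0_92`, which ties the container to one JDK build; a comment next to it should say which package provides that path so it is updated together with the image.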
@@ -92,4 +93,29 @@ synchronized public void reloadSSLHosts(final Map cr) { protected SSLHostConfig getSSLHostConfig(final String sniHostName) { return super.getSSLHostConfig(sniHostName.toLowerCase()); } + + private void unregisterJmx(final SSLHostConfig sslHostConfig) { + final Registry registry = Registry.getRegistry(null, null); + registry.unregisterComponent(sslHostConfig.getObjectName()); + for (final SSLHostConfigCertificate sslHostConfigCert : sslHostConfig.getCertificates()) { + registry.unregisterComponent(sslHostConfigCert.getObjectName()); + } + } + + @Override + public void addSslHostConfig(final SSLHostConfig sslHostConfig, final boolean replace) throws IllegalArgumentException { + final String key = sslHostConfig.getHostName(); + if (key == null || key.length() == 0) { + throw new IllegalArgumentException(sm.getString("endpoint.noSslHostName")); + } + + SSLHostConfig previous = null; + if (replace) { + previous = sslHostConfigs.get(key); + } + super.addSslHostConfig(sslHostConfig, replace); + if (previous != null) { + unregisterJmx(previous); + } + } } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java index 9324145643..b3990fbe54 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateDataConverter.java 
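Review bot: In the new `addSslHostConfig` override, `previous` is unregistered only after `super.addSslHostConfig` has registered the replacement; if the JMX object names are derived from the host name (not visible here), `unregisterJmx(previous)` may remove the MBeans just registered for the new config. Unregistering before the `super` call, or skipping it when the object names are equal, avoids that. The method is not `synchronized` although `reloadSSLHosts` in this class is, so the `sslHostConfigs.get(key)` read and the replacement are not atomic if the method is reached from another path. `unregisterJmx` should also tolerate a null `getObjectName()` in case a config was never registered.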
@@ -17,11 +17,18 @@ import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData; import org.apache.log4j.Logger; +import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey; +import sun.security.rsa.RSAPrivateCrtKeyImpl; +import sun.security.rsa.RSAPublicKeyImpl; +import java.math.BigInteger; import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.List; -import java.util.stream.Collectors; public class CertificateDataConverter { private static final Logger log = Logger.getLogger(CertificateDataConverter.class); 
@@ -29,18 +36,43 @@ public class CertificateDataConverter { private PrivateKeyDecoder privateKeyDecoder = new PrivateKeyDecoder(); private CertificateDecoder certificateDecoder = new CertificateDecoder(); + @SuppressWarnings({"PMD.CyclomaticComplexity"}) public HandshakeData toHandshakeData(final CertificateData certificateData) { try { final PrivateKey privateKey = privateKeyDecoder.decode(certificateData.getCertificate().getKey()); final List encodedCertificates = certificateDecoder.doubleDecode(certificateData.getCertificate().getCrt()); - final List x509Chain = encodedCertificates.stream() - .map(encodedCertificate -> certificateDecoder.toCertificate(encodedCertificate)) - .collect(Collectors.toList()); - - return new HandshakeData(certificateData.getDeliveryservice(), certificateData.getHostname(), - x509Chain.toArray(new X509Certificate[x509Chain.size()]), privateKey); + final List x509Chain = new ArrayList<>(); + boolean hostMatch = false; + boolean modMatch = false; + for (final String encodedCertificate : encodedCertificates) { + final X509Certificate certificate = certificateDecoder.toCertificate(encodedCertificate); + certificate.checkValidity(); + if (!hostMatch && verifySubject(certificate, certificateData.alias())) { + hostMatch = true; + } + if (!modMatch && verifyModulus(privateKey, certificate)) { + modMatch = true; + } + x509Chain.add(certificate); + } + if (hostMatch && modMatch) { + return new HandshakeData(certificateData.getDeliveryservice(), certificateData.getHostname(), + x509Chain.toArray(new X509Certificate[x509Chain.size()]), privateKey); + } + else if (!hostMatch) { + log.warn("Service name doesn't match the subject of the certificate = "+certificateData.getHostname()); + } + else if (!modMatch) { + log.error("Modulus of the private key does not match the public key modulus for certificate host: "+certificateData.getHostname()); + } + } catch (CertificateNotYetValidException er) { + log.error("Failed to convert certificate data for 
delivery service = " + certificateData.getHostname() + + ", because the certificate is not valid yet. "); + } catch (CertificateExpiredException ex ) { + log.error("Failed to convert certificate data for delivery service = " + certificateData.getHostname() + + ", because the certificate has expired. "); } catch (Exception e) { log.error("Failed to convert certificate data (delivery service = " + certificateData.getDeliveryservice() + ", hostname = " + certificateData.getHostname() + ") from traffic ops to handshake data! " 
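Review bot: `hostMatch` and `modMatch` in `toHandshakeData` are accumulated over the whole chain, so the subject check can be satisfied by one certificate and the modulus check by another; a chain whose leaf matches neither the private key nor the hostname is still accepted if other certificates in it do. Both checks should apply to the same certificate, the leaf: `final X509Certificate leaf = x509Chain.get(0);` followed by `if (verifySubject(leaf, certificateData.alias()) && verifyModulus(privateKey, leaf))` (assuming the leaf is first in the decoded chain, which should be confirmed). An empty `encodedCertificates` list currently falls through to the host-mismatch warning, which is misleading. The subject mismatch is logged at `warn` and the modulus mismatch at `error` although both reject the certificate, and the two `Certificate…Exception` handlers print the hostname under the label "delivery service".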
@@ -49,6 +81,78 @@ public HandshakeData toHandshakeData(final CertificateData certificateData) { return null; } + public boolean verifySubject(final X509Certificate certificate, final String hostAlias ) { + final String host = certificate.getSubjectDN().getName(); + if (hostCompare(hostAlias,host)) { + return true; + } + + try { + // This approach is probably the only one that is JDK independent + if (certificate.getSubjectAlternativeNames() != null) { + for (final List altName : certificate.getSubjectAlternativeNames()) { + if (hostCompare(hostAlias, (String) altName.get(1))) { + return true; + } + } + } + } + catch (Exception e) { + log.error("Encountered an error while validating the certificate subject for service: "+hostAlias+", " + + "error: "+e.getClass().getSimpleName()+": " + e.getMessage(), e); + return false; + } + + return false; + } + + private boolean hostCompare(final String hostAlias, final String subject) { + if (hostAlias.contains(subject) || subject.contains(hostAlias)) { + return true; + } + final String[] chopped = subject.split("CN=", 2); + if (chopped != null && chopped.length > 1) { + String chop = chopped[1]; + chop = chop.replaceFirst("\\*\\.", "."); + chop = chop.split(",", 2)[0]; + if (chop.length()>0 && (hostAlias.contains(chop) || chop.contains(hostAlias))) { + return true; + } + } + return false; + } + + public boolean verifyModulus(final PrivateKey privateKey, final X509Certificate certificate) { + BigInteger privModulus = null; + if (privateKey instanceof BCRSAPrivateCrtKey) { + privModulus = ((BCRSAPrivateCrtKey) privateKey).getModulus(); + } else if (privateKey instanceof RSAPrivateCrtKeyImpl) { + privModulus = ((RSAPrivateCrtKeyImpl) privateKey).getModulus(); + } else { + return false; + } + BigInteger pubModulus = null; + final PublicKey publicKey = certificate.getPublicKey(); + if ((publicKey instanceof RSAPublicKeyImpl)) { + pubModulus = ((RSAPublicKeyImpl) publicKey).getModulus(); + } else { + final String[] keyparts = 
publicKey.toString().split(System.getProperty("line.separator")); + for (final String part : keyparts) { + final int start = part.indexOf("modulus: ") + 9; + if (start < 9) { + continue; + } else { + pubModulus = new BigInteger(part.substring(start)); + break; + } + } + } + if (privModulus.equals(pubModulus)) { + return true; + } + return false; + } + public PrivateKeyDecoder getPrivateKeyDecoder() { return privateKeyDecoder; } diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java index e3f773c084..848c8b09ed 100644 --- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java +++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/CertificateRegistry.java @@ -73,10 +73,12 @@ synchronized public void importCertificateDataList(final List c if (!master.containsKey(alias)) { final HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); - master.put(alias, handshakeData); - if (!certificateData.equals(previousData.get(alias))) { - changes.put(alias, handshakeData); - log.warn("Imported handshake data with alias " + alias); + if (handshakeData != null) { + master.put(alias, handshakeData); + if (!certificateData.equals(previousData.get(alias))) { + changes.put(alias, handshakeData); + log.warn("Imported handshake data with alias " + alias); + } } } else { @@ -103,7 +105,7 @@ synchronized public void importCertificateDataList(final List c previousData.clear(); for (final CertificateData certificateData : certificateDataList) { final String alias = certificateData.alias(); - if (!previousData.containsKey(alias)) { + if (!previousData.containsKey(alias) && master.containsKey(alias)) { previousData.put(alias, certificateData); } } 
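Review bot: `hostCompare` accepts a certificate when either string merely contains the other, so a name as short as `com`, or any name that embeds the alias as a substring, passes the hostname check; compare the extracted name for equality (case-insensitively, after removing one leading `*.`) instead of using `contains`. In `verifySubject` the cast `(String) altName.get(1)` throws for SAN entries whose value is not a string, and the surrounding `catch` then returns false without examining the remaining names; check that `altName.get(0)` is the dNSName type (2) before casting. `verifyModulus` depends on `sun.security.rsa` internals and on parsing `publicKey.toString()`, which varies between JDKs and providers; the standard `java.security.interfaces.RSAKey` interface exposes `getModulus()` for both keys, as below.

```java
public boolean verifyModulus(final PrivateKey privateKey, final X509Certificate certificate) {
	final PublicKey publicKey = certificate.getPublicKey();
	// Only RSA key pairs can be compared by modulus; anything else is rejected, as before.
	if (!(privateKey instanceof java.security.interfaces.RSAKey)
			|| !(publicKey instanceof java.security.interfaces.RSAKey)) {
		return false;
	}
	final BigInteger privModulus = ((java.security.interfaces.RSAKey) privateKey).getModulus();
	final BigInteger pubModulus = ((java.security.interfaces.RSAKey) publicKey).getModulus();
	return privModulus.equals(pubModulus);
}
```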
diff --git a/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java b/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java index 6de4ae9037..0554de6b35 100644 --- a/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java +++ b/traffic_router/connector/src/test/java/secure/CertificateDataConverterTest.java 
@@ -16,73 +16,137 @@ package secure; import com.comcast.cdn.traffic_control.traffic_router.secure.CertificateDataConverter; -import com.comcast.cdn.traffic_control.traffic_router.secure.CertificateDecoder; import com.comcast.cdn.traffic_control.traffic_router.secure.HandshakeData; -import com.comcast.cdn.traffic_control.traffic_router.secure.PrivateKeyDecoder; import com.comcast.cdn.traffic_control.traffic_router.shared.Certificate; import com.comcast.cdn.traffic_control.traffic_router.shared.CertificateData; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Before; import org.junit.Test; +import org.powermock.core.classloader.annotations.PrepareForTest; -import java.security.PrivateKey; -import java.security.cert.X509Certificate; -import java.util.Arrays; +import java.time.Instant; +import java.util.Date; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.equalTo; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; +import static org.hamcrest.Matchers.notNullValue; +import static org.hamcrest.Matchers.nullValue; +import static org.junit.Assert.fail; public class CertificateDataConverterTest { private CertificateDataConverter certificateDataConverter; private CertificateData certificateData; - private X509Certificate x509Certificate1; - private X509Certificate x509Certificate2; - private X509Certificate x509Certificate3; - private PrivateKey privateKey; + private Date certDate; + private final static String SUBJECT_MISS_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-subject-miss\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following is a self-signed key for *.subject-miss.thecdn.example.com\",\n" + + " \"key\": 
\"LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQzhBWVVFYk1YcHZiVUMKaDBrNWRxYURnTHJGL3Y5VDdtOFNLUnVuRldYYUhFalVvcWlZc29tekhuZjNyUkVNRWpkVXB0M0lCVzk3M090cApqNmlkNUNLTHlFVDNUQ3h2ZHNERzhiYXB3UEdNT0dzQWhTMGxucmlrRll6ejArZXpxMWhzczcxRDBqN3o1TzlLCmxPVUJxSUgzOG16YU1JaFN3VXpsSGdFRzJjdlJiK1RwajhpU0k3Z3psek8rMVM1OEExS21UbjVDMC9ia0lvcFYKREJ5V3FySmpqSXZuWjBvK2I1MkRMcExzdlVnRU5BOVdHRzkycG8wS0RDZnFmNjN0RW5oRGYvZStFT0o5NUs5UQpCUG45YW82OVJaM0V3cDk5bnlveDJ6cmtHLzcvMTVIV3Z5aUVzQUR2TWxNaTg4bTJRTzBOaDA5ZWlrWWFRWDlVCkUzbTM4VDVkQWdNQkFBRUNnZ0VBT2UxNTc4Z1lIeElkMEw2Z2VEMHZ4enNGMFhYbGRCWDJVVEVyWFFzQnkvZUYKRlVkZERWZU5pQXd1U0xraGxJZVVWdGZuWS9jUXg2aGxQS3hQOXY1UkNxTFZaU0VxVzluS1FrSTkxd1lsSnVCSApUK3k0NFd1TFZydHhKN3UyRzYwQzNOTncwSkhhWmNtM1ZWS1ZVVEo3Z1V0SDhONmRVbXBPNkJXYm1XSElKQ3AvCnRjL29QVTZzTWc2RGh2MVFxeUpJeHQ5MWRmSnpBZVdkV01MM3ZmNnRVUDF6bTh2M2g0WXBZSGR5LzZBMzZjZkQKa0xnZkkybktkVEhLUDBldlZFS3M5L3hQWVlxQWVyTnlCV2NFWCtjVy93ZzVSVUVrT2lpajZUY0h1cmVnV09VbQp5cWlCOFNoQWVwdEtnN0VVaHZ2V2ZLSEtMTmJURUV5UE5GOXVPR1VqL1FLQmdRRGZUdy9IbS9oUDJYZUFGeEhZCnViUTBIN2xHQWxLZEhydTIvVXlFK3d0WDlEYXU1UTZRVzVkVzJJMTdkOG5TL2taUkloQnhSM08rMGMxN3VUaHoKWDFseWtmT3ZZb3NlSGhhN0IrN21rL2RVTkJZYVJ1UG1IcEEvTkx6ekI3OWdhU2JPVk9lOVQ5cVovb2lndlRXYQp0TG0rOFIzeVhyUktOdUZtNk1kbnFYdSswd0tCZ1FEWGgybU5EQW9sMHJlcFY0MnYvaSt1QmF4bkozZlJVU284ClpkUk5GczVWTFlxUnh0c1BubkNwcTh3OWtKK2paZWNWTkRNelB3dmpBdUdqYXkyUHVRclF5MEUyckk5RExITEIKTVVxVHJENHBSN0NrK3VFVGQ3ZlBEOHNRdEJmUkp6amdBa3pvWUk1djZ1dzlpUFF6U2tzT2d5WFlNV0ZUU1ZJNwplVVhHWDRDd0R3S0JnRjduemhBS2xKenpFcHVvc2xnR2pMUythdEo3T0RzNGpaVDIwQ2VRUGtEeU5LOWVBRE9RCkNhREtSazhjR1BXSVJjQkRsdk5kNTY1SW9ta2J6Z2NTbGdSZ1RVM1R0c1psQ1VvUjFCSEEveE9WVTNOMWYzUVUKdHo5MW5YdzRaYmlHMkF4Ry8zcHd6cm8xK0VGQVNPRG9RQzBMY3F2SVhoMVFkN2x4NHhXR2JXWXJBb0dBQjhZKwpySFBPdWVhTDhYUFRESklpcmloT083cFV2Qnd0WmRoV2ZDRmlkL2dZazRHVXpVOXR5UEVGZ1FNQ2Z5WmgyNFh5Cmd0cTNWd3ozanFtRER6Z2hoNzZOTDZleDB6NTdOVFROOTkyeXNGS0JzTEhNQktQQTRaczBPL29ERWV4VVJPQlEKWGVGOXdkTzdpY3l5NGxhL3RscE10eXV3MHd4R0J4Y3N5U2NRd1VrQ2
dZQng0UGk4NkhmWkVnT3p4bU9NYkhGTApmeFFWbXpZL0Y3eCsyOGMrQWQ3VVZRMVVjcDRUdEdMT1pHUGRIYnZzR2dZeXY4cSs0MTcwK1M0YkY4bC9JRThnCjJBNzl6VzNjMjhVNzR0KytxQ0p4bS82SmxtR3RCQkt0Mk9ZSE5ocUdRQ2Z4Y0krWGFPQUgyUUFNSS9zZ3JzOXQKM3dZNlY2VUQ2K1lCTDVFRFp6T2NMQT09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K\",\n" + + " \"crt\": \"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\"\n" + + " },\n" + + " \"hostname\": \"*.https-subject-miss.thecdn.example.com\"\n" + + " }"; + private final static String VALID_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-valid-test\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following is just a self signed certificate and key to use for testing this is NOT private data from a CA\",\n" + + " \"key\": " + + "\"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\",\n" + + " \"crt\": " + + "\"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\"\n"+ + " },\n" + + " \"hostname\": \"*.https-valid-test.thecdn.example.com\"\n" + + " }"; + private final static String EXPIRED_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"http-to-https-test\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following self signed certificate which expired on 3/5/2019 \",\n" + + " \"key\": " + + "\"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\",\n" + + " \"crt\": " + + "\"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\"\n" + + " },\n" + + " \"hostname\": \"*.http-to-https-test.thecdn.example.com\"\n" + + " }"; + private final static String MOD_MISS_CERT_DATA = + " {\n" + + " \"deliveryservice\": \"https-mod-miss\",\n" + + " \"certificate\": {\n" + + " \"comment\" : \"The following certificate and key are for the same subject but have " + + "mismatched modulus between the private and public keys\",\n" + + " \"key\": " + + "\"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\",\n" + + " \"crt\": " + + "\"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\"\n"+ + " },\n" + + " \"hostname\": \"*.http-mod-miss.thecdn.example.com\"\n" 
+ + " }"; @Before + @PrepareForTest({Instant.class}) public void before() throws Exception { - PrivateKeyDecoder privateKeyDecoder = mock(PrivateKeyDecoder.class); - CertificateDecoder certificateDecoder = mock(CertificateDecoder.class); - Certificate certificate = new Certificate(); certificate.setCrt("encodedchaindata"); certificate.setKey("encodedkeydata"); - certificateData = new CertificateData(); certificateData.setCertificate(certificate); certificateData.setDeliveryservice("some-delivery-service"); certificateData.setHostname("example.com"); + certificateDataConverter = new CertificateDataConverter(); + } - privateKey = mock(PrivateKey.class); - when(privateKeyDecoder.decode("encodedkeydata")).thenReturn(privateKey); - - when(certificateDecoder.doubleDecode("encodedchaindata")).thenReturn(Arrays.asList( - "encodedcert1", "encodedcert2", "encodedcert3" - )); - - x509Certificate1 = mock(X509Certificate.class); - x509Certificate2 = mock(X509Certificate.class); - x509Certificate3 = mock(X509Certificate.class); - - when(certificateDecoder.toCertificate("encodedcert1")).thenReturn(x509Certificate1); - when(certificateDecoder.toCertificate("encodedcert2")).thenReturn(x509Certificate2); - when(certificateDecoder.toCertificate("encodedcert3")).thenReturn(x509Certificate3); + @Test + public void itConvertsValidCertToHandshakeData() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(VALID_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, notNullValue()); + assertThat(handshakeData.getDeliveryService(), equalTo(certificateData.getDeliveryservice())); + assertThat(handshakeData.getHostname(), equalTo(certificateData.getHostname())); + } - certificateDataConverter = new CertificateDataConverter(); - 
certificateDataConverter.setCertificateDecoder(certificateDecoder); - certificateDataConverter.setPrivateKeyDecoder(privateKeyDecoder); + @Test + public void itRejectsExpiredCert() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(EXPIRED_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); } @Test - public void itConvertsToHandshakeData() throws Exception { + public void itRejectsModulusMismatch() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(MOD_MISS_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); + } - assertThat(handshakeData.getDeliveryService(), equalTo("some-delivery-service")); - assertThat(handshakeData.getHostname(), equalTo("example.com")); - assertThat(handshakeData.getPrivateKey(), equalTo(privateKey)); - assertThat(handshakeData.getCertificateChain(), equalTo(new X509Certificate[]{x509Certificate1, x509Certificate2, x509Certificate3})); + @Test + public void itRejectsSubjectMismatch() throws Exception { + try { + certificateData = ((CertificateData) new ObjectMapper().readValue(SUBJECT_MISS_CERT_DATA, + new TypeReference() { })); + } catch (Exception e) { + fail("Failed parsing json data: " + e.getMessage()); + } + HandshakeData handshakeData = certificateDataConverter.toHandshakeData(certificateData); + assertThat(handshakeData, nullValue()); } } 
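Review bot: The three rejection tests assert only `nullValue()` and nothing in the class fixes the time the converter validates against, so they can pass for the wrong reason. `@PrepareForTest({Instant.class})` sits on `before()`, but the class has no `@RunWith(PowerMockRunner.class)` and `certDate` is never assigned, so the real clock is presumably used; once the certificates in `MOD_MISS_CERT_DATA` and `SUBJECT_MISS_CERT_DATA` pass their own expiry they would be rejected by the same check `itRejectsExpiredCert` relies on and no longer cover the modulus or subject comparison, and `itConvertsValidCertToHandshakeData` would start to fail. Either pin the validation time, or drop the unused annotation, field and `Instant`/`Date` imports and note each fixture's expiry date in a comment above its constant. The `try`/`catch` around `readValue` is redundant given `throws Exception` and discards the stack trace; `certificateData = new ObjectMapper().readValue(VALID_CERT_DATA, CertificateData.class);` is enough, and the `certificateData` built in `before()` is overwritten by every test.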
diff --git a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json index 2d6c8825ac..f0a8f23fb0 100644 --- a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json +++ b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys-missing-1.json 
@@ -22,7 +22,7 @@ "deliveryservice": "http-to-https-test", "certificate": { "comment" : "The following is just a self signed certificate and key to use for testing this is NOT private data from a CA", - "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc2Y0NnV5OGJ2\nQk5rMGhCaEVsbHdGT0dqREh6M1hJY1hteDRVNThNZG9Fa1JId0VTCjVONnd3NFV6bDAvRDcyMlJV\nODlMeHB4bldvclJmdVZNQldnOGVFcXBUb2NUS2NOZHhtZmdEUWZTcTZ1ODNTWkUKTmFCZFArK2g5\nYTJJRFZXWGFldVRhcVA3Q3lVVG52Sld5Mm1JalJWZkRGQWRWWHNhU1M4RGRYUWdibEJTelJ6NwpL\nMXFHVWt1RlZQc0R0ODZBYVF3TnN5R2ZDN3ltcUkzNU1FQ3hTdzNPd2lXSlAyZTg3U2E5UG9Pdjcr\nZUs2NVJnCmM3dzNkSXQxZUlyS3B6OWpQV1RPTkJOK0JhWFdvcHNXZ3UvdVd4Q1pnUk9qaXBWVUFK\nNHhrNFRGMjd0S28zRDUKSHd4RVZOeStlck9FTGI3VWxuaHMxaG1LdVI2RTZwREpHSyt1UFFJREFR\nQUJBb0lCQURkb1RYNFJkdysvOWNXUwpoYlZCbEN0YjVmYXdQQXhZblZlVE1Lekl4ME1yRzZKTUlr\nYU9yL1hkVkNjSkZKUkd4bE9SbHlRWGNmRDBmNnlCCjBuMW9hbEtENDFwbm4rYURRNERNdXlrelF6\naGZlS1piRUNhbGFnSEtKZCtsaWxHa1VFTVBxMDhxQnE3OGRyUW0KK2kvT0JVenQxeTJ0RHNTYVVw\nOXZmQ01tNkNXT1pKOHN6eWZrSk1ZZVVLdXptOWwzMGNNeW84anF0bi9LQjZWWApEVkZmNGpqU1FM\nTzBYbUo1M012TW1xUzlGaVRUdklpQm9iNnkxMEtWZjZpWk5MZnVnVExoWFhQaDFDNTJTUTVvCjZj\nVWdqanh5NFhmYUdub0Y1NlF4M0FIZWRpd0Z6eEFpWGlKOCswUFB3bWI2Q1FGOU1jSzV0QjQzcVZx\nNWNKNFcKTVF1SWpsMENnWUVBMkM3SFh6OHppODQ0anJHa1VvUmF3NE9QcitBdnFIVGY1NEJ2Ujhz\nTzc2NkljRzEvUytmdQoxbXQ2RnBRQVZGeHJvWmxEWHkrWGtTQ0toaEM3cmh6cHQzaVJuRkhkWFpT\nM25MM2ZjWnIzUCtFSXNyb3hLeVFRCmg3dy8xYnEzd3JwUnNOWjZpdDNVSHJvVlRLU2tZQzZvOUor\nYzRPYjVQRzVGcFRvZk81dmRWWHNDZ1lFQTBzYkYKd3pjYzEvcTdEVXpkTkVTaWtNMFdMMkFZanBH\nOFpEYTY0eUcrZ1JkWjhjWmpJUzlkVFpWWVpUODNFSnp2T2dyWgo1NmFYTVN2QVc2ak1oY1VDR05K\nN3JaaGl1Uk9HNVdWM3FzMnFkbmtkQlgrdGhrUE9HT3lNYnhsN1ltUlZXTG11CjBFV3NMQ3VHVFov\neDV5NG02WmNGQldRZUkreVMxanZTTXVkelVhY0NnWUJvVG1ISjlnK2o1Qk5yM2hCZjlCWnIKQVY1\naHlMU1YvaFpPZDZ5NW9pTUp5RmR5ajVKOUNHSTN1TkhHZFJDWG82UVc2NEVUT3o1Uk9yYzdxblV6\ndENXYwpiYU1zSGwvRm1Fempac1daNWVCb1JPYlNmWDNkeDkvbDdoR0t5VFdDMGkwNk9ySVRzS1o1\nVU9XWC9sU0ZSOTRqCmNhUGE2L2JUam8weUJKSXZTNndHWXdLQmdDN045dkpmbGFjY1JWY3h2M
Wt3\nK0l5QkRqRWMvTGNFQTdxWk1LenAKUEYxOEt2djJXdUx1bXFCMHpubEZMVndpRFRsdFdYQUlYVUNN\nLzUwYkFiZWV4TlZ3UUFpUGN6UzM4bGVVVFp0LwpLaUEreXNRQzB5eWlkK3l1OG94bE16SHBKODZa\nQlFtNHZ2L2I5bW5jWDZJL2JHS29wM1BJQksxamhrUE9hdUhrCjVZVzNBb0dBVEtVZlhkWTNad0hM\nWlUxSm1lRldKb29kOW10SHNrM1QyT2hCdDBwNUpSU3hVYWxOY0tkZEcvMVgKMFFCN1E1NWxMZEIz\nT1k2b1NDaEtuK1dUMWNwQ1N3d09PQlJNTmZPOVR1c252NkU2ZlNRWWVwdGNmV2lOb3VBWQpYaDVn\nQTRORzJHeUM5TW9tZUxQbUY0NmJsdU5UYzFxREMzeVZVcVQzdDkxY1RwNytWems9Ci0tLS0tRU5E\nIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==", + "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMHBBWXlmamRz\nZ0NSL0ZXeEQvWE1vbDNwYjRWazlHSFdqTnR4bkdvWHA3OGxxM2p1CitLd012ZlU2ZDVScmdXbHp6\nMlJjZnFhMHdjbkYrNU1abkdkbzRGaGwycnhnT3ZBV2NSb3ZXS3BUaXNUUkcrQXcKbnFneUZTWjNT\nalhUcE9YUjV4dUJJOWI1c3ZIN3RhbzdBcWFLR2I0V3d1TnA3cTZzcUtRYlRxaUlXcE9JQWtFKwpS\nVnJXblBVdHRvaHlTV08yL2dIbDQ2NlU1S0czdC9TU3lqZVRPZ1ZFU0xoQUhlWlk2dExyTGd1YmdM\nanlLVWE5CkpDcWJLa1laZ2UrdWlhKzVVMzZ6alhYRUdBUEdwWWNrM2Zqb1pYN01zM3hkUzV6Zit6\nUDQzSnVVWUtheE5KbVMKRXMvaU1Dc1VPK1htZEtQTFhmWGdPWDNoM0NQdC83U05HR3VlS1FJREFR\nQUJBb0lCQUF1REEwZnZpamRVSHFjYwpERDBpSkJqd1ozWElaamVTTGNldnE2dHdoWENQVzhEZk1M\nbDV0b3lnSHAweENSdWZKMHk4WU80dnNRd3pPdGJCCk9SSTYrUm5pMjFhMUc5RzlGSTBFY0hnNWY2\nM0RpdWNxUDU0ODlkZ0FMVjlxUi9Mbythdlg3aHlHZ1VwT1BvTzEKRmRyVVBoS2dPT0JZekk3WEQr\ndDhaVjNNaXYvZ25aWUphR2dYRDYrODFGaU4veXNXaE5SMEVYYW5Vck1wR2ZtdQpSVm1tYnlvRjNr\nWVV1d3V2SUZIMkdPVFo0VjViR3JGQUJUQUowSWt2MkdmcU9TR08xa1NiWVMxclZjb29uMyswClRz\ncGxLejRUT3NVblp5VUk1UVBpbEI5ak93cjVlbGFRM1lndnZCM0k5TUdvQjRTLy9XWkFVRGFQTjlE\nZXYyU1UKUm1jb2dqMENnWUVBN3oxaEh0c21QZmVOOTA3VWV4clVwMGRMOEJtbmJ5V1k0bkYrbFhp\nalRLQ0xpTjdtNGFSNQpTTHhtZ21nVkhrQ0dOZkEybXFVWHA2dTlNL1BXOGx4SjRjNExLRldCbTVJ\nYjFRdlRZM3hOWDNKWVZYZkhTWkNlCitvaDMwaStmcm9oYmNnZzRpaG9QeDU2aGhpbEdlSXZGSS9l\nMDg0M0Z0dU9mWkgrQ0s1dHRKOU1DZ1lFQTRWQnEKTTNUUlhzbUU3ZHQvSFFza2ladGFjTVdkQldx\nOVRXVlBIb3hBK3VjalFoandGVFhBZzhkZGFsbE9TS1hWNjVGawoxMlphU1lTbTd5VnplS3lVRk4w\nazBxNXpRQkRZQ1FNYVA2YjZYbGxiL2VMaWJQQTMxbU5uRGl2WjdkVWM3UUVqClhUUy9nclFLc2Zl\n
enRVMXUwNG1SMTZ5THhZSHh3MW5IL3NselFKTUNnWUVBMHF6S2lkR1NxNThFZFhRRnlTS24KZ1dk\nWGgrZ1BlZUV4OExiaE1kODZicEF5VUNWNlM5bjZ0QUswZ3NJRlZzNmJZWVJYa1hjd2pZYSs1ckVq\nNStrOQpab3Q3Wjlsa2VRc0JWMnRDaTZrNnVZS0lKenVEVTFUM3FzZmlQRVdUNks1TFdPL0VXbGo0\nN0dEVS9MLzhQc3RXCm40WFM0MmRGWlBpdHRHSlV6dkhmL2VFQ2dZQXVpR3dXaW5hL0s4RmZXbWly\nTitUbzRvUFFMSS9jVVlvZEZPSTkKUGR3aHRXREx3dGk2bUtwVXpQVFhCUEN0QWtybTV0VTd3ekM4\nWkVBUnZkdFdQZFlyWk95NDhqeHRLODFpTnhqUgpzb3VjdHJuUCttNm03d21wSmtoZlhlRVpSRjAv\nK1c4elRiU0xxdUZXbGdDd1hmaVlpWjNzTy85MTMvdHRTL3FJCi9WUG5Md0tCZ1FDNGQ4OXNUL3E3\nNjZMREt6bEhySzVEUkE2TTRENEhMbjEwTWJQVExNdWNweEJlQkY1YnhvQkEKeHRFcVhBRCtyaWVr\nT3IybjJSRHlxeGt0MS9FY2JhcTI5bmNXVFFwZjZ2NkV3cTFGT3JhUDlpdTJFbERBcUcyMApXbmdG\nOUttM0VETUpBQkd5VHhieFgxZTZMRG1LaFcwWFFxRWptVmpGQi9uMFVQOGxJd2F2aGc9PQotLS0t\nLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", "crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZuakNDQTRhZ0F3SUJBZ0lDRUFFd0RRWUpL\nb1pJaHZjTkFRRUxCUUF3WkRFTE1Ba0dBMVVFQmhNQ1ZWTXgKRVRBUEJnTlZCQWdNQ0VOdmJHOXlZ\nV1J2TVJBd0RnWURWUVFLREFkRGIyMWpZWE4wTVE0d0RBWURWUVFMREFWSgpVRU5FVGpFZ01CNEdB\nMVVFQXd3WFZHVnpkR2x1WnlCSmJuUmxjbTFsWkdsaGRHVWdRMEV3SGhjTk1UWXdPVEl6Ck1qSXpO\nREl4V2hjTk16VXhNVEl6TWpJek5ESXhXakNCaFRFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJB\nZ1QKQ0VOdmJHOXlZV1J2TVE4d0RRWURWUVFIRXdaRVpXNTJaWEl4RURBT0JnTlZCQW9UQjBOdmJX\nTmhjM1F4RGpBTQpCZ05WQkFzVEJVbFFRMFJPTVRBd0xnWURWUVFERkNjcUxtaDBkSEF0ZEc4dGFI\nUjBjSE10ZEdWemRDNTBhR1ZqClpHNHVaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RR\nRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKL2pxN0x4dThFMlRTRUdFU1dYQVU0YU1NZlBkY2h4\nZWJIaFRud3gyZ1NSRWZBUkxrM3JERGhUT1hUOFB2YlpGVAp6MHZHbkdkYWl0Ris1VXdGYUR4NFNx\nbE9oeE1wdzEzR1orQU5COUtycTd6ZEprUTFvRjAvNzZIMXJZZ05WWmRwCjY1TnFvL3NMSlJPZThs\nYkxhWWlORlY4TVVCMVZleHBKTHdOMWRDQnVVRkxOSFBzcldvWlNTNFZVK3dPM3pvQnAKREEyekla\nOEx2S2FvamZrd1FMRkxEYzdDSllrL1o3enRKcjArZzYvdjU0cnJsR0J6dkRkMGkzVjRpc3FuUDJN\nOQpaTTQwRTM0RnBkYWlteGFDNys1YkVKbUJFNk9LbFZRQW5qR1RoTVhidTBxamNQa2ZERVJVM0w1\nNnM0UXR2dFNXCmVHeldHWXE1SG9UcWtNa1lyNjQ5QWdNQkFBR2pnZ0UyTUlJQk1qQUpCZ05WSFJN\nRUF
qQUFNQkVHQ1dDR1NBR0cKK0VJQkFRUUVBd0lHUURBekJnbGdoa2dCaHZoQ0FRMEVKaFlrVDNC\nbGJsTlRUQ0JIWlc1bGNtRjBaV1FnVTJWeQpkbVZ5SUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdR\nV0JCVHlRTUw1UzdMbW5PeTlpRUQxdkUwL1ZzN1FTRENCCm1BWURWUjBqQklHUU1JR05nQlNqY1VG\nK01rSUtnSjN5ZmFESHdMTFBremZDdWFGeHBHOHdiVEVMTUFrR0ExVUUKQmhNQ1ZWTXhFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVgpCQW9NQjBO\ndmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nCmIzUWdRMEdDQWhBQU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VG\nQlFjREFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQWJpN09yQUNDbldKd3dDM2dmWUVBMmpI\nZ0FNMDRoK1FGQ1hRUnhCZApkd0ZLNDNTaVIwME1CTUdObVl1YUd0RWNTMGZacTVORFp1eFVOZHVM\nMmZselQzbkJ3Sm5DbEZ3aXd0YWwrcTE2CkV2QWtBbUQvU2pxNm5CYm5qNUlqNkRlRE5kOHRJd0ps\ncDMrdCs0RE9rNWt2a2FxS2ptd29EM3RlNG1QdnNIeXQKNElpRG1wRnpqeG83b2o5VkY0RTVtMjZV\nM240aENUYnJ2Ui9RNWlCdDhpT3M1YU8rVlpuTWNyQ3htbmhSYU1sVQpOaXkwTGxCZVVJQ213TE95\nNERQeDc1WVdDMzZEUVhMS2dMcnZ4RktIRmI2SlJoMmNLYzNpcVc3allhNjJwbmhHCllXb1pDdkJO\neXZqbkpIbGZYVDBUNitDN3Btb0ZLNTV5dGNhdFByQk82VEI3TFhUcjlJN2JIN0R2aU9SS1MwMFoK\nOHlPMktva1M1WVZ0T2c4NnNHT2lFOFQxMDFzc0xSNUhWZmVDTVJqc0J4eXdUdUxNRyt1cE9lWDhk\nMGhlUjZNbgp3RlFxUDR0V1A0WEZkSGd0cHlaZHBVYTBXVkZTVXJueDAvV1pDbXZLNFNQcmhzUG5s\nWUptaGtTRldkWHczcnJRCjZaL2tZZFM5VDM2SG9EMW1rcmdiMWRPTnNNd0Zpb1BqZ2RmRU1Xb001\nVWJ6L1p4RHp2V2ZDQWovVnloOVc0VFoKcEljUG8xZmhNQVJQcVVDY2N1ZVc3ckpOSDhwSm5yY0VU\nZ2xLdDY3SnZ2S1dKdzhLcEo1ajNzSERkUG56N1Z3NgpsNnRwVWJYU2U2SzY1Zy9Fc25EYkFDS21v\neldQNFVnSGY5akJ0c2FLK0hnUHVKRlYvMlBzMG96bW1XWGxQU0JJCitxQT0KLS0tLS1FTkQgQ0VS\nVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRnN6Q0NBNXVnQXdJ\nQkFnSUNFQUF3RFFZSktvWklodmNOQVFFTEJRQXdiVEVMTUFrR0ExVUVCaE1DVlZNeApFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVkJBb01CME52\nCmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nYjNRZ1EwRXcKSGhjTk1UWXdPVEl6TWpFeE56SXdXaGNOTXpnd09ERTVNakV4TnpJd1dqQmtNUXN3\nQ1FZRFZRUUdFd0pWVXpFUgpNQThHQTFVRUNBd0lRMjlzYjNKaFpHO
HhFREFPQmdOVkJBb01CME52\nYldOaGMzUXhEakFNQmdOVkJBc01CVWxRClEwUk9NU0F3SGdZRFZRUUREQmRVWlhOMGFXNW5JRWx1\nZEdWeWJXVmthV0YwWlNCRFFUQ0NBaUl3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29D\nZ2dJQkFPQ2lCV09BOE15andReTFzRVc4SDNVME1CaWlyU2xyUjk0aApDOU9mQjc5TnVWQVQ3U29q\nNkVYK0RkeDQxeGhyY1lUSDArRk5BVW15RFJuUkticlFRTlJ1alpPZytud0VTcXNxCmUxRmJ2cXJK\nZUZSdStGQmxXSTBCTlNnSEVWdFo4cjZtY0ZuV3V2cXBrOHF2Q1BSemJGUjhKSU1kRisxbzkzZzYK\naDdxanlOdk5zNjZ0UkRieFRHbnpDaEMrNXVVRElubTU5ekdiMnVFdXFlbldkNFZMaXRQVGRyQjRm\nTkFXODhiaApCWDhpSWVCV0xDUGRWT1NLUW9VeEFkaEplM1R4RXlnd1ZYV3dsUHpONjhmL2NyY0FZ\nTmNrVFo1YzdmTzdNV0JCCkR6T0kzcUxRc2R2L1lzR1dSM2g4Z2ZwaDcwMlBndW50Q25PbWhzdjVk\nZCtwcTAxR20zMzJzT0V4dHdONEF3bkoKeFk4REdmbDZYNmVNS2ZoQmt4VmVrbytLaTJEdW1vcWxr\nN2xIOGcvTXg3VCtvTDNDbkR2SHJUZy9Oa0YrV1hzcQphMUFuTGZyRGtyQjRnRVJLSHMrVzhjMVhy\nNXZNM1hMR2lZTEtkVGw5aFp6ejFaRU1OaUozYXE2aW5TOGlVNkxiCmIxeHhDZldjdGV0Q0Vabklx\nbGlSMkszODlGVHI3SDdQdldOTVhGb3M3ek5Ldm81WS81RjIwYjlkRXZJWnFjUnMKYVJhTXFYYmxq\nbnZUOHpiWFpnVTI4YzJpMnZmU2YxSEIrSkFaSTYzVG5oZlVybExDTDRGc3YrRnJNKzduSjdaOQoy\nY2lYR3ZaUG9TL0FWRzdvUW91cEx1UGk0VW1rYUM1RzVsSVpaNXhNbzBIV2oraXN0bVZVOGtkZmlt\nalNVZy9ZCjI5azl1RzBSQWdNQkFBR2paakJrTUIwR0ExVWREZ1FXQkJTamNVRitNa0lLZ0ozeWZh\nREh3TExQa3pmQ3VUQWYKQmdOVkhTTUVHREFXZ0JTbXB2bEJPZXJ6NEJ6c2hYUVlKR3VqeVNEVmJU\nQVNCZ05WSFJNQkFmOEVDREFHQVFILwpBZ0VBTUE0R0ExVWREd0VCL3dRRUF3SUJoakFOQmdrcWhr\naUc5dzBCQVFzRkFBT0NBZ0VBb1o2V0w2YjlPWjdpCm0xTTdLQ0Q5ZHhPbFBUWEp0bGpJMTlIWWNv\ndW9panRIckRoMjRnVHdsTzlkOWxRSWVIa1ovVzhNVjYwRHZOQ2QKUEtrajMzYXNBdG1NaEtHeTI0\nalRGcGF3WXRaaytON3p3MnlHY2gwR0J0UWk3dkZpSmIvaWpGRHI5bzM3cDJWZQp0QU5KUm5WNFEw\nVWhYTUJId0VOdFZZemVjUVhVbWV3c1ErTGkvZnAwb3hUaVppekhXMUlkalM5c2hQcmFJUE9BCmNV\nL0F4enc5ZFphOXkxc1RudnI4RmRkTUZLV01oOFlubHIyajRjQTM5R0kzVmt3c0RaN2EyUnhLTGpE\nY2FWNTkKUXpGOEFFUnMvNFJ4bXVaWTVCVW5oWTNDQ2EwdzZiWGV5d1cxS0hlN0tlUkI1bDVaNkRH\nWU0yUVlJRy9rZUhKcgowb0VXUzE3ZjNtSlZzampQMVlMenV1cnJVQ3Mxc2xjbTZYM3Y2M2FjTm5u\nbitncGhzM2Y4MmdzS0xhOUJWcW05CnJHM1BNTUg0VzlvazFlUUl0bEswMzNEclBrN1RqNnpLVGRH\nWjJMbDY5U0VZMzZCQ0RSaEd5R
0tUZ1RnNU5LZHAKT2g0QWJPNzgreHBCTUV2NW4xZCsvSFg2Zi9C\nL2l3dFdCbVA5TmduZTU1RW5LRHR3V1k3T201My9KM21iMXNrNwpJb2FuYzdMaHN2clozRWgwV3dU\nMi9XK3lEVkFZbVVLTHd6bVQ5aUtPbm1FUWdMWE1GbmRjMERrQTIwRjVCZWhVCmNwUnI1WmFhaUZq\nWDZiRU1adHFURVo4dUZFSmorcElCUlExYUlybHZiMlo2bjZsV3NrekcwRlp1cFRUeUluZVYKT1pO\nUEhMRDhZY2Fvc1J3czBrTG03VGcyMXYyNnRvMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" }, "hostname": "*.http-to-https-test.thecdn.example.com" diff --git a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json index 804c83a6c9..c5a9b3d173 100644 --- a/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json +++ b/traffic_router/core/src/test/resources/api/1.3/cdns/name/thecdn/sslkeys.json 
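Review bot: The replacement `key` no longer appears to belong to the unchanged `crt` of this entry: decoded, the modulus of the new RSA key starts with different bytes than the public key in the first certificate of the chain, whereas the removed key matched it. If the mismatch is intentional, so that `http-to-https-test` is rejected by the new validation, the entry's `"comment"` value should say so instead of still describing a matching test pair, for example `"comment": "Key deliberately does not match the certificate, to exercise certificate validation"`. If it is not intentional, tests that expect this delivery service to serve HTTPS would lose its certificate. The same key replacement is made in the `sslkeys.json` hunk that follows.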
@@ -31,7 +31,7 @@ "deliveryservice": "http-to-https-test", "certificate": { "comment" : "The following is just a self signed certificate and key to use for testing this is NOT private data from a CA", - "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBc2Y0NnV5OGJ2\nQk5rMGhCaEVsbHdGT0dqREh6M1hJY1hteDRVNThNZG9Fa1JId0VTCjVONnd3NFV6bDAvRDcyMlJV\nODlMeHB4bldvclJmdVZNQldnOGVFcXBUb2NUS2NOZHhtZmdEUWZTcTZ1ODNTWkUKTmFCZFArK2g5\nYTJJRFZXWGFldVRhcVA3Q3lVVG52Sld5Mm1JalJWZkRGQWRWWHNhU1M4RGRYUWdibEJTelJ6NwpL\nMXFHVWt1RlZQc0R0ODZBYVF3TnN5R2ZDN3ltcUkzNU1FQ3hTdzNPd2lXSlAyZTg3U2E5UG9Pdjcr\nZUs2NVJnCmM3dzNkSXQxZUlyS3B6OWpQV1RPTkJOK0JhWFdvcHNXZ3UvdVd4Q1pnUk9qaXBWVUFK\nNHhrNFRGMjd0S28zRDUKSHd4RVZOeStlck9FTGI3VWxuaHMxaG1LdVI2RTZwREpHSyt1UFFJREFR\nQUJBb0lCQURkb1RYNFJkdysvOWNXUwpoYlZCbEN0YjVmYXdQQXhZblZlVE1Lekl4ME1yRzZKTUlr\nYU9yL1hkVkNjSkZKUkd4bE9SbHlRWGNmRDBmNnlCCjBuMW9hbEtENDFwbm4rYURRNERNdXlrelF6\naGZlS1piRUNhbGFnSEtKZCtsaWxHa1VFTVBxMDhxQnE3OGRyUW0KK2kvT0JVenQxeTJ0RHNTYVVw\nOXZmQ01tNkNXT1pKOHN6eWZrSk1ZZVVLdXptOWwzMGNNeW84anF0bi9LQjZWWApEVkZmNGpqU1FM\nTzBYbUo1M012TW1xUzlGaVRUdklpQm9iNnkxMEtWZjZpWk5MZnVnVExoWFhQaDFDNTJTUTVvCjZj\nVWdqanh5NFhmYUdub0Y1NlF4M0FIZWRpd0Z6eEFpWGlKOCswUFB3bWI2Q1FGOU1jSzV0QjQzcVZx\nNWNKNFcKTVF1SWpsMENnWUVBMkM3SFh6OHppODQ0anJHa1VvUmF3NE9QcitBdnFIVGY1NEJ2Ujhz\nTzc2NkljRzEvUytmdQoxbXQ2RnBRQVZGeHJvWmxEWHkrWGtTQ0toaEM3cmh6cHQzaVJuRkhkWFpT\nM25MM2ZjWnIzUCtFSXNyb3hLeVFRCmg3dy8xYnEzd3JwUnNOWjZpdDNVSHJvVlRLU2tZQzZvOUor\nYzRPYjVQRzVGcFRvZk81dmRWWHNDZ1lFQTBzYkYKd3pjYzEvcTdEVXpkTkVTaWtNMFdMMkFZanBH\nOFpEYTY0eUcrZ1JkWjhjWmpJUzlkVFpWWVpUODNFSnp2T2dyWgo1NmFYTVN2QVc2ak1oY1VDR05K\nN3JaaGl1Uk9HNVdWM3FzMnFkbmtkQlgrdGhrUE9HT3lNYnhsN1ltUlZXTG11CjBFV3NMQ3VHVFov\neDV5NG02WmNGQldRZUkreVMxanZTTXVkelVhY0NnWUJvVG1ISjlnK2o1Qk5yM2hCZjlCWnIKQVY1\naHlMU1YvaFpPZDZ5NW9pTUp5RmR5ajVKOUNHSTN1TkhHZFJDWG82UVc2NEVUT3o1Uk9yYzdxblV6\ndENXYwpiYU1zSGwvRm1Fempac1daNWVCb1JPYlNmWDNkeDkvbDdoR0t5VFdDMGkwNk9ySVRzS1o1\nVU9XWC9sU0ZSOTRqCmNhUGE2L2JUam8weUJKSXZTNndHWXdLQmdDN045dkpmbGFjY1JWY3h2M
Wt3\nK0l5QkRqRWMvTGNFQTdxWk1LenAKUEYxOEt2djJXdUx1bXFCMHpubEZMVndpRFRsdFdYQUlYVUNN\nLzUwYkFiZWV4TlZ3UUFpUGN6UzM4bGVVVFp0LwpLaUEreXNRQzB5eWlkK3l1OG94bE16SHBKODZa\nQlFtNHZ2L2I5bW5jWDZJL2JHS29wM1BJQksxamhrUE9hdUhrCjVZVzNBb0dBVEtVZlhkWTNad0hM\nWlUxSm1lRldKb29kOW10SHNrM1QyT2hCdDBwNUpSU3hVYWxOY0tkZEcvMVgKMFFCN1E1NWxMZEIz\nT1k2b1NDaEtuK1dUMWNwQ1N3d09PQlJNTmZPOVR1c252NkU2ZlNRWWVwdGNmV2lOb3VBWQpYaDVn\nQTRORzJHeUM5TW9tZUxQbUY0NmJsdU5UYzFxREMzeVZVcVQzdDkxY1RwNytWems9Ci0tLS0tRU5E\nIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==", + "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMHBBWXlmamRz\nZ0NSL0ZXeEQvWE1vbDNwYjRWazlHSFdqTnR4bkdvWHA3OGxxM2p1CitLd012ZlU2ZDVScmdXbHp6\nMlJjZnFhMHdjbkYrNU1abkdkbzRGaGwycnhnT3ZBV2NSb3ZXS3BUaXNUUkcrQXcKbnFneUZTWjNT\nalhUcE9YUjV4dUJJOWI1c3ZIN3RhbzdBcWFLR2I0V3d1TnA3cTZzcUtRYlRxaUlXcE9JQWtFKwpS\nVnJXblBVdHRvaHlTV08yL2dIbDQ2NlU1S0czdC9TU3lqZVRPZ1ZFU0xoQUhlWlk2dExyTGd1YmdM\nanlLVWE5CkpDcWJLa1laZ2UrdWlhKzVVMzZ6alhYRUdBUEdwWWNrM2Zqb1pYN01zM3hkUzV6Zit6\nUDQzSnVVWUtheE5KbVMKRXMvaU1Dc1VPK1htZEtQTFhmWGdPWDNoM0NQdC83U05HR3VlS1FJREFR\nQUJBb0lCQUF1REEwZnZpamRVSHFjYwpERDBpSkJqd1ozWElaamVTTGNldnE2dHdoWENQVzhEZk1M\nbDV0b3lnSHAweENSdWZKMHk4WU80dnNRd3pPdGJCCk9SSTYrUm5pMjFhMUc5RzlGSTBFY0hnNWY2\nM0RpdWNxUDU0ODlkZ0FMVjlxUi9Mbythdlg3aHlHZ1VwT1BvTzEKRmRyVVBoS2dPT0JZekk3WEQr\ndDhaVjNNaXYvZ25aWUphR2dYRDYrODFGaU4veXNXaE5SMEVYYW5Vck1wR2ZtdQpSVm1tYnlvRjNr\nWVV1d3V2SUZIMkdPVFo0VjViR3JGQUJUQUowSWt2MkdmcU9TR08xa1NiWVMxclZjb29uMyswClRz\ncGxLejRUT3NVblp5VUk1UVBpbEI5ak93cjVlbGFRM1lndnZCM0k5TUdvQjRTLy9XWkFVRGFQTjlE\nZXYyU1UKUm1jb2dqMENnWUVBN3oxaEh0c21QZmVOOTA3VWV4clVwMGRMOEJtbmJ5V1k0bkYrbFhp\nalRLQ0xpTjdtNGFSNQpTTHhtZ21nVkhrQ0dOZkEybXFVWHA2dTlNL1BXOGx4SjRjNExLRldCbTVJ\nYjFRdlRZM3hOWDNKWVZYZkhTWkNlCitvaDMwaStmcm9oYmNnZzRpaG9QeDU2aGhpbEdlSXZGSS9l\nMDg0M0Z0dU9mWkgrQ0s1dHRKOU1DZ1lFQTRWQnEKTTNUUlhzbUU3ZHQvSFFza2ladGFjTVdkQldx\nOVRXVlBIb3hBK3VjalFoandGVFhBZzhkZGFsbE9TS1hWNjVGawoxMlphU1lTbTd5VnplS3lVRk4w\nazBxNXpRQkRZQ1FNYVA2YjZYbGxiL2VMaWJQQTMxbU5uRGl2WjdkVWM3UUVqClhUUy9nclFLc2Zl\n
enRVMXUwNG1SMTZ5THhZSHh3MW5IL3NselFKTUNnWUVBMHF6S2lkR1NxNThFZFhRRnlTS24KZ1dk\nWGgrZ1BlZUV4OExiaE1kODZicEF5VUNWNlM5bjZ0QUswZ3NJRlZzNmJZWVJYa1hjd2pZYSs1ckVq\nNStrOQpab3Q3Wjlsa2VRc0JWMnRDaTZrNnVZS0lKenVEVTFUM3FzZmlQRVdUNks1TFdPL0VXbGo0\nN0dEVS9MLzhQc3RXCm40WFM0MmRGWlBpdHRHSlV6dkhmL2VFQ2dZQXVpR3dXaW5hL0s4RmZXbWly\nTitUbzRvUFFMSS9jVVlvZEZPSTkKUGR3aHRXREx3dGk2bUtwVXpQVFhCUEN0QWtybTV0VTd3ekM4\nWkVBUnZkdFdQZFlyWk95NDhqeHRLODFpTnhqUgpzb3VjdHJuUCttNm03d21wSmtoZlhlRVpSRjAv\nK1c4elRiU0xxdUZXbGdDd1hmaVlpWjNzTy85MTMvdHRTL3FJCi9WUG5Md0tCZ1FDNGQ4OXNUL3E3\nNjZMREt6bEhySzVEUkE2TTRENEhMbjEwTWJQVExNdWNweEJlQkY1YnhvQkEKeHRFcVhBRCtyaWVr\nT3IybjJSRHlxeGt0MS9FY2JhcTI5bmNXVFFwZjZ2NkV3cTFGT3JhUDlpdTJFbERBcUcyMApXbmdG\nOUttM0VETUpBQkd5VHhieFgxZTZMRG1LaFcwWFFxRWptVmpGQi9uMFVQOGxJd2F2aGc9PQotLS0t\nLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=", "crt": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZuakNDQTRhZ0F3SUJBZ0lDRUFFd0RRWUpL\nb1pJaHZjTkFRRUxCUUF3WkRFTE1Ba0dBMVVFQmhNQ1ZWTXgKRVRBUEJnTlZCQWdNQ0VOdmJHOXlZ\nV1J2TVJBd0RnWURWUVFLREFkRGIyMWpZWE4wTVE0d0RBWURWUVFMREFWSgpVRU5FVGpFZ01CNEdB\nMVVFQXd3WFZHVnpkR2x1WnlCSmJuUmxjbTFsWkdsaGRHVWdRMEV3SGhjTk1UWXdPVEl6Ck1qSXpO\nREl4V2hjTk16VXhNVEl6TWpJek5ESXhXakNCaFRFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJB\nZ1QKQ0VOdmJHOXlZV1J2TVE4d0RRWURWUVFIRXdaRVpXNTJaWEl4RURBT0JnTlZCQW9UQjBOdmJX\nTmhjM1F4RGpBTQpCZ05WQkFzVEJVbFFRMFJPTVRBd0xnWURWUVFERkNjcUxtaDBkSEF0ZEc4dGFI\nUjBjSE10ZEdWemRDNTBhR1ZqClpHNHVaWGhoYlhCc1pTNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RR\nRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKL2pxN0x4dThFMlRTRUdFU1dYQVU0YU1NZlBkY2h4\nZWJIaFRud3gyZ1NSRWZBUkxrM3JERGhUT1hUOFB2YlpGVAp6MHZHbkdkYWl0Ris1VXdGYUR4NFNx\nbE9oeE1wdzEzR1orQU5COUtycTd6ZEprUTFvRjAvNzZIMXJZZ05WWmRwCjY1TnFvL3NMSlJPZThs\nYkxhWWlORlY4TVVCMVZleHBKTHdOMWRDQnVVRkxOSFBzcldvWlNTNFZVK3dPM3pvQnAKREEyekla\nOEx2S2FvamZrd1FMRkxEYzdDSllrL1o3enRKcjArZzYvdjU0cnJsR0J6dkRkMGkzVjRpc3FuUDJN\nOQpaTTQwRTM0RnBkYWlteGFDNys1YkVKbUJFNk9LbFZRQW5qR1RoTVhidTBxamNQa2ZERVJVM0w1\nNnM0UXR2dFNXCmVHeldHWXE1SG9UcWtNa1lyNjQ5QWdNQkFBR2pnZ0UyTUlJQk1qQUpCZ05WSFJN\nRUF
qQUFNQkVHQ1dDR1NBR0cKK0VJQkFRUUVBd0lHUURBekJnbGdoa2dCaHZoQ0FRMEVKaFlrVDNC\nbGJsTlRUQ0JIWlc1bGNtRjBaV1FnVTJWeQpkbVZ5SUVObGNuUnBabWxqWVhSbE1CMEdBMVVkRGdR\nV0JCVHlRTUw1UzdMbW5PeTlpRUQxdkUwL1ZzN1FTRENCCm1BWURWUjBqQklHUU1JR05nQlNqY1VG\nK01rSUtnSjN5ZmFESHdMTFBremZDdWFGeHBHOHdiVEVMTUFrR0ExVUUKQmhNQ1ZWTXhFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVgpCQW9NQjBO\ndmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nCmIzUWdRMEdDQWhBQU1BNEdBMVVkRHdFQi93UUVBd0lGb0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VG\nQlFjREFUQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQWJpN09yQUNDbldKd3dDM2dmWUVBMmpI\nZ0FNMDRoK1FGQ1hRUnhCZApkd0ZLNDNTaVIwME1CTUdObVl1YUd0RWNTMGZacTVORFp1eFVOZHVM\nMmZselQzbkJ3Sm5DbEZ3aXd0YWwrcTE2CkV2QWtBbUQvU2pxNm5CYm5qNUlqNkRlRE5kOHRJd0ps\ncDMrdCs0RE9rNWt2a2FxS2ptd29EM3RlNG1QdnNIeXQKNElpRG1wRnpqeG83b2o5VkY0RTVtMjZV\nM240aENUYnJ2Ui9RNWlCdDhpT3M1YU8rVlpuTWNyQ3htbmhSYU1sVQpOaXkwTGxCZVVJQ213TE95\nNERQeDc1WVdDMzZEUVhMS2dMcnZ4RktIRmI2SlJoMmNLYzNpcVc3allhNjJwbmhHCllXb1pDdkJO\neXZqbkpIbGZYVDBUNitDN3Btb0ZLNTV5dGNhdFByQk82VEI3TFhUcjlJN2JIN0R2aU9SS1MwMFoK\nOHlPMktva1M1WVZ0T2c4NnNHT2lFOFQxMDFzc0xSNUhWZmVDTVJqc0J4eXdUdUxNRyt1cE9lWDhk\nMGhlUjZNbgp3RlFxUDR0V1A0WEZkSGd0cHlaZHBVYTBXVkZTVXJueDAvV1pDbXZLNFNQcmhzUG5s\nWUptaGtTRldkWHczcnJRCjZaL2tZZFM5VDM2SG9EMW1rcmdiMWRPTnNNd0Zpb1BqZ2RmRU1Xb001\nVWJ6L1p4RHp2V2ZDQWovVnloOVc0VFoKcEljUG8xZmhNQVJQcVVDY2N1ZVc3ckpOSDhwSm5yY0VU\nZ2xLdDY3SnZ2S1dKdzhLcEo1ajNzSERkUG56N1Z3NgpsNnRwVWJYU2U2SzY1Zy9Fc25EYkFDS21v\neldQNFVnSGY5akJ0c2FLK0hnUHVKRlYvMlBzMG96bW1XWGxQU0JJCitxQT0KLS0tLS1FTkQgQ0VS\nVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KTUlJRnN6Q0NBNXVnQXdJ\nQkFnSUNFQUF3RFFZSktvWklodmNOQVFFTEJRQXdiVEVMTUFrR0ExVUVCaE1DVlZNeApFVEFQQmdO\nVkJBZ01DRU52Ykc5eVlXUnZNUTh3RFFZRFZRUUhEQVpFWlc1MlpYSXhFREFPQmdOVkJBb01CME52\nCmJXTmhjM1F4RGpBTUJnTlZCQXNNQlVsUVEwUk9NUmd3RmdZRFZRUUREQTlVWlhOMGFXNW5JRkp2\nYjNRZ1EwRXcKSGhjTk1UWXdPVEl6TWpFeE56SXdXaGNOTXpnd09ERTVNakV4TnpJd1dqQmtNUXN3\nQ1FZRFZRUUdFd0pWVXpFUgpNQThHQTFVRUNBd0lRMjlzYjNKaFpHO
HhFREFPQmdOVkJBb01CME52\nYldOaGMzUXhEakFNQmdOVkJBc01CVWxRClEwUk9NU0F3SGdZRFZRUUREQmRVWlhOMGFXNW5JRWx1\nZEdWeWJXVmthV0YwWlNCRFFUQ0NBaUl3RFFZSktvWkkKaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29D\nZ2dJQkFPQ2lCV09BOE15andReTFzRVc4SDNVME1CaWlyU2xyUjk0aApDOU9mQjc5TnVWQVQ3U29q\nNkVYK0RkeDQxeGhyY1lUSDArRk5BVW15RFJuUkticlFRTlJ1alpPZytud0VTcXNxCmUxRmJ2cXJK\nZUZSdStGQmxXSTBCTlNnSEVWdFo4cjZtY0ZuV3V2cXBrOHF2Q1BSemJGUjhKSU1kRisxbzkzZzYK\naDdxanlOdk5zNjZ0UkRieFRHbnpDaEMrNXVVRElubTU5ekdiMnVFdXFlbldkNFZMaXRQVGRyQjRm\nTkFXODhiaApCWDhpSWVCV0xDUGRWT1NLUW9VeEFkaEplM1R4RXlnd1ZYV3dsUHpONjhmL2NyY0FZ\nTmNrVFo1YzdmTzdNV0JCCkR6T0kzcUxRc2R2L1lzR1dSM2g4Z2ZwaDcwMlBndW50Q25PbWhzdjVk\nZCtwcTAxR20zMzJzT0V4dHdONEF3bkoKeFk4REdmbDZYNmVNS2ZoQmt4VmVrbytLaTJEdW1vcWxr\nN2xIOGcvTXg3VCtvTDNDbkR2SHJUZy9Oa0YrV1hzcQphMUFuTGZyRGtyQjRnRVJLSHMrVzhjMVhy\nNXZNM1hMR2lZTEtkVGw5aFp6ejFaRU1OaUozYXE2aW5TOGlVNkxiCmIxeHhDZldjdGV0Q0Vabklx\nbGlSMkszODlGVHI3SDdQdldOTVhGb3M3ek5Ldm81WS81RjIwYjlkRXZJWnFjUnMKYVJhTXFYYmxq\nbnZUOHpiWFpnVTI4YzJpMnZmU2YxSEIrSkFaSTYzVG5oZlVybExDTDRGc3YrRnJNKzduSjdaOQoy\nY2lYR3ZaUG9TL0FWRzdvUW91cEx1UGk0VW1rYUM1RzVsSVpaNXhNbzBIV2oraXN0bVZVOGtkZmlt\nalNVZy9ZCjI5azl1RzBSQWdNQkFBR2paakJrTUIwR0ExVWREZ1FXQkJTamNVRitNa0lLZ0ozeWZh\nREh3TExQa3pmQ3VUQWYKQmdOVkhTTUVHREFXZ0JTbXB2bEJPZXJ6NEJ6c2hYUVlKR3VqeVNEVmJU\nQVNCZ05WSFJNQkFmOEVDREFHQVFILwpBZ0VBTUE0R0ExVWREd0VCL3dRRUF3SUJoakFOQmdrcWhr\naUc5dzBCQVFzRkFBT0NBZ0VBb1o2V0w2YjlPWjdpCm0xTTdLQ0Q5ZHhPbFBUWEp0bGpJMTlIWWNv\ndW9panRIckRoMjRnVHdsTzlkOWxRSWVIa1ovVzhNVjYwRHZOQ2QKUEtrajMzYXNBdG1NaEtHeTI0\nalRGcGF3WXRaaytON3p3MnlHY2gwR0J0UWk3dkZpSmIvaWpGRHI5bzM3cDJWZQp0QU5KUm5WNFEw\nVWhYTUJId0VOdFZZemVjUVhVbWV3c1ErTGkvZnAwb3hUaVppekhXMUlkalM5c2hQcmFJUE9BCmNV\nL0F4enc5ZFphOXkxc1RudnI4RmRkTUZLV01oOFlubHIyajRjQTM5R0kzVmt3c0RaN2EyUnhLTGpE\nY2FWNTkKUXpGOEFFUnMvNFJ4bXVaWTVCVW5oWTNDQ2EwdzZiWGV5d1cxS0hlN0tlUkI1bDVaNkRH\nWU0yUVlJRy9rZUhKcgowb0VXUzE3ZjNtSlZzampQMVlMenV1cnJVQ3Mxc2xjbTZYM3Y2M2FjTm5u\nbitncGhzM2Y4MmdzS0xhOUJWcW05CnJHM1BNTUg0VzlvazFlUUl0bEswMzNEclBrN1RqNnpLVGRH\nWjJMbDY5U0VZMzZCQ0RSaEd5R
0tUZ1RnNU5LZHAKT2g0QWJPNzgreHBCTUV2NW4xZCsvSFg2Zi9C\nL2l3dFdCbVA5TmduZTU1RW5LRHR3V1k3T201My9KM21iMXNrNwpJb2FuYzdMaHN2clozRWgwV3dU\nMi9XK3lEVkFZbVVLTHd6bVQ5aUtPbm1FUWdMWE1GbmRjMERrQTIwRjVCZWhVCmNwUnI1WmFhaUZq\nWDZiRU1adHFURVo4dUZFSmorcElCUlExYUlybHZiMlo2bjZsV3NrekcwRlp1cFRUeUluZVYKT1pO\nUEhMRDhZY2Fvc1J3czBrTG03VGcyMXYyNnRvMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=" }, "hostname": "*.http-to-https-test.thecdn.example.com" diff --git a/traffic_router/shared/pom.xml b/traffic_router/shared/pom.xml index 59a381924c..7f0af1181b 100644 --- a/traffic_router/shared/pom.xml +++ b/traffic_router/shared/pom.xml @@ -108,20 +108,6 @@ under the License. bcprov-jdk15on 1.57 - - dnsjava - dnsjava - 2.1.7 - - - junit - junit - - - org.hamcrest - hamcrest-all - compile - org.slf4j slf4j-log4j12 diff --git a/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java b/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java index 9da514537a..9d149ec570 100644 --- a/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java +++ b/traffic_router/shared/src/test/java/secure/BindPrivateKeyTest.java @@ -19,6 +19,7 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.mockito.Mockito; import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; @@ -69,7 +70,7 @@ public void before() throws Exception { "Exponent2: " + encode(privateCrtKey.getPrimeExponentQ())+ "\n" + "Coefficient: " + encode(privateCrtKey.getCrtCoefficient())+ "\n"; - privateKey = mock(PrivateKey.class); + privateKey = Mockito.mock(PrivateKey.class); KeyFactory keyFactory = PowerMockito.mock(KeyFactory.class); PowerMockito.mockStatic(KeyFactory.class); 
diff --git a/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java b/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java index d78af4a13e..6670b0aaa1 100644 --- a/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java +++ b/traffic_router/shared/src/test/java/shared/DeliveryServiceCertificatesTest.java @@ -21,6 +21,7 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.ArgumentCaptor; +import org.powermock.api.mockito.PowerMockito; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; @@ -41,7 +42,7 @@ public class DeliveryServiceCertificatesTest { @Before public void before() throws Exception { - mockStatic(System.class); + PowerMockito.mockStatic(System.class); when(System.currentTimeMillis()).thenReturn(1234L); } From 7dd8c23a29152af6553a8dada484da0656d889f6 Mon Sep 17 00:00:00 2001 From: ASchmidt Date: Thu, 14 Mar 2019 14:06:19 -0600 Subject: [PATCH 3/4] Corrected CHANGELOG --- CHANGELOG.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 102ff6a6df..7b6a684269 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). -## [3.0.0] - 2019-02-13 +## [3.0.1] - 2019-03-14 ### Added - Traffic Ops Golang Endpoints - /api/1.4/users `(GET,POST,PUT)` 
@@ -36,8 +36,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Traffic Monitor UI updated to support HTTP or HTTPS traffic.
 - Modified Traffic Router logging format to include an additional field for DNS log entries, namely `rhi`. This defaults to '-' and is only used when EDNS0 client subnet extensions are enabled and a client subnet is present in the request. When enabled and a subnet is present, the subnet appears in the `chi` field and the resolver address is in the `rhi` field.
-## [3.0.0] - 2018-10-30
->>>>>>> 0d2560d98... Add SSL Certificate Validation to Traffic Router (#3380)
+## [3.0.0] - 2019-02-13
 ### Added
 - Removed MySQL-to-Postgres migration tools. This tool is supported for 1.x to 2.x upgrades only and should not be used with 3.x.
 - Backup Edge Cache group: If the matched group in the CZF is not available, this list of backup edge cache group configured via Traffic Ops API can be used as backup. In the event of all backup edge cache groups not available, GEO location can be optionally used as further backup. APIs detailed [here](http://traffic-control-cdn.readthedocs.io/en/latest/development/traffic_ops_api/v12/cachegroup_fallbacks.html)
From bb6d613c1ad680f9c57b795ae0ffebea75e03d9e Mon Sep 17 00:00:00 2001
From: ASchmidt
Date: Thu, 14 Mar 2019 14:17:49 -0600
Subject: [PATCH 4/4] Another CHANGELOG correction
---
 CHANGELOG.md | 25 +------------------------
 1 file changed, 1 insertion(+), 24 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b6a684269..2f55dc53c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,36 +5,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ## [3.0.1] - 2019-03-14
 ### Added
-- Traffic Ops Golang Endpoints
- - /api/1.4/users `(GET,POST,PUT)`
- - /api/1.1/deliveryservices/xmlId/:xmlid/sslkeys `GET`
- - /api/1.1/deliveryservices/hostname/:hostname/sslkeys `GET`
- - /api/1.1/deliveryservices/sslkeys/add `POST`
- - /api/1.1/deliveryservices/xmlId/:xmlid/sslkeys/delete `GET`
- - /api/1.4/cdns/dnsseckeys/refresh `GET`
- - /api/1.1/cdns/name/:name/dnsseckeys `GET`
- - /api/1.4/cdns/name/:name/dnsseckeys `GET`
-- To support reusing a single riak cluster connection, an optional parameter is added to riak.conf: "HealthCheckInterval". This options takes a 'Duration' value (ie: 10s, 5m) which affects how often the riak cluster is health checked. Default is currently set to: "HealthCheckInterval": "5s".
-- Added a new Go db/admin binary to replace the Perl db/admin.pl script which is now deprecated and will be removed in a future release. The new db/admin binary is essentially a drop-in replacement for db/admin.pl since it supports all of the same commands and options; therefore, it should be used in place of db/admin.pl for all the same tasks.
-- Added an API 1.4 endpoint, /api/1.4/cdns/dnsseckeys/refresh, to perform necessary behavior previously served outside the API under `/internal`.
-- Adds the DS Record text to the cdn dnsseckeys endpoint in 1.4.
-- Added monitoring.json snapshotting. This stores the monitoring json in the same table as the crconfig snapshot. Snapshotting is now required in order to push out monitoring changes.
-- To traffic_ops_ort.pl added the ability to handle ##OVERRIDE## delivery service ANY_MAP raw remap text to replace and comment out a base delivery service remap rules. THIS IS A TEMPORARY HACK until versioned delivery services are implemented.
-- Snapshotting the CRConfig now deletes HTTPS certificates in Riak for delivery services which have been deleted in Traffic Ops.
 ### Changed
 - Traffic Router, added TLS certificate validation on certificates imported from Traffic Ops
 - validates modulus of private and public keys
 - validates current timestamp falls within the certificate date bracket
 - validates certificate subjects against the DS URL
-- Traffic Ops Golang Endpoints
- - Updated /api/1.1/cachegroups: Cache Group Fallbacks are included
- - Updated /api/1.1/cachegroups: fixed so fallbackToClosest can be set through API
- - Warning: a PUT of an old Cache Group JSON without the fallbackToClosest field will result in a `null` value for that field
-- Issue 2821: Fixed "Traffic Router may choose wrong certificate when SNI names overlap"
-- traffic_ops/app/bin/checks/ToDnssecRefresh.pl now requires "user" and "pass" parameters of an operations-level user! Update your scripts accordingly! This was necessary to move to an API endpoint with proper authentication, which may be safely exposed.
-- Traffic Monitor UI updated to support HTTP or HTTPS traffic.
-- Modified Traffic Router logging format to include an additional field for DNS log entries, namely `rhi`. This defaults to '-' and is only used when EDNS0 client subnet extensions are enabled and a client subnet is present in the request. When enabled and a subnet is present, the subnet appears in the `chi` field and the resolver address is in the `rhi` field.
+- Traffic Router, changed lookup of TLS certificates to be case-insensitive
 ## [3.0.0] - 2019-02-13
 ### Added