From cf52dc26d25d5cb91601c129cfc78d0d46081f92 Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 13:20:07 -0600
Subject: [PATCH 1/7] Add the ability to traffic Router to customize default https cert
---
 CHANGELOG.md | 1 +
 .../traffic_router/traffic_router_api.rst | 27 ++++++++++++++
 .../secure/CertificateRegistry.java | 37 +++++++++++++++----
 .../traffic_router/utils/HttpsProperties.java | 36 ++++++++++++++----
 .../src/test/java/conf/https.properties | 24 ++++++++++++
 .../test/java/utils/HttpsPropertiesTest.java | 26 +++++++++++++
 6 files changed, 137 insertions(+), 14 deletions(-)
 create mode 100644 traffic_router/connector/src/test/java/conf/https.properties
 create mode 100644 traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b24e6bba9..268834b04d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ## [unreleased]
 ### Added
+- [#7089](https://github.com/apache/trafficcontrol/issues/7089) *Traffic Router* Added the ability to specify HTTPS certificate attributes.
 - [#7109](https://github.com/apache/trafficcontrol/pull/7109) *Traffic Router* Removed `dnssec.zone.diffing.enabled` and `dnssec.rrsig.cache.enabled` parameters.
 - [#7075](https://github.com/apache/trafficcontrol/pull/7075) *Traffic Portal* Added the `lastUpdated` field to all delivery service forms.
 - [#7055](https://github.com/apache/trafficcontrol/issues/7055) *Traffic Portal* Made `Clear Table Filters` option visible to the user.
diff --git a/docs/source/development/traffic_router/traffic_router_api.rst b/docs/source/development/traffic_router/traffic_router_api.rst
index b6047d1ebd..fc6e4cdc8a 100644
--- a/docs/source/development/traffic_router/traffic_router_api.rst
+++ b/docs/source/development/traffic_router/traffic_router_api.rst
@@ -27,6 +27,33 @@ To override the self signed certificates with new ones from a certificate author The API can be configured via HTTPS on port 3443 in :file:`/opt/traffic_router/conf/server.xml` or by setting a :term:`Parameter` named ``secure.api.port`` with ``configFile`` ``server.xml`` on the Traffic Router's :term:`Profile`. When ``systemctl start traffic_router`` is run, it will generate self signed certificates at ``/opt/traffic_router/conf/``, create a new Java Keystore named :file:`/opt/traffic_router/conf/keyStore.jks`, and add the new certificate to the Keystore. The password for the Java Keystore and the Keystore location are stored in :file:`/opt/traffic_router/conf/https.properties`. To override the self signed certificates with new ones from a certificate authority, either replace the Java Keystore in the default location or update the properties for the new Keystore location and password at :file:`/opt/traffic_router/conf/https.properties` and then restart the Traffic Router using ``systemctl``. +Other attributes of the default certificate can also be customized by specifying appropriate values for the following properties in :file:`/opt/traffic_router/conf/https.properties`. These properties are listed below: + +.. 
table:: HTTPS Certificate Attributes + + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | Name | Description | Default | + +==========================================+========================================================================+=========================================================+ + | https.certificate.location | The location of the certificate key store | | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.password | The password for the certificate key store | | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.key.size | The size for the HTTPS keys | 2048 | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.signature.algorithm | The HTTPS signing algorithm to be used | SHA1WithRSA | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.validity.years | The amount of time (in years) for which the cert is valid | 3 | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.certificate.country | The country of the certificate | US | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.certificate.state | The state of the 
certificate | CO | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.certificate.locality | The locality of the certificate | Denver | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.certificate.organization | The organization of the certificate | Apache Traffic Control | + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ + | https.certificate.organizational.unit | The organizational unit of the certificate | Apache Foundation, Hosted by Traffic Control, CDNDefault| + +------------------------------------------+------------------------------------------------------------------------+---------------------------------------------------------+ Traffic Router API endpoints only respond to ``GET`` requests. diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java index c9d1514ab3..d9ac13b48e 100644 --- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java +++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java 
@@ -55,6 +55,15 @@ import java.util.Map;
 public class CertificateRegistry {
+ private static final String HTTPS_PROPERTIES_FILE = "/opt/traffic_router/conf/https.properties";
+ private static final String HTTPS_KEY_SIZE = "https.key.size";
+ private static final String HTTPS_SIGNATURE_ALGORITHM = "https.signature.algorithm";
+ private static final String HTTPS_VALIDITY_YEARS = "https.validity.years";
+ private static final String HTTPS_CERTIFICATE_COUNTRY = "https.certificate.country";
+ private static final String HTTPS_CERTIFICATE_STATE = "https.certificate.state";
+ private static final String HTTPS_CERTIFICATE_LOCALITY = "https.certificate.locality";
+ private static final String HTTPS_CERTIFICATE_ORGANIZATION = "https.certificate.organization";
+ private static final String HTTPS_CERTIFICATE_OU = "https.certificate.organizational.unit";
 public static final String DEFAULT_SSL_KEY = "default.invalid";
 private static final Logger log = LogManager.getLogger(CertificateRegistry.class);
 private CertificateDataConverter certificateDataConverter = new CertificateDataConverter();
@@ -80,8 +89,11 @@ public static CertificateRegistry getInstance() {
 @SuppressWarnings({"PMD.UseArrayListInsteadOfVector", "PMD.AvoidUsingHardCodedIP"})
 private static HandshakeData createDefaultSsl() {
 try {
+ final Map httpsProperties = (new HttpsProperties(HTTPS_PROPERTIES_FILE)).getHttpsPropertiesMap();
 final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
- keyPairGenerator.initialize(2048);
+ int keysize = 2048;
+ keysize = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_KEY_SIZE, String.valueOf(keysize)));
+ keyPairGenerator.initialize(keysize);
 final KeyPair keyPair = keyPairGenerator.generateKeyPair();
 //Generate self signed certificate
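Review bot: `Integer.parseInt` on the `https.key.size` value has no guard, so a non-numeric entry throws `NumberFormatException` into the method's `catch (Exception e)` and the router ends up with no default certificate at all, and nothing stops a configured key size below the 2048 that was hard-coded before; the same unguarded parse is applied to `https.validity.years` later in this commit and in the patch 7 hunk of the same method. I would route both parses through a helper that logs and falls back to the shipped default, and clamp the key size to at least that default before `keyPairGenerator.initialize(keysize)`, as sketched below against this hunk (the patch 7 form differs only in where the parses sit). `DEFAULT_KEY_SIZE` would be a new `private static final int DEFAULT_KEY_SIZE = 2048;` beside the property-name constants. While here, `SHA1WithRSA` remains the fallback signing algorithm and the documented default; SHA-1 certificate signatures are widely deprecated, so a SHA-256 default is worth considering. createDefaultSsl continues past the end of the hunk.
```java
 final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
 int keysize = parseIntOrDefault(httpsProperties.get(HTTPS_KEY_SIZE), DEFAULT_KEY_SIZE, HTTPS_KEY_SIZE);
 if (keysize < DEFAULT_KEY_SIZE) {
 // configuration may strengthen the generated RSA key but never weaken it below the shipped default
 log.warn(HTTPS_KEY_SIZE + " of " + keysize + " is below the minimum of " + DEFAULT_KEY_SIZE + "; using the minimum");
 keysize = DEFAULT_KEY_SIZE;
 }
 keyPairGenerator.initialize(keysize);
 // … unchanged: rest of createDefaultSsl …

 /** Parses a numeric property, falling back to the shipped default (with an error log) when the value is absent or not an integer. */
 private static int parseIntOrDefault(final String value, final int fallback, final String propertyName) {
 if (value == null) {
 return fallback;
 }
 try {
 return Integer.parseInt(value.trim());
 } catch (NumberFormatException e) {
 log.error("Ignoring non-numeric value '" + value + "' for " + propertyName + "; using " + fallback);
 return fallback;
 }
 }
```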
@@ -94,19 +106,30 @@ private static HandshakeData createDefaultSsl() {
 final long now = System.currentTimeMillis();
 final Date startDate = new Date(System.currentTimeMillis());
- final X500Name dnName = new X500Name("C=US; ST=CO; L=Denver; " +
- "O=Apache Traffic Control; OU=Apache Foundation; OU=Hosted by Traffic Control; " +
- "OU=CDNDefault; CN="+DEFAULT_SSL_KEY);
+ String country = "US", state = "CO", locality = "Denver", organization = "Apache Traffic Control",
+ organizationalUnit = "OU=Apache Foundation; OU=Hosted by Traffic Control; OU=CDNDefault",
+ signingAlgorithm = "SHA1WithRSA";
+ int validityLength = 3;
+
+ country = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_COUNTRY, country);
+ state = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_STATE, state);
+ locality = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_LOCALITY, locality);
+ organization = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_ORGANIZATION, organization);
+ organizationalUnit = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_OU, organizationalUnit);
+ final String certAttributes = "C=" + country + "; ST=" + state + "; L=" + locality + "; O=" + organization + organizationalUnit + "; CN=" + DEFAULT_SSL_KEY;
+ final X500Name dnName = new X500Name(certAttributes);
 final BigInteger certSerialNumber = new BigInteger(Long.toString(now));
 final Calendar calendar = Calendar.getInstance();
 calendar.setTime(startDate);
- calendar.add(Calendar.YEAR, 3);
+ validityLength = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_VALIDITY_YEARS, String.valueOf(validityLength)));
+ calendar.add(Calendar.YEAR, validityLength);
 final Date endDate = calendar.getTime();
+ signingAlgorithm = httpsProperties.getOrDefault(HTTPS_SIGNATURE_ALGORITHM, signingAlgorithm);
 // Build certificate
- final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1WithRSA").build(keyPair.getPrivate());
+ final ContentSigner contentSigner = new JcaContentSignerBuilder(signingAlgorithm).build(keyPair.getPrivate());
final JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
@@ -151,7 +174,7 @@ public void setEndPoint(final RouterNioEndpoint routerNioEndpoint) {
 private HandshakeData createApiDefaultSsl() {
 try {
- final Map httpsProperties = (new HttpsProperties()).getHttpsPropertiesMap();
+ final Map httpsProperties = (new HttpsProperties(HTTPS_PROPERTIES_FILE)).getHttpsPropertiesMap();
 final KeyStore ks = KeyStore.getInstance("JKS");
 final String selfSignedKeystoreFile = httpsProperties.get("https.certificate.location");
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
index 1e1a297e6c..295531dbe5 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
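Review bot: The distinguished name is now assembled by string concatenation from configuration values (`certAttributes`), so a country, locality or organization containing `,`, `;`, `=` or `+` is either read as extra RDNs or rejected by `X500Name`, and because `organizationalUnit` arrives as a pre-formatted `OU=…` fragment the operator-facing value and the DN syntax are entangled across two classes; note that the default `organizationalUnit` in this hunk has no leading separator, so the default DN reads `O=Apache Traffic ControlOU=Apache Foundation…` (patch 7 changes that literal to `;OU=…`). Building the name with BouncyCastle's `X500NameBuilder` (`org.bouncycastle.asn1.x500`) and the `BCStyle` identifiers escapes each value per RFC 4514, lets `HttpsProperties` store the OU value exactly as written, and moves the comma split here; the default literal then becomes a plain comma-separated list. createDefaultSsl starts before and ends after this hunk.
```java
 // … unchanged: now / startDate …
 final X500NameBuilder dnBuilder = new X500NameBuilder(BCStyle.INSTANCE)
 .addRDN(BCStyle.C, country)
 .addRDN(BCStyle.ST, state)
 .addRDN(BCStyle.L, locality)
 .addRDN(BCStyle.O, organization);
 for (final String ou : organizationalUnit.split(",")) {
 // one OU RDN per comma-separated entry; the loader keeps the raw property value
 dnBuilder.addRDN(BCStyle.OU, ou.trim());
 }
 final X500Name dnName = dnBuilder.addRDN(BCStyle.CN, DEFAULT_SSL_KEY).build();
 // … unchanged: serial number, validity window, content signer …
```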
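Review bot: `httpsProperties.get("https.certificate.location")` on the line after the changed one still dereferences the map without a null check, although `loadHttpsProperties` returns `null` when the file cannot be read (its `catch` block is visible in the patch 3 hunk of HttpsProperties), so an unreadable `/opt/traffic_router/conf/https.properties` surfaces here as a `NullPointerException` instead of a message naming the file; patch 7 adds a null guard to `createDefaultSsl` but not to this method. A guard right after the changed line, `if (httpsProperties == null) { log.error("Cannot load the API keystore: " + HTTPS_PROPERTIES_FILE + " could not be read"); return null; }`, keeps the two methods consistent. createApiDefaultSsl continues past the end of the hunk.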
@@ -25,24 +25,46 @@ public class HttpsProperties {
 private static final Logger log = LogManager.getLogger(HttpsProperties.class);
- private static final String HTTPS_PROPERTIES_FILE = "/opt/traffic_router/conf/https.properties";
+ private static final String HTTPS_CERTIFICATE_OU = "https.certificate.organizational.unit";
+
 private final Map httpsPropertiesMap;
- public HttpsProperties() {
- this.httpsPropertiesMap = loadHttpsProperties();
+ public HttpsProperties(final String fileName) {
+ this.httpsPropertiesMap = loadHttpsProperties(fileName);
 }
 public Map getHttpsPropertiesMap() {
 return httpsPropertiesMap;
 }
- private static Map loadHttpsProperties() {
+ private static Map loadHttpsProperties(final String fileName) {
 try {
 final Map httpsProperties = new HashMap<>();
- Files.readAllLines(Paths.get(HTTPS_PROPERTIES_FILE)).forEach(propString -> {
+ Files.readAllLines(Paths.get(fileName)).forEach(propString -> {
 if (!propString.startsWith("#")) { // Ignores comments in properties file
- final String[] prop = propString.split("=");
- httpsProperties.put(prop[0], prop[1]);
+ final String[] props = propString.split("=");
+ if (props.length < 2) {
+ log.error("Property malformed, should be in the form key=value");
+ } else {
+ final String key = props[0];
+ final String val = props[1];
+ if (key.equals(HTTPS_CERTIFICATE_OU)) {
+ if (val.equals("") || val.length() < 2) {
+ log.error("Malformed " + HTTPS_CERTIFICATE_OU + " property value");
+ } else {
+ final String[] orgUnits = val.split(",");
+ String organizationalUnit = "";
+ StringBuilder sb = new StringBuilder(organizationalUnit);
+ for (final String ou : orgUnits) {
+ sb = sb.append("; OU=" + ou);
+ }
+ organizationalUnit = sb.toString();
+ httpsProperties.put(key, organizationalUnit);
+ }
+ } else {
+ httpsProperties.put(key, val);
+ }
+ }
 }
 });
 return httpsProperties;
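Review bot: `propString.split("=")` keeps only `props[1]`, so a value containing `=` is silently truncated — the keystore password is the obvious case, since `https.password` is read from this same file — and a blank line is reported as `Property malformed` because `""` does not start with `#`; `final String[] props = propString.split("=", 2);` keeps everything after the first separator, and the comment filter can become `if (!propString.startsWith("#") && !propString.trim().isEmpty()) {`. The `val.equals("")` test is subsumed by `val.length() < 2`, and neither key nor value is trimmed, which is why the test added in this series expects `OU= Test Org Unit 2` with a leading space. Rewriting the OU value into a `; OU=…` DN fragment inside a generic properties loader also means `getHttpsPropertiesMap().get("https.certificate.organizational.unit")` no longer returns what the file says; I would keep the raw value here and let `CertificateRegistry` turn it into RDNs. The `catch` block of `loadHttpsProperties` lies outside this hunk.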
diff --git a/traffic_router/connector/src/test/java/conf/https.properties b/traffic_router/connector/src/test/java/conf/https.properties
new file mode 100644
index 0000000000..2c781e5ba8
--- /dev/null
+++ b/traffic_router/connector/src/test/java/conf/https.properties
@@ -0,0 +1,24 @@
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+https.certificate.location=/opt/traffic_router/conf/keyStore.jks
+https.password=changeit
+https.key.size=1024
+https.signature.algorithm=TestAlgorithm
+https.validity.years=TestValidity
+https.certificate.country=TestCountry
+https.certificate.state=TestState
+https.certificate.locality=TestLocality
+https.certificate.organization=TestOrg
+https.certificate.organizational.unit=Test Org Unit, Test Org Unit 2
\ No newline at end of file
diff --git a/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java b/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
new file mode 100644
index 0000000000..ebc1d6c00e
--- /dev/null
+++ b/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
@@ -0,0 +1,26 @@
+package utils;
+
+import org.apache.traffic_control.traffic_router.utils.HttpsProperties;
+import org.junit.Test;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.equalTo;
+import java.util.Map;
+
+public class HttpsPropertiesTest {
+ @Test
+ public void checkGetHttpsProperties() throws Exception {
+ final String fileName = "src/test/java/conf/https.properties";
+ HttpsProperties httpsProperties = new HttpsProperties(fileName);
+ Map propsMap = httpsProperties.getHttpsPropertiesMap();
+ assertThat(propsMap.get("https.certificate.location"), equalTo("/opt/traffic_router/conf/keyStore.jks"));
+ assertThat(propsMap.get("https.password"), equalTo("changeit"));
+ assertThat(propsMap.get("https.key.size"), equalTo("1024"));
+ assertThat(propsMap.get("https.signature.algorithm"), equalTo("TestAlgorithm"));
+ assertThat(propsMap.get("https.validity.years"), equalTo("TestValidity"));
+ assertThat(propsMap.get("https.certificate.country"), equalTo("TestCountry"));
+ assertThat(propsMap.get("https.certificate.state"), equalTo("TestState"));
+ assertThat(propsMap.get("https.certificate.locality"), equalTo("TestLocality"));
+ assertThat(propsMap.get("https.certificate.organization"), equalTo("TestOrg"));
+ assertThat(propsMap.get("https.certificate.organizational.unit"), equalTo("; OU=Test Org Unit; OU= Test Org Unit 2"));
+ }
+}
From 196ec26e2069fd06b535e3d4ea87d6626006edcb Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 15:26:59 -0600
Subject: [PATCH 2/7] Add license
---
 .../src/test/java/utils/HttpsPropertiesTest.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java b/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
index ebc1d6c00e..3683e076e6 100644
--- a/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
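Review bot: The test pins the loader's current quirks rather than its contract: the expected `"; OU=Test Org Unit; OU= Test Org Unit 2"` locks in the untrimmed leading space and the DN-fragment formatting, while nothing covers a value containing `=`, a blank or comment line, or the `null` return for a missing file. The fixture's `https.validity.years=TestValidity` and `https.signature.algorithm=TestAlgorithm` would make `createDefaultSsl` fail on `Integer.parseInt` and presumably on `JcaContentSignerBuilder`, so a second test that feeds a realistic fixture through `CertificateRegistry` would show whether the registry silently returns `null` for such input. A fixture line `https.password=a=b` with `assertThat(propsMap.get("https.password"), equalTo("a=b"));` would expose the truncation in `loadHttpsProperties`.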
+++ b/traffic_router/connector/src/test/java/utils/HttpsPropertiesTest.java
@@ -1,3 +1,18 @@
+/*
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package utils;
 import org.apache.traffic_control.traffic_router.utils.HttpsProperties;
From d0950128f91ab04c5982ad5871879a1e0abd0ed8 Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 15:39:33 -0600
Subject: [PATCH 3/7] Add debug
---
 .../traffic_router/secure/CertificateRegistry.java | 2 +-
 .../traffic_control/traffic_router/utils/HttpsProperties.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
index d9ac13b48e..75a7e05696 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -151,7 +151,7 @@ private static HandshakeData createDefaultSsl() {
 return new HandshakeData(DEFAULT_SSL_KEY, DEFAULT_SSL_KEY, chain, keyPair.getPrivate());
 } catch (Exception e) {
- log.error("Could not generate the default certificate: "+e.getMessage(),e);
+ log.error("Could not generate the default certificate: " + e + " message is: " + e.getMessage());
 return null;
 }
 }
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
index 295531dbe5..9d0c688882 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
@@ -69,7 +69,7 @@ private static Map loadHttpsProperties(final String fileName) {
 });
 return httpsProperties;
 } catch (Exception e) {
- log.error("Error loading https properties file.");
+ log.error("Error loading https properties file at " + fileName + ", error: " + e.getMessage());
 return null;
 }
 }
From 2295a86ba8100d9772dba9e94a1900d37356808d Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 15:48:33 -0600
Subject: [PATCH 4/7] stacktrace
---
 .../traffic_router/secure/CertificateRegistry.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
index 75a7e05696..7a03836c1f 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -151,7 +151,8 @@ private static HandshakeData createDefaultSsl() {
 return new HandshakeData(DEFAULT_SSL_KEY, DEFAULT_SSL_KEY, chain, keyPair.getPrivate());
 } catch (Exception e) {
- log.error("Could not generate the default certificate: " + e + " message is: " + e.getMessage());
+ log.error("Could not generate the default certificate: " + e);
+ e.printStackTrace();
 return null;
 }
 }
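Review bot: The new message logs only `e.getMessage()` and drops the exception itself, so the exception type and stack trace for a failed read of `fileName` are lost; the same shape persists through the patch 5 and patch 7 versions of this line. Log4j takes the throwable as the last argument, as patch 6 does for `createDefaultSsl`: `log.error("Error loading https properties file at " + fileName, e);`. Since the `catch (Exception e)` then returns `null`, which callers dereference, this log line is the only diagnostic an operator gets for a missing or unreadable properties file. loadHttpsProperties starts before this hunk.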
From c1238b39590a3bebe1f4ce68f845239107321599 Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 15:54:07 -0600
Subject: [PATCH 5/7] fix error log
---
 .../traffic_control/traffic_router/utils/HttpsProperties.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
index 9d0c688882..55b66ea047 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
@@ -69,7 +69,7 @@ private static Map loadHttpsProperties(final String fileName) {
 });
 return httpsProperties;
 } catch (Exception e) {
- log.error("Error loading https properties file at " + fileName + ", error: " + e.getMessage());
+ log.error("Error loading https properties file at ", fileName, ", error: ",e.getMessage());
 return null;
 }
 }
From 8221495bbc7ef568b753c2ecba94ad6a2cc90c6e Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 15:57:09 -0600
Subject: [PATCH 6/7] fix error log
---
 .../traffic_router/secure/CertificateRegistry.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
index 7a03836c1f..8f98311060 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -151,8 +151,7 @@ private static HandshakeData createDefaultSsl() {
 return new HandshakeData(DEFAULT_SSL_KEY, DEFAULT_SSL_KEY, chain, keyPair.getPrivate());
 } catch (Exception e) {
- log.error("Could not generate the default certificate: " + e);
- e.printStackTrace();
+ log.error("Could not generate the default certificate: ", e);
 return null;
 }
 }
From 3f2883edc0779f766cfa256a853fed170c2fa637 Mon Sep 17 00:00:00 2001
From: Srijeet Chatterjee
Date: Thu, 13 Oct 2022 16:42:56 -0600
Subject: [PATCH 7/7] fix tests
---
 .../secure/CertificateRegistry.java | 30 +++++++++----------
 .../traffic_router/utils/HttpsProperties.java | 2 +-
 2 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
index 8f98311060..ded6481c62 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/secure/CertificateRegistry.java
@@ -91,8 +91,20 @@ private static HandshakeData createDefaultSsl() {
 try {
 final Map httpsProperties = (new HttpsProperties(HTTPS_PROPERTIES_FILE)).getHttpsPropertiesMap();
 final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
- int keysize = 2048;
- keysize = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_KEY_SIZE, String.valueOf(keysize)));
+ int keysize = 2048, validityLength = 3;
+ String country = "US", state = "CO", locality = "Denver", organization = "Apache Traffic Control",
+ organizationalUnit = ";OU=Apache Foundation; OU=Hosted by Traffic Control; OU=CDNDefault",
+ signingAlgorithm = "SHA1WithRSA";
+ if (httpsProperties != null) {
+ keysize = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_KEY_SIZE, String.valueOf(keysize)));
+ country = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_COUNTRY, country);
+ state = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_STATE, state);
+ locality = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_LOCALITY, locality);
+ organization = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_ORGANIZATION, organization);
+ organizationalUnit = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_OU, organizationalUnit);
+ validityLength = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_VALIDITY_YEARS, String.valueOf(validityLength)));
+ signingAlgorithm = httpsProperties.getOrDefault(HTTPS_SIGNATURE_ALGORITHM, signingAlgorithm);
+ }
 keyPairGenerator.initialize(keysize);
 final KeyPair keyPair = keyPairGenerator.generateKeyPair();
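Review bot: When `httpsProperties` is `null` the new guard silently falls back to the built-in attribute defaults, so a certificate generated after an unreadable or malformed `/opt/traffic_router/conf/https.properties` is indistinguishable from one generated with configuration applied; an `else` branch such as `log.warn("Could not read " + HTTPS_PROPERTIES_FILE + "; generating the default certificate with built-in attributes");` makes the degraded state visible in the logs. The default `organizationalUnit` literal now begins with `;OU=` while `HttpsProperties` emits `; OU=` for configured values, a cosmetic difference that shows the DN separator logic living in two places. createDefaultSsl continues past both edges of this hunk.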
@@ -105,29 +117,15 @@ private static HandshakeData createDefaultSsl() {
 // Generate cert details
 final long now = System.currentTimeMillis();
 final Date startDate = new Date(System.currentTimeMillis());
-
- String country = "US", state = "CO", locality = "Denver", organization = "Apache Traffic Control",
- organizationalUnit = "OU=Apache Foundation; OU=Hosted by Traffic Control; OU=CDNDefault",
- signingAlgorithm = "SHA1WithRSA";
- int validityLength = 3;
-
- country = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_COUNTRY, country);
- state = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_STATE, state);
- locality = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_LOCALITY, locality);
- organization = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_ORGANIZATION, organization);
- organizationalUnit = httpsProperties.getOrDefault(HTTPS_CERTIFICATE_OU, organizationalUnit);
 final String certAttributes = "C=" + country + "; ST=" + state + "; L=" + locality + "; O=" + organization + organizationalUnit + "; CN=" + DEFAULT_SSL_KEY;
 final X500Name dnName = new X500Name(certAttributes);
 final BigInteger certSerialNumber = new BigInteger(Long.toString(now));
 final Calendar calendar = Calendar.getInstance();
 calendar.setTime(startDate);
- validityLength = Integer.parseInt(httpsProperties.getOrDefault(HTTPS_VALIDITY_YEARS, String.valueOf(validityLength)));
 calendar.add(Calendar.YEAR, validityLength);
 final Date endDate = calendar.getTime();
- signingAlgorithm = httpsProperties.getOrDefault(HTTPS_SIGNATURE_ALGORITHM, signingAlgorithm);
-
 // Build certificate
 final ContentSigner contentSigner = new JcaContentSignerBuilder(signingAlgorithm).build(keyPair.getPrivate());
diff --git a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
index 55b66ea047..d4f19141fd 100644
--- a/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
+++ b/traffic_router/connector/src/main/java/org/apache/traffic_control/traffic_router/utils/HttpsProperties.java
@@ -69,7 +69,7 @@ private static Map loadHttpsProperties(final String fileName) {
 });
 return httpsProperties;
 } catch (Exception e) {
- log.error("Error loading https properties file at ", fileName, ", error: ",e.getMessage());
+ log.error("Error loading https properties file at "+ fileName+ ", error: " +e.getMessage());
 return null;
 }
 }