add validation for keystore certificates

NASA-AMMOS · Nov 8, 2023 · 6c93870 · 6c93870
1 parent bc9888c
commit 6c93870
Showing 1 changed file with 64 additions and 1 deletion.
diff --git a/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java b/cws-installer/src/main/java/jpl/cws/task/CwsInstaller.java
@@ -42,13 +42,19 @@
 import org.w3c.dom.*;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.DocumentBuilder;
+import java.io.FileInputStream;
+import java.util.Enumeration;
+import java.io.IOException;
 
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.lang.Math;
+import java.util.Date;
+import java.text.SimpleDateFormat;
+import java.util.*;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.sql.Connection;
@@ -65,8 +71,14 @@
 import java.util.TimeZone;
 import javax.naming.AuthenticationNotSupportedException;
 import javax.naming.AuthenticationException;
-import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableEntryException;
 
 import javax.tools.ToolProvider;
 
@@ -1766,6 +1778,9 @@ private static void validateConfig() {
 		// Check that user provided Elasticsearch service is up and healthy
 		warningCount += validateElasticsearch();
 
+		// Check that keystore and truststore is valid, not expired
+		warningCount += validateKeystoreTruststore();
+
 		if (installWorker && !installConsole) {
 			// Validate the AMQ host/port for worker only installations.
 			warningCount += validateAmqConfig();
@@ -2371,6 +2386,54 @@ private static int validateElasticsearch() {
 		}
 	}
 
+	/**
+	 * Validates the .keystore file in tomcat_lab. Checks for correct file name and expiration
+	 */
+	private static int validateKeystoreTruststore() {
+		print("checking that user provided valid .keystore file and certificate chain...");
+		Path filePath;
+		filePath = Paths.get(cws_tomcat_conf + SEP + ".keystore");
+		String keystoreFilePath = filePath.toString();
+		long ONE_DAY_MS  = 24 * 60 * 60 * 1000;	// 24 hours
+		try {
+			KeyStore ks = KeyStore.getInstance("JKS");
+			ks.load(new FileInputStream(keystoreFilePath), "changeit".toCharArray());
+			Enumeration aliases = ks.aliases();
+			while(aliases.hasMoreElements()) {
+				String keystoreRoot = (String) aliases.nextElement();
+				Date expirationDate = ((X509Certificate) ks.getCertificate(keystoreRoot)).getNotAfter();
+				Date currentTime = new Date();
+				long daysInterval = expirationDate.getTime() - currentTime.getTime();
+				long numDays = daysInterval / (ONE_DAY_MS);
+				if (numDays <= 0) {
+					print("   [WARNING]");
+					print("       The Certificate Chain in Keystore '" + keystoreFilePath + "' is expired. ");
+					print("       Expiration Date: " + expirationDate);
+					print("");
+					return 1;
+				} else if (numDays > 0 && numDays < 90) {
+					print("   [OK]");
+					print("       NOTICE: Make sure to renew the certificates within the .keystore certificate chain soon.");
+					print("               Certificate(s): '" + keystoreFilePath + "' ");
+					print("               Expiration Date: " + expirationDate);
+					print("               Days Until expiration: " + numDays + " days");
+					print("");
+					return 0;
+				} else {
+					print("   [OK]");
+					print("");
+				}
+			}
+		} catch (Exception e) {
+			print("   [WARNING]");
+			print("       The path '" + cws_tomcat_conf + SEP + "' may not contain .keystore file or holds an invalid keystore.");
+			print("");
+			e.printStackTrace();
+			return 1;
+		}
+		return 0; // OK
+	}
+
 	/**
 	 * Validates that some sort of time syncing service
 	 * such as NTP or chrony is running on this installation machine.