Add certificate validation to check headers

harikrishna-patnala · harikrishna-patnala · commit 4d6e190659d3 · 2024-06-14T15:36:44.000+05:30
diff --git a/framework/security/src/main/java/org/apache/cloudstack/framework/security/keystore/KeystoreManager.java b/framework/security/src/main/java/org/apache/cloudstack/framework/security/keystore/KeystoreManager.java
@@ -18,6 +18,7 @@
 
 import com.cloud.agent.api.LogLevel;
 import com.cloud.agent.api.LogLevel.Log4jLevel;
+import com.cloud.utils.Pair;
 import com.cloud.utils.component.Manager;
 
 public interface KeystoreManager extends Manager {
@@ -59,7 +60,7 @@ public String getRootCACert() {
         }
     }
 
-    boolean validateCertificate(String certificate, String key, String domainSuffix);
+    Pair<Boolean, String> validateCertificate(String certificate, String key, String domainSuffix);
 
     void saveCertificate(String name, String certificate, String key, String domainSuffix);
 
diff --git a/framework/security/src/main/java/org/apache/cloudstack/framework/security/keystore/KeystoreManagerImpl.java b/framework/security/src/main/java/org/apache/cloudstack/framework/security/keystore/KeystoreManagerImpl.java
@@ -30,6 +30,7 @@
 
 import javax.inject.Inject;
 
+import com.cloud.utils.Pair;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
@@ -47,24 +48,38 @@ public class KeystoreManagerImpl extends ManagerBase implements KeystoreManager
     private KeystoreDao _ksDao;
 
     @Override
-    public boolean validateCertificate(String certificate, String key, String domainSuffix) {
+    public Pair<Boolean, String> validateCertificate(String certificate, String key, String domainSuffix) {
+        String errMsg = null;
         if (StringUtils.isAnyEmpty(certificate, key, domainSuffix)) {
-            s_logger.error("Invalid parameter found in (certificate, key, domainSuffix) tuple for domain: " + domainSuffix);
-            return false;
+            errMsg = String.format("Invalid parameter found in (certificate, key, domainSuffix) tuple for domain: %s", domainSuffix);
+            s_logger.error(errMsg);
+            return new Pair<>(false, errMsg);
+        }
+
+        if (!verifyCertificateHeaders(certificate)) {
+            errMsg = "Certificate headers verification failed: Invalid PEM format.";
+            s_logger.error(errMsg);
+            return new Pair<>(false, errMsg);
         }
 
         try {
             String ksPassword = "passwordForValidation";
             byte[] ksBits = CertificateHelper.buildAndSaveKeystore(domainSuffix, certificate, getKeyContent(key), ksPassword);
             KeyStore ks = CertificateHelper.loadKeystore(ksBits, ksPassword);
             if (ks != null)
-                return true;
-
-            s_logger.error("Unabled to construct keystore for domain: " + domainSuffix);
+                return new Pair<>(true, errMsg);
+            errMsg = String.format("Unable to construct keystore for domain: %s", domainSuffix);
+            s_logger.error(errMsg);
         } catch (Exception e) {
-            s_logger.error("Certificate validation failed due to exception for domain: " + domainSuffix, e);
+            errMsg = String.format("Certificate validation failed due to exception for domain: %d", domainSuffix);
+            s_logger.error(errMsg, e);
         }
-        return false;
+        return new Pair<>(false, errMsg);
+    }
+
+    public boolean verifyCertificateHeaders(String certificate) {
+        return certificate.startsWith("-----BEGIN CERTIFICATE-----") &&
+                certificate.endsWith("-----END CERTIFICATE-----");
     }
 
     @Override
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -4484,8 +4484,11 @@ public String uploadCertificate(final UploadCustomCertificateCmd cmd) {
         final String certificate = cmd.getCertificate();
         final String key = cmd.getPrivateKey();
 
-        if (cmd.getPrivateKey() != null && !_ksMgr.validateCertificate(certificate, key, cmd.getDomainSuffix())) {
-            throw new InvalidParameterValueException("Failed to pass certificate validation check");
+        if (key != null) {
+            Pair<Boolean, String> result = _ksMgr.validateCertificate(certificate, key, cmd.getDomainSuffix());
+            if (!result.first()) {
+                throw new InvalidParameterValueException(String.format("Failed to pass certificate validation check with error: %s", result.second()));
+            }
         }
 
         if (cmd.getPrivateKey() != null) {

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`
`19`	`19`	`import com.cloud.agent.api.LogLevel;`
`20`	`20`	`import com.cloud.agent.api.LogLevel.Log4jLevel;`
	`21`	`+import com.cloud.utils.Pair;`
`21`	`22`	`import com.cloud.utils.component.Manager;`
`22`	`23`
`23`	`24`	`public interface KeystoreManager extends Manager {`
`@@ -59,7 +60,7 @@ public String getRootCACert() {`
`59`	`60`	`}`
`60`	`61`	`}`
`61`	`62`
`62`		`- boolean validateCertificate(String certificate, String key, String domainSuffix);`
	`63`	`+ Pair<Boolean, String> validateCertificate(String certificate, String key, String domainSuffix);`
`63`	`64`
`64`	`65`	`void saveCertificate(String name, String certificate, String key, String domainSuffix);`
`65`	`66`