Check certificate validity on startup #3902

Open
1000TurquoisePogs opened this issue Jul 8, 2024 · 0 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

1000TurquoisePogs commented Jul 8, 2024

It would be helpful if Zowe could validate your certificate both at init time and at runtime.
It's not uncommon to have a certificate with wrong EKU requirements, but it's also possible to have your certificate be valid at one point, but then expire when you aren't looking.

Keytool seems like a good way to check this. It can print out PKCS12 and keyring content, including ICSF keys (via hwkeyring instead).

Prototype: if you added this logic here

common.printFormattedInfo("ZWELS", "zwe-internal-start-prepare", "Zowe runtime environment prepared");

```javascript
    // The surrounding zwe-internal-start-prepare.js already provides common,
    // shell and ZOWE_CONFIG; nothing else is imported for this block.
    let certAlias = ZOWE_CONFIG.zowe.certificate.keystore.alias;
    let keystore = ZOWE_CONFIG.zowe.certificate.keystore.file;
    let keystoreType = ZOWE_CONFIG.zowe.certificate.keystore.type;
    let javaHome = ZOWE_CONFIG.java.home;
    let pass = ZOWE_CONFIG.zowe.certificate.keystore.password;

    if (ZOWE_CONFIG.zowe.verifyCertificates != "DISABLED") {
      // Caveats: a repeated -J-D<property> keeps only the last value, and a
      // PKCS12 password given via -storepass is visible in the process list.
      const errOut = shell.execOutSync('sh', '-c', `${javaHome}/bin/keytool -J-Djava.protocol.handler.pkgs=com.ibmkeytool -J-Djava.protocol.handler.pkgs=com.ibm.crypto.provider -list -v -keystore ${keystore} -storetype ${keystoreType} ${keystoreType != 'PKCS12' ? '' : '-storepass '+pass} -alias `+ certAlias);
      if (errOut.rc != 0 || !errOut.out) {
        common.printErrorAndExit(`Error ZWEL0999E: keytool could not read certificate ${certAlias} from ${keystore}`, undefined, 999);
      }
      const listing = errOut.out;

      // keytool -v prints the EKU extension as "ExtendedKeyUsages [" (OpenJDK)
      // with well-known purposes by name, so accept the OID or the name.
      if (/Ext(ended)?KeyUsage/.test(listing)) {
        let fail = false;
        if (listing.indexOf('1.3.6.1.5.5.7.3.1') == -1 && listing.indexOf('serverAuth') == -1) {
          common.printFormattedError('ZWELS', "zwe-internal-start-prepare", "Missing TLS Web Server Authentication property for Extended Key Usage of certificate "+certAlias);
          fail=true;
        }
        if (listing.indexOf('1.3.6.1.5.5.7.3.2') == -1 && listing.indexOf('clientAuth') == -1) {
          common.printFormattedError('ZWELS', "zwe-internal-start-prepare", "Missing TLS Web Client Authentication property for Extended Key Usage of certificate "+ certAlias);
          fail=true;
        }
        if (fail) {
          common.printErrorAndExit('Error ZWEL0999E: Certificate invalid for Zowe. Correct or remove the Extended Key Usage property of '+certAlias, undefined, 999);
        }
      }

      // The first "Valid from: ... until: ..." line is Certificate[1], the
      // entity certificate; guard instead of chaining split() on missing text.
      const validity = /Valid from: (.+?) until: (.+)/.exec(listing);
      if (!validity) {
        common.printErrorAndExit(`Error ZWEL0999E: Could not find validity period of certificate ${certAlias} in keytool output`, undefined, 999);
      }
      // Date is in java.util.Date.toString() form, e.g. "Tue Jul 08 10:00:00 UTC 2025";
      // zone abbreviations may not parse in every runtime, hence the NaN check.
      let expireDate = new Date(validity[2].trim());
      let currentTime = new Date();
      if (isNaN(expireDate.getTime())) {
        common.printFormattedError('ZWELS', "zwe-internal-start-prepare", `Could not parse expiration date "${validity[2].trim()}" of certificate ${certAlias}`);
      } else if (expireDate.getTime() < currentTime.getTime()) {
        common.printErrorAndExit(`Error ZWEL0999E: Certificate expired on ${expireDate}`, undefined, 999);
      }
    }
```

This will print out if you're missing EKU properties, or if your certificate has expired.
May need adjustment for time zones, hwkeytool, and PKCS12.

@jp669844 jp669844 added enhancement New feature or request good first issue Good for newcomers labels Jul 8, 2024
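A runnable version of the check sketched in the issue, added here as an example; it is neither Zowe project code nor the issue author's prototype. It separates parsing the keytool listing from running keytool, so the parsing can be tested offline against a constructed sample, accepts the EKU purposes by OID or by the names OpenJDK's keytool prints, guards against a missing validity line, and goes a little beyond the prototype by returning a verdict (with a not-yet-valid error and an expires-soon warning) rather than exiting, so one function serves both the startup check and a periodic runtime check. The argv builder keeps the store password out of the command line by using keytool's `-storepass:env` form; the variable name ZWE_KEYSTORE_PASSWORD is an assumption, and the listing layout assumed is OpenJDK keytool's, which hwkeytool may not match.

```javascript
// Added example (not Zowe project code): parse "keytool -list -v" output and
// judge EKU and validity for Zowe's TLS use. Layout assumed is OpenJDK keytool's.
const OID_EKU = '2.5.29.37';                 // id-ce-extKeyUsage
const OID_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'; // id-kp-serverAuth
const OID_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'; // id-kp-clientAuth
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Argv for keytool as an array, to be spawned without "sh -c": nothing from
// the config is interpolated into a shell string, and the PKCS12 password is
// read by keytool from an environment variable ("-storepass:env VAR") instead
// of appearing in argv where "ps" can read it. The variable name is assumed.
function buildKeytoolArgs(javaHome, keystore, storeType, alias) {
  const args = [`${javaHome}/bin/keytool`, '-list', '-v', '-keystore', keystore,
                '-storetype', storeType, '-alias', alias];
  if (storeType === 'PKCS12') args.push('-storepass:env', 'ZWE_KEYSTORE_PASSWORD');
  return args;
}

// keytool prints dates in java.util.Date.toString() form, e.g.
// "Tue Jul 08 10:00:00 UTC 2025". UTC/GMT are converted exactly; other zone
// abbreviations are ambiguous and are left to the runtime's Date parser.
function parseKeytoolDate(text) {
  const m = /^(?:\w{3} )?(\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (\d{4})$/.exec(text.trim());
  if (!m || !(m[1] in MONTHS)) return null;
  const [, mon, day, hh, mm, ss, tz, year] = m;
  if (tz === 'UTC' || tz === 'GMT') {
    return new Date(Date.UTC(+year, MONTHS[mon], +day, +hh, +mm, +ss));
  }
  const t = Date.parse(text.trim());
  return Number.isNaN(t) ? null : new Date(t);
}

// The first "Valid from: ... until: ..." line belongs to Certificate[1], the
// entity certificate; later ones describe the chain and are ignored.
function parseValidity(listing) {
  const m = /Valid from: (.+?) until: (.+)/.exec(listing);
  if (!m) return null;
  const notBefore = parseKeytoolDate(m[1]);
  const notAfter = parseKeytoolDate(m[2]);
  return notBefore && notAfter ? { notBefore, notAfter } : null;
}

// OpenJDK keytool prints known purposes by name (serverAuth, clientAuth) and
// unknown ones as dotted OIDs, so accept either spelling.
function parseExtendedKeyUsage(listing) {
  const present = listing.includes(OID_EKU) || /Ext(ended)?KeyUsage/.test(listing);
  const has = (oid, name) => listing.includes(oid) || new RegExp(`\\b${name}\\b`).test(listing);
  return { present,
           serverAuth: has(OID_SERVER_AUTH, 'serverAuth'),
           clientAuth: has(OID_CLIENT_AUTH, 'clientAuth') };
}

// Returns a verdict instead of exiting, so the caller can fail hard at startup
// and only warn from a periodic runtime check. An absent EKU extension is
// accepted (no restriction); a present one must list both purposes.
function assessCertificate(listing, now = new Date(), warnDays = 30) {
  const errors = [];
  const warnings = [];
  const eku = parseExtendedKeyUsage(listing);
  if (eku.present) {
    if (!eku.serverAuth) errors.push(`EKU lacks TLS Web Server Authentication (${OID_SERVER_AUTH})`);
    if (!eku.clientAuth) errors.push(`EKU lacks TLS Web Client Authentication (${OID_CLIENT_AUTH})`);
  }
  const validity = parseValidity(listing);
  if (!validity) {
    errors.push('validity period not found in keytool output');
  } else {
    const msLeft = validity.notAfter.getTime() - now.getTime();
    if (validity.notBefore.getTime() > now.getTime()) errors.push('certificate is not yet valid');
    if (msLeft < 0) errors.push(`certificate expired on ${validity.notAfter.toISOString()}`);
    else if (msLeft < warnDays * 86400000) warnings.push(`certificate expires on ${validity.notAfter.toISOString()}`);
  }
  return { ok: errors.length === 0, errors, warnings, notAfter: validity ? validity.notAfter : null };
}

// Constructed sample listing (not real keytool output): the EKU carries only
// serverAuth, and the certificate expires on 2025-07-08.
const SAMPLE_LISTING = `Alias name: localhost
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, O=Zowe, C=US
Issuer: CN=Zowe Development CA, O=Zowe, C=US
Valid from: Mon Jul 08 10:00:00 UTC 2024 until: Tue Jul 08 10:00:00 UTC 2025
Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]
`;

// Startup-style use against a fixed clock; a real startup would pass new Date().
const verdict = assessCertificate(SAMPLE_LISTING, new Date(Date.UTC(2025, 0, 1)));
console.log(verdict.ok ? 'certificate OK' : `certificate problems: ${verdict.errors.join('; ')}`);
```

At startup a caller would spawn `buildKeytoolArgs(...)` directly (no shell), hand keytool's stdout to `assessCertificate`, and exit on `errors`; the same call on a timer, with `warnDays` set to the lead time the operator wants, gives the runtime check the issue asks for without repeating the parsing logic.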