Skip to content

WFCORE-5744 - improve keystore certificate health check #6420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

WFCORE-5744 - improve keystore certificate health check #6420

wants to merge 6 commits into from

Conversation

baranowb
Copy link
Contributor

@baranowb baranowb commented May 9, 2025

@baranowb baranowb added Feature This PR adds a new feature to WildFly 29.x hold Do not merge this PR labels May 9, 2025
@baranowb baranowb requested a review from fjuma May 9, 2025 09:27
@baranowb baranowb changed the title Wfcore 5744 29.x WFCORE-5744 - improve keystore certificate health check May 9, 2025
darranl
darranl requested changes May 9, 2025
View reviewed changes
Copy link
Contributor

@darranl darranl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the pull request, I have added some comments specific to this pull request but I think we also need to step back and get the WildFly feature development process started so we can begin to discuss the general proposed solution to the problem.

elytron/src/main/resources/schema/wildfly-elytron_community_18_1.xsd Outdated
-->

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="urn:wildfly:elytron:community:18.1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to think about what is the correct updates needed here but we avoid minor bumps.

elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreService.java
//delay in ms between service start and periodical check of certificate health
//if set to '0', this will mean one-time off warning, as prior to RFE
private long expirationCheckDelay = DEFAULT_DELAY;
private ScheduledExecutorService scheduledExecutorService;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI as part of the CVE I am working on I am adding the scheduled executor service to the root of the Elytron subsystem so all Elytron services can share the same executor.

elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreService.java
pathResolver = null;
}
} finally {
this.scheduledExecutorService.shutdownNow();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at how this is handled for the executors elsewhere a more complete shutdown solution is needed but the shared executor I am adding will have that,

elytron/src/main/java/org/wildfly/extension/elytron/KeyStoreService.java
final CertificateValidity certificateValidity = CertificateValidity.getValidity(xCertificate.getNotBefore(), xCertificate.getNotAfter());
switch(certificateValidity) {
case ABOUT_TO_EXPIRE:
ROOT_LOGGER.certificateAboutToExpire(keyStoreName, alias);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need a mechanism to avoid spamming the logs for the same certificate, especially if they want a frequent check.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, whats the point of check than ?

@baranowb baranowb force-pushed the WFCORE-5744_29.x branch from f90129f to 8a54d77 Compare May 16, 2025 09:47
@baranowb baranowb force-pushed the WFCORE-5744_29.x branch from 8a54d77 to 7445a58 Compare May 16, 2025 10:21
@wildfly-ci
Copy link

Core -> Full Integration Build 14455 outcome was FAILURE using a merge of 7445a58
Summary: Execution timeout (new); tests passed: 210, ignored: 4 Build time: 10:00:33

@wildfly-ci
Copy link

Core -> Full Integration Build 14461 outcome was UNKNOWN using a merge of 7445a58
Summary: Canceled (Error while applying patch; cannot find commit 4f4c712 in the https://github.com/wildfly/wildfly-core.git repository, possible reason: refs/pull/6420/merge branch was updated and the commit selected for the ... Build time: 00:00:16

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darranl darranl darranl requested changes

@fjuma fjuma Awaiting requested review from fjuma

Assignees
No one assigned
Labels
29.x Feature This PR adds a new feature to WildFly hold Do not merge this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@baranowb @wildfly-ci @darranl