Fail gracefully on missing certificate (#527)

ibm-messaging · Oct 6, 2023 · ff8a0bc · ff8a0bc
1 parent 71b2516
commit ff8a0bc
Show file tree

Hide file tree

Showing 3 changed files with 82 additions and 4 deletions.
diff --git a/internal/tls/tls.go b/internal/tls/tls.go
@@ -246,6 +246,12 @@ func processKeys(tlsStore *TLSStore, keystoreDir string, keyDir string) (string,
 				return "", err
 			}
 
+			// Return an error if corresponding public certificate was not found. Both private key and
+			// it's corresponding public certificate are required.
+			if publicCertificate == nil {
+				return "", fmt.Errorf("Failed to find public certificate in directory %s", keyDir)
+			}
+
 			// Validate certificates for duplicate Subject DNs
 			if len(caCertificate) > 0 {
 				errCertValid := validateCertificates(publicCertificate, caCertificate)
@@ -411,7 +417,7 @@ func processCertificates(keyDir string, keySetName, keyPrefix string, keys []os.
 			// Add to known certificates for the CMS Keystore
 			err = addToKnownCertificates(block, cmsKeystore, false)
 			if err != nil {
-				return nil, nil, fmt.Errorf("Failed to add to know certificates for CMS Keystore")
+				return nil, nil, fmt.Errorf("Failed to add to known certificates for CMS Keystore")
 			}
 
 		} else if strings.HasSuffix(key.Name(), ".crt") {
@@ -431,14 +437,14 @@ func processCertificates(keyDir string, keySetName, keyPrefix string, keys []os.
 				// Add to known certificates for the CMS Keystore
 				err = addToKnownCertificates(block, cmsKeystore, false)
 				if err != nil {
-					return nil, nil, fmt.Errorf("Failed to add to know certificates for CMS Keystore")
+					return nil, nil, fmt.Errorf("Failed to add to known certificates for CMS Keystore")
 				}
 
 				if p12Truststore.Keystore != nil {
 					// Add to known certificates for the PKCS#12 Truststore
 					err = addToKnownCertificates(block, p12Truststore, true)
 					if err != nil {
-						return nil, nil, fmt.Errorf("Failed to add to know certificates for PKCS#12 Truststore")
+						return nil, nil, fmt.Errorf("Failed to add to known certificates for PKCS#12 Truststore")
 					}
 				}
 

diff --git a/test/container/docker_api_test.go b/test/container/docker_api_test.go
@@ -1428,7 +1428,7 @@ func TestLoggingConsoleSource(t *testing.T) {
 	if errJson != nil {
 		t.Errorf("%v", errJson)
 	}
-	
+
 	//Check for web server logs existence in console logs since its visibility is default along with qmgr logs
 	jsonLogs, errJson = waitForMessageInLog(t, cli, id, "CWWKF0011I")
 	if errJson != nil {
@@ -2026,3 +2026,47 @@ func TestRORFSVerifySymLinks(t *testing.T) {
 	// Stop the container cleanly
 	stopContainer(t, cli, ID)
 }
+
+// Quick test to check expected error message is displayed on the
+// console if only key file is provided and no certificate.
+func TestMissingCertError(t *testing.T) {
+	t.Parallel()
+
+	cli := ce.NewContainerClient()
+
+	containerConfig := ce.ContainerConfig{
+		Env: []string{
+			"LICENSE=accept",
+			"MQ_QMGR_NAME=QM1",
+		},
+		Image: imageName(),
+	}
+	hostConfig := ce.ContainerHostConfig{
+		Binds: []string{
+			coverageBind(t),
+			tlsDirDN(t, false, "../tlsnocert") + ":/etc/mqm/pki/keys/QM1",
+		},
+	}
+
+	networkingConfig := ce.ContainerNetworkSettings{}
+	ctrID, err := cli.ContainerCreate(&containerConfig, &hostConfig, &networkingConfig, t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer cleanContainer(t, cli, ctrID)
+	startContainer(t, cli, ctrID)
+
+	rc := waitForContainer(t, cli, ctrID, 30*time.Second)
+	// Expect return code 1 if container failed to create.
+	if rc == 1 {
+		// Get container logs and search for specific message.
+		logs := inspectLogs(t, cli, ctrID)
+		expectedMessage := "Failed to find public certificate in directory"
+		if !strings.Contains(logs, expectedMessage) {
+			t.Errorf("Expected to find '%s' but was not found", expectedMessage)
+		}
+	} else {
+		// Some other error occurred
+		t.Errorf("Some other error occurred %v", rc)
+	}
+}
diff --git a/test/tlsnocert/server.key b/test/tlsnocert/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCy5g19zgf+A5cy
+cys/xHXOalXY3SDf7vKQKUkD3r09JgLEitbsNjDm3jqOAgwgZmm2Hrrxs2eLd0on
+o3bByvqgGDBVudZcU27pb+ZFD70wTmNiQhDZFQxY6nCvEvSLSP1M05pwaJb2ZlCs
+0Th8wP6RW/45IZc6iTvk6iAVyixeYHRRU4hx3Kn6FMlTlZ/uPVfM+ltq6JM+ECFm
+uQ5YelUtQelV3YoSb+T/R1fD/BTrXn4QPOcmklSpRUvwAl0W+RZrZmBwZ4IS5LR0
+u9bPynD3l9u0NTXCoZmTLx0R/eYahHD9uUukhruvXogi5MaWySqht357X6KC1A30
+djx0FCe1AgMBAAECggEAagD5A49+mtwjzigB+4H80Def8KVuomIi5psgAaQM+9u3
+DiC6ozKlHVeW2KiL6PLmNpzU5v0IINKpZP1uE/yjLxPGKDW6t/BUKww8JLXjw2jf
+aMx+0TKwo0sfRA32S0YPmWNVAsBmm1AbA5vhXcK51QXuiInH406H5+d25ZJrYevF
+liKWSjx9CM/0XO7t20j18mCa8RjBEdsZoHxHsoWNvFJ6DCR25cFShAhR7s4OtkUk
+yELm1tYYrFOffUM0Q/Fp9uSlCHWMSqPtf/6NEfnszfFEtzDh/N+YqC1Bexv0XPsD
+dBPOkUZjWA2Sc8Se1t2GLfrRURzj3GvWH1+GssjsAQKBgQDeIdyzQSqce4Kn0opa
+vdS5moCiv3pyfNd0nYe0awgVos4kHY7/nBq0eyMZAatRHeD3DunVsw3LmvWyEw53
+app7MTTjVrYaadoBlB6jy2elyF5RcW2jGchZExoNh+0ZQWUiMbYEozPLQTy9ZxMz
+t0OcZ1hHPngGgmj5TELZKkwEtQKBgQDOLLh7pdKrdudtim+o4H20jl5yYKl25Iq/
+DKVodwUd94cM7xAIOQJrx2XK/YPCfRkKRN1wxzAhYdIVkaaKDVhI8Jeu+H18QOa6
+5OlzzZcqJCtACpbVqLaDcmq8pRrAYekiwMIKwC95llvktjilvLfoUnQoXAaX8E8B
+yCSUvDh3AQKBgQCxa0h04DLho4Da/D3HdmHHERF3bAqoEPCh0wTF5MsjRNLzY6yI
+mq11w/hni77C3mOF0SKRrh7xpcZiQfhHBx12EfpVLjfq5uraYe0LFHanol87G6bf
+I8Oy6Z/geNW2W1YktqHUGGpRCL0z5nUe1FyrOpv2431Ibbbcj73A6JipFQKBgHdl
+vJyWpk73+AQe1JUnFIU4oYd5ZQpeRd9n8m5x5ru4+jPKSi2I3lcOTWvlrqU2Dwc8
+ZEUIhV3/qUsmYxy1p7ft5NnGO912NGhtYqjWmcEk2wsmVr17C99JpniC4OAik4G1
+wWm6bIPsSGFGCb4pcROQlIY+7O6WkxqEDnM4ITcBAoGAHXBKmadFpupUeGSkCwEo
+/VjeI4QoKKcWj9K8z8ifCVPz1FiQ1AJ91WMTM7PAmpEDX058Hor9xxJ2bEtQFwUS
+QKvjeU+/Ig0TWjsJBgBPvc0xYLaJptAbjvG4a5nBn7hwbRzLTcKx2OVTmdAkz00H
+1lq8cwizfwNgt8ldFFDDRvw=
+-----END PRIVATE KEY-----