author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-05-07 13:47:14 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-05-07 13:47:14 +0200 |
commit | a103f81ffe357db9c6ae2a2f99877d5a2ed5449f (patch) | |
tree | 5f3833731a210d7d6c80f4c78f464a3de5f0b8a6 | |
parent | c58fa11663f1c5d1ed782f433e6eb8025670c496 (diff) | |
parent | abd49c24b3b1eee2cf8601a71063538debf73223 (diff) |
Merge pull request #5805 from vespa-engine/bjorncs/node-agent-sia
Bjorncs/node agent sia
3 files changed, 56 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
index a02653fbda7..f9eff903425 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
@@ -11,4 +11,5 @@ public interface AthenzIdentity {
     default String getFullName() {
         return getDomain().getName() + "." + getName();
     }
+    default String getDomainName() { return getDomain().getName(); }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
new file mode 100644
index 00000000000..70227eae91c
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
@@ -0,0 +1,50 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
+import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
+
+/**
+ * Generates a {@link Pkcs10Csr} for an instance.
+ *
+ * @author bjorncs
+ */
+public class InstanceCsrGenerator {
+
+    private final String dnsSuffix;
+
+    public InstanceCsrGenerator(String dnsSuffix) {
+        this.dnsSuffix = dnsSuffix;
+    }
+
+    public Pkcs10Csr generateCsr(AthenzIdentity instanceIdentity,
+                                VespaUniqueInstanceId instanceId,
+                                Set<String> ipAddresses,
+                                KeyPair keyPair) {
+        X500Principal subject = new X500Principal("CN=" + instanceIdentity.getFullName());
+        // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+        // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+        Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+                .addSubjectAlternativeName(
+                        DNS_NAME,
+                        String.format(
+                                "%s.%s.%s",
+                                instanceIdentity.getName(),
+                                instanceIdentity.getDomainName().replace(".", "-"),
+                                dnsSuffix))
+                .addSubjectAlternativeName(DNS_NAME, String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix));
+        ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+        return pkcs10CsrBuilder.build();
+    }
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
index 29be201fb43..2135f569aeb 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
@@ -57,6 +57,11 @@ public class Pkcs10CsrBuilder {
         return this;
     }
 
+    public Pkcs10CsrBuilder addSubjectAlternativeName(SubjectAlternativeName.Type type, String value) {
+        this.subjectAlternativeNames.add(new SubjectAlternativeName(type, value));
+        return this;
+    }
+
     public Pkcs10CsrBuilder setBasicConstraints(boolean isCritical, boolean isCertAuthorityCertificate) {
         this.basicConstraintsExtension = new BasicConstraintsExtension(isCritical, isCertAuthorityCertificate);
         return this;
|
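Review bot: The subject on the `X500Principal` line is built by string concatenation, and `X500Principal(String)` parses its argument as an RFC 2253 distinguished name, so a service or domain name containing `,`, `+`, `=` or `"` would change the DN structure rather than be rejected; the hunk does not show where these names are validated, so either a check on `instanceIdentity.getFullName()` or a comment stating the assumption that Athenz names never contain DN metacharacters belongs here. The constructor also stores `dnsSuffix` without a null check, and a null would only surface later as the literal text `null` inside the DNS SANs via `String.format`; `this.dnsSuffix = Objects.requireNonNull(dnsSuffix, "dnsSuffix");` (importing `java.util.Objects`) fails early instead. The `replace(".", "-")` mapping is lossy for domains that already contain dashes, so the comment above it could say that the dashed form presumably follows the provider's instance-SAN convention and that collisions are not handled in this class. The DNS SANs use the new two-argument `addSubjectAlternativeName` overload while the IP loop still builds the object itself; `ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(IP_ADDRESS, ip));` keeps the two consistent.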
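Review bot: The new `addSubjectAlternativeName(SubjectAlternativeName.Type, String)` overload appends to `subjectAlternativeNames` directly instead of going through the existing single-argument overload that InstanceCsrGenerator still uses for IP addresses, so any validation that overload performs (or gains later) is bypassed on this path; `return addSubjectAlternativeName(new SubjectAlternativeName(type, value));` keeps a single code path. The method also has no Javadoc; a one-liner such as `/** Adds a SAN of the given type; {@code value} must be well-formed for that type (a DNS name or an IP address literal). */` would document the contract. The enclosing class continues outside the hunk.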