authorBjørn Christian Seime <bjorn.christian@seime.no>2018-05-07 13:47:14 +0200
committerGitHub <noreply@github.com>2018-05-07 13:47:14 +0200
commita103f81ffe357db9c6ae2a2f99877d5a2ed5449f (patch)
tree5f3833731a210d7d6c80f4c78f464a3de5f0b8a6
parentc58fa11663f1c5d1ed782f433e6eb8025670c496 (diff)
parentabd49c24b3b1eee2cf8601a71063538debf73223 (diff)
Merge pull request #5805 from vespa-engine/bjorncs/node-agent-sia
Bjorncs/node agent sia
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java1
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java50
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java5
3 files changed, 56 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
index a02653fbda7..f9eff903425 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
@@ -11,4 +11,5 @@ public interface AthenzIdentity {
default String getFullName() {
return getDomain().getName() + "." + getName();
}
+ default String getDomainName() { return getDomain().getName(); }
}
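Review bot: The new `getDomainName()` default method is undocumented and written as a one-liner, whereas the neighbouring `getFullName()` uses a braced multi-line body, so the interface now mixes two layouts. A short Javadoc, `/** Returns the name of the domain this identity belongs to, i.e. {@code getDomain().getName()}. */`, and the same braced layout as `getFullName()` would keep the public interface uniform. The rest of `AthenzIdentity` is outside the hunk, so whether its other members carry Javadoc cannot be seen here.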
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
new file mode 100644
index 00000000000..70227eae91c
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
@@ -0,0 +1,50 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
+import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
+
+/**
+ * Generates a {@link Pkcs10Csr} for an instance.
+ *
+ * @author bjorncs
+ */
+public class InstanceCsrGenerator {
+
+ private final String dnsSuffix;
+
+ public InstanceCsrGenerator(String dnsSuffix) {
+ this.dnsSuffix = dnsSuffix;
+ }
+
+ public Pkcs10Csr generateCsr(AthenzIdentity instanceIdentity,
+ VespaUniqueInstanceId instanceId,
+ Set<String> ipAddresses,
+ KeyPair keyPair) {
+ X500Principal subject = new X500Principal("CN=" + instanceIdentity.getFullName());
+ // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+ // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ .addSubjectAlternativeName(
+ DNS_NAME,
+ String.format(
+ "%s.%s.%s",
+ instanceIdentity.getName(),
+ instanceIdentity.getDomainName().replace(".", "-"),
+ dnsSuffix))
+ .addSubjectAlternativeName(DNS_NAME, String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ return pkcs10CsrBuilder.build();
+ }
+}
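Review bot: The subject DN on the `X500Principal` line is built by string concatenation, so an identity name containing RFC 2253 special characters (`,`, `+`, `=`, `"`, `\`) would either be parsed as additional RDNs or make the constructor throw, rather than being carried verbatim as the CN; unless the name is guaranteed validated upstream (not visible here), escape it with the JDK helper, `X500Principal subject = new X500Principal("CN=" + Rdn.escapeValue(instanceIdentity.getFullName()));`, importing `javax.naming.ldap.Rdn`. The constructor stores `dnsSuffix` unchecked, and a null would silently yield SANs ending in `.null`; `this.dnsSuffix = Objects.requireNonNull(dnsSuffix, "dnsSuffix");` fails fast instead. For consistency with the `addSubjectAlternativeName(Type, String)` overload added in the same PR, the IP loop can read `ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(IP_ADDRESS, ip));`. `generateCsr` also lacks a Javadoc; one stating that the CN is the identity's full name and listing the three SAN kinds (service DNS name, instance-id DNS name, one IP SAN per address) with `@param` entries would document the certificate contents a CA will see.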
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
index 29be201fb43..2135f569aeb 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
@@ -57,6 +57,11 @@ public class Pkcs10CsrBuilder {
return this;
}
+ public Pkcs10CsrBuilder addSubjectAlternativeName(SubjectAlternativeName.Type type, String value) {
+ this.subjectAlternativeNames.add(new SubjectAlternativeName(type, value));
+ return this;
+ }
+
public Pkcs10CsrBuilder setBasicConstraints(boolean isCritical, boolean isCertAuthorityCertificate) {
this.basicConstraintsExtension = new BasicConstraintsExtension(isCritical, isCertAuthorityCertificate);
return this;
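Review bot: The new `addSubjectAlternativeName(SubjectAlternativeName.Type, String)` overload appends to `subjectAlternativeNames` directly instead of going through the existing single-argument `addSubjectAlternativeName(SubjectAlternativeName)` (the one `InstanceCsrGenerator` calls in the same PR, presumably the method ending just above at `return this;`), so any argument check that overload performs or later gains would not apply on this path. Delegating keeps one code path: `return addSubjectAlternativeName(new SubjectAlternativeName(type, value));`. A Javadoc such as `/** Adds a subject alternative name of the given type; shorthand for {@code addSubjectAlternativeName(new SubjectAlternativeName(type, value))}. */` would also match the public builder API.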