author | Valerij Fredriksen <valerijf@oath.com> | 2017-11-10 13:32:46 +0100 |
---|---|---|
committer | Valerij Fredriksen <valerijf@oath.com> | 2017-11-10 13:32:46 +0100 |
commit | 93d94fff227927c306bd0432fca50be46addd945 (patch) | |
tree | 96a5d44dff2d71890bd23b018bb2f58f2b24ef29 | |
parent | 0a77a592073d219fe8dbabf527a95cd9b46b477e (diff) |
Store provider and certificate converter as instance fields
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
index 3cb530b9088..0806ac6225b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
@@ -24,6 +24,7 @@ import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
 import java.math.BigInteger;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -54,6 +55,9 @@ public class CertificateSigner {
 private static final List<ASN1ObjectIdentifier> ILLEGAL_EXTENSIONS = ImmutableList.of(
 Extension.basicConstraints, Extension.subjectAlternativeName);
+ private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
+ private final Provider provider = new BouncyCastleProvider();
+
 private final PrivateKey caPrivateKey;
 private final X500Name issuer;
 private final Clock clock;
@@ -90,12 +94,12 @@ public class CertificateSigner {
 issuer, BigInteger.valueOf(clock.millis()), notBefore, notAfter, certReq.getSubject(), publicKey)
 // Set Basic Constraints to false
- .addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+ .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
 ContentSigner caSigner = new JcaContentSignerBuilder(SIGNER_ALGORITHM).build(caPrivateKey);
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
+ return certificateConverter
+ .setProvider(provider)
 .getCertificate(caBuilder.build(caSigner));
 } catch (Exception ex) {
 log.log(LogLevel.ERROR, "Failed to generate X509 Certificate", ex); |
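Review bot: The flip of the `basicConstraints` critical flag from `false` to `true` on the `.addExtension(...)` line changes every certificate this signer issues, yet neither the commit message ("Store provider and certificate converter as instance fields") nor the comment above it mentions it, and that comment still reads `// Set Basic Constraints to false`. Marking cA=false critical is valid for an end-entity certificate, but it should be made explicit: change the comment to `// End-entity certificate: Basic Constraints cA=false, marked critical` and call the flip out in the commit message so a behaviour change is not hidden inside a refactoring commit. Separately, `setProvider(provider)` is now re-applied to the shared converter on every call even though both fields are final and the provider never changes; initialise the converter once with `private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider());` and drop the `provider` field and the per-call `setProvider`. The enclosing method starts before this hunk and its remaining catch handling continues past it.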