author | Bjørn Christian Seime <bjorncs@oath.com> | 2017-10-24 11:10:16 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2017-10-24 12:44:04 +0200 |
commit | af797df442133621d681e2c2d0b4ea5661964348 (patch) | |
tree | 0a57efc1b23ec8f19e1b897860fd28e7ddadb986 | |
parent | d0bc14f3761a7f86c0286f62a99d20a531305e17 (diff) |
Use BouncyCastle directly instead through athenz-auth-core
-rw-r--r-- | container-dev/pom.xml | 8 | ||||
-rw-r--r-- | container-disc/pom.xml | 21 | ||||
-rw-r--r-- | container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java | 44 | ||||
-rw-r--r-- | container-test/pom.xml | 4 |
4 files changed, 44 insertions, 33 deletions
diff --git a/container-dev/pom.xml b/container-dev/pom.xml
index c6cbeacd2c0..8eb8cab1677 100644
--- a/container-dev/pom.xml
+++ b/container-dev/pom.xml
@@ -116,8 +116,12 @@
 <artifactId>httpclient</artifactId>
 </exclusion>
 <exclusion>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-auth-core</artifactId>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
 </exclusion>
 </exclusions>
 </dependency>
diff --git a/container-disc/pom.xml b/container-disc/pom.xml
index b9ce5a1b7ac..bd8a3340622 100644
--- a/container-disc/pom.xml
+++ b/container-disc/pom.xml
@@ -136,25 +136,10 @@
 <artifactId>httpclient</artifactId>
 <scope>compile</scope>
 </dependency>
- <!-- TODO Use BouncyCastle directly -->
 <dependency>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-auth-core</artifactId>
- <version>${athenz.version}</version>
- <exclusions>
- <exclusion>
- <groupId>com.amazonaws</groupId>
- <artifactId>aws-java-sdk-s3</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.kohsuke</groupId>
- <artifactId>libpam4j</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- </exclusions>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ <scope>compile</scope>
 </dependency>
 </dependencies>
 <properties>
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
index 63b0accbdd2..1ccbaaa35f4 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
@@ -4,7 +4,6 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.annotations.Beta;
 import com.google.inject.Inject;
-import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.container.core.identity.IdentityConfig;
@@ -12,10 +11,22 @@ import com.yahoo.container.jdisc.athenz.impl.AthenzService;
 import com.yahoo.container.jdisc.athenz.impl.InstanceIdentity;
 import com.yahoo.container.jdisc.athenz.impl.InstanceRegisterInformation;
 import com.yahoo.container.jdisc.athenz.impl.ServiceProviderApi;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemObject;
+import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
+import java.io.StringWriter;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -86,7 +97,6 @@ public final class AthenzIdentityProvider extends AbstractComponent {
 KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
 return kpg.generateKeyPair();
 } catch (NoSuchAlgorithmException e) {
- e.printStackTrace();
 throw new RuntimeException(e);
 }
 }
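Review bot: `KeyPairGenerator.getInstance("RSA")` in the last hunk is used without `initialize(...)`, so the size of the generated identity key is whatever the installed provider defaults to rather than a value the code controls. These are context lines the commit leaves untouched, but since this key now backs a CSR signed with `SHA256withRSA` in this class, pinning the strength explicitly is cheap: `kpg.initialize(2048);` before `kpg.generateKeyPair();`. The enclosing method starts outside the hunk.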
@@ -96,7 +106,7 @@ public final class AthenzIdentityProvider extends AbstractComponent {
 try {
 // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
 // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- GeneralName[] sanDnsNames = new GeneralName[]{
+ GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
 new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s", identityConfig.serviceName(), identityConfig.domain().replace(".", "-"),
@@ -104,14 +114,28 @@ public final class AthenzIdentityProvider extends AbstractComponent {
 new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s", providerUniqueId, dnsSuffix))
- };
-
- return Crypto.generateX509CSR(keyPair.getPrivate(),
- keyPair.getPublic(),
- String.format("CN=%s.%s", identityConfig.domain(), identityConfig.serviceName()),
- sanDnsNames);
+ });
+
+ ExtensionsGenerator extGen = new ExtensionsGenerator();
+ extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+
+ X500Principal subject = new X500Principal(
+ String.format("CN=%s.%s", identityConfig.domain(), identityConfig.serviceName()));
+
+ PKCS10CertificationRequestBuilder requestBuilder =
+ new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+ requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+ PKCS10CertificationRequest csr = requestBuilder.build(
+ new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
+
+ PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
+ try (StringWriter stringWriter = new StringWriter()) {
+ try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
+ pemWriter.writeObject(pemObject);
+ return stringWriter.toString();
+ }
+ }
 } catch (OperatorCreationException e) {
- e.printStackTrace();
 throw new RuntimeException(e);
 }
 }
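Review bot: In the second hunk `return stringWriter.toString()` is evaluated before `pemWriter` is closed, and `JcaPEMWriter` extends `PemWriter`, which is a `BufferedWriter`, so the PEM text produced by `writeObject` is still sitting in the writer's buffer when the return value is captured; for a CSR of ordinary size the method would hand back an empty string. Add `pemWriter.flush();` before the `return`, and the two nested try statements can be one: `try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) { ... }`. Separately, `new X500Principal(String.format("CN=%s.%s", ...))` parses the formatted string as an RFC 2253 DN, so a domain or service name containing `,`, `+` or `=` would be rejected or split into extra RDNs; presumably both values come from trusted config, but building the subject with `X500NameBuilder` would not depend on that. The enclosing method starts outside the hunk.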
diff --git a/container-test/pom.xml b/container-test/pom.xml
index 262fdc9da14..7aaffed652e 100644
--- a/container-test/pom.xml
+++ b/container-test/pom.xml
@@ -100,16 +100,14 @@
 <artifactId>commons-digester</artifactId>
 <version>1.8</version>
 </dependency>
+ <!-- Required for both jdisc_http_service and container-disc -->
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcpkix-jdk15on</artifactId>
- <version>${bouncycastle.version}</version>
 </dependency>
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcprov-jdk15on</artifactId>
- <version>${bouncycastle.version}</version>
 </dependency>
-
 </dependencies>
 </project> |