author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:15:32 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:56:34 +0200 |
commit | b0a11043f8ac63ae543c9dfc8b1a7e40bf58f19d (patch) | |
tree | 41b8782def3665db66c2b084b737b9aaf9ca6aa9 | |
parent | ead5f9f883bce032c13f4615ad98a25ac91fae7d (diff) |
Simplify type definition for subject alternative names
16 files changed, 52 insertions, 54 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java index 61dc67bd7d4..df904bf8010 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java @@ -17,7 +17,7 @@ import java.util.Optional; import java.util.stream.Collectors; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** * Helper class for creating {@link X509Certificate}s. @@ -66,7 +66,7 @@ public class Certificates { private static Optional<String> getInstanceIdFromSAN(List<SubjectAlternativeName> subjectAlternativeNames) { return subjectAlternativeNames.stream() - .filter(san -> san.getType() == DNS_NAME) + .filter(san -> san.getType() == DNS) .map(SubjectAlternativeName::getValue) .map(Certificates::parseInstanceId) .flatMap(Optional::stream) diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java index 9bd6153f159..f5dbcb6a699 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java 
@@ -97,8 +97,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler { var instanceRegistration = deserializeRequest(request, InstanceSerializer::registrationFromSlime); InstanceConfirmation confirmation = new InstanceConfirmation(instanceRegistration.provider(), instanceRegistration.domain(), instanceRegistration.service(), EntityBindingsMapper.toSignedIdentityDocumentEntity(instanceRegistration.attestationData())); - confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP_ADDRESS)); - confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS_NAME)); + confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.IP)); + confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRegistration.csr(), SubjectAlternativeName.Type.DNS)); if (!instanceValidator.isValidInstance(confirmation)) { log.log(Level.INFO, "Invalid instance registration for " + instanceRegistration.toString()); return ErrorResponse.forbidden("Unable to launch service: " +instanceRegistration.service()); 
@@ -130,8 +130,8 @@ public class CertificateAuthorityApiHandler extends ThreadedHttpRequestHandler {
 refreshesSameService(instanceRefresh, athenzService);
 InstanceConfirmation instanceConfirmation = new InstanceConfirmation(provider, athenzService.getDomain().getName(), athenzService.getName(), null);
- instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP_ADDRESS));
- instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS_NAME));
+ instanceConfirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.IP));
+ instanceConfirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(instanceRefresh.csr(), SubjectAlternativeName.Type.DNS));
 if(!instanceValidator.isValidRefresh(instanceConfirmation)) {
 return ErrorResponse.forbidden("Unable to refresh cert: " + instanceRefresh.csr().getSubject().toString());
 }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
index b225cbef21c..4012776949e 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
@@ -68,10 +68,10 @@ public class CertificateTester {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA);
 for (var dnsName : dnsNames) {
- builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName);
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS, dnsName);
 }
 for (var ipAddress : ipAddresses) {
- builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP_ADDRESS, ipAddress);
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP, ipAddress);
 }
 return builder.build();
 }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
index 613ced895e9..19ee3d22330 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
@@ -48,9 +48,9 @@ public class CertificatesTest {
 assertEquals(2, certificate.getSubjectAlternativeNames().size());
 var subjectAlternativeNames = List.copyOf(certificate.getSubjectAlternativeNames());
- assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName),
+ assertEquals(List.of(SubjectAlternativeName.Type.DNS.getTag(), dnsName),
 subjectAlternativeNames.get(0));
- assertEquals(List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip),
+ assertEquals(List.of(SubjectAlternativeName.Type.IP.getTag(), ip),
 subjectAlternativeNames.get(1));
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java index 9bfd8f9d34e..ecea1ce6913 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/certificates/EndpointCertificateValidatorImpl.java @@ -59,7 +59,7 @@ public class EndpointCertificateValidatorImpl implements EndpointCertificateVali X509Certificate endEntityCertificate = x509CertificateList.get(0); Set<String> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(endEntityCertificate).stream() - .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME)) + .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS)) .map(SubjectAlternativeName::getValue).collect(Collectors.toSet()); if (!subjectAlternativeNames.containsAll(requiredNamesForZone)) diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java index 63223f3c221..d74075831f1 100644 --- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java 
@@ -37,7 +37,7 @@ import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFil import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.MATCHED_ROLE_ATTRIBUTE; import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFilter.RESULT_ATTRIBUTE; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; -import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL; import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; @@ -262,7 +262,7 @@ public class AthenzAuthorizationFilterTest { Instant now = Instant.now(); return X509CertificateBuilder .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE) - .addSubjectAlternativeName(new SubjectAlternativeName(RFC822_NAME, identity.getFullName() + "@my.domain.my-identity-provider")) + .addSubjectAlternativeName(new SubjectAlternativeName(EMAIL, identity.getFullName() + "@my.domain.my-identity-provider")) .build(); } diff --git a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java index 9b999e056e0..d7353711a2a 100644 --- a/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/Pkcs10CsrBuilder.java @@ -21,7 +21,7 @@ import java.security.KeyPair; import java.util.ArrayList; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** * @author bjorncs 
@@ -49,7 +49,7 @@ public class Pkcs10CsrBuilder { } public Pkcs10CsrBuilder addSubjectAlternativeName(String dns) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dns)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dns)); return this; } diff --git a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java index 92dd41f7f88..c01de58987c 100644 --- a/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java +++ b/security-utils/src/main/java/com/yahoo/security/SubjectAlternativeName.java @@ -99,15 +99,15 @@ public class SubjectAlternativeName { } public enum Type { - OTHER_NAME(0), - RFC822_NAME(1), - DNS_NAME(2), - X400_ADDRESS(3), - DIRECTORY_NAME(4), - EDI_PARITY_NAME(5), - UNIFORM_RESOURCE_IDENTIFIER(6), - IP_ADDRESS(7), - REGISTERED_ID(8); + OTHER(0), + EMAIL(1), + DNS(2), + X400(3), + DIRECTORY(4), + EDI_PARITY(5), + URI(6), + IP(7), + REGISTERED(8); final int tag; diff --git a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java index 6ec10a2f803..f59d34ebb10 100644 --- a/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java +++ b/security-utils/src/main/java/com/yahoo/security/X509CertificateBuilder.java @@ -28,7 +28,7 @@ import java.util.ArrayList; import java.util.Date; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; /** @@ -116,7 +116,7 @@ public class X509CertificateBuilder { } public X509CertificateBuilder addSubjectAlternativeName(String dnsName) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName)); + this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS, dnsName)); return this; } 
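Review bot: The renamed constant `EDI_PARITY(5)` in the `SubjectAlternativeName.Type` hunk carries over a misspelling from `EDI_PARITY_NAME`: the GeneralName choice with tag 5 in RFC 5280 is `ediPartyName`, so the constant should read `EDI_PARTY(5)`, and since this commit already renames every constant and touches all callers, correcting the spelling here costs nothing extra. Naming the tag-6 constant `URI` also makes it shadow `java.net.URI` in any file that static-imports it, because the simple name `URI` in an expression such as `URI.create(...)` then resolves to the enum constant; that is presumably why the AthenzX509CertificateUtils section later in this commit drops its static constant imports and qualifies as `Type.URI`, and PeerAuthorizer's new `import static ...Type.URI` will hit the same problem if that file ever needs `java.net.URI`. A Javadoc on the enum would also help readers map the constants back to the standard, e.g. `/** GeneralName choice tags as defined in RFC 5280, section 4.2.1.6; the int value is the ASN.1 context tag. */`. The rest of the enum body (`final int tag;` onward) is outside the hunk.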
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java index e026c611d0c..608a8c9c933 100644 --- a/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java +++ b/security-utils/src/main/java/com/yahoo/security/tls/PeerAuthorizer.java @@ -11,9 +11,9 @@ import java.util.Optional; import java.util.Set; import java.util.logging.Logger; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS; -import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; +import static com.yahoo.security.SubjectAlternativeName.Type.IP; +import static com.yahoo.security.SubjectAlternativeName.Type.URI; import static java.util.stream.Collectors.toList; /** @@ -78,7 +78,7 @@ public class PeerAuthorizer { private static List<String> getSubjectAlternativeNames(X509Certificate peerCertificate) { return X509CertificateUtils.getSubjectAlternativeNames(peerCertificate).stream() - .filter(san -> san.getType() == DNS_NAME || san.getType() == IP_ADDRESS || san.getType() == UNIFORM_RESOURCE_IDENTIFIER) + .filter(san -> san.getType() == DNS || san.getType() == IP || san.getType() == URI) .map(SubjectAlternativeName::getValue) .collect(toList()); } diff --git a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java index 6dd5eb52373..d03c52027bf 100644 --- a/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java +++ b/security-utils/src/test/java/com/yahoo/security/Pkcs10CsrTest.java 
@@ -8,7 +8,7 @@ import java.security.KeyPair; import java.util.Arrays; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; @@ -21,8 +21,8 @@ public class Pkcs10CsrTest { public void can_read_subject_alternative_names() { X500Principal subject = new X500Principal("CN=subject"); KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); - SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com"); - SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com"); + SubjectAlternativeName san1 = new SubjectAlternativeName(DNS, "san1.com"); + SubjectAlternativeName san2 = new SubjectAlternativeName(DNS, "san2.com"); Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA) .addSubjectAlternativeName(san1) .addSubjectAlternativeName(san2) diff --git a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java index b2e800542b8..6bb87554de3 100644 --- a/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java +++ b/security-utils/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java @@ -12,7 +12,7 @@ import java.time.temporal.ChronoUnit; import java.util.Arrays; import java.util.List; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; 
@@ -54,7 +54,7 @@ public class X509CertificateUtilsTest { public void can_list_subject_alternative_names() { KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); X500Principal subject = new X500Principal("CN=myservice"); - SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san"); + SubjectAlternativeName san = new SubjectAlternativeName(DNS, "dns-san"); X509Certificate cert = X509CertificateBuilder .fromKeypair( keypair, diff --git a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java index 42a69fd18b0..94b0dc4f83e 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/PeerAuthorizerTest.java @@ -131,8 +131,8 @@ public class PeerAuthorizerTest { Instant.EPOCH.plus(100000, ChronoUnit.DAYS), SHA256_WITH_ECDSA, BigInteger.ONE); - sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS_NAME, san)); - sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.UNIFORM_RESOURCE_IDENTIFIER, san)); + sanDns.forEach(san -> builder.addSubjectAlternativeName(Type.DNS, san)); + sanUri.forEach(san -> builder.addSubjectAlternativeName(Type.URI, san)); return builder.build(); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java index 92be935d293..5b129de412d 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java 
@@ -29,10 +29,10 @@ public class RoleCsrGenerator { public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) { return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA) .addSubjectAlternativeName( - Type.DNS_NAME, + Type.DNS, String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix)) .addSubjectAlternativeName( - Type.RFC822_NAME, + Type.EMAIL, String.format("%s@%s", identity.getFullName(), dnsSuffix)) .build(); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java index 518f77ae79c..21ce30fd244 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java @@ -13,9 +13,9 @@ import java.security.KeyPair; import java.util.Set; import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS; -import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS; +import static com.yahoo.security.SubjectAlternativeName.Type.IP; +import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL; /** * Generates a {@link Pkcs10Csr} for an instance. 
@@ -41,14 +41,14 @@ public class CsrGenerator { // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix> Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA) .addSubjectAlternativeName( - DNS_NAME, + DNS, String.format( "%s.%s.%s", instanceIdentity.getName(), instanceIdentity.getDomainName().replace(".", "-"), dnsSuffix)) - .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId)); - ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip))); + .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId)); + ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip))); return pkcs10CsrBuilder.build(); } @@ -58,8 +58,8 @@ public class CsrGenerator { KeyPair keyPair) { X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName())); return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA) - .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId)) - .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix)) + .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId)) + .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix)) .build(); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java index bb62dc51603..7542e976260 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java 
@@ -12,9 +12,7 @@ import java.security.cert.X509Certificate; import java.util.List; import java.util.Optional; -import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; -import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER; +import static com.yahoo.security.SubjectAlternativeName.Type; /** * Utility methods for Athenz issued x509 certificates @@ -34,7 +32,7 @@ public class AthenzX509CertificateUtils { private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) { return sans.stream() - .filter(san -> san.getType() == RFC822_NAME) + .filter(san -> san.getType() == Type.EMAIL) .map(com.yahoo.security.SubjectAlternativeName::getValue) .map(AthenzX509CertificateUtils::getIdentityFromSanEmail) .findFirst(); @@ -43,7 +41,7 @@ public class AthenzX509CertificateUtils { private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) { String uriPrefix = "athenz://principal/"; return sans.stream() - .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix)) + .filter(s -> s.getType() == Type.URI && s.getValue().startsWith(uriPrefix)) .map(san -> { String uriPath = URI.create(san.getValue()).getPath(); return AthenzIdentities.from(uriPath.substring(uriPrefix.length())); @@ -78,7 +76,7 @@ public class AthenzX509CertificateUtils { String uriPrefix = "athenz://instanceid/"; return sans.stream() .filter(san -> { - if (san.getType() != UNIFORM_RESOURCE_IDENTIFIER) return false; + if (san.getType() != Type.URI) return false; return san.getValue().startsWith(uriPrefix); }) .map(san -> { 
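Review bot: In the imports hunk of AthenzX509CertificateUtils, `import static com.yahoo.security.SubjectAlternativeName.Type;` uses a static import to bring in a nested type, which is unusual; the conventional form for a member type is the single-type import `import com.yahoo.security.SubjectAlternativeName.Type;`, which reads as a type import and is what most formatters and style checks expect. In the `getRoleIdentityFromEmail` hunk the unchanged context line `.map(com.yahoo.security.SubjectAlternativeName::getValue)` could now be shortened to `.map(SubjectAlternativeName::getValue)`, since the same hunk's signature already uses the simple name `List<SubjectAlternativeName> sans`. The enclosing methods of the later hunks in this section start and end outside their hunks.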
@@ -92,7 +90,7 @@ public class AthenzX509CertificateUtils { String dnsNameDelimiter = ".instanceid.athenz."; return sans.stream() .filter(san -> { - if (san.getType() != DNS_NAME) return false; + if (san.getType() != Type.DNS) return false; return san.getValue().contains(dnsNameDelimiter); }) .map(san -> { |