author | Arnstein Ressem <aressem@gmail.com> | 2017-12-05 00:53:58 +0100 |
committer | GitHub <noreply@github.com> | 2017-12-05 00:53:58 +0100 |
commit | 841483e86a553f953c39d287465b3daddec5d65f (patch) | |
tree | be8f9abe4b7eceab7e2163ab313935c54720f0b7 /athenz-identity-provider-service | |
parent | a0a932e9d4f300821dce413a19208c154bafa8a8 (diff) |
Revert "Add trust store configurator with config server's CA cert"
Diffstat (limited to 'athenz-identity-provider-service')
3 files changed, 1 insertions, 115 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
deleted file mode 100644
index 059c91aecd3..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
+++ /dev/null
@@ -1,108 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
-
-import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
-import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.SslTrustStoreContext;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.KeyPair;
-import java.security.KeyStore;
-import java.security.Provider;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.Date;
-import java.util.logging.Logger;
-
-/**
- * @author bjorncs
- */
-// TODO Add Athenz CA certificates to trust store
-public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
-
- private static final Logger log = Logger.getLogger(AthenzSslTrustStoreConfigurator.class.getName());
-
- private static final Provider provider = new BouncyCastleProvider();
- private final KeyStore trustStore;
-
- @Inject
- public 
AthenzSslTrustStoreConfigurator(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- this.trustStore = createTrustStore(keyProvider, configserverConfig, athenzProviderServiceConfig);
- }
-
- @Override
- public void configure(SslTrustStoreContext sslTrustStoreContext) {
- sslTrustStoreContext.updateTrustStore(trustStore);
- log.log(LogLevel.INFO, "Configured JDisc trust store with self-signed certificate");
- }
-
- private static KeyStore createTrustStore(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- try {
- KeyPair keyPair = getKeyPair(keyProvider, configserverConfig, athenzProviderServiceConfig);
- X509Certificate selfSignedCertificate = createSelfSignedCertificate(keyPair, configserverConfig);
- log.log(LogLevel.FINE, "Generated self-signed certificate: " + selfSignedCertificate);
- KeyStore trustStore = KeyStore.getInstance("JKS");
- trustStore.load(null);
- trustStore.setCertificateEntry("cfgselfsigned", selfSignedCertificate);
- return trustStore;
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
-
- private static KeyPair getKeyPair(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- String key = configserverConfig.environment() + "." 
+ configserverConfig.region();
- AthenzProviderServiceConfig.Zones zoneConfig = athenzProviderServiceConfig.zones(key);
- return keyProvider.getKeyPair(zoneConfig.secretVersion());
- }
-
- private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, ConfigserverConfig config)
- throws IOException, CertificateException, OperatorCreationException {
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate());
- X500Name x500Name = new X500Name("CN="+ config.loadBalancerAddress());
- Instant now = Instant.now();
- Date notBefore = Date.from(now);
- Date notAfter = Date.from(now.plus(Duration.ofDays(30)));
-
- GeneralNames generalNames = new GeneralNames(
- config.zookeeperserver().stream()
- .map(server -> new GeneralName(GeneralName.dNSName, server.hostname()))
- .toArray(GeneralName[]::new));
-
- X509v3CertificateBuilder certificateBuilder =
- new JcaX509v3CertificateBuilder(
- x500Name, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic()
- )
- .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
- .addExtension(Extension.subjectAlternativeName, false, generalNames);
-
- return new JcaX509CertificateConverter()
- .setProvider(provider)
- .getCertificate(certificateBuilder.build(contentSigner));
- }
-
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/KeyProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/KeyProvider.java
index 1d141099428..a72a2fcbc6c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/KeyProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/KeyProvider.java
@@ -1,7 +1,6 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
-import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
@@ -12,8 +11,4 @@ public interface KeyProvider {
PrivateKey getPrivateKey(int version);
PublicKey getPublicKey(int version);
-
- default KeyPair getKeyPair(int version) {
- return new KeyPair(getPublicKey(version), getPrivateKey(version));
- }
}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/SecretStoreKeyProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/SecretStoreKeyProvider.java
index ac8c0eabf31..e66131b6cf7 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/SecretStoreKeyProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/SecretStoreKeyProvider.java
@@ -45,8 +45,7 @@ public class SecretStoreKeyProvider implements KeyProvider {
return getKeyPair(version).getPublic();
}
-
- @Override
- public KeyPair getKeyPair(int version) {
+ private KeyPair getKeyPair(int version) {
synchronized (secrets) {
KeyPair keyPair = secrets.get(version);
if (keyPair == null) { |