authorValerij Fredriksen <valerijf@oath.com>2017-11-10 13:32:46 +0100
committerValerij Fredriksen <valerijf@oath.com>2017-11-10 13:32:46 +0100
commit93d94fff227927c306bd0432fca50be46addd945 (patch)
tree96a5d44dff2d71890bd23b018bb2f58f2b24ef29 /athenz-identity-provider-service
parent0a77a592073d219fe8dbabf527a95cd9b46b477e (diff)
Store provider and certificate converter as instance fields
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java10
1 files changed, 7 insertions, 3 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
index 3cb530b9088..0806ac6225b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
@@ -24,6 +24,7 @@ import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import java.math.BigInteger;
import java.security.PrivateKey;
+import java.security.Provider;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
@@ -54,6 +55,9 @@ public class CertificateSigner {
private static final List<ASN1ObjectIdentifier> ILLEGAL_EXTENSIONS = ImmutableList.of(
Extension.basicConstraints, Extension.subjectAlternativeName);
+ private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
+ private final Provider provider = new BouncyCastleProvider();
+
private final PrivateKey caPrivateKey;
private final X500Name issuer;
private final Clock clock;
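Review bot: The new `certificateConverter` field is still re-configured on every signing call through `.setProvider(provider)` in the third hunk, so the shared instance is mutated per request instead of being configured once, and if CertificateSigner is reached from several threads (not visible here) each call writes to that shared state. Declaring `provider` first and initialising the converter as `private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter().setProvider(provider);` lets the call site shrink to `return certificateConverter.getCertificate(caBuilder.build(caSigner));` (the field order matters, since an initializer may not forward-reference an instance field declared below it). Separately, the third hunk also flips the Basic Constraints extension from non-critical to critical (`.addExtension(Extension.basicConstraints, true, new BasicConstraints(false))`), which is a change to the issued certificates that the commit title "Store provider and certificate converter as instance fields" does not mention; it deserves either its own commit or a sentence in the message explaining why the extension is now marked critical. The method containing that change continues past the end of the visible hunk.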
@@ -90,12 +94,12 @@ public class CertificateSigner {
issuer, BigInteger.valueOf(clock.millis()), notBefore, notAfter, certReq.getSubject(), publicKey)
// Set Basic Constraints to false
- .addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+ .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
ContentSigner caSigner = new JcaContentSignerBuilder(SIGNER_ALGORITHM).build(caPrivateKey);
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
+ return certificateConverter
+ .setProvider(provider)
.getCertificate(caBuilder.build(caSigner));
} catch (Exception ex) {
log.log(LogLevel.ERROR, "Failed to generate X509 Certificate", ex);