authorValerij Fredriksen <valerijf@oath.com>2017-11-10 09:40:44 +0100
committerValerij Fredriksen <valerijf@oath.com>2017-11-10 09:40:44 +0100
commitc6a91ed5430892fbab4147a0adcbc0dcb5fbff38 (patch)
tree13e59a24217edbccacc2ade99b275f02c7748c33 /athenz-identity-provider-service
parent37cc09fe39b65d1838982c5d49e0a9533242acb6 (diff)
Added javadoc
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java14
1 files changed, 13 insertions, 1 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
index ad7eeb90f1c..4f192e7551a 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
@@ -1,5 +1,6 @@
package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
+import com.google.common.collect.ImmutableList;
import com.yahoo.log.LogLevel;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.KeyProvider;
@@ -38,6 +39,10 @@ import java.util.stream.Stream;
/**
+ * Signs Certificate Signing Reqest from tenant nodes. This certificate will be used
+ * by nodes to authenticate themselves when performing operations against the config
+ * server, such as updating node-repository or orchestrator.
+ *
* @author freva
*/
public class CertificateSigner {
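Review bot: The new class Javadoc misspells "Request" as "Reqest" in its first sentence, which is the summary line that shows up in generated docs; it should read `* Signs Certificate Signing Requests (CSRs) from tenant nodes. This certificate will be used`. The same kind of slip appears in the last hunk's method Javadoc, where "any any of the extensions" doubles the word. Since this Javadoc is the place a reader learns what the signer guarantees, it would also help to state here, in one sentence, that a CSR is only signed when its Common Name matches the requesting host and it carries none of the disallowed extensions, rather than leaving that only on the package-private method.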
@@ -46,7 +51,7 @@ public class CertificateSigner {
static final String SIGNER_ALGORITHM = "SHA256withRSA";
static final Duration CERTIIFICATE_DURATION = Duration.ofDays(30);
- private static final List<ASN1ObjectIdentifier> ILLEGAL_EXTENSIONS = Arrays.asList(
+ private static final List<ASN1ObjectIdentifier> ILLEGAL_EXTENSIONS = ImmutableList.of(
Extension.basicConstraints, Extension.subjectAlternativeName);
private final PrivateKey caPrivateKey;
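Review bot: Switching `ILLEGAL_EXTENSIONS` to `ImmutableList.of` pulls in a Guava import (first hunk) for a two-element constant; if this module already depends on Guava that is fine, but if not, `Collections.unmodifiableList(Arrays.asList(...))` gives the same read-only guarantee with no new dependency, and on Java 9+ `List.of(Extension.basicConstraints, Extension.subjectAlternativeName)` does so from the JDK. I cannot tell the module's Java level or dependency set from the diff, so treat this as a question rather than a request. Unrelated to this change, the adjacent context constant `CERTIIFICATE_DURATION` is misspelled; worth a follow-up rename if it is not referenced outside this class.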
@@ -65,6 +70,13 @@ public class CertificateSigner {
this.clock = clock;
}
+ /**
+ * Signs the CSR if:
+ * <ul>
+ * <li>Common Name matches {@code remoteHostname}</li>
+ * <li>CSR does not contain any any of the extensions in {@code ILLEGAL_EXTENSIONS}</li>
+ * </ul>
+ */
X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, String remoteHostname) {
assertCertificateCommonName(certReq.getSubject(), remoteHostname);
assertCertificateExtensions(certReq);