authorMartin Polden <mpolden@mpolden.no>2019-10-07 13:48:24 +0200
committerMartin Polden <mpolden@mpolden.no>2019-10-07 13:48:24 +0200
commitbd64dc62bfc7800c570f36514e98ac04b4c07988 (patch)
tree8f513d96b86b749c2c5182e28af1441e1fdf6293 /athenz-identity-provider-service
parent385ff3f0d79e76eba8c6cf688bc730fb14b0dd38 (diff)
Decode SAN IP address field from CSR
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java2
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java5
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java11
3 files changed, 13 insertions, 5 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
index 447b6efb09b..a4cf54063ec 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
@@ -43,7 +43,7 @@ public class Certificates {
SHA256_WITH_ECDSA,
X509CertificateBuilder.generateRandomSerialNumber());
for (var san : csr.getSubjectAlternativeNames()) {
- builder = builder.addSubjectAlternativeName(san.getValue());
+ builder = builder.addSubjectAlternativeName(san.decode());
}
return builder.build();
}
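Review bot: The loop around the `san.decode()` line still copies every subject alternative name from the CSR into the issued certificate unconditionally; the commit changes how the value is encoded, not which names are accepted. A CA that honours whatever DNS, IP or other name type the requester put in the CSR is delegating authorization to the CSR, so unless the caller has already validated the requested names, an allow-list of SAN types (DNS and IP) and a check that the names belong to the requesting host belong here or in a documented precondition. At minimum a comment such as `// Every SAN in the CSR is copied verbatim into the certificate; callers must authorise the requested names before calling create()` would make that trust boundary explicit. The enclosing create method begins outside the hunk, so such a check may already exist earlier in it.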
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
index 4946de93f6d..130a4ec5e66 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificateTester.java
@@ -47,13 +47,16 @@ public class CertificateTester {
return createCsr(null);
}
- public static Pkcs10Csr createCsr(String dnsName) {
+ public static Pkcs10Csr createCsr(String dnsName, String... ipAddresses) {
X500Principal subject = new X500Principal("CN=subject");
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
var builder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA512_WITH_ECDSA);
if (dnsName != null) {
builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.DNS_NAME, dnsName);
}
+ for (var ipAddress : ipAddresses) {
+ builder = builder.addSubjectAlternativeName(SubjectAlternativeName.Type.IP_ADDRESS, ipAddress);
+ }
return builder.build();
}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
index 80940dcd02c..fa86979656d 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
@@ -40,13 +40,18 @@ public class CertificatesTest {
public void add_san_from_csr() throws Exception {
var certificates = new Certificates(new ManualClock());
var dnsName = "host.example.com";
- var csr = CertificateTester.createCsr(dnsName);
+ var ip = "192.0.2.42";
+ var csr = CertificateTester.createCsr(dnsName, ip);
var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate());
assertNotNull(certificate.getSubjectAlternativeNames());
- assertEquals(1, certificate.getSubjectAlternativeNames().size());
+ assertEquals(2, certificate.getSubjectAlternativeNames().size());
+
+ var subjectAlternativeNames = List.copyOf(certificate.getSubjectAlternativeNames());
assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName),
- certificate.getSubjectAlternativeNames().iterator().next());
+ subjectAlternativeNames.get(0));
+ assertEquals(List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip),
+ subjectAlternativeNames.get(1));
}
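Review bot: The assertions on `subjectAlternativeNames.get(0)` and `subjectAlternativeNames.get(1)` depend on `X509Certificate.getSubjectAlternativeNames()` preserving the encoded order of the extension, which its contract (an immutable `Collection`) does not promise, so the test is brittle even though it passes on the current JDK. Comparing as a set pins the same content without the ordering assumption: `assertEquals(Set.of(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName), List.of(SubjectAlternativeName.Type.IP_ADDRESS.getTag(), ip)), Set.copyOf(certificate.getSubjectAlternativeNames()));` (a `java.util.Set` import, not visible in this hunk, may be needed). Since the commit's purpose is IP decoding, an IPv6 address would also be worth a case here, assuming the JDK renders it in a form the test can compare against.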
}