author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-06 17:03:55 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-16 12:16:18 +0200 |
commit | 5040f6e9d25580688b718dc452c6b1b64c5053e3 (patch) | |
tree | 7072fc9bd31a390bd1791c07b341344aacccaf75 /athenz-identity-provider-service | |
parent | 75201698983e22570805d1e4e697575ebcd7fb99 (diff) |
Remove self-signed certificate from configserver truststore
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r-- | athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java | 52 |
1 files changed, 6 insertions, 46 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
index 3091321c47a..a440f96cc49 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
@@ -2,47 +2,37 @@
 package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
 import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
 import com.yahoo.jdisc.http.ssl.SslTrustStoreContext;
-import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
 import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import javax.security.auth.x500.X500Principal;
 import java.io.File;
-import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.cert.X509Certificate;
-import java.time.Duration;
 import java.time.Instant;
-import java.util.logging.Logger;
 /**
+ * Programmatic configuration of configserver's truststore
+ *
 * @author bjorncs
 */
 public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
- private static final Logger log = Logger.getLogger(AthenzSslTrustStoreConfigurator.class.getName());
 private static final String CERTIFICATE_ALIAS = "cfgselfsigned";
 private final KeyStore trustStore;
 @Inject
- public AthenzSslTrustStoreConfigurator(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- this.trustStore = createTrustStore(keyProvider, configserverConfig, athenzProviderServiceConfig);
+ public AthenzSslTrustStoreConfigurator(AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this.trustStore = createTrustStore(athenzProviderServiceConfig);
 }
 @Override
 public void configure(SslTrustStoreContext sslTrustStoreContext) {
 sslTrustStoreContext.updateTrustStore(trustStore);
- log.log(LogLevel.INFO, "Configured JDisc trust store with self-signed certificate");
 }
 Instant getTrustStoreExpiry() throws KeyStoreException {
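Review bot: The new Javadoc summary `Programmatic configuration of configserver's truststore` says little about what the class now does, and the class-level sentence is the only documentation left once the logging is gone. I would make it state the contract explicitly, e.g. `Installs the JKS truststore referenced by athenzProviderServiceConfig.athenzCaTrustStore() as the JDisc SSL truststore.` Dropping the INFO line in `configure` also removes the only startup record of which truststore was installed; since the `Logger` import is deleted in the same hunk, keeping one log line naming the file path would require re-adding it, but it is worth it for operational verification. The body of `getTrustStoreExpiry` starts after this hunk.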
@@ -50,44 +40,14 @@ public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurato
 return certificate.getNotAfter().toInstant();
 }
- private static KeyStore createTrustStore(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ private static KeyStore createTrustStore(AthenzProviderServiceConfig athenzProviderServiceConfig) {
 try {
- KeyPair keyPair = getKeyPair(keyProvider, configserverConfig, athenzProviderServiceConfig);
- X509Certificate selfSignedCertificate = createSelfSignedCertificate(keyPair, configserverConfig);
- log.log(LogLevel.FINE, "Generated self-signed certificate: " + selfSignedCertificate);
 return KeyStoreBuilder.withType(KeyStoreType.JKS)
- .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()), "changeit".toCharArray())
- .withCertificateEntry(CERTIFICATE_ALIAS, selfSignedCertificate)
+ .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()))
 .build();
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
 }
- private static KeyPair getKeyPair(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- String key = configserverConfig.environment() + "." + configserverConfig.region();
- AthenzProviderServiceConfig.Zones zoneConfig = athenzProviderServiceConfig.zones(key);
- return keyProvider.getKeyPair(zoneConfig.secretVersion());
- }
-
- private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, ConfigserverConfig config) {
- X500Principal subject = new X500Principal("CN="+ config.loadBalancerAddress());
- Instant now = Instant.now();
- X509CertificateBuilder builder = X509CertificateBuilder
- .fromKeypair(
- keyPair,
- subject,
- now,
- now.plus(Duration.ofDays(30)),
- SignatureAlgorithm.SHA256_WITH_RSA,
- now.toEpochMilli())
- .setBasicConstraints(true, true);
- config.zookeeperserver().forEach(server -> builder.addSubjectAlternativeName(server.hostname()));
- return builder.build();
- }
-
 } |
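Review bot: The rewritten `createTrustStore` no longer adds an entry under `CERTIFICATE_ALIAS`, yet that constant is kept in the first hunk and the only remaining consumer I can see is `getTrustStoreExpiry`, whose body (the lines before `return certificate.getNotAfter().toInstant();`) is outside both hunks. If it still does a `trustStore.getCertificate(CERTIFICATE_ALIAS)` lookup, the cert will now be null and the `getNotAfter()` call will throw a NullPointerException at runtime, so either the lookup should be changed to whatever alias the Athenz CA truststore actually uses, or `getTrustStoreExpiry` and the constant should be removed together. The builder call also drops the `"changeit"` password; if the single-argument `fromFile` loads the JKS with a null password, the file's integrity check is skipped, which is acceptable for a file the process trusts anyway but worth a one-line comment such as `// truststore is read without a password: integrity of the JKS file is not verified here`. The `catch (Exception e)` wrapper is unchanged and still discards nothing, but its message could name the truststore path to make a missing or unreadable file diagnosable at startup.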