author | Martin Polden <mpolden@mpolden.no> | 2019-10-04 13:06:41 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2019-10-04 13:06:41 +0200 |
commit | d5f0162c69e3f1cb1a8f16553fa0564754681ad1 (patch) | |
tree | cbb80709384baf5bfbb837074044d55213ebcc75 /athenz-identity-provider-service | |
parent | 6fe52f2ed1665f6fe29b74bbaec4db2c889ebacf (diff) |
Add SAN from CSR to certificate
Diffstat (limited to 'athenz-identity-provider-service')
2 files changed, 27 insertions, 5 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
index 6d121657a40..447b6efb09b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/Certificates.java
@@ -35,14 +35,17 @@ public class Certificates {
 var now = clock.instant();
 var notBefore = now.minus(Duration.ofHours(1));
 var notAfter = now.plus(CERTIFICATE_TTL);
- return X509CertificateBuilder.fromCsr(csr,
+ var builder = X509CertificateBuilder.fromCsr(csr,
 x500principal,
 notBefore,
 notAfter,
 caPrivateKey,
 SHA256_WITH_ECDSA,
- X509CertificateBuilder.generateRandomSerialNumber())
- .build();
+ X509CertificateBuilder.generateRandomSerialNumber());
+ for (var san : csr.getSubjectAlternativeNames()) {
+ builder = builder.addSubjectAlternativeName(san.getValue());
+ }
+ return builder.build();
 }
 /** Returns the DNS name field from Subject Alternative Names in given csr */
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
index 4e306d9a70e..80940dcd02c 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/CertificatesTest.java
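Review bot: Every SAN present in the CSR is copied into the issued certificate unchecked by the new `for` loop, so whoever builds the CSR chooses the names this CA vouches for; a CA should only emit names the requester is entitled to. Before `builder = builder.addSubjectAlternativeName(san.getValue());`, compare each value against the identity the caller has already established for this request and reject the CSR on a mismatch (the Javadoc at the end of the hunk suggests the class already has a helper that extracts the DNS-name SAN, which is a natural place to anchor that check). `san.getValue()` also drops the SAN type; if the single-argument `addSubjectAlternativeName` treats its argument as a DNS name, an IP or URI SAN in the CSR would be re-typed, so it is worth confirming against X509CertificateBuilder and, if so, restricting the loop to `SubjectAlternativeName.Type.DNS_NAME` entries. A comment such as `// SANs are requester-supplied: copy only names the caller is authorized for` would record the intent for the next maintainer. The enclosing `create` method's signature starts above the hunk.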
@@ -3,26 +3,32 @@ package com.yahoo.vespa.hosted.ca;
 import com.yahoo.security.KeyAlgorithm;
 import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SubjectAlternativeName;
 import com.yahoo.test.ManualClock;
 import org.junit.Test;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.List;
 import static java.time.temporal.ChronoUnit.SECONDS;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 /**
 * @author mpolden
 */
 public class CertificatesTest {
+ private final KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ private final X509Certificate caCertificate = CertificateTester.createCertificate("CA", keyPair);
+
 @Test
 public void expiry() {
 var clock = new ManualClock();
 var certificates = new Certificates(clock);
 var csr = CertificateTester.createCsr();
- var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
- var caCertificate = CertificateTester.createCertificate("CA", keyPair);
 var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate());
 var now = clock.instant();
@@ -30,4 +36,17 @@ public class CertificatesTest {
 assertEquals(now.plus(Duration.ofDays(30)).truncatedTo(SECONDS), certificate.getNotAfter().toInstant());
 }
+ @Test
+ public void add_san_from_csr() throws Exception {
+ var certificates = new Certificates(new ManualClock());
+ var dnsName = "host.example.com";
+ var csr = CertificateTester.createCsr(dnsName);
+ var certificate = certificates.create(csr, caCertificate, keyPair.getPrivate());
+
+ assertNotNull(certificate.getSubjectAlternativeNames());
+ assertEquals(1, certificate.getSubjectAlternativeNames().size());
+ assertEquals(List.of(SubjectAlternativeName.Type.DNS_NAME.getTag(), dnsName),
+ certificate.getSubjectAlternativeNames().iterator().next());
+ }
+
 } |
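Review bot: `add_san_from_csr` in the second hunk covers only the happy path of a single DNS SAN; there is no case for a CSR carrying several SANs or a non-DNS one (IP, URI), which is exactly where the unconditional copy loop in `Certificates.create` is most likely to surprise. A second test built from another `CertificateTester.createCsr(...)` variant that asserts the full resulting SAN list (or that the request is rejected, once the CA validates names) would pin that behaviour down. Asserting only `size() == 1` and the first element also leaves the SAN type of additional entries unverified if the list ever grows.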