author | Bjørn Christian Seime <bjorn.christian@seime.no> | 2018-08-28 09:53:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-08-28 09:53:22 +0200 |
commit | 2e09b98495b4511f1a9e10f378cba30471178935 (patch) | |
tree | a233511139f1ad0bca2181a2eec3170e8ee4c53f /athenz-identity-provider-service | |
parent | 64128383875b1b3a4e0bbf44a90a29fe2ea33cff (diff) | |
parent | 95abce019d97868f802570c733312f9bbebae624 (diff) |
Merge pull request #6600 from vespa-engine/bjorncs/remove-self-signed-cert
Bjorncs/remove self signed cert
Diffstat (limited to 'athenz-identity-provider-service')
8 files changed, 7 insertions, 483 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index 801eb04d19c..5a509d77431 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -71,7 +71,7 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
 AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone);
 AthenzService configserverIdentity = new AthenzService(zoneConfig.domain(), zoneConfig.serviceName());
 Duration updatePeriod = Duration.ofDays(config.updatePeriodDays());
- DefaultZtsClient ztsClient = new DefaultZtsClient(URI.create(zoneConfig.ztsUrl()).resolve("/zts/v1"), bootstrapIdentity); // TODO Remove URI.resolve() once config in hosted is updated
+ DefaultZtsClient ztsClient = new DefaultZtsClient(URI.create(zoneConfig.ztsUrl()), bootstrapIdentity);
 this.ztsClient = ztsClient;
 this.keyProvider = keyProvider;
 this.zoneConfig = zoneConfig;
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
index 3091321c47a..a440f96cc49 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
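Review bot: With `.resolve("/zts/v1")` gone, `zoneConfig.ztsUrl()` is handed to `DefaultZtsClient` verbatim, so a zone whose config still carries the old host-only value would silently talk to the wrong endpoint; nothing in the hunk checks the new shape of the value. Since the removed TODO was the only place documenting that dependency, a comment on the new line would preserve it, e.g. `// ztsUrl is expected to carry the full API base path (previously appended here as /zts/v1)`. The enclosing constructor starts and ends outside the hunk.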
@@ -2,47 +2,37 @@
 package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
 
 import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
 import com.yahoo.jdisc.http.ssl.SslTrustStoreContext;
-import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
 import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
 
-import javax.security.auth.x500.X500Principal;
 import java.io.File;
-import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.cert.X509Certificate;
-import java.time.Duration;
 import java.time.Instant;
-import java.util.logging.Logger;
 
 /**
+ * Programmatic configuration of configserver's truststore
+ *
 * @author bjorncs
 */
 public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
 
- private static final Logger log = Logger.getLogger(AthenzSslTrustStoreConfigurator.class.getName());
 private static final String CERTIFICATE_ALIAS = "cfgselfsigned";
 
 private final KeyStore trustStore;
 
 @Inject
- public AthenzSslTrustStoreConfigurator(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- this.trustStore = createTrustStore(keyProvider, configserverConfig, athenzProviderServiceConfig);
+ public AthenzSslTrustStoreConfigurator(AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this.trustStore = createTrustStore(athenzProviderServiceConfig);
 }
 
 @Override
 public void configure(SslTrustStoreContext sslTrustStoreContext) {
 sslTrustStoreContext.updateTrustStore(trustStore);
- log.log(LogLevel.INFO, "Configured JDisc trust store with self-signed certificate");
 }
 
 Instant getTrustStoreExpiry() throws KeyStoreException {
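Review bot: `CERTIFICATE_ALIAS = "cfgselfsigned"` survives the hunk, but the self-signed entry it named is no longer put into the trust store (its `withCertificateEntry` use is removed in the following hunk, `@@ -50,44 +40,14 @@`). If `getTrustStoreExpiry`, whose body lies between the two hunks, still looks that alias up, `KeyStore.getCertificate` now returns null and the `getNotAfter()` call on it fails with a NullPointerException; either delete the constant together with the method, or rework the method to report the expiry of the CA certificates actually loaded from file. The new class Javadoc could also state where the store comes from, e.g. `Programmatic configuration of configserver's truststore, loaded from the Athenz CA trust store file named by AthenzProviderServiceConfig.athenzCaTrustStore()`.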
@@ -50,44 +40,14 @@ public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurato
 return certificate.getNotAfter().toInstant();
 }
 
- private static KeyStore createTrustStore(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ private static KeyStore createTrustStore(AthenzProviderServiceConfig athenzProviderServiceConfig) {
 try {
- KeyPair keyPair = getKeyPair(keyProvider, configserverConfig, athenzProviderServiceConfig);
- X509Certificate selfSignedCertificate = createSelfSignedCertificate(keyPair, configserverConfig);
- log.log(LogLevel.FINE, "Generated self-signed certificate: " + selfSignedCertificate);
 return KeyStoreBuilder.withType(KeyStoreType.JKS)
- .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()), "changeit".toCharArray())
- .withCertificateEntry(CERTIFICATE_ALIAS, selfSignedCertificate)
+ .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()))
 .build();
 } catch (Exception e) {
 throw new RuntimeException(e);
 }
 }
 
- private static KeyPair getKeyPair(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig athenzProviderServiceConfig) {
- String key = configserverConfig.environment() + "." + configserverConfig.region();
- AthenzProviderServiceConfig.Zones zoneConfig = athenzProviderServiceConfig.zones(key);
- return keyProvider.getKeyPair(zoneConfig.secretVersion());
- }
-
- private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, ConfigserverConfig config) {
- X500Principal subject = new X500Principal("CN="+ config.loadBalancerAddress());
- Instant now = Instant.now();
- X509CertificateBuilder builder = X509CertificateBuilder
- .fromKeypair(
- keyPair,
- subject,
- now,
- now.plus(Duration.ofDays(30)),
- SignatureAlgorithm.SHA256_WITH_RSA,
- now.toEpochMilli())
- .setBasicConstraints(true, true);
- config.zookeeperserver().forEach(server -> builder.addSubjectAlternativeName(server.hostname()));
- return builder.build();
- }
-
 }
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSerializedPayload.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSerializedPayload.java
deleted file mode 100644
index cfef2bc0e33..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSerializedPayload.java
+++ /dev/null
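Review bot: The new `.fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore()))` call drops the `"changeit"` password that the old line passed; if the single-argument overload loads the JKS file with a null password, the password-keyed integrity check of the store is skipped and a corrupted or altered trust store file loads without error, so the overload's behaviour is worth confirming (or the explicit password kept). The retained `throw new RuntimeException(e)` also hides which file failed to load; `throw new RuntimeException("Failed to load Athenz CA trust store from " + athenzProviderServiceConfig.athenzCaTrustStore(), e);` keeps the cause and names the file. The `catch (Exception e)` is broad for what is now a single file load, but that is pre-existing.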
@@ -1,59 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.JsonSerializer;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
-
-import java.io.IOException;
-import java.security.cert.X509Certificate;
-
-/**
- * Contains PEM formatted signed certificate
- *
- * @author freva
- */
-public class CertificateSerializedPayload {
-
- @JsonProperty("certificate") @JsonSerialize(using = CertificateSerializer.class)
- public final X509Certificate certificate;
-
- @JsonCreator
- public CertificateSerializedPayload(@JsonProperty("certificate") X509Certificate certificate) {
- this.certificate = certificate;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
-
- CertificateSerializedPayload that = (CertificateSerializedPayload) o;
-
- return certificate.equals(that.certificate);
- }
-
- @Override
- public int hashCode() {
- return certificate.hashCode();
- }
-
- @Override
- public String toString() {
- return "CertificateSerializedPayload{" +
- "certificate='" + certificate + '\'' +
- '}';
- }
-
- public static class CertificateSerializer extends JsonSerializer<X509Certificate> {
- @Override
- public void serialize(
- X509Certificate certificate, JsonGenerator gen, SerializerProvider serializers) throws IOException {
- gen.writeString(X509CertificateUtils.toPem(certificate));
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
deleted file mode 100644
index 7b4a599d5dd..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ /dev/null
@@ -1,115 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.google.common.collect.ImmutableList;
-import com.google.inject.Inject;
-import com.yahoo.cloud.config.ConfigserverConfig;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.tls.Extension;
-import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-
-import javax.security.auth.x500.X500Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.time.Clock;
-import java.time.Duration;
-import java.time.Instant;
-import java.util.List;
-import java.util.logging.Logger;
-import java.util.stream.Collectors;
-
-import static com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils.getZoneConfig;
-
-
-/**
- * Signs Certificate Signing Reqest from tenant nodes. This certificate will be used
- * by nodes to authenticate themselves when performing operations against the config
- * server, such as updating node-repository or orchestrator.
- *
- * @author freva
- */
-public class CertificateSigner {
-
- private static final Logger log = Logger.getLogger(CertificateSigner.class.getName());
-
- static final SignatureAlgorithm SIGNER_ALGORITHM = SignatureAlgorithm.SHA256_WITH_RSA;
- static final Duration CERTIFICATE_EXPIRATION = Duration.ofDays(30);
- private static final List<Extension> ILLEGAL_EXTENSIONS = ImmutableList.of(
- Extension.BASIC_CONSTRAINS, Extension.SUBJECT_ALTERNATIVE_NAMES);
-
- private final PrivateKey caPrivateKey;
- private final X500Principal issuer;
- private final Clock clock;
-
- @Inject
- public CertificateSigner(KeyProvider keyProvider,
- ConfigserverConfig configserverConfig,
- AthenzProviderServiceConfig config,
- Zone zone) {
- this(getPrivateKey(keyProvider, config, zone), configserverConfig.loadBalancerAddress(), Clock.systemUTC());
- }
-
- CertificateSigner(PrivateKey caPrivateKey, String loadBalancerAddress, Clock clock) {
- this.caPrivateKey = caPrivateKey;
- this.issuer = new X500Principal("CN=" + loadBalancerAddress);
- this.clock = clock;
- }
-
- /**
- * Signs the CSR if:
- * <ul>
- * <li>Common Name matches {@code remoteHostname}</li>
- * <li>CSR does not contain any any of the extensions in {@code ILLEGAL_EXTENSIONS}</li>
- * </ul>
- */
- X509Certificate generateX509Certificate(Pkcs10Csr csr, String remoteHostname) {
- verifyCertificateCommonName(csr.getSubject(), remoteHostname);
- verifyCertificateExtensions(csr);
-
- Instant now = clock.instant();
- try {
- return X509CertificateBuilder.fromCsr(csr, issuer, now, now.plus(CERTIFICATE_EXPIRATION), caPrivateKey, SIGNER_ALGORITHM, now.toEpochMilli())
- .setBasicConstraints(true, false)
- .build();
- } catch (Exception ex) {
- log.log(LogLevel.ERROR, "Failed to generate X509 Certificate", ex);
- throw new RuntimeException("Failed to generate X509 Certificate", ex);
- }
- }
-
- static void verifyCertificateCommonName(X500Principal subject, String remoteHostname) {
- List<String> commonNames = X509CertificateUtils.getCommonNames(subject);
- if (commonNames.size() != 1) {
- throw new IllegalArgumentException("Only 1 common name should be set");
- }
-
- String actualCommonName = commonNames.get(0);
- if (! actualCommonName.equals(remoteHostname)) {
- throw new IllegalArgumentException("Remote hostname " + remoteHostname +
- " does not match common name " + actualCommonName);
- }
- }
-
- @SuppressWarnings("unchecked")
- static void verifyCertificateExtensions(Pkcs10Csr csr) {
- List<String> extensionOIds = csr.getExtensionOIds();
- List<String> illegalExt = ILLEGAL_EXTENSIONS.stream()
- .map(Extension::getOId)
- .filter(extensionOIds::contains)
- .collect(Collectors.toList());
- if (! illegalExt.isEmpty()) {
- throw new IllegalArgumentException("CSR contains illegal extensions: " + String.join(", ", illegalExt));
- }
- }
-
- private static PrivateKey getPrivateKey(KeyProvider keyProvider, AthenzProviderServiceConfig config, Zone zone) {
- AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone);
- return keyProvider.getPrivateKey(zoneConfig.secretVersion());
- }
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerResource.java
deleted file mode 100644
index 1dd452866a5..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerResource.java
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.google.inject.Inject;
-import com.yahoo.container.jaxrs.annotation.Component;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.BadRequestException;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.ForbiddenException;
-import javax.ws.rs.InternalServerErrorException;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import java.net.InetAddress;
-import java.net.UnknownHostException;
-import java.security.cert.X509Certificate;
-import java.util.logging.Logger;
-
-/**
- * @author bjorncs
- * @author freva
- */
-@Path("/sign")
-public class CertificateSignerResource {
-
- private static final Logger log = Logger.getLogger(CertificateSignerResource.class.getName());
-
- private final CertificateSigner certificateSigner;
-
- @Inject
- public CertificateSignerResource(@Component CertificateSigner certificateSigner) {
- this.certificateSigner = certificateSigner;
- }
-
- @POST
- @Produces(MediaType.APPLICATION_JSON)
- @Consumes(MediaType.APPLICATION_JSON)
- public CertificateSerializedPayload generateCertificate(CsrSerializedPayload csrPayload,
- @Context HttpServletRequest req) {
- try {
- InetAddress addr = InetAddress.getByName(req.getRemoteAddr());
- String remoteHostname = addr.getHostName();
- Pkcs10Csr csr = csrPayload.csr;
- log.log(LogLevel.DEBUG, "Certification request from " + remoteHostname + ": " + csr);
- X509Certificate certificate = certificateSigner.generateX509Certificate(csr, remoteHostname);
- return new CertificateSerializedPayload(certificate);
- } catch (IllegalArgumentException e) {
- log.log(LogLevel.WARNING, e.getMessage());
- throw new ForbiddenException(e.getMessage(), e);
- } catch (RuntimeException e) {
- log.log(LogLevel.ERROR, e.getMessage(), e);
- throw new InternalServerErrorException(e.getMessage(), e);
- } catch (UnknownHostException e) {
- String message = "Failed to resolve remote address " + req.getRemoteAddr() +
- ", must resolve to match value in Common Name";
- log.log(LogLevel.ERROR, message);
- throw new BadRequestException(message);
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayload.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayload.java
deleted file mode 100644
index 375a4c3e17d..00000000000
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayload.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.core.JsonParser;
-import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.databind.JsonDeserializer;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
-
-import java.io.IOException;
-
-/**
- * Contains PEM formatted Certificate Signing Request (CSR)
- *
- * @author freva
- */
-public class CsrSerializedPayload {
-
- @JsonProperty("csr") public final Pkcs10Csr csr;
-
- @JsonCreator
- public CsrSerializedPayload(@JsonProperty("csr") @JsonDeserialize(using = CertificateRequestDeserializer.class)
- Pkcs10Csr csr) {
- this.csr = csr;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
-
- CsrSerializedPayload that = (CsrSerializedPayload) o;
-
- return csr.equals(that.csr);
- }
-
- @Override
- public int hashCode() {
- return csr.hashCode();
- }
-
- @Override
- public String toString() {
- return "CsrSerializedPayload{" +
- "csr='" + csr + '\'' +
- '}';
- }
-
- public static class CertificateRequestDeserializer extends JsonDeserializer<Pkcs10Csr> {
- @Override
- public Pkcs10Csr deserialize(
- JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
- return Pkcs10CsrUtils.fromPem(jsonParser.getValueAsString());
- }
- }
-}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java
deleted file mode 100644
index 6c624eb1da0..00000000000
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.yahoo.test.ManualClock;
-import com.yahoo.vespa.athenz.tls.Extension;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
-import org.junit.Test;
-
-import javax.security.auth.x500.X500Principal;
-import java.math.BigInteger;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.fail;
-
-/**
- * @author freva
- */
-public class CertificateSignerTest {
-
- private final long startTime = 1234567890000L;
- private final KeyPair caKeyPair = getKeyPair();
- private final String cfgServerHostname = "cfg1.us-north-1.vespa.domain.tld";
- private final ManualClock clock = new ManualClock(Instant.ofEpochMilli(startTime));
- private final CertificateSigner signer = new CertificateSigner(caKeyPair.getPrivate(), cfgServerHostname, clock);
-
- private final String requestersHostname = "tenant-123.us-north-1.vespa.domain.tld";
-
- @Test
- public void test_signing() throws Exception {
- String subject = String.format("CN=%s,OU=Vespa,C=NO", requestersHostname);
- Pkcs10Csr csr = createCsrBuilder(subject).build();
-
- X509Certificate certificate = signer.generateX509Certificate(csr, requestersHostname);
- assertCertificate(certificate, subject, Collections.singleton(Extension.BASIC_CONSTRAINS.getOId()));
- }
-
- @Test
- public void common_name_test() throws Exception {
- CertificateSigner.verifyCertificateCommonName(
- new X500Principal("CN=" + requestersHostname), requestersHostname);
- CertificateSigner.verifyCertificateCommonName(
- new X500Principal("C=NO,OU=Vespa,CN=" + requestersHostname), requestersHostname);
- CertificateSigner.verifyCertificateCommonName(
- new X500Principal("C=NO+OU=org,CN=" + requestersHostname), requestersHostname);
-
- assertCertificateCommonNameException("C=NO", "Only 1 common name should be set");
- assertCertificateCommonNameException("C=US+CN=abc123.domain.tld,C=NO+CN=" + requestersHostname, "Only 1 common name should be set");
- assertCertificateCommonNameException("CN=evil.hostname.domain.tld",
- "Remote hostname tenant-123.us-north-1.vespa.domain.tld does not match common name evil.hostname.domain.tld");
- }
-
- @Test(expected = IllegalArgumentException.class)
- public void extensions_test_subject_alternative_names() throws Exception {
- Pkcs10Csr csr = createCsrBuilder("OU=Vespa")
- .addSubjectAlternativeName("some.other.domain.tld")
- .build();
- CertificateSigner.verifyCertificateExtensions(csr);
- }
-
- private void assertCertificateCommonNameException(String subject, String expectedMessage) {
- try {
- CertificateSigner.verifyCertificateCommonName(new X500Principal(subject), requestersHostname);
- fail("Expected to fail");
- } catch (IllegalArgumentException e) {
- assertEquals(expectedMessage, e.getMessage());
- }
- }
-
- private void assertCertificate(X509Certificate certificate, String expectedSubjectName, Set<String> expectedExtensions) throws Exception {
- assertEquals(3, certificate.getVersion());
- assertEquals(BigInteger.valueOf(startTime), certificate.getSerialNumber());
- assertEquals(startTime, certificate.getNotBefore().getTime());
- assertEquals(startTime + CertificateSigner.CERTIFICATE_EXPIRATION.toMillis(), certificate.getNotAfter().getTime());
- assertEquals(CertificateSigner.SIGNER_ALGORITHM.getAlgorithmName(), certificate.getSigAlgName());
- assertEquals(new X500Principal(expectedSubjectName), certificate.getSubjectX500Principal());
- assertEquals("CN=" + cfgServerHostname, certificate.getIssuerX500Principal().getName());
-
- Set<String> extensions = Stream.of(certificate.getNonCriticalExtensionOIDs(),
- certificate.getCriticalExtensionOIDs())
- .flatMap(Collection::stream)
- .collect(Collectors.toSet());
- assertEquals(expectedExtensions, extensions);
-
- certificate.verify(caKeyPair.getPublic());
- }
-
- private Pkcs10CsrBuilder createCsrBuilder(String subject) {
- return Pkcs10CsrBuilder.fromKeypair(new X500Principal(subject), caKeyPair, CertificateSigner.SIGNER_ALGORITHM);
- }
-
- private static KeyPair getKeyPair() {
- return KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- }
-}
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayloadTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayloadTest.java
deleted file mode 100644
index b12ef70b1dc..00000000000
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CsrSerializedPayloadTest.java
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.athenz.instanceproviderservice.ca;
-
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils;
-import org.junit.Test;
-
-import java.io.IOException;
-
-import static org.hamcrest.Matchers.notNullValue;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author bjorncs
- */
-public class CsrSerializedPayloadTest {
-
- @Test
- public void it_can_be_deserialized() throws IOException {
- String serialized = "{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----\\nMIICVDCCATwCAQAwDzENMAsGA1UEAwwEdGV" +
- "zdDCCASIwDQYJKoZIhvcNAQEBBQAD\\nggEPADCCAQoCggEBAL7xra4De9B54yY6lw8Ka/lt7lDEKQRp42RYzpXjHIQXFgr8" +
- "\\n+EvJCLEldFoqfOm728KAWQq/8YdFR4hBwOz8Rr8khJKMBCQ2DWvGYz2705nr3j3v\\nsd3RE5i8n8cUdKiHRuOf305xgy" +
- "970TFb+s5/tQOfDMDfvC/BdHNhB4pc0P04CVs/\\nzusKvghdSXFVufAuVaY30ZyviqrDVlBZnI158MmRzfINwP70ZYn5wsq" +
- "crKzgSUBp\\nH/WjxaklSzGOH8Uk/EKVx0luzAxtTU8jO7MU1+EG8H4E+FI9ijdjftYyko5UAOQO\\nJGiI9/qHJIMVOIcQa" +
- "k1PA5+2/0NbtVxihQi/uJcCAwEAAaAAMA0GCSqGSIb3DQEB\\nCwUAA4IBAQAelFvM6PyDFufv9pNmFigNqOO+r8ats9Xak9" +
- "JVtGERo9KFcNDAkawD\\nMPzWQeB87oPnB5dlSdkI2J/jIV7/zR9Qoa2qZlKeL4vUIvfMTj5EOmQLn4ofoBwa\\n50D8Ro3D" +
- "06Ohb1KE3seOK2FfVybiATpoaICCjb0ibhx4lNsJGZXpw6F2OdTRi8Fb\\n7kfgLiLPCH+UiHDeVnjVVr/PUKeSImgv44mb4" +
- "c6EU29MYkM4LxCY9/c4scG7Pq+s\\nuHU5Tepjsnmkdtip5NzS7csPXENEygKyksPHWFFojPrtF6nFkMzzIPUgKbsmm4+H\\" +
- "nfJihCYL3pc3+bVYl87TIcdohJ1GYvfw7\\n-----END CERTIFICATE REQUEST-----\\n\"}";
- CsrSerializedPayload csrSerializedPayload = Utils.getMapper().readValue(serialized, CsrSerializedPayload.class);
- assertThat(csrSerializedPayload.csr, notNullValue());
- }
-
-}