Use BouncyCastle directly instead through athenz-auth-core

author: Bjørn Christian Seime <bjorncs@oath.com> 2017-10-24 11:10:16 +0200
committer: Bjørn Christian Seime <bjorncs@oath.com> 2017-10-24 12:44:04 +0200
commit: af797df442133621d681e2c2d0b4ea5661964348 (patch)
tree: 0a57efc1b23ec8f19e1b897860fd28e7ddadb986 /container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
parent: d0bc14f3761a7f86c0286f62a99d20a531305e17 (diff)
1 files changed, 34 insertions, 10 deletions
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
index 63b0accbdd2..1ccbaaa35f4 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
@@ -4,7 +4,6 @@ import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.annotations.Beta;
 import com.google.inject.Inject;
-import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.container.core.identity.IdentityConfig;
@@ -12,10 +11,22 @@ import com.yahoo.container.jdisc.athenz.impl.AthenzService;
 import com.yahoo.container.jdisc.athenz.impl.InstanceIdentity;
 import com.yahoo.container.jdisc.athenz.impl.InstanceRegisterInformation;
 import com.yahoo.container.jdisc.athenz.impl.ServiceProviderApi;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.bouncycastle.util.io.pem.PemObject;
 
+import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
+import java.io.StringWriter;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -86,7 +97,6 @@ public final class AthenzIdentityProvider extends AbstractComponent {
             KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
             return kpg.generateKeyPair();
         } catch (NoSuchAlgorithmException e) {
-            e.printStackTrace();
             throw new RuntimeException(e);
         }
     }
@@ -96,7 +106,7 @@ public final class AthenzIdentityProvider extends AbstractComponent {
         try {
             // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
             // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
-            GeneralName[] sanDnsNames = new GeneralName[]{
+            GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
                     new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s",
                                                                           identityConfig.serviceName(),
                                                                           identityConfig.domain().replace(".", "-"),
@@ -104,14 +114,28 @@ public final class AthenzIdentityProvider extends AbstractComponent {
                     new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s",
                                                                        providerUniqueId,
                                                                        dnsSuffix))
-            };
-
-            return Crypto.generateX509CSR(keyPair.getPrivate(),
-                                          keyPair.getPublic(),
-                                          String.format("CN=%s.%s", identityConfig.domain(), identityConfig.serviceName()),
-                                          sanDnsNames);
+            });
+
+            ExtensionsGenerator extGen = new ExtensionsGenerator();
+            extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
+
+            X500Principal subject = new X500Principal(
+                    String.format("CN=%s.%s", identityConfig.domain(), identityConfig.serviceName()));
+
+            PKCS10CertificationRequestBuilder requestBuilder =
+                    new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+            requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
+            PKCS10CertificationRequest csr = requestBuilder.build(
+                    new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
+
+            PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded());
+            try (StringWriter stringWriter = new StringWriter()) {
+                try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
+                    pemWriter.writeObject(pemObject);
+                    return stringWriter.toString();
+                }
+            }
         } catch (OperatorCreationException e) {
-            e.printStackTrace();
             throw new RuntimeException(e);
         }
     }
author	Bjørn Christian Seime <bjorncs@oath.com>	2017-10-24 11:10:16 +0200
committer	Bjørn Christian Seime <bjorncs@oath.com>	2017-10-24 12:44:04 +0200
commit	af797df442133621d681e2c2d0b4ea5661964348 (patch)
tree	0a57efc1b23ec8f19e1b897860fd28e7ddadb986 /container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java
parent	d0bc14f3761a7f86c0286f62a99d20a531305e17 (diff)