authorBjørn Christian Seime <bjorncs@oath.com>2018-03-22 17:40:44 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-03-22 17:40:44 +0100
commit513844e78fb39601f0783ec4286838bee3776b8d (patch)
treebd66eb723fcff356a8932691f40dc6cab51a96aa /node-repository
parentbb0908d6d4aeb60ea24171db134e81874e02803c (diff)
Use helpers in vespa-athenz instead of BouncyCastle
Diffstat (limited to 'node-repository')
-rw-r--r--node-repository/pom.xml10
-rw-r--r--node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java15
-rw-r--r--node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java44
3 files changed, 16 insertions, 53 deletions
diff --git a/node-repository/pom.xml b/node-repository/pom.xml
index 8efd4099773..6741163c19c 100644
--- a/node-repository/pom.xml
+++ b/node-repository/pom.xml
@@ -78,13 +78,9 @@
<scope>provided</scope>
</dependency>
<dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <groupId>com.yahoo.vespa</groupId>
+ <artifactId>vespa-athenz</artifactId>
+ <version>${project.version}</version>
<scope>provided</scope>
</dependency>
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index d4435e84de9..4daa9d417dd 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -7,18 +7,13 @@ import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.handler.ResponseHandler;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
+import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import com.yahoo.vespa.hosted.provision.restapi.v2.Authorizer;
import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
-import org.bouncycastle.asn1.x500.RDN;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.bouncycastle.asn1.x500.style.IETFUtils;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import java.net.URI;
import java.security.Principal;
-import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.function.BiConsumer;
@@ -84,13 +79,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
/** Read common name (CN) from certificate */
private static String commonName(X509Certificate certificate) {
- try {
- X500Name subject = new JcaX509CertificateHolder(certificate).getSubject();
- RDN cn = subject.getRDNs(BCStyle.CN)[0];
- return IETFUtils.valueToString(cn.getFirst().getValue());
- } catch (CertificateEncodingException e) {
- throw new RuntimeException(e);
- }
+ return X509CertificateUtils.getCommonNames(certificate).get(0);
}
}
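Review bot: `X509CertificateUtils.getCommonNames(certificate).get(0)` on the new line throws an IndexOutOfBoundsException for a client certificate whose subject has no CN, and silently takes the first entry when the subject carries several; the replaced BouncyCastle code had the same gap, but an authorization filter should turn both cases into a deliberate rejection rather than an unhandled exception (how the caller of commonName handles exceptions is outside this hunk). Suggest `List<String> commonNames = X509CertificateUtils.getCommonNames(certificate);` followed by `if (commonNames.size() != 1) throw new IllegalArgumentException("Expected exactly one CN in client certificate, got " + commonNames.size());` and `return commonNames.get(0);`, with `java.util.List` added to the imports. Whether multi-CN subjects are ever legitimately issued to callers here is something to confirm against the Athenz certificate policy before choosing between rejecting and picking one.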
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index cb3810eeef0..5cd01755c26 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
@@ -5,33 +5,22 @@ import com.yahoo.application.container.handler.Request.Method;
import com.yahoo.container.jdisc.RequestHandlerTestDriver;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-
-import java.io.IOException;
-import java.math.BigInteger;
+import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
+
+import javax.security.auth.x500.X500Principal;
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
-import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Optional;
+import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
@@ -95,24 +84,13 @@ public class FilterTester {
/** Create a self signed certificate for commonName using given public/private key pair */
private static X509Certificate certificateFor(String commonName, KeyPair keyPair) {
- try {
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA")
- .build(keyPair.getPrivate());
- X500Name x500Name = new X500Name("CN=" + commonName);
- Instant now = Instant.now();
- Date notBefore = Date.from(now);
- Date notAfter = Date.from(now.plus(Duration.ofDays(30)));
- X509v3CertificateBuilder certificateBuilder =
- new JcaX509v3CertificateBuilder(
- x500Name,
- BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic()
- ).addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
- .getCertificate(certificateBuilder.build(contentSigner));
- } catch (OperatorCreationException |IOException |CertificateException e) {
- throw new RuntimeException(e);
- }
+ Instant now = Instant.now();
+ X500Principal subject = new X500Principal("CN=" + commonName);
+ return X509CertificateBuilder
+ .fromKeypair(
+ keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
+ .setBasicConstraints(true, true)
+ .build();
}
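Review bot: `setBasicConstraints(true, true)` loses the self-documenting shape of the call it replaces (`addExtension(Extension.basicConstraints, true, new BasicConstraints(true))`), so a reader can no longer tell which boolean is the extension's criticality flag and which marks the certificate as a CA; the helper's parameter order is not visible in this hunk. A trailing comment would keep the intent readable, e.g. `.setBasicConstraints(true, true) // (critical, isCa) — mirrors the replaced BouncyCastle extension; confirm argument order against X509CertificateBuilder`. It would also help to extend the method's Javadoc with a sentence saying this fixture deliberately issues a self-signed CA certificate with a time-derived serial, which is acceptable for a unit test but must not be copied into production issuance code.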
private static class Response {