author | Morten Tokle <mortent@oath.com> | 2018-10-05 12:27:50 +0200 |
---|---|---|
committer | Morten Tokle <mortent@oath.com> | 2018-10-05 12:27:50 +0200 |
commit | ac951c8a7359da2ea99a80cd4bd1d3dfe23b5376 (patch) | |
tree | 5278a332b61fa45f0704e07c3ddbbb7342c26171 /vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts | |
parent | ab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 (diff) |
Implement role CSR requirements
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java | 21 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java | 16 |
2 files changed, 7 insertions, 30 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7d4901f163a..dc82ed7fcb9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -24,7 +24,6 @@ import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identity.ServiceIdentitySslSocketFactory;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.config.RequestConfig;
@@ -40,7 +39,6 @@ import org.eclipse.jetty.http.HttpStatus;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
-import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
@@ -50,9 +48,6 @@ import java.time.Duration;
 import java.util.List;
 import java.util.function.Supplier;
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
 import static java.util.stream.Collectors.toList;
 /**
@@ -163,15 +158,7 @@ public class DefaultZtsClient implements ZtsClient {
 }
 @Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud) {
- X500Principal principal = new X500Principal(String.format("cn=%s:role.%s", role.domain().getName(), role.roleName()));
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace('.', '-'), cloud))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), cloud))
- .build();
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry) {
 RoleCertificateRequestEntity requestEntity = new RoleCertificateRequestEntity(csr, expiry);
 URI uri = ztsUrl.resolve(String.format("domain/%s/role/%s/token", role.domain().getName(), role.roleName()));
 HttpUriRequest request = RequestBuilder.post(uri)
@@ -184,10 +171,8 @@ public class DefaultZtsClient implements ZtsClient {
 }
 @Override
- public X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud) {
- return getRoleCertificate(role, null, keyPair, cloud);
+ public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr) {
+ return getRoleCertificate(role, csr, null);
 }
 @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 5c0e21bfa97..2ef6039ddc8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
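Review bot: The new three-argument getRoleCertificate posts the caller-supplied csr to `domain/%s/role/%s/token` without checking that the CSR actually describes `role`; the removed code guaranteed this itself by building the subject as `cn=<domain>:role.<roleName>`, and the interface Javadoc now only says the CSR should be "matching role". A mismatched CSR is detected (if at all) only on the ZTS side, so a precondition that the CSR subject names the same domain and role as `role`, failing with `IllegalArgumentException`, would keep the error local and explicit; the hunk does not show which accessor Pkcs10Csr exposes for the subject, so confirm against that class before adding it. The two-argument overload in the second hunk has the same gap and still passes `null` as expiry, which deserves a comment such as `// null expiry: let ZTS apply its default` so the intent is not mistaken for a missing argument. Both methods belong to DefaultZtsClient, whose body starts and ends outside these hunks.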
@@ -1,7 +1,6 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zts;
-import com.yahoo.athenz.zts.TenantDomains;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -84,27 +83,20 @@ public interface ZtsClient extends AutoCloseable {
 * Fetch role certificate for the target domain and role
 *
 * @param role Target role
+ * @param csr Certificate signing request matching role
 * @param expiry Certificate expiry
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
 * @return A role certificate
 */
- X509Certificate getRoleCertificate(AthenzRole role,
- Duration expiry,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry);
 /**
 * Fetch role certificate for the target domain and role
 *
 * @param role Target role
- * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
- * @param cloud The cloud suffix used in DNS SAN entries
+ * @param csr Certificate signing request matching role
 * @return A role certificate
 */
- X509Certificate getRoleCertificate(AthenzRole role,
- KeyPair keyPair,
- String cloud);
+ X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr);
 /**
 * For a given provider, get a list of tenant domains that the user is a member of |
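Review bot: `@param csr Certificate signing request matching role` leaves undocumented the contract the old implementation used to enforce on the caller's behalf: the subject must be `cn=<domain>:role.<roleName>` and the DNS and RFC822 SAN entries identify the requesting service, which is exactly what the removed DefaultZtsClient code generated. Since callers now build the CSR themselves, I would spell that out in both Javadocs, e.g. `@param csr Certificate signing request for the role: subject cn=<domain>:role.<roleName>, with SAN entries identifying the requesting service`. The two-argument overload should also say what expiry applies when none is given; the implementation forwards `null` to the request entity, which presumably means ZTS chooses the lifetime, so `@return A role certificate with the ZTS default expiry` would make that visible at the interface.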