author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:15:32 +0200 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-07-20 13:56:34 +0200 |
commit | b0a11043f8ac63ae543c9dfc8b1a7e40bf58f19d (patch) | |
tree | 41b8782def3665db66c2b084b737b9aaf9ca6aa9 /vespa-athenz | |
parent | ead5f9f883bce032c13f4615ad98a25ac91fae7d (diff) |
Simplify type definition for subject alternative names
Diffstat (limited to 'vespa-athenz')
3 files changed, 15 insertions, 17 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
index 92be935d293..5b129de412d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -29,10 +29,10 @@ public class RoleCsrGenerator {
 public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
 return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(
- Type.DNS_NAME,
+ Type.DNS,
 String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
 .addSubjectAlternativeName(
- Type.RFC822_NAME,
+ Type.EMAIL,
 String.format("%s@%s", identity.getFullName(), dnsSuffix))
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 518f77ae79c..21ce30fd244 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -13,9 +13,9 @@ import java.security.KeyPair;
 import java.util.Set;
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.IP;
+import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL;
 /**
 * Generates a {@link Pkcs10Csr} for an instance.
@@ -41,14 +41,14 @@ public class CsrGenerator {
 // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
 Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
 .addSubjectAlternativeName(
- DNS_NAME,
+ DNS,
 String.format(
 "%s.%s.%s",
 instanceIdentity.getName(),
 instanceIdentity.getDomainName().replace(".", "-"),
 dnsSuffix))
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
- ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
 return pkcs10CsrBuilder.build();
 }
@@ -58,8 +58,8 @@ public class CsrGenerator {
 KeyPair keyPair) {
 X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
 return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index bb62dc51603..7542e976260 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -12,9 +12,7 @@ import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER;
+import static com.yahoo.security.SubjectAlternativeName.Type;
 /**
 * Utility methods for Athenz issued x509 certificates
@@ -34,7 +32,7 @@ public class AthenzX509CertificateUtils {
 private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
 return sans.stream()
- .filter(san -> san.getType() == RFC822_NAME)
+ .filter(san -> san.getType() == Type.EMAIL)
 .map(com.yahoo.security.SubjectAlternativeName::getValue)
 .map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
 .findFirst();
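Review bot: The new `import static com.yahoo.security.SubjectAlternativeName.Type;` in AthenzX509CertificateUtils brings in a nested type through a static import, which compiles (member types count as static members) but reads as if a constant were being imported; the conventional form is a plain type import, `import com.yahoo.security.SubjectAlternativeName.Type;`. The two CsrGenerator files in the same commit keep static-importing the individual constants, so the three files now mix two styles for the same enum; using the qualified `Type.X` form everywhere would be more consistent and avoids bare names like `DNS` and `IP` that say little on their own. getRoleIdentityFromEmail in the following hunk begins inside the hunk but its closing brace lies outside it.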
@@ -43,7 +41,7 @@ public class AthenzX509CertificateUtils {
 private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
 String uriPrefix = "athenz://principal/";
 return sans.stream()
- .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .filter(s -> s.getType() == Type.URI && s.getValue().startsWith(uriPrefix))
 .map(san -> {
 String uriPath = URI.create(san.getValue()).getPath();
 return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
@@ -78,7 +76,7 @@ public class AthenzX509CertificateUtils {
 String uriPrefix = "athenz://instanceid/";
 return sans.stream()
 .filter(san -> {
- if (san.getType() != UNIFORM_RESOURCE_IDENTIFIER) return false;
+ if (san.getType() != Type.URI) return false;
 return san.getValue().startsWith(uriPrefix);
 })
 .map(san -> {
@@ -92,7 +90,7 @@ public class AthenzX509CertificateUtils {
 String dnsNameDelimiter = ".instanceid.athenz.";
 return sans.stream()
 .filter(san -> {
- if (san.getType() != DNS_NAME) return false;
+ if (san.getType() != Type.DNS) return false;
 return san.getValue().contains(dnsNameDelimiter);
 })
 .map(san -> {
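Review bot: The filter lambdas around the new `Type.URI` and `Type.DNS` checks in the second and third hunks use a block body with an early `return false`, while getRoleIdentityFromUri in the first hunk expresses the same type-plus-value test as one boolean expression; the touched lines would read consistently as `.filter(san -> san.getType() == Type.URI && san.getValue().startsWith(uriPrefix))` and `.filter(san -> san.getType() == Type.DNS && san.getValue().contains(dnsNameDelimiter))`. Since the SAN type check is what keeps a DNS or email value from being parsed as a URI, keeping the two conditions in a single expression also makes the guard easier to audit. All three enclosing methods extend beyond the hunk edges (the first ends outside its hunk, the other two both start and end outside theirs), so the rest of each pipeline is not visible here.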