author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-05 11:21:09 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-05 12:47:16 +0200 |
commit | e437b35c7520bf73078864dab297374211ad57ca (patch) | |
tree | 76e9c470a2cb842df570fc7434a3c989abce0e1a /vespa-athenz | |
parent | 987f479a89b8ccc2d39bb6e99fde683e5f82c517 (diff) |
Replace use of com.yahoo.vespa.athenz.tls with com.yahoo.security
- Replace RSA with EC in unit tests where possible
Diffstat (limited to 'vespa-athenz')
8 files changed, 43 insertions, 48 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index b06ae089b2a..d8fa910aa73 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -5,8 +5,8 @@ import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import javax.net.ssl.SSLContext;
@@ -92,8 +92,8 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 private SSLContext createIdentitySslContext() {
 return new SslContextBuilder()
- .withTrustStore(trustStoreFile, KeyStoreType.JKS)
- .withKeyStore(privateKeyFile, certificateFile)
+ .withTrustStore(trustStoreFile.toPath(), KeyStoreType.JKS)
+ .withKeyStore(privateKeyFile.toPath(), certificateFile.toPath())
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 5567831d49d..4a189c872bc 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -11,10 +11,10 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
@@ -31,7 +31,7 @@ import java.time.Clock;
 import java.time.Duration;
 import java.util.Optional;
-import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
+import static com.yahoo.security.KeyStoreType.JKS;
 import static java.util.Collections.singleton;
 /**
@@ -153,7 +153,7 @@ class AthenzCredentialsService {
 private SSLContext createIdentitySslContext(PrivateKey privateKey, X509Certificate certificate) {
 return new SslContextBuilder()
 .withKeyStore(privateKey, certificate)
- .withTrustStore(trustStoreJks, JKS)
+ .withTrustStore(trustStoreJks.toPath(), JKS)
 .build();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 266e2ebcefd..e318ebeb7fd 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -19,8 +19,8 @@ import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identity.SiaIdentityProvider;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
@@ -177,7 +177,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 X509Certificate roleCertificate = client.getRoleCertificate(role, credentials.getKeyPair(), dnsSuffix);
 return new SslContextBuilder()
 .withKeyStore(credentials.getKeyPair().getPrivate(), roleCertificate)
- .withTrustStore(getDefaultTrustStoreLocation(), KeyStoreType.JKS)
+ .withTrustStore(getDefaultTrustStoreLocation().toPath(), KeyStoreType.JKS)
 .build();
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 46aca707be1..33e5552eaf6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -8,7 +8,7 @@ import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import java.security.cert.X509Certificate;
 import java.util.List;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
 /**
 * Utility methods for Athenz issued x509 certificates
@@ -23,26 +23,26 @@ public class AthenzX509CertificateUtils {
 public static boolean isAthenzRoleCertificate(X509Certificate certificate) {
 return isAthenzIssuedCertificate(certificate) &&
- X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER);
+ com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER);
 }
 public static boolean isAthenzIssuedCertificate(X509Certificate certificate) {
- return X509CertificateUtils.getIssuerCommonNames(certificate).stream()
+ return com.yahoo.security.X509CertificateUtils.getIssuerCommonNames(certificate).stream()
 .anyMatch(cn -> cn.equalsIgnoreCase("Yahoo Athenz CA") || cn.equalsIgnoreCase("Athenz AWS CA"));
 }
 public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) {
- List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(certificate);
+ List<com.yahoo.security.SubjectAlternativeName> sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate);
 return sans.stream()
 .filter(san -> san.getType() == RFC822_NAME)
- .map(SubjectAlternativeName::getValue)
+ .map(com.yahoo.security.SubjectAlternativeName::getValue)
 .map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
 .findFirst()
 .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
 }
 public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) {
- String commonName = X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
+ String commonName = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
 int delimiterIndex = commonName.indexOf(COMMON_NAME_ROLE_DELIMITER);
 String domain = commonName.substring(0, delimiterIndex);
 String roleName = commonName.substring(delimiterIndex + COMMON_NAME_ROLE_DELIMITER.length());
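Review bot: `isAthenzIssuedCertificate` still decides by issuer common name alone (`equalsIgnoreCase("Yahoo Athenz CA")` / `"Athenz AWS CA"`), which any self-signed certificate can claim, so the result is only meaningful after the chain has been validated against the Athenz trust store, and nothing on the new side says so; suggest a Javadoc line such as `/** Matches the issuer CN only; the caller must already have validated the chain against the Athenz CA trust store. */`. Separately, `getSubjectCommonNames(certificate).get(0)` in `isAthenzRoleCertificate` and `getRolesFromRoleCertificate` throws `IndexOutOfBoundsException` on a certificate without a CN, and `commonName.substring(0, delimiterIndex)` throws when the delimiter is absent; `isAthenzRoleCertificate` could instead return false for an empty list. The fully qualified `com.yahoo.security.X509CertificateUtils` references presumably avoid a clash with the same-named class still in this package, and should become plain imports once that class is removed. `getRolesFromRoleCertificate` continues past the end of the hunk.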
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
index 05459e5488b..98d9061be02 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
@@ -2,8 +2,8 @@ package com.yahoo.vespa.athenz.utils;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateUtils;
 import java.io.IOException;
 import java.io.UncheckedIOException;
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
index 7b93ffb035d..6217d6fb2ee 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
@@ -1,15 +1,14 @@
 package com.yahoo.vespa.athenz.identity;
-import com.google.common.io.Files;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyStoreUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -17,7 +16,8 @@ import org.junit.rules.TemporaryFolder;
 import javax.security.auth.x500.X500Principal;
 import java.io.File;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
+import java.math.BigInteger;
+import java.nio.file.Files;
 import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
@@ -62,12 +62,12 @@ public class SiaIdentityProviderTest {
 private void createPrivateKeyFile(File keyFile, KeyPair keypair) throws IOException {
 String privateKeyPem = KeyUtils.toPem(keypair.getPrivate());
- Files.write(privateKeyPem, keyFile, StandardCharsets.UTF_8);
+ Files.write(keyFile.toPath(), privateKeyPem.getBytes());
 }
 private void createCertificateFile(X509Certificate certificate, File certificateFile) throws IOException {
 String certificatePem = X509CertificateUtils.toPem(certificate);
- Files.write(certificatePem, certificateFile, StandardCharsets.UTF_8);
+ Files.write(certificateFile.toPath(), certificatePem.getBytes());
 }
 private X509Certificate createCertificate(KeyPair keypair) {
@@ -79,7 +79,7 @@ public class SiaIdentityProviderTest {
 now,
 now.plus(Duration.ofDays(1)),
 SignatureAlgorithm.SHA256_WITH_RSA,
- 1)
+ BigInteger.ONE)
 .build();
 }
@@ -87,7 +87,7 @@ public class SiaIdentityProviderTest {
 KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.JKS)
 .withCertificateEntry("dummy-cert", certificate)
 .build();
- KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile);
+ KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile.toPath());
 }
 }
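Review bot: The new `Files.write(keyFile.toPath(), privateKeyPem.getBytes())` in `createPrivateKeyFile`, and the matching call in `createCertificateFile`, encode with the platform default charset, whereas the Guava call they replace named UTF-8 explicitly; on the JDKs current for this code that default is locale-dependent. PEM is ASCII so the test passes either way, but the explicit form is the one to model: `Files.write(keyFile.toPath(), privateKeyPem.getBytes(StandardCharsets.UTF_8));` and `Files.write(certificateFile.toPath(), certificatePem.getBytes(StandardCharsets.UTF_8));`, re-adding the `java.nio.charset.StandardCharsets` import the commit drops. `createCertificate` in the second hunk begins before the hunk, and the method whose body the third hunk shows opens before its first line.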
\ No newline at end of file
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
index 73382d267be..679476abe12 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
@@ -1,24 +1,25 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.utils;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
 import org.junit.Test;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
 import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
 import static java.util.Collections.singleton;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -34,23 +35,17 @@ public class AthenzIdentityVerifierTest {
 public void verifies_certificate_with_athenz_service_as_common_name() throws Exception {
 AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice");
 AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory");
- KeyPair keyPair = createKeyPair();
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
 AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity));
 assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity))));
 assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity))));
 }
- private static KeyPair createKeyPair() throws NoSuchAlgorithmException {
- KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
- keyGen.initialize(512);
- return keyGen.generateKeyPair();
- }
-
 private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, AthenzIdentity identity) {
 X500Principal x500Name = new X500Principal("CN="+ identity.getFullName());
 Instant now = Instant.now();
 return X509CertificateBuilder
- .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, 1)
+ .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE)
 .setBasicConstraints(true, true)
 .build();
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
index 22f97ca8b60..750968a437e 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
@@ -6,8 +6,8 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.NToken;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
 import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator.InvalidTokenException;
 import org.junit.Rule;
 import org.junit.Test;
|