authorBjørn Christian Seime <bjorncs@oath.com>2018-03-19 15:23:01 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-03-22 13:01:04 +0100
commit09af91a66fbfd7d56610d135a33a5013683da869 (patch)
tree01b59812094b22e75fa45050e829b58599f23d61 /vespa-athenz
parentdf5042fb804e6374b621bfd858039f331e2fea7e (diff)
Remove CryptoUtils
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java54
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java113
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java3
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java28
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java9
5 files changed, 48 insertions, 159 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
index b9fb7e94782..e73cd2f2bdd 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
@@ -3,8 +3,14 @@ package com.yahoo.vespa.athenz.identityprovider;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.container.core.identity.IdentityConfig;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
+import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
+import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.KeyPair;
@@ -34,20 +40,20 @@ class AthenzCredentialsService {
}
AthenzCredentials registerInstance() {
- KeyPair keyPair = CryptoUtils.createKeyPair();
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
String rawDocument = identityDocumentService.getSignedIdentityDocument();
SignedIdentityDocument document = parseSignedIdentityDocument(rawDocument);
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(identityConfig.domain(),
- identityConfig.service(),
- document.dnsSuffix,
- document.providerUniqueId,
- keyPair);
+ Pkcs10Csr csr = createCSR(identityConfig.domain(),
+ identityConfig.service(),
+ document.dnsSuffix,
+ document.providerUniqueId,
+ keyPair);
InstanceRegisterInformation instanceRegisterInformation =
new InstanceRegisterInformation(document.providerService,
identityConfig.domain(),
identityConfig.service(),
rawDocument,
- CryptoUtils.toPem(csr));
+ Pkcs10CsrUtils.toPem(csr));
InstanceIdentity instanceIdentity = athenzService.sendInstanceRegisterRequest(instanceRegisterInformation,
document.ztsEndpoint);
return toAthenzCredentials(instanceIdentity, keyPair, document);
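Review bot: `KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);` leaves the RSA modulus size to the helper's default, while the Pkcs10CsrUtilsTest change in this same commit calls the two-argument overload with an explicit 2048. The removed CryptoUtils.createKeyPair likewise relied on the JDK's default KeyPairGenerator size, so this is not a regression, but this key backs the instance identity certificate requested from ZTS and its strength is better fixed in code than inherited from a default that is not visible here; `KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);` makes it explicit. The same applies to `newKeyPair` in the updateCredentials hunk below. Whether the one-argument overload already defaults to 2048 cannot be determined from this diff.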
@@ -55,13 +61,13 @@ class AthenzCredentialsService {
AthenzCredentials updateCredentials(AthenzCredentials currentCredentials) {
SignedIdentityDocument document = currentCredentials.getIdentityDocument();
- KeyPair newKeyPair = CryptoUtils.createKeyPair();
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(identityConfig.domain(),
- identityConfig.service(),
- document.dnsSuffix,
- document.providerUniqueId,
- newKeyPair);
- InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(CryptoUtils.toPem(csr));
+ KeyPair newKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ Pkcs10Csr csr = createCSR(identityConfig.domain(),
+ identityConfig.service(),
+ document.dnsSuffix,
+ document.providerUniqueId,
+ newKeyPair);
+ InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(Pkcs10CsrUtils.toPem(csr));
InstanceIdentity instanceIdentity =
athenzService.sendInstanceRefreshRequest(document.providerService,
identityConfig.domain(),
@@ -90,4 +96,22 @@ class AthenzCredentialsService {
}
}
+ private static Pkcs10Csr createCSR(String identityDomain,
+ String identityService,
+ String dnsSuffix,
+ String providerUniqueId,
+ KeyPair keyPair) {
+ X500Principal subject = new X500Principal(String.format("CN=%s.%s", identityDomain, identityService));
+ // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+ // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ return Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ .addSubjectAlternativeName(String.format("%s.%s.%s",
+ identityService,
+ identityDomain.replace(".", "-"),
+ dnsSuffix))
+ .addSubjectAlternativeName(String.format("%s.instanceid.athenz.%s",
+ providerUniqueId,
+ dnsSuffix))
+ .build();
+ }
}
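Review bot: The new private `createCSR` has no Javadoc, and the two inline comments describe the SAN layout but not why the domain's dots are replaced by dashes or what the CN is meant to match; a Javadoc along the lines of `/** Builds a CSR for identity <domain>.<service> carrying the two SAN dNSName entries the Athenz provider expects: <service>.<domain-with-dashes>.<dnsSuffix> and <providerUniqueId>.instanceid.athenz.<dnsSuffix>. */` would record the contract. The subject is built with `String.format("CN=%s.%s", identityDomain, identityService)` and parsed by `X500Principal`, so a domain or service value containing RFC 2253 special characters (comma, plus, quotes) would alter the DN structure; presumably these come from IdentityConfig and are already constrained, which this hunk does not show. The deleted CryptoUtilsTest exercised the previous CSR builder end to end, and no test in this commit covers this helper's SAN construction.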
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java
deleted file mode 100644
index 6e74d3bc8b1..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider;
-
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.ExtensionsGenerator;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
-import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import org.bouncycastle.util.io.pem.PemObject;
-
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.io.UncheckedIOException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- */
-class CryptoUtils {
-
- private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
-
- private CryptoUtils() {}
-
- static KeyPair createKeyPair() {
- try {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- return kpg.generateKeyPair();
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException(e);
- }
- }
-
- static PKCS10CertificationRequest createCSR(String identityDomain,
- String identityService,
- String dnsSuffix,
- String providerUniqueId,
- KeyPair keyPair) {
- try {
- // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
- // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
- new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s",
- identityService,
- identityDomain.replace(".", "-"),
- dnsSuffix)),
- new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s",
- providerUniqueId,
- dnsSuffix))
- });
-
- ExtensionsGenerator extGen = new ExtensionsGenerator();
- extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
-
- X500Principal subject = new X500Principal(
- String.format("CN=%s.%s", identityDomain, identityService));
-
- PKCS10CertificationRequestBuilder requestBuilder =
- new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
- requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
- return requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
- } catch (OperatorCreationException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- static String toPem(PKCS10CertificationRequest csr) {
- try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
- pemWriter.flush();
- return stringWriter.toString();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- static X509Certificate parseCertificate(String pemEncodedCertificate) {
- try (PEMParser parser = new PEMParser(new StringReader(pemEncodedCertificate))) {
- Object pemObject = parser.readObject();
- if (pemObject instanceof X509Certificate) {
- return (X509Certificate) pemObject;
- }
- if (pemObject instanceof X509CertificateHolder) {
- return new JcaX509CertificateConverter()
- .setProvider(bouncyCastleProvider)
- .getCertificate((X509CertificateHolder) pemObject);
- }
- throw new IllegalArgumentException("Invalid type of PEM object: " + pemObject);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (CertificateException e) {
- throw new RuntimeException(e);
- }
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
index b90ce56ca7e..899ff7a95d7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
import java.io.IOException;
import java.security.cert.X509Certificate;
@@ -41,7 +42,7 @@ public class InstanceIdentity {
public static class X509CertificateDeserializer extends JsonDeserializer<X509Certificate> {
@Override
public X509Certificate deserialize(JsonParser parser, DeserializationContext context) throws IOException {
- return CryptoUtils.parseCertificate(parser.getValueAsString());
+ return X509CertificateUtils.fromPem(parser.getValueAsString());
}
}
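Review bot: The removed `CryptoUtils.parseCertificate` rejected non-certificate PEM content with an IllegalArgumentException; whether `X509CertificateUtils.fromPem` does the same, or what it does when `parser.getValueAsString()` returns null for a non-string token, is not visible in this hunk. Since this value comes from the ZTS register/refresh response and becomes the instance credential, it is worth confirming the helper fails loudly rather than returning null, or guarding the call with `String pem = parser.getValueAsString(); if (pem == null) throw new IOException("Expected PEM-encoded certificate string");` before the return. The enclosing InstanceIdentity class starts outside the hunk.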
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java
deleted file mode 100644
index 353c5d3c504..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider;
-
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.security.KeyPair;
-
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author bjorncs
- */
-public class CryptoUtilsTest {
-
- @Test
- public void certificate_signing_request_is_correct_and_can_be_serialized_to_pem() throws IOException {
- KeyPair keyPair = CryptoUtils.createKeyPair();
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(
- "identity-domain", "identity-service", "vespa.cloud.com", "unique.instance.id", keyPair);
- String pem = CryptoUtils.toPem(csr);
- assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
- assertThat(pem, containsString("END CERTIFICATE REQUEST"));
- }
-
-}
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
index 1927e18eba0..5b5a57f1fcc 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
@@ -5,7 +5,9 @@ import org.junit.Test;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
-import static org.junit.Assert.*;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
/**
* @author bjorncs
@@ -17,7 +19,10 @@ public class Pkcs10CsrUtilsTest {
X500Principal subject = new X500Principal("CN=subject");
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
- Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(Pkcs10CsrUtils.toPem(csr));
+ String pem = Pkcs10CsrUtils.toPem(csr);
+ Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(pem);
+ assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
+ assertThat(pem, containsString("END CERTIFICATE REQUEST"));
assertEquals(subject, deserializedCsr.getSubject());
}