author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-19 15:23:01 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-19 16:03:31 +0100 |
commit | 887ca736783a8f70bfaa1be04b56bf2a9bc461fd (patch) | |
tree | c77a393bcebf08e179c74be370ad7cb854f8f773 /vespa-athenz | |
parent | 47827f56ef6c6dc8947925e5d32ab9d4cde2b91b (diff) |
Remove CryptoUtils
Diffstat (limited to 'vespa-athenz')
5 files changed, 48 insertions, 159 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
index b9fb7e94782..e73cd2f2bdd 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/AthenzCredentialsService.java
@@ -3,8 +3,14 @@ package com.yahoo.vespa.athenz.identityprovider;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yahoo.container.core.identity.IdentityConfig;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
+import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
+import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.security.KeyPair;
@@ -34,20 +40,20 @@ class AthenzCredentialsService {
 }
 AthenzCredentials registerInstance() {
- KeyPair keyPair = CryptoUtils.createKeyPair();
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 String rawDocument = identityDocumentService.getSignedIdentityDocument();
 SignedIdentityDocument document = parseSignedIdentityDocument(rawDocument);
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(identityConfig.domain(),
- identityConfig.service(),
- document.dnsSuffix,
- document.providerUniqueId,
- keyPair);
+ Pkcs10Csr csr = createCSR(identityConfig.domain(),
+ identityConfig.service(),
+ document.dnsSuffix,
+ document.providerUniqueId,
+ keyPair);
 InstanceRegisterInformation instanceRegisterInformation = new InstanceRegisterInformation(document.providerService, identityConfig.domain(), identityConfig.service(), rawDocument,
- CryptoUtils.toPem(csr));
+ Pkcs10CsrUtils.toPem(csr));
 InstanceIdentity instanceIdentity = athenzService.sendInstanceRegisterRequest(instanceRegisterInformation, document.ztsEndpoint);
 return toAthenzCredentials(instanceIdentity, keyPair, document);
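Review bot: `KeyUtils.generateKeypair(KeyAlgorithm.RSA)` on the new keyPair line leaves the RSA modulus size to whatever that overload defaults to, so the strength of the instance identity key is no longer decided at the call site; the Pkcs10CsrUtilsTest hunk further down shows a two-argument overload that takes the size explicitly. Prefer `KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);` here, and the same change for `newKeyPair` in the updateCredentials hunk, so the minimum is pinned where the key is generated. The removed CryptoUtils.createKeyPair() also relied on the JDK provider default, so this is inherited rather than introduced, but the refactor is the natural place to make it explicit. What the one-argument overload actually defaults to is not visible in this diff.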
@@ -55,13 +61,13 @@ class AthenzCredentialsService {
 AthenzCredentials updateCredentials(AthenzCredentials currentCredentials) {
 SignedIdentityDocument document = currentCredentials.getIdentityDocument();
- KeyPair newKeyPair = CryptoUtils.createKeyPair();
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(identityConfig.domain(),
- identityConfig.service(),
- document.dnsSuffix,
- document.providerUniqueId,
- newKeyPair);
- InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(CryptoUtils.toPem(csr));
+ KeyPair newKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ Pkcs10Csr csr = createCSR(identityConfig.domain(),
+ identityConfig.service(),
+ document.dnsSuffix,
+ document.providerUniqueId,
+ newKeyPair);
+ InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(Pkcs10CsrUtils.toPem(csr));
 InstanceIdentity instanceIdentity = athenzService.sendInstanceRefreshRequest(document.providerService, identityConfig.domain(),
@@ -90,4 +96,22 @@ class AthenzCredentialsService {
 }
 }
+ private static Pkcs10Csr createCSR(String identityDomain,
+ String identityService,
+ String dnsSuffix,
+ String providerUniqueId,
+ KeyPair keyPair) {
+ X500Principal subject = new X500Principal(String.format("CN=%s.%s", identityDomain, identityService));
+ // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+ // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ return Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ .addSubjectAlternativeName(String.format("%s.%s.%s",
+ identityService,
+ identityDomain.replace(".", "-"),
+ dnsSuffix))
+ .addSubjectAlternativeName(String.format("%s.instanceid.athenz.%s",
+ providerUniqueId,
+ dnsSuffix))
+ .build();
+ }
 }
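Review bot: `createCSR` builds the subject with `String.format("CN=%s.%s", identityDomain, identityService)` and passes it to the `X500Principal` string constructor, which parses the value as an RFC 2253/1779 distinguished name, so a domain or service value containing `,`, `+`, `=` or `"` would alter the DN structure rather than land in the CN; the same values go unescaped into the two SAN entries. Both come from IdentityConfig, so this is presumably trusted configuration, but the new private method carries no Javadoc stating that assumption. Suggest a Javadoc on `createCSR` saying that identityDomain and identityService are expected to be plain Athenz names without DN or hostname metacharacters, that the domain's dots are rewritten to dashes for the first SAN, and that the second SAN places providerUniqueId under `instanceid.athenz.<dnsSuffix>`. The updateCredentials body in the first hunk on this line is cut off by the hunk boundary.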
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java
deleted file mode 100644
index 6e74d3bc8b1..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtils.java
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider;
-
-import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.ExtensionsGenerator;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
-import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import org.bouncycastle.util.io.pem.PemObject;
-
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.io.UncheckedIOException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- */
-class CryptoUtils {
-
- private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
-
- private CryptoUtils() {}
-
- static KeyPair createKeyPair() {
- try {
- KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- return kpg.generateKeyPair();
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException(e);
- }
- }
-
- static PKCS10CertificationRequest createCSR(String identityDomain,
- String identityService,
- String 
dnsSuffix,
- String providerUniqueId,
- KeyPair keyPair) {
- try {
- // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
- // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- GeneralNames subjectAltNames = new GeneralNames(new GeneralName[]{
- new GeneralName(GeneralName.dNSName, String.format("%s.%s.%s",
- identityService,
- identityDomain.replace(".", "-"),
- dnsSuffix)),
- new GeneralName(GeneralName.dNSName, String.format("%s.instanceid.athenz.%s",
- providerUniqueId,
- dnsSuffix))
- });
-
- ExtensionsGenerator extGen = new ExtensionsGenerator();
- extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
-
- X500Principal subject = new X500Principal(
- String.format("CN=%s.%s", identityDomain, identityService));
-
- PKCS10CertificationRequestBuilder requestBuilder =
- new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
- requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
- return requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
- } catch (OperatorCreationException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- static String toPem(PKCS10CertificationRequest csr) {
- try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
- pemWriter.flush();
- return stringWriter.toString();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- static X509Certificate parseCertificate(String pemEncodedCertificate) {
- try (PEMParser parser = new PEMParser(new StringReader(pemEncodedCertificate))) {
- Object pemObject = parser.readObject();
- if (pemObject instanceof X509Certificate) {
- return (X509Certificate) pemObject;
- }
- if (pemObject instanceof 
X509CertificateHolder) {
- return new JcaX509CertificateConverter()
- .setProvider(bouncyCastleProvider)
- .getCertificate((X509CertificateHolder) pemObject);
- }
- throw new IllegalArgumentException("Invalid type of PEM object: " + pemObject);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (CertificateException e) {
- throw new RuntimeException(e);
- }
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
index b90ce56ca7e..899ff7a95d7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/InstanceIdentity.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.databind.DeserializationContext;
 import com.fasterxml.jackson.databind.JsonDeserializer;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import java.io.IOException;
 import java.security.cert.X509Certificate;
@@ -41,7 +42,7 @@ public class InstanceIdentity {
 public static class X509CertificateDeserializer extends JsonDeserializer<X509Certificate> {
 @Override
 public X509Certificate deserialize(JsonParser parser, DeserializationContext context) throws IOException {
- return CryptoUtils.parseCertificate(parser.getValueAsString());
+ return X509CertificateUtils.fromPem(parser.getValueAsString());
 }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java
deleted file mode 100644
index 353c5d3c504..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/CryptoUtilsTest.java
+++ /dev/null
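Review bot: `X509CertificateDeserializer.deserialize` now hands `parser.getValueAsString()` straight to `X509CertificateUtils.fromPem`; `getValueAsString()` yields null for a JSON null token, so how a missing or non-string certificate field in the ZTS response fails depends on fromPem, whose behavior is not visible in this diff, whereas the removed CryptoUtils.parseCertificate at least rejected unexpected PEM content with a descriptive IllegalArgumentException. Consider guarding before the parse: `String pem = parser.getValueAsString();` / `if (pem == null) throw JsonMappingException.from(parser, "certificate must be a PEM-encoded string");` / `return X509CertificateUtils.fromPem(pem);` (JsonMappingException would need an import). The surrounding InstanceIdentity class is outside the hunk.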
@@ -1,28 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.identityprovider;
-
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.junit.Test;
-
-import java.io.IOException;
-import java.security.KeyPair;
-
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author bjorncs
- */
-public class CryptoUtilsTest {
-
- @Test
- public void certificate_signing_request_is_correct_and_can_be_serialized_to_pem() throws IOException {
- KeyPair keyPair = CryptoUtils.createKeyPair();
- PKCS10CertificationRequest csr = CryptoUtils.createCSR(
- "identity-domain", "identity-service", "vespa.cloud.com", "unique.instance.id", keyPair);
- String pem = CryptoUtils.toPem(csr);
- assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
- assertThat(pem, containsString("END CERTIFICATE REQUEST"));
- }
-
-}
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
index 1927e18eba0..5b5a57f1fcc 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java
@@ -5,7 +5,9 @@ import org.junit.Test;
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
-import static org.junit.Assert.*;
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
 /**
 * @author bjorncs
@@ -17,7 +19,10 @@ public class Pkcs10CsrUtilsTest {
 X500Principal subject = new X500Principal("CN=subject");
 KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
 Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
- Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(Pkcs10CsrUtils.toPem(csr));
+ String pem = Pkcs10CsrUtils.toPem(csr);
+ Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(pem);
+ assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
+ assertThat(pem, containsString("END CERTIFICATE REQUEST"));
 assertEquals(subject, deserializedCsr.getSubject());
 } |
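Review bot: The deleted CryptoUtilsTest was the only test in this commit that exercised CSR construction with the identity-specific SANs (service.domain-with-dashes.suffix and providerUniqueId.instanceid.athenz.suffix); its replacement here builds a CSR with no SANs and only checks the PEM framing and the subject, so the new private `createCSR` in AthenzCredentialsService has no visible coverage after this change. Unless a test elsewhere covers it, a test that asserts the two expected dNSName entries of the CSR produced for a known domain, service and dnsSuffix would preserve what the old test at least exercised. The test method's signature is above the hunk's first line.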