author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-05-07 12:32:32 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-05-07 12:32:32 +0200 |
commit | abd49c24b3b1eee2cf8601a71063538debf73223 (patch) | |
tree | 0e675f34d35a652d6eb02f24a9e43cb23d4691db /vespa-athenz | |
parent | 983791087282e03a28f0f278b18c61a4479ca9d8 (diff) |
Add InstanceCsrGenerator
Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
new file mode 100644
index 00000000000..70227eae91c
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
@@ -0,0 +1,50 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
+import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
+
+/**
+ * Generates a {@link Pkcs10Csr} for an instance.
+ *
+ * @author bjorncs
+ */
+public class InstanceCsrGenerator {
+
+ private final String dnsSuffix;
+
+ public InstanceCsrGenerator(String dnsSuffix) {
+ this.dnsSuffix = dnsSuffix;
+ }
+
+ public Pkcs10Csr generateCsr(AthenzIdentity instanceIdentity,
+ VespaUniqueInstanceId instanceId,
+ Set<String> ipAddresses,
+ KeyPair keyPair) {
+ X500Principal subject = new X500Principal("CN=" + instanceIdentity.getFullName());
+ // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
+ // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
+ Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ .addSubjectAlternativeName(
+ DNS_NAME,
+ String.format(
+ "%s.%s.%s",
+ instanceIdentity.getName(),
+ instanceIdentity.getDomainName().replace(".", "-"),
+ dnsSuffix))
+ .addSubjectAlternativeName(DNS_NAME, String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ return pkcs10CsrBuilder.build();
+ }
+}
|
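Review bot: `generateCsr` hard-codes `SignatureAlgorithm.SHA256_WITH_RSA` in the `fromKeypair` call while accepting any `KeyPair`, so a caller that passes a non-RSA key (e.g. EC) presumably only fails inside `build()` or ends up with a CSR whose signature does not match its key; either derive the algorithm from `keyPair.getPublic().getAlgorithm()` or fail fast with `if (!"RSA".equals(keyPair.getPublic().getAlgorithm())) throw new IllegalArgumentException("Only RSA key pairs are supported");`. The constructor stores `dnsSuffix` without validation, so a missing configuration value surfaces later as a malformed SAN rather than at construction; `this.dnsSuffix = Objects.requireNonNull(dnsSuffix, "dnsSuffix");` (with `java.util.Objects` imported) makes the failure point obvious. The `replace(".", "-")` mapping of the domain name is not injective, so two domains that differ only in where a dash versus a dot sits would yield the same DNS SAN; since the inline comment shows this is the intended `<domain-with-dashes>` layout, a Javadoc on `generateCsr` stating the exact SAN entries produced (service DNS name, instance-id DNS name, one IP SAN per entry of `ipAddresses`) and noting that the domain folding is lossy would help the next maintainer reason about identity verification on the receiving side. The `ipAddresses` strings are also added as IP SANs without any check that they parse as addresses, which is fine only if every caller already validates them — worth a one-line comment either way.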