author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-11 16:43:41 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-11 17:59:47 +0200 |
commit | 8468d13195cc5f5ff841f1d5de34655509349735 (patch) | |
tree | 42100d62678f9829cfc078e4111f7ace295d7dbe /vespa-athenz | |
parent | bdb057ecfac68acaaeecc2fe54ae989e0fba2c75 (diff) |
Remove most deprecated types from com.yahoo.vespa.athenz.tls
Pkcs10Csr and related classes are not removed as they are currently in use.
Diffstat (limited to 'vespa-athenz')
18 files changed, 17 insertions, 1034 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java
deleted file mode 100644
index 9a6c20018b8..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public enum Extension {
- BASIC_CONSTRAINS(org.bouncycastle.asn1.x509.Extension.basicConstraints),
- SUBJECT_ALTERNATIVE_NAMES(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName);
-
- final ASN1ObjectIdentifier extensionOId;
-
- Extension(ASN1ObjectIdentifier extensionOId) {
- this.extensionOId = extensionOId;
- }
-
- public String getOId() {
- return extensionOId.getId();
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java
deleted file mode 100644
index d685f85b206..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public enum KeyAlgorithm {
- RSA("RSA");
-
- private final String algorithmName;
-
- KeyAlgorithm(String algorithmName) {
- this.algorithmName = algorithmName;
- }
-
- String getAlgorithmName() {
- return algorithmName;
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java
deleted file mode 100644
index 3e63e441396..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java
+++ /dev/null
@@ -1,123 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import java.io.BufferedInputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.UncheckedIOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.List;
-
-import static java.util.Collections.singletonList;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class KeyStoreBuilder {
-
- private final List<KeyEntry> keyEntries = new ArrayList<>();
- private final List<CertificateEntry> certificateEntries = new ArrayList<>();
-
- private final KeyStoreType keyStoreType;
- private File inputFile;
- private char[] inputFilePassword;
-
- private KeyStoreBuilder(KeyStoreType keyStoreType) {
- this.keyStoreType = keyStoreType;
- }
-
- public static KeyStoreBuilder withType(KeyStoreType type) {
- return new KeyStoreBuilder(type);
- }
-
- public KeyStoreBuilder fromFile(File file, char[] password) {
- this.inputFile = file;
- this.inputFilePassword = password;
- return this;
- }
-
- public KeyStoreBuilder fromFile(File file) {
- return fromFile(file, null);
- }
-
- public KeyStoreBuilder withKeyEntry(String alias, PrivateKey privateKey, char[] password, List<X509Certificate> certificateChain) {
- keyEntries.add(new KeyEntry(alias, privateKey, certificateChain, password));
- return this;
- }
-
- public KeyStoreBuilder withKeyEntry(String alias, PrivateKey privateKey, char[] password, X509Certificate certificate) {
- return withKeyEntry(alias, privateKey, password, singletonList(certificate));
- }
-
- public KeyStoreBuilder withKeyEntry(String alias, PrivateKey privateKey, X509Certificate certificate) {
- return withKeyEntry(alias, privateKey, null, certificate);
- }
-
- public KeyStoreBuilder withKeyEntry(String alias, PrivateKey privateKey, List<X509Certificate> certificateChain) {
- return withKeyEntry(alias, privateKey, null, certificateChain);
- }
-
- public KeyStoreBuilder withCertificateEntry(String alias, X509Certificate certificate) {
- certificateEntries.add(new CertificateEntry(alias, certificate));
- return this;
- }
-
- public KeyStore build() {
- try {
- KeyStore keystore = this.keyStoreType.createKeystore();
- if (this.inputFile != null) {
- try (InputStream in = new BufferedInputStream(new FileInputStream(this.inputFile))) {
- keystore.load(in, this.inputFilePassword);
- }
- } else {
- keystore.load(null);
- }
- for (KeyEntry entry : keyEntries) {
- char[] password = entry.password != null ? entry.password : new char[0];
- Certificate[] certificateChain = entry.certificateChain.toArray(new Certificate[entry.certificateChain.size()]);
- keystore.setKeyEntry(entry.alias, entry.privateKey, password, certificateChain);
- }
- for (CertificateEntry entry : certificateEntries) {
- keystore.setCertificateEntry(entry.alias, entry.certificate);
- }
- return keystore;
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- private static class KeyEntry {
- final String alias;
- final PrivateKey privateKey;
- final List<X509Certificate> certificateChain;
- final char[] password;
-
- KeyEntry(String alias, PrivateKey privateKey, List<X509Certificate> certificateChain, char[] password) {
- this.alias = alias;
- this.privateKey = privateKey;
- this.certificateChain = certificateChain;
- this.password = password;
- }
- }
-
- private static class CertificateEntry {
- final String alias;
- final X509Certificate certificate;
-
- CertificateEntry(String alias, X509Certificate certificate) {
- this.alias = alias;
- this.certificate = certificate;
- }
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java
deleted file mode 100644
index b0bfe170789..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public enum KeyStoreType {
- JKS {
- KeyStore createKeystore() throws KeyStoreException {
- return KeyStore.getInstance("JKS");
- }
- },
- PKCS12 {
- KeyStore createKeystore() throws KeyStoreException {
- return KeyStore.getInstance("PKCS12", BouncyCastleProviderHolder.getInstance());
- }
- };
- abstract KeyStore createKeystore() throws GeneralSecurityException;
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java
deleted file mode 100644
index 96fe76a1f73..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.io.UncheckedIOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class KeyStoreUtils {
- private KeyStoreUtils() {}
-
- public static void writeKeyStoreToFile(KeyStore keyStore, File file, char[] password) {
- try (OutputStream out = new BufferedOutputStream(new FileOutputStream(file))) {
- keyStore.store(out, password);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- }
-
- }
-
- public static void writeKeyStoreToFile(KeyStore keyStore, File file) {
- writeKeyStoreToFile(keyStore, file, new char[0]);
- }
-
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java
deleted file mode 100644
index fc4734d16ca..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java
+++ /dev/null
@@ -1,94 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import com.yahoo.athenz.auth.util.Crypto;
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
-import org.bouncycastle.util.io.pem.PemObject;
-
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.io.UncheckedIOException;
-import java.security.GeneralSecurityException;
-import java.security.KeyFactory;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.spec.PKCS8EncodedKeySpec;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class KeyUtils {
- private KeyUtils() {}
-
- public static KeyPair generateKeypair(KeyAlgorithm algorithm, int keySize) {
- try {
- KeyPairGenerator keyGen = KeyPairGenerator.getInstance(algorithm.getAlgorithmName());
- if (keySize != -1) {
- keyGen.initialize(keySize);
- }
- return keyGen.genKeyPair();
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- }
- }
-
- public static KeyPair generateKeypair(KeyAlgorithm algorithm) {
- return generateKeypair(algorithm, -1);
- }
-
- public static PublicKey extractPublicKey(PrivateKey privateKey) {
- return Crypto.extractPublicKey(privateKey);
- }
-
- public static PrivateKey fromPemEncodedPrivateKey(String pem) {
- try (PEMParser parser = new PEMParser(new StringReader(pem))) {
- Object pemObject = parser.readObject();
- if (pemObject instanceof PrivateKeyInfo) {
- PrivateKeyInfo keyInfo = (PrivateKeyInfo) pemObject;
- PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyInfo.getEncoded());
- return KeyFactory.getInstance(KeyAlgorithm.RSA.getAlgorithmName()).generatePrivate(keySpec);
- } else if (pemObject instanceof PEMKeyPair) {
- PEMKeyPair pemKeypair = (PEMKeyPair) pemObject;
- PrivateKeyInfo keyInfo = pemKeypair.getPrivateKeyInfo();
- JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter();
- return pemConverter.getPrivateKey(keyInfo);
- }
- throw new IllegalArgumentException("Unexpected type of PEM type: " + pemObject);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- }
- }
-
- public static String toPem(PrivateKey privateKey) {
- try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- // Note: Encoding using PKCS#1 as this is to be read by tools only supporting PKCS#1
- pemWriter.writeObject(new PemObject("RSA PRIVATE KEY", getPkcs1Bytes(privateKey)));
- pemWriter.flush();
- return stringWriter.toString();
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- private static byte[] getPkcs1Bytes(PrivateKey privateKey) throws IOException{
-
- byte[] privBytes = privateKey.getEncoded();
- PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(privBytes);
- ASN1Encodable encodable = pkInfo.parsePrivateKey();
- ASN1Primitive primitive = encodable.toASN1Primitive();
- return primitive.getEncoded();
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java
deleted file mode 100644
index 63262eac048..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import javax.net.ssl.KeyManager;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
-import java.io.File;
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.security.GeneralSecurityException;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class SslContextBuilder {
-
- private KeyStoreSupplier trustStoreSupplier;
- private KeyStoreSupplier keyStoreSupplier;
- private char[] keyStorePassword;
-
- public SslContextBuilder() {}
-
- public SslContextBuilder withTrustStore(File file, KeyStoreType trustStoreType) {
- this.trustStoreSupplier = () -> KeyStoreBuilder.withType(trustStoreType).fromFile(file).build();
- return this;
- }
-
- public SslContextBuilder withTrustStore(KeyStore trustStore) {
- this.trustStoreSupplier = () -> trustStore;
- return this;
- }
-
- public SslContextBuilder withKeyStore(PrivateKey privateKey, X509Certificate certificate) {
- char[] pwd = new char[0];
- this.keyStoreSupplier = () -> KeyStoreBuilder.withType(KeyStoreType.JKS).withKeyEntry("default", privateKey, certificate).build();
- this.keyStorePassword = pwd;
- return this;
- }
-
- public SslContextBuilder withKeyStore(KeyStore keyStore, char[] password) {
- this.keyStoreSupplier = () -> keyStore;
- this.keyStorePassword = password;
- return this;
- }
-
- public SslContextBuilder withKeyStore(File file, char[] password, KeyStoreType keyStoreType) {
- this.keyStoreSupplier = () -> KeyStoreBuilder.withType(keyStoreType).fromFile(file, password).build();
- this.keyStorePassword = password;
- return this;
- }
-
- public SslContextBuilder withKeyStore(File privateKeyPemFile, File certificatePemFile) {
- return withKeyStore(privateKeyPemFile.toPath(), certificatePemFile.toPath());
- }
-
- public SslContextBuilder withKeyStore(Path privateKeyPemFile, Path certificatePemFile) {
- this.keyStoreSupplier =
- () -> {
- PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(privateKeyPemFile)));
- X509Certificate certificate = X509CertificateUtils.fromPem(new String(Files.readAllBytes(certificatePemFile)));
- return KeyStoreBuilder.withType(KeyStoreType.JKS)
- .withKeyEntry("default", privateKey, certificate)
- .build();
- };
- this.keyStorePassword = new char[0];
- return this;
- }
-
- public SSLContext build() {
- try {
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
- TrustManager[] trustManagers =
- trustStoreSupplier != null ? createTrustManagers(trustStoreSupplier) : null;
- KeyManager[] keyManagers =
- keyStoreSupplier != null ? createKeyManagers(keyStoreSupplier, keyStorePassword) : null;
- sslContext.init(keyManagers, trustManagers, null);
- return sslContext;
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- private static TrustManager[] createTrustManagers(KeyStoreSupplier trustStoreSupplier)
- throws GeneralSecurityException, IOException {
- TrustManagerFactory trustManagerFactory =
- TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
- trustManagerFactory.init(trustStoreSupplier.get());
- return trustManagerFactory.getTrustManagers();
- }
-
- private static KeyManager[] createKeyManagers(KeyStoreSupplier keyStoreSupplier, char[] password)
- throws GeneralSecurityException, IOException {
- KeyManagerFactory keyManagerFactory =
- KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- keyManagerFactory.init(keyStoreSupplier.get(), password);
- return keyManagerFactory.getKeyManagers();
- }
-
- private interface KeyStoreSupplier {
- KeyStore get() throws IOException, GeneralSecurityException;
- }
-
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java
deleted file mode 100644
index de593f25f61..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.GeneralName;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
-import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
-
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.math.BigInteger;
-import java.security.GeneralSecurityException;
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-import java.sql.Date;
-import java.time.Instant;
-import java.util.ArrayList;
-import java.util.List;
-
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class X509CertificateBuilder {
-
- private final long serialNumber;
- private final SignatureAlgorithm signingAlgorithm;
- private final PrivateKey caPrivateKey;
- private final Instant notBefore;
- private final Instant notAfter;
- private final List<SubjectAlternativeName> subjectAlternativeNames = new ArrayList<>();
- private final X500Principal issuer;
- private final X500Principal subject;
- private final PublicKey certPublicKey;
- private BasicConstraintsExtension basicConstraintsExtension;
-
- private X509CertificateBuilder(X500Principal issuer,
- X500Principal subject,
- Instant notBefore,
- Instant notAfter,
- PublicKey certPublicKey,
- PrivateKey caPrivateKey,
- SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
- this.issuer = issuer;
- this.subject = subject;
- this.notBefore = notBefore;
- this.notAfter = notAfter;
- this.certPublicKey = certPublicKey;
- this.caPrivateKey = caPrivateKey;
- this.signingAlgorithm = signingAlgorithm;
- this.serialNumber = serialNumber;
- }
-
- public static X509CertificateBuilder fromCsr(Pkcs10Csr csr,
- X500Principal caIssuer,
- Instant notBefore,
- Instant notAfter,
- PrivateKey caPrivateKey,
- SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
- try {
- PKCS10CertificationRequest bcCsr = csr.getBcCsr();
- PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr).getPublicKey();
- return new X509CertificateBuilder(caIssuer,
- new X500Principal(bcCsr.getSubject().getEncoded()),
- notBefore,
- notAfter,
- publicKey,
- caPrivateKey,
- signingAlgorithm,
- serialNumber);
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- public static X509CertificateBuilder fromKeypair(KeyPair keyPair,
- X500Principal subject,
- Instant notBefore,
- Instant notAfter,
- SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
- return new X509CertificateBuilder(subject,
- subject,
- notBefore,
- notAfter,
- keyPair.getPublic(),
- keyPair.getPrivate(),
- signingAlgorithm,
- serialNumber);
- }
-
- public X509CertificateBuilder addSubjectAlternativeName(String dnsName) {
- this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName));
- return this;
- }
-
- public X509CertificateBuilder addSubjectAlternativeName(SubjectAlternativeName san) {
- this.subjectAlternativeNames.add(san);
- return this;
- }
-
- public X509CertificateBuilder setBasicConstraints(boolean isCritical, boolean isCertAuthorityCertificate) {
- this.basicConstraintsExtension = new BasicConstraintsExtension(isCritical, isCertAuthorityCertificate);
- return this;
- }
-
- public X509Certificate build() {
- try {
- JcaX509v3CertificateBuilder jcaCertBuilder = new JcaX509v3CertificateBuilder(
- issuer, BigInteger.valueOf(serialNumber), Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
- if (basicConstraintsExtension != null) {
- jcaCertBuilder.addExtension(
- Extension.basicConstraints,
- basicConstraintsExtension.isCritical,
- new BasicConstraints(basicConstraintsExtension.isCertAuthorityCertificate));
- }
- if (!subjectAlternativeNames.isEmpty()) {
- GeneralNames generalNames = new GeneralNames(
- subjectAlternativeNames.stream()
- .map(SubjectAlternativeName::toGeneralName)
- .toArray(GeneralName[]::new));
- jcaCertBuilder.addExtension(Extension.subjectAlternativeName, false, generalNames);
- }
- ContentSigner contentSigner = new JcaContentSignerBuilder(signingAlgorithm.getAlgorithmName())
- .setProvider(BouncyCastleProviderHolder.getInstance())
- .build(caPrivateKey);
- return new JcaX509CertificateConverter()
- .setProvider(BouncyCastleProviderHolder.getInstance())
- .getCertificate(jcaCertBuilder.build(contentSigner));
- } catch (OperatorException | GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java
deleted file mode 100644
index 8fc25ab06a4..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java
+++ /dev/null
@@ -1,138 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1OctetString;
-import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
-import org.bouncycastle.util.io.pem.PemObject;
-
-import javax.naming.NamingException;
-import javax.naming.ldap.LdapName;
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.StringReader;
-import java.io.StringWriter;
-import java.io.UncheckedIOException;
-import java.security.GeneralSecurityException;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import static com.yahoo.vespa.athenz.tls.Extension.SUBJECT_ALTERNATIVE_NAMES;
-import static java.util.stream.Collectors.toList;
-
-/**
- * @author bjorncs
- * @deprecated Use com.yahoo.security.*
- */
-@Deprecated
-public class X509CertificateUtils {
-
- private X509CertificateUtils() {}
-
- public static X509Certificate fromPem(String pem) {
- try (PEMParser parser = new PEMParser(new StringReader(pem))) {
- return toX509Certificate(parser.readObject());
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (CertificateException e) {
- throw new RuntimeException(e);
- }
- }
-
- public static List<X509Certificate> certificateListFromPem(String pem) {
- try (PEMParser parser = new PEMParser(new StringReader(pem))) {
- List<X509Certificate> list = new ArrayList<>();
- Object pemObject;
- while ((pemObject = parser.readObject()) != null) {
- list.add(toX509Certificate(pemObject));
- }
- return list;
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- } catch (CertificateException e) {
- throw new RuntimeException(e);
- }
- }
-
- private static X509Certificate toX509Certificate(Object pemObject) throws CertificateException {
- if (pemObject instanceof X509Certificate) {
- return (X509Certificate) pemObject;
- }
- if (pemObject instanceof X509CertificateHolder) {
- return new JcaX509CertificateConverter()
- .setProvider(BouncyCastleProviderHolder.getInstance())
- .getCertificate((X509CertificateHolder) pemObject);
- }
- throw new IllegalArgumentException("Invalid type of PEM object: " + pemObject);
- }
-
- public static String toPem(X509Certificate certificate) {
- try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- pemWriter.writeObject(new PemObject("CERTIFICATE", certificate.getEncoded()));
- pemWriter.flush();
- return stringWriter.toString();
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- public static String toPem(List<X509Certificate> certificates) {
- try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- for (X509Certificate certificate : certificates) {
- pemWriter.writeObject(new PemObject("CERTIFICATE", certificate.getEncoded()));
- }
- pemWriter.flush();
- return stringWriter.toString();
- } catch (GeneralSecurityException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-
- public static List<String> getSubjectCommonNames(X509Certificate certificate) {
- return getCommonNames(certificate.getSubjectX500Principal());
- }
-
- public static List<String> getIssuerCommonNames(X509Certificate certificate) {
- return getCommonNames(certificate.getIssuerX500Principal());
- }
-
- public static List<String> getCommonNames(X500Principal subject) {
- try {
- String subjectPrincipal = subject.getName();
- return new LdapName(subjectPrincipal).getRdns().stream()
- .filter(rdn -> rdn.getType().equalsIgnoreCase("cn"))
- .map(rdn -> rdn.getValue().toString())
- .collect(toList());
- } catch (NamingException e) {
- throw new IllegalArgumentException("Invalid CN: " + e, e);
- }
-
- }
-
- public static List<SubjectAlternativeName> getSubjectAlternativeNames(X509Certificate certificate) {
- try {
- byte[] extensionValue = certificate.getExtensionValue(SUBJECT_ALTERNATIVE_NAMES.getOId());
- if (extensionValue == null) return Collections.emptyList();
- ASN1Encodable asn1Encodable = ASN1Primitive.fromByteArray(extensionValue);
- if (asn1Encodable instanceof ASN1OctetString) {
- asn1Encodable = ASN1Primitive.fromByteArray(((ASN1OctetString) asn1Encodable).getOctets());
- }
- GeneralNames names = GeneralNames.getInstance(asn1Encodable);
- return SubjectAlternativeName.fromGeneralNames(names);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
- }
-}
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilderTest.java
deleted file mode 100644
index 6060f6f3521..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilderTest.java
+++ /dev/null
@@ -1,53 +0,0 @@
-package com.yahoo.vespa.athenz.tls;
-
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-
-import java.io.File;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-
-import static com.yahoo.vespa.athenz.tls.TestUtils.createCertificate;
-import static com.yahoo.vespa.athenz.tls.TestUtils.createKeystoreFile;
-
-/**
- * @author bjorncs
- */
-public class KeyStoreBuilderTest {
-
- private static final char[] PASSWORD = new char[0];
-
- @Rule
- public TemporaryFolder tempDirectory = new TemporaryFolder();
-
- @Test
- public void can_create_jks_keystore_from_privatekey_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096);
- X509Certificate certificate = createCertificate(keyPair);
- KeyStoreBuilder.withType(KeyStoreType.JKS)
- .withKeyEntry("key", keyPair.getPrivate(), certificate)
- .build();
- }
-
- @Test
- public void can_build_jks_keystore_from_file() throws Exception {
- File keystoreFile = tempDirectory.newFile();
- createKeystoreFile(keystoreFile, KeyStoreType.JKS, PASSWORD);
-
- KeyStoreBuilder.withType(KeyStoreType.JKS)
- .fromFile(keystoreFile, PASSWORD)
- .build();
- }
-
- @Test
- public void can_build_pcks12_keystore_from_file() throws Exception {
- File keystoreFile = tempDirectory.newFile();
- createKeystoreFile(keystoreFile, KeyStoreType.PKCS12, PASSWORD);
-
- KeyStoreBuilder.withType(KeyStoreType.PKCS12)
- .fromFile(keystoreFile, PASSWORD)
- .build();
- }
-
-}
\ No newline at end of file
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java
deleted file mode 100644
index fbdc6f1e3bd..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/KeyUtilsTest.java
+++ /dev/null
@@ -1,36 +0,0 @@
-package com.yahoo.vespa.athenz.tls;
-
-import org.junit.Test;
-
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author bjorncs
- */
-public class KeyUtilsTest {
-
- @Test
- public void can_extract_public_key_from_private() {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- PublicKey publicKey = KeyUtils.extractPublicKey(keyPair.getPrivate());
- assertNotNull(publicKey);
- }
-
- @Test
- public void can_serialize_deserialize_pem() {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- String pem = KeyUtils.toPem(keyPair.getPrivate());
- assertThat(pem, containsString("BEGIN RSA PRIVATE KEY"));
- assertThat(pem, containsString("END RSA PRIVATE KEY"));
- PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
- assertEquals(keyPair.getPrivate(), deserializedKey);
- }
-
-}
\ No newline at end of file diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java index e3aaba66efe..3a00ad6a7a4 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java @@ -1,5 +1,7 @@ package com.yahoo.vespa.athenz.tls; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; import org.junit.Test; import javax.security.auth.x500.X500Principal; diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java index ea60511f39c..8213856512d 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java @@ -1,5 +1,8 @@ package com.yahoo.vespa.athenz.tls; +import com.yahoo.security.Extension; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; import org.junit.Test; import javax.security.auth.x500.X500Principal; @@ -48,7 +51,7 @@ public class Pkcs10CsrTest { .addSubjectAlternativeName("san") .setBasicConstraints(true, true) .build(); - List<String> expected = Arrays.asList(Extension.BASIC_CONSTRAINS.getOId(), Extension.SUBJECT_ALTERNATIVE_NAMES.getOId()); + List<String> expected = Arrays.asList(Extension.BASIC_CONSTRAINTS.getOId(), Extension.SUBJECT_ALTERNATIVE_NAMES.getOId()); List<String> actual = csr.getExtensionOIds(); assertEquals(expected, actual); } diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java index 5b5a57f1fcc..fcbc6d00a8e 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java 
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java @@ -1,5 +1,7 @@ package com.yahoo.vespa.athenz.tls; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; import org.junit.Test; import javax.security.auth.x500.X500Principal; diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/SslContextBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/SslContextBuilderTest.java deleted file mode 100644 index 2f750d915d4..00000000000 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/SslContextBuilderTest.java +++ /dev/null 
@@ -1,77 +0,0 @@
-// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.tls;
-
-import org.junit.Rule;
-import org.junit.Test;
-import org.junit.rules.TemporaryFolder;
-
-import java.io.File;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-
-import static com.yahoo.vespa.athenz.tls.TestUtils.createCertificate;
-import static com.yahoo.vespa.athenz.tls.TestUtils.createKeystore;
-import static com.yahoo.vespa.athenz.tls.TestUtils.createKeystoreFile;
-
-/**
- * @author bjorncs
- */
-public class SslContextBuilderTest {
-
- private static final char[] PASSWORD = new char[0];
-
- @Rule
- public TemporaryFolder tempDirectory = new TemporaryFolder();
-
- @Test
- public void can_build_sslcontext_with_truststore_only() throws Exception {
- new SslContextBuilder()
- .withTrustStore(createKeystore(KeyStoreType.JKS, PASSWORD))
- .build();
- }
-
- @Test
- public void can_build_sslcontext_with_keystore_only() throws Exception {
- new SslContextBuilder()
- .withKeyStore(createKeystore(KeyStoreType.JKS, PASSWORD), PASSWORD)
- .build();
- }
-
- @Test
- public void can_build_sslcontext_with_truststore_and_keystore() throws Exception {
- new SslContextBuilder()
- .withKeyStore(createKeystore(KeyStoreType.JKS, PASSWORD), PASSWORD)
- .withTrustStore(createKeystore(KeyStoreType.JKS, PASSWORD))
- .build();
- }
-
- @Test
- public void can_build_sslcontext_with_keystore_from_private_key_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X509Certificate certificate = createCertificate(keyPair);
- new SslContextBuilder()
- .withKeyStore(keyPair.getPrivate(), certificate)
- .build();
- }
-
- @Test
- public void can_build_sslcontext_with_jks_keystore_from_file() throws Exception {
- File keystoreFile = tempDirectory.newFile();
- createKeystoreFile(keystoreFile, KeyStoreType.JKS, PASSWORD);
-
- new SslContextBuilder()
- .withKeyStore(keystoreFile, PASSWORD, KeyStoreType.JKS)
- .build();
- }
-
- @Test
- public void can_build_sslcontext_with_pcks12_keystore_from_file() throws Exception {
- File keystoreFile = tempDirectory.newFile();
- createKeystoreFile(keystoreFile, KeyStoreType.PKCS12, PASSWORD);
-
- new SslContextBuilder()
- .withKeyStore(keystoreFile, PASSWORD, KeyStoreType.PKCS12)
- .build();
- }
-
-}
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java
index 2a9b54f9e9e..048538c1a33 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java
@@ -1,15 +1,21 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.tls;
 
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
+
 import javax.security.auth.x500.X500Principal;
-import java.io.File;
+import java.math.BigInteger;
 import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 
-import static com.yahoo.vespa.athenz.tls.KeyStoreUtils.writeKeyStoreToFile;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
 
 /**
  * @author bjorncs
@@ -30,11 +36,8 @@ class TestUtils {
 static X509Certificate createCertificate(KeyPair keyPair, X500Principal subject) {
 return X509CertificateBuilder
 .fromKeypair(
- keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA256_WITH_RSA, 1)
+ keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SHA256_WITH_RSA, BigInteger.ONE)
 .build();
 }
- static void createKeystoreFile(File file, KeyStoreType type, char[] password) {
- writeKeyStoreToFile(createKeystore(type, password), file, password);
- }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilderTest.java
deleted file mode 100644
index 81ff4fdb208..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilderTest.java
+++ /dev/null
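Review bot: The rewritten `fromKeypair(...)` call pins the serial number to `BigInteger.ONE`, so every certificate minted through `createCertificate` for the same subject shares its (issuer, serial) pair; RFC 5280 requires serials to be unique per issuer, and any code that identifies a certificate by issuer+serial (revocation lookups, issuer/serial-keyed caches) would conflate them. For a test helper that is probably acceptable, but it should be stated, e.g. `// Fixed serial: certs from this helper are not unique per issuer; do not rely on issuer+serial identity`, or the serial should come from a counter so two certificates in one test stay distinguishable. Whether any remaining test depends on that distinction cannot be told from this hunk. The enclosing class TestUtils starts outside the hunk.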
@@ -1,58 +0,0 @@
-package com.yahoo.vespa.athenz.tls;
-
-import org.junit.Test;
-
-import javax.security.auth.x500.X500Principal;
-import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-
-import static org.junit.Assert.assertEquals;
-
-/**
- * @author bjorncs
- */
-public class X509CertificateBuilderTest {
-
- @Test
- public void can_build_self_signed_certificate() throws NoSuchAlgorithmException {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X500Principal subject = new X500Principal("CN=myservice");
- X509Certificate cert =
- X509CertificateBuilder.fromKeypair(
- keyPair,
- subject,
- Instant.now(),
- Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
- 1)
- .setBasicConstraints(true, true)
- .build();
- assertEquals(subject, cert.getSubjectX500Principal());
- }
-
- @Test
- public void can_build_certificate_from_csr() {
- X500Principal subject = new X500Principal("CN=subject");
- X500Principal issuer = new X500Principal("CN=issuer");
- KeyPair csrKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, csrKeypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
- KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X509Certificate cert = X509CertificateBuilder
- .fromCsr(
- csr,
- issuer,
- Instant.now(),
- Instant.now().plus(1, ChronoUnit.DAYS),
- caKeypair.getPrivate(),
- SignatureAlgorithm.SHA256_WITH_RSA,
- 1)
- .addSubjectAlternativeName("subject1.alt")
- .addSubjectAlternativeName("subject2.alt")
- .build();
- assertEquals(subject, cert.getSubjectX500Principal());
- }
-
-}
\ No newline at end of file
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java
deleted file mode 100644
index 4039bf36a5f..00000000000
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java
+++ /dev/null
@@ -1,72 +0,0 @@
-package com.yahoo.vespa.athenz.tls;
-
-import org.junit.Test;
-
-import javax.security.auth.x500.X500Principal;
-import java.security.KeyPair;
-import java.security.cert.X509Certificate;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Arrays;
-import java.util.List;
-
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-import static org.hamcrest.CoreMatchers.containsString;
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertThat;
-
-/**
- * @author bjorncs
- */
-public class X509CertificateUtilsTest {
- @Test
- public void can_deserialize_serialized_pem_certificate() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X500Principal subject = new X500Principal("CN=myservice");
- X509Certificate cert = TestUtils.createCertificate(keypair, subject);
- assertEquals(subject, cert.getSubjectX500Principal());
- String pem = X509CertificateUtils.toPem(cert);
- assertThat(pem, containsString("BEGIN CERTIFICATE"));
- assertThat(pem, containsString("END CERTIFICATE"));
- X509Certificate deserializedCert = X509CertificateUtils.fromPem(pem);
- assertEquals(subject, deserializedCert.getSubjectX500Principal());
- }
-
- @Test
- public void can_deserialize_serialized_pem_certificate_list() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X500Principal subject1 = new X500Principal("CN=myservice");
- X509Certificate cert1 = TestUtils.createCertificate(keypair, subject1);
- X500Principal subject2 = new X500Principal("CN=myservice");
- X509Certificate cert2 = TestUtils.createCertificate(keypair, subject2);
- List<X509Certificate> certificateList = Arrays.asList(cert1, cert2);
- String pem = X509CertificateUtils.toPem(certificateList);
- List<X509Certificate> deserializedCertificateList = X509CertificateUtils.certificateListFromPem(pem);
- assertEquals(2, certificateList.size());
- assertEquals(subject1, deserializedCertificateList.get(0).getSubjectX500Principal());
- assertEquals(subject2, deserializedCertificateList.get(1).getSubjectX500Principal());
- }
-
- @Test
- public void can_list_subject_alternative_names() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- X500Principal subject = new X500Principal("CN=myservice");
- SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
- X509Certificate cert = X509CertificateBuilder
- .fromKeypair(
- keypair,
- subject,
- Instant.now(),
- Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
- 1)
- .addSubjectAlternativeName(san)
- .build();
-
- List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
- assertThat(sans.size(), is(1));
- assertThat(sans.get(0), equalTo(san));
- }
-}
\ No newline at end of file |