Add OU field to csr

author: Morten Tokle <mortent@oath.com> 2018-10-04 14:32:09 +0200
committer: Morten Tokle <mortent@oath.com> 2018-10-04 14:32:09 +0200
commit: ab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 (patch)
tree: d23cebba1119e018bb421d8e9059b2752697bf37 /vespa-athenz
parent: 34ba19e18306f2432c61d4bcaa3a296dd38c7d7b (diff)
4 files changed, 47 insertions, 7 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 4a189c872bc..afbdb7fed6c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -2,6 +2,9 @@
 package com.yahoo.vespa.athenz.identityprovider.client;
 
 import com.yahoo.container.core.identity.IdentityConfig;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
@@ -11,9 +14,6 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
@@ -66,7 +66,7 @@ class AthenzCredentialsService {
         this.nodeIdentityProvider = nodeIdentityProvider;
         this.trustStoreJks = trustStoreJks;
         this.hostname = hostname;
-        this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix());
+        this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix(), identityConfig.configserverIdentityName());
         this.clock = clock;
     }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
index 70227eae91c..cb97c4fb99c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
@@ -23,16 +23,18 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
 public class InstanceCsrGenerator {
 
     private final String dnsSuffix;
+    private final String providerService;
 
-    public InstanceCsrGenerator(String dnsSuffix) {
+    public InstanceCsrGenerator(String dnsSuffix, String providerService) {
         this.dnsSuffix = dnsSuffix;
+        this.providerService = providerService;
     }
 
     public Pkcs10Csr generateCsr(AthenzIdentity instanceIdentity,
                                  VespaUniqueInstanceId instanceId,
                                  Set<String> ipAddresses,
                                  KeyPair keyPair) {
-        X500Principal subject = new X500Principal("CN=" + instanceIdentity.getFullName());
+        X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
         // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
         // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
         Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
index 702b2f6cd4b..607bec90dee 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.athenz.tls;
 
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
@@ -72,7 +73,7 @@ public class Pkcs10CsrBuilder {
     public Pkcs10Csr build() {
         try {
             PKCS10CertificationRequestBuilder requestBuilder =
-                    new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+                    new JcaPKCS10CertificationRequestBuilder(new X500Name(subject.getName()), keyPair.getPublic());
             ExtensionsGenerator extGen = new ExtensionsGenerator();
             if (basicConstraintsExtension != null) {
                 extGen.addExtension(
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
new file mode 100644
index 00000000000..d401696015e
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
@@ -0,0 +1,37 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import org.junit.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.util.Collections;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author mortent
+ */
+public class InstanceCsrGeneratorTest {
+
+    private static final String DNS_SUFFIX = "prod-us-north-1.vespa.yahoo.cloud";
+    private static final String PROVIDER_SERVICE = "vespa.vespa.provider_prod_us-north-1";
+    private static final String ATHENZ_SERVICE = "foo.bar";
+
+    @Test
+    public void it_generates_csr_with_correct_subject() {
+        InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(DNS_SUFFIX, PROVIDER_SERVICE);
+
+        AthenzService service = new AthenzService(ATHENZ_SERVICE);
+        VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node");
+        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+
+        Pkcs10Csr csr = instanceCsrGenerator.generateCsr(service, vespaUniqueInstanceId, Collections.emptySet(), keyPair);
+        assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject());
+    }
+}
author	Morten Tokle <mortent@oath.com>	2018-10-04 14:32:09 +0200
committer	Morten Tokle <mortent@oath.com>	2018-10-04 14:32:09 +0200
commit	ab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 (patch)
tree	d23cebba1119e018bb421d8e9059b2752697bf37 /vespa-athenz
parent	34ba19e18306f2432c61d4bcaa3a296dd38c7d7b (diff)