authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:15:32 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-07-20 13:56:34 +0200
commitb0a11043f8ac63ae543c9dfc8b1a7e40bf58f19d (patch)
tree41b8782def3665db66c2b084b737b9aaf9ca6aa9 /vespa-athenz
parentead5f9f883bce032c13f4615ad98a25ac91fae7d (diff)
Simplify type definition for subject alternative names
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java4
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java12
3 files changed, 15 insertions, 17 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
index 92be935d293..5b129de412d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -29,10 +29,10 @@ public class RoleCsrGenerator {
public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
- Type.DNS_NAME,
+ Type.DNS,
String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
.addSubjectAlternativeName(
- Type.RFC822_NAME,
+ Type.EMAIL,
String.format("%s@%s", identity.getFullName(), dnsSuffix))
.build();
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
index 518f77ae79c..21ce30fd244 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java
@@ -13,9 +13,9 @@ import java.security.KeyPair;
import java.util.Set;
import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.DNS;
+import static com.yahoo.security.SubjectAlternativeName.Type.IP;
+import static com.yahoo.security.SubjectAlternativeName.Type.EMAIL;
/**
* Generates a {@link Pkcs10Csr} for an instance.
@@ -41,14 +41,14 @@ public class CsrGenerator {
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
.addSubjectAlternativeName(
- DNS_NAME,
+ DNS,
String.format(
"%s.%s.%s",
instanceIdentity.getName(),
instanceIdentity.getDomainName().replace(".", "-"),
dnsSuffix))
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
- ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId));
+ ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP, ip)));
return pkcs10CsrBuilder.build();
}
@@ -58,8 +58,8 @@ public class CsrGenerator {
KeyPair keyPair) {
X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
- .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
- .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+ .addSubjectAlternativeName(DNS, getIdentitySAN(instanceId))
+ .addSubjectAlternativeName(EMAIL, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
.build();
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index bb62dc51603..7542e976260 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -12,9 +12,7 @@ import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
-import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
-import static com.yahoo.security.SubjectAlternativeName.Type.UNIFORM_RESOURCE_IDENTIFIER;
+import static com.yahoo.security.SubjectAlternativeName.Type;
/**
* Utility methods for Athenz issued x509 certificates
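Review bot: The new `import static com.yahoo.security.SubjectAlternativeName.Type;` brings in a nested enum through a static-import declaration. That compiles, since member types are static members, but the idiomatic way to import a type is a single-type import, `import com.yahoo.security.SubjectAlternativeName.Type;`, leaving `import static` for constants and methods. The simple name `Type` is also generic enough that it may clash if, say, `java.lang.reflect.Type` is ever imported into this file; `SubjectAlternativeName.Type.URI` at the use sites would avoid that without any import change.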
@@ -34,7 +32,7 @@ public class AthenzX509CertificateUtils {
private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
return sans.stream()
- .filter(san -> san.getType() == RFC822_NAME)
+ .filter(san -> san.getType() == Type.EMAIL)
.map(com.yahoo.security.SubjectAlternativeName::getValue)
.map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
.findFirst();
@@ -43,7 +41,7 @@ public class AthenzX509CertificateUtils {
private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
String uriPrefix = "athenz://principal/";
return sans.stream()
- .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .filter(s -> s.getType() == Type.URI && s.getValue().startsWith(uriPrefix))
.map(san -> {
String uriPath = URI.create(san.getValue()).getPath();
return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
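Review bot: The prefix check in the new filter line (`s.getValue().startsWith(uriPrefix)`) is made against the full SAN value, but the map step below slices `uriPrefix.length()` characters off `URI.create(san.getValue()).getPath()`. For a value of the form `athenz://principal/<identity>`, `getPath()` yields only `/<identity>`, so the offset of the full prefix (19 characters) does not correspond to that string and, for a short identity, `substring` would throw on a certificate presented by a peer rather than yielding an empty `Optional`. It looks like the intent is `san.getValue().substring(uriPrefix.length())`, or equivalently `uriPath.substring(1)`; either way a malformed URI SAN should be filtered out rather than allowed to raise here. `getRoleIdentityFromUri` continues past the end of this hunk.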
@@ -78,7 +76,7 @@ public class AthenzX509CertificateUtils {
String uriPrefix = "athenz://instanceid/";
return sans.stream()
.filter(san -> {
- if (san.getType() != UNIFORM_RESOURCE_IDENTIFIER) return false;
+ if (san.getType() != Type.URI) return false;
return san.getValue().startsWith(uriPrefix);
})
.map(san -> {
@@ -92,7 +90,7 @@ public class AthenzX509CertificateUtils {
String dnsNameDelimiter = ".instanceid.athenz.";
return sans.stream()
.filter(san -> {
- if (san.getType() != DNS_NAME) return false;
+ if (san.getType() != Type.DNS) return false;
return san.getValue().contains(dnsNameDelimiter);
})
.map(san -> {