authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-04-15 15:51:21 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-04-15 15:51:21 +0200
commit4482e8310ddb4a6dd63c17d72ac9df0f1f36e009 (patch)
tree3b0df41ac437f96194ef906cb22ed52b8c58b417 /vespa-athenz
parent43f1f598ad89f7a787a311ddb8a4e86dc0958055 (diff)
Add CSR generator for role certificates
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java39
1 files changed, 39 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
new file mode 100644
index 00000000000..102bfd82646
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -0,0 +1,39 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.utils;
+
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrBuilder;
+import com.yahoo.security.SubjectAlternativeName.Type;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
+
+/**
+ * Generates a {@link Pkcs10Csr} instance for use with {@link ZtsClient#getRoleCertificate(AthenzRole, Pkcs10Csr)}.
+ *
+ * @author bjorncs
+ */
+public class RoleCsrGenerator {
+
+ private final String dnsSuffix;
+
+ public RoleCsrGenerator(String dnsSuffix) {
+ this.dnsSuffix = dnsSuffix;
+ }
+
+ public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
+ return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
+ .addSubjectAlternativeName(
+ Type.DNS_NAME,
+ String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
+ .addSubjectAlternativeName(
+ Type.RFC822_NAME,
+ String.format("%s@%s", identity.getFullName(), dnsSuffix))
+ .build();
+ }
+}
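Review bot: The subject DN in generateCsr is built by string concatenation, `new X500Principal("CN=" + role.toResourceNameString())`, and the X500Principal string constructor parses that text as an RFC 2253/1779 distinguished name, so a role name containing `,`, `+`, `=`, `"`, `\` or leading/trailing whitespace is either split into additional RDNs or rejected with IllegalArgumentException rather than landing verbatim in the CN. Unless AthenzRole already restricts its characters (not visible in this hunk), the value should be escaped before it is embedded, e.g. `new X500Principal("CN=" + Rdn.escapeValue(role.toResourceNameString()))` with `import javax.naming.ldap.Rdn;`. The same concern applies in weaker form to the two SAN strings, which interpolate identity.getName(), identity.getDomainName() and dnsSuffix without any validation; a brief Javadoc on generateCsr stating what character set the caller must guarantee for these inputs would make the contract explicit. The constructor also accepts a null dnsSuffix silently, which would surface only later as the literal string "null" inside the SANs; `this.dnsSuffix = Objects.requireNonNull(dnsSuffix, "dnsSuffix");` fails fast instead. Finally, the signature algorithm is fixed to SHA256_WITH_RSA while keyPair is an arbitrary KeyPair, so this presumably does not support EC keys — worth stating in the Javadoc or checking `keyPair.getPublic().getAlgorithm()` up front.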