Replace use of com.yahoo.vespa.athenz.tls with com.yahoo.security

- Use replace RSA with EC in unit tests where possible
author: Bjørn Christian Seime <bjorncs@oath.com> 2018-09-05 11:21:09 +0200
committer: Bjørn Christian Seime <bjorncs@oath.com> 2018-09-05 12:47:16 +0200
commit: e437b35c7520bf73078864dab297374211ad57ca (patch)
tree: 76e9c470a2cb842df570fc7434a3c989abce0e1a /vespa-athenz
parent: 987f479a89b8ccc2d39bb6e99fde683e5f82c517 (diff)
8 files changed, 43 insertions, 48 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index b06ae089b2a..d8fa910aa73 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -5,8 +5,8 @@ import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 
 import javax.net.ssl.SSLContext;
@@ -92,8 +92,8 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 
     private SSLContext createIdentitySslContext() {
         return new SslContextBuilder()
-                .withTrustStore(trustStoreFile, KeyStoreType.JKS)
-                .withKeyStore(privateKeyFile, certificateFile)
+                .withTrustStore(trustStoreFile.toPath(), KeyStoreType.JKS)
+                .withKeyStore(privateKeyFile.toPath(), certificateFile.toPath())
                 .build();
     }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 5567831d49d..4a189c872bc 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -11,10 +11,10 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
 
@@ -31,7 +31,7 @@ import java.time.Clock;
 import java.time.Duration;
 import java.util.Optional;
 
-import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
+import static com.yahoo.security.KeyStoreType.JKS;
 import static java.util.Collections.singleton;
 
 /**
@@ -153,7 +153,7 @@ class AthenzCredentialsService {
     private SSLContext createIdentitySslContext(PrivateKey privateKey, X509Certificate certificate) {
         return new SslContextBuilder()
                 .withKeyStore(privateKey, certificate)
-                .withTrustStore(trustStoreJks, JKS)
+                .withTrustStore(trustStoreJks.toPath(), JKS)
                 .build();
     }
 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 266e2ebcefd..e318ebeb7fd 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -19,8 +19,8 @@ import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identity.SiaIdentityProvider;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
 
@@ -177,7 +177,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
             X509Certificate roleCertificate = client.getRoleCertificate(role, credentials.getKeyPair(), dnsSuffix);
             return new SslContextBuilder()
                     .withKeyStore(credentials.getKeyPair().getPrivate(), roleCertificate)
-                    .withTrustStore(getDefaultTrustStoreLocation(), KeyStoreType.JKS)
+                    .withTrustStore(getDefaultTrustStoreLocation().toPath(), KeyStoreType.JKS)
                     .build();
         }
     }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 46aca707be1..33e5552eaf6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -8,7 +8,7 @@ import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
+import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
 
 /**
  * Utility methods for Athenz issued x509 certificates
@@ -23,26 +23,26 @@ public class AthenzX509CertificateUtils {
 
     public static boolean isAthenzRoleCertificate(X509Certificate certificate) {
         return isAthenzIssuedCertificate(certificate) &&
-                X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER);
+                com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER);
     }
 
     public static boolean isAthenzIssuedCertificate(X509Certificate certificate) {
-        return X509CertificateUtils.getIssuerCommonNames(certificate).stream()
+        return com.yahoo.security.X509CertificateUtils.getIssuerCommonNames(certificate).stream()
                 .anyMatch(cn -> cn.equalsIgnoreCase("Yahoo Athenz CA") || cn.equalsIgnoreCase("Athenz AWS CA"));
     }
 
     public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) {
-        List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(certificate);
+        List<com.yahoo.security.SubjectAlternativeName> sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate);
         return sans.stream()
                 .filter(san -> san.getType() == RFC822_NAME)
-                .map(SubjectAlternativeName::getValue)
+                .map(com.yahoo.security.SubjectAlternativeName::getValue)
                 .map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
                 .findFirst()
                 .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
     }
 
     public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) {
-        String commonName = X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
+        String commonName = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0);
         int delimiterIndex = commonName.indexOf(COMMON_NAME_ROLE_DELIMITER);
         String domain = commonName.substring(0, delimiterIndex);
         String roleName = commonName.substring(delimiterIndex + COMMON_NAME_ROLE_DELIMITER.length());
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
index 05459e5488b..98d9061be02 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
@@ -2,8 +2,8 @@
 package com.yahoo.vespa.athenz.utils;
 
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateUtils;
 
 import java.io.IOException;
 import java.io.UncheckedIOException;
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
index 7b93ffb035d..6217d6fb2ee 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
@@ -1,15 +1,14 @@
 package com.yahoo.vespa.athenz.identity;
 
-import com.google.common.io.Files;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyStoreBuilder;
+import com.yahoo.security.KeyStoreType;
+import com.yahoo.security.KeyStoreUtils;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureAlgorithm;
+import com.yahoo.security.X509CertificateBuilder;
+import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
-import com.yahoo.vespa.athenz.tls.KeyStoreType;
-import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
-import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -17,7 +16,8 @@ import org.junit.rules.TemporaryFolder;
 import javax.security.auth.x500.X500Principal;
 import java.io.File;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
+import java.math.BigInteger;
+import java.nio.file.Files;
 import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
@@ -62,12 +62,12 @@ public class SiaIdentityProviderTest {
 
     private void createPrivateKeyFile(File keyFile, KeyPair keypair) throws IOException {
         String privateKeyPem = KeyUtils.toPem(keypair.getPrivate());
-        Files.write(privateKeyPem, keyFile, StandardCharsets.UTF_8);
+        Files.write(keyFile.toPath(), privateKeyPem.getBytes());
     }
 
     private void createCertificateFile(X509Certificate certificate, File certificateFile) throws IOException {
         String certificatePem = X509CertificateUtils.toPem(certificate);
-        Files.write(certificatePem, certificateFile, StandardCharsets.UTF_8);
+        Files.write(certificateFile.toPath(), certificatePem.getBytes());
     }
 
     private X509Certificate createCertificate(KeyPair keypair) {
@@ -79,7 +79,7 @@ public class SiaIdentityProviderTest {
                         now,
                         now.plus(Duration.ofDays(1)),
                         SignatureAlgorithm.SHA256_WITH_RSA,
-                        1)
+                        BigInteger.ONE)
                 .build();
     }
 
@@ -87,7 +87,7 @@ public class SiaIdentityProviderTest {
         KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.JKS)
                 .withCertificateEntry("dummy-cert", certificate)
                 .build();
-        KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile);
+        KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile.toPath());
     }
 
 }
 \ No newline at end of file
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
index 73382d267be..679476abe12 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java
@@ -1,24 +1,25 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.utils;
 
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
 import org.junit.Test;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.security.auth.x500.X500Principal;
+import java.math.BigInteger;
 import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
 import static java.util.Collections.singleton;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -34,23 +35,17 @@ public class AthenzIdentityVerifierTest {
     public void verifies_certificate_with_athenz_service_as_common_name() throws Exception {
         AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice");
         AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory");
-        KeyPair keyPair = createKeyPair();
+        KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
         AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity));
         assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity))));
         assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity))));
     }
 
-    private static KeyPair createKeyPair() throws NoSuchAlgorithmException {
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(512);
-        return keyGen.generateKeyPair();
-    }
-
     private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, AthenzIdentity identity) {
         X500Principal x500Name = new X500Principal("CN="+ identity.getFullName());
         Instant now = Instant.now();
         return X509CertificateBuilder
-                .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, 1)
+                .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE)
                 .setBasicConstraints(true, true)
                 .build();
     }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
index 22f97ca8b60..750968a437e 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java
@@ -6,8 +6,8 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.NToken;
-import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
-import com.yahoo.vespa.athenz.tls.KeyUtils;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
 import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator.InvalidTokenException;
 import org.junit.Rule;
 import org.junit.Test;
author	Bjørn Christian Seime <bjorncs@oath.com>	2018-09-05 11:21:09 +0200
committer	Bjørn Christian Seime <bjorncs@oath.com>	2018-09-05 12:47:16 +0200
commit	e437b35c7520bf73078864dab297374211ad57ca (patch)
tree	76e9c470a2cb842df570fc7434a3c989abce0e1a /vespa-athenz
parent	987f479a89b8ccc2d39bb6e99fde683e5f82c517 (diff)