author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-01-07 16:24:45 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2022-01-07 16:24:45 +0100 |
commit | dd77c1ed1c3546383a943293e2241f8d9f3dcfbc (patch) | |
tree | 1a14e077486e306f848452266fdb1cafd3356baf /vespa-athenz | |
parent | cdb6a8521b56ff30ff8abda7b5342986df977f2e (diff) |
Support new SAN format for principal name in Athenz role certificates
Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index 4b54b392d12..bb62dc51603 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -26,13 +26,29 @@ public class AthenzX509CertificateUtils {
 private AthenzX509CertificateUtils() {}
 public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) {
- List<com.yahoo.security.SubjectAlternativeName> sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate);
+ List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(certificate);
+ return getRoleIdentityFromEmail(sans)
+ .or(() -> getRoleIdentityFromUri(sans))
+ .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
+ }
+
+ private static Optional<AthenzIdentity> getRoleIdentityFromEmail(List<SubjectAlternativeName> sans) {
 return sans.stream()
 .filter(san -> san.getType() == RFC822_NAME)
 .map(com.yahoo.security.SubjectAlternativeName::getValue)
 .map(AthenzX509CertificateUtils::getIdentityFromSanEmail)
- .findFirst()
- .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans));
+ .findFirst();
+ }
+
+ private static Optional<AthenzIdentity> getRoleIdentityFromUri(List<SubjectAlternativeName> sans) {
+ String uriPrefix = "athenz://principal/";
+ return sans.stream()
+ .filter(s -> s.getType() == UNIFORM_RESOURCE_IDENTIFIER && s.getValue().startsWith(uriPrefix))
+ .map(san -> {
+ String uriPath = URI.create(san.getValue()).getPath();
+ return AthenzIdentities.from(uriPath.substring(uriPrefix.length()));
+ })
+ .findFirst();
 }
 public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) { |
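Review bot: `uriPath.substring(uriPrefix.length())` in the new `getRoleIdentityFromUri` removes 19 characters from the path component, but `URI.create(san.getValue()).getPath()` has already dropped the scheme and authority, so for a SAN of the form `athenz://principal/<domain>.<service>` the path is only `/<domain>.<service>` and the call either throws `StringIndexOutOfBoundsException` or, for long principal names, yields a truncated string that `AthenzIdentities.from` may accept as a different identity. Strip the prefix from the full SAN value instead, `return AthenzIdentities.from(san.getValue().substring(uriPrefix.length()));`, or, if the `URI` parse is wanted for validation, drop only the leading slash with `uriPath.substring(1)`. Since this value becomes the identity attributed to a role certificate, a silently wrong principal is worse than a rejected certificate, so a unit test with a realistic URI SAN would pin the intended result. Minor style point: the email branch still uses the fully-qualified `com.yahoo.security.SubjectAlternativeName::getValue` although the class is now imported, and the URI branch names the same element `s` in the filter and `san` in the map.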