Diffstat (limited to 'athenz-identity-provider-service')
3 files changed, 9 insertions, 3 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
index 059c91aecd3..8c8b5de2a30 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java
@@ -20,6 +20,7 @@ import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.security.KeyPair;
@@ -35,7 +36,6 @@ import java.util.logging.Logger;
 /**
 * @author bjorncs
 */
-// TODO Add Athenz CA certificates to trust store
 public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
 private static final Logger log = Logger.getLogger(AthenzSslTrustStoreConfigurator.class.getName());
@@ -64,7 +64,9 @@ public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurato
 X509Certificate selfSignedCertificate = createSelfSignedCertificate(keyPair, configserverConfig);
 log.log(LogLevel.FINE, "Generated self-signed certificate: " + selfSignedCertificate);
 KeyStore trustStore = KeyStore.getInstance("JKS");
- trustStore.load(null);
+ try (FileInputStream in = new FileInputStream(athenzProviderServiceConfig.athenzCaTrustStore())) {
+ trustStore.load(in, "changeit".toCharArray());
+ }
 trustStore.setCertificateEntry("cfgselfsigned", selfSignedCertificate);
 return trustStore;
 } catch (Exception e) {
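Review bot: The trust store password is hard-coded as `"changeit"` in the new try-with-resources block, so loading fails with an IOException whenever the operator-provided JKS was written with any other password, and because the path is now read from config the file's integrity is being checked against a well-known default rather than a secret under the service's control. Since the store holds only CA certificates, `trustStore.load(in, null);` skips the JKS integrity check and removes the coupling to that default; if the integrity check is wanted, the password should come from `AthenzProviderServiceConfig` next to the path instead of a literal in source. A missing or unreadable trust store file will surface only through the surrounding `catch (Exception e)`, whose handling lies outside the hunk, so confirm that it rethrows rather than logs and continues, otherwise the configurator would silently run with a trust store that lacks the Athenz CA. The enclosing method begins before the hunk.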
diff --git a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
index 13cc78b0bd0..21f2aea6ab0 100644
--- a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
+++ b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
@@ -21,3 +21,6 @@ ztsUrl string
 # Certificate DNS suffix
 certDnsSuffix string
+
+# Path to Athenz CA JKS trust store
+athenzCaTrustStore string
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
index c09a9fb1740..da2bf929e82 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/TestUtils.java
@@ -25,7 +25,8 @@ public class TestUtils {
 .zones(ImmutableMap.of(zone.environment().value() + "." + zone.region().value(), zoneConfig))
 .certDnsSuffix(dnsSuffix)
 .ztsUrl("localhost/zts")
- .athenzPrincipalHeaderName("Athenz-Principal-Auth"));
+ .athenzPrincipalHeaderName("Athenz-Principal-Auth")
+ .athenzCaTrustStore("/dummy/path/to/athenz-ca.jks"));
 }
 } |
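Review bot: The fixture now sets `athenzCaTrustStore` to `"/dummy/path/to/athenz-ca.jks"`, a path that does not exist, so any test that builds an AthenzSslTrustStoreConfigurator from this config would fail in the new FileInputStream load before reaching the trust store logic; whether such a test exists is not visible from this hunk. If one does, write a minimal JKS to a temporary file in the test (for example via `Files.createTempFile`) and pass that path, or add a short comment on this line stating that the value is a placeholder valid only for tests that never load the trust store. The method that builds this config starts before the hunk.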