Diffstat (limited to 'container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java')
-rw-r--r--container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java23
1 files changed, 19 insertions, 4 deletions
diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
index 1b109e4bacb..388b40a1fe0 100644
--- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
+++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/CryptoUtils.java
@@ -6,6 +6,9 @@ import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
@@ -23,6 +26,7 @@ import java.io.UncheckedIOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
@@ -30,6 +34,8 @@ import java.security.cert.X509Certificate;
*/
class CryptoUtils {
+ private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
+
private CryptoUtils() {}
static KeyPair createKeyPair() {
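Review bot: The new field `bouncyCastleProvider` is a `private static final` constant and the file's convention for such names is `UPPER_SNAKE_CASE`, so `BOUNCY_CASTLE_PROVIDER` would read as what it is. A one-line comment on the field would also help the next reader, since the provider is never registered with `java.security.Security` and is only handed explicitly to the converter in `parseCertificate`; something like `// Not registered globally; passed explicitly to BC converters so the JVM's provider list is left untouched.` The class body continues outside this hunk.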
@@ -45,7 +51,7 @@ class CryptoUtils {
String identityService,
String dnsSuffix,
String providerUniqueId,
- KeyPair keyPair) throws IOException {
+ KeyPair keyPair) {
try {
// Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
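Review bot: Dropping `throws IOException` from the signature at `KeyPair keyPair) {` is a source-incompatible change for any caller that wrapped this call in a `try`/`catch (IOException e)` with no other IOException source inside the try, since javac rejects a catch of a checked exception that can never be thrown; whether such callers exist cannot be verified from this diff. If the method is only called from code that also touches I/O this is harmless, but the commit message or the method Javadoc should say that the failure now surfaces as `UncheckedIOException`. The method's signature begins before this hunk and its body continues past it.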
@@ -71,6 +77,8 @@ class CryptoUtils {
return requestBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));
} catch (OperatorCreationException e) {
throw new RuntimeException(e);
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
}
}
@@ -87,12 +95,19 @@ class CryptoUtils {
static X509Certificate parseCertificate(String pemEncodedCertificate) {
try (PEMParser parser = new PEMParser(new StringReader(pemEncodedCertificate))) {
Object pemObject = parser.readObject();
- if (!(pemObject instanceof X509Certificate)) {
- throw new IllegalArgumentException("Expeceted X509Certificate instance, got " + pemObject);
+ if (pemObject instanceof X509Certificate) {
+ return (X509Certificate) pemObject;
}
- return (X509Certificate) pemObject;
+ if (pemObject instanceof X509CertificateHolder) {
+ return new JcaX509CertificateConverter()
+ .setProvider(bouncyCastleProvider)
+ .getCertificate((X509CertificateHolder) pemObject);
+ }
+ throw new IllegalArgumentException("Invalid type of PEM object: " + pemObject);
} catch (IOException e) {
throw new UncheckedIOException(e);
+ } catch (CertificateException e) {
+ throw new RuntimeException(e);
}
}
}
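Review bot: The `CertificateException` caught at the end of `parseCertificate` is wrapped in a bare `RuntimeException`, which puts a malformed caller-supplied certificate on the same footing as an internal bug, while a wrong PEM object type two branches earlier is reported as `IllegalArgumentException`; `throw new IllegalArgumentException("Invalid certificate in PEM object: " + pemObject, e);` keeps the two input-validation failures consistent and preserves the cause. As far as I know `PEMParser.readObject()` yields an `X509CertificateHolder` for CERTIFICATE blocks rather than a `java.security.cert.X509Certificate`, so the first `instanceof` branch kept from the old code is probably unreachable and could be dropped or commented as defensive. Two behaviours worth stating in the Javadoc above the hunk: only the first PEM object is read, so any trailing objects in the string are silently ignored, and an empty or non-PEM string makes `readObject()` return null, which lands in the `IllegalArgumentException` with `null` in the message.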