Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
new file mode 100644
index 00000000000..102bfd82646
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/RoleCsrGenerator.java
@@ -0,0 +1,39 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.utils;
+
+import com.yahoo.security.Pkcs10Csr;
+import com.yahoo.security.Pkcs10CsrBuilder;
+import com.yahoo.security.SubjectAlternativeName.Type;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA;
+
+/**
+ * Generates a {@link Pkcs10Csr} instance for use with {@link ZtsClient#getRoleCertificate(AthenzRole, Pkcs10Csr)}.
+ *
+ * @author bjorncs
+ */
+public class RoleCsrGenerator {
+
+ private final String dnsSuffix;
+
+ public RoleCsrGenerator(String dnsSuffix) {
+ this.dnsSuffix = dnsSuffix;
+ }
+
+ public Pkcs10Csr generateCsr(AthenzIdentity identity, AthenzRole role, KeyPair keyPair) {
+ return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + role.toResourceNameString()), keyPair, SHA256_WITH_RSA)
+ .addSubjectAlternativeName(
+ Type.DNS_NAME,
+ String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace(".", "-"), dnsSuffix))
+ .addSubjectAlternativeName(
+ Type.RFC822_NAME,
+ String.format("%s@%s", identity.getFullName(), dnsSuffix))
+ .build();
+ }
+} |
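Review bot: The constructor stores `dnsSuffix` without a null check, so a null suffix is not rejected at construction time but silently becomes the literal text "null" inside both SAN values when `String.format` runs in `generateCsr`; replace the assignment with `this.dnsSuffix = Objects.requireNonNull(dnsSuffix, "dnsSuffix");` (and add `import java.util.Objects;`). The subject is built by concatenating `"CN=" + role.toResourceNameString()` into `X500Principal`, which parses RFC 2253 syntax, so a role resource name containing `,`, `+` or `=` would be split into extra RDNs or rejected; if role names are not already constrained upstream, escape the value or construct the name from components. `generateCsr` has no Javadoc; a short one stating that the CN carries the role's resource name and that the DNS and RFC822 SANs identify the requesting service by its name, its domain with dots replaced by hyphens, and the configured suffix would help callers. The dot-to-hyphen domain mapping is lossy if Athenz domain names can themselves contain hyphens, which is worth a one-line comment if that collision is accepted by design.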