Diffstat (limited to 'vespa-athenz/src')
24 files changed, 23 insertions, 571 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java index dc82ed7fcb9..e9aba31cf56 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java @@ -23,7 +23,7 @@ import com.yahoo.vespa.athenz.client.zts.bindings.TenantDomainsResponseEntity; import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; import com.yahoo.vespa.athenz.identity.ServiceIdentitySslSocketFactory; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import org.apache.http.HttpResponse; import org.apache.http.client.ResponseHandler; import org.apache.http.client.config.RequestConfig; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java index 2ef6039ddc8..0ca2ea2fe69 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java @@ -6,7 +6,7 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.api.ZToken; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import java.security.KeyPair; import java.security.cert.X509Certificate; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/IdentityRefreshRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/IdentityRefreshRequestEntity.java index 47ae9cd2d3f..808c1162ef1 100644 
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/IdentityRefreshRequestEntity.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/IdentityRefreshRequestEntity.java @@ -4,7 +4,7 @@ package com.yahoo.vespa.athenz.client.zts.bindings; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.databind.annotation.JsonSerialize; import com.yahoo.vespa.athenz.client.zts.bindings.serializers.Pkcs10CsrSerializer; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; /** * @author bjorncs diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java index b842ef43500..0e7e94e96ac 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRefreshInformation.java @@ -6,7 +6,7 @@ import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.databind.annotation.JsonSerialize; import com.yahoo.vespa.athenz.client.zts.bindings.serializers.Pkcs10CsrSerializer; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; /** * @author bjorncs diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java index a70083f9556..49d9bb1ec5c 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/InstanceRegisterInformation.java 
@@ -5,8 +5,8 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties; import com.fasterxml.jackson.annotation.JsonInclude; import com.fasterxml.jackson.annotation.JsonProperty; import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils; +import com.yahoo.security.Pkcs10Csr; +import com.yahoo.security.Pkcs10CsrUtils; /** * Used for serializing request to ZTS diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/RoleCertificateRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/RoleCertificateRequestEntity.java index f329ffbbd2c..1b974bcc6fc 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/RoleCertificateRequestEntity.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/RoleCertificateRequestEntity.java @@ -9,7 +9,7 @@ import com.fasterxml.jackson.databind.JsonSerializer; import com.fasterxml.jackson.databind.SerializerProvider; import com.fasterxml.jackson.databind.annotation.JsonSerialize; import com.yahoo.vespa.athenz.client.zts.bindings.serializers.Pkcs10CsrSerializer; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import java.io.IOException; import java.time.Duration; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/serializers/Pkcs10CsrSerializer.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/serializers/Pkcs10CsrSerializer.java index 24825792953..ca33962c7c8 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/serializers/Pkcs10CsrSerializer.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/serializers/Pkcs10CsrSerializer.java 
@@ -4,8 +4,8 @@ package com.yahoo.vespa.athenz.client.zts.bindings.serializers; import com.fasterxml.jackson.core.JsonGenerator; import com.fasterxml.jackson.databind.JsonSerializer; import com.fasterxml.jackson.databind.SerializerProvider; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils; +import com.yahoo.security.Pkcs10Csr; +import com.yahoo.security.Pkcs10CsrUtils; import java.io.IOException; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java index 2f152fafba8..b2af2d732bf 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/utils/IdentityCsrGenerator.java @@ -3,13 +3,13 @@ package com.yahoo.vespa.athenz.client.zts.utils; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.client.zts.ZtsClient; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder; +import com.yahoo.security.Pkcs10Csr; +import com.yahoo.security.Pkcs10CsrBuilder; import javax.security.auth.x500.X500Principal; import java.security.KeyPair; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; /** * Generates a {@link Pkcs10Csr} instance for use with {@link ZtsClient#getServiceIdentity(AthenzService, String, Pkcs10Csr)} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java index 907c262e4d3..39d0db4affd 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java 
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java @@ -14,7 +14,7 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java index e330fef66cc..ac255289883 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java @@ -22,7 +22,7 @@ import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient; import com.yahoo.vespa.athenz.client.zts.ZtsClient; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; import com.yahoo.vespa.athenz.identity.SiaIdentityProvider; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java index e22c8621e99..f73a52b373b 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/CsrGenerator.java 
@@ -4,18 +4,18 @@ package com.yahoo.vespa.athenz.identityprovider.client; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder; -import com.yahoo.vespa.athenz.tls.SubjectAlternativeName; +import com.yahoo.security.Pkcs10Csr; +import com.yahoo.security.Pkcs10CsrBuilder; +import com.yahoo.security.SubjectAlternativeName; import javax.security.auth.x500.X500Principal; import java.security.KeyPair; import java.util.Set; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS; -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.IP_ADDRESS; +import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; /** * Generates a {@link Pkcs10Csr} for an instance. diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java index b3b5df0e68b..e63cd9750fb 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java 
@@ -5,7 +5,7 @@ import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.identityprovider.api.IdentityType; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; -import com.yahoo.vespa.athenz.tls.SignatureAlgorithm; +import com.yahoo.security.SignatureAlgorithm; import java.nio.ByteBuffer; import java.security.GeneralSecurityException; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BasicConstraintsExtension.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BasicConstraintsExtension.java deleted file mode 100644 index 008268dbfe0..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BasicConstraintsExtension.java +++ /dev/null @@ -1,14 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -/** - * @author bjorncs - */ -class BasicConstraintsExtension { - final boolean isCritical, isCertAuthorityCertificate; - - BasicConstraintsExtension(boolean isCritical, boolean isCertAuthorityCertificate) { - this.isCritical = isCritical; - this.isCertAuthorityCertificate = isCertAuthorityCertificate; - } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BouncyCastleProviderHolder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BouncyCastleProviderHolder.java deleted file mode 100644 index 03049961dc0..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/BouncyCastleProviderHolder.java +++ /dev/null 
@@ -1,14 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import org.bouncycastle.jce.provider.BouncyCastleProvider; - -/** - * @author bjorncs - */ -class BouncyCastleProviderHolder { - - private static final BouncyCastleProvider bcProvider = new BouncyCastleProvider(); - - static BouncyCastleProvider getInstance() { return bcProvider; } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java deleted file mode 100644 index 8138be9d7d8..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java +++ /dev/null 
@@ -1,73 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.x509.BasicConstraints; -import org.bouncycastle.asn1.x509.Extension; -import org.bouncycastle.asn1.x509.Extensions; -import org.bouncycastle.asn1.x509.GeneralNames; -import org.bouncycastle.pkcs.PKCS10CertificationRequest; - -import javax.security.auth.x500.X500Principal; -import java.util.Arrays; -import java.util.List; -import java.util.Optional; - -import static java.util.Collections.emptyList; -import static java.util.stream.Collectors.toList; - -/** - * @author bjorncs - * @deprecated Use com.yahoo.security.* - */ -@Deprecated -public class Pkcs10Csr { - - private final PKCS10CertificationRequest csr; - - Pkcs10Csr(PKCS10CertificationRequest csr) { - this.csr = csr; - } - - PKCS10CertificationRequest getBcCsr() { - return csr; - } - - public X500Principal getSubject() { - return new X500Principal(csr.getSubject().toString()); - } - - public List<SubjectAlternativeName> getSubjectAlternativeNames() { - return getExtensions() - .map(extensions -> GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName)) - .map(SubjectAlternativeName::fromGeneralNames) - .orElse(emptyList()); - } - - /** - * @return If basic constraints extension is present: returns true if CA cert, false otherwise. Returns empty if the extension is not present. 
- */ - public Optional<Boolean> getBasicConstraints() { - return getExtensions() - .map(BasicConstraints::fromExtensions) - .map(BasicConstraints::isCA); - } - - public List<String> getExtensionOIds() { - return getExtensions() - .map(extensions -> Arrays.stream(extensions.getExtensionOIDs()) - .map(ASN1ObjectIdentifier::getId) - .collect(toList())) - .orElse(emptyList()); - - } - - private Optional<Extensions> getExtensions() { - return Optional.of(csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) - .filter(attributes -> attributes.length > 0) - .map(attributes -> attributes[0]) - .map(attribute -> Extensions.getInstance(attribute.getAttrValues().getObjectAt(0))); - } - -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java deleted file mode 100644 index 607bec90dee..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java +++ /dev/null 
@@ -1,104 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.BasicConstraints; -import org.bouncycastle.asn1.x509.Extension; -import org.bouncycastle.asn1.x509.ExtensionsGenerator; -import org.bouncycastle.asn1.x509.GeneralName; -import org.bouncycastle.asn1.x509.GeneralNames; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder; -import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder; - -import javax.security.auth.x500.X500Principal; -import java.io.IOException; -import java.io.UncheckedIOException; -import java.security.KeyPair; -import java.util.ArrayList; -import java.util.List; - -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; - -/** - * @author bjorncs - * @deprecated Use com.yahoo.security.* - */ -@Deprecated -public class Pkcs10CsrBuilder { - - private final X500Principal subject; - private final KeyPair keyPair; - private final List<SubjectAlternativeName> subjectAlternativeNames = new ArrayList<>(); - private final SignatureAlgorithm signatureAlgorithm; - private BasicConstraintsExtension basicConstraintsExtension; - - private Pkcs10CsrBuilder(X500Principal subject, - KeyPair keyPair, - SignatureAlgorithm signatureAlgorithm) { - this.subject = subject; - this.keyPair = keyPair; - this.signatureAlgorithm = signatureAlgorithm; - } - - public static Pkcs10CsrBuilder fromKeypair(X500Principal subject, - KeyPair keyPair, - SignatureAlgorithm signatureAlgorithm) { - return new Pkcs10CsrBuilder(subject, keyPair, signatureAlgorithm); - } - - public Pkcs10CsrBuilder 
addSubjectAlternativeName(String dns) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dns)); - return this; - } - - public Pkcs10CsrBuilder addSubjectAlternativeName(SubjectAlternativeName san) { - this.subjectAlternativeNames.add(san); - return this; - } - - public Pkcs10CsrBuilder addSubjectAlternativeName(SubjectAlternativeName.Type type, String value) { - this.subjectAlternativeNames.add(new SubjectAlternativeName(type, value)); - return this; - } - - public Pkcs10CsrBuilder setBasicConstraints(boolean isCritical, boolean isCertAuthorityCertificate) { - this.basicConstraintsExtension = new BasicConstraintsExtension(isCritical, isCertAuthorityCertificate); - return this; - } - - public Pkcs10Csr build() { - try { - PKCS10CertificationRequestBuilder requestBuilder = - new JcaPKCS10CertificationRequestBuilder(new X500Name(subject.getName()), keyPair.getPublic()); - ExtensionsGenerator extGen = new ExtensionsGenerator(); - if (basicConstraintsExtension != null) { - extGen.addExtension( - Extension.basicConstraints, - basicConstraintsExtension.isCritical, - new BasicConstraints(basicConstraintsExtension.isCertAuthorityCertificate)); - } - if (!subjectAlternativeNames.isEmpty()) { - GeneralNames generalNames = new GeneralNames( - subjectAlternativeNames.stream() - .map(SubjectAlternativeName::toGeneralName) - .toArray(GeneralName[]::new)); - extGen.addExtension(Extension.subjectAlternativeName, false, generalNames); - } - requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); - ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm.getAlgorithmName()) - .setProvider(BouncyCastleProviderHolder.getInstance()) - .build(keyPair.getPrivate()); - return new Pkcs10Csr(requestBuilder.build(contentSigner)); - } catch (OperatorCreationException e) { - throw new RuntimeException(e); - } catch (IOException e) { - throw new UncheckedIOException(e); - } - - } - -} 
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java deleted file mode 100644 index be7bb3690bd..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java +++ /dev/null @@ -1,40 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import org.bouncycastle.openssl.PEMParser; -import org.bouncycastle.openssl.jcajce.JcaPEMWriter; -import org.bouncycastle.pkcs.PKCS10CertificationRequest; -import org.bouncycastle.util.io.pem.PemObject; - -import java.io.IOException; -import java.io.StringReader; -import java.io.StringWriter; -import java.io.UncheckedIOException; - -/** - * @author bjorncs - * @deprecated Use com.yahoo.security.* - */ -@Deprecated -public class Pkcs10CsrUtils { - - private Pkcs10CsrUtils() {} - - public static Pkcs10Csr fromPem(String pem) { - try (PEMParser pemParser = new PEMParser(new StringReader(pem))) { - return new Pkcs10Csr((PKCS10CertificationRequest) pemParser.readObject()); - } catch (IOException e) { - throw new UncheckedIOException(e); - } - } - - public static String toPem(Pkcs10Csr csr) { - try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) { - pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getBcCsr().getEncoded())); - pemWriter.flush(); - return stringWriter.toString(); - } catch (IOException e) { - throw new UncheckedIOException(e); - } - } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java deleted file mode 100644 index 1ff8ebbe78a..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java +++ /dev/null 
@@ -1,22 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -/** - * @author bjorncs - * @deprecated Use com.yahoo.security.* - */ -@Deprecated -public enum SignatureAlgorithm { - SHA256_WITH_RSA("SHA256withRSA"), - SHA512_WITH_RSA("SHA512withRSA"); - - private final String algorithmName; - - SignatureAlgorithm(String algorithmName) { - this.algorithmName = algorithmName; - } - - public String getAlgorithmName() { - return algorithmName; - } -} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java deleted file mode 100644 index f5b0c7aa1c6..00000000000 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java +++ /dev/null 
@@ -1,116 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.DERIA5String; -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.GeneralName; -import org.bouncycastle.asn1.x509.GeneralNames; - -import java.util.Arrays; -import java.util.List; -import java.util.Objects; - -import static java.util.stream.Collectors.toList; - -/** - * @author bjorncs - * @deprecated Use com.yahoo.security.* - */ -@Deprecated -public class SubjectAlternativeName { - - private final Type type; - private final String value; - - public SubjectAlternativeName(Type type, String value) { - this.type = type; - this.value = value; - } - - SubjectAlternativeName(GeneralName bcGeneralName) { - this.type = Type.fromTag(bcGeneralName.getTagNo()); - this.value = getValue(bcGeneralName); - } - - public Type getType() { - return type; - } - - public String getValue() { - return value; - } - - GeneralName toGeneralName() { - return new GeneralName(type.tag, value); - } - - static List<SubjectAlternativeName> fromGeneralNames(GeneralNames generalNames) { - return Arrays.stream(generalNames.getNames()).map(SubjectAlternativeName::new).collect(toList()); - } - - private String getValue(GeneralName bcGeneralName) { - ASN1Encodable name = bcGeneralName.getName(); - switch (bcGeneralName.getTagNo()) { - case GeneralName.rfc822Name: - case GeneralName.dNSName: - case GeneralName.uniformResourceIdentifier: - return DERIA5String.getInstance(name).getString(); - case GeneralName.directoryName: - return X500Name.getInstance(name).toString(); - default: - return name.toString(); - } - } - - @Override - public String toString() { - return "SubjectAlternativeName{" + - "type=" + type + - ", value='" + value + '\'' + - '}'; - } - - @Override - public boolean equals(Object o) { - if (this == o) return 
true; - if (o == null || getClass() != o.getClass()) return false; - SubjectAlternativeName that = (SubjectAlternativeName) o; - return type == that.type && - Objects.equals(value, that.value); - } - - @Override - public int hashCode() { - return Objects.hash(type, value); - } - - public enum Type { - OTHER_NAME(0), - RFC822_NAME(1), - DNS_NAME(2), - X400_ADDRESS(3), - DIRECTORY_NAME(4), - EDI_PARITY_NAME(5), - UNIFORM_RESOURCE_IDENTIFIER(6), - IP_ADDRESS(7), - REGISTERED_ID(8); - - final int tag; - - Type(int tag) { - this.tag = tag; - } - - public static Type fromTag(int tag) { - return Arrays.stream(Type.values()) - .filter(type -> type.tag == tag) - .findAny() - .orElseThrow(() -> new IllegalArgumentException("Invalid tag: " + tag)); - } - - public int getTag() { - return tag; - } - } -} diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java index ed5c5586d6d..8b6d2f06777 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java @@ -5,7 +5,7 @@ import com.yahoo.security.KeyAlgorithm; import com.yahoo.security.KeyUtils; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; +import com.yahoo.security.Pkcs10Csr; import org.junit.Test; import javax.security.auth.x500.X500Principal; diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java deleted file mode 100644 index dde21631456..00000000000 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilderTest.java +++ /dev/null 
@@ -1,30 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import com.yahoo.security.KeyAlgorithm; -import com.yahoo.security.KeyUtils; -import org.junit.Test; - -import javax.security.auth.x500.X500Principal; - -import java.security.KeyPair; - -import static org.junit.Assert.*; - -/** - * @author bjorncs - */ -public class Pkcs10CsrBuilderTest { - - @Test - public void can_build_csr_with_sans() { - X500Principal subject = new X500Principal("CN=subject"); - KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048); - Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA) - .addSubjectAlternativeName("san1.com") - .addSubjectAlternativeName("san2.com") - .build(); - assertEquals(subject, csr.getSubject()); - } - -} diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java deleted file mode 100644 index 3fef568aef8..00000000000 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java +++ /dev/null 
@@ -1,60 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import com.yahoo.security.Extension; -import com.yahoo.security.KeyAlgorithm; -import com.yahoo.security.KeyUtils; -import org.junit.Test; - -import javax.security.auth.x500.X500Principal; -import java.security.KeyPair; -import java.util.Arrays; -import java.util.List; - -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - -/** - * @author bjorncs - */ -public class Pkcs10CsrTest { - - @Test - public void can_read_subject_alternative_names() { - X500Principal subject = new X500Principal("CN=subject"); - KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048); - SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com"); - SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com"); - Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA) - .addSubjectAlternativeName(san1) - .addSubjectAlternativeName(san2) - .build(); - assertEquals(Arrays.asList(san1, san2), csr.getSubjectAlternativeNames()); - } - - @Test - public void can_read_basic_constraints() { - X500Principal subject = new X500Principal("CN=subject"); - KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048); - Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA) - .setBasicConstraints(true, true) - .build(); - assertTrue(csr.getBasicConstraints().isPresent()); - assertTrue(csr.getBasicConstraints().get()); - } - - @Test - public void can_read_extensions() { - X500Principal subject = new X500Principal("CN=subject"); - KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048); - Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, 
SignatureAlgorithm.SHA256_WITH_RSA) - .addSubjectAlternativeName("san") - .setBasicConstraints(true, true) - .build(); - List<String> expected = Arrays.asList(Extension.BASIC_CONSTRAINTS.getOId(), Extension.SUBJECT_ALTERNATIVE_NAMES.getOId()); - List<String> actual = csr.getExtensionOIds(); - assertEquals(expected, actual); - } - -} diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java deleted file mode 100644 index 801031dd9ff..00000000000 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtilsTest.java +++ /dev/null @@ -1,32 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import com.yahoo.security.KeyAlgorithm; -import com.yahoo.security.KeyUtils; -import org.junit.Test; - -import javax.security.auth.x500.X500Principal; -import java.security.KeyPair; - -import static org.hamcrest.CoreMatchers.containsString; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertThat; - -/** - * @author bjorncs - */ -public class Pkcs10CsrUtilsTest { - - @Test - public void can_deserialize_serialized_pem_csr() { - X500Principal subject = new X500Principal("CN=subject"); - KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048); - Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA).build(); - String pem = Pkcs10CsrUtils.toPem(csr); - Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(pem); - assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST")); - assertThat(pem, containsString("END CERTIFICATE REQUEST")); - assertEquals(subject, deserializedCsr.getSubject()); - } - -} 
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java deleted file mode 100644 index 048538c1a33..00000000000 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/TestUtils.java +++ /dev/null @@ -1,43 +0,0 @@ -// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.athenz.tls; - -import com.yahoo.security.KeyAlgorithm; -import com.yahoo.security.KeyStoreBuilder; -import com.yahoo.security.KeyStoreType; -import com.yahoo.security.KeyUtils; -import com.yahoo.security.X509CertificateBuilder; - -import javax.security.auth.x500.X500Principal; -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.KeyStore; -import java.security.cert.X509Certificate; -import java.time.Instant; -import java.time.temporal.ChronoUnit; - -import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; - -/** - * @author bjorncs - */ -class TestUtils { - - static KeyStore createKeystore(KeyStoreType type, char[] password) { - KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096); - return KeyStoreBuilder.withType(type) - .withKeyEntry("entry-name", keyPair.getPrivate(), password, createCertificate(keyPair)) - .build(); - } - - static X509Certificate createCertificate(KeyPair keyPair) { - return createCertificate(keyPair, new X500Principal("CN=mysubject")); - } - - static X509Certificate createCertificate(KeyPair keyPair, X500Principal subject) { - return X509CertificateBuilder - .fromKeypair( - keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SHA256_WITH_RSA, BigInteger.ONE) - .build(); - } - -} |