From 987f479a89b8ccc2d39bb6e99fde683e5f82c517 Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Wed, 5 Sep 2018 11:19:17 +0200 Subject: Deprecate crypto utilities in com.yahoo.vespa.athenz.tls --- vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java | 2 ++ vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java | 2 ++ vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java | 2 ++ vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java | 2 ++ vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java | 2 ++ .../main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java | 2 ++ .../main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java | 2 ++ .../src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java | 2 ++ 14 files changed, 28 insertions(+) diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java index 18403669c4d..9a6c20018b8 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Extension.java @@ -5,7 +5,9 @@ import org.bouncycastle.asn1.ASN1ObjectIdentifier; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public enum Extension { BASIC_CONSTRAINS(org.bouncycastle.asn1.x509.Extension.basicConstraints), SUBJECT_ALTERNATIVE_NAMES(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java index 4c4198adaac..d685f85b206 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyAlgorithm.java @@ -3,7 +3,9 @@ package com.yahoo.vespa.athenz.tls; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public enum KeyAlgorithm { RSA("RSA"); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java index a9279f45129..3e63e441396 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreBuilder.java @@ -19,7 +19,9 @@ import static java.util.Collections.singletonList; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class KeyStoreBuilder { private final List keyEntries = new ArrayList<>(); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java index 6c08a60ff5b..b0bfe170789 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreType.java @@ -9,7 +9,9 @@ import java.security.KeyStoreException; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public enum KeyStoreType { JKS { KeyStore createKeystore() throws KeyStoreException { diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java index 12aaa40cce4..96fe76a1f73 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyStoreUtils.java @@ -12,7 +12,9 @@ import java.security.KeyStore; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class KeyStoreUtils { private KeyStoreUtils() {} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java index c2be1a40893..fc4734d16ca 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/KeyUtils.java @@ -25,7 +25,9 @@ import java.security.spec.PKCS8EncodedKeySpec; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class KeyUtils { private KeyUtils() {} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java index e0029681b23..8138be9d7d8 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10Csr.java @@ -19,7 +19,9 @@ import static java.util.stream.Collectors.toList; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class Pkcs10Csr { private final PKCS10CertificationRequest csr; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java index 2135f569aeb..702b2f6cd4b 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java @@ -24,7 +24,9 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class Pkcs10CsrBuilder { private final X500Principal subject; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java index 2289c9ac0ee..be7bb3690bd 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrUtils.java @@ -13,7 +13,9 @@ import java.io.UncheckedIOException; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class Pkcs10CsrUtils { private Pkcs10CsrUtils() {} diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java index 2f3e2721751..1ff8ebbe78a 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SignatureAlgorithm.java @@ -3,7 +3,9 @@ package com.yahoo.vespa.athenz.tls; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public enum SignatureAlgorithm { SHA256_WITH_RSA("SHA256withRSA"), SHA512_WITH_RSA("SHA512withRSA"); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java index ba5785043da..63262eac048 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SslContextBuilder.java @@ -18,7 +18,9 @@ import java.security.cert.X509Certificate; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class SslContextBuilder { private KeyStoreSupplier trustStoreSupplier; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java index 8b89fc6fe7f..f5b0c7aa1c6 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/SubjectAlternativeName.java @@ -15,7 +15,9 @@ import static java.util.stream.Collectors.toList; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class SubjectAlternativeName { private final Type type; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java index c27b704f6a3..de593f25f61 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateBuilder.java @@ -31,7 +31,9 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class X509CertificateBuilder { private final long serialNumber; diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java index d96ed17765c..8fc25ab06a4 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/X509CertificateUtils.java @@ -30,7 +30,9 @@ import static java.util.stream.Collectors.toList; /** * @author bjorncs + * @deprecated Use com.yahoo.security.* */ +@Deprecated public class X509CertificateUtils { private X509CertificateUtils() {} -- cgit v1.2.3 From e437b35c7520bf73078864dab297374211ad57ca Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Wed, 5 Sep 2018 11:21:09 +0200 Subject: Replace use of com.yahoo.vespa.athenz.tls with com.yahoo.security - Use replace RSA with EC in unit tests where possible --- .../AthenzSslKeyStoreConfigurator.java | 6 +-- .../AthenzSslTrustStoreConfigurator.java | 8 ++-- .../impl/CkmsKeyProvider.java | 2 +- .../filter/AthenzTrustStoreConfigurator.java | 16 +++---- .../security/athenz/AthenzPrincipalFilterTest.java | 14 +++--- .../restapi/v2/filter/NodeIdentifier.java | 6 +-- .../provision/restapi/v2/filter/FilterTester.java | 22 ++++----- .../restapi/v2/filter/NodeIdentifierTest.java | 53 ++++++++++++---------- .../vespa/athenz/identity/SiaIdentityProvider.java | 8 ++-- .../client/AthenzCredentialsService.java | 10 ++-- .../client/AthenzIdentityProviderImpl.java | 6 +-- .../athenz/tls/AthenzX509CertificateUtils.java | 12 ++--- .../com/yahoo/vespa/athenz/utils/SiaUtils.java | 4 +- .../athenz/identity/SiaIdentityProviderTest.java | 28 ++++++------ .../athenz/utils/AthenzIdentityVerifierTest.java | 19 +++----- .../athenz/utils/ntoken/NTokenValidatorTest.java | 4 +- 16 files changed, 104 insertions(+), 114 deletions(-) diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java index 5a509d77431..0b64f206267 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java @@ -13,9 +13,9 @@ import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient; import com.yahoo.vespa.athenz.client.zts.Identity; import com.yahoo.vespa.athenz.client.zts.ZtsClient; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; -import com.yahoo.vespa.athenz.tls.KeyStoreBuilder; -import com.yahoo.vespa.athenz.tls.KeyStoreType; -import com.yahoo.vespa.athenz.tls.KeyUtils; +import com.yahoo.security.KeyStoreBuilder; +import com.yahoo.security.KeyStoreType; +import com.yahoo.security.KeyUtils; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig; diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java index a440f96cc49..da5fd430f1c 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslTrustStoreConfigurator.java @@ -4,11 +4,11 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice; import com.google.inject.Inject; import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator; import com.yahoo.jdisc.http.ssl.SslTrustStoreContext; -import com.yahoo.vespa.athenz.tls.KeyStoreBuilder; -import com.yahoo.vespa.athenz.tls.KeyStoreType; +import com.yahoo.security.KeyStoreBuilder; +import com.yahoo.security.KeyStoreType; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig; -import java.io.File; +import java.nio.file.Paths; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.cert.X509Certificate; @@ -43,7 +43,7 @@ public class AthenzSslTrustStoreConfigurator implements SslTrustStoreConfigurato private static KeyStore createTrustStore(AthenzProviderServiceConfig athenzProviderServiceConfig) { try { return KeyStoreBuilder.withType(KeyStoreType.JKS) - .fromFile(new File(athenzProviderServiceConfig.athenzCaTrustStore())) + .fromFile(Paths.get(athenzProviderServiceConfig.athenzCaTrustStore())) .build(); } catch (Exception e) { throw new RuntimeException(e); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java index 183a52f782c..40003d4ccf3 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/CkmsKeyProvider.java @@ -4,7 +4,7 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl; import com.google.inject.Inject; import com.yahoo.config.provision.Zone; import com.yahoo.container.jdisc.secretstore.SecretStore; -import com.yahoo.vespa.athenz.tls.KeyUtils; +import com.yahoo.security.KeyUtils; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig; diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java index 909104d1731..e805332429b 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java @@ -4,17 +4,13 @@ package com.yahoo.vespa.hosted.controller.athenz.filter; import com.google.inject.Inject; import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator; import com.yahoo.jdisc.http.ssl.SslTrustStoreContext; -import com.yahoo.vespa.athenz.tls.KeyStoreBuilder; -import com.yahoo.vespa.athenz.tls.KeyStoreType; +import com.yahoo.security.KeyStoreBuilder; +import com.yahoo.security.KeyStoreType; import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; /** * Load trust store with Athenz CA certificates @@ -27,10 +23,10 @@ public class AthenzTrustStoreConfigurator implements SslTrustStoreConfigurator { @Inject public AthenzTrustStoreConfigurator(AthenzConfig config) { - this.trustStore = createTrustStore(new File(config.athenzCaTrustStore())); + this.trustStore = createTrustStore(Paths.get(config.athenzCaTrustStore())); } - private static KeyStore createTrustStore(File trustStoreFile) { + private static KeyStore createTrustStore(Path trustStoreFile) { return KeyStoreBuilder.withType(KeyStoreType.JKS) .fromFile(trustStoreFile, "changeit".toCharArray()) .build(); diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java index be5ab9c1d77..fdab450b435 100644 --- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java +++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzPrincipalFilterTest.java @@ -10,9 +10,9 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzPrincipal; import com.yahoo.vespa.athenz.api.AthenzUser; import com.yahoo.vespa.athenz.api.NToken; -import com.yahoo.vespa.athenz.tls.KeyAlgorithm; -import com.yahoo.vespa.athenz.tls.KeyUtils; -import com.yahoo.vespa.athenz.tls.X509CertificateBuilder; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.X509CertificateBuilder; import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator; import org.junit.Before; import org.junit.Test; @@ -22,6 +22,7 @@ import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; import java.io.UncheckedIOException; +import java.math.BigInteger; import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Duration; @@ -30,7 +31,8 @@ import java.util.Objects; import java.util.Set; import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; import static java.util.Collections.emptyList; import static java.util.Collections.singleton; import static java.util.Collections.singletonList; @@ -189,11 +191,11 @@ public class AthenzPrincipalFilterTest { } private static X509Certificate createSelfSignedCertificate(AthenzIdentity identity) { - KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 512); + KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256); X500Principal x500Name = new X500Principal("CN="+ identity.getFullName()); Instant now = Instant.now(); return X509CertificateBuilder - .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, 1) + .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE) .build(); } diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java index 90c24f6bb23..0891279f30c 100644 --- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java +++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java @@ -6,8 +6,8 @@ import com.google.common.base.Suppliers; import com.yahoo.config.provision.ApplicationId; import com.yahoo.config.provision.Zone; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; -import com.yahoo.vespa.athenz.tls.SubjectAlternativeName; -import com.yahoo.vespa.athenz.tls.X509CertificateUtils; +import com.yahoo.security.SubjectAlternativeName; +import com.yahoo.security.X509CertificateUtils; import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepository; @@ -16,7 +16,7 @@ import java.util.List; import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME; /** * Resolve node from various types of x509 identity certificates. diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java index 6420a5237e8..caecce1634d 100644 --- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java +++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java @@ -5,9 +5,12 @@ import com.yahoo.application.container.handler.Request.Method; import com.yahoo.container.jdisc.RequestHandlerTestDriver; import com.yahoo.jdisc.http.filter.DiscFilterRequest; import com.yahoo.jdisc.http.filter.SecurityRequestFilter; -import com.yahoo.vespa.athenz.tls.X509CertificateBuilder; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.X509CertificateBuilder; import javax.security.auth.x500.X500Principal; +import java.math.BigInteger; import java.net.URI; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -20,7 +23,8 @@ import java.util.List; import java.util.Map; import java.util.Optional; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; @@ -65,7 +69,7 @@ public class FilterTester { when(r.getRemoteAddr()).thenReturn(request.remoteAddr()); when(r.getLocalAddr()).thenReturn(request.localAddr()); if (request.commonName().isPresent()) { - X509Certificate cert = certificateFor(request.commonName().get(), keyPair()); + X509Certificate cert = certificateFor(request.commonName().get(), KeyUtils.generateKeypair(KeyAlgorithm.EC)); List certs = Collections.singletonList(cert); when(r.getClientCertificateChain()).thenReturn(certs); when(r.getUserPrincipal()).thenReturn(NodePrincipal.withLegacyIdentity(request.commonName().get(), certs)); @@ -73,23 +77,13 @@ public class FilterTester { return r; } - /** Create a RSA public/private key pair */ - private static KeyPair keyPair() { - try { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(2048); - return keyGen.generateKeyPair(); - } catch (NoSuchAlgorithmException e) { - throw new RuntimeException(e); - } - } /** Create a self signed certificate for commonName using given public/private key pair */ private static X509Certificate certificateFor(String commonName, KeyPair keyPair) { Instant now = Instant.now(); X500Principal subject = new X500Principal("CN=" + commonName); return X509CertificateBuilder - .fromKeypair(keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli()) + .fromKeypair(keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.valueOf(now.toEpochMilli())) .setBasicConstraints(true, true) .build(); } diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java index d02a666eb69..f7d4a9603e7 100644 --- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java +++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java @@ -12,10 +12,10 @@ import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.Zone; import com.yahoo.config.provisioning.FlavorsConfig; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; -import com.yahoo.vespa.athenz.tls.KeyUtils; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder; -import com.yahoo.vespa.athenz.tls.X509CertificateBuilder; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.Pkcs10Csr; +import com.yahoo.security.Pkcs10CsrBuilder; +import com.yahoo.security.X509CertificateBuilder; import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepositoryTester; import com.yahoo.vespa.hosted.provision.node.Allocation; @@ -26,14 +26,17 @@ import org.junit.Test; import org.junit.rules.ExpectedException; import javax.security.auth.x500.X500Principal; +import java.math.BigInteger; import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Instant; import java.util.Optional; +import static com.yahoo.security.KeyAlgorithm.EC; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.*; -import static com.yahoo.vespa.athenz.tls.KeyAlgorithm.RSA; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.KeyAlgorithm.RSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.CONFIGSERVER_HOST_IDENTITY; import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.PROXY_HOST_IDENTITY; import static com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodeIdentifier.TENANT_DOCKER_CONTAINER_IDENTITY; @@ -64,7 +67,7 @@ public class NodeIdentifierTest { private static final String INSTANCE_ID = "default"; private static final Zone ZONE = new Zone(SystemName.main, Environment.prod, RegionName.defaultName()); - private static final KeyPair KEYPAIR = KeyUtils.generateKeypair(RSA); + private static final KeyPair KEYPAIR = KeyUtils.generateKeypair(EC); private static final X509Certificate ATHENZ_YAHOO_CA_CERT = createDummyCaCertificate("Yahoo Athenz CA"); private static final X509Certificate ATHENZ_AWS_CA_CERT = createDummyCaCertificate("Athenz AWS CA"); @@ -73,7 +76,7 @@ public class NodeIdentifierTest { NodeRepositoryTester nodeRepositoryDummy = new NodeRepositoryTester(); X509Certificate certificate = X509CertificateBuilder .fromKeypair( - KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1) + KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_ECDSA, BigInteger.ONE) .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); expectedException.expect(NodeIdentifier.NodeIdentifierException.class); @@ -87,10 +90,10 @@ public class NodeIdentifierTest { nodeRepositoryDummy.addNode(OPENSTACK_ID, HOSTNAME, INSTANCE_ID, NodeType.host); nodeRepositoryDummy.setNodeState(HOSTNAME, Node.State.active); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.provider-name.ostk.yahoo.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -106,10 +109,10 @@ public class NodeIdentifierTest { nodeRepositoryDummy.addNode(AWS_INSTANCE_ID, HOSTNAME, INSTANCE_ID, NodeType.host); nodeRepositoryDummy.setNodeState(HOSTNAME, Node.State.active); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(AWS_INSTANCE_ID + ".instanceid.athenz.aws.oath.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -125,10 +128,10 @@ public class NodeIdentifierTest { nodeRepositoryDummy.addNode(AWS_INSTANCE_ID, PROXY_HOSTNAME, INSTANCE_ID, NodeType.proxyhost); nodeRepositoryDummy.setNodeState(PROXY_HOSTNAME, Node.State.active); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + PROXY_HOST_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + PROXY_HOST_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(AWS_INSTANCE_ID + ".instanceid.athenz.aws.oath.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -142,10 +145,10 @@ public class NodeIdentifierTest { public void accepts_aws_configserver_host_certificate() { NodeRepositoryTester nodeRepositoryDummy = new NodeRepositoryTester(); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + CONFIGSERVER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + CONFIGSERVER_HOST_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_AWS_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(AWS_INSTANCE_ID + ".instanceid.athenz.aws.oath.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -156,7 +159,7 @@ public class NodeIdentifierTest { @Test public void accepts_zts_certificate() { X509Certificate certificate = X509CertificateBuilder - .fromKeypair(KEYPAIR, new X500Principal("CN=" + ZTS_AWS_IDENTITY), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1) + .fromKeypair(KEYPAIR, new X500Principal("CN=" + ZTS_AWS_IDENTITY), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_ECDSA, BigInteger.ONE) .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, new NodeRepositoryTester().nodeRepository()); NodePrincipal identity = identifier.resolveNode(singletonList(certificate)); @@ -176,11 +179,11 @@ public class NodeIdentifierTest { Node node = createNode(clusterId, clusterIndex, tenant, application); nodeRepositoryDummy.nodeRepository().addDockerNodes(singletonList(node)); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_CONTAINER_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_CONTAINER_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(clusterIndex, clusterId, INSTANCE_ID, application, tenant, region, environment, NODE); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.provider-name.vespa.yahoo.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -194,10 +197,10 @@ public class NodeIdentifierTest { public void accepts_controller_certificate() { NodeRepositoryTester nodeRepositoryDummy = new NodeRepositoryTester(); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + CONTROLLER_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + CONTROLLER_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); NodePrincipal identity = identifier.resolveNode(singletonList(certificate)); @@ -211,10 +214,10 @@ public class NodeIdentifierTest { nodeRepositoryDummy.addNode(OPENSTACK_ID, HOSTNAME, INSTANCE_ID, NodeType.tenant); nodeRepositoryDummy.setNodeState(HOSTNAME, Node.State.active); Pkcs10Csr csr = Pkcs10CsrBuilder - .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_CONTAINER_IDENTITY), KEYPAIR, SHA256_WITH_RSA) + .fromKeypair(new X500Principal("CN=" + TENANT_DOCKER_CONTAINER_IDENTITY), KEYPAIR, SHA256_WITH_ECDSA) .build(); X509Certificate certificate = X509CertificateBuilder - .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1) + .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_ECDSA, BigInteger.ONE) .addSubjectAlternativeName(OPENSTACK_ID + ".instanceid.athenz.ostk.yahoo.cloud") .build(); NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository()); @@ -251,10 +254,10 @@ public class NodeIdentifierTest { } private static X509Certificate createDummyCaCertificate(String caCommonName) { - KeyPair keyPair = KeyUtils.generateKeypair(RSA); + KeyPair keyPair = KeyUtils.generateKeypair(EC); return X509CertificateBuilder .fromKeypair( - keyPair, new X500Principal("CN=" + caCommonName), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1) + keyPair, new X500Principal("CN=" + caCommonName), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_ECDSA, BigInteger.ONE) .setBasicConstraints(true, true) .build(); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java index b06ae089b2a..d8fa910aa73 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java @@ -5,8 +5,8 @@ import com.google.inject.Inject; import com.yahoo.component.AbstractComponent; import com.yahoo.log.LogLevel; import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.tls.KeyStoreType; -import com.yahoo.vespa.athenz.tls.SslContextBuilder; +import com.yahoo.security.KeyStoreType; +import com.yahoo.security.SslContextBuilder; import com.yahoo.vespa.athenz.utils.SiaUtils; import javax.net.ssl.SSLContext; @@ -92,8 +92,8 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde private SSLContext createIdentitySslContext() { return new SslContextBuilder() - .withTrustStore(trustStoreFile, KeyStoreType.JKS) - .withKeyStore(privateKeyFile, certificateFile) + .withTrustStore(trustStoreFile.toPath(), KeyStoreType.JKS) + .withKeyStore(privateKeyFile.toPath(), certificateFile.toPath()) .build(); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java index 5567831d49d..4a189c872bc 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java @@ -11,10 +11,10 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper; import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient; import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier; -import com.yahoo.vespa.athenz.tls.KeyAlgorithm; -import com.yahoo.vespa.athenz.tls.KeyUtils; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.SslContextBuilder; import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.SslContextBuilder; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; @@ -31,7 +31,7 @@ import java.time.Clock; import java.time.Duration; import java.util.Optional; -import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS; +import static com.yahoo.security.KeyStoreType.JKS; import static java.util.Collections.singleton; /** @@ -153,7 +153,7 @@ class AthenzCredentialsService { private SSLContext createIdentitySslContext(PrivateKey privateKey, X509Certificate certificate) { return new SslContextBuilder() .withKeyStore(privateKey, certificate) - .withTrustStore(trustStoreJks, JKS) + .withTrustStore(trustStoreJks.toPath(), JKS) .build(); } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java index 266e2ebcefd..e318ebeb7fd 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java @@ -19,8 +19,8 @@ import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient; import com.yahoo.vespa.athenz.client.zts.ZtsClient; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; import com.yahoo.vespa.athenz.identity.SiaIdentityProvider; -import com.yahoo.vespa.athenz.tls.KeyStoreType; -import com.yahoo.vespa.athenz.tls.SslContextBuilder; +import com.yahoo.security.KeyStoreType; +import com.yahoo.security.SslContextBuilder; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; @@ -177,7 +177,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen X509Certificate roleCertificate = client.getRoleCertificate(role, credentials.getKeyPair(), dnsSuffix); return new SslContextBuilder() .withKeyStore(credentials.getKeyPair().getPrivate(), roleCertificate) - .withTrustStore(getDefaultTrustStoreLocation(), KeyStoreType.JKS) + .withTrustStore(getDefaultTrustStoreLocation().toPath(), KeyStoreType.JKS) .build(); } } diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java index 46aca707be1..33e5552eaf6 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java @@ -8,7 +8,7 @@ import com.yahoo.vespa.athenz.utils.AthenzIdentities; import java.security.cert.X509Certificate; import java.util.List; -import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME; +import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME; /** * Utility methods for Athenz issued x509 certificates @@ -23,26 +23,26 @@ public class AthenzX509CertificateUtils { public static boolean isAthenzRoleCertificate(X509Certificate certificate) { return isAthenzIssuedCertificate(certificate) && - X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER); + com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0).contains(COMMON_NAME_ROLE_DELIMITER); } public static boolean isAthenzIssuedCertificate(X509Certificate certificate) { - return X509CertificateUtils.getIssuerCommonNames(certificate).stream() + return com.yahoo.security.X509CertificateUtils.getIssuerCommonNames(certificate).stream() .anyMatch(cn -> cn.equalsIgnoreCase("Yahoo Athenz CA") || cn.equalsIgnoreCase("Athenz AWS CA")); } public static AthenzIdentity getIdentityFromRoleCertificate(X509Certificate certificate) { - List sans = X509CertificateUtils.getSubjectAlternativeNames(certificate); + List sans = com.yahoo.security.X509CertificateUtils.getSubjectAlternativeNames(certificate); return sans.stream() .filter(san -> san.getType() == RFC822_NAME) - .map(SubjectAlternativeName::getValue) + .map(com.yahoo.security.SubjectAlternativeName::getValue) .map(AthenzX509CertificateUtils::getIdentityFromSanEmail) .findFirst() .orElseThrow(() -> new IllegalArgumentException("Could not find identity in SAN: " + sans)); } public static AthenzRole getRolesFromRoleCertificate(X509Certificate certificate) { - String commonName = X509CertificateUtils.getSubjectCommonNames(certificate).get(0); + String commonName = com.yahoo.security.X509CertificateUtils.getSubjectCommonNames(certificate).get(0); int delimiterIndex = commonName.indexOf(COMMON_NAME_ROLE_DELIMITER); String domain = commonName.substring(0, delimiterIndex); String roleName = commonName.substring(delimiterIndex + COMMON_NAME_ROLE_DELIMITER.length()); diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java index 05459e5488b..98d9061be02 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java @@ -2,8 +2,8 @@ package com.yahoo.vespa.athenz.utils; import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.tls.KeyUtils; -import com.yahoo.vespa.athenz.tls.X509CertificateUtils; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.X509CertificateUtils; import java.io.IOException; import java.io.UncheckedIOException; diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java index 7b93ffb035d..6217d6fb2ee 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java @@ -1,15 +1,14 @@ package com.yahoo.vespa.athenz.identity; -import com.google.common.io.Files; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyStoreBuilder; +import com.yahoo.security.KeyStoreType; +import com.yahoo.security.KeyStoreUtils; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.SignatureAlgorithm; +import com.yahoo.security.X509CertificateBuilder; +import com.yahoo.security.X509CertificateUtils; import com.yahoo.vespa.athenz.api.AthenzService; -import com.yahoo.vespa.athenz.tls.KeyAlgorithm; -import com.yahoo.vespa.athenz.tls.KeyStoreBuilder; -import com.yahoo.vespa.athenz.tls.KeyStoreType; -import com.yahoo.vespa.athenz.tls.KeyStoreUtils; -import com.yahoo.vespa.athenz.tls.KeyUtils; -import com.yahoo.vespa.athenz.tls.SignatureAlgorithm; -import com.yahoo.vespa.athenz.tls.X509CertificateBuilder; -import com.yahoo.vespa.athenz.tls.X509CertificateUtils; import org.junit.Rule; import org.junit.Test; import org.junit.rules.TemporaryFolder; @@ -17,7 +16,8 @@ import org.junit.rules.TemporaryFolder; import javax.security.auth.x500.X500Principal; import java.io.File; import java.io.IOException; -import java.nio.charset.StandardCharsets; +import java.math.BigInteger; +import java.nio.file.Files; import java.security.KeyPair; import java.security.KeyStore; import java.security.cert.X509Certificate; @@ -62,12 +62,12 @@ public class SiaIdentityProviderTest { private void createPrivateKeyFile(File keyFile, KeyPair keypair) throws IOException { String privateKeyPem = KeyUtils.toPem(keypair.getPrivate()); - Files.write(privateKeyPem, keyFile, StandardCharsets.UTF_8); + Files.write(keyFile.toPath(), privateKeyPem.getBytes()); } private void createCertificateFile(X509Certificate certificate, File certificateFile) throws IOException { String certificatePem = X509CertificateUtils.toPem(certificate); - Files.write(certificatePem, certificateFile, StandardCharsets.UTF_8); + Files.write(certificateFile.toPath(), certificatePem.getBytes()); } private X509Certificate createCertificate(KeyPair keypair) { @@ -79,7 +79,7 @@ public class SiaIdentityProviderTest { now, now.plus(Duration.ofDays(1)), SignatureAlgorithm.SHA256_WITH_RSA, - 1) + BigInteger.ONE) .build(); } @@ -87,7 +87,7 @@ public class SiaIdentityProviderTest { KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.JKS) .withCertificateEntry("dummy-cert", certificate) .build(); - KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile); + KeyStoreUtils.writeKeyStoreToFile(keystore, trustStoreFile.toPath()); } } \ No newline at end of file diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java index 73382d267be..679476abe12 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/AthenzIdentityVerifierTest.java @@ -1,24 +1,25 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.athenz.utils; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; +import com.yahoo.security.X509CertificateBuilder; import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier; -import com.yahoo.vespa.athenz.tls.X509CertificateBuilder; import org.junit.Test; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; import javax.security.auth.x500.X500Principal; +import java.math.BigInteger; import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.time.Duration; import java.time.Instant; -import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static java.util.Collections.singleton; import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertTrue; @@ -34,23 +35,17 @@ public class AthenzIdentityVerifierTest { public void verifies_certificate_with_athenz_service_as_common_name() throws Exception { AthenzIdentity trustedIdentity = new AthenzService("mydomain", "alice"); AthenzIdentity unknownIdentity = new AthenzService("mydomain", "mallory"); - KeyPair keyPair = createKeyPair(); + KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC); AthenzIdentityVerifier verifier = new AthenzIdentityVerifier(singleton(trustedIdentity)); assertTrue(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, trustedIdentity)))); assertFalse(verifier.verify("hostname", createSslSessionMock(createSelfSignedCertificate(keyPair, unknownIdentity)))); } - private static KeyPair createKeyPair() throws NoSuchAlgorithmException { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(512); - return keyGen.generateKeyPair(); - } - private static X509Certificate createSelfSignedCertificate(KeyPair keyPair, AthenzIdentity identity) { X500Principal x500Name = new X500Principal("CN="+ identity.getFullName()); Instant now = Instant.now(); return X509CertificateBuilder - .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, 1) + .fromKeypair(keyPair, x500Name, now, now.plus(Duration.ofDays(30)), SHA256_WITH_ECDSA, BigInteger.ONE) .setBasicConstraints(true, true) .build(); } diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java index 22f97ca8b60..750968a437e 100644 --- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java +++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/utils/ntoken/NTokenValidatorTest.java @@ -6,8 +6,8 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity; import com.yahoo.vespa.athenz.api.AthenzPrincipal; import com.yahoo.vespa.athenz.api.AthenzUser; import com.yahoo.vespa.athenz.api.NToken; -import com.yahoo.vespa.athenz.tls.KeyAlgorithm; -import com.yahoo.vespa.athenz.tls.KeyUtils; +import com.yahoo.security.KeyAlgorithm; +import com.yahoo.security.KeyUtils; import com.yahoo.vespa.athenz.utils.ntoken.NTokenValidator.InvalidTokenException; import org.junit.Rule; import org.junit.Test; -- cgit v1.2.3 From c6820ac582e67a40f8411e26bc4c9c1c0b7e8099 Mon Sep 17 00:00:00 2001 From: Bjørn Christian Seime Date: Wed, 5 Sep 2018 12:52:27 +0200 Subject: Suppress deprecation warning in AthenzCredentialsMaintainer --- .../identity/AthenzCredentialsMaintainer.java | 25 +++++++++------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java index f82047d885c..ade46182efc 100644 --- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java +++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java @@ -13,12 +13,6 @@ import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.client.DefaultIdentityDocumentClient; import com.yahoo.vespa.athenz.identityprovider.client.InstanceCsrGenerator; import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier; -import com.yahoo.vespa.athenz.tls.KeyAlgorithm; -import com.yahoo.vespa.athenz.tls.KeyStoreType; -import com.yahoo.vespa.athenz.tls.KeyUtils; -import com.yahoo.vespa.athenz.tls.Pkcs10Csr; -import com.yahoo.vespa.athenz.tls.SslContextBuilder; -import com.yahoo.vespa.athenz.tls.X509CertificateUtils; import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.hosted.dockerapi.ContainerName; import com.yahoo.vespa.hosted.node.admin.component.Environment; @@ -46,6 +40,7 @@ import static java.util.Collections.singleton; * * @author bjorncs */ +@SuppressWarnings("deprecation") public class AthenzCredentialsMaintainer { private static final Duration EXPIRY_MARGIN = Duration.ofDays(1); @@ -162,7 +157,7 @@ public class AthenzCredentialsMaintainer { private X509Certificate readCertificateFromFile() throws IOException { String pemEncodedCertificate = new String(Files.readAllBytes(certificateFile)); - return X509CertificateUtils.fromPem(pemEncodedCertificate); + return com.yahoo.vespa.athenz.tls.X509CertificateUtils.fromPem(pemEncodedCertificate); } private boolean isCertificateExpired(Instant expiry, Instant now) { @@ -170,9 +165,9 @@ public class AthenzCredentialsMaintainer { } private void registerIdentity() { - KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); + KeyPair keyPair = com.yahoo.vespa.athenz.tls.KeyUtils.generateKeypair(com.yahoo.vespa.athenz.tls.KeyAlgorithm.RSA); SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(hostname); - Pkcs10Csr csr = csrGenerator.generateCsr( + com.yahoo.vespa.athenz.tls.Pkcs10Csr csr = csrGenerator.generateCsr( containerIdentity, signedIdentityDocument.providerUniqueId(), signedIdentityDocument.ipAddresses(), keyPair); try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider)) { InstanceIdentity instanceIdentity = @@ -193,12 +188,12 @@ public class AthenzCredentialsMaintainer { private void refreshIdentity() { SignedIdentityDocument identityDocument = EntityBindingsMapper.readSignedIdentityDocumentFromFile(identityDocumentFile); - KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA); - Pkcs10Csr csr = csrGenerator.generateCsr(containerIdentity, identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair); + KeyPair keyPair = com.yahoo.vespa.athenz.tls.KeyUtils.generateKeypair(com.yahoo.vespa.athenz.tls.KeyAlgorithm.RSA); + com.yahoo.vespa.athenz.tls.Pkcs10Csr csr = csrGenerator.generateCsr(containerIdentity, identityDocument.providerUniqueId(), identityDocument.ipAddresses(), keyPair); SSLContext containerIdentitySslContext = - new SslContextBuilder() + new com.yahoo.vespa.athenz.tls.SslContextBuilder() .withKeyStore(privateKeyFile.toFile(), certificateFile.toFile()) - .withTrustStore(trustStorePath.toFile(), KeyStoreType.JKS) + .withTrustStore(trustStorePath.toFile(), com.yahoo.vespa.athenz.tls.KeyStoreType.JKS) .build(); try { try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, containerIdentity, containerIdentitySslContext)) { @@ -226,9 +221,9 @@ public class AthenzCredentialsMaintainer { private void writePrivateKeyAndCertificate(PrivateKey privateKey, X509Certificate certificate) throws IOException { Path tempPrivateKeyFile = toTempPath(privateKeyFile); - Files.write(tempPrivateKeyFile, KeyUtils.toPem(privateKey).getBytes()); + Files.write(tempPrivateKeyFile, com.yahoo.vespa.athenz.tls.KeyUtils.toPem(privateKey).getBytes()); Path tempCertificateFile = toTempPath(certificateFile); - Files.write(tempCertificateFile, X509CertificateUtils.toPem(certificate).getBytes()); + Files.write(tempCertificateFile, com.yahoo.vespa.athenz.tls.X509CertificateUtils.toPem(certificate).getBytes()); Files.move(tempPrivateKeyFile, privateKeyFile, StandardCopyOption.ATOMIC_MOVE); Files.move(tempCertificateFile, certificateFile, StandardCopyOption.ATOMIC_MOVE); -- cgit v1.2.3