From 93d94fff227927c306bd0432fca50be46addd945 Mon Sep 17 00:00:00 2001
From: Valerij Fredriksen
Date: Fri, 10 Nov 2017 13:32:46 +0100
Subject: Store provider and certificate converter as instance fields

---
 .../athenz/instanceproviderservice/ca/CertificateSigner.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'athenz-identity-provider-service/src')

diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
index 3cb530b9088..0806ac6225b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
@@ -24,6 +24,7 @@ import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
 
 import java.math.BigInteger;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.time.Clock;
@@ -54,6 +55,9 @@ public class CertificateSigner {
     private static final List ILLEGAL_EXTENSIONS = ImmutableList.of(
             Extension.basicConstraints, Extension.subjectAlternativeName);
 
+    private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
+    private final Provider provider = new BouncyCastleProvider();
+
     private final PrivateKey caPrivateKey;
     private final X500Name issuer;
     private final Clock clock;
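Review bot: The new `certificateConverter` field is still mutated on every signing call, because the hunk at @@ -90 keeps calling `.setProvider(provider)` on it; if one `CertificateSigner` instance serves concurrent requests that is an unsynchronized write to the shared converter's internal state, so the refactor buys little over the per-call allocation it replaces. Since `setProvider` returns the converter, configure it once here and make the field a read-only value: `private final Provider provider = new BouncyCastleProvider();` first, then `private final JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter().setProvider(provider);`, and drop the `.setProvider(provider)` step from the return chain in the later hunk. The order matters because field initializers run top to bottom and a forward reference to `provider` would not compile. The class body continues outside this hunk.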
@@ -90,12 +94,12 @@ public class CertificateSigner {
                         issuer, BigInteger.valueOf(clock.millis()), notBefore, notAfter, certReq.getSubject(), publicKey)
                 // Set Basic Constraints to false
-                .addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
+                .addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
         ContentSigner caSigner = new JcaContentSignerBuilder(SIGNER_ALGORITHM).build(caPrivateKey);
-        return new JcaX509CertificateConverter()
-                .setProvider(new BouncyCastleProvider())
+        return certificateConverter
+                .setProvider(provider)
                 .getCertificate(caBuilder.build(caSigner));
         } catch (Exception ex) {
             log.log(LogLevel.ERROR, "Failed to generate X509 Certificate", ex);
-- 
cgit v1.2.3
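Review bot: The `false` → `true` flip in `.addExtension(Extension.basicConstraints, true, new BasicConstraints(false))` marks the Basic Constraints extension as critical, which changes the encoding of every certificate this signer issues, yet neither the commit title nor the description mentions it; it deserves its own sentence in the message or its own commit so the behavioural change is not hidden under a field refactor. RFC 5280 allows Basic Constraints to be critical or non-critical in an end-entity certificate, but a consumer that does not understand a critical extension must reject the certificate instead of ignoring it, so this is worth a note on which clients were checked. The comment `// Set Basic Constraints to false` now sits next to a literal `true` and is easy to misread; suggest `// cA=false (end-entity certificate); extension marked critical`. The enclosing method starts before this hunk and its tail is cut off after the `log.log` line.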