From 513844e78fb39601f0783ec4286838bee3776b8d Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 22 Mar 2018 17:40:44 +0100
Subject: Use helpers in vespa-athenz instead of BouncyCastle

---
 node-repository/pom.xml | 10 ++---
 .../restapi/v2/filter/AuthorizationFilter.java | 15 +-------
 .../provision/restapi/v2/filter/FilterTester.java | 44 ++++++----------------
 3 files changed, 16 insertions(+), 53 deletions(-) (limited to 'node-repository')

diff --git a/node-repository/pom.xml b/node-repository/pom.xml
index 8efd4099773..6741163c19c 100644
--- a/node-repository/pom.xml
+++ b/node-repository/pom.xml
@@ -78,13 +78,9 @@
 provided
- org.bouncycastle
- bcpkix-jdk15on
- provided
-
-
- org.bouncycastle
- bcprov-jdk15on
+ com.yahoo.vespa
+ vespa-athenz
+ ${project.version}
 provided
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
index d4435e84de9..4daa9d417dd 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizationFilter.java
@@ -7,18 +7,13 @@ import com.yahoo.config.provision.Zone;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
+import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
 import com.yahoo.vespa.hosted.provision.restapi.v2.Authorizer;
 import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
-import org.bouncycastle.asn1.x500.RDN;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.bouncycastle.asn1.x500.style.IETFUtils;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
 import java.net.URI;
 import java.security.Principal;
-import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Optional;
 import java.util.function.BiConsumer;
@@ -84,13 +79,7 @@ public class AuthorizationFilter implements SecurityRequestFilter {
 /** Read common name (CN) from certificate */
 private static String commonName(X509Certificate certificate) {
- try {
- X500Name subject = new JcaX509CertificateHolder(certificate).getSubject();
- RDN cn = subject.getRDNs(BCStyle.CN)[0];
- return IETFUtils.valueToString(cn.getFirst().getValue());
- } catch (CertificateEncodingException e) {
- throw new RuntimeException(e);
- }
+ return X509CertificateUtils.getCommonNames(certificate).get(0);
 }
 }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
index cb3810eeef0..5cd01755c26 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/FilterTester.java
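Review bot: `X509CertificateUtils.getCommonNames(certificate).get(0)` in commonName throws an unchecked IndexOutOfBoundsException when the client certificate carries no CN, and silently picks the first one when it carries several, so a malformed or ambiguous subject surfaces as an unhandled exception inside the security filter instead of a deliberate rejection. The removed `getRDNs(BCStyle.CN)[0]` had the same weakness, so this is not a regression, but the helper now appears to return a list and the check is cheap: `List<String> commonNames = X509CertificateUtils.getCommonNames(certificate);` / `if (commonNames.size() != 1) throw new IllegalArgumentException("Expected exactly one CN in " + certificate.getSubjectX500Principal());` / `return commonNames.get(0);` (this needs `java.util.List`, which the import hunk above does not add). How the caller of commonName maps that exception to a response is outside this hunk, so whether an Optional return with the caller emitting a 403 would fit better I cannot confirm from here.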
@@ -5,33 +5,22 @@ import com.yahoo.application.container.handler.Request.Method;
 import com.yahoo.container.jdisc.RequestHandlerTestDriver;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.cert.X509v3CertificateBuilder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-
-import java.io.IOException;
-import java.math.BigInteger;
+import com.yahoo.vespa.athenz.tls.X509CertificateBuilder;
+
+import javax.security.auth.x500.X500Principal;
 import java.net.URI;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Collections;
-import java.util.Date;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -95,24 +84,13 @@ public class FilterTester {
 /** Create a self signed certificate for commonName using given public/private key pair */
 private static X509Certificate certificateFor(String commonName, KeyPair keyPair) {
- try {
- ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA")
- .build(keyPair.getPrivate());
- X500Name x500Name = new X500Name("CN=" + commonName);
- Instant now = Instant.now();
- Date notBefore = Date.from(now);
- Date notAfter = Date.from(now.plus(Duration.ofDays(30)));
- X509v3CertificateBuilder certificateBuilder =
- new JcaX509v3CertificateBuilder(
- x500Name,
- BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic()
- ).addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
- return new JcaX509CertificateConverter()
- .setProvider(new BouncyCastleProvider())
- .getCertificate(certificateBuilder.build(contentSigner));
- } catch (OperatorCreationException |IOException |CertificateException e) {
- throw new RuntimeException(e);
- }
+ Instant now = Instant.now();
+ X500Principal subject = new X500Principal("CN=" + commonName);
+ return X509CertificateBuilder
+ .fromKeypair(
+ keyPair, subject, now, now.plus(Duration.ofDays(30)), SHA256_WITH_RSA, now.toEpochMilli())
+ .setBasicConstraints(true, true)
+ .build();
 }
 private static class Response {
-- 
cgit v1.2.3
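Review bot: The six positional arguments to `fromKeypair(...)` on the new side of certificateFor hide which values are the validity bounds and which is the serial number — the removed BouncyCastle version at least named `notBefore`/`notAfter` — so a reader must know the helper's parameter order to see that `now.toEpochMilli()` is the serial. Naming the locals, e.g. `Instant notAfter = now.plus(Duration.ofDays(30));` and `long serialNumber = now.toEpochMilli();` followed by `keyPair, subject, now, notAfter, SHA256_WITH_RSA, serialNumber)`, keeps the call self-explanatory. `setBasicConstraints(true, true)` likewise deserves a short comment saying which flag marks the extension critical and which marks the certificate as a CA, as the old `addExtension(Extension.basicConstraints, true, new BasicConstraints(true))` spelled out; I am inferring the argument order from the removed code, so confirm it against the builder. The method is complete within the hunk.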