From ab53bb75dc2d56f75ba10a6a1dc127b7d0fa0ba6 Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Thu, 4 Oct 2018 14:32:09 +0200
Subject: Add OU field to csr
---
 .../client/AthenzCredentialsService.java | 8 ++---
 .../client/InstanceCsrGenerator.java | 6 ++--
 .../yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java | 3 +-
 .../client/InstanceCsrGeneratorTest.java | 37 ++++++++++++++++++++++
 4 files changed, 47 insertions(+), 7 deletions(-)
 create mode 100644 vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
(limited to 'vespa-athenz')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 4a189c872bc..afbdb7fed6c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -2,6 +2,9 @@ package com.yahoo.vespa.athenz.identityprovider.client;
 import com.yahoo.container.core.identity.IdentityConfig;
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
 import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
@@ -11,9 +14,6 @@ import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
-import com.yahoo.security.KeyAlgorithm;
-import com.yahoo.security.KeyUtils;
-import com.yahoo.security.SslContextBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
@@ -66,7 +66,7 @@ class AthenzCredentialsService {
 this.nodeIdentityProvider = nodeIdentityProvider;
 this.trustStoreJks = trustStoreJks;
 this.hostname = hostname;
- this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix());
+ this.instanceCsrGenerator = new InstanceCsrGenerator(identityConfig.athenzDnsSuffix(), identityConfig.configserverIdentityName());
 this.clock = clock;
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
index 70227eae91c..cb97c4fb99c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
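Review bot: The new second argument `identityConfig.configserverIdentityName()` fills a constructor parameter that InstanceCsrGenerator calls `providerService`, and nothing on this line tells a reader that the config server identity is meant to be the Athenz provider service whose name ends up in the certificate's OU. A short comment would make the mapping explicit, e.g. `// The config server acts as the Athenz provider for this node; its identity is written to the CSR's OU` (assuming that is the intent). The value also reaches the subject string unchecked, so if this config field can be empty or absent it is better to fail here than to issue a CSR with a meaningless OU. The constructor starts outside the hunk.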
@@ -23,16 +23,18 @@ import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
 public class InstanceCsrGenerator {
 private final String dnsSuffix;
+ private final String providerService;
- public InstanceCsrGenerator(String dnsSuffix) {
+ public InstanceCsrGenerator(String dnsSuffix, String providerService) {
 this.dnsSuffix = dnsSuffix;
+ this.providerService = providerService;
 }
 public Pkcs10Csr generateCsr(AthenzIdentity instanceIdentity, VespaUniqueInstanceId instanceId, Set ipAddresses, KeyPair keyPair) {
- X500Principal subject = new X500Principal("CN=" + instanceIdentity.getFullName());
+ X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
 // Add SAN dnsname ..
 // and SAN dnsname .instanceid.athenz.
 Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
index 702b2f6cd4b..607bec90dee 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrBuilder.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.tls;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
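Review bot: `providerService` is interpolated unescaped into the RFC 2253 string handed to `X500Principal` in `generateCsr`, so a value containing a DN separator or quoting character (`,`, `+`, `=`, `"`, `\`) would either make the constructor throw IllegalArgumentException or be parsed as additional RDNs instead of as the OU value (the existing CN interpolation has the same property). The name comes from configuration and nothing here constrains it; the JDK's `javax.naming.ldap.Rdn.escapeValue` produces the correct quoting: `new X500Principal(String.format("OU=%s, CN=%s", Rdn.escapeValue(providerService), Rdn.escapeValue(instanceIdentity.getFullName())))`. The constructor should also reject a null `providerService` up front, `this.providerService = Objects.requireNonNull(providerService, "providerService");`, because `String.format` would otherwise silently emit `OU=null`. The new field and parameter carry no documentation; a Javadoc `@param providerService` stating which identity is expected here (the caller passes the config server identity) would save the next reader a trip to the call site. `generateCsr` continues past the end of the hunk.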
@@ -72,7 +73,7 @@ public class Pkcs10CsrBuilder {
 public Pkcs10Csr build() {
 try {
 PKCS10CertificationRequestBuilder requestBuilder =
- new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+ new JcaPKCS10CertificationRequestBuilder(new X500Name(subject.getName()), keyPair.getPublic());
 ExtensionsGenerator extGen = new ExtensionsGenerator();
 if (basicConstraintsExtension != null) {
 extGen.addExtension(
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
new file mode 100644
index 00000000000..d401696015e
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGeneratorTest.java
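Review bot: `new X500Name(subject.getName())` rebuilds the subject by re-parsing its RFC 2253 string with BouncyCastle's default name style, which reads RDNs in the order written while the JDK emits RFC 2253 with the most specific RDN first, and the two also differ in escaping details, so the DER subject that ends up in the CSR may not match the encoding `subject` already holds. `X500Name.getInstance(subject.getEncoded())` converts without a string round trip: `new JcaPKCS10CertificationRequestBuilder(X500Name.getInstance(subject.getEncoded()), keyPair.getPublic());`. If the re-parse is deliberate — for instance to obtain a particular RDN order the issuer expects — a comment on this line should say so, since the previous overload that took the `X500Principal` directly was dropped without explanation. `build()` continues past the end of the hunk.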
@@ -0,0 +1,37 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.client;
+
+import com.yahoo.security.KeyAlgorithm;
+import com.yahoo.security.KeyUtils;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import org.junit.Test;
+
+import javax.security.auth.x500.X500Principal;
+import java.security.KeyPair;
+import java.util.Collections;
+
+import static org.junit.Assert.assertEquals;
+
+/**
+ * @author mortent
+ */
+public class InstanceCsrGeneratorTest {
+
+ private static final String DNS_SUFFIX = "prod-us-north-1.vespa.yahoo.cloud";
+ private static final String PROVIDER_SERVICE = "vespa.vespa.provider_prod_us-north-1";
+ private static final String ATHENZ_SERVICE = "foo.bar";
+
+ @Test
+ public void it_generates_csr_with_correct_subject() {
+ InstanceCsrGenerator instanceCsrGenerator = new InstanceCsrGenerator(DNS_SUFFIX, PROVIDER_SERVICE);
+
+ AthenzService service = new AthenzService(ATHENZ_SERVICE);
+ VespaUniqueInstanceId vespaUniqueInstanceId = VespaUniqueInstanceId.fromDottedString("0.default.default.foo-app.vespa.us-north-1.prod.node");
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+
+ Pkcs10Csr csr = instanceCsrGenerator.generateCsr(service, vespaUniqueInstanceId, Collections.emptySet(), keyPair);
+ assertEquals(new X500Principal(String.format("OU=%s, CN=%s", PROVIDER_SERVICE, ATHENZ_SERVICE)), csr.getSubject());
+ }
+}
-- 
cgit v1.2.3
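Review bot: The expected value in `it_generates_csr_with_correct_subject` is built with the same `String.format("OU=%s, CN=%s", ...)` the production code uses, so the assertion mirrors the implementation and would still pass if the two values were quoted incorrectly or contained DN separators. Asserting on the attribute values separately, or adding a case where `PROVIDER_SERVICE` contains a `,` and checking that the OU is still a single attribute (or that construction is rejected), would pin the intended behaviour rather than the current formula. The SANs that `generateCsr` adds are not exercised at all: `Collections.emptySet()` is passed for the IP addresses and nothing inspects the request's extensions, so a second assertion on the DNS SANs would be cheap. Generating an RSA key pair inside the test is its slowest step; a `static final KeyPair` shared by the class would do, since the key is never mutated.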