blob: 62c7038a265f667d2434158bcddc116937e90d7d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.zts.InstanceRefreshRequest;
import com.yahoo.athenz.zts.ZTSClient;
import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import javax.net.ssl.SSLContext;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
/**
* @author bjorncs
*/
public class AthenzCertificateClient {
private final AthenzProviderServiceConfig config;
private final AthenzProviderServiceConfig.Zones zoneConfig;
private final AthenzIdentityProvider bootstrapIdentity;
public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity,
AthenzProviderServiceConfig config,
AthenzProviderServiceConfig.Zones zoneConfig) {
this.bootstrapIdentity = bootstrapIdentity;
this.config = config;
this.zoneConfig = zoneConfig;
}
public X509Certificate updateCertificate(PrivateKey privateKey) {
SSLContext bootstrapSslContext = bootstrapIdentity.getIdentitySslContext();
ZTSClient ztsClient = new ZTSClient(config.ztsUrl(), bootstrapSslContext);
InstanceRefreshRequest req =
ZTSClient.generateInstanceRefreshRequest(
zoneConfig.domain(), zoneConfig.serviceName(), privateKey, zoneConfig.certDnsSuffix(), /*expiryTime*/0);
req.setKeyId(Integer.toString(zoneConfig.secretVersion()));
String pemEncoded = ztsClient.postInstanceRefreshRequest(zoneConfig.domain(), zoneConfig.serviceName(), req)
.getCertificate();
return Crypto.loadX509Certificate(pemEncoded);
}
}
|