1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identity;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.api.AthenzService;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import javax.security.auth.x500.X500Principal;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import static com.yahoo.yolean.Exceptions.uncheck;
import static org.junit.Assert.assertNotNull;
/**
* @author bjorncs
*/
public class SiaIdentityProviderTest {
@Rule
public TemporaryFolder tempDirectory = new TemporaryFolder();
@Test
public void constructs_ssl_context_from_file() throws IOException {
File keyFile = tempDirectory.newFile();
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
createPrivateKeyFile(keyFile, keypair);
X509Certificate certificate = createCertificate(keypair);
File certificateFile = tempDirectory.newFile();
createCertificateFile(certificate, certificateFile);
File trustStoreFile = tempDirectory.newFile();
createTrustStoreFile(certificate, trustStoreFile);
SiaIdentityProvider provider =
new SiaIdentityProvider(
new AthenzService("domain", "service-name"),
keyFile.toPath(),
certificateFile.toPath(),
trustStoreFile.toPath());
assertNotNull(provider.getIdentitySslContext());
}
@Test
public void constructs_ssl_context_with_pem_trust_store() throws IOException {
File keyFile = tempDirectory.newFile();
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
createPrivateKeyFile(keyFile, keypair);
X509Certificate certificate = createCertificate(keypair);
File certificateFile = tempDirectory.newFile();
createCertificateFile(certificate, certificateFile);
File trustStoreFile = tempDirectory.newFile();
createPemTrustStoreFile(certificate, trustStoreFile);
SiaIdentityProvider provider =
new SiaIdentityProvider(
new AthenzService("domain", "service-name"),
keyFile.toPath(),
certificateFile.toPath(),
trustStoreFile.toPath());
assertNotNull(provider.getIdentitySslContext());
}
private void createPrivateKeyFile(File keyFile, KeyPair keypair) throws IOException {
String privateKeyPem = KeyUtils.toPem(keypair.getPrivate());
Files.write(keyFile.toPath(), privateKeyPem.getBytes());
}
private void createCertificateFile(X509Certificate certificate, File certificateFile) throws IOException {
String certificatePem = X509CertificateUtils.toPem(certificate);
Files.write(certificateFile.toPath(), certificatePem.getBytes());
}
private X509Certificate createCertificate(KeyPair keypair) {
Instant now = Instant.now();
return X509CertificateBuilder
.fromKeypair(
keypair,
new X500Principal("CN=subject"),
now,
now.plus(Duration.ofDays(1)),
SignatureAlgorithm.SHA256_WITH_RSA,
BigInteger.ONE)
.build();
}
private void createPemTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
var pemEncoded = X509CertificateUtils.toPem(certificate);
uncheck(() -> Files.writeString(trustStoreFile.toPath(), pemEncoded));
}
private void createTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
uncheck(() -> Files.writeString(trustStoreFile.toPath(), X509CertificateUtils.toPem(certificate)));
}
}
|