use of com.android.org.bouncycastle.asn1.DERIA5String in project athenz by yahoo.
Class InstanceClientRefresh, method generateCSR.
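/**
 * Builds an X.509 certificate signing request for a service instance.
 *
 * <p>The subject is {@code cn=<domainName>.<serviceName>,o=Athenz}. Two dNSName
 * SAN entries are attached: the service host name
 * {@code <serviceName>.<domainName with '.' replaced by '-'>.<dnsSuffix>} and the
 * instance entry {@code <instanceId>.instanceid.athenz.<dnsSuffix>}.
 *
 * <p>All arguments are interpolated verbatim into the DN and SAN strings. NOTE(review):
 * nothing here rejects DN metacharacters (',', '=', '+') or non-IA5 characters; the
 * caller is presumably expected to pass already-validated Athenz names — confirm.
 *
 * @param domainName  Athenz domain of the service
 * @param serviceName Athenz service name
 * @param instanceId  identifier of this instance
 * @param dnsSuffix   DNS suffix appended to both SAN host names
 * @param key         private key used to sign the request
 * @return the CSR produced by {@code Crypto.generateX509CSR}, or {@code null} when
 *         generation failed (the failure is reported on {@code System.err})
 * @throws IllegalArgumentException if any argument is {@code null}
 */
public static String generateCSR(String domainName, String serviceName, String instanceId, String dnsSuffix, PrivateKey key) {
    // Fail fast: a null here would otherwise be stringified as "null" inside the DN/SAN
    // and a syntactically valid but meaningless request would be produced.
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Domain and Service must be specified");
    }
    if (instanceId == null || dnsSuffix == null) {
        throw new IllegalArgumentException("Instance Id and DNS Suffix must be specified");
    }
    if (key == null) {
        throw new IllegalArgumentException("Private Key must be specified");
    }

    final String dn = "cn=" + domainName + "." + serviceName + ",o=Athenz";

    // dnsName SAN: '.' in the domain becomes '-' so the domain folds into one DNS label
    final String dnsName = serviceName + '.' + domainName.replace('.', '-') + '.' + dnsSuffix;
    // second SAN entry carries the instance id
    final String dnsInstance = instanceId + ".instanceid.athenz." + dnsSuffix;

    final GeneralName[] sanArray = {
        new GeneralName(GeneralName.dNSName, new DERIA5String(dnsName)),
        new GeneralName(GeneralName.dNSName, new DERIA5String(dnsInstance))
    };

    try {
        return Crypto.generateX509CSR(key, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        // best effort for this client: report the cause and let the caller see null
        System.err.println("Unable to generate CSR: " + ex.getMessage());
        return null;
    }
}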
use of com.android.org.bouncycastle.asn1.DERIA5String in project athenz by yahoo.
Class InstanceClientRegister, method generateCSR.
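/**
 * Builds an X.509 certificate signing request used to register a service instance.
 *
 * <p>The subject is {@code cn=<domainName>.<serviceName>,o=Athenz}. Two dNSName
 * SAN entries are attached: the service host name
 * {@code <serviceName>.<domainName with '.' replaced by '-'>.<dnsSuffix>} and the
 * instance entry {@code <instanceId>.instanceid.athenz.<dnsSuffix>}.
 *
 * <p>All arguments are interpolated verbatim into the DN and SAN strings. NOTE(review):
 * nothing here rejects DN metacharacters (',', '=', '+') or non-IA5 characters; the
 * caller is presumably expected to pass already-validated Athenz names — confirm.
 *
 * @param domainName  Athenz domain of the service
 * @param serviceName Athenz service name
 * @param instanceId  identifier of this instance
 * @param dnsSuffix   DNS suffix appended to both SAN host names
 * @param key         private key used to sign the request
 * @return the CSR produced by {@code Crypto.generateX509CSR}, or {@code null} when
 *         generation failed (the failure is reported on {@code System.err})
 * @throws IllegalArgumentException if any argument is {@code null}
 */
public static String generateCSR(String domainName, String serviceName, String instanceId, String dnsSuffix, PrivateKey key) {
    // Fail fast: a null here would otherwise be stringified as "null" inside the DN/SAN
    // and a syntactically valid but meaningless request would be produced.
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Domain and Service must be specified");
    }
    if (instanceId == null || dnsSuffix == null) {
        throw new IllegalArgumentException("Instance Id and DNS Suffix must be specified");
    }
    if (key == null) {
        throw new IllegalArgumentException("Private Key must be specified");
    }

    final String dn = "cn=" + domainName + "." + serviceName + ",o=Athenz";

    // dnsName SAN: '.' in the domain becomes '-' so the domain folds into one DNS label
    final String dnsName = serviceName + '.' + domainName.replace('.', '-') + '.' + dnsSuffix;
    // second SAN entry carries the instance id
    final String dnsInstance = instanceId + ".instanceid.athenz." + dnsSuffix;

    final GeneralName[] sanArray = {
        new GeneralName(GeneralName.dNSName, new DERIA5String(dnsName)),
        new GeneralName(GeneralName.dNSName, new DERIA5String(dnsInstance))
    };

    try {
        return Crypto.generateX509CSR(key, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        // best effort for this client: report the cause and let the caller see null
        System.err.println("Unable to generate CSR: " + ex.getMessage());
        return null;
    }
}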
use of com.android.org.bouncycastle.asn1.DERIA5String in project athenz by yahoo.
Class ZTSClient, method generateRoleCertificateRequest.
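/**
 * Generate a Role Certificate request that could be sent to ZTS
 * to obtain a X509 Certificate for the requested role.
 *
 * <p>The CSR subject is {@code cn=<roleDomainName>:role.<roleName>} (lower-cased),
 * optionally followed by {@code ,<csrDn>}. Two SAN entries identify the requesting
 * principal: a dNSName {@code <service>.<domain with '.' replaced by '-'>.<csrDomain>}
 * and an rfc822Name {@code <domain>.<service>@<csrDomain>}.
 *
 * <p>NOTE(review): {@code csrDn} is appended to the DN verbatim, so a value containing
 * DN metacharacters changes the subject structure; the caller is presumably trusted
 * to supply a well-formed DN suffix — confirm.
 *
 * @param principalDomain name of the principal's domain
 * @param principalService name of the principal's service
 * @param roleDomainName name of the domain where role is defined
 * @param roleName name of the role to get a certificate request for
 * @param privateKey private key for the service identity for the caller
 * @param csrDn string identifying the dn for the csr without the cn component
 * @param csrDomain string identifying the dns domain for generating SAN fields
 * @param expiryTime number of seconds to request certificate to be valid for
 * @return RoleCertificateRequest object
 * @throws IllegalArgumentException if a required argument is {@code null}
 * @throws ZTSClientException with {@code BAD_REQUEST} if the CSR cannot be generated
 */
public static RoleCertificateRequest generateRoleCertificateRequest(final String principalDomain, final String principalService, final String roleDomainName, final String roleName, PrivateKey privateKey, final String csrDn, final String csrDomain, int expiryTime) {
    if (principalDomain == null || principalService == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (roleDomainName == null || roleName == null) {
        throw new IllegalArgumentException("Role DomainName and Name must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }

    // Athenz uses lower case for all elements. Locale.ROOT makes the folding
    // locale-independent: under e.g. a Turkish default locale "I" would become a
    // dotless i and the DN/SAN values would no longer match the Athenz names.
    final String domain = principalDomain.toLowerCase(java.util.Locale.ROOT);
    final String service = principalService.toLowerCase(java.util.Locale.ROOT);

    // the dn is the role resource value
    String dn = "cn=" + roleDomainName.toLowerCase(java.util.Locale.ROOT)
            + ":role." + roleName.toLowerCase(java.util.Locale.ROOT);
    if (csrDn != null) {
        dn = dn + "," + csrDn;
    }

    // dnsName and email SAN fields are derived from the principal's details;
    // '.' in the domain becomes '-' so the domain folds into one DNS label
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final String email = domain + "." + service + "@" + csrDomain;

    final GeneralName[] sanArray = {
        new GeneralName(GeneralName.dNSName, new DERIA5String(hostName)),
        new GeneralName(GeneralName.rfc822Name, new DERIA5String(email))
    };

    final String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }

    return new RoleCertificateRequest().setCsr(csr).setExpiryTime(Long.valueOf(expiryTime));
}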
use of com.android.org.bouncycastle.asn1.DERIA5String in project athenz by yahoo.
Class ZTSClient, method generateInstanceRefreshRequest.
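/**
 * Generate a Instance Refresh request that could be sent to ZTS to
 * request a TLS certificate for a service.
 *
 * <p>The CSR subject is {@code cn=<domain>.<service>} (lower-cased), optionally
 * followed by {@code ,<csrDn>}. A single dNSName SAN entry
 * {@code <service>.<domain with '.' replaced by '-'>.<csrDomain>} is attached.
 *
 * <p>NOTE(review): {@code csrDn} is appended to the DN verbatim, so a value containing
 * DN metacharacters changes the subject structure; the caller is presumably trusted
 * to supply a well-formed DN suffix — confirm.
 *
 * @param principalDomain name of the principal's domain
 * @param principalService name of the principal's service
 * @param privateKey private key for the service identity for the caller
 * @param csrDn string identifying the dn for the csr without the cn component
 * @param csrDomain string identifying the dns domain for generating SAN fields
 * @param expiryTime number of seconds to request certificate to be valid for
 * @return InstanceRefreshRequest object
 * @throws IllegalArgumentException if a required argument is {@code null}
 * @throws ZTSClientException with {@code BAD_REQUEST} if the CSR cannot be generated
 */
public static InstanceRefreshRequest generateInstanceRefreshRequest(final String principalDomain, final String principalService, PrivateKey privateKey, final String csrDn, final String csrDomain, int expiryTime) {
    if (principalDomain == null || principalService == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }

    // Athenz uses lower case for all elements. Locale.ROOT makes the folding
    // locale-independent: under e.g. a Turkish default locale "I" would become a
    // dotless i and the DN/SAN values would no longer match the Athenz names.
    final String domain = principalDomain.toLowerCase(java.util.Locale.ROOT);
    final String service = principalService.toLowerCase(java.util.Locale.ROOT);

    // the dn is based on the service name
    String dn = "cn=" + domain + "." + service;
    if (csrDn != null) {
        dn = dn + "," + csrDn;
    }

    // dnsName SAN derived from the principal's details;
    // '.' in the domain becomes '-' so the domain folds into one DNS label
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final GeneralName[] sanArray = {
        new GeneralName(GeneralName.dNSName, new DERIA5String(hostName))
    };

    final String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }

    return new InstanceRefreshRequest().setCsr(csr).setExpiryTime(Integer.valueOf(expiryTime));
}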
use of com.android.org.bouncycastle.asn1.DERIA5String in project athenz by yahoo.
Class CryptoTest, method testX509CSRrequestWithPrivateKeyOnly.
/**
 * Generates a CSR for each x500Principal supplied by the data provider using only a
 * private key, and parses the result back when the principal is expected to be valid.
 * NOTE(review): when {@code badRequest} is true the test only tolerates an exception;
 * a bad principal that does not throw goes unnoticed — confirm that is intended.
 */
@Test(dataProvider = "x500Principal")
public void testX509CSRrequestWithPrivateKeyOnly(String x500Principal, boolean badRequest) throws Exception {
    final PrivateKey privateKey = Crypto.loadPrivateKey(rsaPrivateKey);
    // two otherName SAN entries, independent of the principal under test
    final GeneralName[] sanArray = {
        new GeneralName(GeneralName.otherName, new DERIA5String("role1")),
        new GeneralName(GeneralName.otherName, new DERIA5String("role2"))
    };

    String certRequest = null;
    try {
        certRequest = Crypto.generateX509CSR(privateKey, x500Principal, sanArray);
    } catch (Exception e) {
        if (badRequest) {
            return; // expected for an invalid principal
        }
        fail("Should not have failed to create csr");
    }
    if (badRequest) {
        return;
    }
    // valid principal: the CSR must parse back as a PKCS#10 request
    Crypto.getPKCS10CertRequest(certRequest);
}