Search in sources :

Example 81 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by AthenZ.

the class ZTSClient method getAWSLambdaServiceCertificate.

/**
 * For AWS Lambda functions generate a new private key, request a
 * x.509 certificate based on the requested CSR and return both to
 * the client in order to establish tls connections with other
 * Athenz enabled services.
 * @param domainName name of the domain
 * @param serviceName name of the service
 * @param account AWS account name that the function runs in
 * @param provider name of the provider service for AWS Lambda
 * @return AWSLambdaIdentity with private key and certificate
 */
public AWSLambdaIdentity getAWSLambdaServiceCertificate(String domainName, String serviceName, String account, String provider) {
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Domain and Service must be specified");
    }
    if (account == null || provider == null) {
        throw new IllegalArgumentException("AWS Account and Provider must be specified");
    }
    if (x509CsrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // first we're going to generate a private key for the request
    AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
    try {
        lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    // we need to generate an csr with an instance register object
    InstanceRegisterInformation info = new InstanceRegisterInformation();
    info.setDomain(domainName.toLowerCase());
    info.setService(serviceName.toLowerCase());
    info.setProvider(provider.toLowerCase());
    final String athenzService = info.getDomain() + "." + info.getService();
    // generate our dn which will be based on our service name
    StringBuilder dnBuilder = new StringBuilder(128);
    dnBuilder.append("cn=");
    dnBuilder.append(athenzService);
    if (x509CsrDn != null) {
        dnBuilder.append(',');
        dnBuilder.append(x509CsrDn);
    }
    // now let's generate our dsnName field based on our principal's details
    GeneralName[] sanArray = new GeneralName[3];
    final String hostBuilder = info.getService() + '.' + info.getDomain().replace('.', '-') + '.' + x509CsrDomain;
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostBuilder));
    final String instanceHostBuilder = "lambda-" + account + '-' + info.getService() + ".instanceid.athenz." + x509CsrDomain;
    sanArray[1] = new GeneralName(GeneralName.dNSName, new DERIA5String(instanceHostBuilder));
    final String spiffeUri = SPIFFE_URI + info.getDomain() + SPIFFE_COMP_SERVICE + info.getService();
    sanArray[2] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));
    try {
        info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), dnBuilder.toString(), sanArray));
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    // finally obtain attestation data for lambda
    info.setAttestationData(getAWSLambdaAttestationData(athenzService, account));
    // request the x.509 certificate from zts server
    Map<String, List<String>> responseHeaders = new HashMap<>();
    InstanceIdentity identity = postInstanceRegisterInformation(info, responseHeaders);
    try {
        lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(identity.getX509Certificate()));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    lambdaIdentity.setCaCertificates(identity.getX509CertificateSigner());
    return lambdaIdentity;
}
Also used : ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) DERIA5String(org.bouncycastle.asn1.DERIA5String) IOException(java.io.IOException) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) CryptoException(com.yahoo.athenz.auth.util.CryptoException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 82 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by AthenZ.

the class ZTSClient method generateRoleCertificateRequest.

/**
 * Generate a Role Certificate request that could be sent to ZTS
 * to obtain a X509 Certificate for the requested role.
 * @param principalDomain name of the principal's domain
 * @param principalService name of the principal's service
 * @param roleDomainName name of the domain where role is defined
 * @param roleName name of the role to get a certificate request for
 * @param privateKey private key for the service identity for the caller
 * @param csrDn string identifying the dn for the csr without the cn component
 * @param csrDomain string identifying the dns domain for generating SAN fields
 * @param expiryTime number of minutes to request certificate to be valid for
 * @return RoleCertificateRequest object
 */
public static RoleCertificateRequest generateRoleCertificateRequest(final String principalDomain, final String principalService, final String roleDomainName, final String roleName, PrivateKey privateKey, final String csrDn, final String csrDomain, int expiryTime) {
    if (principalDomain == null || principalService == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (roleDomainName == null || roleName == null) {
        throw new IllegalArgumentException("Role DomainName and Name must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // Athenz uses lower case for all elements, so let's
    // generate our dn which will be our role resource value
    final String domain = principalDomain.toLowerCase();
    final String service = principalService.toLowerCase();
    final String rnDomain = roleDomainName.toLowerCase();
    final String rnName = roleName.toLowerCase();
    String dn = "cn=" + rnDomain + AuthorityConsts.ROLE_SEP + rnName;
    if (csrDn != null) {
        dn = dn.concat(",").concat(csrDn);
    }
    // now let's generate our dsnName and email fields which will based on
    // our principal's details
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final String email = domain + "." + service + "@" + csrDomain;
    GeneralName[] sanArray = new GeneralName[4];
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostName));
    sanArray[1] = new GeneralName(GeneralName.rfc822Name, new DERIA5String(email));
    final String spiffeUri = SPIFFE_URI + rnDomain + SPIFFE_COMP_ROLE + rnName;
    sanArray[2] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));
    final String principalUri = AuthorityConsts.ZTS_CERT_PRINCIPAL_URI + domain + "." + service;
    sanArray[3] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(principalUri));
    String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    return new RoleCertificateRequest().setCsr(csr).setExpiryTime(expiryTime);
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 83 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project athenz by AthenZ.

the class ZTSInstanceRegister method generateInstanceRegisterInfo.

private static InstanceRegisterInformation generateInstanceRegisterInfo(final String domainName, final String serviceName, PrivateKey privateKey, final String serviceToken, final String csrDn, final String csrDomain) {
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Principal's Domain and Service must be specified");
    }
    if (csrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // Athenz uses lower case for all elements, so let's
    // generate our dn which will be based on our service name
    final String domain = domainName.toLowerCase();
    final String service = serviceName.toLowerCase();
    final String cn = domain + "." + service;
    String dn = "cn=" + cn;
    if (csrDn != null) {
        dn = dn.concat(",").concat(csrDn);
    }
    // now let's generate our dsnName field based on our principal's details
    final String hostName = service + '.' + domain.replace('.', '-') + '.' + csrDomain;
    final String instanceUri = "athenz://instanceid/" + domain + "/" + service;
    GeneralName[] sanArray = new GeneralName[2];
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostName));
    sanArray[1] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(instanceUri));
    String csr;
    try {
        csr = Crypto.generateX509CSR(privateKey, dn, sanArray);
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
    }
    return new InstanceRegisterInformation().setCsr(csr).setProvider("sys.auth.zts").setDomain(domain).setService(service).setAttestationData(serviceToken);
}
Also used : DERIA5String(org.bouncycastle.asn1.DERIA5String) DERIA5String(org.bouncycastle.asn1.DERIA5String) GeneralName(org.bouncycastle.asn1.x509.GeneralName) IOException(java.io.IOException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 84 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project LinLong-Java by zhenwei1108.

the class CMSTimeStampedGenerator method setMetaData.

/**
 * Set the MetaData for the generated message.
 *
 * @param hashProtected true if the MetaData should be included in first imprint calculation,
 *                      false otherwise.
 * @param fileName      optional file name, may be null.
 * @param mediaType     optional media type, may be null.
 * @param attributes    optional attributes, may be null.
 */
public void setMetaData(boolean hashProtected, String fileName, String mediaType, Attributes attributes) {
    ASN1UTF8String asn1FileName = null;
    if (fileName != null) {
        asn1FileName = new DERUTF8String(fileName);
    }
    ASN1IA5String asn1MediaType = null;
    if (mediaType != null) {
        asn1MediaType = new DERIA5String(mediaType);
    }
    setMetaData(hashProtected, asn1FileName, asn1MediaType, attributes);
}
Also used : DERUTF8String(com.github.zhenwei.core.asn1.DERUTF8String) DERIA5String(com.github.zhenwei.core.asn1.DERIA5String) ASN1UTF8String(com.github.zhenwei.core.asn1.ASN1UTF8String) ASN1IA5String(com.github.zhenwei.core.asn1.ASN1IA5String)

Example 85 with DERIA5String

use of com.github.zhenwei.core.asn1.DERIA5String in project jans by JanssenProject.

the class OCSPCertificateVerifier method getOCSPUrl.

@SuppressWarnings({ "deprecation", "resource" })
private String getOCSPUrl(X509Certificate certificate) throws IOException {
    ASN1Primitive obj;
    try {
        obj = getExtensionValue(certificate, Extension.authorityInfoAccess.getId());
    } catch (IOException ex) {
        log.error("Failed to get OCSP URL", ex);
        return null;
    }
    if (obj == null) {
        return null;
    }
    AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess.getInstance(obj);
    AccessDescription[] accessDescriptions = authorityInformationAccess.getAccessDescriptions();
    for (AccessDescription accessDescription : accessDescriptions) {
        boolean correctAccessMethod = accessDescription.getAccessMethod().equals(X509ObjectIdentifiers.ocspAccessMethod);
        if (!correctAccessMethod) {
            continue;
        }
        GeneralName name = accessDescription.getAccessLocation();
        if (name.getTagNo() != GeneralName.uniformResourceIdentifier) {
            continue;
        }
        DERIA5String derStr = DERIA5String.getInstance((ASN1TaggedObject) name.toASN1Primitive(), false);
        return derStr.getString();
    }
    return null;
}
Also used : AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess) DERIA5String(org.bouncycastle.asn1.DERIA5String) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) IOException(java.io.IOException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)

Aggregations

DERIA5String (org.bouncycastle.asn1.DERIA5String)80 IOException (java.io.IOException)55 GeneralName (org.bouncycastle.asn1.x509.GeneralName)29 DEROctetString (org.bouncycastle.asn1.DEROctetString)22 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)21 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)15 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)14 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)14 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)12 DERBitString (org.bouncycastle.asn1.DERBitString)12 SignatureException (java.security.SignatureException)10 ArrayList (java.util.ArrayList)10 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)10 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)10 HashSet (java.util.HashSet)9 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)9 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)9 ASN1InputStream (org.bouncycastle.asn1.ASN1InputStream)8