Example 66 with GeneralName

Use of com.github.zhenwei.core.asn1.x509.GeneralName in project athenz by yahoo.

Class ZTSClient, method getAWSLambdaServiceCertificate.

import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.operator.OperatorCreationException;

import com.yahoo.athenz.auth.util.CryptoException;

// AWSLambdaIdentity, InstanceRegisterInformation, InstanceIdentity, Crypto,
// ZTSClientException and ResourceException are Athenz classes from the same
// project; x509CsrDomain, x509CsrDn, SPIFFE_URI and SPIFFE_COMP_SERVICE are
// fields of ZTSClient.

/**
 * For AWS Lambda functions generate a new private key, request an
 * X.509 certificate based on the generated CSR and return both to
 * the client in order to establish TLS connections with other
 * Athenz enabled services.
 * @param domainName name of the domain
 * @param serviceName name of the service
 * @param account AWS account name that the function runs in
 * @param provider name of the provider service for AWS Lambda
 * @return AWSLambdaIdentity with private key and certificate
 */
public AWSLambdaIdentity getAWSLambdaServiceCertificate(String domainName, String serviceName,
        String account, String provider) {
    if (domainName == null || serviceName == null) {
        throw new IllegalArgumentException("Domain and Service must be specified");
    }
    if (account == null || provider == null) {
        throw new IllegalArgumentException("AWS Account and Provider must be specified");
    }
    if (x509CsrDomain == null) {
        throw new IllegalArgumentException("X509 CSR Domain must be specified");
    }
    // first we generate a fresh 2048-bit RSA private key for the request;
    // the key stays in this client, only the CSR is sent to ZTS
    AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
    try {
        lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    // we need to generate a CSR with an instance register object
    InstanceRegisterInformation info = new InstanceRegisterInformation();
    info.setDomain(domainName.toLowerCase());
    info.setService(serviceName.toLowerCase());
    info.setProvider(provider.toLowerCase());
    final String athenzService = info.getDomain() + "." + info.getService();
    // generate our DN, which is based on our service name
    StringBuilder dnBuilder = new StringBuilder(128);
    dnBuilder.append("cn=");
    dnBuilder.append(athenzService);
    if (x509CsrDn != null) {
        dnBuilder.append(',');
        dnBuilder.append(x509CsrDn);
    }
    // now build the SAN entries from the principal's details: the service
    // hostname, an instance-id hostname tied to the AWS account, and the
    // SPIFFE URI that identifies the service
    GeneralName[] sanArray = new GeneralName[3];
    final String hostBuilder = info.getService() + '.' + info.getDomain().replace('.', '-') + '.' + x509CsrDomain;
    sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostBuilder));
    final String instanceHostBuilder = "lambda-" + account + '-' + info.getService() + ".instanceid.athenz." + x509CsrDomain;
    sanArray[1] = new GeneralName(GeneralName.dNSName, new DERIA5String(instanceHostBuilder));
    final String spiffeUri = SPIFFE_URI + info.getDomain() + SPIFFE_COMP_SERVICE + info.getService();
    sanArray[2] = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(spiffeUri));
    try {
        info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), dnBuilder.toString(), sanArray));
    } catch (OperatorCreationException | IOException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    // finally obtain the attestation data for the lambda; the provider
    // service verifies it before ZTS issues the certificate
    info.setAttestationData(getAWSLambdaAttestationData(athenzService, account));
    // request the X.509 certificate from the ZTS server
    Map<String, List<String>> responseHeaders = new HashMap<>();
    InstanceIdentity identity = postInstanceRegisterInformation(info, responseHeaders);
    try {
        lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(identity.getX509Certificate()));
    } catch (CryptoException ex) {
        throw new ZTSClientException(ResourceException.BAD_REQUEST, ex.getMessage());
    }
    lambdaIdentity.setCaCertificates(identity.getX509CertificateSigner());
    return lambdaIdentity;
}

Example 67 with GeneralName

Use of com.github.zhenwei.core.asn1.x509.GeneralName in project qpid-broker-j by apache.

Class TlsResourceBuilder, method createDistributionPointExtension.

import java.io.IOException;
import java.security.cert.CertificateException;

import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

// Builds a CRL Distribution Points extension pointing at a single CRL URI
private static Extension createDistributionPointExtension(final String crlUri) throws CertificateException {
    try {
        // the CRL location is carried as a uniformResourceIdentifier GeneralName
        final GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, crlUri);
        final DistributionPointName pointName = new DistributionPointName(new GeneralNames(generalName));
        // no reason flags and no cRLIssuer: the certificate issuer also issues the CRL
        final DistributionPoint[] points = new DistributionPoint[] { new DistributionPoint(pointName, null, null) };
        // the extension is marked non-critical (second argument false), as RFC 5280 recommends
        return new Extension(Extension.cRLDistributionPoints, false, new CRLDistPoint(points).getEncoded());
    } catch (IOException e) {
        throw new CertificateException(e);
    }
}

Example 68 with GeneralName

Use of com.github.zhenwei.core.asn1.x509.GeneralName in project dcos-commons by mesosphere.

Class CertificateNamesGenerator, method getSANs.

import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;

import com.mesosphere.sdk.http.EndpointUtils;

// autoIpHostname, vipSpecs, serviceName and schedulerConfig are fields of
// CertificateNamesGenerator.

/**
 * Returns additional Subject Alternative Names for service certificates.
 */
public GeneralNames getSANs() {
    List<GeneralName> generalNames = new ArrayList<>();
    // the task's auto-IP hostname is always present as a dNSName SAN
    generalNames.add(new GeneralName(GeneralName.dNSName, autoIpHostname));
    // Process VIP names, if any: each named VIP gets its own dNSName SAN
    vipSpecs.stream()
            .map(vipSpec -> new GeneralName(
                    GeneralName.dNSName,
                    EndpointUtils.toVipHostname(
                            serviceName,
                            schedulerConfig,
                            new EndpointUtils.VipInfo(vipSpec.getVipName(), (int) vipSpec.getPort()))))
            .forEach(generalNames::add);
    return new GeneralNames(generalNames.toArray(new GeneralName[0]));
}

Example 69 with GeneralName

Use of com.github.zhenwei.core.asn1.x509.GeneralName in project xipki by xipki.

Class CmpCaClient, method transmit.

import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;

// send(), verifyProtection() and the requestorSubject field belong to CmpCaClient.

// Sends a protected CMP request and returns the response only after its header
// fields have been matched against the request and its protection verified.
private PKIMessage transmit(ProtectedPKIMessage request) throws Exception {
    byte[] encodedResponse = send(request.toASN1Structure().getEncoded());
    GeneralPKIMessage response = new GeneralPKIMessage(encodedResponse);
    PKIHeader reqHeader = request.getHeader();
    PKIHeader respHeader = response.getHeader();
    // the transaction ID must echo the one we sent
    ASN1OctetString tid = reqHeader.getTransactionID();
    if (!tid.equals(respHeader.getTransactionID())) {
        throw new Exception("response.transactionId != request.transactionId");
    }
    // our senderNonce must come back as the response's recipNonce, which ties
    // this response to this request and rejects replayed or unrelated messages
    ASN1OctetString senderNonce = reqHeader.getSenderNonce();
    if (!senderNonce.equals(respHeader.getRecipNonce())) {
        throw new Exception("response.recipientNonce != request.senderNonce");
    }
    // the response must be addressed to us (the GeneralName we sent as sender)
    GeneralName rec = respHeader.getRecipient();
    if (!requestorSubject.equals(rec)) {
        throw new Exception("unknown CMP requestor " + rec);
    }
    // only an error message may arrive without protection
    if (!response.hasProtection()) {
        PKIBody respBody = response.getBody();
        int bodyType = respBody.getType();
        if (bodyType != PKIBody.TYPE_ERROR) {
            throw new Exception("response is not signed");
        }
    }
    if (verifyProtection(response)) {
        return response.toASN1Structure();
    }
    throw new Exception("invalid signature in PKI protection");
}

Example 70 with GeneralName

Use of com.github.zhenwei.core.asn1.x509.GeneralName in project xipki by xipki.

Class CmpResponder, method buildErrorPkiMessage.

import java.util.Date;

import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.asn1.x509.GeneralName;

// getSender() and generateRejectionStatus() belong to CmpResponder.

// Builds an unsigned CMP error response whose header mirrors the request so
// the requestor can correlate it (the client-side checks live in transmit()).
protected PKIMessage buildErrorPkiMessage(ASN1OctetString tid, PKIHeader requestHeader, int failureCode, String statusText) {
    // the request's sender becomes the response's recipient
    GeneralName respRecipient = requestHeader.getSender();
    PKIHeaderBuilder respHeader = new PKIHeaderBuilder(requestHeader.getPvno().getValue().intValue(), getSender(), respRecipient);
    respHeader.setMessageTime(new ASN1GeneralizedTime(new Date()));
    if (tid != null) {
        respHeader.setTransactionID(tid);
    }
    // echo the request's senderNonce as our recipNonce
    ASN1OctetString senderNonce = requestHeader.getSenderNonce();
    if (senderNonce != null) {
        respHeader.setRecipNonce(senderNonce);
    }
    PKIStatusInfo status = generateRejectionStatus(failureCode, statusText);
    ErrorMsgContent error = new ErrorMsgContent(status);
    PKIBody body = new PKIBody(PKIBody.TYPE_ERROR, error);
    return new PKIMessage(respHeader.build(), body);
}
