Use of com.venafi.vcert.sdk.certificate.KeyType in project vcert-java by Venafi: the class ServerPolicy, method toPolicy.
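/**
 * Converts this server-side policy (as returned by the Venafi platform) into the
 * SDK's client-side {@link Policy} of anchored regular expressions.
 *
 * <p>Translation rules, as implemented below:
 * <ul>
 *   <li>Every server-supplied literal goes through {@link Pattern#quote} and then
 *       {@code addStartEnd}, so policy values are matched verbatim and whole;
 *       regex metacharacters inside a value cannot widen the resulting pattern.</li>
 *   <li>A locked value constrains its field to that value; an unlocked or absent
 *       ({@code null}) value maps to {@code allAllowedRegex}, i.e. no constraint.</li>
 *   <li>CN and DNS SAN share the whitelisted-domain rules; IP/email/URI/UPN SANs
 *       are all-or-nothing switches.</li>
 *   <li>A locked RSA key size is treated as a floor: every supported size that is
 *       at least the locked value is allowed. A locked size with no value imposes
 *       no lower bound (previously this case threw {@code NullPointerException},
 *       because the comparison unboxed the value before the null test ran).</li>
 * </ul>
 *
 * @return the equivalent client-side policy; never {@code null}
 */
public Policy toPolicy() {
  // Quote first, then anchor: the literal is matched exactly and as the whole field.
  Function<String, String> escapeOne = s -> addStartEnd.apply(Pattern.quote(s));
  Function<Collection<String>, Collection<String>> escapeCollection =
      in -> in.stream().map(escapeOne).collect(Collectors.toList());
  // Go would hand us zero-valued structs here; in Java an absent value is null.
  // Either an absent or an unlocked value leaves the field unconstrained.
  Function<LockableValue<String>, Collection<String>> selectValue = in -> {
    if (in == null || !in.locked()) {
      return Collections.singleton(allAllowedRegex);
    }
    return Collections.singleton(escapeOne.apply(in.value()));
  };
  Function<Boolean, Collection<String>> allOrNothing =
      allowed -> allowed ? Collections.singleton(allAllowedRegex) : Collections.emptyList();

  Policy policy = new Policy().allowedKeyConfigurations(new ArrayList<>());

  // Subject: CN follows the domain whitelist, OU is a lockable collection, the
  // remaining fields are lockable scalars.
  policy.subjectCNRegexes(whitelistedDomainRegexes());
  if (this.subject.organizationalUnit().locked()) {
    policy.subjectOURegexes(escapeCollection.apply(this.subject.organizationalUnit().values()));
  } else {
    policy.subjectOURegexes(Collections.singleton(allAllowedRegex));
  }
  policy.subjectORegexes(selectValue.apply(subject.organization()));
  policy.subjectLRegexes(selectValue.apply(subject.city()));
  policy.subjectSTRegexes(selectValue.apply(subject.state()));
  policy.subjectCRegexes(selectValue.apply(subject.country()));

  // SANs: DNS reuses the CN whitelist when permitted, otherwise no DNS SAN is
  // accepted; the other SAN types are simple on/off switches.
  if (subjAltNameDnsAllowed) {
    policy.dnsSanRegExs(whitelistedDomainRegexes());
  } else {
    policy.dnsSanRegExs(Collections.emptyList());
  }
  policy.ipSanRegExs(allOrNothing.apply(subjAltNameIpAllowed));
  policy.emailSanRegExs(allOrNothing.apply(subjAltNameEmailAllowed));
  policy.uriSanRegExs(allOrNothing.apply(subjAltNameUriAllowed));
  policy.upnSanRegExs(allOrNothing.apply(subjAltNameUpnAllowed));

  // Key material: a locked algorithm yields exactly one configuration; otherwise
  // both RSA (all supported sizes) and ECDSA (all supported curves) are permitted.
  if (keyPair.keyAlgorithm().locked()) {
    KeyType keyType = KeyType.from(keyPair.keyAlgorithm().value());
    AllowedKeyConfiguration key = new AllowedKeyConfiguration()
        .keyType(keyType)
        .keySizes(new ArrayList<Integer>())
        .keyCurves(new ArrayList<EllipticCurve>());
    if (KeyType.RSA.equals(keyType)) {
      if (keyPair.keySize().locked()) {
        Integer minimumSize = keyPair.keySize().value();
        for (Integer keySize : KeyType.allSupportedKeySizes()) {
          // Test for null BEFORE comparing: the comparison unboxes minimumSize
          // and would throw NullPointerException on a locked-but-empty size.
          if (minimumSize == null || keySize >= minimumSize) {
            key.keySizes().add(keySize);
          }
        }
      } else {
        key.keySizes(KeyType.allSupportedKeySizes());
      }
    } else {
      // Any non-RSA algorithm is handled as an elliptic-curve key type.
      if (keyPair.ellipticCurve().locked()) {
        key.keyCurves().add(EllipticCurve.from(keyPair.ellipticCurve().value()));
      } else {
        key.keyCurves(EllipticCurve.allSupportedCures());
      }
    }
    policy.allowedKeyConfigurations().add(key);
  } else {
    policy.allowedKeyConfigurations().add(
        new AllowedKeyConfiguration().keyType(KeyType.RSA).keySizes(KeyType.allSupportedKeySizes()));
    policy.allowedKeyConfigurations().add(
        new AllowedKeyConfiguration().keyType(KeyType.ECDSA).keyCurves(EllipticCurve.allSupportedCures()));
  }

  policy.allowWildcards(wildcardsAllowed);
  policy.allowKeyReuse(privateKeyReuseAllowed);
  return policy;
}

/**
 * Builds the anchored regexes a CN or DNS SAN must match under the domain
 * whitelist: unconstrained when no whitelist is configured, otherwise one
 * pattern per whitelisted domain (shared by the CN and DNS SAN rules so the two
 * cannot drift apart).
 *
 * @return the regexes to install on the policy; never {@code null}
 */
private Collection<String> whitelistedDomainRegexes() {
  if (Is.blank(whitelistedDomains)) {
    return Collections.singleton(allAllowedRegex);
  }
  List<String> regexes = new ArrayList<>(whitelistedDomains.size());
  for (String domain : whitelistedDomains) {
    if (wildcardsAllowed) {
      // Whatever allAllowedRegex matches, followed by a literal "." and the domain.
      // NOTE(review): this form requires the separating '.', so the bare
      // whitelisted domain itself does not match it — confirm that is intended.
      regexes.add(addStartEnd.apply(allAllowedRegex + Pattern.quote("." + domain)));
    } else {
      regexes.add(addStartEnd.apply(Pattern.quote(domain)));
    }
  }
  return regexes;
}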