
Example 1 with AllowedKeyConfiguration

Use of com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration in the project vcert-java by Venafi.

Class ZoneConfigurationTest, method getBaseZoneConfiguration.

/**
 * Builds the zone configuration shared by the tests: Venafi/Engineering subject defaults and a
 * policy that accepts only 4096-bit RSA keys and subjects matching the listed regexes.
 *
 * @return a freshly built configuration; callers may mutate it
 */
private ZoneConfiguration getBaseZoneConfiguration() {
    // The only acceptable key shape under this policy: RSA with a 4096-bit modulus.
    final AllowedKeyConfiguration rsa4096 = new AllowedKeyConfiguration();
    rsa4096.keyType(KeyType.RSA);
    rsa4096.keySizes(singletonList(4096));

    // Subject regexes: the ST/L values ("Nevada"/"Las Vegas") differ from the zone defaults
    // ("Utah"/"SLC") set further down.
    final Policy policy = new Policy();
    policy.allowedKeyConfigurations(Arrays.asList(rsa4096));
    policy.subjectCNRegexes(singletonList(".*vfidev.com"));
    policy.subjectORegexes(singletonList("Venafi, Inc."));
    policy.subjectOURegexes(singletonList("Engineering"));
    policy.subjectSTRegexes(singletonList("Nevada"));
    policy.subjectLRegexes(singletonList("Las Vegas"));
    policy.subjectCRegexes(singletonList("US"));
    policy.dnsSanRegExs(singletonList(".*"));

    // Zone-level subject defaults, then attach the policy above.
    final ZoneConfiguration zoneConf = new ZoneConfiguration();
    zoneConf.organization("Venafi")
            .organizationalUnit(Arrays.asList("Engineering", "Automated Test"))
            .country("US")
            .province("Utah")
            .locality("SLC");
    zoneConf.policy(policy);
    return zoneConf;
}

Example 2 with AllowedKeyConfiguration

Use of com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration in the project vcert-java by Venafi.

Class CertificateIssuingTemplate, method toZoneConfig.

/**
 * Converts the template's recommended settings into a {@link ZoneConfiguration}.
 *
 * <p>Only the subject defaults and the recommended key are carried over; no policy is set on
 * the result. Without recommended settings the returned configuration holds nothing but an
 * empty custom-attribute map.
 *
 * @return a new zone configuration, never {@code null}
 */
public ZoneConfiguration toZoneConfig() {
    ZoneConfiguration zoneConfig = new ZoneConfiguration().customAttributeValues(new HashMap<>());
    if (recommendedSettings == null) {
        return zoneConfig;
    }
    zoneConfig.country(recommendedSettings.subjectCValue);
    zoneConfig.organization(recommendedSettings.subjectOValue);
    // The template carries a single OU value; the zone configuration expects a list.
    zoneConfig.organizationalUnit(Collections.singletonList(recommendedSettings.subjectOUValue));
    zoneConfig.province(recommendedSettings.subjectSTValue);
    zoneConfig.locality(recommendedSettings.subjectLValue);
    if (recommendedSettings.key() == null) {
        return zoneConfig;
    }
    // Fall back to the SDK defaults for whichever key attribute the template left unset.
    String type = recommendedSettings.key().type;
    if (type == null) {
        type = KeyType.defaultKeyType().name();
    }
    Integer length = recommendedSettings.key().length;
    if (length == null) {
        length = KeyType.defaultRsaLength();
    }
    // No curve restriction is passed (third constructor argument).
    zoneConfig.keyConfig(new AllowedKeyConfiguration(KeyType.from(type), Collections.singletonList(length), null));
    return zoneConfig;
}

Example 3 with AllowedKeyConfiguration

Use of com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration in the project vcert-java by Venafi.

Class CertificateIssuingTemplate, method toPolicy.

/**
 * Converts this template into the SDK's {@link Policy}.
 *
 * <p>Each entry of {@code keyTypes} becomes an {@link AllowedKeyConfiguration} carrying the
 * template's key lengths; no curve restriction is passed. Subject and SAN regexes are copied
 * as-is from the template.
 *
 * @return the equivalent policy
 */
public Policy toPolicy() {
    // NOTE(review): throws NullPointerException when keyTypes is null — confirm the
    // deserialised template always carries it.
    List<AllowedKeyConfiguration> allowedKeys = keyTypes.stream()
            .map(kt -> {
                // Third argument (key curves) is left null, as in toZoneConfig.
                return new AllowedKeyConfiguration(KeyType.from(kt.keyType), kt.keyLengths, null);
            })
            .collect(Collectors.toList());
    return Policy.builder()
            .subjectCNRegexes(subjectCNRegexes)
            .subjectCRegexes(subjectCValues)
            .subjectLRegexes(subjectLRegexes)
            .subjectORegexes(subjectORegexes)
            .subjectOURegexes(subjectOURegexes)
            .subjectSTRegexes(subjectSTRegexes)
            .dnsSanRegExs(sanDnsNameRegexes)
            .allowedKeyConfigurations(allowedKeys)
            .allowKeyReuse(keyReuse)
            .build();
}

Example 4 with AllowedKeyConfiguration

Use of com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration in the project vcert-java by Venafi.

Class ServerPolicy, method toPolicy.

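/**
 * Translates this server-side policy into the SDK's {@link Policy}.
 *
 * <p>Locked subject values become literal regexes ({@link Pattern#quote} wrapped by
 * {@code addStartEnd}), so a value containing regex metacharacters is matched verbatim rather
 * than interpreted; unlocked values and unrestricted SAN types become {@code allAllowedRegex},
 * forbidden SAN types an empty list. The CN and DNS-SAN regexes share the domain white-list.
 * Key constraints come from the key-pair settings: a locked algorithm narrows the allowed key
 * type to one, and a locked RSA key size acts as a minimum (every supported size at or above it
 * is allowed).
 *
 * @return a new policy, never {@code null}
 */
public Policy toPolicy() {
    // Literal, metacharacter-escaped regex for a single value.
    Function<String, String> escapeOne = s -> addStartEnd.apply(Pattern.quote(s));
    Function<Collection<String>, Collection<String>> escapeCollection =
            in -> in.stream().map(escapeOne).collect(Collectors.toList());
    // Go would provide empty structs with default values, so in Java we have to deal with
    // null instead: a missing value is treated as "anything allowed".
    Function<LockableValue<String>, Collection<String>> selectValue = in -> {
        if (null == in) {
            return Collections.singleton(allAllowedRegex);
        }
        return in.locked()
                ? Collections.singleton(escapeOne.apply(in.value()))
                : Collections.singleton(allAllowedRegex);
    };
    // Unrestricted SAN types get the catch-all regex; forbidden ones get an empty list.
    Function<Boolean, Collection<String>> allOrNothing =
            bool -> bool ? Collections.singleton(allAllowedRegex) : Collections.emptyList();

    Policy policy = new Policy().allowedKeyConfigurations(new ArrayList<>());

    // Subject CN is restricted to the white-listed domains when there are any.
    if (Is.blank(whitelistedDomains)) {
        policy.subjectCNRegexes(Collections.singleton(allAllowedRegex));
    } else {
        policy.subjectCNRegexes(whitelistedDomainRegexes(escapeOne));
    }
    if (this.subject.organizationalUnit().locked()) {
        policy.subjectOURegexes(escapeCollection.apply(this.subject.organizationalUnit().values()));
    } else {
        policy.subjectOURegexes(Collections.singleton(allAllowedRegex));
    }
    policy.subjectORegexes(selectValue.apply(subject.organization()));
    policy.subjectLRegexes(selectValue.apply(subject.city()));
    policy.subjectSTRegexes(selectValue.apply(subject.state()));
    policy.subjectCRegexes(selectValue.apply(subject.country()));

    // DNS SANs follow the same domain white-list as the CN, when they are allowed at all.
    if (!subjAltNameDnsAllowed) {
        policy.dnsSanRegExs(Collections.emptyList());
    } else if (Is.blank(whitelistedDomains)) {
        policy.dnsSanRegExs(Collections.singleton(allAllowedRegex));
    } else {
        policy.dnsSanRegExs(whitelistedDomainRegexes(escapeOne));
    }
    policy.ipSanRegExs(allOrNothing.apply(subjAltNameIpAllowed));
    policy.emailSanRegExs(allOrNothing.apply(subjAltNameEmailAllowed));
    policy.uriSanRegExs(allOrNothing.apply(subjAltNameUriAllowed));
    policy.upnSanRegExs(allOrNothing.apply(subjAltNameUpnAllowed));

    if (keyPair.keyAlgorithm().locked()) {
        policy.allowedKeyConfigurations().add(lockedKeyConfiguration());
    } else {
        // No algorithm lock: RSA with every supported size and ECDSA with every supported curve.
        policy.allowedKeyConfigurations().add(new AllowedKeyConfiguration().keyType(KeyType.RSA).keySizes(KeyType.allSupportedKeySizes()));
        policy.allowedKeyConfigurations().add(new AllowedKeyConfiguration().keyType(KeyType.ECDSA).keyCurves(EllipticCurve.allSupportedCures()));
    }
    policy.allowWildcards(wildcardsAllowed);
    policy.allowKeyReuse(privateKeyReuseAllowed);
    return policy;
}

/**
 * Builds one regex per white-listed domain (shared by the CN and DNS-SAN rules). With wildcards
 * allowed the regex accepts anything in front of the literal {@code "." + domain}; otherwise the
 * domain itself must match literally.
 *
 * @param escapeOne turns a literal value into a quoted regex
 * @return a mutable list with one entry per white-listed domain, in iteration order
 */
private List<String> whitelistedDomainRegexes(Function<String, String> escapeOne) {
    List<String> regExs = new ArrayList<>(whitelistedDomains.size());
    for (String whitelistedDomain : whitelistedDomains) {
        if (wildcardsAllowed) {
            regExs.add(addStartEnd.apply(allAllowedRegex + Pattern.quote("." + whitelistedDomain)));
        } else {
            regExs.add(escapeOne.apply(whitelistedDomain));
        }
    }
    return regExs;
}

/**
 * Key configuration for a locked key algorithm: for RSA, every supported size at or above the
 * locked size (all supported sizes when no size is locked); otherwise the locked curve (all
 * supported curves when none is locked).
 *
 * @return a new configuration for the locked algorithm
 */
private AllowedKeyConfiguration lockedKeyConfiguration() {
    KeyType keyType = KeyType.from(keyPair.keyAlgorithm().value());
    AllowedKeyConfiguration key = new AllowedKeyConfiguration()
            .keyType(keyType)
            .keySizes(new ArrayList<Integer>())
            .keyCurves(new ArrayList<EllipticCurve>());
    if (KeyType.RSA.equals(keyType)) {
        if (keyPair.keySize().locked()) {
            for (Integer keySize : KeyType.allSupportedKeySizes()) {
                // Null check first: "keySize >= value" unboxes value and throws when it is
                // null, so a trailing "|| value == null" was never reached.
                if (keyPair.keySize().value() == null || keySize >= keyPair.keySize().value()) {
                    key.keySizes().add(keySize);
                }
            }
        } else {
            key.keySizes(KeyType.allSupportedKeySizes());
        }
    } else if (keyPair.ellipticCurve().locked()) {
        key.keyCurves().add(EllipticCurve.from(keyPair.ellipticCurve().value()));
    } else {
        key.keyCurves(EllipticCurve.allSupportedCures());
    }
    return key;
}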

Example 5 with AllowedKeyConfiguration

Use of com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration in the project vcert-java by Venafi.

Class ZoneConfiguration, method applyCertificateRequestDefaultSettingsIfNeeded.

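/**
 * Applies this zone's defaults to {@code request} and then coerces its key settings to the
 * zone policy.
 *
 * <p>Subject fields the request left empty are filled from the zone defaults. A missing key
 * type, curve, length or signature algorithm is filled from the zone's recommended key
 * configuration or the SDK defaults. Finally, if the policy lists allowed key configurations
 * for the request's key type, a curve or size outside the allowed set is replaced by the first
 * allowed one; the request is adjusted rather than rejected.
 *
 * @param request the request to update in place; must carry a subject
 */
public void applyCertificateRequestDefaultSettingsIfNeeded(CertificateRequest request) {
    applySubjectDefaults(request.subject());
    // apply defaults for settings that weren't specified and then make sure they comply with policy
    applyKeyDefaults(request);
    applyPolicyKeyConstraints(request);
}

/** Fills each subject field that is unset on the request from the corresponding zone default. */
private void applySubjectDefaults(CertificateRequest.PKIXName subject) {
    subject.organization(Entity.of(subject.organization(), organization).resolve());
    if (Is.blank(subject.organizationalUnit()) && !Is.blank(organizationalUnit)) {
        subject.organizationalUnit(organizationalUnit);
    }
    subject.country(Entity.of(subject.country(), country).resolve());
    subject.province(Entity.of(subject.province(), province).resolve());
    subject.locality(Entity.of(subject.locality(), locality).resolve());
}

/**
 * Fills the request's key type, curve or length, and signature algorithm when unset, preferring
 * the zone's {@code keyConfig} over the SDK defaults.
 */
private void applyKeyDefaults(CertificateRequest request) {
    if (request.keyType() == null) {
        request.keyType(keyConfig != null && keyConfig.keyType() != null ? keyConfig.keyType() : KeyType.defaultKeyType());
    }
    switch (request.keyType()) {
        case ECDSA:
            if (request.keyCurve() == null) {
                request.keyCurve(EllipticCurve.ellipticCurveDefault());
            }
            if (request.signatureAlgorithm() == SignatureAlgorithm.UnknownSignatureAlgorithm) {
                request.signatureAlgorithm(SignatureAlgorithm.ECDSAWithSHA256);
            }
            break;
        default:
            // Every other key type is treated as RSA. A length below the default is raised to
            // the zone's first recommended size when that size is itself at least the default.
            if (request.keyLength() < KeyType.defaultRsaLength()) {
                request.keyLength(keyConfig != null && !Is.blank(keyConfig.keySizes()) && keyConfig.keySizes().get(0) >= KeyType.defaultRsaLength() ? keyConfig.keySizes().get(0) : KeyType.defaultRsaLength());
            }
            if (request.signatureAlgorithm() == SignatureAlgorithm.UnknownSignatureAlgorithm) {
                request.signatureAlgorithm(SignatureAlgorithm.SHA256WithRSA);
            }
            break;
    }
}

/**
 * Coerces the request's curve or key length into the policy's allowed set for its key type.
 * A value outside the set is replaced by the first allowed one; an empty allowed list leaves
 * the request untouched.
 */
private void applyPolicyKeyConstraints(CertificateRequest request) {
    // NOTE(review): dereferences `policy` unconditionally — confirm ZoneConfiguration always
    // initialises it (CertificateIssuingTemplate.toZoneConfig does not set one).
    if (Is.blank(policy.allowedKeyConfigurations())) {
        return;
    }
    for (AllowedKeyConfiguration keyConf : policy.allowedKeyConfigurations()) {
        if (keyConf.keyType() != request.keyType()) {
            continue;
        }
        switch (request.keyType()) {
            case ECDSA:
                if (!Is.blank(keyConf.keyCurves()) && !keyConf.keyCurves().contains(request.keyCurve())) {
                    request.keyCurve(keyConf.keyCurves().get(0));
                }
                break;
            case RSA:
                if (!Is.blank(keyConf.keySizes()) && !keyConf.keySizes().contains(request.keyLength())) {
                    request.keyLength(keyConf.keySizes().get(0));
                }
                break;
            default:
                break;
        }
    }
}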
