From 89d2b5edeb2dfc9d8c22ef335780bd23f6cd6541 Mon Sep 17 00:00:00 2001
From: Jonathan Oddy
Date: Fri, 2 Aug 2019 09:41:09 +0100
Subject: [PATCH] Use the certificate chain as provided by the workload api
Signed-off-by: Jonathan Oddy
---
 .../java/spiffe/provider/CertificateUtils.java | 4 ++--
 .../java/spiffe/provider/SpiffeIdManager.java | 5 +++--
 .../java/spiffe/provider/SpiffeKeyManager.java | 8 ++++----
 src/main/java/spiffe/provider/SpiffeSVID.java | 15 ++++++++-------
 4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/src/main/java/spiffe/provider/CertificateUtils.java b/src/main/java/spiffe/provider/CertificateUtils.java
index 1317138..6cd8f44 100644
--- a/src/main/java/spiffe/provider/CertificateUtils.java
+++ b/src/main/java/spiffe/provider/CertificateUtils.java
@@ -38,11 +38,11 @@ class CertificateUtils {
 * @return a Set of X509Certificate
 * @throws CertificateException
 */
- static Set generateCertificates(byte[] input) throws CertificateException {
+ static List generateCertificates(byte[] input) throws CertificateException {
 Collection certificates = getCertificateFactory().generateCertificates(new ByteArrayInputStream(input));
 return certificates.stream()
 .map(X509Certificate.class::cast)
- .collect(Collectors.toSet());
+ .collect(Collectors.toList());
 }
 /**
diff --git a/src/main/java/spiffe/provider/SpiffeIdManager.java b/src/main/java/spiffe/provider/SpiffeIdManager.java
index ef2d4b1..376ba9a 100644
--- a/src/main/java/spiffe/provider/SpiffeIdManager.java
+++ b/src/main/java/spiffe/provider/SpiffeIdManager.java
@@ -6,6 +6,7 @@ import spiffe.api.svid.X509SVIDFetcher;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.logging.Level;
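Review bot: The Javadoc on `generateCertificates` still says `@return a Set of X509Certificate` although the signature in this hunk now returns a `List`, and the order of that list is exactly what the rest of the patch relies on (SpiffeKeyManager hands it to the TLS stack as the presented chain). Replace the tag with `* @return the X509Certificates parsed from {@code input}, in the order they appear in the input`; as far as I know `CertificateFactory.generateCertificates` keeps the parse order, so that is the guarantee callers may lean on. It is also worth a sentence that an empty input presumably yields an empty list rather than an exception, so callers that need at least a leaf certificate have to check for that themselves.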
@@ -70,9 +71,9 @@ public class SpiffeIdManager {
 LOGGER.log(Level.FINE, "Spiffe SVID has been updated ");
 }
- public X509Certificate getCertificate() {
+ public List getCertificateChain() {
 awaitSpiffeSVID();
- return guard.read(() -> spiffeSVID != null ? spiffeSVID.getCertificate() : null);
+ return guard.read(() -> spiffeSVID != null ? spiffeSVID.getCertificateChain() : null);
 }
 public PrivateKey getPrivateKey() {
diff --git a/src/main/java/spiffe/provider/SpiffeKeyManager.java b/src/main/java/spiffe/provider/SpiffeKeyManager.java
index bd20045..06f08f3 100644
--- a/src/main/java/spiffe/provider/SpiffeKeyManager.java
+++ b/src/main/java/spiffe/provider/SpiffeKeyManager.java
@@ -7,6 +7,7 @@ import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 import static spiffe.provider.SpiffeProviderConstants.ALIAS;
@@ -27,14 +28,13 @@ public class SpiffeKeyManager extends X509ExtendedKeyManager {
 }
 /**
- * The Certificate Chain that the workload presents to the other peer,
- * it consists only of the SpiffeSVID leaf certificate
+ * The Certificate Chain that the workload presents to the other peer.
 *
- * @return the X.509 SVID Certificate
+ * @return the X.509 SVID Certificates
 */
 @Override
 public X509Certificate[] getCertificateChain(String s) {
- return new X509Certificate[]{spiffeIdManager.getCertificate()};
+ return spiffeIdManager.getCertificateChain().toArray(new X509Certificate[0]);
 }
 /**
diff --git a/src/main/java/spiffe/provider/SpiffeSVID.java b/src/main/java/spiffe/provider/SpiffeSVID.java
index d175460..171c3ca 100644
--- a/src/main/java/spiffe/provider/SpiffeSVID.java
+++ b/src/main/java/spiffe/provider/SpiffeSVID.java
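Review bot: `getCertificateChain()` still yields `null` while `spiffeSVID` is unset, but its caller in the SpiffeKeyManager hunk below now dereferences the result with `.toArray(new X509Certificate[0])`, so a handshake that reaches the key manager before the first SVID has been received fails with a NullPointerException rather than the `null` that `X509KeyManager.getCertificateChain` allows for an unresolvable alias; whether `awaitSpiffeSVID()` makes that window unreachable is not visible here. Keep the contract explicit with a Javadoc on this method such as `/** @return the SVID certificate chain as delivered by the Workload API, or {@code null} if no SVID has been received yet */`, and guard the key manager side: `List<X509Certificate> chain = spiffeIdManager.getCertificateChain();` followed by `return chain == null ? null : chain.toArray(new X509Certificate[0]);`.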
@@ -8,6 +8,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.logging.Level;
@@ -27,9 +28,9 @@ public class SpiffeSVID {
 private String spiffeID;
 /**
- * The SPIFFE Verifiable Identity Document
+ * The SPIFFE Verifiable Identity Document and chain
 */
- private X509Certificate certificate;
+ private List certificateChain;
 /**
 * The Private Key associated to the Public Key of the certificate
@@ -62,8 +63,8 @@ public class SpiffeSVID {
 Workload.X509SVID svid = x509SVIDResponse.getSvidsList().get(0);
- certificate = CertificateUtils.generateCertificate(svid.getX509Svid().toByteArray());
- bundle = CertificateUtils.generateCertificates(svid.getBundle().toByteArray());
+ certificateChain = CertificateUtils.generateCertificates(svid.getX509Svid().toByteArray());
+ bundle = new HashSet<>(CertificateUtils.generateCertificates(svid.getBundle().toByteArray()));
 privateKey = CertificateUtils.generatePrivateKey(svid.getX509SvidKey().toByteArray());
 spiffeID = svid.getSpiffeId();
 federatedBundles = buildFederatedX509CertificatesMap(x509SVIDResponse.getFederatedBundlesMap());
@@ -81,7 +82,7 @@ public class SpiffeSVID {
 Map> federatedCertificates = new HashMap<>();
 federatedBundlesMap.forEach((trustDomain, cert) -> {
 try {
- federatedCertificates.put(trustDomain, CertificateUtils.generateCertificates(cert.toByteArray()));
+ federatedCertificates.put(trustDomain, new HashSet<>(CertificateUtils.generateCertificates(cert.toByteArray())));
 } catch (CertificateException e) {
 LOGGER.log(Level.SEVERE, "Federated Bundles couldn't be processed ", e);
 throw new RuntimeException(e);
@@ -94,8 +95,8 @@ public class SpiffeSVID {
 return spiffeID;
 }
- public X509Certificate getCertificate() {
- return certificate;
+ public List getCertificateChain() {
+ return certificateChain;
 }
 public PrivateKey getPrivateKey() {
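Review bot: In the hunk starting at `Workload.X509SVID svid = ...`, `certificateChain` is assigned straight from `generateCertificates` without checking that the parsed list is non-empty, whereas the replaced single-certificate call presumably failed on a payload with no certificate; an empty `x509_svid` payload now silently produces an SVID with an empty chain, which the key manager then presents as an empty array. Add a check right after the assignment, `if (certificateChain.isEmpty()) { throw new CertificateException("X509-SVID payload contains no certificate"); }`; the enclosing method starts and ends outside this hunk, so if it cannot declare `CertificateException`, wrap it the same way the federated-bundle branch does. The code also depends on the Workload API's ordering surviving into the list (the TLS stack takes element 0 as the leaf), which deserves a comment on the assignment such as `// order as delivered by the Workload API is kept: leaf first, then intermediates`.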
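Review bot: In the last hunk, `getCertificateChain()` hands out the internal `List` itself, so any caller can mutate the chain a running key manager will present, whereas the old accessor returned an immutable `X509Certificate`. Return a read-only view, `return Collections.unmodifiableList(certificateChain);` (adding `import java.util.Collections;` to the import block, which lies outside this hunk), or have the constructor store an unmodifiable copy so the getter can stay as written.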