Use the certificate chain as provided by the workload api

Signed-off-by: Jonathan Oddy <jonathan.oddy@transferwise.com>
2019-08-02 09:41:09 +01:00 · 2019-08-02 09:41:09 +01:00 · 89d2b5edeb
parent 2edd5a7c35
commit 89d2b5edeb
4 changed files with 17 additions and 15 deletions
--- a/src/main/java/spiffe/provider/CertificateUtils.java
+++ b/src/main/java/spiffe/provider/CertificateUtils.java
@ -38,11 +38,11 @@ class CertificateUtils {
     * @return a Set of X509Certificate
     * @throws CertificateException
     */
-    static Set<X509Certificate> generateCertificates(byte[] input) throws CertificateException {
+    static List<X509Certificate> generateCertificates(byte[] input) throws CertificateException {
        Collection<? extends Certificate> certificates =  getCertificateFactory().generateCertificates(new ByteArrayInputStream(input));
        return certificates.stream()
                .map(X509Certificate.class::cast)
-                .collect(Collectors.toSet());
+                .collect(Collectors.toList());
    }

    /**
--- a/src/main/java/spiffe/provider/SpiffeIdManager.java
+++ b/src/main/java/spiffe/provider/SpiffeIdManager.java
@ -6,6 +6,7 @@ import spiffe.api.svid.X509SVIDFetcher;

 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.CountDownLatch;
 import java.util.logging.Level;
@ -70,9 +71,9 @@ public class SpiffeIdManager {
        LOGGER.log(Level.FINE, "Spiffe SVID has been updated ");
    }

-    public X509Certificate getCertificate() {
+    public List<X509Certificate> getCertificateChain() {
        awaitSpiffeSVID();
-        return guard.read(() -> spiffeSVID != null ? spiffeSVID.getCertificate() : null);
+        return guard.read(() -> spiffeSVID != null ? spiffeSVID.getCertificateChain() : null);
    }

    public PrivateKey getPrivateKey() {
--- a/src/main/java/spiffe/provider/SpiffeKeyManager.java
+++ b/src/main/java/spiffe/provider/SpiffeKeyManager.java
@ -7,6 +7,7 @@ import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;

 import static spiffe.provider.SpiffeProviderConstants.ALIAS;
@ -27,14 +28,13 @@ public class SpiffeKeyManager extends X509ExtendedKeyManager {
    }

    /**
-     * The Certificate Chain that the workload presents to the other peer,
-     * it consists only of the SpiffeSVID leaf certificate
+     * The Certificate Chain that the workload presents to the other peer.
     *
-     * @return the X.509 SVID Certificate
+     * @return the X.509 SVID Certificates
     */
    @Override
    public X509Certificate[] getCertificateChain(String s) {
-        return new X509Certificate[]{spiffeIdManager.getCertificate()};
+        return spiffeIdManager.getCertificateChain().toArray(new X509Certificate[0]);
    }

    /**
--- a/src/main/java/spiffe/provider/SpiffeSVID.java
+++ b/src/main/java/spiffe/provider/SpiffeSVID.java
@ -8,6 +8,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.logging.Level;
@ -27,9 +28,9 @@ public class SpiffeSVID {
    private String spiffeID;

    /**
-     * The SPIFFE Verifiable Identity Document
+     * The SPIFFE Verifiable Identity Document and chain
     */
-    private X509Certificate certificate;
+    private List<X509Certificate> certificateChain;

    /**
     * The Private Key associated to the Public Key of the certificate
@ -62,8 +63,8 @@ public class SpiffeSVID {

            Workload.X509SVID svid  = x509SVIDResponse.getSvidsList().get(0);

-            certificate = CertificateUtils.generateCertificate(svid.getX509Svid().toByteArray());
-            bundle = CertificateUtils.generateCertificates(svid.getBundle().toByteArray());
+            certificateChain = CertificateUtils.generateCertificates(svid.getX509Svid().toByteArray());
+            bundle = new HashSet<>(CertificateUtils.generateCertificates(svid.getBundle().toByteArray()));
            privateKey = CertificateUtils.generatePrivateKey(svid.getX509SvidKey().toByteArray());
            spiffeID = svid.getSpiffeId();
            federatedBundles = buildFederatedX509CertificatesMap(x509SVIDResponse.getFederatedBundlesMap());
@ -81,7 +82,7 @@ public class SpiffeSVID {
        Map<String, Set<X509Certificate>> federatedCertificates = new HashMap<>();
        federatedBundlesMap.forEach((trustDomain, cert) -> {
            try {
-                federatedCertificates.put(trustDomain, CertificateUtils.generateCertificates(cert.toByteArray()));
+                federatedCertificates.put(trustDomain, new HashSet<>(CertificateUtils.generateCertificates(cert.toByteArray())));
            } catch (CertificateException e) {
                LOGGER.log(Level.SEVERE, "Federated Bundles couldn't be processed ", e);
                throw new RuntimeException(e);
@ -94,8 +95,8 @@ public class SpiffeSVID {
        return spiffeID;
    }

-    public X509Certificate getCertificate() {
-        return certificate;
+    public List<X509Certificate> getCertificateChain() {
+        return certificateChain;
    }

    public PrivateKey getPrivateKey() {