ref: 69d101a4a0048201d502b4a0fd8cf7158cfa6e37
src/main/java/net/lulli/certsigner/strategy/vault/VaultSigningStrategy.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 |
/* * This file is part of cert-signer * Copyright (c) 2024 Paolo Lulli. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, version 3. * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see <http://www.gnu.org/licenses/>. */ package net.lulli.certsigner.strategy.vault; import net.lulli.certsigner.ca.CertificateData; import net.lulli.certsigner.network.VaultLocal; import net.lulli.certsigner.service.CertificateSigningService; import net.lulli.certsigner.strategy.SigningStrategy; import net.lulli.certsigner.util.Serde; import org.json.JSONObject; import java.util.Base64; import java.util.HashMap; import java.util.Objects; public class VaultSigningStrategy implements SigningStrategy { private final String serviceName; private static String vaultEndpoint = System.getenv("VAULT_ENDPOINT"); private static String vaultToken = System.getenv("VAULT_TOKEN"); private static final String VAULT_PATH = "cert-auth"; private final VaultLocal vaultLocal; public VaultSigningStrategy(String serviceName) { Objects.requireNonNull(serviceName); this.serviceName = serviceName; this.vaultLocal = new VaultLocal(vaultEndpoint, vaultToken); } @Override public String sign(String clientName) { var rootSubject = "CN=root-cert, O=" + serviceName; return createCert(rootSubject, clientName); } public String createCert(String rootSubject, String clientName) { var optionalCsr = vaultLocal.retrieveSecret( CertificateSigningService.VAULT_CSR_PATH + "/" + serviceName + "/" + clientName); if (!optionalCsr.isPresent()) { throw new IllegalStateException("Could not find CSR in vault"); } var csrContent = optionalCsr.get(); var csrPayload = getPayload(csrContent); var pem = new String(Base64.getDecoder().decode(csrPayload.getString("csr"))); var pkcs10CertificationRequest = Serde.pemToCsr(pem); var certificateData = CertificateData.withSubject(clientName); vaultLocal.retrieveSecret(VAULT_PATH + "/" + serviceName) .ifPresentOrElse(secret -> { var payload = getPayload(secret); certificateData.sign( new String(Base64.getDecoder().decode(payload.getString("privateKey"))), new String(Base64.getDecoder().decode(payload.getString("certificate"))), pkcs10CertificationRequest, rootSubject ); }, () -> { throw new IllegalStateException("Could not find secret in vault"); }); var map = new HashMap<String, String>(); map.put("certificate", Base64.getEncoder().encodeToString(certificateData.certificate().getBytes())); vaultLocal.storeSecret(CertificateSigningService.VAULT_CERTIFICATES_PATH + "/" + serviceName + "/" + clientName, map); return certificateData.certificate(); } private static JSONObject getPayload(String secret) { var secretData = new JSONObject(secret); var stage2Secret = (JSONObject) secretData.get("data"); var payload = (JSONObject) stage2Secret.get("data"); return payload; } } |