All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.venafi.vcert.sdk.connectors.ServerPolicy Maven / Gradle / Ivy

Go to download

VCert is a Java library, SDK, designed to simplify key generation and enrollment of machine identities (also known as SSL/TLS certificates and keys) that comply with enterprise security policy by using the Venafi Platform or Venafi Cloud.

There is a newer version: 0.9.3
Show newest version
package com.venafi.vcert.sdk.connectors;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import com.google.common.annotations.VisibleForTesting;
import lombok.AllArgsConstructor;
import lombok.Data;
import lombok.NoArgsConstructor;
import com.venafi.vcert.sdk.SignatureAlgorithm;
import com.venafi.vcert.sdk.certificate.EllipticCurve;
import com.venafi.vcert.sdk.certificate.KeyType;
import com.venafi.vcert.sdk.endpoint.AllowedKeyConfiguration;
import com.venafi.vcert.sdk.utils.Is;

@Data
@NoArgsConstructor // for testing
@AllArgsConstructor
public class ServerPolicy {

  private static transient final String allAllowedRegex = ".*";
  public static transient final Function addStartEnd = s -> {
    if (!s.startsWith("^")) {
      s = "^" + s;
    }
    if (!s.endsWith("$")) {
      s += "$";
    }
    return s;
  };

  private LockableValue certificateAuthority;
  private LockableValue csrGeneration;
  private LockableValue keyGeneration;
  private KeyPair keyPair;
  private LockableValue managementType;

  private boolean privateKeyReuseAllowed;
  private boolean subjAltNameDnsAllowed;
  private boolean subjAltNameEmailAllowed;
  private boolean subjAltNameIpAllowed;
  private boolean subjAltNameUpnAllowed;
  private boolean subjAltNameUriAllowed;
  private Subject subject;
  private boolean uniqueSubjectEnforced;
  private Collection whitelistedDomains;
  private boolean wildcardsAllowed;

  public Policy toPolicy() {
    Function escapeOne = s -> addStartEnd.apply(Pattern.quote(s));
    Function, Collection> escapeCollection =
        in -> in.stream().map(escapeOne).collect(Collectors.toList());
    Function, Collection> selectValue = in -> {
      if (null == in) {
        return Collections.singleton(allAllowedRegex); // Go would provide empty structs with
                                                       // default values, so in Java, we have to
                                                       // deal with null instead
      }
      return in.locked() ? Collections.singleton(escapeOne.apply(in.value()))
          : Collections.singleton(allAllowedRegex);
    };
    Function> allOrNothing =
        bool -> bool ? Collections.singleton(allAllowedRegex) : Collections.emptyList();

    Policy policy = new Policy().allowedKeyConfigurations(new ArrayList<>());
    if (Is.blank(whitelistedDomains)) {
      policy.subjectCNRegexes(Collections.singleton(allAllowedRegex));
    } else {
      ArrayList subjectCNRegexes = new ArrayList<>(whitelistedDomains.size());
      for (String whitelistedDomain : whitelistedDomains()) {
        if (wildcardsAllowed()) {
          subjectCNRegexes
              .add(addStartEnd.apply(allAllowedRegex + Pattern.quote("." + whitelistedDomain)));
        } else {
          subjectCNRegexes.add(escapeOne.apply(whitelistedDomain));
        }
      }
      policy.subjectCNRegexes(subjectCNRegexes);

    }
    if (this.subject.organizationalUnit().locked()) {
      policy.subjectOURegexes(escapeCollection.apply(this.subject.organizationalUnit().values()));
    } else {
      policy.subjectOURegexes(Collections.singleton(allAllowedRegex));
    }

    policy.subjectORegexes(selectValue.apply(subject.organization()));
    policy.subjectLRegexes(selectValue.apply(subject.city()));
    policy.subjectSTRegexes(selectValue.apply(subject.state()));
    policy.subjectCRegexes(selectValue.apply(subject.country()));

    if (subjAltNameDnsAllowed) {
      if (Is.blank(whitelistedDomains)) {
        policy.dnsSanRegExs(Collections.singleton(allAllowedRegex));
      } else {
        List regExs = new ArrayList<>(whitelistedDomains.size());
        for (String whitelistedDomain : whitelistedDomains) {
          if (wildcardsAllowed) {
            regExs.add(addStartEnd.apply(allAllowedRegex + Pattern.quote("." + whitelistedDomain)));
          } else {
            regExs.add(escapeOne.apply(whitelistedDomain));
          }
        }
        policy.dnsSanRegExs(regExs);
      }
    } else {
      policy.dnsSanRegExs(Collections.emptyList());
    }

    policy.ipSanRegExs(allOrNothing.apply(subjAltNameIpAllowed));
    policy.emailSanRegExs(allOrNothing.apply(subjAltNameEmailAllowed));
    policy.uriSanRegExs(allOrNothing.apply(subjAltNameUriAllowed));
    policy.upnSanRegExs(allOrNothing.apply(subjAltNameUpnAllowed));

    if (keyPair.keyAlgorithm().locked()) {
      KeyType keyType = KeyType.from(keyPair.keyAlgorithm().value());
      AllowedKeyConfiguration key =
          new AllowedKeyConfiguration().keyType(keyType).keySizes(new ArrayList<>());
      if (KeyType.RSA.equals(keyType)) {
        if (keyPair.keySize().locked()) {
          for (Integer keySize : KeyType.allSupportedKeySizes()) {
            if (keySize >= keyPair.keySize().value() || keyPair.keySize().value() == null) {
              key.keySizes().add(keySize);
            }
          }
        } else {
          key.keySizes(KeyType.allSupportedKeySizes());
        }
      } else {
        if (keyPair.ellipticCurve().locked()) {
          EllipticCurve curve = EllipticCurve.from(keyPair.ellipticCurve().value());
          key.keyCurves().add(curve);
        } else {
          key.keyCurves(EllipticCurve.allSupportedCures());
        }
      }
      policy.allowedKeyConfigurations().add(key);
    } else {
      policy.allowedKeyConfigurations().add(new AllowedKeyConfiguration().keyType(KeyType.RSA)
          .keySizes(KeyType.allSupportedKeySizes()));
      policy.allowedKeyConfigurations().add(new AllowedKeyConfiguration().keyType(KeyType.ECDSA)
          .keyCurves(EllipticCurve.allSupportedCures()));
    }
    policy.allowWildcards(wildcardsAllowed);
    policy.allowKeyReuse(privateKeyReuseAllowed);
    return policy;
  }

  public ZoneConfiguration toZoneConfig() {
    return new ZoneConfiguration().customAttributeValues(new HashMap<>())
        .hashAlgorithm(SignatureAlgorithm.SHA256WithRSA).country(subject.country().value())
        .organization(subject.organization().value())
        .organizationalUnit(subject.organizationalUnit().values()).province(subject.state().value())
        .locality(subject.city().value());
  }

  @Data
  @AllArgsConstructor
  @VisibleForTesting
  public static class KeyPair {
    private LockableValue keyAlgorithm;
    private LockableValue keySize;
    private LockableValue ellipticCurve;
  }

  @Data
  @NoArgsConstructor // for testing
  @AllArgsConstructor
  @VisibleForTesting
  public static class Subject {
    private LockableValue city;
    private LockableValue country;
    private LockableValue organization;
    private LockableValues organizationalUnit;
    private LockableValue state;
  }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy