feat: Use Bouncy Castle to generate CSRs for AWS private CA. #1905
Conversation
|
This change is |
robinsons
force-pushed
the
robinsons-bouncy-castle
branch
3 times, most recently
from
cb28805
to
efd12a9
Compare
There was a problem hiding this comment.
Reviewed 11 of 11 files at r1, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @robinsons and @sandip80)
src/main/kotlin/org/wfanet/panelmatch/common/certificates/aws/CertificateAuthority.kt line 52 at r1 (raw file):
private val client: CreateCertificateClient, private val signatureAlgorithm: SignatureAlgorithm = SignatureAlgorithm.SHA_256_WITH_RSA_ENCRYPTION,
nit: can we use ECDSA by default? Most of the web has switched due to smaller key sizes for similar security.
MODULE.bazel line 236 at r1 (raw file):
# Bouncy Castle "org.bouncycastle:bcpkix-jdk15on:1.70",
Use a newer version built for newer JDK. Note that jdk18on here means Java 1.8, i.e. JDK 8.
Suggestion:
jdk18on:1.79imports/java/org/bouncycastle/bcpkix/BUILD.bazel line 1 at r1 (raw file):
package(default_visibility = ["//visibility:public"])
Imports follow the Java packages included by the target. This defines many subpackages in org.bouncycastle, but not all of them. Therefore the target label should be //imports/java/org/bouncycastle:bcpkix
src/main/kotlin/org/wfanet/panelmatch/common/certificates/GenerateCsr.kt line 29 at r1 (raw file):
* algorithm. */ fun generateCsrFromKeyPair(
New non-extension functions should always be defined in the context of a class or object. e.g. object Certificates or object CertificateSigningRequests. The file and Bazel target name should match this top-level object.
robinsons
force-pushed
the
robinsons-bouncy-castle
branch
3 times, most recently
from
adda655
to
c76c092
Compare
There was a problem hiding this comment.
Reviewable status: 2 of 15 files reviewed, 4 unresolved discussions (waiting on @sandip80 and @SanjayVas)
MODULE.bazel line 236 at r1 (raw file):
Previously, SanjayVas (Sanjay Vasandani) wrote…
Use a newer version built for newer JDK. Note that
jdk18onhere means Java 1.8, i.e. JDK 8.
Done.
src/main/kotlin/org/wfanet/panelmatch/common/certificates/aws/CertificateAuthority.kt line 52 at r1 (raw file):
Previously, SanjayVas (Sanjay Vasandani) wrote…
nit: can we use ECDSA by default? Most of the web has switched due to smaller key sizes for similar security.
Done, but I moved this to a flag since Origin's root cert uses RSA. I did set the default to ECDSA.
imports/java/org/bouncycastle/bcpkix/BUILD.bazel line 1 at r1 (raw file):
Previously, SanjayVas (Sanjay Vasandani) wrote…
Imports follow the Java packages included by the target. This defines many subpackages in
org.bouncycastle, but not all of them. Therefore the target label should be//imports/java/org/bouncycastle:bcpkix
Done.
src/main/kotlin/org/wfanet/panelmatch/common/certificates/GenerateCsr.kt line 29 at r1 (raw file):
Previously, SanjayVas (Sanjay Vasandani) wrote…
New non-extension functions should always be defined in the context of a class or object. e.g.
object Certificatesorobject CertificateSigningRequests. The file and Bazel target name should match this top-level object.
Done.
src/main/kotlin/org/wfanet/panelmatch/client/deploy/example/aws/AwsExampleDaemon.kt line 170 at r3 (raw file):
} private val SignatureAlgorithm.keyAlgorithm: String
@SanjayVas - I put this here for now, but would you care for me to make this an actual property of SignatureAlgorithm? I can do this in a follow-up PR if you think there'd be value.
There was a problem hiding this comment.
Reviewed 9 of 12 files at r2, 4 of 4 files at r3, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @robinsons and @sandip80)
src/main/kotlin/org/wfanet/panelmatch/client/deploy/example/aws/AwsExampleDaemon.kt line 170 at r3 (raw file):
Previously, robinsons wrote…
@SanjayVas - I put this here for now, but would you care for me to make this an actual property of SignatureAlgorithm? I can do this in a follow-up PR if you think there'd be value.
This is basically the inverse of fromKeyAndHashAlgorithm, right? Not a bad idea to move it to SignatureAlgorithm itself eventually. Feel free to just leave a TODO for now.
robinsons
force-pushed
the
robinsons-bouncy-castle
branch
from
c76c092
to
34348cc
Compare
There was a problem hiding this comment.
Reviewed 2 of 11 files at r1, 8 of 12 files at r2, 4 of 4 files at r3, 1 of 1 files at r4, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @robinsons)
Removes a dependency on
opensslfor generating CSRs and switches to Bouncy Castle APIs instead. This PR is based on the corresponding changes in #1602.