Posted to commits@ozone.apache.org by ae...@apache.org on 2019/11/07 23:32:17 UTC

[hadoop-ozone] branch master updated: HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with reviewer, otherName field make more sence then registeredId.

This is an automated email from the ASF dual-hosted git repository.

aengineer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new ab7987c  HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with reviewer, otherName field make more sence then registeredId.
ab7987c is described below

commit ab7987c0de2a06f14603f726c441491454ce13ba
Author: Abhishek Purohit <ap...@cloudera.com>
AuthorDate: Mon Nov 4 10:05:48 2019 -0800

    HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with the reviewer, the otherName field makes more sense than registeredId.
    
    Signed-off-by: Anu Engineer <ae...@apache.org>
---
 .../authority/PKIProfiles/DefaultProfile.java      |  4 +++
 .../certificates/utils/CertificateSignRequest.java | 41 +++++++++++++++++++++-
 .../certificate/authority/TestDefaultCAServer.java |  1 +
 .../certificate/authority/TestDefaultProfile.java  |  3 +-
 4 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
index 5fdb6f7..25ae126 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
@@ -74,6 +74,7 @@ public class DefaultProfile implements PKIProfile {
   private static final int[] GENERAL_NAMES = {
       GeneralName.dNSName,
       GeneralName.iPAddress,
+      GeneralName.otherName,
   };
   // Map that handles all the Extensions lookup and validations.
   private static final Map<ASN1ObjectIdentifier, BiFunction<Extension,
@@ -245,6 +246,9 @@ public class DefaultProfile implements PKIProfile {
       }
     case GeneralName.dNSName:
       return DomainValidator.getInstance().isValid(value);
+    case GeneralName.otherName:
+      // for other name its a general string, nothing to validate
+      return true;
     default:
       // This should not happen, since it guarded via isSupportedGeneralName.
       LOG.error("Unexpected type in General Name (int value) : " + type);
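Review bot: The new `case GeneralName.otherName:` returns true unconditionally, so the profile accepts any otherName a CSR submits regardless of its type-id OID or value type, while the only otherName Ozone itself emits (CertificateSignRequest hunk in this commit) has the fixed type-id `2.16.840.1.113730.3.1.34` and a UTF8String value. The validator should decode the OtherName, reject anything whose type-id differs from the one the builder uses and whose value is not a UTF8String, and only then return true; today the builder keeps that OID as a method-local constant, so it would need to be promoted to a shared constant for this check to exist. The sibling `dNSName` case passes `value` to `DomainValidator`, which suggests `value` is already a String here, so how an otherName reaches this switch as a string is not visible in the hunk and should be confirmed. The enclosing method starts and ends outside the hunk.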
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index 28f853a..21a19b5 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -25,7 +25,13 @@ import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
 import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
 import org.apache.logging.log4j.util.Strings;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERTaggedObject;
+import org.bouncycastle.asn1.DERUTF8String;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
@@ -198,14 +204,47 @@ public final class CertificateSignRequest {
       return this;
     }
 
+    public CertificateSignRequest.Builder addServiceName(
+        String serviceName) {
+      Preconditions.checkNotNull(
+          serviceName, "Service Name cannot be null");
+
+      this.addAltName(GeneralName.otherName, serviceName);
+      return this;
+    }
+
     private CertificateSignRequest.Builder addAltName(int tag, String name) {
       if (altNames == null) {
         altNames = new ArrayList<>();
       }
-      altNames.add(new GeneralName(tag, name));
+      if (tag == GeneralName.otherName) {
+        ASN1Object ono = addOtherNameAsn1Object(name);
+
+        altNames.add(new GeneralName(tag, ono));
+      } else {
+        altNames.add(new GeneralName(tag, name));
+      }
       return this;
     }
 
+    /**
+     * addOtherNameAsn1Object requires special handling since
+     * Bouncy Castle does not support othername as string.
+     * @param name
+     * @return
+     */
+    private ASN1Object addOtherNameAsn1Object(String name) {
+      // Below oid is copied from this URL:
+      // https://docs.microsoft.com/en-us/windows/win32/adschema/a-middlename
+      final String otherNameOID = "2.16.840.1.113730.3.1.34";
+      ASN1EncodableVector otherName = new ASN1EncodableVector();
+      otherName.add(new ASN1ObjectIdentifier(otherNameOID));
+      otherName.add(new DERTaggedObject(
+          true, GeneralName.otherName, new DERUTF8String(name)));
+      return new DERTaggedObject(
+          false, 0, new DERSequence(otherName));
+    }
+
     public CertificateSignRequest.Builder setCA(Boolean isCA) {
       this.ca = isCA;
       return this;
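Review bot: `addOtherNameAsn1Object` uses `GeneralName.otherName` (value 0) as the explicit tag number of OtherName's `value` field and then wraps the SEQUENCE in its own `DERTaggedObject(false, 0, …)`, even though `GeneralName` already applies the implicit [0] tag when it encodes; the bytes appear to come out right only because the otherName choice index happens to be 0 and the double implicit tag collapses, while `GeneralName.getName()` hands consumers a tagged object instead of an OtherName. The type-id `2.16.840.1.113730.3.1.34` is the LDAP middleName attribute OID under the Netscape arc, as the comment's link indicates, so a relying party that interprets type-ids would read the service name as a person's middle name; a project-owned OID in a class constant that DefaultProfile can compare against is preferable. BouncyCastle ships `org.bouncycastle.asn1.x509.OtherName` for exactly this structure, which removes the hand-tagging and the `ASN1EncodableVector`/`DERSequence`/`DERTaggedObject` imports added in the earlier hunk. The javadoc's empty `@param`/`@return` lines and the undocumented `addServiceName` should say where the name ends up, e.g. `@param serviceName service identifier placed in the SAN as an otherName UTF8String`.
```java
    /** type-id of the otherName SAN entry; DefaultProfile should compare against this. */
    // TODO(review): this is the LDAP middleName attribute OID; replace with a project-owned OID.
    private static final ASN1ObjectIdentifier SERVICE_NAME_OID =
        new ASN1ObjectIdentifier("2.16.840.1.113730.3.1.34");

    // … unchanged: addServiceName, addAltName …

    /**
     * Builds the OtherName payload for an otherName SAN entry.
     * GeneralName adds the outer [0] IMPLICIT tag itself, so no manual
     * DERTaggedObject wrapping is needed here.
     */
    private ASN1Object addOtherNameAsn1Object(String name) {
      return new OtherName(SERVICE_NAME_OID, new DERUTF8String(name));
    }
```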
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 64eb4ba..b203305 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -147,6 +147,7 @@ public class TestDefaultCAServer {
     PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
         .addDnsName("hadoop.apache.org")
         .addIpAddress("8.8.8.8")
+        .addServiceName("OzoneMarketingCluster002")
         .setCA(false)
         .setClusterID(clusterId)
         .setScmID(scmId)
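Review bot: The test now calls `.addServiceName("OzoneMarketingCluster002")` but nothing in the hunk checks that the resulting CSR's SubjectAlternativeName extension contains an otherName entry with the expected type-id and value, so a regression in the ASN.1 construction would pass unnoticed; the same applies to the TestDefaultProfile hunk at `@@ -111,6 +111,7 @@`. Unless the remainder of the method (outside the hunk) already decodes the extension, add an assertion that parses the SAN GeneralNames from the CSR, locates the entry tagged `GeneralName.otherName`, and compares its OtherName type-id and UTF8String value with what the builder emits. The enclosing test method starts and ends outside the hunk.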
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
index f892b8d..aecd91f 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
@@ -91,11 +91,11 @@ public class TestDefaultProfile {
 // Positive tests
     assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.iPAddress));
     assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.dNSName));
+    assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
 // Negative Tests
     assertFalse(defaultProfile.isSupportedGeneralName(
         GeneralName.directoryName));
     assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.rfc822Name));
-    assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
   }
 
   /**
@@ -111,6 +111,7 @@ public class TestDefaultProfile {
     PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
         .addDnsName("hadoop.apache.org")
         .addIpAddress("8.8.8.8")
+        .addServiceName("OzoneMarketingCluster001")
         .setCA(false)
         .setClusterID("ClusterID")
         .setScmID("SCMID")

