Posted to commits@nifi.apache.org by ex...@apache.org on 2021/03/02 18:33:44 UTC

[nifi] branch main updated: NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280

This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 481046f  NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280
481046f is described below

commit 481046f5be89831517952d1d930a189a8425cfe4
Author: Janosch Woschitz <ja...@gmail.com>
AuthorDate: Tue Mar 2 17:18:54 2021 +0100

    NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280
    
    This closes #4866
    
    Signed-off-by: David Handermann <ex...@apache.org>
---
 .../apache/nifi/security/util/CertificateUtils.java | 21 +++++++++++++++++++++
 .../nifi/security/util/CertificateUtilsTest.groovy  |  9 +++++++++
 2 files changed, 30 insertions(+)

diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
index 0e4d387..2f2ec87 100644
--- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
+++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
@@ -149,6 +149,27 @@ public final class CertificateUtils {
                     username = StringUtils.substring(dn, cnIndex + cnPattern.length());
                 }
             }
+
+            /*
+                https://tools.ietf.org/html/rfc5280#section-4.1.2.6
+
+                Legacy implementations exist where an electronic mail address is
+                embedded in the subject distinguished name as an emailAddress
+                attribute [RFC2985].  The attribute value for emailAddress is of type
+                IA5String to permit inclusion of the character '@', which is not part
+                of the PrintableString character set.  emailAddress attribute values
+                are not case-sensitive (e.g., "subscriber@example.com" is the same as
+                "SUBSCRIBER@EXAMPLE.COM").
+             */
+            final String emailPattern = "/emailAddress=";
+            final int index = StringUtils.indexOfIgnoreCase(username, emailPattern);
+            if (index >= 0) {
+                String[] dnParts = username.split(emailPattern);
+                if (dnParts.length > 0) {
+                    // only use the actual CN
+                    username = dnParts[0];
+                }
+            }
         }
 
         return username;
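Review bot: The case-insensitive detection on `final int index = StringUtils.indexOfIgnoreCase(username, emailPattern);` is undone by the case-sensitive, regex-based `username.split(emailPattern)` that follows: for a constructed DN such as `CN=NiFi Test Server/EMAILADDRESS=user@example.com` the index is found but split matches nothing, dnParts[0] is the whole string, and the username keeps the email attribute. Since the match position is already known, the split and the `dnParts.length > 0` guard are unnecessary; replace the `String[] dnParts ... username = dnParts[0];` block with `username = username.substring(0, index);`. That also stops treating the pattern as a regular expression. The enclosing method (presumably extractUsername, judging by the test) starts outside the hunk.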
diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
index 03ab118..6155a9a 100644
--- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
+++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
@@ -60,6 +60,7 @@ import java.util.concurrent.Future
 import java.util.concurrent.TimeUnit
 import java.util.concurrent.atomic.AtomicBoolean
 
+import static org.junit.Assert.assertEquals
 import static org.junit.Assert.assertTrue
 
 @RunWith(JUnit4.class)
@@ -75,6 +76,7 @@ class CertificateUtilsTest extends GroovyTestCase {
     private static final String PROVIDER = "BC"
 
     private static final String SUBJECT_DN = "CN=NiFi Test Server,OU=Security,O=Apache,ST=CA,C=US"
+    private static final String SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985 = "CN=NiFi Test Server/emailAddress=test@apache.org,OU=Security,O=Apache,ST=CA,C=US"
     private static final String ISSUER_DN = "CN=NiFi Test CA,OU=Security,O=Apache,ST=CA,C=US"
     private static final List<String> SUBJECT_ALT_NAMES = ["127.0.0.1", "nifi.nifi.apache.org"]
 
@@ -647,6 +649,13 @@ class CertificateUtilsTest extends GroovyTestCase {
         assert(extensions.equivalent(sanExtensions))
     }
 
+    @Test
+    void testExtractUserNameFromDN() {
+        String expected = "NiFi Test Server"
+        assertEquals(CertificateUtils.extractUsername(SUBJECT_DN), expected)
+        assertEquals(CertificateUtils.extractUsername(SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985), expected)
+    }
+
     // Using this directly from tls-toolkit results in a dependency loop, so it's added here for testing purposes.
     private static Extensions createDomainAlternativeNamesExtensions(List<String> domainAlternativeNames, String requestedDn) throws IOException {
         List<GeneralName> namesList = new ArrayList<>()
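Review bot: testExtractUserNameFromDN covers only the exact lowercase `/emailAddress=` spelling, whereas the implementation matches the attribute case-insensitively; a second constant with a differently cased attribute (for example `/EMAILADDRESS=`) asserted against the same expected value would cover that branch. The two assertEquals calls also pass arguments as (actual, expected) while JUnit's signature is assertEquals(expected, actual); writing them as `assertEquals(expected, CertificateUtils.extractUsername(SUBJECT_DN))` keeps failure messages readable.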