Posted to commits@nifi.apache.org by ex...@apache.org on 2021/03/02 18:33:44 UTC
[nifi] branch main updated: NIFI-8286 Extended CertificateUtils to
allow parsing of CNs conforming to RFC5280
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push:
new 481046f NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280
commit 481046f5be89831517952d1d930a189a8425cfe4
Author: Janosch Woschitz <ja...@gmail.com>
AuthorDate: Tue Mar 2 17:18:54 2021 +0100
NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280
This closes #4866
Signed-off-by: David Handermann <ex...@apache.org>
---
.../apache/nifi/security/util/CertificateUtils.java | 21 +++++++++++++++++++++
.../nifi/security/util/CertificateUtilsTest.groovy | 9 +++++++++
2 files changed, 30 insertions(+)
diff --git a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
index 0e4d387..2f2ec87 100644
--- a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
+++ b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
@@ -149,6 +149,27 @@ public final class CertificateUtils {
username = StringUtils.substring(dn, cnIndex + cnPattern.length());
}
}
+
+ /*
+ https://tools.ietf.org/html/rfc5280#section-4.1.2.6
+
+ Legacy implementations exist where an electronic mail address is
+ embedded in the subject distinguished name as an emailAddress
+ attribute [RFC2985]. The attribute value for emailAddress is of type
+ IA5String to permit inclusion of the character '@', which is not part
+ of the PrintableString character set. emailAddress attribute values
+ are not case-sensitive (e.g., "subscriber@example.com" is the same as
+ "SUBSCRIBER@EXAMPLE.COM").
+ */
+ final String emailPattern = "/emailAddress=";
+ final int index = StringUtils.indexOfIgnoreCase(username, emailPattern);
+ if (index >= 0) {
+ String[] dnParts = username.split(emailPattern);
+ if (dnParts.length > 0) {
+ // only use the actual CN
+ username = dnParts[0];
+ }
+ }
}
return username;
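Review bot: The strip is only applied for the exact spelling `/emailAddress=`, because `username.split(emailPattern)` is case-sensitive while the guard on the line above it uses `StringUtils.indexOfIgnoreCase`; a DN carrying `/EMAILADDRESS=` or `/EmailAddress=` passes the guard but is never cut, so the full `CN/emailAddress=...` string is returned as the identity. Since `index` already locates the attribute, the split and the `dnParts` branch can be replaced by the single line `username = StringUtils.substring(username, 0, index);`, which also stops `String.split` from interpreting the separator as a regular expression. The test added in this commit only covers the lower-camel spelling, so a mixed-case DN should be added to `testExtractUserNameFromDN`. Identities derived from certificates with this legacy attribute change with this commit, which presumably affects any authorization entries keyed on the previous full string — worth noting in the release notes. The enclosing method begins before this hunk, so the earlier CN extraction that produces `username` was not reviewed here.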
diff --git a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
index 03ab118..6155a9a 100644
--- a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
+++ b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
@@ -60,6 +60,7 @@ import java.util.concurrent.Future
import java.util.concurrent.TimeUnit
import java.util.concurrent.atomic.AtomicBoolean
+import static org.junit.Assert.assertEquals
import static org.junit.Assert.assertTrue
@RunWith(JUnit4.class)
@@ -75,6 +76,7 @@ class CertificateUtilsTest extends GroovyTestCase {
private static final String PROVIDER = "BC"
private static final String SUBJECT_DN = "CN=NiFi Test Server,OU=Security,O=Apache,ST=CA,C=US"
+ private static final String SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985 = "CN=NiFi Test Server/emailAddress=test@apache.org,OU=Security,O=Apache,ST=CA,C=US"
private static final String ISSUER_DN = "CN=NiFi Test CA,OU=Security,O=Apache,ST=CA,C=US"
private static final List<String> SUBJECT_ALT_NAMES = ["127.0.0.1", "nifi.nifi.apache.org"]
@@ -647,6 +649,13 @@ class CertificateUtilsTest extends GroovyTestCase {
assert(extensions.equivalent(sanExtensions))
}
+ @Test
+ void testExtractUserNameFromDN() {
+ String expected = "NiFi Test Server"
+ assertEquals(CertificateUtils.extractUsername(SUBJECT_DN), expected)
+ assertEquals(CertificateUtils.extractUsername(SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985), expected)
+ }
+
// Using this directly from tls-toolkit results in a dependency loop, so it's added here for testing purposes.
private static Extensions createDomainAlternativeNamesExtensions(List<String> domainAlternativeNames, String requestedDn) throws IOException {
List<GeneralName> namesList = new ArrayList<>()