Posted to commits@ozone.apache.org by xy...@apache.org on 2020/10/19 20:08:59 UTC

[hadoop-ozone] branch master updated: HDDS-4301. SCM CA certificate does not encode KeyUsage extension properly (#1468)

This is an automated email from the ASF dual-hosted git repository.

xyao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new 049793d  HDDS-4301. SCM CA certificate does not encode KeyUsage extension properly (#1468)
049793d is described below

commit 049793ddabe895532c95d0af0ca3de9ec940066a
Author: Xiaoyu Yao <xy...@apache.org>
AuthorDate: Mon Oct 19 13:08:45 2020 -0700

    HDDS-4301. SCM CA certificate does not encode KeyUsage extension properly (#1468)
---
 .../hdds/security/x509/certificates/utils/CertificateSignRequest.java | 2 +-
 .../hdds/security/x509/certificates/utils/SelfSignedCertificate.java  | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index f740e43..bee64e1 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -265,7 +265,7 @@ public final class CertificateSignRequest {
       }
       KeyUsage keyUsage = new KeyUsage(keyUsageFlag);
       return new Extension(Extension.keyUsage, true,
-          new DEROctetString(keyUsage));
+          keyUsage.getEncoded());
     }
 
     private Optional<Extension> getSubjectAltNameExtension() throws
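Review bot: The return statement now depends on an encoding contract that is not written down anywhere in the hunk: the `Extension(oid, critical, byte[])` constructor wraps the bytes in the extnValue OCTET STRING itself, so the argument must be the bare KeyUsage encoding and not a pre-wrapped octet string. A one-line comment above the return would stop a later edit from reintroducing a wrapper, for example `// Extension wraps the byte[] in the extnValue OCTET STRING itself; pass the bare KeyUsage encoding.` `keyUsage.getEncoded()` can throw `IOException`, so the enclosing method has to declare or handle it; its signature is outside the hunk, so that cannot be confirmed from here.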
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
index a7edfde..daf0e26 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
@@ -42,7 +42,6 @@ import org.apache.logging.log4j.util.Strings;
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.DERUTF8String;
@@ -145,8 +144,7 @@ public final class SelfSignedCertificate {
           new BasicConstraints(true));
       int keyUsageFlag = KeyUsage.keyCertSign | KeyUsage.cRLSign;
       KeyUsage keyUsage = new KeyUsage(keyUsageFlag);
-      builder.addExtension(Extension.keyUsage, false,
-          new DEROctetString(keyUsage));
+      builder.addExtension(Extension.keyUsage, true, keyUsage);
       if (altNames != null && altNames.size() >= 1) {
         builder.addExtension(new Extension(Extension.subjectAlternativeName,
             false, new GeneralNames(altNames.toArray(
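Review bot: The critical flag on the root certificate's KeyUsage flips from `false` to `true` in the `builder.addExtension(Extension.keyUsage, true, keyUsage)` line, which the commit title does not mention, and the diffstat shows no test that pins either the flag or the corrected encoding. A regression test that builds the self-signed certificate and asserts `cert.getKeyUsage()[5]` and `cert.getKeyUsage()[6]` (keyCertSign and cRLSign) are true, and that `cert.getCriticalExtensionOIDs()` contains `"2.5.29.15"`, would catch a return to the old form. Certificates already generated by an initialised SCM presumably keep the previous encoding until they are reissued, so it is worth stating in the upgrade notes whether existing clusters need to regenerate the CA certificate. The enclosing method starts and ends outside the hunk.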

