Posted to commits@trafficcontrol.apache.org by dg...@apache.org on 2018/11/12 15:14:28 UTC

[trafficcontrol] branch 3.0.x updated: Use exact matching of requested name to certificate for SNI fields


dgelinas pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/3.0.x by this push:
     new ca96432  Use exact matching of requested name to certificate for SNI fields
ca96432 is described below

commit ca9643282055c8d6a0b8ee6475bd26301b85bf02
Author: Eric Friedrich <ef...@cisco.com>
AuthorDate: Fri Sep 14 09:30:54 2018 -0400

    Use exact matching of requested name to certificate for SNI fields
---
 .../traffic_router/secure/KeyManager.java              | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
index 1c2df67..2996cb0 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
@@ -29,6 +29,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 // Uses the in memory CertificateRegistry to provide dynamic key and certificate management for the router
 // The provided default implementation does not allow for the key store to change state
@@ -87,11 +88,19 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
 			final String sniString = new String(requestedName.getEncoded());
 			stringBuilder.append(sniString);
 
-			final Optional<String> optionalAlias = certificateRegistry.getAliases().stream().filter(sniString::contains).findFirst();
-			if (optionalAlias.isPresent()) {
-				log.info("KeyManager: FOUND certificate registry aliases matching " + optionalAlias.get());
-				return optionalAlias.get();
+			final List<String> partialAliasMatches = certificateRegistry.getAliases().stream().filter(sniString::contains).collect(Collectors.toList());
+			Optional<String> alias = partialAliasMatches.stream().filter(sniString::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
 			}
+
+			// Not an exact match, some of the aliases may have had the leading zone removed
+			final String sniStringTrimmed = sniString.substring(sniString.indexOf('.') + 1);
+			alias = partialAliasMatches.stream().filter(sniStringTrimmed::contentEquals).findFirst();
+			if (alias.isPresent()) {
+			    return alias.get();
+			}
+
 		}
 
 		if (stringBuilder.length() > 0) {
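Review bot: The fallback `sniString.substring(sniString.indexOf('.') + 1)` never checks that a dot was actually found; for a single-label SNI value `indexOf` returns -1, the trimmed string equals `sniString`, and the second lookup merely repeats the exact match that already failed — guard it with `final int dot = sniString.indexOf('.'); if (dot >= 0) { … }` and reuse that index for the substring. Both the `contains` pre-filter and the two `contentEquals` comparisons are case-sensitive, while host names are not; if the registry stores aliases in a fixed case (not visible here), a mixed-case SNI value falls through to the no-match path, so normalising `sniString` with `toLowerCase(Locale.ROOT)` before all three comparisons is worth considering. The removed `log.info` means a successful match now leaves no record of which alias was selected for the handshake, which is useful when diagnosing a wrong-certificate report. The two `return alias.get();` lines are indented with spaces where the surrounding file uses tabs. The enclosing method starts before this hunk and ends after it.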
@@ -102,6 +111,7 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
 		return null;
 	}
 
+
 	@Override
 	public X509Certificate[] getCertificateChain(final String alias) {
 		final HandshakeData handshakeData = certificateRegistry.getHandshakeData(alias);