Posted to commits@trafficcontrol.apache.org by dg...@apache.org on 2018/11/12 15:14:28 UTC
[trafficcontrol] branch 3.0.x updated: Use exact matching of
requested name to certificate for SNI fields
This is an automated email from the ASF dual-hosted git repository.
dgelinas pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/3.0.x by this push:
new ca96432 Use exact matching of requested name to certificate for SNI fields
ca96432 is described below
commit ca9643282055c8d6a0b8ee6475bd26301b85bf02
Author: Eric Friedrich <ef...@cisco.com>
AuthorDate: Fri Sep 14 09:30:54 2018 -0400
Use exact matching of requested name to certificate for SNI fields
---
.../traffic_router/secure/KeyManager.java | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
index 1c2df67..2996cb0 100644
--- a/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
+++ b/traffic_router/connector/src/main/java/com/comcast/cdn/traffic_control/traffic_router/secure/KeyManager.java
@@ -29,6 +29,7 @@ import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Optional;
+import java.util.stream.Collectors;
// Uses the in memory CertificateRegistry to provide dynamic key and certificate management for the router
// The provided default implementation does not allow for the key store to change state
@@ -87,11 +88,19 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
final String sniString = new String(requestedName.getEncoded());
stringBuilder.append(sniString);
- final Optional<String> optionalAlias = certificateRegistry.getAliases().stream().filter(sniString::contains).findFirst();
- if (optionalAlias.isPresent()) {
- log.info("KeyManager: FOUND certificate registry aliases matching " + optionalAlias.get());
- return optionalAlias.get();
+ final List<String> partialAliasMatches = certificateRegistry.getAliases().stream().filter(sniString::contains).collect(Collectors.toList());
+ Optional<String> alias = partialAliasMatches.stream().filter(sniString::contentEquals).findFirst();
+ if (alias.isPresent()) {
+ return alias.get();
}
+
+ // Not an exact match, some of the aliases may have had the leading zone removed
+ final String sniStringTrimmed = sniString.substring(sniString.indexOf('.') + 1);
+ alias = partialAliasMatches.stream().filter(sniStringTrimmed::contentEquals).findFirst();
+ if (alias.isPresent()) {
+ return alias.get();
+ }
+
}
if (stringBuilder.length() > 0) {
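Review bot: The new exact-match filters at the `partialAliasMatches` line and the two `contentEquals` lines are case-sensitive, while a client may send the SNI host_name in any letter case; a request for `Example.COM` would fall through both new checks and return null even though an alias `example.com` is registered. If the registry stores aliases in lower case (not visible in this hunk, so worth confirming), normalising once before the filters keeps the matching robust: `final String sniLower = sniString.toLowerCase(Locale.ROOT);` and then `filter(sniLower::contains)` / `filter(sniLower::contentEquals)` / `filter(sniStringTrimmed::contentEquals)` with `sniStringTrimmed` derived from `sniLower`. The removed `log.info("KeyManager: FOUND ...")` line also means neither new return path records which alias was selected, which is useful when debugging why a given certificate was served; a `log.debug` naming the matched alias before each `return alias.get();` would restore that. The enclosing method starts before and ends after this hunk.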
@@ -102,6 +111,7 @@ public class KeyManager extends X509ExtendedKeyManager implements X509KeyManager
return null;
}
+
@Override
public X509Certificate[] getCertificateChain(final String alias) {
final HandshakeData handshakeData = certificateRegistry.getHandshakeData(alias);