Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2021/03/02 17:46:17 UTC

[GitHub] [nifi] jwoschitz commented on a change in pull request #4866: NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to RFC5280

jwoschitz commented on a change in pull request #4866:
URL: https://github.com/apache/nifi/pull/4866#discussion_r585777687



##########
File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
##########
@@ -149,6 +149,27 @@ public static String extractUsername(String dn) {
                     username = StringUtils.substring(dn, cnIndex + cnPattern.length());
                 }
             }
+
+            /*
+                https://tools.ietf.org/html/rfc5280#section-4.1.2.6
+
+                Legacy implementations exist where an electronic mail address is
+                embedded in the subject distinguished name as an emailAddress
+                attribute [RFC2985].  The attribute value for emailAddress is of type
+                IA5String to permit inclusion of the character '@', which is not part
+                of the PrintableString character set.  emailAddress attribute values
+                are not case-sensitive (e.g., "subscriber@example.com" is the same as
+                "SUBSCRIBER@EXAMPLE.COM").
+             */
+            final String emailPattern = "/emailAddress=";
+            final int index = StringUtils.indexOfIgnoreCase(username, emailPattern);
+            if (index >= 0) {
+                String[] dnParts = username.split(emailPattern);
+                if (dnParts.length > 0) {
+                    // only use the actual CN
+                    username = dnParts[0];
+                }
+            }
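
Review bot: the match and the split inside the `if (index >= 0)` block disagree on case. `StringUtils.indexOfIgnoreCase(username, emailPattern)` also matches a differently cased attribute name such as "/EMAILADDRESS=", but `username.split(emailPattern)` is case-sensitive (and interprets its argument as a regex), so in that case the split returns the whole string as `dnParts[0]` and the username keeps the e-mail suffix. Since `index` is already computed, `username = StringUtils.substring(username, 0, index);` would cut at the matched position and make the `dnParts.length > 0` check unnecessary. A unit test with an upper-case attribute name would cover this path.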

Review comment:
       Yes, I considered it, though as the other logic (see already existing code above the lines added by me) was not using regex for a similar problem, I tried to keep the code consistent by following the same approach.



