[GitHub] [cloudstack] sureshanaparti commented on a change in pull request #4852: Allow host cert renewals even if client auth strictness is false

[GitBox]

sureshanaparti commented on a change in pull request #4852:
URL: https://github.com/apache/cloudstack/pull/4852#discussion_r614745679



##########
File path: 
plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCACustomTrustManager.java
##########
@@ -79,57 +79,58 @@ public void checkClientTrusted(final X509Certificate[] 
certificates, final Strin
         if (LOG.isDebugEnabled()) {
             printCertificateChain(certificates, s);
         }
-        if (!authStrictness) {
-            return;
-        }
-        if (certificates == null || certificates.length < 1 || certificates[0] 
== null) {
-            throw new CertificateException("In strict auth mode, 
certificate(s) are expected from client:" + clientAddress);
-        }
-        final X509Certificate primaryClientCertificate = certificates[0];
-
-        // Revocation check
-        final BigInteger serialNumber = 
primaryClientCertificate.getSerialNumber();
-        if (serialNumber == null || crlDao.findBySerial(serialNumber) != null) 
{
-            final String errorMsg = String.format("Client is using revoked 
certificate of serial=%x, subject=%s from address=%s",
-                    primaryClientCertificate.getSerialNumber(), 
primaryClientCertificate.getSubjectDN(), clientAddress);
-            LOG.error(errorMsg);
-            throw new CertificateException(errorMsg);
-        }
 
-        // Validity check
-        if (!allowExpiredCertificate) {
-            try {
-                primaryClientCertificate.checkValidity();
-            } catch (final CertificateExpiredException | 
CertificateNotYetValidException e) {
-                final String errorMsg = String.format("Client certificate has 
expired with serial=%x, subject=%s from address=%s",
+        final X509Certificate primaryClientCertificate = (certificates != null 
&& certificates.length > 0 && certificates[0] != null) ? certificates[0] : null;
+
+        if (authStrictness) {
+            if (primaryClientCertificate == null) {
+                throw new CertificateException("In strict auth mode, 
certificate(s) are expected from client:" + clientAddress);
+            }
+
+            // Revocation check
+            final BigInteger serialNumber = 
primaryClientCertificate.getSerialNumber();
+            if (serialNumber == null || crlDao.findBySerial(serialNumber) != 
null) {
+                final String errorMsg = String.format("Client is using revoked 
certificate of serial=%x, subject=%s from address=%s",

Review comment:
       yes pls, when auth strictness is disabled (_authStrictness_ - false) and 
_primaryClientCertificate_ is null @Slair1 




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org