Author: fschumacher Date: Sat Nov 24 15:40:02 2018 New Revision: 1847368 URL: http://svn.apache.org/viewvc?rev=1847368&view=rev Log: Use different cn and type of SAN extension when we are generating certificates based on IP addresses.
Bugzilla Id: 62940 Modified: jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java jmeter/trunk/xdocs/changes.xml Modified: jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java URL: http://svn.apache.org/viewvc/jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java?rev=1847368&r1=1847367&r2=1847368&view=diff ============================================================================== --- jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java (original) +++ jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java Sat Nov 24 15:40:02 2018 @@ -30,6 +30,7 @@ import java.util.List; import org.apache.commons.io.FileUtils; import org.apache.commons.lang3.SystemUtils; +import org.apache.commons.lang3.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -281,8 +282,8 @@ public class KeyToolUtils { private static void generateSignedCert(File keystore, String password, int validity, String alias, String subject) throws IOException { - String dname = "cn=" + subject + ", o=JMeter Proxy (TEMPORARY TRUST ONLY)"; - String ext = "san=dns:" + subject; + String dname = "cn=" + guardSubjectName(subject) + ", o=JMeter Proxy (TEMPORARY TRUST ONLY)"; + String ext = "san=" + chooseExtension(subject); KeyToolUtils.genkeypair(keystore, alias, password, validity, dname, ext); //rem generate cert for DOMAIN using CA and import it 
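Review bot: `subject` is still concatenated unescaped into both the `dname` and the `ext` string in generateSignedCert, and `guardSubjectName` only prefixes a leading digit, so despite its name and its `@return` text it does not make the value safe for a distinguished name. A subject containing `,`, `+` or `=` would change the structure of the DN, and a comma would add further entries to the SAN list. If the subject can originate from the host of a recorded request (the callers are not visible here), it should be validated before either string is built, e.g. `if (!subject.matches("[A-Za-z0-9.:-]+")) { throw new IllegalArgumentException("Invalid host: " + subject); }`. The body of generateSignedCert continues past the end of this hunk.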
@@ -302,6 +303,34 @@ public class KeyToolUtils {
 }
 /**
+ * The subject name of an certificate must not start with a number or else the keytool will bark.
+ * To mitigate this prefix the argument with a word, if it starts with a number.
+ *
+ * @param subject name of the host or an IP address
+ * @return a string that is safe to use as subject name
+ */
+ private static String guardSubjectName(String subject) {
+ if (NumberUtils.isDigits(subject.substring(0,1))) {
+ return "ip" + subject;
+ }
+ return subject;
+ }
+
+ /**
+ * The SAN (subject alternative name) includes the IP address or hostname of the service, but the types
+ * are different for IP address and hostname.
+ *
+ * @param subject name of the host or its IP address
+ * @return prefixed extension
+ */
+ private static String chooseExtension(String subject) {
+ if (NumberUtils.isDigits(subject.substring(0,1))) {
+ return "ip:" + subject;
+ }
+ return "dns:" + subject;
+ }
+
+ /**
 * List the contents of a keystore
 *
 * @param keystore
Modified: jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java URL: http://svn.apache.org/viewvc/jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java?rev=1847368&r1=1847367&r2=1847368&view=diff ==============================================================================
--- jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java (original)
+++ jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java Sat Nov 24 15:40:02 2018
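Review bot: Both new helpers classify the subject by its first character only, via `NumberUtils.isDigits(subject.substring(0,1))`, which throws StringIndexOutOfBoundsException for an empty subject and labels any hostname that begins with a digit (constructed example: `1host.example.invalid`) as `ip:`, a SAN type the name does not match. Conversely, an IPv6 literal that begins with a hex letter or `::` would be emitted as `dns:`, if such subjects can reach this code. I would keep the leading-digit guard for the cn, since that is the keytool restriction the Javadoc describes, but decide the SAN type with one shared predicate that recognises a complete IP literal, as sketched below. Separately, "an certificate" in the new Javadoc should read "a certificate".
```java
private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

/** True only for a complete IP literal, not for any name that merely starts with a digit. */
private static boolean isIpLiteral(String subject) {
    // A hostname cannot contain ':', so a colon is taken to mean an IPv6 literal.
    return subject.indexOf(':') >= 0 || IPV4_LITERAL.matcher(subject).matches();
}

private static String guardSubjectName(String subject) {
    // Leading-digit guard kept for the keytool restriction described in the Javadoc.
    if (!subject.isEmpty() && Character.isDigit(subject.charAt(0))) {
        return "ip" + subject;
    }
    return subject;
}

private static String chooseExtension(String subject) {
    return (isIpLiteral(subject) ? "ip:" : "dns:") + subject;
}
```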
@@ -24,14 +24,35 @@ package org.apache.jorphan.exec; import static org.junit.Assert.fail; +import java.io.File; import java.io.IOException; import java.util.ArrayList; import java.util.List; +import org.apache.commons.lang3.RandomStringUtils; +import org.junit.After; +import org.junit.Before; import org.junit.Test; public class TestKeyToolUtils { + private File keystore; + private String password = RandomStringUtils.randomAlphabetic(32); + private int validity = 1; + + @Before + public void setup() throws IOException { + keystore = File.createTempFile("dummy-keystore", "jks"); + keystore.deleteOnExit(); + KeyToolUtils.generateProxyCA(keystore, password , validity ); + } + + @After + public void cleanup() { + if (keystore.exists()) { + keystore.delete(); + } + } /* * Check the assumption that a missing executable will generate @@ -51,4 +72,15 @@ public class TestKeyToolUtils { } catch (IOException expected) { } } + + @Test + public void testIPBasedCert() throws Exception { + KeyToolUtils.generateHostCert(keystore, password, "10.1.2.3", validity); + } + + @Test + public void testDNSNameBasedCert() throws Exception { + KeyToolUtils.generateHostCert(keystore, password, "www.example.invalid", validity); + } + } Modified: jmeter/trunk/xdocs/changes.xml URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1847368&r1=1847367&r2=1847368&view=diff ============================================================================== --- jmeter/trunk/xdocs/changes.xml [utf-8] (original) +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Nov 24 15:40:02 2018 
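Review bot: In `setup`, `File.createTempFile("dummy-keystore", "jks")` passes a suffix without the dot, so the file name ends in `jks` rather than `.jks`; `".jks"` reads as the intent. `cleanup` discards the result of `keystore.delete()`, so a keystore left behind in the temp directory goes unnoticed; checking the return value, or using `Files.deleteIfExists(keystore.toPath())` with `throws IOException` on the method, would surface that. The `password` and `validity` fields are never reassigned in the visible code and could be `final`.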
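Review bot: `testIPBasedCert` and `testDNSNameBasedCert` assert nothing, so they pass whenever keytool exits without an exception and would not notice a SAN written with the wrong type. Each test should inspect the generated entry, for example through the keystore-listing helper whose Javadoc appears in the KeyToolUtils diff, and check that the IP case carries an IP-address SAN and the host-name case a DNS-name SAN. A host name with a leading digit and an empty subject would be useful extra cases, because the new helpers decide on the first character alone. A short comment on each test stating what outcome it expects would also help, since the bodies are a single call.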
@@ -149,6 +149,7 @@ of previous time slot as a base. Startin
 <li><bug>62785</bug><pr>400</pr>Incomplete search path applied to the filenames used in the upload functionality of the HTTP sampler. Implemented by Artem Fedorov (artem.fedorov at blazemeter.com) and contributed by BlazeMeter.</li>
 <li><bug>62842</bug>HTTP(S) Test Script Recorder: Brotli compression is not supported leading to "<code>Content Encoding Error</code>"</li>
 <li><bug>60424</bug>Hessian Burlap application: JMeter inserts <code>0x0D</code> before <code>0x0A</code> automatically (http binary post data)</li>
+ <li><bug>62940</bug>Use different <code>cn</code> and type of SAN extension when we are generating certificates based on IP addresses.</li>
 </ul>
 <h3>Other Samplers</h3>