Author: fschumacher
Date: Sat Nov 24 15:40:02 2018
New Revision: 1847368

URL: http://svn.apache.org/viewvc?rev=1847368&view=rev
Log:
Use a different cn and a different SAN extension type (ip: instead of dns:) when generating certificates for subjects that are IP addresses rather than hostnames.

Bugzilla Id: 62940

Modified:
    jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java
    jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java
    jmeter/trunk/xdocs/changes.xml

Modified: jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java
URL: 
http://svn.apache.org/viewvc/jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java?rev=1847368&r1=1847367&r2=1847368&view=diff
==============================================================================
--- jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java 
(original)
+++ jmeter/trunk/src/jorphan/org/apache/jorphan/exec/KeyToolUtils.java Sat Nov 
24 15:40:02 2018
@@ -30,6 +30,7 @@ import java.util.List;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.SystemUtils;
+import org.apache.commons.lang3.math.NumberUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -281,8 +282,8 @@ public class KeyToolUtils {
 
     private static void generateSignedCert(File keystore, String password,
             int validity, String alias, String subject) throws IOException {
-        String dname = "cn=" + subject + ", o=JMeter Proxy (TEMPORARY TRUST 
ONLY)";
-        String ext = "san=dns:" + subject;
+        String dname = "cn=" + guardSubjectName(subject) + ", o=JMeter Proxy 
(TEMPORARY TRUST ONLY)";
+        String ext = "san=" + chooseExtension(subject);
         KeyToolUtils.genkeypair(keystore, alias, password, validity, dname, 
ext);
         //rem generate cert for DOMAIN using CA and import it
 
@@ -302,6 +303,34 @@ public class KeyToolUtils {
     }
 
     /**
+     * The subject name of an certificate must not start with a number or else 
the keytool will bark.
+     * To mitigate this prefix the argument with a word, if it starts with a 
number.
+     *
+     * @param subject name of the host or an IP address
+     * @return a string that is safe to use as subject name
+     */
+    private static String guardSubjectName(String subject) {
+        if (NumberUtils.isDigits(subject.substring(0,1))) {
+            return "ip" + subject;
+        }
+        return subject;
+    }
+
+    /**
+     * The SAN (subject alternative name) includes the IP address or hostname 
of the service, but the types
+     * are different for IP address and hostname.
+     *
+     * @param subject name of the host or its IP address
+     * @return prefixed extension
+     */
+    private static String chooseExtension(String subject) {
+        if (NumberUtils.isDigits(subject.substring(0,1))) {
+            return "ip:" + subject;
+        }
+        return "dns:" + subject;
+    }
+
+    /**
      * List the contents of a keystore
      *
      * @param keystore
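Review bot: `subject.substring(0,1)` in both `guardSubjectName` and `chooseExtension` throws StringIndexOutOfBoundsException for an empty subject, and a leading digit is not a reliable test for an IP literal: DNS labels may start with a digit, and IPv6 literals such as `::1` or `fe80::1` start with a colon or a letter and would be emitted as `dns:`. A single predicate that matches a dotted-quad or a colon-containing literal is more robust and removes the duplicated check (the `NumberUtils` import added in this commit would then be unused; `java.util.regex.Pattern` is needed instead). The Javadoc should also state the assumption explicitly, e.g. `Treats a dotted-quad or any value containing ':' as an IP literal; everything else is a DNS name.`

```java
private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");

/** True for a dotted-quad IPv4 or a colon-containing IPv6 literal; everything else is treated as a DNS name. */
private static boolean isIpAddress(String subject) {
    return subject != null
            && (IPV4_LITERAL.matcher(subject).matches() || subject.indexOf(':') >= 0);
}

private static String guardSubjectName(String subject) {
    // keytool rejects a cn that starts with a digit, so prefix IP literals with a word
    return isIpAddress(subject) ? "ip" + subject : subject;
}

private static String chooseExtension(String subject) {
    return (isIpAddress(subject) ? "ip:" : "dns:") + subject;
}
```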

Modified: jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java
URL: 
http://svn.apache.org/viewvc/jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java?rev=1847368&r1=1847367&r2=1847368&view=diff
==============================================================================
--- jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java 
(original)
+++ jmeter/trunk/test/src/org/apache/jorphan/exec/TestKeyToolUtils.java Sat Nov 
24 15:40:02 2018
@@ -24,14 +24,35 @@ package org.apache.jorphan.exec;
 
 import static org.junit.Assert.fail;
 
+import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
+import org.apache.commons.lang3.RandomStringUtils;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
 
 public class TestKeyToolUtils {
 
+    private File keystore;
+    private String password = RandomStringUtils.randomAlphabetic(32);
+    private int validity = 1;
+
+    @Before
+    public void setup() throws IOException {
+        keystore = File.createTempFile("dummy-keystore", "jks");
+        keystore.deleteOnExit();
+        KeyToolUtils.generateProxyCA(keystore, password , validity );
+    }
+
+    @After
+    public void cleanup() {
+        if (keystore.exists()) {
+            keystore.delete();
+        }
+    }
 
     /*
      * Check the assumption that a missing executable will generate
@@ -51,4 +72,15 @@ public class TestKeyToolUtils {
         } catch (IOException expected) {
         }
     }
+
+    @Test
+    public void testIPBasedCert() throws Exception {
+        KeyToolUtils.generateHostCert(keystore, password, "10.1.2.3", 
validity);
+    }
+
+    @Test
+    public void testDNSNameBasedCert() throws Exception {
+        KeyToolUtils.generateHostCert(keystore, password, 
"www.example.invalid", validity);
+    }
+
 }
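Review bot: `testIPBasedCert` and `testDNSNameBasedCert` only check that `generateHostCert` does not throw; they do not verify that the IP case actually produced an `ip:` SAN and an `ip`-prefixed cn, which is the behaviour this commit introduces. If `KeyToolUtils.list(keystore, password)` (the keystore listing method visible in the same file) returns the keytool output, asserting that it contains the expected alias or cn would pin the change. A third case with a digit-leading hostname such as `KeyToolUtils.generateHostCert(keystore, password, "3com.example.invalid", validity);` would also expose the first-character heuristic, since such a name is a valid DNS label but will be classified as an IP address.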

Modified: jmeter/trunk/xdocs/changes.xml
URL: 
http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1847368&r1=1847367&r2=1847368&view=diff
==============================================================================
--- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
+++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Nov 24 15:40:02 2018
@@ -149,6 +149,7 @@ of previous time slot as a base. Startin
     <li><bug>62785</bug><pr>400</pr>Incomplete search path applied to the 
filenames used in the upload functionality of the HTTP sampler. Implemented by 
Artem Fedorov (artem.fedorov at blazemeter.com) and contributed by 
BlazeMeter.</li>
     <li><bug>62842</bug>HTTP(S) Test Script Recorder: Brotli compression is 
not supported leading to "<code>Content Encoding Error</code>"</li>
     <li><bug>60424</bug>Hessian Burlap application: JMeter inserts 
<code>0x0D</code> before <code>0x0A</code> automatically (http binary post 
data)</li>
+    <li><bug>62940</bug>Use different <code>cn</code> and type of SAN 
extension when we are generating certificates based on IP addresses.</li>
 </ul>
 
 <h3>Other Samplers</h3>

