This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 481046f  NIFI-8286 Extended CertificateUtils to allow parsing of CNs 
conforming to RFC5280
481046f is described below

commit 481046f5be89831517952d1d930a189a8425cfe4
Author: Janosch Woschitz <[email protected]>
AuthorDate: Tue Mar 2 17:18:54 2021 +0100

    NIFI-8286 Extended CertificateUtils to allow parsing of CNs conforming to 
RFC5280
    
    This closes #4866
    
    Signed-off-by: David Handermann <[email protected]>
---
 .../apache/nifi/security/util/CertificateUtils.java | 21 +++++++++++++++++++++
 .../nifi/security/util/CertificateUtilsTest.groovy  |  9 +++++++++
 2 files changed, 30 insertions(+)

diff --git 
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
 
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
index 0e4d387..2f2ec87 100644
--- 
a/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
+++ 
b/nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
@@ -149,6 +149,27 @@ public final class CertificateUtils {
                     username = StringUtils.substring(dn, cnIndex + 
cnPattern.length());
                 }
             }
+
+            /*
+                https://tools.ietf.org/html/rfc5280#section-4.1.2.6
+
+                Legacy implementations exist where an electronic mail address 
is
+                embedded in the subject distinguished name as an emailAddress
+                attribute [RFC2985].  The attribute value for emailAddress is 
of type
+                IA5String to permit inclusion of the character '@', which is 
not part
+                of the PrintableString character set.  emailAddress attribute 
values
+                are not case-sensitive (e.g., "[email protected]" is the 
same as
+                "[email protected]").
+             */
+            final String emailPattern = "/emailAddress=";
+            final int index = StringUtils.indexOfIgnoreCase(username, 
emailPattern);
+            if (index >= 0) {
+                String[] dnParts = username.split(emailPattern);
+                if (dnParts.length > 0) {
+                    // only use the actual CN
+                    username = dnParts[0];
+                }
+            }
         }
 
         return username;
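Review bot: The match and the split disagree on case: `StringUtils.indexOfIgnoreCase(username, emailPattern)` accepts `/EMAILADDRESS=` or `/EmailAddress=`, but `username.split(emailPattern)` is case-sensitive, so for those spellings `index >= 0` holds, the split returns the whole string, and `dnParts[0]` leaves the email attribute in the returned username — the extracted identity then differs depending on how the attribute name was capitalised, which is the case the RFC 5280 comment says should not matter. Since `index` already locates the attribute, the split and the length check can be replaced by a single truncation that is consistent with the case-insensitive search: `username = username.substring(0, index);`. The `split` also treats its argument as a regex; the literal has no metacharacters today, but the substring form removes that dependency as well. The enclosing method starts before this hunk and its closing brace is outside it.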
diff --git 
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
 
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
index 03ab118..6155a9a 100644
--- 
a/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
+++ 
b/nifi-commons/nifi-security-utils/src/test/groovy/org/apache/nifi/security/util/CertificateUtilsTest.groovy
@@ -60,6 +60,7 @@ import java.util.concurrent.Future
 import java.util.concurrent.TimeUnit
 import java.util.concurrent.atomic.AtomicBoolean
 
+import static org.junit.Assert.assertEquals
 import static org.junit.Assert.assertTrue
 
 @RunWith(JUnit4.class)
@@ -75,6 +76,7 @@ class CertificateUtilsTest extends GroovyTestCase {
     private static final String PROVIDER = "BC"
 
     private static final String SUBJECT_DN = "CN=NiFi Test 
Server,OU=Security,O=Apache,ST=CA,C=US"
+    private static final String SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985 = 
"CN=NiFi Test 
Server/[email protected],OU=Security,O=Apache,ST=CA,C=US"
     private static final String ISSUER_DN = "CN=NiFi Test 
CA,OU=Security,O=Apache,ST=CA,C=US"
     private static final List<String> SUBJECT_ALT_NAMES = ["127.0.0.1", 
"nifi.nifi.apache.org"]
 
@@ -647,6 +649,13 @@ class CertificateUtilsTest extends GroovyTestCase {
         assert(extensions.equivalent(sanExtensions))
     }
 
+    @Test
+    void testExtractUserNameFromDN() {
+        String expected = "NiFi Test Server"
+        assertEquals(CertificateUtils.extractUsername(SUBJECT_DN), expected)
+        
assertEquals(CertificateUtils.extractUsername(SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985),
 expected)
+    }
+
     // Using this directly from tls-toolkit results in a dependency loop, so 
it's added here for testing purposes.
     private static Extensions 
createDomainAlternativeNamesExtensions(List<String> domainAlternativeNames, 
String requestedDn) throws IOException {
         List<GeneralName> namesList = new ArrayList<>()
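Review bot: `assertEquals` in the new `testExtractUserNameFromDN` is called as `(actual, expected)`, while JUnit's signature is `assertEquals(expected, actual)`; the test still passes, but on failure the message reports the values the wrong way round. Both calls should read `assertEquals(expected, CertificateUtils.extractUsername(SUBJECT_DN))` and `assertEquals(expected, CertificateUtils.extractUsername(SUBJECT_DN_LEGACY_EMAIL_ATTR_RFC2985))`. The fixture in the earlier hunk of this file only uses the lower-camel spelling `emailAddress`; a second constant with the attribute name in a different case would exercise the case-insensitive matching the production comment describes.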
