Bjorn Beskow created CAMEL-22623:
------------------------------------
Summary: Regression: CamelNettySSLClientCertSubjectName changed
from readable string representation to obscure RFC2253 format
Key: CAMEL-22623
URL: https://issues.apache.org/jira/browse/CAMEL-22623
Project: Camel
Issue Type: Bug
Components: camel-netty
Affects Versions: 4.14.1
Reporter: Bjorn Beskow
"CAMEL-22257: Java 25 deprecations" fixed deprecations in
X509Certificate, replacing X509Certificate.get\{Subject|Issuer}DN() with
X509Certificate.
get{Subject|Issuer}X500Principal().
In camel-netty, this is done in NettyEndpoint to extract certificate
information into headers:
{code:java}
Principal subject = cert.getSubjectDN();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerDN();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
}{code}
was changed into
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
} {code}
The output however differs:
cert.getSubjectDN().getName()
results in a user-friendly string representation of the DN, as presented by
most other tools (eg. NGinx when extracting a client certificate into header
'ssl-client-subject-dn').
The output from the (non-deprecated)
cert.getSubjectX500Principal().getName()
instead results in a string representation of the DN in RFC2253 format, a
somewhat obscure format defined for LDAP. The difference is only visible for
certificates that contains a DN attribute other than the keywords defined in
RFC2253 (CN, L, ST, O, OU, C, STREET). All other attributes are emitted in OID
representation. This is likely not what is expected in a typical use case.
Example: Given the following certificate:
{noformat}
➜ openssl x509 -in client.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:f1:91:b1:b4:49:41:89:13:84:db:d0:cf:4f:ed:1a:c3:06:6a:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SE, ST=Sverige, O=VGR, CN=self-signed root
Validity
Not Before: Aug 15 09:37:53 2024 GMT
Not After : Nov 18 09:37:53 2026 GMT
Subject: C=SE, ST=Sweden, O=VGR, CN=client,
serialNumber=SE0000000000-client
{noformat}
The old (deprecated) cert.getSubjectDN().getName() gives
SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE
whereas cert.getSubjectX500Principal().getName() gives
2.5.4.5=#13135345303030303030303030302d636c69656e74,CN=client,O=VGR,ST=Sweden,C=SE
The difference being the attribute SERIALNUMBER is encoded in a (standardized
but human-unreadable) OID format.
In order to restore the previous behavior while still using a non-deprecated
API, I suggest using X500Principal.toString() instead of
X500Principal.getName(), which returns the same, user-friendly representation.
I.e. in
[https://github.com/apache/camel/commit/b4d982e5afc4283e45b97c45dfb7ecf3d9382ed1]
the change in NettyEndpoint should instead be
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.toString());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.toString());
} {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
