[
https://issues.apache.org/jira/browse/CAMEL-22623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bjorn Beskow updated CAMEL-22623:
---------------------------------
Description:
"CAMEL-22257: Java 25 deprecations" fixed deprecations in
X509Certificate, replacing X509Certificate.get\{Subject|Issuer}DN() with
X509Certificate.
get\{Subject|Issuer}X500Principal()
In camel-netty, this is done in NettyEndpoint to extract certificate
information into headers:
{code:java}
Principal subject = cert.getSubjectDN();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerDN();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
}{code}
was changed into
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
} {code}
The output however differs:
cert.getSubjectDN().getName()
results in a user-friendly string representation of the DN, as presented by
most other tools (eg. NGinx when extracting a client certificate into header
'ssl-client-subject-dn').
The output from the (non-deprecated)
cert.getSubjectX500Principal().getName()
instead results in a string representation of the DN in RFC2253 format, a
somewhat obscure format defined for LDAP. The difference is only visible for
certificates that contains a DN attribute other than the keywords defined in
RFC2253 (CN, L, ST, O, OU, C, STREET). All other attributes are emitted in OID
representation. This is likely not what is expected in a typical use case.
Example: Given the following certificate:
{noformat}
➜ openssl x509 -in client.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:f1:91:b1:b4:49:41:89:13:84:db:d0:cf:4f:ed:1a:c3:06:6a:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SE, ST=Sverige, O=VGR, CN=self-signed root
Validity
Not Before: Aug 15 09:37:53 2024 GMT
Not After : Nov 18 09:37:53 2026 GMT
Subject: C=SE, ST=Sweden, O=VGR, CN=client,
serialNumber=SE0000000000-client
{noformat}
The old (deprecated) cert.getSubjectDN().getName() gives
SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE
whereas cert.getSubjectX500Principal().getName() gives
2.5.4.5=#13135345303030303030303030302d636c69656e74,CN=client,O=VGR,ST=Sweden,C=SE
The difference being the attribute SERIALNUMBER is encoded in a (standardized
but human-unreadable) OID format.
In order to restore the previous behavior while still using a non-deprecated
API, I suggest using X500Principal.toString() instead of
X500Principal.getName(), which returns the same, user-friendly representation.
I.e. in
[https://github.com/apache/camel/commit/b4d982e5afc4283e45b97c45dfb7ecf3d9382ed1]
the change in NettyEndpoint should instead be
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.toString());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.toString());
} {code}
was:
"CAMEL-22257: Java 25 deprecations" fixed deprecations in
X509Certificate, replacing X509Certificate.get\{Subject|Issuer}DN() with
X509Certificate.
get{Subject|Issuer}X500Principal().
In camel-netty, this is done in NettyEndpoint to extract certificate
information into headers:
{code:java}
Principal subject = cert.getSubjectDN();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerDN();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
}{code}
was changed into
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.getName());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.getName());
} {code}
The output however differs:
cert.getSubjectDN().getName()
results in a user-friendly string representation of the DN, as presented by
most other tools (eg. NGinx when extracting a client certificate into header
'ssl-client-subject-dn').
The output from the (non-deprecated)
cert.getSubjectX500Principal().getName()
instead results in a string representation of the DN in RFC2253 format, a
somewhat obscure format defined for LDAP. The difference is only visible for
certificates that contains a DN attribute other than the keywords defined in
RFC2253 (CN, L, ST, O, OU, C, STREET). All other attributes are emitted in OID
representation. This is likely not what is expected in a typical use case.
Example: Given the following certificate:
{noformat}
➜ openssl x509 -in client.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:f1:91:b1:b4:49:41:89:13:84:db:d0:cf:4f:ed:1a:c3:06:6a:0e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=SE, ST=Sverige, O=VGR, CN=self-signed root
Validity
Not Before: Aug 15 09:37:53 2024 GMT
Not After : Nov 18 09:37:53 2026 GMT
Subject: C=SE, ST=Sweden, O=VGR, CN=client,
serialNumber=SE0000000000-client
{noformat}
The old (deprecated) cert.getSubjectDN().getName() gives
SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE
whereas cert.getSubjectX500Principal().getName() gives
2.5.4.5=#13135345303030303030303030302d636c69656e74,CN=client,O=VGR,ST=Sweden,C=SE
The difference being the attribute SERIALNUMBER is encoded in a (standardized
but human-unreadable) OID format.
In order to restore the previous behavior while still using a non-deprecated
API, I suggest using X500Principal.toString() instead of
X500Principal.getName(), which returns the same, user-friendly representation.
I.e. in
[https://github.com/apache/camel/commit/b4d982e5afc4283e45b97c45dfb7ecf3d9382ed1]
the change in NettyEndpoint should instead be
{code:java}
Principal subject = cert.getSubjectX500Principal();
if (subject != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
subject.toString());
}
Principal issuer = cert.getIssuerX500Principal();
if (issuer != null) {
message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
issuer.toString());
} {code}
> Regression: CamelNettySSLClientCertSubjectName changed from readable string
> representation to obscure RFC2253 format
> --------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-22623
> URL: https://issues.apache.org/jira/browse/CAMEL-22623
> Project: Camel
> Issue Type: Improvement
> Components: camel-netty
> Affects Versions: 4.14.1
> Reporter: Bjorn Beskow
> Priority: Minor
> Fix For: 4.14.3, 4.16.0
>
>
> "CAMEL-22257: Java 25 deprecations" fixed deprecations in
> X509Certificate, replacing X509Certificate.get\{Subject|Issuer}DN() with
> X509Certificate.
> get\{Subject|Issuer}X500Principal()
>
> In camel-netty, this is done in NettyEndpoint to extract certificate
> information into headers:
>
> {code:java}
> Principal subject = cert.getSubjectDN();
> if (subject != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
> subject.getName());
> }
> Principal issuer = cert.getIssuerDN();
> if (issuer != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
> issuer.getName());
> }{code}
> was changed into
> {code:java}
> Principal subject = cert.getSubjectX500Principal();
> if (subject != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
> subject.getName());
> }
> Principal issuer = cert.getIssuerX500Principal();
> if (issuer != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
> issuer.getName());
> } {code}
> The output however differs:
>
> cert.getSubjectDN().getName()
>
> results in a user-friendly string representation of the DN, as presented by
> most other tools (eg. NGinx when extracting a client certificate into header
> 'ssl-client-subject-dn').
>
> The output from the (non-deprecated)
>
> cert.getSubjectX500Principal().getName()
>
> instead results in a string representation of the DN in RFC2253 format, a
> somewhat obscure format defined for LDAP. The difference is only visible for
> certificates that contains a DN attribute other than the keywords defined in
> RFC2253 (CN, L, ST, O, OU, C, STREET). All other attributes are emitted in
> OID representation. This is likely not what is expected in a typical use case.
>
> Example: Given the following certificate:
> {noformat}
> ➜ openssl x509 -in client.crt -text -noout
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 50:f1:91:b1:b4:49:41:89:13:84:db:d0:cf:4f:ed:1a:c3:06:6a:0e
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=SE, ST=Sverige, O=VGR, CN=self-signed root
> Validity
> Not Before: Aug 15 09:37:53 2024 GMT
> Not After : Nov 18 09:37:53 2026 GMT
> Subject: C=SE, ST=Sweden, O=VGR, CN=client,
> serialNumber=SE0000000000-client
> {noformat}
> The old (deprecated) cert.getSubjectDN().getName() gives
>
> SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE
>
> whereas cert.getSubjectX500Principal().getName() gives
>
> 2.5.4.5=#13135345303030303030303030302d636c69656e74,CN=client,O=VGR,ST=Sweden,C=SE
>
> The difference being the attribute SERIALNUMBER is encoded in a (standardized
> but human-unreadable) OID format.
>
> In order to restore the previous behavior while still using a non-deprecated
> API, I suggest using X500Principal.toString() instead of
> X500Principal.getName(), which returns the same, user-friendly representation.
>
> I.e. in
> [https://github.com/apache/camel/commit/b4d982e5afc4283e45b97c45dfb7ecf3d9382ed1]
> the change in NettyEndpoint should instead be
>
> {code:java}
> Principal subject = cert.getSubjectX500Principal();
> if (subject != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME,
> subject.toString());
> }
> Principal issuer = cert.getIssuerX500Principal();
> if (issuer != null) {
> message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME,
> issuer.toString());
> } {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
