[
https://issues.apache.org/jira/browse/CAMEL-22623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen resolved CAMEL-22623.
---------------------------------
Resolution: Fixed
Thanks for reporting and the PR
> Regression: CamelNettySSLClientCertSubjectName changed from readable string
> representation to obscure RFC2253 format
> --------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-22623
> URL: https://issues.apache.org/jira/browse/CAMEL-22623
> Project: Camel
> Issue Type: Improvement
> Components: camel-netty
> Affects Versions: 4.14.1
> Reporter: Bjorn Beskow
> Priority: Minor
> Fix For: 4.14.3, 4.16.0
>
>
> "CAMEL-22257: Java 25 deprecations" fixed deprecations in
> X509Certificate, replacing X509Certificate.get{Subject|Issuer}DN() with
> X509Certificate.get{Subject|Issuer}X500Principal()
>
> In camel-netty, this is done in NettyEndpoint to extract certificate
> information into headers:
>
> {code:java}
> Principal subject = cert.getSubjectDN();
> if (subject != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME, subject.getName());
> }
> Principal issuer = cert.getIssuerDN();
> if (issuer != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME, issuer.getName());
> }
> {code}
> was changed into
> {code:java}
> Principal subject = cert.getSubjectX500Principal();
> if (subject != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME, subject.getName());
> }
> Principal issuer = cert.getIssuerX500Principal();
> if (issuer != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME, issuer.getName());
> }
> {code}
> The output of Principal.getName() however differs:
>
> cert.getSubjectDN().getName()
>
> results in a user-friendly string representation of the DN, as presented by
> most other tools (e.g. NGinx when extracting a client certificate into header
> 'ssl-client-subject-dn').
>
> The output from the (non-deprecated)
>
> cert.getSubjectX500Principal().getName()
>
> instead results in a string representation of the DN in RFC2253 format, a
> somewhat obscure format defined for LDAP. The difference is only visible for
> certificates that contain a DN attribute other than the keywords defined in
> RFC2253 (CN, L, ST, O, OU, C, STREET). All other attributes are emitted in
> OID representation. This is likely not what is expected in a typical use case.
>
> Example: Given the following certificate:
> {noformat}
> ➜ openssl x509 -in client.crt -text -noout
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 50:f1:91:b1:b4:49:41:89:13:84:db:d0:cf:4f:ed:1a:c3:06:6a:0e
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: C=SE, ST=Sverige, O=VGR, CN=self-signed root
> Validity
> Not Before: Aug 15 09:37:53 2024 GMT
> Not After : Nov 18 09:37:53 2026 GMT
> Subject: C=SE, ST=Sweden, O=VGR, CN=client, serialNumber=SE0000000000-client
> {noformat}
> The old (deprecated) cert.getSubjectDN().getName() gives
>
> SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE
>
> whereas cert.getSubjectX500Principal().getName() gives
>
> 2.5.4.5=#13135345303030303030303030302d636c69656e74,CN=client,O=VGR,ST=Sweden,C=SE
>
> The difference is that the attribute SERIALNUMBER is encoded in a (standardized
> but human-unreadable) OID format.
>
> In order to restore the previous behavior while still using a non-deprecated
> API, I suggest using X500Principal.toString() instead of
> X500Principal.getName(), which returns the same, user-friendly representation.
>
> I.e. in
> [https://github.com/apache/camel/commit/b4d982e5afc4283e45b97c45dfb7ecf3d9382ed1]
> the change in NettyEndpoint should instead be
>
> {code:java}
> Principal subject = cert.getSubjectX500Principal();
> if (subject != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME, subject.toString());
> }
> Principal issuer = cert.getIssuerX500Principal();
> if (issuer != null) {
>     message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME, issuer.toString());
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
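Added example, not part of the issue or of the Camel code base: a stand-alone Java program that builds an X500Principal from a constructed DN mirroring the one in the report and prints the three string forms discussed above (getName() in RFC 2253 with the serialNumber attribute as an OID, getName() with an extra OID-to-keyword map, and toString()). It also shows the practical consequence for a route that authorizes on the CamelNettySSLClientCertSubjectName header: a plain string comparison against a stored DN silently fails when the header format changes between Camel versions, whereas parsing the header back into an X500Principal and using equals() compares the canonical form and is independent of the format. The class name, the sample DN and the sameSubject helper are assumptions made for this example; the X500Principal API calls are standard JDK.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Map;

/**
 * Added example (not Camel's code): the string forms a client-certificate DN
 * can take, and a format-independent way to compare a DN carried in a header.
 */
public class SubjectDnFormats {

    // Constructed sample DN, modelled on the certificate in CAMEL-22623 (no real certificate involved).
    static final String FRIENDLY_DN =
            "SERIALNUMBER=SE0000000000-client, CN=client, O=VGR, ST=Sweden, C=SE";

    /** What camel-netty 4.14.1 puts in the header: getName() is RFC 2253, serialNumber becomes 2.5.4.5=#... */
    static String rfc2253(X500Principal p) {
        return p.getName();
    }

    /** RFC 2253 with a caller-supplied keyword for OID 2.5.4.5, so the attribute is rendered by name. */
    static String rfc2253WithKeywords(X500Principal p) {
        return p.getName(X500Principal.RFC2253, Map.of("2.5.4.5", "SERIALNUMBER"));
    }

    /** The user-friendly form the issue proposes to restore (the JDK documents no exact layout for it). */
    static String friendly(X500Principal p) {
        return p.toString();
    }

    /**
     * Hypothetical authorization helper: compares a header value with an expected DN
     * as X500Principal objects, i.e. by canonical form, so the result does not depend
     * on whether the header was produced with getName() or toString().
     * An unparsable header value is treated as "not the expected subject".
     */
    static boolean sameSubject(String headerValue, String expectedDn) {
        try {
            return new X500Principal(headerValue).equals(new X500Principal(expectedDn));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        X500Principal subject = new X500Principal(FRIENDLY_DN);
        String headerAsEmitted = rfc2253(subject);

        System.out.println("getName()            : " + headerAsEmitted);
        System.out.println("getName(+oidMap)     : " + rfc2253WithKeywords(subject));
        System.out.println("toString()           : " + friendly(subject));

        // A string comparison against the stored friendly DN breaks once the header is RFC 2253...
        System.out.println("string equals        : " + headerAsEmitted.equals(FRIENDLY_DN));
        // ...while comparing as X500Principal works for either header format.
        System.out.println("X500Principal equals : " + sameSubject(headerAsEmitted, FRIENDLY_DN));
        System.out.println("X500Principal equals : " + sameSubject(friendly(subject), FRIENDLY_DN));
    }
}
```

Run it with `java SubjectDnFormats.java` on JDK 11 or later. Two points for anyone consuming the header: X500Principal.toString() is documented only as "user-friendly", so code that needs a stable, machine-comparable form across JDK versions should either request an explicit format via getName(String, Map) or, better, compare X500Principal objects as sameSubject does; and a route that matches the header against a fixed string is a good place to check when upgrading Camel, since a changed DN format turns into a silent authorization mismatch rather than an error.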