thenatog commented on a change in pull request #4670:
URL: https://github.com/apache/nifi/pull/4670#discussion_r526498722
##########
File path:
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
##########
@@ -160,26 +180,33 @@ public static String extractUsername(String dn) {
*/
public static List<String> getSubjectAlternativeNames(final
X509Certificate certificate) throws CertificateParsingException {
- final Collection<List<?>> altNames =
certificate.getSubjectAlternativeNames();
+ /*
+ * generalName has the name type as the first element a String or byte
array for the second element. We return any general names that are String types.
+ *
+ * We don't inspect the numeric name type because some certificates
incorrectly put IPs and DNS names under the wrong name types.
+ */
+
+ ArrayList<String> sanEntries = new
ArrayList<>(getSubjectAlternativeNamesMap(certificate).keySet());
+ Collections.sort(sanEntries);
+ return sanEntries;
+ }
+
+ public static Map<String, String>
getSubjectAlternativeNamesMap(X509Certificate cert) throws
CertificateParsingException {
+
+ final Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
+
if (altNames == null) {
- return new ArrayList<>();
+ return new HashMap<>();
}
- final List<String> result = new ArrayList<>();
- for (final List<?> generalName : altNames) {
- /**
- * generalName has the name type as the first element a String or
byte array for the second element. We return any general names that are String
types.
- *
- * We don't inspect the numeric name type because some
certificates incorrectly put IPs and DNS names under the wrong name types.
- */
- final Object value = generalName.get(1);
- if (value instanceof String) {
- result.add(((String) value).toLowerCase());
- }
+ Map<String, String> sanMap = altNames.stream()
+ .map(nameType -> new Tuple<Object, Object>(nameType.get(0),
nameType.get(1)))
+ .filter(Objects::nonNull)
+ .filter(t -> t.getValue() instanceof String)
+ .collect(Collectors.toMap(x -> (String) x.getValue(), x ->
sanOrderMap.get( x.getKey() )));
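Review bot: The `Collectors.toMap(...)` call at the end of `getSubjectAlternativeNamesMap` can throw on certificates that the removed loop accepted. Without a merge function, `toMap` throws `IllegalStateException` when two SAN entries carry the same string value, and it throws `NullPointerException` when the value mapper returns null, which happens here if `sanOrderMap.get(x.getKey())` has no entry for a name type (assuming `sanOrderMap` is a plain `Map`; its definition is outside this hunk). Consider passing a merge function and filtering out or defaulting unmapped name types before collecting. Two smaller points in the same stream: `.filter(Objects::nonNull)` runs after `new Tuple<Object, Object>(...)` and so can never drop anything, and the key is now `(String) x.getValue()` without the `.toLowerCase()` the removed loop applied, so callers that compare SAN entries against lower-cased host names will see a behaviour change unless the case folding is done elsewhere.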
Review comment:
Couldn't figure out a great way to fit use of GeneralName from the
BouncyCastle ASN1 library in here.