exceptionfactory commented on a change in pull request #4709:
URL: https://github.com/apache/nifi/pull/4709#discussion_r551308940
##########
File path:
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
##########
@@ -469,6 +472,14 @@ public static X509Certificate
generateSelfSignedX509Certificate(KeyPair keyPair,
// (2) extendedKeyUsage extension
certBuilder.addExtension(Extension.extendedKeyUsage, false, new
ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth,
KeyPurposeId.id_kp_serverAuth}));
+ // (3) subjectAlternativeName extension. Include CN as a SAN entry.
+ try {
+ final String cn = IETFUtils.valueToString(new
X500Name(dn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
Review comment:
Although all current uses of `generateSelfSignedX509Certificate()`
appear to include a common name in the distinguished name string, common name
is not necessarily required. Perhaps creating a separate method along the
lines of `String getCommonName(String dn)` would allow for checking whether
`getRDNs(BCStyle.CN)` returns at least one value. The return of that method
would inform this method as to whether the SAN should be added.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
