exceptionfactory commented on a change in pull request #4709:
URL: https://github.com/apache/nifi/pull/4709#discussion_r568005942
##########
File path:
nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java
##########
@@ -469,6 +472,14 @@ public static X509Certificate
generateSelfSignedX509Certificate(KeyPair keyPair,
// (2) extendedKeyUsage extension
certBuilder.addExtension(Extension.extendedKeyUsage, false, new
ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth,
KeyPurposeId.id_kp_serverAuth}));
+ // (3) subjectAlternativeName extension. Include CN as a SAN entry.
+ try {
+ final String cn = IETFUtils.valueToString(new
X500Name(dn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
+ certBuilder.addExtension(Extension.subjectAlternativeName,
false, new GeneralNames(new GeneralName(GeneralName.dNSName, cn)));
Review comment:
After evaluating the valid characters for a DNS name, it looks like it
would be difficult to incorporate an appropriate regular expression pattern to
cover all cases, so it is probably best to just introduce a check for a string
that is not blank.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
