[GitHub] [ozone] Galsza commented on a diff in pull request #4808: HDDS-8588. Add initialization logic in CertificateClient to handle more than one rootCA certificate

Wed, 07 Jun 2023 02:33:39 -0700 


Galsza commented on code in PR #4808:
URL: https://github.com/apache/ozone/pull/4808#discussion_r1221265461


##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -340,20 +349,52 @@ public synchronized List<X509Certificate> getTrustChain() 
{
       }
     } else {
       // case before certificate bundle is supported
-      chain.add(getCertificate());
-      X509Certificate cert = getCACertificate();
-      if (cert != null) {
-        chain.add(getCACertificate());
-      }
-      cert = getRootCACertificate();
-      if (cert != null) {
-        chain.add(cert);
+      X509Certificate lastInsertedCert = getCertificate();
+      chain.add(lastInsertedCert);
+      List<X509Certificate> caCertList = getCaCertList();
+      while (!isRootCa(lastInsertedCert)) {
+        Optional<X509Certificate> issuerOpt =
+            getIssuerForCert(lastInsertedCert, caCertList);
+        if (issuerOpt.isPresent()) {
+          X509Certificate issuer = issuerOpt.get();
+          chain.add(issuer);
+          lastInsertedCert = issuer;
+        } else {
+          throw new CertificateException("No issuer found for certificate: " +
+              lastInsertedCert);
+        }
       }
+      //add self-signed certificate to the chain
+      chain.add(lastInsertedCert);
     }
 
     return chain;
   }
 
+  private boolean isRootCa(X509Certificate cert) {
+    return 
cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());

Review Comment:
   We could do 2 simple things here which can solve both these. Check if the 
cert is in the rootCerts, and check if it's self-signed. If both are true, that 
means we are working correctly. If the cert is not self-signed that could mean 
it's an external root CA, we can use a sanity check if it's enabled in the 
system and it really is the external cert.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to