ChenSammi commented on code in PR #4943:
URL: https://github.com/apache/ozone/pull/4943#discussion_r1247448394
##########
hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509TrustManager.java:
##########
@@ -127,23 +129,22 @@ public ReloadingX509TrustManager
loadFrom(CertificateClient caClient) {
X509TrustManager loadTrustManager(CertificateClient caClient)
throws GeneralSecurityException, IOException {
// SCM certificate client sets root CA as CA cert instead of root CA cert
- X509Certificate rootCACert = caClient.getRootCACertificate() == null ?
- caClient.getCACertificate() : caClient.getRootCACertificate();
+ Set<X509Certificate> rootCACerts = caClient.getAllRootCaCerts().isEmpty() ?
+ caClient.getAllCaCerts() : caClient.getAllRootCaCerts();
- String rootCACertId = rootCACert.getSerialNumber().toString();
// Certificate keeps the same.
- if (currentRootCACertId != null &&
- currentRootCACertId.equals(rootCACertId)) {
+ if (rootCACerts.size() > 0 &&
+ currentRootCACertIds.size() == rootCACerts.size() &&
+ !rootCACerts.stream().filter(
+ c ->
!currentRootCACertIds.contains(c.getSerialNumber().toString()))
+ .findAny().isPresent()) {
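Review bot: The new reload check identifies a root CA certificate only by `c.getSerialNumber().toString()`, and a serial number is unique only within one issuer, so a replaced root certificate that reuses a serial would fall under "Certificate keeps the same" and the trust manager would apparently keep the old trust anchors. Comparing the certificates themselves, or a digest of `getEncoded()`, would tie the decision to the actual certificate content. The negated `filter(...).findAny().isPresent()` would also read more directly as `rootCACerts.stream().allMatch(c -> currentRootCACertIds.contains(c.getSerialNumber().toString()))`. The body of the `if` and the declaration of `currentRootCACertIds` are outside the quoted hunk, so confirm there whether serials are guaranteed unique across this cluster's root CAs.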
Review Comment:
Nice suggestion.