sarankk commented on code in PR #137: URL: https://github.com/apache/cassandra-sidecar/pull/137#discussion_r1796221711
########## vertx-auth-mtls/src/main/java/io/vertx/ext/auth/mtls/impl/CertificateValidatorImpl.java: ########## 
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.vertx.ext.auth.mtls.impl;
+
+import io.vertx.ext.auth.authentication.CertificateCredentials;
+import io.vertx.ext.auth.authentication.CredentialValidationException;
+import io.vertx.ext.auth.mtls.CertificateValidator;
+
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * {@link CertificateValidator} implementation that can be used for validating certificates.
+ */
+public class CertificateValidatorImpl implements CertificateValidator
+{
+ private final Set<String> trustedCNs;
+ private final String trustedIssuerOrganization;
+ private final String trustedIssuerOrganizationUnit;
+ private final String trustedIssuerCountry;
+
+ public CertificateValidatorImpl()
+ {
+ this.trustedCNs = Collections.emptySet();
+ this.trustedIssuerOrganization = null;
+ this.trustedIssuerOrganizationUnit = null;
+ this.trustedIssuerCountry = null;
+ }
+
+ public CertificateValidatorImpl(Set<String> trustedCNs,
+ String trustedIssuerOrganization,
+ String trustedIssuerOrganizationUnit,
+ String trustedIssuerCountry)
+ {
+ this.trustedCNs = Collections.unmodifiableSet(trustedCNs);
+ this.trustedIssuerOrganization = trustedIssuerOrganization;
+ this.trustedIssuerOrganizationUnit = trustedIssuerOrganizationUnit;
+ this.trustedIssuerCountry = trustedIssuerCountry;
+ }
+
+ @Override
+ public boolean isValidCertificate(CertificateCredentials credentials)
+ {
+ credentials.checkValid();
+ Certificate certificate = credentials.certificateChain().get(0);
+ if (certificate instanceof X509Certificate)
+ {
+ X509Certificate castedCert = (X509Certificate) certificate;
+ if (!isValidIssuer(castedCert))
+ {
+ return false;
+ }
+
+ try
+ {
+ castedCert.checkValidity();
+ return true;
+ }
+ catch (CertificateExpiredException e)
+ {
+ throw new CredentialValidationException("Expired certificates shared for authentication");
+ }
+ catch (Exception e)
+ {
+ return false;
+ }
+ }
+ return false;
Review Comment: In interface methods, we take in `Certificate` but for default implementations we support checking only `X509Certificate` . This is because `X509Certificate` implementation has methods to get SAN detail. Else we have to parse the certificate content and extract SAN detail. Regarding first cert, we check with the assumption that first cert is private key entry. When we extract the chain from `HttpRequest` that is the case too. 
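Review bot: The four-argument constructor stores `Collections.unmodifiableSet(trustedCNs)`, which is only a read-only view over the caller's set, so the trusted-CN allow-list can still change after construction if the caller later mutates that set, and a null argument fails with an uninformative NullPointerException. A defensive copy fixes the trust decision at construction time: `this.trustedCNs = Collections.unmodifiableSet(new HashSet<>(Objects.requireNonNull(trustedCNs, "trustedCNs")));` (this needs `java.util.HashSet` and `java.util.Objects` imported). Separately, in `isValidCertificate` the `catch (Exception e)` branch returns false without recording why, and the `CertificateExpiredException` is not passed on as the cause, so a not-yet-valid or otherwise rejected certificate leaves nothing for whoever investigates a failed authentication; logging the reason in that branch would help. The method and the class continue past the quoted hunk, so `isValidIssuer` and how it treats the null issuer fields set by the no-arg constructor could not be checked here.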

