Skip to content

Commit

Permalink
Merge pull request #253 from pdowler/main
Browse files Browse the repository at this point in the history
cadc-util: fix X509CertificateChain extract principal from chain
  • Loading branch information
pdowler authored Oct 21, 2024
2 parents b58c70e + a7e469f commit 2188d44
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 26 deletions.
2 changes: 1 addition & 1 deletion cadc-util/build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ sourceCompatibility = 1.8

group = 'org.opencadc'

version = '1.11.4'
version = '1.11.5'

description = 'OpenCADC core utility library'
def git_url = 'https://github.com/opencadc/core'
Expand Down
36 changes: 11 additions & 25 deletions cadc-util/src/main/java/ca/nrc/cadc/auth/X509CertificateChain.java
Original file line number Diff line number Diff line change
Expand Up @@ -140,31 +140,17 @@ public X509CertificateChain(X509Certificate[] chain, PrivateKey key) {
}

private void initPrincipal() {
for (X509Certificate c : chain) {
this.endEntity = c;
X500Principal sp = c.getSubjectX500Principal();
String sdn = sp.getName(X500Principal.RFC1779);
X500Principal ip = c.getIssuerX500Principal();
String idn = ip.getName(X500Principal.RFC1779);
log.debug("found: subject=" + sdn + ", issuer=" + idn);
if (sdn.endsWith(idn)) {
this.principal = ip;
this.isProxy = true;
} else {
this.principal = sp;
}

}

String canonizedDn = AuthenticationUtil.canonizeDistinguishedName(principal.getName());
// TODO: some upstream SSL termination engines (haproxy, tomcat) only pass the
// first certificate in the
// chain which makes the correct method above fail if the proxy certificate has
// more than two certificates
// in the chain. The following is just a workaround to remove extra leading
// CN(s):
if (canonizedDn.lastIndexOf("cn=") > -1) {
canonizedDn = canonizedDn.substring(canonizedDn.lastIndexOf("cn="));
X509Certificate c = chain[0];
X500Principal xp = c.getSubjectX500Principal();

// put into canonical form and look for multiple CN: proxy cert
String canonizedDn = AuthenticationUtil.canonizeDistinguishedName(xp.getName());

int cn1 = canonizedDn.indexOf("cn=");
int cnex = canonizedDn.lastIndexOf("cn=");
if (cnex > cn1) {
canonizedDn = canonizedDn.substring(cnex);
this.isProxy = true;
}
this.principal = new X500Principal(canonizedDn);
log.debug("principal: " + principal.getName(X500Principal.RFC1779));
Expand Down

0 comments on commit 2188d44

Please sign in to comment.