Tero Saarni created ZOOKEEPER-4992:
--------------------------------------
Summary: Loading multiple trusted certificates with identical
subject names from a PEM bundle fails
Key: ZOOKEEPER-4992
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4992
Project: ZooKeeper
Issue Type: Bug
Components: java client, server
Affects Versions: 3.9.4
Reporter: Tero Saarni
When a PEM bundle file is read as a trust store, each certificate is added to
an in-memory {{KeyStore}} using the subject name as the alias:
[https://github.com/apache/zookeeper/blob/e8e141b21f3a07797958c74053762048c7a3a0bf/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java#L95-L98]
    for (X509Certificate certificate : certificateChain) {
        X500Principal principal = certificate.getSubjectX500Principal();
        keyStore.setCertificateEntry(principal.getName("RFC2253"), certificate);
    }
If two CA certificates in the bundle share the same subject name, the first
entry is overridden by the second.
This behavior causes loss of trusted certificates that have identical subjects
but are otherwise different certificates. Using the subject name as a unique
alias is therefore not suitable.
Related to ZOOKEEPER-4990
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
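Added example, not part of the issue report and not ZooKeeper or JDK code: a Python reproduction of the collision described above. It generates two self-signed roots with the identical subject "ZooKeeper Root CA" (the rotated-root case: same DN, new key pair), writes them into one PEM bundle, and loads the bundle twice: once keyed by the RFC 4514 subject string, as PemReader does, and once keyed by the SHA-256 fingerprint of the DER encoding. A leaf signed by the first root is then checked against each store. Keying by subject keeps only the last root and the leaf is no longer trusted; keying by fingerprint keeps both roots while still collapsing an exact duplicate entry. The certificates, names and the `is_trusted` signature check are all constructed for this example; it assumes the `cryptography` package is installed. One caveat worth knowing when choosing a replacement alias in Java: the JDK's JKS and PKCS12 KeyStore implementations lower-case aliases, so two subjects that differ only in letter case collide as well, whereas a hex fingerprint or a subject-plus-index alias does not.

```python
"""Reproduce trust-store alias collisions when loading a PEM bundle.

Constructed example: certificates are generated at runtime, nothing is read
from disk. Requires the `cryptography` package (assumption).
"""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def _build(subject, issuer, public_key, signing_key, is_ca):
    """Build and sign a certificate; a helper shared by make_ca and issue_leaf."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def make_ca(common_name):
    """Constructed sample input: a self-signed root with the given CN and a fresh key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return key, _build(name, name, key.public_key(), key, True)


def issue_leaf(ca_key, ca_cert, common_name):
    """Constructed sample input: an end-entity certificate signed by ca_key."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return _build(name, ca_cert.subject, key.public_key(), ca_key, False)


def bundle_pem(certs):
    """Concatenate certificates into one PEM bundle, as a trust bundle file would."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def split_bundle(pem_bundle):
    """Parse every CERTIFICATE block in the bundle, preserving order."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_CERT_RE.finditer(pem_bundle)]


def load_by_subject(pem_bundle):
    """Mirror the reported behaviour: alias = subject DN, later entries replace earlier ones."""
    store = {}
    for cert in split_bundle(pem_bundle):
        store[cert.subject.rfc4514_string()] = cert  # silent overwrite on equal subjects
    return store


def load_by_fingerprint(pem_bundle):
    """Alias = SHA-256 of the DER encoding: equal subjects no longer collide,
    but an exact duplicate of the same certificate still collapses to one entry."""
    store = {}
    for cert in split_bundle(pem_bundle):
        store[cert.fingerprint(hashes.SHA256()).hex()] = cert
    return store


def is_trusted(leaf, store):
    """True if some anchor in the store with a matching subject signed the leaf.
    Signature check only; no validity-period or extension policy (constructed helper)."""
    for anchor in store.values():
        if anchor.subject != leaf.issuer:
            continue
        try:
            anchor.public_key().verify(
                leaf.signature, leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm),
            )
            return True
        except InvalidSignature:
            continue
    return False


def demo():
    old_key, old_ca = make_ca("ZooKeeper Root CA")
    _new_key, new_ca = make_ca("ZooKeeper Root CA")  # rotated root: same DN, different key
    leaf = issue_leaf(old_key, old_ca, "zk1.example.internal")
    bundle = bundle_pem([old_ca, new_ca])
    by_subject = load_by_subject(bundle)
    by_fp = load_by_fingerprint(bundle)
    return {
        "subject_aliases": len(by_subject),            # 1: old root replaced by new
        "fingerprint_aliases": len(by_fp),             # 2: both roots kept
        "fingerprint_aliases_with_dup": len(load_by_fingerprint(bundle_pem([old_ca, new_ca, old_ca]))),  # 2
        "leaf_trusted_by_subject": is_trusted(leaf, by_subject),    # False: signer was dropped
        "leaf_trusted_by_fingerprint": is_trusted(leaf, by_fp),     # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fingerprint alias is one option; an alias of the form subject plus a running index also avoids the collision, but it makes the alias depend on bundle order, so the same certificate gets a different alias whenever the file is reordered. Either choice is preferable to the bare subject, which the example shows can drop the only root that actually signed a peer's certificate.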