exceptionfactory commented on a change in pull request #4866: URL: https://github.com/apache/nifi/pull/4866#discussion_r585743722
########## File path: nifi-commons/nifi-security-utils/src/main/java/org/apache/nifi/security/util/CertificateUtils.java ########## @@ -149,6 +149,27 @@ public static String extractUsername(String dn) { username = StringUtils.substring(dn, cnIndex + cnPattern.length()); } } + + /* + https://tools.ietf.org/html/rfc5280#section-4.1.2.6 + + Legacy implementations exist where an electronic mail address is + embedded in the subject distinguished name as an emailAddress + attribute [RFC2985]. The attribute value for emailAddress is of type + IA5String to permit inclusion of the character '@', which is not part + of the PrintableString character set. emailAddress attribute values + are not case-sensitive (e.g., "subscri...@example.com" is the same as + "subscri...@example.com"). + */ + final String emailPattern = "/emailAddress="; + final int index = StringUtils.indexOfIgnoreCase(username, emailPattern); + if (index >= 0) { + String[] dnParts = username.split(emailPattern); + if (dnParts.length > 0) { + // only use the actual CN + username = dnParts[0]; + } + } Review comment: Did you consider using regular expression pattern? That might simplify the approach and the Pattern could be compiled as a static variable. ```suggestion // Replace variable with: private static final Pattern EMAIL_ATTRIBUTE_PATTERN = Pattern.compile("/emailAddress=.+"); final Pattern emailAttributePattern = Pattern.compile("/emailAddress=.+"); final Matcher emailMatcher = emailAttributePattern.matcher(username); if (emailMatcher.find()) { username = emailMatcher.replace(StringUtils.EMPTY); } ``` ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org