fapifta commented on code in PR #4442:
URL: https://github.com/apache/ozone/pull/4442#discussion_r1147644768
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/DefaultCertificateClient.java:
##########
@@ -331,6 +332,35 @@ public synchronized X509Certificate getCACertificate() {
return firstCertificateFrom(caCertPath);
}
+ /**
+ * Return all certificates in this component's trust chain,
+ * the last one is the root CA certificate.
+ */
+ public synchronized List<X509Certificate> getTrustChain() {
+ CertPath path = getCertPath();
+ if (path == null || path.getCertificates() == null) {
+ return null;
+ }
+
+ List<X509Certificate> chain = new ArrayList<>();
+ // certificate bundle case
+ if (path.getCertificates().size() > 1) {
+ for (int i = 0; i < path.getCertificates().size(); i++) {
+ chain.add((X509Certificate) path.getCertificates().get(i));
+ }
+ } else {
+ // case before certificate bundle is supported
+ chain.add(getCertificate());
+ chain.add(getCACertificate());
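Review bot: the single-certificate branch of getTrustChain() (the `else` at the end of the hunk) adds the results of getCertificate() and getCACertificate() to the chain without checking them, so if either lookup yields null the returned list carries a null element, which any caller iterating the chain (for example to populate a key store or to walk issuers) will trip over; guard both adds with a null check, or fall back to returning the partial chain explicitly. Two smaller points in the same hunk: the Javadoc says the method returns "all certificates", yet the early exit returns null rather than an empty list, forcing every caller to null-check (Collections.emptyList() reads more naturally with the documented contract); and the index loop over path.getCertificates() could be the enhanced for, `for (Certificate c : path.getCertificates()) { chain.add((X509Certificate) c); }`, which avoids the three repeated getCertificates() calls. The Javadoc claim that the last element is the root CA certificate also relies on the stored CertPath being ordered leaf-to-root, which is worth stating in the comment so later changes to how caCertPath is written do not silently break callers that index the last element.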
Review Comment:
One thing I am not sure about here...
Is it possible that we do not have a subordinate CA cert stored due to
upgrading from a very old version or on a cluster without SCM HA? If so we
might not want to add a null value to this list... however if the null value is
possible, but does not cause any trouble, then let's just keep this piece
simple.
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/ssl/ReloadingX509KeyManager.java:
##########
@@ -176,7 +181,10 @@ private X509ExtendedKeyManager
loadKeyManager(CertificateClient caClient)
}
currentPrivateKey = privateKey;
- currentCertId = cert.getSerialNumber().toString();
+ currentCertList.clear();
+ for (X509Certificate caCert: newCertList) {
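Review bot: `currentCertList.clear()` followed by a refill loop leaves a window in which a concurrent reader of the key manager observes an empty or partially populated certificate list; since this is a reloading key manager whose whole purpose is to be consulted while certificates are being rotated, build the new list fully and then swap the reference (or publish an unmodifiable copy) instead of mutating the live list in place. Also, the removed line `currentCertId = cert.getSerialNumber().toString();` takes the serial-number bookkeeping with it; if currentCertId is still read anywhere to decide whether a reload is needed, that comparison needs to move to the new list, otherwise the field should be removed entirely rather than left stale.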
Review Comment:
The name caCert is a little bit misleading here, as the newCertList should
contain the service certificate, the subordinate CA certs, and the root CA cert.
Can we just name it c or cert within the for loop?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]