This is an automated email from the ASF dual-hosted git repository.
aengineer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
The following commit(s) were added to refs/heads/master by this push:
new ab7987c HDDS-2404. Added support for Registered id as service
identifier for CSR. Based on the discussion with reviewer, otherName field make
more sence then registeredId.
ab7987c is described below
commit ab7987c0de2a06f14603f726c441491454ce13ba
Author: Abhishek Purohit <apuro...@cloudera.com>
AuthorDate: Mon Nov 4 10:05:48 2019 -0800
HDDS-2404. Added support for Registered id as service identifier for CSR.
Based on the discussion with reviewer, otherName field make more sence then
registeredId.
Signed-off-by: Anu Engineer <aengin...@apache.org>
---
.../authority/PKIProfiles/DefaultProfile.java | 4 +++
.../certificates/utils/CertificateSignRequest.java | 41 +++++++++++++++++++++-
.../certificate/authority/TestDefaultCAServer.java | 1 +
.../certificate/authority/TestDefaultProfile.java | 3 +-
4 files changed, 47 insertions(+), 2 deletions(-)
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
index 5fdb6f7..25ae126 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
@@ -74,6 +74,7 @@ public class DefaultProfile implements PKIProfile {
private static final int[] GENERAL_NAMES = {
GeneralName.dNSName,
GeneralName.iPAddress,
+ GeneralName.otherName,
};
// Map that handles all the Extensions lookup and validations.
private static final Map<ASN1ObjectIdentifier, BiFunction<Extension,
@@ -245,6 +246,9 @@ public class DefaultProfile implements PKIProfile {
}
case GeneralName.dNSName:
return DomainValidator.getInstance().isValid(value);
+ case GeneralName.otherName:
+ // for other name its a general string, nothing to validate
+ return true;
default:
// This should not happen, since it guarded via isSupportedGeneralName.
LOG.error("Unexpected type in General Name (int value) : " + type);
diff --git
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index 28f853a..21a19b5 100644
---
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -25,7 +25,13 @@ import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
import org.apache.logging.log4j.util.Strings;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERTaggedObject;
+import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
@@ -198,14 +204,47 @@ public final class CertificateSignRequest {
return this;
}
+ public CertificateSignRequest.Builder addServiceName(
+ String serviceName) {
+ Preconditions.checkNotNull(
+ serviceName, "Service Name cannot be null");
+
+ this.addAltName(GeneralName.otherName, serviceName);
+ return this;
+ }
+
private CertificateSignRequest.Builder addAltName(int tag, String name) {
if (altNames == null) {
altNames = new ArrayList<>();
}
- altNames.add(new GeneralName(tag, name));
+ if (tag == GeneralName.otherName) {
+ ASN1Object ono = addOtherNameAsn1Object(name);
+
+ altNames.add(new GeneralName(tag, ono));
+ } else {
+ altNames.add(new GeneralName(tag, name));
+ }
return this;
}
+ /**
+ * addOtherNameAsn1Object requires special handling since
+ * Bouncy Castle does not support othername as string.
+ * @param name
+ * @return
+ */
+ private ASN1Object addOtherNameAsn1Object(String name) {
+ // Below oid is copied from this URL:
+ // https://docs.microsoft.com/en-us/windows/win32/adschema/a-middlename
+ final String otherNameOID = "2.16.840.1.113730.3.1.34";
+ ASN1EncodableVector otherName = new ASN1EncodableVector();
+ otherName.add(new ASN1ObjectIdentifier(otherNameOID));
+ otherName.add(new DERTaggedObject(
+ true, GeneralName.otherName, new DERUTF8String(name)));
+ return new DERTaggedObject(
+ false, 0, new DERSequence(otherName));
+ }
+
public CertificateSignRequest.Builder setCA(Boolean isCA) {
this.ca = isCA;
return this;
diff --git
a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 64eb4ba..b203305 100644
---
a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -147,6 +147,7 @@ public class TestDefaultCAServer {
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
+ .addServiceName("OzoneMarketingCluster002")
.setCA(false)
.setClusterID(clusterId)
.setScmID(scmId)
diff --git
a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
index f892b8d..aecd91f 100644
---
a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
+++
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
@@ -91,11 +91,11 @@ public class TestDefaultProfile {
// Positive tests
assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.iPAddress));
assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.dNSName));
+ assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
// Negative Tests
assertFalse(defaultProfile.isSupportedGeneralName(
GeneralName.directoryName));
assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.rfc822Name));
- assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
}
/**
@@ -111,6 +111,7 @@ public class TestDefaultProfile {
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
.addDnsName("hadoop.apache.org")
.addIpAddress("8.8.8.8")
+ .addServiceName("OzoneMarketingCluster001")
.setCA(false)
.setClusterID("ClusterID")
.setScmID("SCMID")
---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-commits-unsubscr...@hadoop.apache.org
For additional commands, e-mail: ozone-commits-h...@hadoop.apache.org
