This is an automated email from the ASF dual-hosted git repository. aengineer pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git
The following commit(s) were added to refs/heads/master by this push: new ab7987c HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with reviewer, otherName field make more sence then registeredId. ab7987c is described below commit ab7987c0de2a06f14603f726c441491454ce13ba Author: Abhishek Purohit <apuro...@cloudera.com> AuthorDate: Mon Nov 4 10:05:48 2019 -0800 HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with reviewer, otherName field make more sence then registeredId. Signed-off-by: Anu Engineer <aengin...@apache.org> --- .../authority/PKIProfiles/DefaultProfile.java | 4 +++ .../certificates/utils/CertificateSignRequest.java | 41 +++++++++++++++++++++- .../certificate/authority/TestDefaultCAServer.java | 1 + .../certificate/authority/TestDefaultProfile.java | 3 +- 4 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
index 5fdb6f7..25ae126 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
@@ -74,6 +74,7 @@ public class DefaultProfile implements PKIProfile {
 private static final int[] GENERAL_NAMES = {
 GeneralName.dNSName,
 GeneralName.iPAddress,
+ GeneralName.otherName,
 };
 // Map that handles all the Extensions lookup and validations.
 private static final Map<ASN1ObjectIdentifier, BiFunction<Extension,
@@ -245,6 +246,9 @@ public class DefaultProfile implements PKIProfile {
 }
 case GeneralName.dNSName:
 return DomainValidator.getInstance().isValid(value);
+ case GeneralName.otherName:
+ // for other name its a general string, nothing to validate
+ return true;
 default:
 // This should not happen, since it guarded via isSupportedGeneralName.
 LOG.error("Unexpected type in General Name (int value) : " + type);
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index 28f853a..21a19b5 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -25,7 +25,13 @@ import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
 import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
 import org.apache.logging.log4j.util.Strings;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERTaggedObject;
+import org.bouncycastle.asn1.DERUTF8String;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
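Review bot: The new `case GeneralName.otherName` returns true without inspecting `value`, so the profile accepts any otherName that a CSR places in its subjectAltName regardless of its type-id OID or value type. Because this switch is what the CA consults before signing a requested name, it should at least confirm that the otherName's type-id equals the OID `CertificateSignRequest.addServiceName` emits and that the value is a UTF8String; how `value` is derived from an otherName is not visible here, so the exact check depends on the caller. If unconditional acceptance is the intent, say so in the comment and fix the typo: `// otherName carries the service name as a free-form string; no format check is applied here`. The enclosing switch and method begin and end outside this hunk.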
@@ -198,14 +204,47 @@ public final class CertificateSignRequest {
 return this;
 }
+ public CertificateSignRequest.Builder addServiceName(
+ String serviceName) {
+ Preconditions.checkNotNull(
+ serviceName, "Service Name cannot be null");
+
+ this.addAltName(GeneralName.otherName, serviceName);
+ return this;
+ }
+
 private CertificateSignRequest.Builder addAltName(int tag, String name) {
 if (altNames == null) {
 altNames = new ArrayList<>();
 }
- altNames.add(new GeneralName(tag, name));
+ if (tag == GeneralName.otherName) {
+ ASN1Object ono = addOtherNameAsn1Object(name);
+
+ altNames.add(new GeneralName(tag, ono));
+ } else {
+ altNames.add(new GeneralName(tag, name));
+ }
 return this;
 }
+ /**
+ * addOtherNameAsn1Object requires special handling since
+ * Bouncy Castle does not support othername as string.
+ * @param name
+ * @return
+ */
+ private ASN1Object addOtherNameAsn1Object(String name) {
+ // Below oid is copied from this URL:
+ // https://docs.microsoft.com/en-us/windows/win32/adschema/a-middlename
+ final String otherNameOID = "2.16.840.1.113730.3.1.34";
+ ASN1EncodableVector otherName = new ASN1EncodableVector();
+ otherName.add(new ASN1ObjectIdentifier(otherNameOID));
+ otherName.add(new DERTaggedObject(
+ true, GeneralName.otherName, new DERUTF8String(name)));
+ return new DERTaggedObject(
+ false, 0, new DERSequence(otherName));
+ }
+
 public CertificateSignRequest.Builder setCA(Boolean isCA) {
 this.ca = isCA;
 return this;
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 64eb4ba..b203305 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
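Review bot: `addOtherNameAsn1Object` uses `2.16.840.1.113730.3.1.34` as the otherName type-id, which according to the cited URL is the directory attribute-type OID for `middleName`; it says nothing about an Ozone service name, so a relying party that dispatches on type-id will misread the SAN, and the project should allocate an OID of its own and keep it in a named constant (placeholder `<OZONE_SERVICE_NAME_OID>`) rather than a method-local literal. The encoding also appears doubly tagged: the value's `[0] EXPLICIT` tag is spelled `GeneralName.otherName` (which merely happens to equal 0), and the whole SEQUENCE is then wrapped in an implicit `[0]` although, as far as I recall, `GeneralName.toASN1Primitive()` already applies the implicit `[0]` for an otherName; whether the nested implicit tags still serialise to the OtherName bytes RFC 5280 expects depends on Bouncy Castle's handling, so a test that decodes the CSR's SAN and checks the type-id and UTF8String value would settle it. I would write `otherName.add(new DERTaggedObject(true, 0, new DERUTF8String(name)));` and `return new DERSequence(otherName);`, or use BC's `OtherName(ASN1ObjectIdentifier, ASN1Encodable)` if the bundled version ships it. The method builds rather than adds, so a name such as `buildOtherName` fits better, and the Javadoc's `@param name` and `@return` are empty — describe the `OtherName ::= SEQUENCE { type-id, [0] value }` it returns.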
@@ -147,6 +147,7 @@ public class TestDefaultCAServer {
 PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
 .addDnsName("hadoop.apache.org")
 .addIpAddress("8.8.8.8")
+ .addServiceName("OzoneMarketingCluster002")
 .setCA(false)
 .setClusterID(clusterId)
 .setScmID(scmId)
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
index f892b8d..aecd91f 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
@@ -91,11 +91,11 @@ public class TestDefaultProfile {
 // Positive tests
 assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.iPAddress));
 assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.dNSName));
+ assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
 // Negative Tests
 assertFalse(defaultProfile.isSupportedGeneralName(
 GeneralName.directoryName));
 assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.rfc822Name));
- assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
 }
 /**
@@ -111,6 +111,7 @@ public class TestDefaultProfile {
 PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
 .addDnsName("hadoop.apache.org")
 .addIpAddress("8.8.8.8")
+ .addServiceName("OzoneMarketingCluster001")
 .setCA(false)
 .setClusterID("ClusterID")
 .setScmID("SCMID")
--------------------------------------------------------------------- To unsubscribe, e-mail: ozone-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: ozone-commits-h...@hadoop.apache.org