ZOOKEEPER-3832 ZKHostnameVerifier rejects valid certificates with subjectAltNames #1353

Closed
wants to merge 3 commits into from
2 changes: 2 additions & 0 deletions checkstyleSuppressions.xml
Expand Up @@ -32,4 +32,6 @@

<!-- TODO ZOOKEEPER-3469 -->
<suppress checks="Javadoc.+" files=".+[\\/]zookeeper-server[\\/].+\.java"/>

<suppress checks="OperatorWrap|ModifierOrder" files="zookeeper-server/src/test/java/org/apache/zookeeper/common/CertificatesToPlayWith\.java" />
</suppressions>
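Review bot: the new suppression on the added line matches CertificatesToPlayWith.java with a forward-slash path (`zookeeper-server/src/test/java/...`), whereas the existing Javadoc suppression just above it uses `[\\/]` as the separator so it also matches on Windows checkouts; consider the same `[\\/]` form here so the OperatorWrap/ModifierOrder suppression is not platform-dependent, e.g. `files=".+[\\/]zookeeper-server[\\/]src[\\/]test[\\/].+[\\/]CertificatesToPlayWith\.java"`.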
Expand Up @@ -324,8 +324,14 @@ private static List<SubjectName> getSubjectAltNames(final X509Certificate cert)
for (List<?> entry : entries) {
final Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null;
if (type != null) {
final String s = (String) entry.get(1);
result.add(new SubjectName(s, type));
if (type == SubjectName.DNS || type == SubjectName.IP) {
final Object o = entry.get(1);
if (o instanceof String) {
result.add(new SubjectName((String) o, type));
} else if (o instanceof byte[]) {
// TODO ASN.1 DER encoded form
Contributor:

I am not sure what ASN.1 DER is or how commonly it is used, but I think at least printing out a warning here would make sense (informing the user that ASN.1 DER is not supported). (?)

Contributor Author:

I believe it can be done with BouncyCastle ASN1 libraries, but this part was missing in the original patch too. I'd be happy to add it as a separate ticket, but first I need an example certificate with ASN1 encoded data.

Contributor:

I agree with Mate here, probably adding a warning until this TODO is implemented would be nice.

Contributor Author:

This is a static method. How can I log here?

Contributor:

Didn't see it's a static method. But I believe you can log by making the logger also static. Not sure it is worth it though, it's not a stopper from my side if we leave the TODO, just a nice-to-have.

}
}
}
}
return result;
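Review bot: the `else if (o instanceof byte[])` branch in the added block is empty, so a DNS or IP subjectAltName whose value arrives as a DER-encoded byte array is silently dropped and `result` tells the caller the certificate carries fewer names than it does, which makes a later hostname mismatch hard to diagnose from the logs. Since the method is static, a `private static final Logger` on the class would let this branch log at debug level before skipping the entry (the SAN type and the array length are enough; do not dump the raw bytes), or the TODO should state why the entry can be ignored. Separately, the previous code added every SAN entry regardless of type (`result.add(new SubjectName(s, type))`), while the new `type == SubjectName.DNS || type == SubjectName.IP` guard drops all other types from `result`; that is a reasonable narrowing for a hostname verifier, but it is a behaviour change and deserves a sentence in the commit message or the method's Javadoc.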