fix: allow to extract non-encoded certificate

gravitee-io · Sep 12, 2023 · 702a807 · 702a807
1 parent ff7aa97
commit 702a807
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/src/main/java/io/gravitee/common/security/CertificateUtils.java b/src/main/java/io/gravitee/common/security/CertificateUtils.java
@@ -49,7 +49,10 @@ public static Optional<X509Certificate> extractCertificate(final HttpHeaders htt
 
         if (certHeaderValue != null) {
             try {
-                certHeaderValue = URLDecoder.decode(certHeaderValue.replaceAll("\t", "\n"), Charset.defaultCharset());
+                if (!certHeaderValue.contains("\n")) {
+                    certHeaderValue = URLDecoder.decode(certHeaderValue, Charset.defaultCharset());
+                }
+                certHeaderValue = certHeaderValue.replaceAll("\t", "\n");
                 CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                 certificate =
                     Optional.ofNullable(

diff --git a/src/test/java/io/gravitee/common/security/CertificateUtilsTest.java b/src/test/java/io/gravitee/common/security/CertificateUtilsTest.java
@@ -66,7 +66,7 @@ void should_return_empty_certificate_without_header() {
     }
 
     @Test
-    void should_extract_certificate_from_header() {
+    void should_extract_encoded_certificate_from_header() {
         HttpHeaders httpHeaders = HttpHeaders.create();
         httpHeaders.set(CLIENT_CERT_HEADER, URLEncoder.encode(clientCertificate, StandardCharsets.UTF_8));
         Optional<X509Certificate> certificateOptional = CertificateUtils.extractCertificate(httpHeaders, CLIENT_CERT_HEADER);
@@ -76,6 +76,17 @@ void should_extract_certificate_from_header() {
         assertThat(certificate).isEqualTo(clientX509Certificate);
     }
 
+    @Test
+    void should_extract_non_encoded_certificate_from_header() {
+        HttpHeaders httpHeaders = HttpHeaders.create();
+        httpHeaders.set(CLIENT_CERT_HEADER, clientCertificate);
+        Optional<X509Certificate> certificateOptional = CertificateUtils.extractCertificate(httpHeaders, CLIENT_CERT_HEADER);
+
+        assertThat(certificateOptional).isNotEmpty();
+        X509Certificate certificate = certificateOptional.get();
+        assertThat(certificate).isEqualTo(clientX509Certificate);
+    }
+
     @Test
     void should_return_empty_certificate_without_ssl_session() {
         Optional<X509Certificate> certificateOptional = CertificateUtils.extractPeerCertificate(null);