From aengin...@apache.org
Subject [hadoop-ozone] branch master updated: HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the discussion with reviewer, otherName field make more sence then registeredId.
Date Thu, 07 Nov 2019 23:32:17 GMT
This is an automated email from the ASF dual-hosted git repository.

aengineer pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hadoop-ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new ab7987c  HDDS-2404. Added support for Registered id as service identifier for CSR.
Based on the discussion with reviewer, otherName field make more sence then registeredId.
ab7987c is described below

commit ab7987c0de2a06f14603f726c441491454ce13ba
Author: Abhishek Purohit <apurohit@cloudera.com>
AuthorDate: Mon Nov 4 10:05:48 2019 -0800

    HDDS-2404. Added support for Registered id as service identifier for CSR. Based on the
discussion with the reviewer, the otherName field makes more sense than registeredId.
    
    Signed-off-by: Anu Engineer <aengineer@apache.org>
---
 .../authority/PKIProfiles/DefaultProfile.java      |  4 +++
 .../certificates/utils/CertificateSignRequest.java | 41 +++++++++++++++++++++-
 .../certificate/authority/TestDefaultCAServer.java |  1 +
 .../certificate/authority/TestDefaultProfile.java  |  3 +-
 4 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
index 5fdb6f7..25ae126 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/PKIProfiles/DefaultProfile.java
@@ -74,6 +74,7 @@ public class DefaultProfile implements PKIProfile {
   private static final int[] GENERAL_NAMES = {
       GeneralName.dNSName,
       GeneralName.iPAddress,
+      GeneralName.otherName,
   };
   // Map that handles all the Extensions lookup and validations.
   private static final Map<ASN1ObjectIdentifier, BiFunction<Extension,
@@ -245,6 +246,9 @@ public class DefaultProfile implements PKIProfile {
       }
     case GeneralName.dNSName:
       return DomainValidator.getInstance().isValid(value);
+    case GeneralName.otherName:
+      // for other name its a general string, nothing to validate
+      return true;
     default:
       // This should not happen, since it guarded via isSupportedGeneralName.
       LOG.error("Unexpected type in General Name (int value) : " + type);
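Review bot: `return true` under `case GeneralName.otherName:` accepts every otherName a CSR can carry, whatever its type-id OID and value type, so the default profile will let the CA sign names it has no semantics for; the validator should at least confirm that the type-id is the service-name OID the builder emits and that the value decodes to a UTF8String, and reject anything else. How `value` is derived from the GeneralName is outside the hunk (the neighbouring `dNSName` case treats it as a host string), so if an otherName arrives here already flattened to a string, the OID check has to live where the GeneralName is decoded. The comment `// for other name its a general string, nothing to validate` is also inaccurate, since OtherName is `SEQUENCE { type-id OID, value [0] EXPLICIT ANY }` (RFC 5280 4.2.1.6); I would replace it with `// otherName is SEQUENCE { type-id OID, value [0] ANY }; only the service-name type-id is accepted` once the check exists. The `GENERAL_NAMES` addition in the first hunk is fine on its own; the enclosing method's signature and earlier cases are outside this hunk.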
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index 28f853a..21a19b5 100644
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -25,7 +25,13 @@ import org.apache.hadoop.hdds.security.x509.SecurityConfig;
 import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
 import org.apache.hadoop.hdds.security.x509.keys.SecurityUtil;
 import org.apache.logging.log4j.util.Strings;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERTaggedObject;
+import org.bouncycastle.asn1.DERUTF8String;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x509.BasicConstraints;
@@ -198,14 +204,47 @@ public final class CertificateSignRequest {
       return this;
     }
 
+    public CertificateSignRequest.Builder addServiceName(
+        String serviceName) {
+      Preconditions.checkNotNull(
+          serviceName, "Service Name cannot be null");
+
+      this.addAltName(GeneralName.otherName, serviceName);
+      return this;
+    }
+
     private CertificateSignRequest.Builder addAltName(int tag, String name) {
       if (altNames == null) {
         altNames = new ArrayList<>();
       }
-      altNames.add(new GeneralName(tag, name));
+      if (tag == GeneralName.otherName) {
+        ASN1Object ono = addOtherNameAsn1Object(name);
+
+        altNames.add(new GeneralName(tag, ono));
+      } else {
+        altNames.add(new GeneralName(tag, name));
+      }
       return this;
     }
 
+    /**
+     * addOtherNameAsn1Object requires special handling since
+     * Bouncy Castle does not support othername as string.
+     * @param name
+     * @return
+     */
+    private ASN1Object addOtherNameAsn1Object(String name) {
+      // Below oid is copied from this URL:
+      // https://docs.microsoft.com/en-us/windows/win32/adschema/a-middlename
+      final String otherNameOID = "2.16.840.1.113730.3.1.34";
+      ASN1EncodableVector otherName = new ASN1EncodableVector();
+      otherName.add(new ASN1ObjectIdentifier(otherNameOID));
+      otherName.add(new DERTaggedObject(
+          true, GeneralName.otherName, new DERUTF8String(name)));
+      return new DERTaggedObject(
+          false, 0, new DERSequence(otherName));
+    }
+
     public CertificateSignRequest.Builder setCA(Boolean isCA) {
       this.ca = isCA;
       return this;
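Review bot: The type-id OID hard-coded in addOtherNameAsn1Object, `2.16.840.1.113730.3.1.34`, is the directory attribute `middleName` under the Netscape arc (the Microsoft AD schema page the comment links documents that attribute), not an identifier for an Ozone service name, so a relying party matching otherName by type-id will misread the value and Ozone itself cannot later tell its own service names from anything else placed in that slot; the project should allocate an OID under an arc it controls and keep it as one named constant shared by this builder and DefaultProfile's validator. Two smaller encoding points: the inner explicit tag is defined as `value [0] EXPLICIT ANY`, so write it as `new DERTaggedObject(true, 0, new DERUTF8String(name))` rather than relying on `GeneralName.otherName` happening to be 0, and the method should `return new DERSequence(otherName);` without the outer `DERTaggedObject(false, 0, ...)`, because as far as I recall `GeneralName.toASN1Primitive()` applies the [0] context tag itself — worth confirming by dumping the SAN of a generated CSR. The Javadoc's `@param` and `@return` are empty; `@param name the UTF-8 service name carried as the otherName value` and `@return the OtherName SEQUENCE to wrap in a GeneralName` would do, and since the method builds rather than adds, `toOtherNameAsn1Object` reads better. The Builder class continues outside the hunk on both sides.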
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
index 64eb4ba..b203305 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
@@ -147,6 +147,7 @@ public class TestDefaultCAServer {
     PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
         .addDnsName("hadoop.apache.org")
         .addIpAddress("8.8.8.8")
+        .addServiceName("OzoneMarketingCluster002")
         .setCA(false)
         .setClusterID(clusterId)
         .setScmID(scmId)
diff --git a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
index f892b8d..aecd91f 100644
--- a/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
+++ b/hadoop-hdds/common/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultProfile.java
@@ -91,11 +91,11 @@ public class TestDefaultProfile {
 // Positive tests
     assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.iPAddress));
     assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.dNSName));
+    assertTrue(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
 // Negative Tests
     assertFalse(defaultProfile.isSupportedGeneralName(
         GeneralName.directoryName));
     assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.rfc822Name));
-    assertFalse(defaultProfile.isSupportedGeneralName(GeneralName.otherName));
   }
 
   /**
@@ -111,6 +111,7 @@ public class TestDefaultProfile {
     PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
         .addDnsName("hadoop.apache.org")
         .addIpAddress("8.8.8.8")
+        .addServiceName("OzoneMarketingCluster001")
         .setCA(false)
         .setClusterID("ClusterID")
         .setScmID("SCMID")
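Review bot: The new `.addServiceName("OzoneMarketingCluster001")` call only shows the CSR still builds (and, at the TestDefaultCAServer hunk, still gets signed); neither hunk asserts that the resulting SAN actually contains an otherName whose type-id and UTF8String value match what the builder wrote, which is the part of the new encoding most likely to be wrong. A decode step in this test — read the subjectAlternativeName extension from `csr`, find the `GeneralName.otherName` entry and compare its sequence elements against the builder's OID and `DERUTF8String` — would pin that down. The rest of both test methods is outside the hunks, so an assertion elsewhere may already cover this.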



