diff options
| author |   Instrumental <jonathan.gathman@att.com> | 2019-01-22 18:32:18 -0600 |
|---|---|---|
| committer | Instrumental <jonathan.gathman@att.com> | 2019-01-22 18:34:58 -0600 |
| commit | ad389b325def6b35dc0331dac0899adceafced07 (patch) | |
| tree | 80368fb59c0b396986b4d727f5448ebed6394c91 /cadi/core | |
| parent | 12414fe43077e12d7ef711951b1633ad31d73573 (diff) | |
Improve X509 Subject Eval
Issue-ID: AAF-727
Change-Id: Id7d11692191de0456699a3b1097d26bfd2da04f5
Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'cadi/core')
| -rw-r--r-- | cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 71 |
1 files changed, 47 insertions, 24 deletions
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java index 0f252e39..677f2139 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java @@ -133,32 +133,56 @@ public class X509Taf implements HttpTaf { si.checkClientTrusted(certarr); // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list String issuer = certarr[0].getIssuerDN().toString(); + String subject = certarr[0].getSubjectDN().getName(); + access.printf(Level.DEBUG,"Client Certificate found\n Subject %s\n Issuer %s",subject,issuer); if (cadiIssuers.contains(issuer)) { - String subject = certarr[0].getSubjectDN().getName(); // avoiding extra object creation, since this is validated EVERY transaction with a Cert - int at = subject.indexOf('@'); - if (at>=0) { - int start = subject.lastIndexOf(',', at); - if (start<0) { - start = 0; - } - int end = subject.indexOf(',', at); - if (end<0) { - end=subject.length(); - } - int temp; - if (((temp=subject.indexOf("OU=",start))>=0 && temp<end) || - ((temp=subject.indexOf("CN=",start))>=0 && temp<end)) { - String[] sa = Split.splitTrim(':', subject, temp+3,end); - if (sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment - return new X509HttpTafResp(access, - new X509Principal(sa[0], certarr[0],(byte[])null,bht), - "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); - } - } - - } + int start = 0; + int end = 1; + int comma; + int length = subject.length(); + + compare: + while(start<length) { + while(Character.isWhitespace(subject.charAt(start))) { + if(++start>length) { + break compare; + } + } + comma = subject.indexOf(',',start); + if(comma<0) { + end = subject.length(); + } else { + end = comma<=0?0:comma-1; + } + while(Character.isWhitespace(subject.charAt(end))) { + if(--end < 0) { + break compare; + } + } + if(subject.regionMatches(start, "OU=", 0, 3) || + subject.regionMatches(start, "CN=", 0, 3)) { + int at = subject.indexOf('@', start); + if(at<end && at>=0) { + String[] sa = Split.splitTrim(':', subject, start+3,end+1); + if (sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment + return new X509HttpTafResp(access, + new X509Principal(sa[0], certarr[0],(byte[])null,bht), + "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); + } else { + access.printf(Level.DEBUG,"Certificate is not for environment '%s'",env); + break; + } + } + } + start = comma+1; + } + access.log(Level.DEBUG,"Certificate is not acceptable for Authentication"); + } else { + access.log(Level.DEBUG,"Issuer is not trusted for Authentication"); } + } else { + access.log(Level.DEBUG,"There is no client certificate on the transaction"); } @@ -272,5 +296,4 @@ public class X509Taf implements HttpTaf { return bht.getCredVal(key); } } - } |