From ad389b325def6b35dc0331dac0899adceafced07 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Tue, 22 Jan 2019 18:32:18 -0600 Subject: [PATCH] Improve X509 Subject Eval Issue-ID: AAF-727 Change-Id: Id7d11692191de0456699a3b1097d26bfd2da04f5 Signed-off-by: Instrumental --- .../java/org/onap/aaf/cadi/taf/cert/X509Taf.java | 71 ++++++++++++++-------- 1 file changed, 47 insertions(+), 24 deletions(-) diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java index 0f252e39..677f2139 100644 --- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java +++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java @@ -133,32 +133,56 @@ public class X509Taf implements HttpTaf { si.checkClientTrusted(certarr); // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list String issuer = certarr[0].getIssuerDN().toString(); + String subject = certarr[0].getSubjectDN().getName(); + access.printf(Level.DEBUG,"Client Certificate found\n Subject %s\n Issuer %s",subject,issuer); if (cadiIssuers.contains(issuer)) { - String subject = certarr[0].getSubjectDN().getName(); // avoiding extra object creation, since this is validated EVERY transaction with a Cert - int at = subject.indexOf('@'); - if (at>=0) { - int start = subject.lastIndexOf(',', at); - if (start<0) { - start = 0; - } - int end = subject.indexOf(',', at); - if (end<0) { - end=subject.length(); - } - int temp; - if (((temp=subject.indexOf("OU=",start))>=0 && temp=0 && temp1 && env!=null && env.equals(sa[1]))) { // Check Environment - return new X509HttpTafResp(access, - new X509Principal(sa[0], certarr[0],(byte[])null,bht), - "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); - } - } - - } + int start = 0; + int end = 1; + int comma; + int length = subject.length(); + + compare: + while(startlength) { + break compare; + } + } + comma = subject.indexOf(',',start); + if(comma<0) { + end = subject.length(); + } else { + end = comma<=0?0:comma-1; + } + while(Character.isWhitespace(subject.charAt(end))) { + if(--end < 0) { + break compare; + } + } + if(subject.regionMatches(start, "OU=", 0, 3) || + subject.regionMatches(start, "CN=", 0, 3)) { + int at = subject.indexOf('@', start); + if(at=0) { + String[] sa = Split.splitTrim(':', subject, start+3,end+1); + if (sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment + return new X509HttpTafResp(access, + new X509Principal(sa[0], certarr[0],(byte[])null,bht), + "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED); + } else { + access.printf(Level.DEBUG,"Certificate is not for environment '%s'",env); + break; + } + } + } + start = comma+1; + } + access.log(Level.DEBUG,"Certificate is not acceptable for Authentication"); + } else { + access.log(Level.DEBUG,"Issuer is not trusted for Authentication"); } + } else { + access.log(Level.DEBUG,"There is no client certificate on the transaction"); } @@ -272,5 +296,4 @@ public class X509Taf implements HttpTaf { return bht.getCredVal(key); } } - } -- 2.16.6