author | andreer <andreer@verizonmedia.com> | 2020-01-27 15:17:15 +0100 |
---|---|---|
committer | andreer <andreer@verizonmedia.com> | 2020-01-27 15:17:15 +0100 |
commit | a6769f64b639152760d84ed4e6f3300f1f83d90b (patch) | |
tree | 756c554a1ca0fbc60b8b51f701968f51ed9175c9 | |
parent | 9e4b9422124073188f9aab1c0498f9fd04f6c8c1 (diff) |
stricter SAN verification
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
index 4908735659f..c421c106a59 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/endpointcertificates/EndpointCertificateManager.java
@@ -25,6 +25,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -98,14 +99,12 @@ public class EndpointCertificateManager {
         }
         X509Certificate endEntityCertificate = x509CertificateList.get(0);
-        List<String> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(endEntityCertificate).stream()
+        Set<String> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(endEntityCertificate).stream()
                 .filter(san -> san.getType().equals(SubjectAlternativeName.Type.DNS_NAME))
-                .map(SubjectAlternativeName::getValue).collect(Collectors.toList());
+                .map(SubjectAlternativeName::getValue).collect(Collectors.toSet());
-        System.out.println(subjectAlternativeNames);
-
-        if (!subjectAlternativeNames.containsAll(dnsNamesOf(instance.id(), List.of(zone))))
-            return logWarning("Certificate is missing SANs");
+        if (!subjectAlternativeNames.equals(Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)))))
+            return logWarning("The set of DNS SANs in the certificate has changed");
         return true; // All good then, hopefully
     } catch (Exception e) {
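Review bot: The exact-equality check on the new `if` line now rejects a certificate with extra SANs as well as one with missing SANs, but the warning `The set of DNS SANs in the certificate has changed` says neither which names differ nor in which direction, which is exactly what an operator needs when triaging a certificate that covers more (or fewer) names than the instance should. Since DNS SANs are not secrets, bind the expected set to a local and log both sides: `Set<String> expected = Set.copyOf(dnsNamesOf(instance.id(), List.of(zone)));` / `if (!subjectAlternativeNames.equals(expected))` / `return logWarning("Certificate DNS SANs " + subjectAlternativeNames + " do not match expected " + expected);`. Note also that `Set.equals` compares strings case-sensitively whereas DNS names match case-insensitively, so if `dnsNamesOf` and the issuing CA ever disagree on casing this will warn spuriously — normalizing both sides with `toLowerCase(Locale.ROOT)` before comparing is worth considering, though `dnsNamesOf` is not visible here. The enclosing `try` block begins before this hunk and its `catch` continues past it.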