author | Valerij Fredriksen <freva@users.noreply.github.com> | 2018-03-08 14:27:04 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-08 14:27:04 +0100 |
commit | 0d4f9c79a4a93f52c2071cb351a92dc2ca03b7a0 (patch) | |
tree | 44421c3c3a037fa7c89f5ed9c08b5715d9d8b43a /athenz-identity-provider-service | |
parent | 66dfb66beb03b9a979db071fc785295c73ee7962 (diff) | |
parent | 79239d4a4f110542e977bcb7bb98e0b4cc38a03d (diff) |
Merge pull request #5257 from vespa-engine/hakonhall/tune-hostname-commonname-mismatch-message
Tune hostname-commonname mismatch message
Diffstat (limited to 'athenz-identity-provider-service')
2 files changed, 5 insertions, 4 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java index 8c851ed5489..f6f6bb1dbca 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java @@ -117,7 +117,7 @@ public class CertificateSigner { } } - static void verifyCertificateCommonName(X500Name subject, String commonName) { + static void verifyCertificateCommonName(X500Name subject, String remoteHostname) { List<AttributeTypeAndValue> attributesAndValues = Arrays.stream(subject.getRDNs()) .flatMap(rdn -> rdn.isMultiValued() ? Stream.of(rdn.getTypesAndValues()) : Stream.of(rdn.getFirst())) @@ -129,8 +129,9 @@ public class CertificateSigner { } String actualCommonName = DERUTF8String.getInstance(attributesAndValues.get(0).getValue()).getString(); - if (! actualCommonName.equals(commonName)) { - throw new IllegalArgumentException("Expected common name to be " + commonName + ", but was " + actualCommonName); + if (! actualCommonName.equals(remoteHostname)) { + throw new IllegalArgumentException("Remote hostname " + remoteHostname + + " does not match common name " + actualCommonName); } } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java index 480ff5679fe..594bbf77fce 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java 
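Review bot: The new message in the second hunk of CertificateSigner.java concatenates `actualCommonName` into the exception text unmodified, and that value is read from the `subject` argument (presumably the subject of the submitted CSR, so requester-controlled). A common name containing line breaks or other control characters would then appear verbatim wherever this `IllegalArgumentException` is logged or echoed back. Consider neutralising it where the message is built, e.g. `" does not match common name " + actualCommonName.replaceAll("\\p{Cntrl}", "?"));`, or confirm that the code reporting the exception escapes it. The renamed parameter would also benefit from a Javadoc line such as `@param remoteHostname hostname of the requester as established by the server, never a value taken from the request itself`, since this comparison appears to be what ties a signing request to its sender and the caller is not visible here. The method starts in the previous hunk, and the lines between the two hunks are outside the diff.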
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java @@ -67,7 +67,7 @@ public class CertificateSignerTest { assertCertificateCommonNameException("C=NO", "Only 1 common name should be set"); assertCertificateCommonNameException("C=US+CN=abc123.domain.tld,C=NO+CN=" + requestersHostname, "Only 1 common name should be set"); assertCertificateCommonNameException("CN=evil.hostname.domain.tld", - "Expected common name to be tenant-123.us-north-1.vespa.domain.tld, but was evil.hostname.domain.tld"); + "Remote hostname tenant-123.us-north-1.vespa.domain.tld does not match common name evil.hostname.domain.tld"); } @Test(expected = IllegalArgumentException.class) |