authorHåkon Hallingstad <hakon@oath.com>2018-03-08 13:59:05 +0100
committerHåkon Hallingstad <hakon@oath.com>2018-03-08 13:59:05 +0100
commit79239d4a4f110542e977bcb7bb98e0b4cc38a03d (patch)
treec14a4f184a4a1c1424cbd50af5bc1c381aa6dc0d /athenz-identity-provider-service
parentb2b63c48f74ae45bb744d45b68a8cafa7ca36e29 (diff)
Tune hostname-commonname mismatch message
Diffstat (limited to 'athenz-identity-provider-service')
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java7
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java2
2 files changed, 5 insertions, 4 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
index 8c851ed5489..f6f6bb1dbca 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSigner.java
@@ -117,7 +117,7 @@ public class CertificateSigner {
}
}
- static void verifyCertificateCommonName(X500Name subject, String commonName) {
+ static void verifyCertificateCommonName(X500Name subject, String remoteHostname) {
List<AttributeTypeAndValue> attributesAndValues = Arrays.stream(subject.getRDNs())
.flatMap(rdn -> rdn.isMultiValued() ?
Stream.of(rdn.getTypesAndValues()) : Stream.of(rdn.getFirst()))
@@ -129,8 +129,9 @@ public class CertificateSigner {
}
String actualCommonName = DERUTF8String.getInstance(attributesAndValues.get(0).getValue()).getString();
- if (! actualCommonName.equals(commonName)) {
- throw new IllegalArgumentException("Expected common name to be " + commonName + ", but was " + actualCommonName);
+ if (! actualCommonName.equals(remoteHostname)) {
+ throw new IllegalArgumentException("Remote hostname " + remoteHostname +
+ " does not match common name " + actualCommonName);
}
}
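Review bot: The new throw at the bottom of the hunk interpolates `actualCommonName`, which is taken straight from the CSR subject, so whatever surfaces this IllegalArgumentException (a log line or the response to the requester) receives a requester-controlled string verbatim; quoting it and dropping control characters, e.g. `" does not match common name '" + actualCommonName.replaceAll("\\p{Cntrl}", "") + "'"`, keeps log entries unambiguous. The comparison on the line above remains a case-sensitive `equals`, which is the fail-closed choice for a hostname check, but since DNS names are case-insensitive a one-line comment such as `// CN must match the remote hostname exactly (case-sensitive, no normalisation)` would make the intent explicit. The unchanged `DERUTF8String.getInstance(...)` on the preceding context line appears to assume the CN is UTF8String-encoded; if a CSR carries a PrintableString CN it would presumably be rejected with BouncyCastle's generic "illegal object" error instead of this message, and `IETFUtils.valueToString(...)` would make the extraction encoding-agnostic should CSRs ever come from another generator. verifyCertificateCommonName's signature is in the previous hunk, outside this one.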
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java
index 480ff5679fe..594bbf77fce 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ca/CertificateSignerTest.java
@@ -67,7 +67,7 @@ public class CertificateSignerTest {
assertCertificateCommonNameException("C=NO", "Only 1 common name should be set");
assertCertificateCommonNameException("C=US+CN=abc123.domain.tld,C=NO+CN=" + requestersHostname, "Only 1 common name should be set");
assertCertificateCommonNameException("CN=evil.hostname.domain.tld",
- "Expected common name to be tenant-123.us-north-1.vespa.domain.tld, but was evil.hostname.domain.tld");
+ "Remote hostname tenant-123.us-north-1.vespa.domain.tld does not match common name evil.hostname.domain.tld");
}
@Test(expected = IllegalArgumentException.class)