From 0fb7ae70a0bfa8c10f91b767000dd39e4b5c6c01 Mon Sep 17 00:00:00 2001
From: Xiaoyu Yao
Date: Thu, 1 Oct 2020 15:05:09 -0700
Subject: [PATCH 1/2] HDDS-4301. SCM CA certificate does not encode KeyUsage extension propertly.

---
 .../x509/certificates/utils/CertificateSignRequest.java | 2 +-
 .../x509/certificates/utils/SelfSignedCertificate.java | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
index f740e437435d..bee64e188ec2 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/CertificateSignRequest.java
@@ -265,7 +265,7 @@ private Extension getKeyUsageExtension() throws IOException {
     }
     KeyUsage keyUsage = new KeyUsage(keyUsageFlag);
     return new Extension(Extension.keyUsage, true,
-        new DEROctetString(keyUsage));
+        keyUsage.getEncoded());
   }
 
   private Optional getSubjectAltNameExtension() throws
diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
index a7edfde34fa7..bba9dcfa57dc 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
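Review bot: The new `keyUsage.getEncoded()` on the `+` line leaves the encoding rules implicit; extnValue must be DER (RFC 5280 §4.1), so spell it out as `keyUsage.getEncoded(ASN1Encoding.DER)` (import `org.bouncycastle.asn1.ASN1Encoding`) so that a later switch to a structured extension value cannot quietly regress to BER. The three-argument `Extension` constructor wraps the byte[] in the OCTET STRING itself, which is presumably why the removed `new DEROctetString(keyUsage)` produced a double-wrapped value that parsers rejected; a one-line comment such as `// Extension(oid, critical, byte[]) adds the OCTET STRING wrapper; do not pre-wrap` would stop the next reader from "restoring" the wrapper. The patch adds no regression test: parsing the generated CSR with `PKCS10CertificationRequest` and reading the flags back through `KeyUsage.fromExtensions(...)` would pin the fix. getKeyUsageExtension's body begins outside the hunk, so the flags that feed keyUsageFlag are not visible here.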
@@ -145,8 +145,7 @@ private X509CertificateHolder generateCertificate(boolean isCA)
         new BasicConstraints(true));
     int keyUsageFlag = KeyUsage.keyCertSign | KeyUsage.cRLSign;
     KeyUsage keyUsage = new KeyUsage(keyUsageFlag);
-    builder.addExtension(Extension.keyUsage, false,
-        new DEROctetString(keyUsage));
+    builder.addExtension(Extension.keyUsage, true, keyUsage);
     if (altNames != null && altNames.size() >= 1) {
       builder.addExtension(new Extension(Extension.subjectAlternativeName,
           false, new GeneralNames(altNames.toArray(

From f627fc106b209a2b4fe3290d89b74dbae1bad909 Mon Sep 17 00:00:00 2001
From: Xiaoyu Yao
Date: Thu, 1 Oct 2020 15:13:50 -0700
Subject: [PATCH 2/2] remove unused import

---
 .../security/x509/certificates/utils/SelfSignedCertificate.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
index bba9dcfa57dc..daf0e262b1d5 100644
--- a/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
+++ b/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificates/utils/SelfSignedCertificate.java
@@ -42,7 +42,6 @@
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.DERUTF8String;
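Review bot: The `+` line also flips the key usage extension from non-critical to critical, which is the right default for a CA certificate (RFC 5280 §4.2.1.3: conforming CAs SHOULD mark it critical) but is a behaviour change the commit title does not mention; add a comment such as `// RFC 5280 4.2.1.3: keyUsage SHOULD be critical on CA certificates` and say so in the commit message, since validators that reject unknown critical extensions will now see one they did not before. With the flags fixed at `keyCertSign | cRLSign`, a strict validator will now refuse this key for plain signatures (TLS handshake, token signing); that is presumably intended for the CA path, but worth confirming against every caller of generateCertificate, whose body starts and ends outside the hunk. Certificates already persisted with the old double-wrapped extension are not rewritten by this change, so an operator note on how an existing SCM CA certificate gets regenerated would help. A test that parses the self-signed certificate and asserts `getKeyUsage()` and the extension's criticality would pin both halves of the fix.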