Addl checks for san dns validation

AthenZ · Mar 31, 2017 · bf5c0c1 · bf5c0c1
1 parent ae38b26
commit bf5c0c1
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 2 deletions.
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java
@@ -260,9 +260,9 @@ public static boolean validateCertReqDNSNames(PKCS10CertificationRequest certReq
             return true;
         }
         // the only two formats we're allowed to have in the CSR are:
-        // 1) service.domain-with-dashes.<svc>.yahoo.cloud
+        // 1) service.domain-with-dashes.<cloud>.yahoo.cloud
         // 2) athenz.uuid.<instance-id>
-        final String prefix = service + "." + domain.replace('.', '-');
+        final String prefix = service + "." + domain.replace('.', '-') + ".";
         for (String dnsName : dnsNames) {
             if (dnsName.startsWith(prefix) && dnsName.endsWith(ZTS_CERT_DNS_SUFFIX)) {
                 continue;

diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/utils/ZTSUtilsTest.java
@@ -315,4 +315,24 @@ public void testValidateCertReqDNSNamesUnknown() throws IOException {
         boolean result = ZTSUtils.validateCertReqDNSNames(certReq, "athenz", "production");
         assertFalse(result);
     }
+
+    @Test
+    public void testValidateCertReqDNSNamesSubdomain() throws IOException {
+        Path path = Paths.get("src/test/resources/subdomain.csr");
+        String csr = new String(Files.readAllBytes(path));
+
+        PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(csr);
+        boolean result = ZTSUtils.validateCertReqDNSNames(certReq, "athenz.domain", "production");
+        assertTrue(result);
+    }
+
+    @Test
+    public void testValidateCertReqDNSNamesSubdomainInvalid() throws IOException {
+        Path path = Paths.get("src/test/resources/subdomain_invalid.csr");
+        String csr = new String(Files.readAllBytes(path));
+
+        PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(csr);
+        boolean result = ZTSUtils.validateCertReqDNSNames(certReq, "athenz.domain", "production");
+        assertFalse(result);
+    }
 }
diff --git a/servers/zts/src/test/resources/subdomain.csr b/servers/zts/src/test/resources/subdomain.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBaTCCARMCAQAwZzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQK
+EwZBdGhlbnoxFzAVBgNVBAsTDlRlc3RpbmcgRG9tYWluMSEwHwYDVQQDExhhdGhl
+bnouZG9tYWluLnByb2R1Y3Rpb24wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAqaxs
+JnMNtEUxFd+j1MAE0mSv47W8JN4yBDRkDh/J1agsE2dHIV7CxLj9e5e05/IrB0rR
+hWSX4TaPmQ9KgeioHQIDAQABoEcwRQYJKoZIhvcNAQkOMTgwNjA0BgNVHREELTAr
+gilwcm9kdWN0aW9uLmF0aGVuei1kb21haW4ub3N0ay55YWhvby5jbG91ZDANBgkq
+hkiG9w0BAQsFAANBAIi0X1mJbVv10N81Cg1TaU+YZqrQYN7UFGoYXYb9QwOKBw9k
+4REzTnGf4WtZ5mdWVoxSeVKPP9Its95TiS+KyK0=
+-----END CERTIFICATE REQUEST-----
diff --git a/servers/zts/src/test/resources/subdomain_invalid.csr b/servers/zts/src/test/resources/subdomain_invalid.csr
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBbTCCARcCAQAwZzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQK
+EwZBdGhlbnoxFzAVBgNVBAsTDlRlc3RpbmcgRG9tYWluMSEwHwYDVQQDExhhdGhl
+bnouZG9tYWluLnByb2R1Y3Rpb24wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA3S0W
+SY14RWrU0lOA6V5JnZ/wkuZKzEkGXC47IH2mLVJaQCJ3FoZOEnq3NqTgSL6A4lS4
+OcR0ztT2PdyMXDnBNwIDAQABoEswSQYJKoZIhvcNAQkOMTwwOjA4BgNVHREEMTAv
+gi1wcm9kdWN0aW9uLmF0aGVuei1kb21haW50ZXN0Lm9zdGsueWFob28uY2xvdWQw
+DQYJKoZIhvcNAQELBQADQQA0uYd5mrc6YEtp8fO4alzdtiJtkF6EO9Xa3pHBev/K
+UWz+8Ivz9XChZR0VWrYezLGnlCcok/ETnYKjxkrCcDeO
+-----END CERTIFICATE REQUEST-----