Fix LSC parser

Fix multi-chain LSC files by reading only the first chain

Author: enricovianello

src/main/java/org/italiangrid/voms/store/impl/DefaultLSCFileParser.java

@@ -35,104 +35,69 @@
  */
 public class DefaultLSCFileParser implements LSCFileParser {
 
-  public static final String EMPTY_LINE_REGEX = "(?m)^\\s*?$";
   public static final String MALFORMED_LSC_FILE_ERROR_TEMPLATE = "LSC file parsing error: Malformed LSC file (vo=%s, host=%s): %s";
 
   private void checkFileExistanceAndReadabilty(File f) {
 
-    if (!f.exists())
+    if (!f.exists()) {
       throw new VOMSError("LSC file does not exist: " + f.getAbsolutePath());
-
-    if (!f.canRead())
+    }
+    if (!f.canRead()) {
       throw new VOMSError("LSC file is not readable: " + f.getAbsolutePath());
-
-  }
-
-  public LSCFile parse(String vo, String hostname, String filename) {
-
-    LSCFile lsc = null;
-
-    try {
-
-      File f = new File(filename);
-
-      checkFileExistanceAndReadabilty(f);
-
-      lsc = parse(vo, hostname, new FileInputStream(f));
-
-      lsc.setFilename(filename);
-
-    } catch (IOException e) {
-      throw new VOMSError("LSC file parsing error: " + e.getMessage(), e);
     }
-
-    return lsc;
   }
 
   public synchronized LSCFile parse(String vo, String hostname, InputStream is) {
 
+    final String NEXT_CHAIN = "------NEXT CHAIN------";
+
     LSCFile lsc = new LSCFile();
 
     lsc.setHostname(hostname);
     lsc.setVo(vo);
 
-    try {
-
-      BufferedReader lscReader = new BufferedReader(new InputStreamReader(is));
-
-      String line = null;
+    try (BufferedReader reader = new BufferedReader(new InputStreamReader(is))) {
       List<String> certificateChainDescription = new ArrayList<String>();
-
-      do {
-        line = lscReader.readLine();
-
-        // This is EOF
-        if (line == null)
-          break;
-
-        // Ignore comments
-        if (line.startsWith("#"))
+      String line;
+      while ((line = reader.readLine()) != null) {
+        if (line.trim().startsWith("#") || line.isBlank()) {
           continue;
-
-        // Ignore ---NEXT CHAIN---
-        if (line.startsWith("-"))
-          continue;
-
-        // Ignore empty lines
-        if (line.matches(EMPTY_LINE_REGEX))
-          continue;
-
-        if (line.startsWith("/"))
+        }
+        if (line.equalsIgnoreCase(NEXT_CHAIN)) {
+          /* This parser doesn't support multi-chain LSC files */
+          break;
+        }
+        if (line.startsWith("/")) {
           certificateChainDescription.add(line);
-
-      } while (true);
-
-      lscReader.close();
-
-      if (certificateChainDescription.size() % 2 != 0) {
-        String errorMessage = String.format(MALFORMED_LSC_FILE_ERROR_TEMPLATE,
-          vo, hostname, "Odd number of distinguished name entries.");
-
-        throw new VOMSError(errorMessage);
-
+        }
       }
-
-      if (certificateChainDescription.size() == 0) {
-        String errorMessage = String.format(MALFORMED_LSC_FILE_ERROR_TEMPLATE,
-          vo, hostname, "No distinguished name entries found.");
-
-        throw new VOMSError(errorMessage);
-      }
-
+      validateChain(certificateChainDescription, vo, hostname);
       lsc.setCertificateChainDescription(certificateChainDescription);
-
     } catch (IOException e) {
       throw new VOMSError("LSC file parsing error: " + e.getMessage(), e);
     }
-
+    if (lsc.getCertificateChainDescription().isEmpty()) {
+      String errorMessage =
+          String.format(MALFORMED_LSC_FILE_ERROR_TEMPLATE, vo, hostname, "No chains found.");
+      throw new VOMSError(errorMessage);
+    }
     return lsc;
   }
 
+  private void validateChain(List<String> certificateChainDescription, String vo, String hostname) {
+    if (certificateChainDescription.size() % 2 != 0) {
+      String errorMessage = String.format(MALFORMED_LSC_FILE_ERROR_TEMPLATE, vo, hostname,
+          "Odd number of distinguished name entries.");
+      throw new VOMSError(errorMessage);
+    }
+    if (certificateChainDescription.size() == 0) {
+      String errorMessage = String.format(MALFORMED_LSC_FILE_ERROR_TEMPLATE, vo, hostname,
+          "No distinguished name entries found.");
+
+      throw new VOMSError(errorMessage);
+    }
+  }
+
   public LSCFile parse(String vo, String hostname, File file) {
 
     LSCFile lsc = null;
@@ -150,7 +115,5 @@ public LSCFile parse(String vo, String hostname, File file) {
     }
 
     return lsc;
-
   }
-
 }

src/main/java/org/italiangrid/voms/store/impl/LSCFile.java

@@ -16,8 +16,11 @@
 package org.italiangrid.voms.store.impl;
 
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.List;
 
+import javax.security.auth.x500.X500Principal;
+
 import org.italiangrid.voms.store.LSCInfo;
 
 import eu.emi.security.authn.x509.impl.OpensslNameUtils;
@@ -51,7 +54,7 @@ public class LSCFile implements LSCInfo {
   String hostname;
 
   /** The certificate chain description contained in this LSC file **/
-  List<String> certChainDescription;
+  List<String> certChainDescription = new ArrayList<>();
 
   public String getVOName() {
 
@@ -95,7 +98,7 @@ public void setHostname(String hostname) {
 
   public void setCertificateChainDescription(List<String> certChainDesc) {
 
-    this.certChainDescription = certChainDesc;
+    this.certChainDescription = new ArrayList<>(certChainDesc);
   }
 
   @Override
@@ -138,39 +141,33 @@ public String toString() {
       + hostname + ", certChainDescription=" + certChainDescription + "]";
   }
 
-  @SuppressWarnings("deprecation")
   public boolean matches(X509Certificate[] certChain) {
 
-    if (certChainDescription == null || certChainDescription.isEmpty())
+    if (certChainDescription == null || certChainDescription.isEmpty()) {
       return false;
+    }
 
-    if (certChain == null || certChain.length == 0)
+    if (certChain == null || certChain.length == 0) {
       return false;
+    }
 
-    if (certChainDescription.size() == certChain.length * 2) {
-
-      for (int i = 0; i < certChain.length; i++) {
-
-        String lscSubjectRFC2253 = OpensslNameUtils
-          .opensslToRfc2253(certChainDescription.get(i));
-        String lscIssuerRFC2253 = OpensslNameUtils
-          .opensslToRfc2253(certChainDescription.get(i + 1));
-
-        boolean subjectDoesMatch = X500NameUtils.equal(
-          certChain[i].getSubjectX500Principal(), lscSubjectRFC2253);
-        boolean issuerDoesMatch = X500NameUtils.equal(
-          certChain[i].getIssuerX500Principal(), lscIssuerRFC2253);
-
-        if (!subjectDoesMatch || !issuerDoesMatch)
-          return false;
-
-      }
-    } else {
-      // Cert chain description does not match certificate chain length
+    if (certChainDescription.size() != certChain.length * 2) {
       return false;
     }
 
+    for (int i = 0; i < certChain.length; i++) {
+      if (!matches(certChain[i].getSubjectX500Principal(), certChainDescription.get(2 * i))) {
+        return false;
+      }
+      if (!matches(certChain[i].getIssuerX500Principal(), certChainDescription.get(2 * i + 1))) {
+        return false;
+      }
+    }
     return true;
   }
 
+  @SuppressWarnings("deprecation")
+  private boolean matches(X500Principal certDn, String lscDn) {
+    return X500NameUtils.equal(certDn, OpensslNameUtils.opensslToRfc2253(lscDn));
+  }
 }

src/test/java/org/italiangrid/voms/test/TestLSCParser.java

@@ -21,6 +21,7 @@
 import static org.junit.Assert.fail;
 
 import java.io.ByteArrayInputStream;
+import java.io.File;
 
 import org.italiangrid.voms.VOMSError;
 import org.italiangrid.voms.store.impl.DefaultLSCFileParser;
@@ -51,8 +52,7 @@ public void testParse() {
 
     assertEquals(2, f.getCertificateChainDescription().size());
 
-    assertEquals("/C=it/O=org/CN=commonName", f
-      .getCertificateChainDescription().get(0));
+    assertEquals("/C=it/O=org/CN=commonName", f.getCertificateChainDescription().get(0));
     assertEquals("/C=it/O=org/CN=CA", f.getCertificateChainDescription().get(1));
 
   }
@@ -111,6 +111,43 @@ public void testEmptyLSCFileParseError() {
     fail("No error caught for malformed, empty LSC file parsing.");
   }
 
+  @Test
+  public void testSlashInsideCommonNameIsIgnored() {
+
+    DefaultLSCFileParser parser = new DefaultLSCFileParser();
+
+    String malformedLSCContent = "/C=it/O=org/CN=commonName\n" + "/C=it/O=org/CN=common/Name";
+
+    LSCFile f =
+        parser.parse("vo", "host", new ByteArrayInputStream(malformedLSCContent.getBytes()));
+
+    assertEquals(2, f.getCertificateChainDescription().size());
+  }
+
+  @Test
+  public void testUnsupportedMultichainLSCFileParseSuccess() {
+
+    DefaultLSCFileParser parser = new DefaultLSCFileParser();
+
+    String multichainLSCContent = "/C=IT/O=IGI/CN=test-host.cnaf.infn.it\n"
+        + "/C=IT/O=IGI/CN=Test CA\n" + "------NEXT CHAIN------\n"
+        + "/C=IT/O=IGI/CN=test-host2.cnaf.infn.it\n" + "/C=IT/O=IGI/CN=Test CA";
+
+    try {
+
+      LSCFile f =
+          parser.parse("vo", "host", new ByteArrayInputStream(multichainLSCContent.getBytes()));
+      assertEquals(2, f.getCertificateChainDescription().size());
+      assertEquals("/C=IT/O=IGI/CN=test-host.cnaf.infn.it", f.getCertificateChainDescription().get(0));
+      assertEquals("/C=IT/O=IGI/CN=Test CA", f.getCertificateChainDescription().get(1));
+
+    } catch (VOMSError e) {
+      fail("No error expected for malformed, empty LSC file parsing.");
+      return;
+    }
+  }
+
+
   @Test
   public void testNonExistingFileParse() {
 
@@ -121,7 +158,7 @@ public void testNonExistingFileParse() {
     try {
 
       @SuppressWarnings("unused")
-      LSCFile f = parser.parse("vo", "host", nonExistentFile);
+      LSCFile f = parser.parse("vo", "host", new File(nonExistentFile));
 
     } catch (VOMSError e) {
 

src/test/resources/vomsdir/test.vo/test-multichain.cnaf.infn.it.lsc

@@ -0,0 +1,5 @@
+/C=IT/O=IGI/CN=test-host.cnaf.infn.it
+/C=IT/O=IGI/CN=Test CA
+------NEXT CHAIN------
+/C=IT/O=IGI/CN=test-host2.cnaf.infn.it
+/C=IT/O=IGI/CN=Test CA