ZOOKEEPER-4992: Avoid overriding same-subject certs in PEM trust store #2336
+27
−16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Tero Saarni <[email protected]>
tsaarni
force-pushed
the
fix-zookeeper-4992
branch
from
dbbad6f to
95bd22b
Compare
Contributor
Author
|
One of the CI tests failed, but I think it might just be a flake. @kezhuw, could you please re-run the test? |
Contributor
Author
|
When you have a chance, could someone review this PR? Thanks! |
anmolnar
requested changes
Jan 9, 2026
Contributor
anmolnar
left a comment
anmolnar
left a comment
There was a problem hiding this comment.
I'm fine with the patch overall, but I have a small suggestion.
| for (X509Certificate certificate : certificateChain) { | ||
| X500Principal principal = certificate.getSubjectX500Principal(); | ||
| keyStore.setCertificateEntry(principal.getName("RFC2253"), certificate); | ||
| keyStore.setCertificateEntry(principal.getName("RFC2253") + "-" + i++, certificate); |
Contributor
There was a problem hiding this comment.
Shall we check the name already exists first and add the suffix only when it's necessary?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When a PEM bundle is loaded as a trust store, each certificate is added to an in-memory
KeyStore.Previously, the certificate’s subject name was used as the alias, which caused entries to be overwritten when multiple certificates shared the same subject name.
This change assigns a unique alias to each certificate, ensuring that all certificates from the PEM bundle are preserved in the trust store.
Certificates valid at the same time can share the same subject name, for example CA certificate might be reissued with another key type.
https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-4992