Add test

willyborankin · willyborankin · commit e6220e2c21fe · 2025-04-08T21:33:10.000+02:00
Added test to check behave

Signed-off-by: Andrey Pleskach &lt;ples@aiven.io&gt;
diff --git a/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java b/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java
@@ -18,10 +18,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 import javax.net.ssl.KeyManagerFactory;
 import javax.security.auth.x500.X500Principal;
 
@@ -45,12 +45,10 @@ default KeyManagerFactory createKeyManagerFactory(boolean validateCertificates)
     }
 
     default Set<X500Principal> getIssuerDns() {
-        Set<X500Principal> issuerDns = new HashSet<>();
-        final List<Certificate> certificates = loadCertificates();
-        for (Certificate certificate : certificates) {
-            issuerDns.add(certificate.x509Certificate().getIssuerX500Principal());
-        }
-        return issuerDns;
+        return loadCertificates().stream()
+            .map(Certificate::x509Certificate)
+            .map(X509Certificate::getIssuerX500Principal)
+            .collect(Collectors.toSet());
     }
 
     default KeyManagerFactory buildKeyManagerFactory(final KeyStore keyStore, final char[] password) {
diff --git a/src/test/java/org/opensearch/security/ssl/CertificatesRule.java b/src/test/java/org/opensearch/security/ssl/CertificatesRule.java
@@ -144,15 +144,34 @@ public X509CertificateHolder generateCaCertificate(final KeyPair parentKeyPair,
         return generateCaCertificate(parentKeyPair, generateSerialNumber(), startDate, endDate);
     }
 
+    public X509CertificateHolder generateCaCertificate(
+        final KeyPair parentKeyPair,
+        final String subjectName,
+        final Instant startDate,
+        final Instant endDate
+    ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+        return generateCaCertificate(parentKeyPair, subjectName, generateSerialNumber(), startDate, endDate);
+    }
+
     public X509CertificateHolder generateCaCertificate(
         final KeyPair parentKeyPair,
         final BigInteger serialNumber,
         final Instant startDate,
         final Instant endDate
+    ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+        return generateCaCertificate(parentKeyPair, DEFAULT_SUBJECT_NAME, serialNumber, startDate, endDate);
+    }
+
+    public X509CertificateHolder generateCaCertificate(
+        final KeyPair parentKeyPair,
+        final String subjectName,
+        final BigInteger serialNumber,
+        final Instant startDate,
+        final Instant endDate
     ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
         // CS-SUPPRESS-SINGLE: RegexpSingleline Extension should only be used sparingly to keep implementations as generic as possible
         return createCertificateBuilder(
-            DEFAULT_SUBJECT_NAME,
+            subjectName,
             DEFAULT_SUBJECT_NAME,
             parentKeyPair.getPublic(),
             parentKeyPair.getPublic(),
diff --git a/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java b/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java
@@ -25,9 +25,11 @@
 
 public class CertificatesUtils {
 
-    public static void writePemContent(final Path path, final Object pemContent) throws IOException {
-        try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
-            writer.writeObject(pemContent);
+    public static void writePemContent(final Path path, final Object... content) throws IOException {
+        for (final Object c : content) {
+            try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
+                writer.writeObject(c);
+            }
         }
     }
 
diff --git a/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java b/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
@@ -73,6 +73,24 @@ void writeCertificates(
         writePemContent(accessCertificatePrivateKeyPath, privateKeyToPemObject(accessPrivateKey, certificatesRule.privateKeyPassword()));
     }
 
+    @Test
+    public void skipInvalidCaCertificateValidation() throws Exception {
+        final var caCertificate = certificatesRule.caCertificateHolder();
+
+        final var invalidCertKeys = certificatesRule.generateKeyPair();
+        var invalidCaCertificate = certificatesRule.generateCaCertificate(
+            invalidCertKeys,
+            "CN=not_default_subject,OU=client,O=client,L=test,C=de",
+            caCertificate.getNotAfter().toInstant().minus(20, ChronoUnit.DAYS),
+            caCertificate.getNotAfter().toInstant().minus(10, ChronoUnit.DAYS)
+        );
+
+        writePemContent(caCertificatePath, caCertificate, invalidCaCertificate);
+
+        final var sslContextHandler = sslContextHandler();
+        sslContextHandler.sslContext();
+    }
+
     @Test
     public void doesNothingIfCertificatesAreSame() throws Exception {
         final var sslContextHandler = sslContextHandler();

Original file line number	Diff line number	Diff line change
`@@ -25,9 +25,11 @@`
`25`	`25`
`26`	`26`	`public class CertificatesUtils {`
`27`	`27`
`28`		`- public static void writePemContent(final Path path, final Object pemContent) throws IOException {`
`29`		`- try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {`
`30`		`- writer.writeObject(pemContent);`
	`28`	`+ public static void writePemContent(final Path path, final Object... content) throws IOException {`
	`29`	`+ for (final Object c : content) {`
	`30`	`+ try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {`
	`31`	`+ writer.writeObject(c);`
	`32`	`+ }`
`31`	`33`	`}`
`32`	`34`	`}`
`33`	`35`