Skip to content

ZOOKEEPER-4992: Avoid overriding same-subject certs in PEM trust store #2336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tsaarni wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ZOOKEEPER-4992: Avoid overriding same-subject certs in PEM trust store #2336

tsaarni wants to merge 1 commit into from
+33 −16

Conversation

@tsaarni
Copy link
Contributor

@tsaarni tsaarni commented Nov 7, 2025
edited
Loading

When a PEM bundle is loaded as a trust store, each certificate is added to an in-memory KeyStore.
Previously, the certificate’s subject name was used as the alias, which caused entries to be overwritten when multiple certificates shared the same subject name.

This change assigns a unique alias to each certificate, ensuring that all certificates from the PEM bundle are preserved in the trust store.

Certificates valid at the same time can share the same subject name, for example CA certificate might be reissued with another key type.

https://issues.apache.org/jira/projects/ZOOKEEPER/issues/ZOOKEEPER-4992

@tsaarni tsaarni force-pushed the fix-zookeeper-4992 branch from dbbad6f to 95bd22b Compare November 8, 2025 05:33
@tsaarni
Copy link
Contributor Author

tsaarni commented Nov 10, 2025
edited
Loading

One of the CI tests failed, but I think it might just be a flake. @kezhuw, could you please re-run the test?

@tsaarni
Copy link
Contributor Author

tsaarni commented Dec 5, 2025

When you have a chance, could someone review this PR? Thanks!

anmolnar
anmolnar requested changes Jan 9, 2026
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with the patch overall, but I have a small suggestion.

zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java Outdated
for (X509Certificate certificate : certificateChain) {
X500Principal principal = certificate.getSubjectX500Principal();
keyStore.setCertificateEntry(principal.getName("RFC2253"), certificate);
keyStore.setCertificateEntry(principal.getName("RFC2253") + "-" + i++, certificate);
Copy link
Contributor

@anmolnar anmolnar Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we check the name already exists first and add the suffix only when it's necessary?

Copy link
Contributor Author

@tsaarni tsaarni Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@anmolnar Yes, that's a good idea. I updated it and added a check to make sure the aliases have the right suffix. Now, the first suffix starts from 2 since the first one doesn't have one.

Copy link
Contributor Author

@tsaarni tsaarni Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sequence numbers in the suffixes aren't working perfectly logically, for example, if adding four certificates with subjects cn=foo, cn=foo, cn=bar and cn=bar, the aliases become cn=foo, cn=foo-2, cn=bar, and cn=bar-3, but I hope it does not need to be perfect.

@tsaarni tsaarni force-pushed the fix-zookeeper-4992 branch from 95bd22b to 6b87ef5 Compare January 10, 2026 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmolnar anmolnar anmolnar requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tsaarni @anmolnar