From a7e469f0d5329680e938471cde723b109e6c9358 Mon Sep 17 00:00:00 2001
From: Patrick Dowler <pdowler.cadc@gmail.com>
Date: Thu, 10 Oct 2024 15:56:41 -0700
Subject: [PATCH] cadc-util: fix X509CertificateChain extract principal from
 chain

---
 cadc-util/build.gradle                        |  2 +-
 .../nrc/cadc/auth/X509CertificateChain.java   | 36 ++++++-------------
 2 files changed, 12 insertions(+), 26 deletions(-)

diff --git a/cadc-util/build.gradle b/cadc-util/build.gradle
index 142dad3b..8b445b0a 100644
--- a/cadc-util/build.gradle
+++ b/cadc-util/build.gradle
@@ -16,7 +16,7 @@ sourceCompatibility = 1.8
 
 group = 'org.opencadc'
 
-version = '1.11.4'
+version = '1.11.5'
 
 description = 'OpenCADC core utility library'
 def git_url = 'https://github.com/opencadc/core'
diff --git a/cadc-util/src/main/java/ca/nrc/cadc/auth/X509CertificateChain.java b/cadc-util/src/main/java/ca/nrc/cadc/auth/X509CertificateChain.java
index 9cbb0b47..c6577b7a 100644
--- a/cadc-util/src/main/java/ca/nrc/cadc/auth/X509CertificateChain.java
+++ b/cadc-util/src/main/java/ca/nrc/cadc/auth/X509CertificateChain.java
@@ -140,31 +140,17 @@ public X509CertificateChain(X509Certificate[] chain, PrivateKey key) {
     }
 
     private void initPrincipal() {
-        for (X509Certificate c : chain) {
-            this.endEntity = c;
-            X500Principal sp = c.getSubjectX500Principal();
-            String sdn = sp.getName(X500Principal.RFC1779);
-            X500Principal ip = c.getIssuerX500Principal();
-            String idn = ip.getName(X500Principal.RFC1779);
-            log.debug("found: subject=" + sdn + ", issuer=" + idn);
-            if (sdn.endsWith(idn)) {
-                this.principal = ip;
-                this.isProxy = true;
-            } else {
-                this.principal = sp;
-            }
-
-        }
-
-        String canonizedDn = AuthenticationUtil.canonizeDistinguishedName(principal.getName());
-        // TODO: some upstream SSL termination engines (haproxy, tomcat) only pass the
-        // first certificate in the
-        // chain which makes the correct method above fail if the proxy certificate has
-        // more than two certificates
-        // in the chain. The following is just a workaround to remove extra leading
-        // CN(s):
-        if (canonizedDn.lastIndexOf("cn=") > -1) {
-            canonizedDn = canonizedDn.substring(canonizedDn.lastIndexOf("cn="));
+        X509Certificate c = chain[0];
+        X500Principal xp = c.getSubjectX500Principal();
+        
+        // put into canonical form and look for multiple CN: proxy cert
+        String canonizedDn = AuthenticationUtil.canonizeDistinguishedName(xp.getName());
+        
+        int cn1 = canonizedDn.indexOf("cn=");
+        int cnex = canonizedDn.lastIndexOf("cn=");
+        if (cnex > cn1) {
+            canonizedDn = canonizedDn.substring(cnex);
+            this.isProxy = true;
         }
         this.principal = new X500Principal(canonizedDn);
         log.debug("principal: " + principal.getName(X500Principal.RFC1779));
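Review bot: `this.endEntity` is no longer assigned anywhere in the rewritten initPrincipal: the removed loop set it on every iteration, while the new code only reads `chain[0]` into a local, so if the field is still exposed by a getter elsewhere in the class it now stays null after construction. The smallest fix is to keep the assignment next to the new lookup: `X509Certificate c = chain[0];` followed by `this.endEntity = c;`. Note also that `chain[0]` throws ArrayIndexOutOfBoundsException on an empty array, which the constructor outside this hunk may or may not reject; a guard such as `if (chain == null || chain.length == 0) { throw new IllegalArgumentException("empty certificate chain"); }` would make that failure explicit. Since the old subject-vs-issuer comparison is gone, proxy detection is now purely syntactic (a repeated `cn=` in the leaf subject), and the resulting principal is a substring of that subject with no check against the issuer chain; a comment such as `// proxy detection is syntactic only: the issuer chain is not validated here, callers must rely on upstream TLS validation` would make that trust boundary clear to future readers. The body of initPrincipal continues past the end of this hunk.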