Improve X509 Subject Eval

Issue-ID: AAF-727
Change-Id: Id7d11692191de0456699a3b1097d26bfd2da04f5
Signed-off-by: Instrumental <jonathan.gathman@att.com>
diff --git a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
index 0f252e3..677f213 100644
--- a/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ b/cadi/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
@@ -133,32 +133,56 @@
                 si.checkClientTrusted(certarr);
                 // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
                 String issuer = certarr[0].getIssuerDN().toString();
+                String subject = certarr[0].getSubjectDN().getName();
+                access.printf(Level.DEBUG,"Client Certificate found\n  Subject %s\n  Issuer  %s",subject,issuer);
                 if (cadiIssuers.contains(issuer)) {
-                    String subject = certarr[0].getSubjectDN().getName();
                     // avoiding extra object creation, since this is validated EVERY transaction with a Cert
-                    int at = subject.indexOf('@');
-                    if (at>=0) {
-                        int start = subject.lastIndexOf(',', at);
-                        if (start<0) {
-                            start = 0;
-                        }
-                        int end = subject.indexOf(',', at);
-                        if (end<0) {
-                            end=subject.length();
-                        }
-                        int temp;
-                        if (((temp=subject.indexOf("OU=",start))>=0 && temp<end) || 
-                           ((temp=subject.indexOf("CN=",start))>=0 && temp<end)) {
-                            String[] sa = Split.splitTrim(':', subject, temp+3,end);
-                            if (sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment 
-                                return new X509HttpTafResp(access, 
-                                        new X509Principal(sa[0], certarr[0],(byte[])null,bht), 
-                                        "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
-                            }
-                        }
-                        
-                    }
+                	int start = 0;
+                	int end = 1;
+                	int comma;
+                	int length = subject.length();
+                	
+                	compare:
+                	while(start<length) {
+                		while(Character.isWhitespace(subject.charAt(start))) {
+                			if(++start>length) {
+                				break compare;
+                			}
+                		}
+                    	comma = subject.indexOf(',',start);
+                    	if(comma<0) {
+                    		end = subject.length();
+                    	} else {
+                    		end = comma<=0?0:comma-1;
+                    	}
+                		while(Character.isWhitespace(subject.charAt(end))) {
+                			if(--end < 0) {
+                				break compare;
+                			}
+                		}
+                    	if(subject.regionMatches(start, "OU=", 0, 3) ||
+                    	   subject.regionMatches(start, "CN=", 0, 3)) {
+                    	   int at = subject.indexOf('@', start);
+                    	   if(at<end && at>=0) {
+                               String[] sa = Split.splitTrim(':', subject, start+3,end+1);
+                               if (sa.length==1 || (sa.length>1 && env!=null && env.equals(sa[1]))) { // Check Environment 
+                                   return new X509HttpTafResp(access, 
+                                           new X509Principal(sa[0], certarr[0],(byte[])null,bht), 
+                                           "X509Taf validated " + sa[0] + (sa.length<2?"":" for aaf_env " + env ), RESP.IS_AUTHENTICATED);
+                               } else {
+                               	  access.printf(Level.DEBUG,"Certificate is not for environment '%s'",env);
+                               	  break;
+                               }
+                    	   }
+                    	}
+                    	start = comma+1;
+                	}
+                 	access.log(Level.DEBUG,"Certificate is not acceptable for Authentication");
+                } else {
+                	access.log(Level.DEBUG,"Issuer is not trusted for Authentication");
                 }
+            } else {
+            	access.log(Level.DEBUG,"There is no client certificate on the transaction");
             }
         
 
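Review bot: The new subject scanner indexes past the end of the string on two legitimate inputs: a subject with no comma sets `end = subject.length()` and the very next `charAt(end)` throws StringIndexOutOfBoundsException, and a subject with trailing whitespace lets `++start` reach `length` before `charAt(start)` is evaluated again because the guard is `>` rather than `>=`. Even with those fixed, `start = comma+1` becomes 0 when `comma` is -1, so a single-RDN subject would loop forever instead of falling through to the "not acceptable" log. A trusted-issuer certificate whose subject is a single RDN or ends in whitespace should be accepted or rejected by the normal path, not fail with an unhandled exception on every transaction that presents it. Changing `if(++start>length)` to `if(++start>=length)`, the no-comma branch to `end = length - 1;`, and the loop advance to `start = comma<0 ? length : comma+1;` closes all three. The enclosing validate method starts and ends outside this hunk.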
@@ -272,5 +296,4 @@
             return bht.getCredVal(key);
         }
     }
-    
 }