Domain name normalization

This commit is contained in:
Oleg Kalnichevski 2020-01-10 14:52:15 +01:00
parent 4381ea3e47
commit 343ac3d407
4 changed files with 133 additions and 7 deletions

View File

@ -36,7 +36,6 @@ import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Locale;
import java.util.NoSuchElementException; import java.util.NoSuchElementException;
import javax.naming.InvalidNameException; import javax.naming.InvalidNameException;
@ -55,6 +54,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.apache.http.annotation.Contract; import org.apache.http.annotation.Contract;
import org.apache.http.annotation.ThreadingBehavior; import org.apache.http.annotation.ThreadingBehavior;
import org.apache.http.conn.util.DnsUtils;
import org.apache.http.conn.util.DomainType; import org.apache.http.conn.util.DomainType;
import org.apache.http.conn.util.InetAddressUtils; import org.apache.http.conn.util.InetAddressUtils;
import org.apache.http.conn.util.PublicSuffixMatcher; import org.apache.http.conn.util.PublicSuffixMatcher;
@ -164,11 +164,11 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
static void matchDNSName(final String host, final List<SubjectName> subjectAlts, static void matchDNSName(final String host, final List<SubjectName> subjectAlts,
final PublicSuffixMatcher publicSuffixMatcher) throws SSLException { final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
final String normalizedHost = host.toLowerCase(Locale.ROOT); final String normalizedHost = DnsUtils.normalize(host);
for (int i = 0; i < subjectAlts.size(); i++) { for (int i = 0; i < subjectAlts.size(); i++) {
final SubjectName subjectAlt = subjectAlts.get(i); final SubjectName subjectAlt = subjectAlts.get(i);
if (subjectAlt.getType() == SubjectName.DNS) { if (subjectAlt.getType() == SubjectName.DNS) {
final String normalizedSubjectAlt = subjectAlt.getValue().toLowerCase(Locale.ROOT); final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) { if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
return; return;
} }
@ -180,8 +180,8 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
static void matchCN(final String host, final String cn, static void matchCN(final String host, final String cn,
final PublicSuffixMatcher publicSuffixMatcher) throws SSLException { final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
final String normalizedHost = host.toLowerCase(Locale.ROOT); final String normalizedHost = DnsUtils.normalize(host);
final String normalizedCn = cn.toLowerCase(Locale.ROOT); final String normalizedCn = DnsUtils.normalize(cn);
if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) { if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " + throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
"common name of the certificate subject: " + cn); "common name of the certificate subject: " + cn);

View File

@ -0,0 +1,76 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.http.conn.util;
/**
* A collection of utilities relating to Domain Name System.
*
* @since 4.5
*/
public class DnsUtils {
private DnsUtils() {
}
private static boolean isUpper(final char c) {
return c >= 'A' && c <= 'Z';
}
public static String normalize(final String s) {
if (s == null) {
return null;
}
int pos = 0;
int remaining = s.length();
while (remaining > 0) {
if (isUpper(s.charAt(pos))) {
break;
}
pos++;
remaining--;
}
if (remaining > 0) {
final StringBuilder buf = new StringBuilder(s.length());
buf.append(s, 0, pos);
while (remaining > 0) {
final char c = s.charAt(pos);
if (isUpper(c)) {
buf.append((char) (c + ('a' - 'A')));
} else {
buf.append(c);
}
pos++;
remaining--;
}
return buf.toString();
} else {
return s;
}
}
}

View File

@ -29,7 +29,6 @@ package org.apache.http.conn.util;
import java.net.IDN; import java.net.IDN;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentHashMap;
@ -142,7 +141,7 @@ public final class PublicSuffixMatcher {
if (domain.startsWith(".")) { if (domain.startsWith(".")) {
return null; return null;
} }
final String normalized = domain.toLowerCase(Locale.ROOT); final String normalized = DnsUtils.normalize(domain);
String segment = normalized; String segment = normalized;
String result = null; String result = null;
while (segment != null) { while (segment != null) {

View File

@ -0,0 +1,51 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.http.conn.util;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
/**
* Unit tests for DnsUtils.
*/
public class TesDnsUtils {
@Test
public void testNormalize() {
Assert.assertThat(DnsUtils.normalize(null), CoreMatchers.equalTo(null));
Assert.assertThat(DnsUtils.normalize(""), CoreMatchers.equalTo(""));
Assert.assertThat(DnsUtils.normalize("blah"), CoreMatchers.equalTo("blah"));
Assert.assertThat(DnsUtils.normalize("BLAH"), CoreMatchers.equalTo("blah"));
Assert.assertThat(DnsUtils.normalize("blAh"), CoreMatchers.equalTo("blah"));
Assert.assertThat(DnsUtils.normalize("blaH"), CoreMatchers.equalTo("blah"));
Assert.assertThat(DnsUtils.normalize("blaH"), CoreMatchers.equalTo("blah"));
Assert.assertThat(DnsUtils.normalize("hac\u212A!!!"), CoreMatchers.equalTo("hac\u212A!!!"));
}
}