Fixed CN extraction from DN of X500 principal

git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1411702 13f79535-47bb-0310-9956-ffa450edef68
Oleg Kalnichevski 2012-11-20 15:37:02 +00:00
parent 529541458b
commit 6e14fc146a
2 changed files with 24 additions and 7 deletions


@ -178,12 +178,12 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
// We're can be case-insensitive when comparing the host we used to
// establish the socket to the hostname in the certificate.
String hostName = host.trim().toLowerCase(Locale.ENGLISH);
String hostName = host.trim().toLowerCase(Locale.US);
boolean match = false;
for(Iterator<String> it = names.iterator(); it.hasNext();) {
// Don't trim the CN, though!
String cn = it.next();
cn = cn.toLowerCase(Locale.ENGLISH);
cn = cn.toLowerCase(Locale.US);
// Store CN in StringBuilder in case we need to report an error.
buf.append(" <");
buf.append(cn);
@ -260,13 +260,15 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
Looks like toString() even works with non-ascii domain names!
I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
*/
String subjectPrincipal = cert.getSubjectX500Principal().toString();
StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
while(st.hasMoreTokens()) {
String tok = st.nextToken();
int x = tok.indexOf("CN=");
if(x >= 0) {
cnList.add(tok.substring(x + 3));
String tok = st.nextToken().trim();
if (tok.length() > 3) {
if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
cnList.add(tok.substring(3));
}
}
}
if(!cnList.isEmpty()) {
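Review bot: The new tokenizer loop (the lines that replace the indexOf("CN=") check) still splits the subject string on every ',' and so does not honour RFC 2253 escaping: a CN whose value contains a comma is typically rendered by toString() with the comma escaped or the value quoted, and the split cuts the name there, so the hostname match downstream sees a truncated CN. X500Principal.toString() is also documented as an unspecified, user-friendly form, whereas getName(X500Principal.RFC2253) is the specified one; parsing that with javax.naming.ldap.LdapName and taking the value of each Rdn whose type is CN would yield unescaped values without hand-parsing, with the empty-value skip that the length check provides kept in place. If the tokenizer stays, a comment above the loop should state the limitation, e.g. `// Splits on ',' only: escaped or quoted commas inside a CN value (RFC 2253) are not handled.` The enclosing method (getCNs, judging by the new test) starts before and ends after this hunk.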


@ -29,6 +29,7 @@ package org.apache.http.conn.ssl;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.Principal;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
@ -37,6 +38,7 @@ import javax.net.ssl.SSLException;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;
/**
* Unit tests for {@link X509HostnameVerifier}.
@ -336,7 +338,7 @@ public class TestHostnameVerifier {
@Test
// Various checks of 2TLDs
public void testacceptableCountryWildcards() {
public void testAcceptableCountryWildcards() {
checkWildcard("*.co.org", true); // Not a 2 character TLD
checkWildcard("s*.co.org", true); // Not a 2 character TLD
checkWildcard("*.co.uk", false); // 2 character TLD, invalid 2TLD
@ -345,4 +347,17 @@ public class TestHostnameVerifier {
checkWildcard("*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
checkWildcard("s*.a.co.uk", true); // 2 character TLD, invalid 2TLD, but using subdomain
}
public void testGetCNs() {
Principal principal = Mockito.mock(Principal.class);
X509Certificate cert = Mockito.mock(X509Certificate.class);
Mockito.when(cert.getSubjectDN()).thenReturn(principal);
Mockito.when(principal.toString()).thenReturn("bla, bla, blah");
Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
Mockito.when(principal.toString()).thenReturn("Cn=, Cn= , CN, OU=CN=");
Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert));
Mockito.when(principal.toString()).thenReturn(" Cn=blah, CN= blah , OU=CN=yada");
Assert.assertArrayEquals(new String[] {"blah", " blah"}, AbstractVerifier.getCNs(cert));
}
}
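Review bot: testGetCNs stubs `cert.getSubjectDN()`, but the context line shown in the AbstractVerifier hunk reads the subject via `cert.getSubjectX500Principal().toString()`; a Mockito mock returns null for that unstubbed call, so as far as the shown hunks go the test would fail with a NullPointerException before reaching the new parsing code. X500Principal is a final class, which the Mockito of this era cannot mock, so the valid-DN cases could instead stub the call the code actually makes, e.g. `Mockito.when(cert.getSubjectX500Principal()).thenReturn(new X500Principal("CN=blah, OU=yada"));` (constructed example), which also exercises a real DN rendering; the deliberately malformed inputs ("bla, bla, blah", a bare "CN") cannot be expressed that way and would need a different harness. The method also appears without an `@Test` annotation in this rendering — if that is not a dropped line, it is never run, unlike the annotated method above it. The surrounding class body is only shown through the hunk's context lines.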