HTTPCLIENT-2047: fixed regression in DefaultHostnameVerifier causing rejection of certs with non-standard domains.

This reverts commit e0416f07
This commit is contained in:
Oleg Kalnichevski 2020-01-25 15:49:44 +01:00
parent dbc3342781
commit 736c00da6d
3 changed files with 29 additions and 2 deletions

View File

@ -169,7 +169,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
final SubjectName subjectAlt = subjectAlts.get(i);
if (subjectAlt.getType() == SubjectName.DNS) {
final String normalizedSubjectAlt = DnsUtils.normalize(subjectAlt.getValue());
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher, DomainType.ICANN)) {
if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) {
return;
}
}
@ -182,7 +182,7 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
final String normalizedHost = DnsUtils.normalize(host);
final String normalizedCn = DnsUtils.normalize(cn);
if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher, DomainType.ICANN)) {
if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match " +
"common name of the certificate subject: " + cn);
}

View File

@ -35,6 +35,7 @@ import java.nio.charset.Charset;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLException;
@ -375,6 +376,7 @@ public class TestDefaultHostnameVerifier {
Assert.assertTrue(DefaultHostnameVerifier.matchIdentity( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict( "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
}
@Test // Check compressed IPv6 hostname matching
public void testHTTPCLIENT_1316() throws Exception{
final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
@ -417,4 +419,28 @@ public class TestDefaultHostnameVerifier {
}
}
@Test
public void testMatchDNSName() throws Exception {
DefaultHostnameVerifier.matchDNSName(
"host.domain.com",
Collections.singletonList(SubjectName.DNS("*.domain.com")),
publicSuffixMatcher);
DefaultHostnameVerifier.matchDNSName(
"host.xx",
Collections.singletonList(SubjectName.DNS("*.xx")),
publicSuffixMatcher);
DefaultHostnameVerifier.matchDNSName(
"host.appspot.com",
Collections.singletonList(SubjectName.DNS("*.appspot.com")),
publicSuffixMatcher);
DefaultHostnameVerifier.matchDNSName(
"demo-s3-bucket.s3.eu-central-1.amazonaws.com",
Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
publicSuffixMatcher);
DefaultHostnameVerifier.matchDNSName(
"hostname-workspace-1.local",
Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
publicSuffixMatcher);
}
}

View File

@ -27,6 +27,7 @@
xx
lan
appspot.com
s3.eu-central-1.amazonaws.com
// ===END PRIVATE DOMAINS===
// ===BEGIN ICANN DOMAINS===