From cea5b2697b2ae50e058e027800b2553b503c967d Mon Sep 17 00:00:00 2001 From: Oleg Kalnichevski Date: Fri, 20 Jan 2017 19:21:10 +0000 Subject: [PATCH] HTTPCLIENT-1802: Do not attempt to match SSL host to subject CN if subject alternative name of any type are given git-svn-id: https://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk@1779669 13f79535-47bb-0310-9956-ffa450edef68 --- .../http/ssl/DefaultHostnameVerifier.java | 74 +++++++++---------- .../http/ssl/SSLConnectionSocketFactory.java | 2 +- .../hc/client5/http/ssl/SubjectName.java | 65 ++++++++++++++++ .../http/ssl/CertificatesToPlayWith.java | 41 ++++++++++ .../http/ssl/TestDefaultHostnameVerifier.java | 27 +++++-- 5 files changed, 164 insertions(+), 45 deletions(-) create mode 100644 httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SubjectName.java diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java index fd33f8aee..a5d48ee58 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java @@ -34,6 +34,7 @@ import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; +import java.util.Collections; import java.util.List; import java.util.Locale; import java.util.NoSuchElementException; @@ -108,7 +109,7 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier public void verify( final String host, final X509Certificate cert) throws SSLException { final HostNameType hostType = determineHostFormat(host); - final List subjectAlts = extractSubjectAlts(cert, hostType.subjectType); + final List subjectAlts = getSubjectAltNames(cert); if (subjectAlts != null && !subjectAlts.isEmpty()) { switch (hostType) { case IPv4: @@ -133,38 +134,44 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier } } - static void matchIPAddress(final String host, final List subjectAlts) throws SSLException { + static void matchIPAddress(final String host, final List subjectAlts) throws SSLException { for (int i = 0; i < subjectAlts.size(); i++) { - final String subjectAlt = subjectAlts.get(i); - if (host.equals(subjectAlt)) { - return; + final SubjectName subjectAlt = subjectAlts.get(i); + if (subjectAlt.getType() == SubjectName.IP) { + if (host.equals(subjectAlt.getValue())) { + return; + } } } throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any " + "of the subject alternative names: " + subjectAlts); } - static void matchIPv6Address(final String host, final List subjectAlts) throws SSLException { + static void matchIPv6Address(final String host, final List subjectAlts) throws SSLException { final String normalisedHost = normaliseAddress(host); for (int i = 0; i < subjectAlts.size(); i++) { - final String subjectAlt = subjectAlts.get(i); - final String normalizedSubjectAlt = normaliseAddress(subjectAlt); - if (normalisedHost.equals(normalizedSubjectAlt)) { - return; + final SubjectName subjectAlt = subjectAlts.get(i); + if (subjectAlt.getType() == SubjectName.IP) { + final String normalizedSubjectAlt = normaliseAddress(subjectAlt.getValue()); + if (normalisedHost.equals(normalizedSubjectAlt)) { + return; + } } } throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any " + "of the subject alternative names: " + subjectAlts); } - static void matchDNSName(final String host, final List subjectAlts, + static void matchDNSName(final String host, final List subjectAlts, final PublicSuffixMatcher publicSuffixMatcher) throws SSLException { final String normalizedHost = host.toLowerCase(Locale.ROOT); for (int i = 0; i < subjectAlts.size(); i++) { - final String subjectAlt = subjectAlts.get(i); - final String normalizedSubjectAlt = subjectAlt.toLowerCase(Locale.ROOT); - if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) { - return; + final SubjectName subjectAlt = subjectAlts.get(i); + if (subjectAlt.getType() == SubjectName.DNS) { + final String normalizedSubjectAlt = subjectAlt.getValue().toLowerCase(Locale.ROOT); + if (matchIdentityStrict(normalizedHost, normalizedSubjectAlt, publicSuffixMatcher)) { + return; + } } } throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any " + @@ -287,33 +294,24 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier return HostNameType.DNS; } - static List extractSubjectAlts(final X509Certificate cert, final int subjectType) { - Collection> c = null; + static List getSubjectAltNames(final X509Certificate cert) { try { - c = cert.getSubjectAlternativeNames(); - } catch(final CertificateParsingException ignore) { - return null; - } - List subjectAltList = null; - if (c != null) { - for (final List aC : c) { - final List list = aC; - final int type = ((Integer) list.get(0)).intValue(); - if (type == subjectType) { - final String s = (String) list.get(1); - if (subjectAltList == null) { - subjectAltList = new ArrayList<>(); - } - subjectAltList.add(s); + final Collection> entries = cert.getSubjectAlternativeNames(); + if (entries == null) { + return Collections.emptyList(); + } + final List result = new ArrayList<>(); + for (List entry: entries) { + final Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null; + if (type != null) { + final String s = (String) entry.get(1); + result.add(new SubjectName(s, type)); } } + return result; + } catch (final CertificateParsingException ignore) { + return Collections.emptyList(); } - return subjectAltList; - } - - static List extractSubjectAlts(final String host, final X509Certificate cert) { - final HostNameType hostType = determineHostFormat(host); - return extractSubjectAlts(cert, hostType.subjectType); } /* diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java index 42e3f9d64..cad1b4219 100644 --- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java @@ -404,7 +404,7 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor } else if (!this.hostnameVerifier.verify(hostname, session)) { final Certificate[] certs = session.getPeerCertificates(); final X509Certificate x509 = (X509Certificate) certs[0]; - final List subjectAlts = DefaultHostnameVerifier.extractSubjectAlts(hostname, x509); + final List subjectAlts = DefaultHostnameVerifier.getSubjectAltNames(x509); throw new SSLPeerUnverifiedException("Certificate for <" + hostname + "> doesn't match any " + "of the subject alternative names: " + subjectAlts); } diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SubjectName.java b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SubjectName.java new file mode 100644 index 000000000..4be11c00b --- /dev/null +++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SubjectName.java @@ -0,0 +1,65 @@ +/* + * ==================================================================== + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + */ +package org.apache.hc.client5.http.ssl; + +import org.apache.hc.core5.util.Args; + +final class SubjectName { + + static final int DNS = 2; + static final int IP = 7; + + private final String value; + private final int type; + + static SubjectName IP(final String value) { + return new SubjectName(value, IP); + } + + static SubjectName DNS(final String value) { + return new SubjectName(value, DNS); + } + + SubjectName(final String value, final int type) { + this.value = Args.notNull(value, "Value"); + this.type = Args.positive(type, "Type"); + } + + public int getType() { + return type; + } + + public String getValue() { + return value; + } + + @Override + public String toString() { + return value; + } + +} diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/CertificatesToPlayWith.java b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/CertificatesToPlayWith.java index b393cd27e..344a81ed5 100644 --- a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/CertificatesToPlayWith.java +++ b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/CertificatesToPlayWith.java @@ -509,4 +509,45 @@ public class CertificatesToPlayWith { "I1mQmUs44cg2HZAqnFBpDyJQhNYy8M7yGVaRkbfuVaMqiPa+xDPR5v7NFB3kxRq2\n" + "Za2Snopi52eUxDEhJ0MNqFi3Jfj/ZSmJ+XHra5lU4R8lijCAq8SVLZCmIQ==\n" + "-----END CERTIFICATE-----").getBytes(); + + public final static byte[] S_GOOGLE_COM = ( + "-----BEGIN CERTIFICATE-----\n" + + "MIICpzCCAY+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAwqLmdv\n" + + "b2dsZS5jb20wHhcNMTcwMTEzMjI0OTAzWhcNMTgwMTEzMjI0OTAzWjAXMRUwEwYD\n" + + "VQQDDAwqLmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\n" + + "AQDHuzznuHdJ5PH344xCyGYnUnIRhyLGBKN3WDLLrXWtr/5Sf3Q1qkiMiJ4BINsh\n" + + "3Xy0z7VvHmMFlntgHXtkofBUPvTihxsVIypRkCZb5hpsWLotR10AW2JpVl/oxLP2\n" + + "227/36X1zKh33fjImLJl9KzGWHLsbCBleQQJOn7YRsNR/QBZO0XGGkN/R2rRfLF3\n" + + "rseRfI5gJjZkO0WDxocnf/iieOe0XNR0NAZaY1aozzPmZ/pRrOKYB8OFH7F73WOC\n" + + "lPIUGai/byJ9SpbXdLUcMlGhml/4XzcnV/WVRD2P/mlY+xEFG3UEy3ufhNnKFJul\n" + + "yjZrOaKbagamqtOyktzkjnerAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBADaMcwVs\n" + + "w5kbnoDJzMBJ01H16T4u8k78i/ybwz7u7krgkU0tABXCRj7S/4Dt3jqQ/rV6evj4\n" + + "gIJ/2kZUp/PHKkV7CxWI48XBTAQUu9LEpxj0Hut3AtNMD9y/J6cFn2978tWsHFHI\n" + + "mYgvclKUDE4WFMvuxfQVuX3RcGQ5i8khEMczY/KVhZYDcLU1PU0GTTJqqrQm59Z4\n" + + "T4UyI3OPBR7Nb/kaU1fcgQ083uxRXcNYRMMZnU6c2oFnR+c6pO6aGoXo0C6rgC4R\n" + + "pOj4hPvHCfZO2xg6HAdQ7UPALLX8pu5KGot7GRc8yiJ/Q1nBEuiPKKu0MIwQoFgP\n" + + "WUux/APTsgLR7Vc=\n" + + "-----END CERTIFICATE-----" + ).getBytes(); + + public final static byte[] IP_1_1_1_1 = ( + "-----BEGIN CERTIFICATE-----\n" + + "MIICwjCCAaqgAwIBAgIBATANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDEw9kdW1t\n" + + "eS12YWx1ZS5jb20wHhcNMTcwMTEzMjI1MTQ2WhcNMTgwMTEzMjI1MTQ2WjAaMRgw\n" + + "FgYDVQQDEw9kdW1teS12YWx1ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n" + + "ggEKAoIBAQDfrapp3jHLp1RlElzpR/4sF9AcTYwMF1N+adkHRoVtmTlJV2lTIAjn\n" + + "QLauy0Kkzv8uxmbID3uROgrFNDQ5RxTTCe+kW/vE6Pyzr5Z5ayjSTKeycTE7mAC4\n" + + "6ntoCeEWiD593zlfqVo5PuRSp9Kusd+kexNVjC/BETDPa3yXctcH1ouW9GyGItgQ\n" + + "u4GhCE8cipKMuTltgfK+Gh/5e9lFG9/F2fD+wHUVBULLR3JOQoqwgk2zAwKDwLuS\n" + + "sEd1CBi35+W3apCKN0SEdTKIAxc/R+O/1j2hpOl9yXCCYyveGwJdFXVZtDcx+9/H\n" + + "7NXhOdmw/mTXC5fOQGKciEo2SXt8Wp89AgMBAAGjEzARMA8GA1UdEQQIMAaHBAEB\n" + + "AQEwDQYJKoZIhvcNAQEFBQADggEBAEAO6CE8twpcfdjk9oMjI5nX9GdC5Wt6+ujd\n" + + "tLj0SbXvMKzCLLkveT0xTEzXfyEo8KW2qYYvPP1h83BIxsbR/J3Swt35UQVofv+4\n" + + "JgO0FIdgB+iLEcjUh5+60xslylqWE+9bSWm4f06OXuv78tq5NYPZKku/3i4tqLRp\n" + + "gH2rTtjX7Q4olSS7GdAgfiA2AnDZAbMtxtsnTt/QFpYQqhlkqHVDwgkGP7C8aMBD\n" + + "RH0UIQCPxUkhwhtNmVyHO42r6oHXselZoVU6XRHuhogrGxPf/pzDUvrKBiJhsZQQ\n" + + "oEu+pZCwkFLiNwUoq1G2oDpkkdBWB0JcBXB2Txa536ezFFWZYc0=\n" + + "-----END CERTIFICATE-----" + ).getBytes(); + } diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java index d84d1cb53..2f33b6396 100644 --- a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java +++ b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java @@ -149,6 +149,21 @@ public class TestDefaultHostnameVerifier { in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_VALUE_AVA); x509 = (X509Certificate) cf.generateCertificate(in); impl.verify("repository.infonotary.com", x509); + + in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM); + x509 = (X509Certificate) cf.generateCertificate(in); + impl.verify("*.google.com", x509); + + in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM); + x509 = (X509Certificate) cf.generateCertificate(in); + impl.verify("*.Google.com", x509); + + in = new ByteArrayInputStream(CertificatesToPlayWith.IP_1_1_1_1); + x509 = (X509Certificate) cf.generateCertificate(in); + impl.verify("1.1.1.1", x509); + + exceptionPlease(impl, "1.1.1.2", x509); + exceptionPlease(impl, "dummy-value.com", x509); } @Test @@ -259,18 +274,18 @@ public class TestDefaultHostnameVerifier { @Test // Check compressed IPv6 hostname matching public void testHTTPCLIENT_1316() throws Exception{ final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001"; - DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList("2001:0db8:aaaa:bbbb:cccc:0:0:0001")); - DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList("2001:0db8:aaaa:bbbb:cccc::1")); + DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001"))); + DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1"))); try { - DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList("2001:0db8:aaaa:bbbb:cccc::10")); + DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10"))); Assert.fail("SSLException expected"); } catch (final SSLException expected) { } final String host2 = "2001:0db8:aaaa:bbbb:cccc::1"; - DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList("2001:0db8:aaaa:bbbb:cccc:0:0:0001")); - DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList("2001:0db8:aaaa:bbbb:cccc::1")); + DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001"))); + DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1"))); try { - DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList("2001:0db8:aaaa:bbbb:cccc::10")); + DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10"))); Assert.fail("SSLException expected"); } catch (final SSLException expected) { }