Improved FQDN matching

2024-08-16 16:47:14 +02:00 · 2024-08-16 16:47:14 +02:00 · d7ed56894a
parent 4009567af7
commit d7ed56894a
2 changed files with 51 additions and 3 deletions
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
@ -35,6 +35,7 @@ import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.LinkedList;
 import java.util.List;

 import javax.net.ssl.SSLException;
@ -182,12 +183,41 @@ public final class DefaultHostnameVerifier implements HttpClientHostnameVerifier
        }
    }

+    static List<CharSequence> parseFQDN(final CharSequence s) {
+        if (s == null) {
+            return null;
+        }
+        final LinkedList<CharSequence> elements = new LinkedList<>();
+        int pos = 0;
+        for (int i = 0; i < s.length(); i++) {
+            final char ch = s.charAt(i);
+            if (ch == '.') {
+                elements.addFirst(s.subSequence(pos, i));
+                pos = i + 1;
+            }
+        }
+        elements.addFirst(s.subSequence(pos, s.length()));
+        return elements;
+    }
+
    static boolean matchDomainRoot(final String host, final String domainRoot) {
        if (domainRoot == null) {
            return false;
        }
-        return host.endsWith(domainRoot) && (host.length() == domainRoot.length()
-                || host.charAt(host.length() - domainRoot.length() - 1) == '.');
+        final List<CharSequence> hostElements = parseFQDN(host);
+        final List<CharSequence> rootElements = parseFQDN(domainRoot);
+        if (hostElements.size() >= rootElements.size()) {
+            for (int i = 0; i < rootElements.size(); i++) {
+                final CharSequence s1 = rootElements.get(i);
+                final CharSequence s2 = hostElements.get(i);
+                if (!s1.equals(s2)) {
+                    return false;
+                }
+            }
+            return true;
+        } else {
+            return false;
+        }
    }

    private static boolean matchIdentity(final String host, final String identity,
--- a/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/ssl/TestDefaultHostnameVerifier.java
@ -34,6 +34,7 @@ import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;

@ -210,8 +211,25 @@ class TestDefaultHostnameVerifier {
    }

    @Test
-    void testDomainRootMatching() {
+    void testParseFQDN() {
+        Assertions.assertEquals(Arrays.asList("blah"),
+                DefaultHostnameVerifier.parseFQDN("blah"));
+        Assertions.assertEquals(Arrays.asList("blah", "blah"),
+                DefaultHostnameVerifier.parseFQDN("blah.blah"));
+        Assertions.assertEquals(Arrays.asList("blah", "blah", "blah"),
+                DefaultHostnameVerifier.parseFQDN("blah.blah.blah"));
+        Assertions.assertEquals(Arrays.asList("", "", "blah", ""),
+                DefaultHostnameVerifier.parseFQDN(".blah.."));
+        Assertions.assertEquals(Arrays.asList(""),
+                DefaultHostnameVerifier.parseFQDN(""));
+        Assertions.assertEquals(Arrays.asList("", ""),
+                DefaultHostnameVerifier.parseFQDN("."));
+        Assertions.assertEquals(Arrays.asList("com", "domain", "host"),
+                DefaultHostnameVerifier.parseFQDN("host.domain.com"));
+    }

+    @Test
+    void testDomainRootMatching() {
        Assertions.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", null));
        Assertions.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "a.b.c"));
        Assertions.assertFalse(DefaultHostnameVerifier.matchDomainRoot("aa.b.c", "a.b.c"));