Apache
/
httpcomponents-client
mirror of https://github.com/apache/httpcomponents-client.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Extracted hostname verification code into a separate support class

This commit is contained in:
Oleg Kalnichevski 2018-10-20 10:34:06 +02:00
parent 2a4220a39f
commit e72d745ecd
3 changed files with 138 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/H2TlsStrategy.java
View File

@ -30,20 +30,13 @@ package org.apache.hc.client5.http.ssl;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
import org.apache.hc.core5.annotation.Contract;
@ -112,6 +105,7 @@ public class H2TlsStrategy implements TlsStrategy {
private final String[] supportedCipherSuites;
private final SSLBufferMode sslBufferManagement;
private final HostnameVerifier hostnameVerifier;
private final TlsSessionValidator tlsSessionValidator;
public H2TlsStrategy(
final SSLContext sslContext,
@ -125,6 +119,7 @@ public class H2TlsStrategy implements TlsStrategy {
this.supportedCipherSuites = supportedCipherSuites;
this.sslBufferManagement = sslBufferManagement != null ? sslBufferManagement : SSLBufferMode.STATIC;
this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : getDefaultHostnameVerifier();
this.tlsSessionValidator = new TlsSessionValidator(log);
}
public H2TlsStrategy(
@ -174,67 +169,17 @@ public class H2TlsStrategy implements TlsStrategy {
return true;
}
protected TlsDetails createTlsDetails(final SSLEngine sslEngine) {
return null;
}
protected void initializeEngine(final SSLEngine sslEngine) {
}
protected void verifySession(
final String hostname,
final SSLSession sslsession) throws SSLException {
if (log.isDebugEnabled()) {
log.debug("Secure session established");
log.debug(" negotiated protocol: " + sslsession.getProtocol());
log.debug(" negotiated cipher suite: " + sslsession.getCipherSuite());
try {
final Certificate[] certs = sslsession.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final X500Principal peer = x509.getSubjectX500Principal();
log.debug(" peer principal: " + peer.toString());
final Collection<List<?>> altNames1 = x509.getSubjectAlternativeNames();
if (altNames1 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames1) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
log.debug(" peer alternative names: " + altNames);
}
final X500Principal issuer = x509.getIssuerX500Principal();
log.debug(" issuer principal: " + issuer.toString());
final Collection<List<?>> altNames2 = x509.getIssuerAlternativeNames();
if (altNames2 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames2) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
log.debug(" issuer alternative names: " + altNames);
}
} catch (final Exception ignore) {
}
}
if (this.hostnameVerifier instanceof HttpClientHostnameVerifier) {
final Certificate[] certs = sslsession.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
((HttpClientHostnameVerifier) this.hostnameVerifier).verify(hostname, x509);
} else if (!this.hostnameVerifier.verify(hostname, sslsession)) {
final Certificate[] certs = sslsession.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final List<SubjectName> subjectAlts = DefaultHostnameVerifier.getSubjectAltNames(x509);
throw new SSLPeerUnverifiedException("Certificate for <" + hostname + "> doesn't match any " +
"of the subject alternative names: " + subjectAlts);
}
}
protected TlsDetails createTlsDetails(final SSLEngine sslEngine) {
return null;
tlsSessionValidator.verifySession(hostname, sslsession, hostnameVerifier);
}
}

67
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
View File

@ -31,21 +31,17 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;
import org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory;
@ -190,6 +186,7 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor
private final HostnameVerifier hostnameVerifier;
private final String[] supportedProtocols;
private final String[] supportedCipherSuites;
private final TlsSessionValidator tlsSessionValidator;
public SSLConnectionSocketFactory(final SSLContext sslContext) {
this(sslContext, getDefaultHostnameVerifier());
@ -237,6 +234,7 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor
this.supportedProtocols = supportedProtocols;
this.supportedCipherSuites = supportedCipherSuites;
this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : getDefaultHostnameVerifier();
this.tlsSessionValidator = new TlsSessionValidator(log);
}
/**
@ -356,58 +354,7 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor
if (session == null) {
throw new SSLHandshakeException("SSL session not available");
}
if (this.log.isDebugEnabled()) {
this.log.debug("Secure session established");
this.log.debug(" negotiated protocol: " + session.getProtocol());
this.log.debug(" negotiated cipher suite: " + session.getCipherSuite());
try {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final X500Principal peer = x509.getSubjectX500Principal();
this.log.debug(" peer principal: " + peer.toString());
final Collection<List<?>> altNames1 = x509.getSubjectAlternativeNames();
if (altNames1 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames1) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
this.log.debug(" peer alternative names: " + altNames);
}
final X500Principal issuer = x509.getIssuerX500Principal();
this.log.debug(" issuer principal: " + issuer.toString());
final Collection<List<?>> altNames2 = x509.getIssuerAlternativeNames();
if (altNames2 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames2) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
this.log.debug(" issuer alternative names: " + altNames);
}
} catch (final Exception ignore) {
}
}
if (this.hostnameVerifier instanceof HttpClientHostnameVerifier) {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
((HttpClientHostnameVerifier) this.hostnameVerifier).verify(hostname, x509);
} else if (!this.hostnameVerifier.verify(hostname, session)) {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
final List<SubjectName> subjectAlts = DefaultHostnameVerifier.getSubjectAltNames(x509);
throw new SSLPeerUnverifiedException("Certificate for <" + hostname + "> doesn't match any " +
"of the subject alternative names: " + subjectAlts);
}
// verifyHostName() didn't blowup - good!
verifySession(hostname, session);
} catch (final IOException iox) {
// close the socket before re-throwing the exception
Closer.closeQuietly(sslsock);
@ -415,4 +362,10 @@ public class SSLConnectionSocketFactory implements LayeredConnectionSocketFactor
}
}
protected void verifySession(
final String hostname,
final SSLSession sslsession) throws SSLException {
tlsSessionValidator.verifySession(hostname, sslsession, hostnameVerifier);
}
}

121
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TlsSessionValidator.java Normal file
View File

@ -0,0 +1,121 @@
/*
* ====================================================================
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
* <http://www.apache.org/>.
*
*/
package org.apache.hc.client5.http.ssl;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
final class TlsSessionValidator {
private final Logger log;
TlsSessionValidator(final Logger log) {
this.log = log;
}
void verifySession(
final String hostname,
final SSLSession sslsession,
final HostnameVerifier hostnameVerifier) throws SSLException {
if (log.isDebugEnabled()) {
log.debug("Secure session established");
log.debug(" negotiated protocol: " + sslsession.getProtocol());
log.debug(" negotiated cipher suite: " + sslsession.getCipherSuite());
try {
final Certificate[] certs = sslsession.getPeerCertificates();
final Certificate cert = certs[0];
if (cert instanceof X509Certificate) {
final X509Certificate x509 = (X509Certificate) cert;
final X500Principal peer = x509.getSubjectX500Principal();
log.debug(" peer principal: " + peer.toString());
final Collection<List<?>> altNames1 = x509.getSubjectAlternativeNames();
if (altNames1 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames1) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
log.debug(" peer alternative names: " + altNames);
}
final X500Principal issuer = x509.getIssuerX500Principal();
log.debug(" issuer principal: " + issuer.toString());
final Collection<List<?>> altNames2 = x509.getIssuerAlternativeNames();
if (altNames2 != null) {
final List<String> altNames = new ArrayList<>();
for (final List<?> aC : altNames2) {
if (!aC.isEmpty()) {
altNames.add((String) aC.get(1));
}
}
log.debug(" issuer alternative names: " + altNames);
}
}
} catch (final Exception ignore) {
}
}
if (hostnameVerifier != null) {
final Certificate[] certs = sslsession.getPeerCertificates();
if (certs.length < 1) {
throw new SSLPeerUnverifiedException("Peer ceritifate chain is empty");
}
final Certificate peerCertificate = certs[0];
final X509Certificate x509Certificate;
if (peerCertificate instanceof X509Certificate) {
x509Certificate = (X509Certificate) peerCertificate;
} else {
throw new SSLPeerUnverifiedException("Unexpected ceritifcate type: " + peerCertificate.getType());
}
if (hostnameVerifier instanceof HttpClientHostnameVerifier) {
((HttpClientHostnameVerifier) hostnameVerifier).verify(hostname, x509Certificate);
} else if (!hostnameVerifier.verify(hostname, sslsession)) {
final List<SubjectName> subjectAlts = DefaultHostnameVerifier.getSubjectAltNames(x509Certificate);
throw new SSLPeerUnverifiedException("Certificate for <" + hostname + "> doesn't match any " +
"of the subject alternative names: " + subjectAlts);
}
}
}
}