Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

430951 Support SNI with ExtendedSslContextFactory 

Added support for SAN names
optimised lookup
This commit is contained in:
Greg Wilkins 2015-04-21 14:14:04 +10:00
parent 78bf5978de
commit 53fdbd2ec0
3 changed files with 64 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
jetty-server/src/test/java/org/eclipse/jetty/server/ssl/SslConnectionFactoryTest.java
View File

@ -154,6 +154,12 @@ public class SslConnectionFactoryTest
response= getResponse("foo.domain.com","*.domain.com"); response= getResponse("foo.domain.com","*.domain.com");
Assert.assertThat(response,Matchers.containsString("host=foo.domain.com")); Assert.assertThat(response,Matchers.containsString("host=foo.domain.com"));
response= getResponse("m.san.com","san example");
Assert.assertThat(response,Matchers.containsString("host=m.san.com"));
response= getResponse("www.san.com","san example");
Assert.assertThat(response,Matchers.containsString("host=www.san.com"));
} }

BIN
jetty-server/src/test/resources/snikeystore
View File

Binary file not shown.

62
jetty-util/src/main/java/org/eclipse/jetty/util/ssl/ExtendedSslContextFactory.java
View File

@ -21,8 +21,11 @@ package org.eclipse.jetty.util.ssl;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@ -36,6 +39,7 @@ import javax.net.ssl.SSLParameters;
import javax.net.ssl.StandardConstants; import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509ExtendedKeyManager;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.log.Log; import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger; import org.eclipse.jetty.util.log.Logger;
@ -57,6 +61,7 @@ public class ExtendedSslContextFactory extends SslContextFactory
static final Logger LOG = Log.getLogger(ExtendedSslContextFactory.class); static final Logger LOG = Log.getLogger(ExtendedSslContextFactory.class);
public final static Pattern __cnPattern = Pattern.compile(".*[cC][nN]=\\h*([^,\\h]*).*"); public final static Pattern __cnPattern = Pattern.compile(".*[cC][nN]=\\h*([^,\\h]*).*");
private final Map<String,String> _aliases = new HashMap<>(); private final Map<String,String> _aliases = new HashMap<>();
private final Map<String,String> _wild = new HashMap<>();
private boolean _useCipherSuitesOrder=true; private boolean _useCipherSuitesOrder=true;
public boolean isUseCipherSuitesOrder() public boolean isUseCipherSuitesOrder()
@ -87,20 +92,48 @@ public class ExtendedSslContextFactory extends SslContextFactory
if ("X.509".equals(certificate.getType())) if ("X.509".equals(certificate.getType()))
{ {
X509Certificate x509 = (X509Certificate)certificate; X509Certificate x509 = (X509Certificate)certificate;
boolean named=false;
Collection<List<?>> altNames = x509.getSubjectAlternativeNames();
if (altNames!=null)
{
for (List<?> list : altNames)
{
if (((Number)list.get(0)).intValue() == 2 )
{
String cn = list.get(1).toString();
LOG.info("Certificate san alias={} cn={} in {}",alias,cn,_factory);
if (cn!=null)
{
named=true;
_aliases.put(cn,alias);
}
}
}
}
if (!named)
{
Matcher matcher = __cnPattern.matcher(x509.getSubjectX500Principal().getName("CANONICAL")); Matcher matcher = __cnPattern.matcher(x509.getSubjectX500Principal().getName("CANONICAL"));
if (matcher.matches()) if (matcher.matches())
{ {
String cn = matcher.group(1); String cn = matcher.group(1);
LOG.debug("Certificate alias={} cn={} in {}",alias,cn,_factory); LOG.info("Certificate cn alias={} cn={} in {}",alias,cn,_factory);
if (cn!=null) if (cn!=null)
_aliases.put(alias,cn); _aliases.put(cn,alias);
}
} }
} }
} }
} }
LOG.debug("aliases={} for {}",_aliases,this); // find wild aliases
_wild.clear();
for (String name : _aliases.keySet())
if (name.startsWith("*."))
_wild.put(name.substring(1),_aliases.get(name));
LOG.info("aliases={} for {}",_aliases,this);
} }
@Override @Override
@ -159,31 +192,30 @@ public class ExtendedSslContextFactory extends SslContextFactory
if (_name==null || _aliases.size()==0) if (_name==null || _aliases.size()==0)
return true; return true;
for (String alias:_aliases.keySet()) // Try an exact match
_alias = _aliases.get(_name.getAsciiName());
if (_alias!=null)
{ {
String cn = _aliases.get(alias); if (LOG.isDebugEnabled())
LOG.debug("matched {}->{}",_name.getAsciiName(),_alias);
if (cn.equals(_name.getAsciiName()))
{
_alias=alias;
LOG.debug("matches={}",alias);
return true; return true;
} }
if (cn.startsWith("*.")) // Try wild card matches
for (String wild:_wild.keySet())
{ {
String domain = _name.getAsciiName(); String domain = _name.getAsciiName();
domain=domain.substring(domain.indexOf('.')); domain=domain.substring(domain.indexOf('.'));
if (cn.substring(1).equals(domain)) if (wild.equals(domain))
{ {
_alias=alias; _alias=_wild.get(wild);
LOG.debug("matches={}",alias); if (LOG.isDebugEnabled())
LOG.debug("wild match {}->{}",_name.getAsciiName(),_alias);
return true; return true;
} }
} }
} }
}
return false; return false;
} }