475927 - SecureRequestCustomizer fails to match host.

Cosmetic changes during review.
Simone Bordet 2015-08-27 11:14:33 +02:00
parent 8070ce61f3
commit bee5437bad
3 changed files with 25 additions and 32 deletions


@ -19,7 +19,6 @@
package org.eclipse.jetty.server;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
@ -107,14 +106,13 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
String name = request.getServerName();
@SuppressWarnings("unchecked")
X509 x509 = (X509)sslSession.getValue(SniX509ExtendedKeyManager.SNI_X509);
if (x509!=null && !x509.matches(name))
{
LOG.warn("Host {} does not match SNI {}",name,x509);
throw new BadMessageException(400,"Host does not match SNI");
}
if (LOG.isDebugEnabled())
LOG.debug("Host {} matched SNI {}",name,x509);
}
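Review bot: The debug line at the end of the hunk reports `Host {} matched SNI {}` even when `x509` is null, i.e. when the session carries no `SNI_X509` value and the comparison above it was skipped, so the trace claims a match that never happened — unhelpful when diagnosing exactly the mismatch named in the bug title. Guarding it as `if (x509!=null && LOG.isDebugEnabled())`, or logging a distinct `Host {} not checked: no SNI certificate on session` message in the null case, keeps the log honest. The `@SuppressWarnings("unchecked")` on the `(X509)` cast suppresses a warning the compiler does not emit for a plain reference cast; if that line is on the new side it can be dropped. The enclosing method's signature and the declaration of `sslSession` lie outside the hunk.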


@ -299,7 +299,7 @@ public class SslContextFactory extends AbstractLifeCycle
{
return _aliasX509.get(alias);
}
/**
* Create the SSLContext object and start the lifecycle
* @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart()
@ -359,7 +359,7 @@ public class SslContextFactory extends AbstractLifeCycle
}
X509 x509 = new X509(alias,x509C);
_aliasX509.put(alias,x509);
if (_validateCerts)
{
CertificateValidator validator = new CertificateValidator(trustStore, crls);
@ -371,7 +371,7 @@ public class SslContextFactory extends AbstractLifeCycle
}
LOG.info("x509={} for {}",x509,this);
for (String h:x509.getHosts())
_certHosts.put(h,x509);
for (String w:x509.getWilds())
@ -405,7 +405,7 @@ public class SslContextFactory extends AbstractLifeCycle
LOG.debug("Selected Ciphers {} of {}",Arrays.asList(_selectedCipherSuites),Arrays.asList(sslEngine.getSupportedCipherSuites()));
}
}
@Override
protected void doStop() throws Exception
{
@ -1710,15 +1710,15 @@ public class SslContextFactory extends AbstractLifeCycle
{
String host = _host = ((SNIHostName)serverName).getAsciiName();
host=StringUtil.asciiToLowerCase(host);
// Try an exact match
_x509 = _certHosts.get(host);
// Else try an exact wild match
if (_x509==null)
{
_x509 = _certWilds.get(host);
// Else try an 1 deep wild match
if (_x509==null)
{
@ -1733,10 +1733,12 @@ public class SslContextFactory extends AbstractLifeCycle
if (LOG.isDebugEnabled())
LOG.debug("SNI matched {}->{}",host,_x509);
}
else if (LOG.isDebugEnabled())
LOG.debug("SNI no match for {}", serverName);
else
{
if (LOG.isDebugEnabled())
LOG.debug("SNI no match for {}", serverName);
}
// Return true and allow the KeyManager to accept or reject when choosing a certificate.
// If we don't have a SNI host, or didn't see any certificate aliases,
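Review bot: In the hunk at line 371, `_certHosts.put(h,x509)` (and the `_certWilds` loop that follows it) silently replaces whatever an earlier alias registered for the same host, so if two keystore aliases carry the same CN or SAN the certificate selected for that SNI name depends on alias iteration order and nothing records the collision. Capturing the return value, e.g. `X509 prev=_certHosts.put(h,x509); if (prev!=null) LOG.warn("Host {} of {} replaces {}",h,x509,prev);` (assuming `_certHosts` is a `Map`), makes the ambiguity visible at startup instead of at handshake time. In the hunk at line 1710, `_host` keeps the SNI name in its original case while the local `host` is lowercased for the table lookups; if `_host` is compared anywhere else, that comparison is case-sensitive while the lookup is not, so a short comment on the field stating which form it holds would help. Both enclosing methods start outside their hunks.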


@ -32,14 +32,13 @@ import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
public class X509
{
static final Logger LOG = Log.getLogger(X509.class);
private static final Logger LOG = Log.getLogger(X509.class);
/*
* @see {@link X509Certificate#getKeyUsage()}
*/
@ -51,26 +50,22 @@ public class X509
*/
private static final int SUBJECT_ALTERNATIVE_NAMES__DNS_NAME=2;
public static boolean isCertSign(X509Certificate x509)
{
boolean[] key_usage=x509.getKeyUsage();
return key_usage!=null && key_usage[KEY_USAGE__KEY_CERT_SIGN];
}
private final X509Certificate _x509;
private final String _alias;
private final List<String> _hosts=new ArrayList<>();
private final List<String> _wilds=new ArrayList<>();
public X509(String alias,X509Certificate x509) throws CertificateParsingException, InvalidNameException
{
_alias=alias;
_x509 = x509;
// Look for alternative name extensions
boolean named=false;
Collection<List<?>> altNames = x509.getSubjectAlternativeNames();
@ -82,7 +77,7 @@ public class X509
{
String cn = list.get(1).toString();
if (LOG.isDebugEnabled())
LOG.debug("Certificate SAN alias={} cn={} in {}",alias,cn,this);
LOG.debug("Certificate SAN alias={} CN={} in {}",alias,cn,this);
if (cn!=null)
{
named=true;
@ -92,28 +87,27 @@ public class X509
}
}
// If no names found, look up the cn from the subject
// If no names found, look up the CN from the subject
if (!named)
{
LdapName name=new LdapName(x509.getSubjectX500Principal().getName(X500Principal.RFC2253));
for (Rdn rdn : name.getRdns())
{
if (rdn.getType().equalsIgnoreCase("cn"))
if (rdn.getType().equalsIgnoreCase("CN"))
{
String cn = rdn.getValue().toString();
if (LOG.isDebugEnabled())
LOG.debug("Certificate cn alias={} cn={} in {}",alias,cn,this);
LOG.debug("Certificate CN alias={} CN={} in {}",alias,cn,this);
if (cn!=null && cn.contains(".") && !cn.contains(" "))
addName(cn);
}
}
}
}
protected void addName(String cn)
{
cn=StringUtil.asciiToLowerCase(cn);
cn.toLowerCase();
if (cn.startsWith("*."))
_wilds.add(cn.substring(2));
else
@ -124,17 +118,17 @@ public class X509
{
return _alias;
}
public X509Certificate getCertificate()
{
return _x509;
}
public Set<String> getHosts()
{
return new HashSet<>(_hosts);
}
public Set<String> getWilds()
{
return new HashSet<>(_wilds);
@ -156,7 +150,6 @@ public class X509
return false;
}
@Override
public String toString()
{
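Review bot: In `addName`, the adjacent lines `cn=StringUtil.asciiToLowerCase(cn);` and `cn.toLowerCase();` are the old/new pair of this change and the rendering does not show which side is which; whichever survives, `cn.toLowerCase();` is a no-op because its result is discarded, so if it is the new side the name is stored in its original case and will never match the lowercased SNI host that `SslContextFactory` looks up in `_certHosts` and `_certWilds`. The line that should remain is `cn=StringUtil.asciiToLowerCase(cn);`, mirroring the lowercasing on the lookup side. Separately, `getHosts()` and `getWilds()` hand out a fresh `HashSet` copy while the backing fields are `List`s, so a name repeated across several SAN entries could be stored twice and de-duplicated only on read; a comment on the fields such as `// may hold duplicates; getHosts()/getWilds() return a de-duplicated copy` would spare the next reader the question. The class body continues past the end of the hunk.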