475927 - SecureRequestCustomizer fails to match host.

Cosmetic changes during review.
This commit is contained in:
Simone Bordet 2015-08-27 11:14:33 +02:00
parent 8070ce61f3
commit bee5437bad
3 changed files with 25 additions and 32 deletions


@ -19,7 +19,6 @@
package org.eclipse.jetty.server; package org.eclipse.jetty.server;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngine;
@ -114,7 +113,6 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
throw new BadMessageException(400,"Host does not match SNI"); throw new BadMessageException(400,"Host does not match SNI");
} }
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Host {} matched SNI {}",name,x509); LOG.debug("Host {} matched SNI {}",name,x509);
} }


@ -1733,10 +1733,12 @@ public class SslContextFactory extends AbstractLifeCycle
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("SNI matched {}->{}",host,_x509); LOG.debug("SNI matched {}->{}",host,_x509);
} }
else if (LOG.isDebugEnabled()) else
{
if (LOG.isDebugEnabled())
LOG.debug("SNI no match for {}", serverName); LOG.debug("SNI no match for {}", serverName);
}
// Return true and allow the KeyManager to accept or reject when choosing a certificate. // Return true and allow the KeyManager to accept or reject when choosing a certificate.
// If we don't have a SNI host, or didn't see any certificate aliases, // If we don't have a SNI host, or didn't see any certificate aliases,
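Review bot: The new no-match branch logs only `serverName`, while the match branch just above logs `host` and `_x509`; if `host` is the normalised form of `serverName` that was actually compared (it is assigned outside the hunk, so this is inferred), the two messages cannot be correlated when diagnosing a failed SNI match. Logging both values in the no-match message, `LOG.debug("SNI no match for {} (host {})", serverName, host);`, keeps the two branches symmetric and costs nothing behind the existing `isDebugEnabled()` guard. The enclosing method starts and ends outside the hunk.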


@ -32,13 +32,12 @@ import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import org.eclipse.jetty.util.StringUtil; import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.log.Log; import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger; import org.eclipse.jetty.util.log.Logger;
public class X509 public class X509
{ {
static final Logger LOG = Log.getLogger(X509.class); private static final Logger LOG = Log.getLogger(X509.class);
/* /*
* @see {@link X509Certificate#getKeyUsage()} * @see {@link X509Certificate#getKeyUsage()}
@ -51,26 +50,22 @@ public class X509
*/ */
private static final int SUBJECT_ALTERNATIVE_NAMES__DNS_NAME=2; private static final int SUBJECT_ALTERNATIVE_NAMES__DNS_NAME=2;
public static boolean isCertSign(X509Certificate x509) public static boolean isCertSign(X509Certificate x509)
{ {
boolean[] key_usage=x509.getKeyUsage(); boolean[] key_usage=x509.getKeyUsage();
return key_usage!=null && key_usage[KEY_USAGE__KEY_CERT_SIGN]; return key_usage!=null && key_usage[KEY_USAGE__KEY_CERT_SIGN];
} }
private final X509Certificate _x509; private final X509Certificate _x509;
private final String _alias; private final String _alias;
private final List<String> _hosts=new ArrayList<>(); private final List<String> _hosts=new ArrayList<>();
private final List<String> _wilds=new ArrayList<>(); private final List<String> _wilds=new ArrayList<>();
public X509(String alias,X509Certificate x509) throws CertificateParsingException, InvalidNameException public X509(String alias,X509Certificate x509) throws CertificateParsingException, InvalidNameException
{ {
_alias=alias; _alias=alias;
_x509 = x509; _x509 = x509;
// Look for alternative name extensions // Look for alternative name extensions
boolean named=false; boolean named=false;
Collection<List<?>> altNames = x509.getSubjectAlternativeNames(); Collection<List<?>> altNames = x509.getSubjectAlternativeNames();
@ -82,7 +77,7 @@ public class X509
{ {
String cn = list.get(1).toString(); String cn = list.get(1).toString();
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Certificate SAN alias={} cn={} in {}",alias,cn,this); LOG.debug("Certificate SAN alias={} CN={} in {}",alias,cn,this);
if (cn!=null) if (cn!=null)
{ {
named=true; named=true;
@ -92,17 +87,17 @@ public class X509
} }
} }
// If no names found, look up the cn from the subject // If no names found, look up the CN from the subject
if (!named) if (!named)
{ {
LdapName name=new LdapName(x509.getSubjectX500Principal().getName(X500Principal.RFC2253)); LdapName name=new LdapName(x509.getSubjectX500Principal().getName(X500Principal.RFC2253));
for (Rdn rdn : name.getRdns()) for (Rdn rdn : name.getRdns())
{ {
if (rdn.getType().equalsIgnoreCase("cn")) if (rdn.getType().equalsIgnoreCase("CN"))
{ {
String cn = rdn.getValue().toString(); String cn = rdn.getValue().toString();
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Certificate cn alias={} cn={} in {}",alias,cn,this); LOG.debug("Certificate CN alias={} CN={} in {}",alias,cn,this);
if (cn!=null && cn.contains(".") && !cn.contains(" ")) if (cn!=null && cn.contains(".") && !cn.contains(" "))
addName(cn); addName(cn);
} }
@ -113,7 +108,6 @@ public class X509
protected void addName(String cn) protected void addName(String cn)
{ {
cn=StringUtil.asciiToLowerCase(cn); cn=StringUtil.asciiToLowerCase(cn);
cn.toLowerCase();
if (cn.startsWith("*.")) if (cn.startsWith("*."))
_wilds.add(cn.substring(2)); _wilds.add(cn.substring(2));
else else
@ -156,7 +150,6 @@ public class X509
return false; return false;
} }
@Override @Override
public String toString() public String toString()
{ {
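Review bot: `addName` in the `@ -113,7 +108,6` hunk is a `protected` extension point but carries no Javadoc, and its contract is not obvious from the body: the name is lower-cased with `StringUtil.asciiToLowerCase` (ASCII only, so non-ASCII names are left as-is), and only a leading `*.` is treated as a wildcard, with the remainder stored in `_wilds`; any other form, including a partial-label pattern such as `f*.example.com`, falls into the `else` branch, which is cut off at the hunk end and presumably records it as an exact host. A Javadoc stating exactly that, plus `@param cn the DNS name taken from a SAN dNSName or the subject CN; must be non-null, since a null value fails at cn.startsWith`, would let subclasses and the two callers visible in the constructor hunks (which do null-check before calling) rely on the same rules. Stating the wildcard rule in the doc also makes it clear to reviewers of the matching code (outside this hunk) that wildcards are single-label prefixes only.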