/* * Copyright (C) 2010 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.internal.net; import com.android.internal.net.DomainNameValidator; import com.android.frameworks.coretests.R; import com.android.frameworks.coretests.R.raw; import android.test.AndroidTestCase; import java.io.InputStream; import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Principal; import java.security.PublicKey; import java.security.SignatureException; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateFactory; import java.security.cert.CertificateNotYetValidException; import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Date; import java.util.LinkedList; import java.util.List; import java.util.Set; import javax.security.auth.x500.X500Principal; public class DomainNameValidatorTest extends AndroidTestCase { private static final int ALT_UNKNOWN = 0; private static final int ALT_DNS_NAME = 2; private static final int ALT_IPA_NAME = 7; /** * Tests {@link DomainNameValidator#match}, using a simple {@link X509Certificate} * implementation. */ public void testMatch() { checkMatch("11", new StubX509Certificate("cn=imap.g.com"), "imap.g.com", true); checkMatch("12", new StubX509Certificate("cn=imap2.g.com"), "imap.g.com", false); checkMatch("13", new StubX509Certificate("cn=sub.imap.g.com"), "imap.g.com", false); // If a subjectAltName extension of type dNSName is present, that MUST // be used as the identity checkMatch("21", new StubX509Certificate("") .addSubjectAlternativeName(ALT_DNS_NAME, "a.y.com") , "imap.g.com", false); checkMatch("22", new StubX509Certificate("cn=imap.g.com") // This cn should be ignored .addSubjectAlternativeName(ALT_DNS_NAME, "a.y.com") , "imap.g.com", false); checkMatch("23", new StubX509Certificate("") .addSubjectAlternativeName(ALT_DNS_NAME, "imap.g.com") , "imap.g.com", true); // With wildcards checkMatch("24", new StubX509Certificate("") .addSubjectAlternativeName(ALT_DNS_NAME, "*.g.com") , "imap.g.com", true); // host name is ip address checkMatch("31", new StubX509Certificate("") .addSubjectAlternativeName(ALT_IPA_NAME, "1.2.3.4") , "1.2.3.4", true); checkMatch("32", new StubX509Certificate("") .addSubjectAlternativeName(ALT_IPA_NAME, "1.2.3.4") , "1.2.3.5", false); checkMatch("32", new StubX509Certificate("") .addSubjectAlternativeName(ALT_IPA_NAME, "1.2.3.4") .addSubjectAlternativeName(ALT_IPA_NAME, "192.168.100.1") , "192.168.100.1", true); // Has unknown subject alternative names checkMatch("41", new StubX509Certificate("") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 1") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 2") .addSubjectAlternativeName(ALT_DNS_NAME, "a.b.c.d") .addSubjectAlternativeName(ALT_DNS_NAME, "*.google.com") .addSubjectAlternativeName(ALT_DNS_NAME, "imap.g.com") .addSubjectAlternativeName(ALT_IPA_NAME, "2.33.44.55") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 3") , "imap.g.com", true); checkMatch("42", new StubX509Certificate("") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 1") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 2") .addSubjectAlternativeName(ALT_DNS_NAME, "a.b.c.d") .addSubjectAlternativeName(ALT_DNS_NAME, "*.google.com") .addSubjectAlternativeName(ALT_DNS_NAME, "imap.g.com") .addSubjectAlternativeName(ALT_IPA_NAME, "2.33.44.55") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 3") , "2.33.44.55", true); checkMatch("43", new StubX509Certificate("") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 1") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 2") .addSubjectAlternativeName(ALT_DNS_NAME, "a.b.c.d") .addSubjectAlternativeName(ALT_DNS_NAME, "*.google.com") .addSubjectAlternativeName(ALT_DNS_NAME, "imap.g.com") .addSubjectAlternativeName(ALT_IPA_NAME, "2.33.44.55") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 3") , "g.com", false); checkMatch("44", new StubX509Certificate("") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 1") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 2") .addSubjectAlternativeName(ALT_DNS_NAME, "a.b.c.d") .addSubjectAlternativeName(ALT_DNS_NAME, "*.google.com") .addSubjectAlternativeName(ALT_DNS_NAME, "imap.g.com") .addSubjectAlternativeName(ALT_IPA_NAME, "2.33.44.55") .addSubjectAlternativeName(ALT_UNKNOWN, "random string 3") , "2.33.44.1", false); } private void checkMatch(String message, X509Certificate certificate, String thisDomain, boolean expected) { Boolean actual = DomainNameValidator.match(certificate, thisDomain); assertEquals(message, (Object) expected, (Object) actual); } /** * Tests {@link DomainNameValidator#matchDns} */ public void testMatchDns() { checkMatchDns("11", "a.b.c.d", "a.b.c.d", true); checkMatchDns("12", "a.b.c.d", "*.b.c.d", true); checkMatchDns("13", "b.c.d", "*.b.c.d", true); checkMatchDns("14", "b.c.d", "b*.c.d", true); checkMatchDns("15", "a.b.c.d", "*.*.c.d", false); checkMatchDns("16", "a.b.c.d", "*.c.d", false); checkMatchDns("21", "imap.google.com", "imap.google.com", true); checkMatchDns("22", "imap2.google.com", "imap.google.com", false); checkMatchDns("23", "imap.google.com", "*.google.com", true); checkMatchDns("24", "imap2.google.com", "*.google.com", true); checkMatchDns("25", "imap.google.com", "*.googl.com", false); checkMatchDns("26", "imap2.google2.com", "*.google3.com", false); checkMatchDns("27", "imap.google.com", "ima*.google.com", true); checkMatchDns("28", "imap.google.com", "imap*.google.com", true); checkMatchDns("29", "imap.google.com", "*.imap.google.com", true); checkMatchDns("41", "imap.google.com", "a*.google.com", false); checkMatchDns("42", "imap.google.com", "ix*.google.com", false); checkMatchDns("51", "imap.google.com", "iMap.Google.Com", true); } private void checkMatchDns(String message, String thisDomain, String thatDomain, boolean expected) { boolean actual = DomainNameValidator.matchDns(thisDomain, thatDomain); assertEquals(message, expected, actual); } /** * Test {@link DomainNameValidator#match} with actual certificates. */ public void testWithActualCert() throws Exception { // subject_only // // subject: C=JP, CN=www.example.com // subject alt names: n/a checkWithActualCert("11", R.raw.subject_only, "www.example.com", true); checkWithActualCert("12", R.raw.subject_only, "www2.example.com", false); // subject_alt_only // // subject: C=JP (no CN) // subject alt names: DNS:www.example.com checkWithActualCert("21", R.raw.subject_alt_only, "www.example.com", true); checkWithActualCert("22", R.raw.subject_alt_only, "www2.example.com", false); // subject_with_alt_names // // subject: C=JP, CN=www.example.com // subject alt names: DNS:www2.example.com, DNS:www3.example.com // * Subject should be ignored, because it has subject alt names. checkWithActualCert("31", R.raw.subject_with_alt_names, "www.example.com", false); checkWithActualCert("32", R.raw.subject_with_alt_names, "www2.example.com", true); checkWithActualCert("33", R.raw.subject_with_alt_names, "www3.example.com", true); checkWithActualCert("34", R.raw.subject_with_alt_names, "www4.example.com", false); // subject_with_wild_alt_name // // subject: C=JP, CN=www.example.com // subject alt names: DNS:*.example2.com // * Subject should be ignored, because it has subject alt names. checkWithActualCert("41", R.raw.subject_with_wild_alt_name, "www.example.com", false); checkWithActualCert("42", R.raw.subject_with_wild_alt_name, "www2.example.com", false); checkWithActualCert("43", R.raw.subject_with_wild_alt_name, "www.example2.com", true); checkWithActualCert("44", R.raw.subject_with_wild_alt_name, "abc.example2.com", true); checkWithActualCert("45", R.raw.subject_with_wild_alt_name, "www.example3.com", false); // wild_alt_name_only // // subject: C=JP // subject alt names: DNS:*.example.com checkWithActualCert("51", R.raw.wild_alt_name_only, "www.example.com", true); checkWithActualCert("52", R.raw.wild_alt_name_only, "www2.example.com", true); checkWithActualCert("53", R.raw.wild_alt_name_only, "www.example2.com", false); // wild_alt_name_only // // subject: C=JP // subject alt names: IP Address:192.168.10.1 checkWithActualCert("61", R.raw.alt_ip_only, "192.168.10.1", true); checkWithActualCert("61", R.raw.alt_ip_only, "192.168.10.2", false); } private void checkWithActualCert(String message, int resId, String domain, boolean expected) throws Exception { CertificateFactory factory = CertificateFactory.getInstance("X509"); InputStream certStream = getContext().getResources().openRawResource(resId); X509Certificate certificate = (X509Certificate) factory.generateCertificate(certStream); checkMatch(message, certificate, domain, expected); } /** * Minimal {@link X509Certificate} implementation for {@link DomainNameValidator}. */ private static class StubX509Certificate extends X509Certificate { private final X500Principal subjectX500Principal; private Collection> subjectAlternativeNames; public StubX509Certificate(String subjectDn) { subjectX500Principal = new X500Principal(subjectDn); subjectAlternativeNames = null; } public StubX509Certificate addSubjectAlternativeName(int type, String name) { if (subjectAlternativeNames == null) { subjectAlternativeNames = new ArrayList>(); } LinkedList entry = new LinkedList(); entry.add(type); entry.add(name); subjectAlternativeNames.add(entry); return this; } @Override public Collection> getSubjectAlternativeNames() throws CertificateParsingException { return subjectAlternativeNames; } @Override public X500Principal getSubjectX500Principal() { return subjectX500Principal; } @Override public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException { throw new RuntimeException("Method not implemented"); } @Override public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException { throw new RuntimeException("Method not implemented"); } @Override public int getBasicConstraints() { throw new RuntimeException("Method not implemented"); } @Override public Principal getIssuerDN() { throw new RuntimeException("Method not implemented"); } @Override public boolean[] getIssuerUniqueID() { throw new RuntimeException("Method not implemented"); } @Override public boolean[] getKeyUsage() { throw new RuntimeException("Method not implemented"); } @Override public Date getNotAfter() { throw new RuntimeException("Method not implemented"); } @Override public Date getNotBefore() { throw new RuntimeException("Method not implemented"); } @Override public BigInteger getSerialNumber() { throw new RuntimeException("Method not implemented"); } @Override public String getSigAlgName() { throw new RuntimeException("Method not implemented"); } @Override public String getSigAlgOID() { throw new RuntimeException("Method not implemented"); } @Override public byte[] getSigAlgParams() { throw new RuntimeException("Method not implemented"); } @Override public byte[] getSignature() { throw new RuntimeException("Method not implemented"); } @Override public Principal getSubjectDN() { throw new RuntimeException("Method not implemented"); } @Override public boolean[] getSubjectUniqueID() { throw new RuntimeException("Method not implemented"); } @Override public byte[] getTBSCertificate() throws CertificateEncodingException { throw new RuntimeException("Method not implemented"); } @Override public int getVersion() { throw new RuntimeException("Method not implemented"); } @Override public byte[] getEncoded() throws CertificateEncodingException { throw new RuntimeException("Method not implemented"); } @Override public PublicKey getPublicKey() { throw new RuntimeException("Method not implemented"); } @Override public String toString() { throw new RuntimeException("Method not implemented"); } @Override public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { throw new RuntimeException("Method not implemented"); } @Override public void verify(PublicKey key, String sigProvider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { throw new RuntimeException("Method not implemented"); } public Set getCriticalExtensionOIDs() { throw new RuntimeException("Method not implemented"); } public byte[] getExtensionValue(String oid) { throw new RuntimeException("Method not implemented"); } public Set getNonCriticalExtensionOIDs() { throw new RuntimeException("Method not implemented"); } public boolean hasUnsupportedCriticalExtension() { throw new RuntimeException("Method not implemented"); } } }