/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package javax.net.ssl; import java.net.InetAddress; import java.security.cert.Certificate; import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.List; import java.util.Locale; /** * A HostnameVerifier that works the same way as Curl and Firefox. * *

The hostname must match either the first CN, or any of the subject-alts. * A wildcard can occur in the CN, and in any of the subject-alts. * * @author Julius Davies */ class DefaultHostnameVerifier implements HostnameVerifier { /** * This contains a list of 2nd-level domains that aren't allowed to * have wildcards when combined with country-codes. * For example: [*.co.uk]. * *

The [*.co.uk] problem is an interesting one. Should we just hope * that CA's would never foolishly allow such a certificate to happen? * Looks like we're the only implementation guarding against this. * Firefox, Curl, Sun Java 1.4, 5, 6 don't bother with this check. */ private static final String[] BAD_COUNTRY_2LDS = { "ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info", "lg", "ne", "net", "or", "org" }; static { // Just in case developer forgot to manually sort the array. :-) Arrays.sort(BAD_COUNTRY_2LDS); } public final boolean verify(String host, SSLSession session) { Certificate[] certs; try { certs = session.getPeerCertificates(); } catch (SSLException e) { return false; } X509Certificate x509 = (X509Certificate) certs[0]; // We can be case-insensitive when comparing the host we used to // establish the socket to the hostname in the certificate. String hostName = host.trim().toLowerCase(Locale.ENGLISH); // Verify the first CN provided. Other CNs are ignored. Firefox, wget, // curl, and Sun Java work this way. String firstCn = getFirstCn(x509); if (matches(hostName, firstCn)) { return true; } for (String cn : getDNSSubjectAlts(x509)) { if (matches(hostName, cn)) { return true; } } return false; } /** * Returns true if {@code hostname} matches {@code cn}. * * @param hostName a trimmed, lowercase hostname to verify * @param cn a certificate CN or DNS subject alt. Either a literal name or * a wildcard of the form "*.google.com". */ private boolean matches(String hostName, String cn) { if (cn == null) { return false; } // Don't trim the CN, though! cn = cn.toLowerCase(Locale.ENGLISH); if (cn.startsWith("*.")) { // When a wildcard matches, also check that the wildcard is legit // - Wildcards must contain at least two dots: "*.google.com" // - Wildcards must be for private domains. No "*.co.uk" etc. // - Wildcards must not match IP addresses: "*.8.8" int matchLength = cn.length() - 1; return hostName.regionMatches(hostName.length() - matchLength, cn, 1, matchLength) && cn.indexOf('.', 2) != -1 && acceptableCountryWildcard(cn) && !InetAddress.isNumeric(hostName); } else { return hostName.equals(cn); } } private boolean acceptableCountryWildcard(String cn) { int cnLen = cn.length(); if (cnLen >= 7 && cnLen <= 9) { // Look for the '.' in the 3rd-last position: if (cn.charAt(cnLen - 3) == '.') { // Trim off the [*.] and the [.XX]. String s = cn.substring(2, cnLen - 3); // And test against the sorted array of bad 2lds: int x = Arrays.binarySearch(BAD_COUNTRY_2LDS, s); return x < 0; } } return true; } private String getFirstCn(X509Certificate cert) { /* * Sebastian Hauer's original StrictSSLProtocolSocketFactory used * getName() and had the following comment: * * Parses a X.500 distinguished name for the value of the * "Common Name" field. This is done a bit sloppy right * now and should probably be done a bit more according to * RFC 2253. * * I've noticed that toString() seems to do a better job than * getName() on these X500Principal objects, so I'm hoping that * addresses Sebastian's concern. * * For example, getName() gives me this: * 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d * * whereas toString() gives me this: * EMAILADDRESS=juliusdavies@cucbc.com * * Looks like toString() even works with non-ascii domain names! * I tested it with "花子.co.jp" and it worked fine. */ String subjectPrincipal = cert.getSubjectX500Principal().toString(); for (String token : subjectPrincipal.split(",")) { int x = token.indexOf("CN="); if (x >= 0) { return token.substring(x + 3); } } return null; } /** * Returns all SubjectAlt DNS names from an X509Certificate. * *

Note: Java doesn't appear able to extract international characters * from the SubjectAlts. It can only extract international characters * from the CN field. * *

(Or maybe the version of OpenSSL I'm using to test isn't storing the * international characters correctly in the SubjectAlts?). */ private List getDNSSubjectAlts(X509Certificate cert) { Collection> subjectAlternativeNames; try { subjectAlternativeNames = cert.getSubjectAlternativeNames(); } catch (CertificateParsingException cpe) { System.logI("Error parsing certificate", cpe); return Collections.emptyList(); } if (subjectAlternativeNames == null) { return Collections.emptyList(); } List subjectAltList = new ArrayList(); for (List pair : subjectAlternativeNames) { int type = (Integer) pair.get(0); // If type is 2, then we've got a dNSName if (type == 2) { subjectAltList.add((String) pair.get(1)); } } return subjectAltList; } }