hc-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From s...@apache.org
Subject svn commit: r1130531 - in /httpcomponents/httpclient/trunk: RELEASE_NOTES.txt httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
Date Thu, 02 Jun 2011 13:08:16 GMT
Author: sebb
Date: Thu Jun  2 13:08:15 2011
New Revision: 1130531

URL: http://svn.apache.org/viewvc?rev=1130531&view=rev
Log:
HTTPCLIENT-1097 BrowserCompatHostnameVerifier and StrictHostnameVerifier should handle wildcards
in SSL certificates better.

Modified:
    httpcomponents/httpclient/trunk/RELEASE_NOTES.txt
    httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
    httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java

Modified: httpcomponents/httpclient/trunk/RELEASE_NOTES.txt
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/RELEASE_NOTES.txt?rev=1130531&r1=1130530&r2=1130531&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/RELEASE_NOTES.txt (original)
+++ httpcomponents/httpclient/trunk/RELEASE_NOTES.txt Thu Jun  2 13:08:15 2011
@@ -1,5 +1,8 @@
 Changes since 4.1.1
 
+* [HTTPCLIENT-1097] BrowserCompatHostnameVerifier and StrictHostnameVerifier should handle
wildcards in SSL certificates better.
+  Contributed by Sebastian Bazley <sebb at apache.org>
+
 * [HTTPCLIENT-1092] If ClientPNames.VIRTUAL_HOST does not provide the port, derive it from
the current request.
   Contributed by Sebastian Bazley <sebb at apache.org>
 

Modified: httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java?rev=1130531&r1=1130530&r2=1130531&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
(original)
+++ httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
Thu Jun  2 13:08:15 2011
@@ -197,13 +197,21 @@ public abstract class AbstractVerifier i
             // The CN better have at least two dots if it wants wildcard
             // action.  It also can't be [*.co.uk] or [*.co.jp] or
             // [*.org.uk], etc...
-            boolean doWildcard = cn.startsWith("*.") &&
-                                 cn.lastIndexOf('.') >= 0 &&
+            String parts[] = cn.split("\\.");
+            boolean doWildcard = parts.length >= 3 &&
+                                 parts[0].endsWith("*") &&
                                  acceptableCountryWildcard(cn) &&
                                  !isIPAddress(host);
 
             if(doWildcard) {
-                match = hostName.endsWith(cn.substring(1));
+                if (parts[0].length() > 1) { // e.g. server*
+                    String prefix = parts[0].substring(0, parts.length-2); // e.g. server
+                    String suffix = cn.substring(parts[0].length()); // skip wildcard part
from cn
+                    String hostSuffix = hostName.substring(prefix.length()); // skip wildcard
part from host
+                    match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
+                } else {
+                    match = hostName.endsWith(cn.substring(1));                    
+                }
                 if(match && strictWithSubDomains) {
                     // If we're in strict mode, then [*.foo.com] is not
                     // allowed to match [a.b.foo.com]
@@ -222,18 +230,11 @@ public abstract class AbstractVerifier i
     }
 
     public static boolean acceptableCountryWildcard(String cn) {
-        int cnLen = cn.length();
-        if(cnLen >= 7 && cnLen <= 9) {
-            // Look for the '.' in the 3rd-last position:
-            if(cn.charAt(cnLen - 3) == '.') {
-                // Trim off the [*.] and the [.XX].
-                String s = cn.substring(2, cnLen - 3);
-                // And test against the sorted array of bad 2lds:
-                int x = Arrays.binarySearch(BAD_COUNTRY_2LDS, s);
-                return x < 0;
-            }
+        String parts[] = cn.split("\\.");
+        if (parts.length != 3 || parts[2].length() != 2) {
+            return true; // it's not an attempt to wildcard a 2TLD within a country code
         }
-        return true;
+        return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
     }
 
     public static String[] getCNs(X509Certificate cert) {

Modified: httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
URL: http://svn.apache.org/viewvc/httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java?rev=1130531&r1=1130530&r2=1130531&view=diff
==============================================================================
--- httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
(original)
+++ httpcomponents/httpclient/trunk/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
Thu Jun  2 13:08:15 2011
@@ -36,7 +36,6 @@ import java.util.Arrays;
 import javax.net.ssl.SSLException;
 
 import org.junit.Assert;
-import org.junit.Ignore;
 import org.junit.Test;
 
 /**
@@ -301,7 +300,6 @@ public class TestHostnameVerifier {
     }
 
     @Test
-    @Ignore("not yet implemented")
     public void HTTPCLIENT_1097() {
         String cns[];
         String alt[] = {};
@@ -312,8 +310,8 @@ public class TestHostnameVerifier {
         checkMatching(bhv, "a.b.c", cns, alt, false); // OK
         checkMatching(shv, "a.b.c", cns, alt, false); // OK
 
-        checkMatching(bhv, "s.a.b.c", cns, alt, false); // OK
-        checkMatching(shv, "s.a.b.c", cns, alt, true); // subdomain not OK
+        checkMatching(bhv, "a.a.b.c", cns, alt, false); // OK
+        checkMatching(shv, "a.a.b.c", cns, alt, true); // subdomain not OK
 
         checkWildcard("s*.co.uk", false); // 2 character TLD, invalid 2TLD
         checkWildcard("s*.gov.uk", false); // 2 character TLD, invalid 2TLD



Mime
View raw message