authorAlex Klyubin <klyubin@google.com>2014-07-24 13:18:22 -0700
committerPaul Kocialkowski <contact@paulk.fr>2014-11-16 11:16:54 +0100
commite592820e13c096701c16834a28109928c39f792d (patch)
tree9e1dcd772c1dc5b657795b294d78188121670a70
parent3be157fc74e12c82abfa92ee804a35dfb68f4410 (diff)
Stricter subject DN parsing for HTTPS hostname verification.HEADreplicant-4.2-0004replicant-4.2-0003replicant-4.2
This switches AbstractVerifier to the DN parser used by the platform default HostnameVerifier.

Bug: 16510257
(cherry picked from commit ec8c48dd748c81ba2cce518bf83cb9f236c30bae)
Change-Id: I8124b54801481065df5230c1277e59c5e602b2b9
-rw-r--r--src/org/apache/http/conn/ssl/AbstractVerifier.java36
1 files changed, 4 insertions, 32 deletions
diff --git a/src/org/apache/http/conn/ssl/AbstractVerifier.java b/src/org/apache/http/conn/ssl/AbstractVerifier.java
index 723d806..deda1d0 100644
--- a/src/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/src/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -44,10 +44,10 @@ import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
-import java.util.StringTokenizer;
import java.util.logging.Logger;
import java.util.logging.Level;
+import javax.net.ssl.DistinguishedNameParser;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
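Review bot: The added `import javax.net.ssl.DistinguishedNameParser;` pulls in a class that is not part of the public JSSE API; it appears to be the platform's own libcore parser (the commit message describes it as the one used by the default HostnameVerifier), so this file no longer compiles against a standard JDK or the public SDK, and nothing in the hunk says so. A one-line comment on the import would save the next maintainer a build failure, e.g. `// Android libcore-internal; not part of the public JSSE API — keeps CN extraction in sync with the platform HostnameVerifier`. It is also worth recording in the class Javadoc why the switch matters: the removed code in the second hunk split the subject DN with a StringTokenizer on every comma, including commas inside quoted or escaped attribute values, and accepted any token containing `CN=` as a substring, whereas the new parser handles the DN as an RFC 2253 structure; a sentence such as `Common names are taken from the subject DN via DistinguishedNameParser (RFC 2253 parsing), not by splitting the toString() form on commas.` captures that. Note that getCNs continues past the end of the second hunk (the return after toArray is not visible here).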
@@ -202,38 +202,10 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
}
public static String[] getCNs(X509Certificate cert) {
- LinkedList<String> cnList = new LinkedList<String>();
- /*
- Sebastian Hauer's original StrictSSLProtocolSocketFactory used
- getName() and had the following comment:
+ DistinguishedNameParser dnParser =
+ new DistinguishedNameParser(cert.getSubjectX500Principal());
+ List<String> cnList = dnParser.getAllMostSpecificFirst("cn");
- Parses a X.500 distinguished name for the value of the
- "Common Name" field. This is done a bit sloppy right
- now and should probably be done a bit more according to
- <code>RFC 2253</code>.
-
- I've noticed that toString() seems to do a better job than
- getName() on these X500Principal objects, so I'm hoping that
- addresses Sebastian's concern.
-
- For example, getName() gives me this:
- 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
- whereas toString() gives me this:
- EMAILADDRESS=juliusdavies@cucbc.com
-
- Looks like toString() even works with non-ascii domain names!
- I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
- */
- String subjectPrincipal = cert.getSubjectX500Principal().toString();
- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
- while(st.hasMoreTokens()) {
- String tok = st.nextToken();
- int x = tok.indexOf("CN=");
- if(x >= 0) {
- cnList.add(tok.substring(x + 3));
- }
- }
if(!cnList.isEmpty()) {
String[] cns = new String[cnList.size()];
cnList.toArray(cns);