author | Alex Klyubin <klyubin@google.com> | 2014-07-24 13:18:22 -0700 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2014-11-16 11:16:54 +0100 |
commit | e592820e13c096701c16834a28109928c39f792d (patch) | |
tree | 9e1dcd772c1dc5b657795b294d78188121670a70 | |
parent | 3be157fc74e12c82abfa92ee804a35dfb68f4410 (diff) | |
Stricter subject DN parsing for HTTPS hostname verification. (refs: HEAD, replicant-4.2-0004, replicant-4.2-0003, replicant-4.2)
This switches AbstractVerifier to the DN parser used by the platform
default HostnameVerifier.
Bug: 16510257
(cherry picked from commit ec8c48dd748c81ba2cce518bf83cb9f236c30bae)
Change-Id: I8124b54801481065df5230c1277e59c5e602b2b9
-rw-r--r-- | src/org/apache/http/conn/ssl/AbstractVerifier.java | 36 |
1 files changed, 4 insertions, 32 deletions
diff --git a/src/org/apache/http/conn/ssl/AbstractVerifier.java b/src/org/apache/http/conn/ssl/AbstractVerifier.java
index 723d806..deda1d0 100644
--- a/src/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/src/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -44,10 +44,10 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
-import java.util.StringTokenizer;
 import java.util.logging.Logger;
 import java.util.logging.Level;
 
+import javax.net.ssl.DistinguishedNameParser;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -202,38 +202,10 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
 }
 
 public static String[] getCNs(X509Certificate cert) {
- LinkedList<String> cnList = new LinkedList<String>();
- /*
- Sebastian Hauer's original StrictSSLProtocolSocketFactory used
- getName() and had the following comment:
+ DistinguishedNameParser dnParser =
+ new DistinguishedNameParser(cert.getSubjectX500Principal());
+ List<String> cnList = dnParser.getAllMostSpecificFirst("cn");
 
- Parses a X.500 distinguished name for the value of the
- "Common Name" field. This is done a bit sloppy right
- now and should probably be done a bit more according to
- <code>RFC 2253</code>.
-
- I've noticed that toString() seems to do a better job than
- getName() on these X500Principal objects, so I'm hoping that
- addresses Sebastian's concern.
-
- For example, getName() gives me this:
- 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
- whereas toString() gives me this:
- EMAILADDRESS=juliusdavies@cucbc.com
-
- Looks like toString() even works with non-ascii domain names!
- I tested it with "花子.co.jp" and it worked fine.
- */
- String subjectPrincipal = cert.getSubjectX500Principal().toString();
- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
- while(st.hasMoreTokens()) {
- String tok = st.nextToken();
- int x = tok.indexOf("CN=");
- if(x >= 0) {
- cnList.add(tok.substring(x + 3));
- }
- }
 if(!cnList.isEmpty()) {
 String[] cns = new String[cnList.size()];
 cnList.toArray(cns);
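Review bot: The rewritten getCNs has no Javadoc, so the contract callers of this public static method now depend on — every CN value of the subject DN, most-specific RDN first, obtained from the platform DN parser rather than by splitting X500Principal.toString() on commas — exists only in the comment block this hunk deletes. I would add above the signature: `/** Returns the subject CN values, most-specific RDN first, via DistinguishedNameParser; the former comma-split of toString() could be fooled by a comma or a "CN=" substring inside another attribute's value. */`. Two points are worth pinning with a test rather than assuming: that `getAllMostSpecificFirst("cn")` also matches a CN attribute the certificate encodes in upper case or in OID form (`2.5.4.3`), since the removed code only searched for the literal `CN=`, and that an empty result still takes the existing `if(!cnList.isEmpty())` branch, whose else-side and the method's closing brace lie beyond the end of this hunk. `javax.net.ssl.DistinguishedNameParser` is not part of the public `javax.net.ssl` API, so this appears to bind the library to a platform-internal class that will not resolve against a stock JDK; a one-line comment stating that dependency would spare the next porter a surprise.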