From e592820e13c096701c16834a28109928c39f792d Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Thu, 24 Jul 2014 13:18:22 -0700
Subject: Stricter subject DN parsing for HTTPS hostname verification.

This switches AbstractVerifier to the DN parser used by the platform default HostnameVerifier.

Bug: 16510257
(cherry picked from commit ec8c48dd748c81ba2cce518bf83cb9f236c30bae)
Change-Id: I8124b54801481065df5230c1277e59c5e602b2b9
---
 src/org/apache/http/conn/ssl/AbstractVerifier.java | 36 +++-------------------
 1 file changed, 4 insertions(+), 32 deletions(-)

diff --git a/src/org/apache/http/conn/ssl/AbstractVerifier.java b/src/org/apache/http/conn/ssl/AbstractVerifier.java
index 723d806..deda1d0 100644
--- a/src/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/src/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -44,10 +44,10 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
-import java.util.StringTokenizer;
 import java.util.logging.Logger;
 import java.util.logging.Level;
 
+import javax.net.ssl.DistinguishedNameParser;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -202,38 +202,10 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
     }
 
     public static String[] getCNs(X509Certificate cert) {
-        LinkedList cnList = new LinkedList();
-        /*
-          Sebastian Hauer's original StrictSSLProtocolSocketFactory used
-          getName() and had the following comment:
+        DistinguishedNameParser dnParser =
+                new DistinguishedNameParser(cert.getSubjectX500Principal());
+        List cnList = dnParser.getAllMostSpecificFirst("cn");
 
-          Parses a X.500 distinguished name for the value of the
-          "Common Name" field. This is done a bit sloppy right
-          now and should probably be done a bit more according to
-          RFC 2253.
-
-          I've noticed that toString() seems to do a better job than
-          getName() on these X500Principal objects, so I'm hoping that
-          addresses Sebastian's concern.
-
-          For example, getName() gives me this:
-          1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
-          whereas toString() gives me this:
-          EMAILADDRESS=juliusdavies@cucbc.com
-
-          Looks like toString() even works with non-ascii domain names!
-          I tested it with "花子.co.jp" and it worked fine.
-        */
-        String subjectPrincipal = cert.getSubjectX500Principal().toString();
-        StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
-        while(st.hasMoreTokens()) {
-            String tok = st.nextToken();
-            int x = tok.indexOf("CN=");
-            if(x >= 0) {
-                cnList.add(tok.substring(x + 3));
-            }
-        }
         if(!cnList.isEmpty()) {
             String[] cns = new String[cnList.size()];
             cnList.toArray(cns);
-- 
cgit v1.1
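Review bot: The three new lines in getCNs carry no comment saying why the tokenizer was replaced, so a reader no longer learns that splitting `toString()` output on every comma and accepting `indexOf("CN=") >= 0` anywhere in a token was the defect (a comma inside an attribute value, or any attribute whose text contains `CN=`, was mis-parsed). Suggest a one-line comment above the `dnParser` assignment: `// Parse the subject DN per RFC 2253 (quoted/escaped commas, exact attribute match) with the parser the platform default HostnameVerifier uses; per the method name, values come back most-specific first.` `cnList` is a raw `List`, matching the file's raw `LinkedList` style, but `List<String> cnList = ...` would type the later `toArray(cns)` if the file otherwise uses generics. `java.util.LinkedList` stays imported in the first hunk although this method no longer uses it; if getCNs was its only user the import is now dead, which I cannot confirm from here. getCNs continues past the end of the hunk.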