src/java.base/share/classes/sun/security/util/HostnameChecker.java
branchJDK-8145252-TLS13-branch
changeset 56542 56aaa6cb3693
parent 47216 71c04702a3d5
child 56692 7b0bde908f58
equal deleted inserted replaced
56541:92cbbfc996f3 56542:56aaa6cb3693
    33 import java.util.*;
    33 import java.util.*;
    34 import javax.security.auth.x500.X500Principal;
    34 import javax.security.auth.x500.X500Principal;
    35 import javax.net.ssl.SNIHostName;
    35 import javax.net.ssl.SNIHostName;
    36 
    36 
    37 import sun.net.util.IPAddressUtil;
    37 import sun.net.util.IPAddressUtil;
    38 import sun.security.ssl.ClientKeyExchangeService;
       
    39 import sun.security.ssl.Debug;
       
    40 import sun.security.x509.X500Name;
    38 import sun.security.x509.X500Name;
       
    39 import sun.security.ssl.SSLLogger;
    41 
    40 
    42 /**
    41 /**
    43  * Class to check hostnames against the names specified in a certificate as
    42  * Class to check hostnames against the names specified in a certificate as
    44  * required for TLS and LDAP.
    43  * required for TLS and LDAP.
    45  *
    44  *
    58 
    57 
    59     // constants for subject alt names of type DNS and IP
    58     // constants for subject alt names of type DNS and IP
    60     private static final int ALTNAME_DNS = 2;
    59     private static final int ALTNAME_DNS = 2;
    61     private static final int ALTNAME_IP  = 7;
    60     private static final int ALTNAME_IP  = 7;
    62 
    61 
    63     private static final Debug debug = Debug.getInstance("ssl");
       
    64 
       
    65     // the algorithm to follow to perform the check. Currently unused.
    62     // the algorithm to follow to perform the check. Currently unused.
    66     private final byte checkType;
    63     private final byte checkType;
    67 
    64 
    68     private HostnameChecker(byte checkType) {
    65     private HostnameChecker(byte checkType) {
    69         this.checkType = checkType;
    66         this.checkType = checkType;
   116 
   113 
   117     /**
   114     /**
   118      * Return the Server name from Kerberos principal.
   115      * Return the Server name from Kerberos principal.
   119      */
   116      */
   120     public static String getServerName(Principal principal) {
   117     public static String getServerName(Principal principal) {
       
   118 /*
   121         ClientKeyExchangeService p =
   119         ClientKeyExchangeService p =
   122                 ClientKeyExchangeService.find("KRB5");
   120                 ClientKeyExchangeService.find("KRB5");
   123         if (p == null) {
   121         if (p == null) {
   124             throw new AssertionError("Kerberos should have been available");
   122             throw new AssertionError("Kerberos should have been available");
   125         }
   123         }
   126         return p.getServiceHostName(principal);
   124         return p.getServiceHostName(principal);
       
   125 */
       
   126         return null;
   127     }
   127     }
   128 
   128 
   129     /**
   129     /**
   130      * Test whether the given hostname looks like a literal IPv4 or IPv6
   130      * Test whether the given hostname looks like a literal IPv4 or IPv6
   131      * address. The hostname does not need to be a fully qualified name.
   131      * address. The hostname does not need to be a fully qualified name.
   314      */
   314      */
   315     private static boolean hasIllegalWildcard(String domain, String template,
   315     private static boolean hasIllegalWildcard(String domain, String template,
   316                                               boolean chainsToPublicCA) {
   316                                               boolean chainsToPublicCA) {
   317         // not ok if it is a single wildcard character or "*."
   317         // not ok if it is a single wildcard character or "*."
   318         if (template.equals("*") || template.equals("*.")) {
   318         if (template.equals("*") || template.equals("*.")) {
   319             if (debug != null) {
   319             if (SSLLogger.isOn) {
   320                 debug.println("Certificate domain name has illegal single " +
   320                 SSLLogger.fine(
   321                               "wildcard character: " + template);
   321                     "Certificate domain name has illegal single " +
       
   322                       "wildcard character: " + template);
   322             }
   323             }
   323             return true;
   324             return true;
   324         }
   325         }
   325 
   326 
   326         int lastWildcardIndex = template.lastIndexOf("*");
   327         int lastWildcardIndex = template.lastIndexOf("*");
   333         String afterWildcard = template.substring(lastWildcardIndex);
   334         String afterWildcard = template.substring(lastWildcardIndex);
   334         int firstDotIndex = afterWildcard.indexOf(".");
   335         int firstDotIndex = afterWildcard.indexOf(".");
   335 
   336 
   336         // not ok if there is no dot after wildcard (ex: "*com")
   337         // not ok if there is no dot after wildcard (ex: "*com")
   337         if (firstDotIndex == -1) {
   338         if (firstDotIndex == -1) {
   338             if (debug != null) {
   339             if (SSLLogger.isOn) {
   339                 debug.println("Certificate domain name has illegal wildcard, " +
   340                 SSLLogger.fine(
   340                               "no dot after wildcard character: " + template);
   341                     "Certificate domain name has illegal wildcard, " +
       
   342                     "no dot after wildcard character: " + template);
   341             }
   343             }
   342             return true;
   344             return true;
   343         }
   345         }
   344 
   346 
   345         // If the wildcarded domain is a top-level domain under which names
   347         // If the wildcarded domain is a top-level domain under which names
   352                 .filter(d -> d.type() == RegisteredDomain.Type.ICANN);
   354                 .filter(d -> d.type() == RegisteredDomain.Type.ICANN);
   353 
   355 
   354         if (rd.isPresent()) {
   356         if (rd.isPresent()) {
   355             String wDomain = afterWildcard.substring(firstDotIndex + 1);
   357             String wDomain = afterWildcard.substring(firstDotIndex + 1);
   356             if (rd.get().publicSuffix().equalsIgnoreCase(wDomain)) {
   358             if (rd.get().publicSuffix().equalsIgnoreCase(wDomain)) {
   357                 if (debug != null) {
   359                 if (SSLLogger.isOn) {
   358                     debug.println("Certificate domain name has illegal " +
   360                     SSLLogger.fine(
   359                                   "wildcard for public suffix: " + template);
   361                         "Certificate domain name has illegal " +
       
   362                         "wildcard for public suffix: " + template);
   360                 }
   363                 }
   361                 return true;
   364                 return true;
   362             }
   365             }
   363         }
   366         }
   364 
   367