equal
deleted
inserted
replaced
33 import java.util.*; |
33 import java.util.*; |
34 import javax.security.auth.x500.X500Principal; |
34 import javax.security.auth.x500.X500Principal; |
35 import javax.net.ssl.SNIHostName; |
35 import javax.net.ssl.SNIHostName; |
36 |
36 |
37 import sun.net.util.IPAddressUtil; |
37 import sun.net.util.IPAddressUtil; |
38 import sun.security.ssl.ClientKeyExchangeService; |
|
39 import sun.security.ssl.Debug; |
|
40 import sun.security.x509.X500Name; |
38 import sun.security.x509.X500Name; |
|
39 import sun.security.ssl.SSLLogger; |
41 |
40 |
42 /** |
41 /** |
43 * Class to check hostnames against the names specified in a certificate as |
42 * Class to check hostnames against the names specified in a certificate as |
44 * required for TLS and LDAP. |
43 * required for TLS and LDAP. |
45 * |
44 * |
58 |
57 |
59 // constants for subject alt names of type DNS and IP |
58 // constants for subject alt names of type DNS and IP |
60 private static final int ALTNAME_DNS = 2; |
59 private static final int ALTNAME_DNS = 2; |
61 private static final int ALTNAME_IP = 7; |
60 private static final int ALTNAME_IP = 7; |
62 |
61 |
63 private static final Debug debug = Debug.getInstance("ssl"); |
|
64 |
|
65 // the algorithm to follow to perform the check. Currently unused. |
62 // the algorithm to follow to perform the check. Currently unused. |
66 private final byte checkType; |
63 private final byte checkType; |
67 |
64 |
68 private HostnameChecker(byte checkType) { |
65 private HostnameChecker(byte checkType) { |
69 this.checkType = checkType; |
66 this.checkType = checkType; |
116 |
113 |
117 /** |
114 /** |
118 * Return the Server name from Kerberos principal. |
115 * Return the Server name from Kerberos principal. |
119 */ |
116 */ |
120 public static String getServerName(Principal principal) { |
117 public static String getServerName(Principal principal) { |
|
118 /* |
121 ClientKeyExchangeService p = |
119 ClientKeyExchangeService p = |
122 ClientKeyExchangeService.find("KRB5"); |
120 ClientKeyExchangeService.find("KRB5"); |
123 if (p == null) { |
121 if (p == null) { |
124 throw new AssertionError("Kerberos should have been available"); |
122 throw new AssertionError("Kerberos should have been available"); |
125 } |
123 } |
126 return p.getServiceHostName(principal); |
124 return p.getServiceHostName(principal); |
|
125 */ |
|
126 return null; |
127 } |
127 } |
128 |
128 |
129 /** |
129 /** |
130 * Test whether the given hostname looks like a literal IPv4 or IPv6 |
130 * Test whether the given hostname looks like a literal IPv4 or IPv6 |
131 * address. The hostname does not need to be a fully qualified name. |
131 * address. The hostname does not need to be a fully qualified name. |
314 */ |
314 */ |
315 private static boolean hasIllegalWildcard(String domain, String template, |
315 private static boolean hasIllegalWildcard(String domain, String template, |
316 boolean chainsToPublicCA) { |
316 boolean chainsToPublicCA) { |
317 // not ok if it is a single wildcard character or "*." |
317 // not ok if it is a single wildcard character or "*." |
318 if (template.equals("*") || template.equals("*.")) { |
318 if (template.equals("*") || template.equals("*.")) { |
319 if (debug != null) { |
319 if (SSLLogger.isOn) { |
320 debug.println("Certificate domain name has illegal single " + |
320 SSLLogger.fine( |
321 "wildcard character: " + template); |
321 "Certificate domain name has illegal single " + |
|
322 "wildcard character: " + template); |
322 } |
323 } |
323 return true; |
324 return true; |
324 } |
325 } |
325 |
326 |
326 int lastWildcardIndex = template.lastIndexOf("*"); |
327 int lastWildcardIndex = template.lastIndexOf("*"); |
333 String afterWildcard = template.substring(lastWildcardIndex); |
334 String afterWildcard = template.substring(lastWildcardIndex); |
334 int firstDotIndex = afterWildcard.indexOf("."); |
335 int firstDotIndex = afterWildcard.indexOf("."); |
335 |
336 |
336 // not ok if there is no dot after wildcard (ex: "*com") |
337 // not ok if there is no dot after wildcard (ex: "*com") |
337 if (firstDotIndex == -1) { |
338 if (firstDotIndex == -1) { |
338 if (debug != null) { |
339 if (SSLLogger.isOn) { |
339 debug.println("Certificate domain name has illegal wildcard, " + |
340 SSLLogger.fine( |
340 "no dot after wildcard character: " + template); |
341 "Certificate domain name has illegal wildcard, " + |
|
342 "no dot after wildcard character: " + template); |
341 } |
343 } |
342 return true; |
344 return true; |
343 } |
345 } |
344 |
346 |
345 // If the wildcarded domain is a top-level domain under which names |
347 // If the wildcarded domain is a top-level domain under which names |
352 .filter(d -> d.type() == RegisteredDomain.Type.ICANN); |
354 .filter(d -> d.type() == RegisteredDomain.Type.ICANN); |
353 |
355 |
354 if (rd.isPresent()) { |
356 if (rd.isPresent()) { |
355 String wDomain = afterWildcard.substring(firstDotIndex + 1); |
357 String wDomain = afterWildcard.substring(firstDotIndex + 1); |
356 if (rd.get().publicSuffix().equalsIgnoreCase(wDomain)) { |
358 if (rd.get().publicSuffix().equalsIgnoreCase(wDomain)) { |
357 if (debug != null) { |
359 if (SSLLogger.isOn) { |
358 debug.println("Certificate domain name has illegal " + |
360 SSLLogger.fine( |
359 "wildcard for public suffix: " + template); |
361 "Certificate domain name has illegal " + |
|
362 "wildcard for public suffix: " + template); |
360 } |
363 } |
361 return true; |
364 return true; |
362 } |
365 } |
363 } |
366 } |
364 |
367 |