-
Notifications
You must be signed in to change notification settings - Fork 263
/
OkHostnameVerifier.java
286 lines (258 loc) · 11.8 KB
/
OkHostnameVerifier.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.conscrypt;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
/**
* A HostnameVerifier consistent with <a
* href="http://www.ietf.org/rfc/rfc2818.txt">RFC 2818</a>.
*/
public final class OkHostnameVerifier implements ConscryptHostnameVerifier {
// Android-changed: Add a mode which disallows top-level domain wildcards. b/144694112
// public static final OkHostnameVerifier INSTANCE = new OkHostnameVerifier();
public static final OkHostnameVerifier INSTANCE = new OkHostnameVerifier(false);
/**
* Quick and dirty pattern to differentiate IP addresses from hostnames. This
* is an approximation of Android's private InetAddress#isNumeric API.
*
* <p>This matches IPv6 addresses as a hex string containing at least one
* colon, and possibly including dots after the first colon. It matches IPv4
* addresses as strings containing only decimal digits and dots. This pattern
* matches strings like "a:.23" and "54" that are neither IP addresses nor
* hostnames; they will be verified as IP addresses (which is a more strict
* verification).
*/
private static final Pattern VERIFY_AS_IP_ADDRESS = Pattern.compile(
"([0-9a-fA-F]*:[0-9a-fA-F:.]*)|([\\d.]+)");
private static final int ALT_DNS_NAME = 2;
private static final int ALT_IPA_NAME = 7;
// BEGIN Android-changed: Add a mode which disallows top-level domain wildcards. b/144694112
// private OkHostnameVerifier() {
// }
private final boolean strictWildcardMode;
private OkHostnameVerifier(boolean strictWildcardMode) {
this.strictWildcardMode = strictWildcardMode;
}
public static OkHostnameVerifier strictInstance() {
return new OkHostnameVerifier(true);
}
// END Android-changed: Add a mode which disallows top-level domain wildcards. b/144694112
@Override
public boolean verify(X509Certificate[] certs, String host, SSLSession session) {
if (certs.length > 0) {
return verify(host, certs[0]);
} else {
try {
Certificate[] certificates = session.getPeerCertificates();
return verify(host, (X509Certificate) certificates[0]);
} catch (SSLException e) {
return false;
}
}
}
public boolean verify(String host, X509Certificate certificate) {
return verifyAsIpAddress(host)
? verifyIpAddress(host, certificate)
: verifyHostName(host, certificate);
}
static boolean verifyAsIpAddress(String host) {
return VERIFY_AS_IP_ADDRESS.matcher(host).matches();
}
/**
* Returns true if {@code certificate} matches {@code ipAddress}.
*/
private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
List<String> altNames = getSubjectAltNames(certificate, ALT_IPA_NAME);
for (int i = 0, size = altNames.size(); i < size; i++) {
if (ipAddress.equalsIgnoreCase(altNames.get(i))) {
return true;
}
}
return false;
}
/**
* Returns true if {@code certificate} matches {@code hostName}.
*/
@SuppressWarnings("UnusedVariable")
private boolean verifyHostName(String hostName, X509Certificate certificate) {
hostName = hostName.toLowerCase(Locale.US);
boolean hasDns = false;
List<String> altNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
for (int i = 0, size = altNames.size(); i < size; i++) {
hasDns = true;
if (verifyHostName(hostName, altNames.get(i))) {
return true;
}
}
return false;
}
// BEGIN Android-removed: Ignore common name in hostname verification. http://b/70278814
/*
if (!hasDns) {
X500Principal principal = certificate.getSubjectX500Principal();
// RFC 2818 advises using the most specific name for matching.
String cn = new DistinguishedNameParser(principal).findMostSpecific("cn");
if (cn != null) {
return verifyHostName(hostName, cn);
}
}
*/
// END Android-removed: Ignore common name in hostname verification. http://b/70278814
public static List<String> allSubjectAltNames(X509Certificate certificate) {
List<String> altIpaNames = getSubjectAltNames(certificate, ALT_IPA_NAME);
List<String> altDnsNames = getSubjectAltNames(certificate, ALT_DNS_NAME);
List<String> result = new ArrayList<>(altIpaNames.size() + altDnsNames.size());
result.addAll(altIpaNames);
result.addAll(altDnsNames);
return result;
}
@SuppressWarnings("MixedMutabilityReturnType")
private static List<String> getSubjectAltNames(X509Certificate certificate, int type) {
List<String> result = new ArrayList<>();
try {
Collection<?> subjectAltNames = certificate.getSubjectAlternativeNames();
if (subjectAltNames == null) {
return Collections.emptyList();
}
for (Object subjectAltName : subjectAltNames) {
List<?> entry = (List<?>) subjectAltName;
if (entry == null || entry.size() < 2) {
continue;
}
Integer altNameType = (Integer) entry.get(0);
if (altNameType == null) {
continue;
}
if (altNameType == type) {
String altName = (String) entry.get(1);
if (altName != null) {
result.add(altName);
}
}
}
return result;
} catch (CertificateParsingException e) {
return Collections.emptyList();
}
}
/**
* Returns {@code true} iff {@code hostName} matches the domain name {@code pattern}.
*
* @param hostName lower-case host name.
* @param pattern domain name pattern from certificate. May be a wildcard pattern such as
* {@code *.android.com}.
*/
private boolean verifyHostName(String hostName, String pattern) {
// Basic sanity checks
// Check length == 0 instead of .isEmpty() to support Java 5.
if (hostName == null || hostName.length() == 0 || hostName.startsWith(".")
|| hostName.endsWith("..")) {
// Invalid domain name
return false;
}
if (pattern == null || pattern.length() == 0 || pattern.startsWith(".")
|| pattern.endsWith("..")) {
// Invalid pattern/domain name
return false;
}
// Normalize hostName and pattern by turning them into absolute domain names if they are not
// yet absolute. This is needed because server certificates do not normally contain absolute
// names or patterns, but they should be treated as absolute. At the same time, any hostName
// presented to this method should also be treated as absolute for the purposes of matching
// to the server certificate.
// www.android.com matches www.android.com
// www.android.com matches www.android.com.
// www.android.com. matches www.android.com.
// www.android.com. matches www.android.com
if (!hostName.endsWith(".")) {
hostName += '.';
}
if (!pattern.endsWith(".")) {
pattern += '.';
}
// hostName and pattern are now absolute domain names.
pattern = pattern.toLowerCase(Locale.US);
// hostName and pattern are now in lower case -- domain names are case-insensitive.
if (!pattern.contains("*")) {
// Not a wildcard pattern -- hostName and pattern must match exactly.
return hostName.equals(pattern);
}
// Wildcard pattern
// WILDCARD PATTERN RULES:
// 1. Asterisk (*) is only permitted in the left-most domain name label and must be the
// only character in that label (i.e., must match the whole left-most label).
// For example, *.example.com is permitted, while *a.example.com, a*.example.com,
// a*b.example.com, a.*.example.com are not permitted.
// 2. Asterisk (*) cannot match across domain name labels.
// For example, *.example.com matches test.example.com but does not match
// sub.test.example.com.
// 3. Wildcard patterns for single-label domain names are not permitted.
// 4. Android-added: if strictWildcardMode is true then wildcards matching top-level domains,
// e.g. *.com, are not permitted.
if (!pattern.startsWith("*.") || pattern.indexOf('*', 1) != -1) {
// Asterisk (*) is only permitted in the left-most domain name label and must be the only
// character in that label
return false;
}
// Optimization: check whether hostName is too short to match the pattern. hostName must be at
// least as long as the pattern because asterisk must match the whole left-most label and
// hostName starts with a non-empty label. Thus, asterisk has to match one or more characters.
if (hostName.length() < pattern.length()) {
// hostName too short to match the pattern.
return false;
}
if ("*.".equals(pattern)) {
// Wildcard pattern for single-label domain name -- not permitted.
return false;
}
// BEGIN Android-added: Disallow top-level wildcards in strict mode. http://b/144694112
if (strictWildcardMode) {
// By this point we know the pattern has been normalised and starts with a wildcard,
// i.e. "*.domainpart."
String domainPart = pattern.substring(2, pattern.length() - 1);
// If the domain part contains no dots then this pattern will match top level domains.
if (domainPart.indexOf('.') < 0) {
return false;
}
}
// END Android-added: Disallow top-level wildcards in strict mode. http://b/144694112
// hostName must end with the region of pattern following the asterisk.
String suffix = pattern.substring(1);
if (!hostName.endsWith(suffix)) {
// hostName does not end with the suffix
return false;
}
// Check that asterisk did not match across domain name labels.
int suffixStartIndexInHostName = hostName.length() - suffix.length();
if ((suffixStartIndexInHostName > 0)
&& (hostName.lastIndexOf('.', suffixStartIndexInHostName - 1) != -1)) {
// Asterisk is matching across domain name labels -- not permitted.
return false;
}
// hostName matches pattern
return true;
}
}