diff --git a/common/src/main/java/org/conscrypt/OkHostnameVerifier.java b/common/src/main/java/org/conscrypt/OkHostnameVerifier.java
index 57f12f483..c14e3719d 100644
--- a/common/src/main/java/org/conscrypt/OkHostnameVerifier.java
+++ b/common/src/main/java/org/conscrypt/OkHostnameVerifier.java
@@ -109,6 +109,7 @@ private boolean verifyIpAddress(String ipAddress, X509Certificate certificate) {
 /**
 * Returns true if {@code certificate} matches {@code hostName}.
 */
+ @SuppressWarnings("UnusedVariable")
 private boolean verifyHostName(String hostName, X509Certificate certificate) {
 hostName = hostName.toLowerCase(Locale.US);
 boolean hasDns = false;
@@ -144,6 +145,7 @@ public static List allSubjectAltNames(X509Certificate certificate) {
 return result;
 }
 
+ @SuppressWarnings("MixedMutabilityReturnType")
 private static List getSubjectAltNames(X509Certificate certificate, int type) {
 List result = new ArrayList<>();
 try {
diff --git a/common/src/test/java/org/conscrypt/TrustManagerImplTest.java b/common/src/test/java/org/conscrypt/TrustManagerImplTest.java
index a05241b01..e3c7ad8d2 100644
--- a/common/src/test/java/org/conscrypt/TrustManagerImplTest.java
+++ b/common/src/test/java/org/conscrypt/TrustManagerImplTest.java
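Review bot: Both hunks in OkHostnameVerifier.java silence an Error Prone finding with `@SuppressWarnings` instead of addressing it, and in the first hunk the suppressed finding sits on the certificate/hostname matching routine, where a dead local is a hint that a branch of the verification logic has been dropped. The flagged variable is presumably `hasDns`, declared on the line after the annotation, but the body of verifyHostName continues outside the hunk, so this needs confirming; if it is dead, delete the declaration and its assignments rather than keeping `@SuppressWarnings("UnusedVariable")`. The second hunk does the same for getSubjectAltNames with `@SuppressWarnings("MixedMutabilityReturnType")`; Error Prone raises that check when some return paths yield an immutable list and others the mutable `result`, and a caller that mutates the returned list then fails with UnsupportedOperationException only on the rarer path. If that is the case here (the other return paths are outside the hunk), returning `result` on every path, or wrapping every return in `Collections.unmodifiableList(...)`, removes the hazard instead of hiding it.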
@@ -147,18 +147,64 @@ public void testHttpsEndpointIdentification() throws Exception {
 // Turn on endpoint identification
 params.setEndpointIdentificationAlgorithm("HTTPS");
- try { // this should fail
- certs = tmi.getTrustedChainForServer(chain, "RSA",
+ try {
+ tmi.getTrustedChainForServer(chain, "RSA",
 new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
- assertEquals(Arrays.asList(chain), certs);
 fail();
+ } catch (CertificateException expected) {
+ }
+
+ certs = tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
+ assertEquals(Arrays.asList(chain), certs);
+
+ // Override the global default hostname verifier with a Conscrypt-specific one that
+ // always passes. Both scenarios should pass.
+ Conscrypt.setHostnameVerifier(tmi, new ConscryptHostnameVerifier() {
+ @Override
+ public boolean verify(X509Certificate[] certificates, String s, SSLSession sslSession) {
+ return true;
+ }
+ });
+
+ certs = tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
+ assertEquals(Arrays.asList(chain), certs);
+
+ certs = tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
+ assertEquals(Arrays.asList(chain), certs);
+ // Now set an instance-specific verifier on the trust manager. The bad hostname should
+ // fail again.
+// Conscrypt.setHostnameVerifier(tmi, new TestHostnameVerifier());
+ Conscrypt.setHostnameVerifier(tmi, Conscrypt.wrapHostnameVerifier(new org.conscrypt.javax.net.ssl.TestHostnameVerifier()));
+
+ try {
+ tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
+ fail();
+ } catch (CertificateException expected) {
+ }
+
+ certs = tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
+ assertEquals(Arrays.asList(chain), certs);
+
+ // Remove the instance-specific verifier, and both should pass again.
+ Conscrypt.setHostnameVerifier(tmi, null);
+
+ try {
+ tmi.getTrustedChainForServer(chain, "RSA",
+ new FakeSSLSocket(new FakeSSLSession(badHostname, chain), params));
+ fail();
 } catch (CertificateException expected) {
 }
+
 certs = tmi.getTrustedChainForServer(chain, "RSA",
 new FakeSSLSocket(new FakeSSLSession(goodHostname, chain), params));
 assertEquals(Arrays.asList(chain), certs);
- } finally { // Still need for protecting future tests
+ } finally {
 Conscrypt.setDefaultHostnameVerifier(null);
 }
 }
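Review bot: Two of the new comments in this hunk describe the opposite of what the code beneath them does, which matters in a test whose whole purpose is to pin which hostname verifier wins. The comment "Override the global default hostname verifier ..." precedes `Conscrypt.setHostnameVerifier(tmi, ...)`, which the later comment in the same hunk itself calls the instance-specific setter (the global one, `Conscrypt.setDefaultHostnameVerifier`, appears only in the finally block), and "Remove the instance-specific verifier, and both should pass again" precedes a block that expects the badHostname lookup to throw CertificateException. Suggested wording: `// Install an instance-specific verifier that always passes. Both scenarios should pass.` and `// Remove the instance-specific verifier; default verification applies again, so the bad hostname fails.` The commented-out line `// Conscrypt.setHostnameVerifier(tmi, new TestHostnameVerifier());` is dead code next to its replacement and should be deleted. testHttpsEndpointIdentification begins outside the hunk, so I cannot see whether the default verifier reset in finally is still needed for anything this hunk sets.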