Posted to commits@cxf.apache.org by as...@apache.org on 2014/10/23 18:26:54 UTC

git commit: Refactoring cert host verifier

Repository: cxf
Updated Branches:
  refs/heads/master 5e2b1fa9d -> 68cd67b11


Refactoring cert host verifier


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/68cd67b1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/68cd67b1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/68cd67b1

Branch: refs/heads/master
Commit: 68cd67b1187edfca957f15a00eab9a14cd140672
Parents: 5e2b1fa
Author: Alessio Soldano <as...@redhat.com>
Authored: Thu Oct 23 18:24:06 2014 +0200
Committer: Alessio Soldano <as...@redhat.com>
Committed: Thu Oct 23 18:24:06 2014 +0200

----------------------------------------------------------------------
 .../https/CertificateHostnameVerifier.java      | 71 +++++++++-----------
 1 file changed, 33 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/68cd67b1/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java
index 10da8ea..d9f543b 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/CertificateHostnameVerifier.java
@@ -30,14 +30,21 @@ import java.util.Collection;
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.NoSuchElementException;
 import java.util.Set;
-import java.util.StringTokenizer;
 import java.util.TreeSet;
 
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
+import javax.security.auth.x500.X500Principal;
 
 /**
  * ************************************************************************
@@ -498,45 +505,33 @@ public interface CertificateHostnameVerifier extends javax.net.ssl.HostnameVerif
             //utility class
         }
         public static String[] getCNs(X509Certificate cert) {
-            List<String> cnList = new LinkedList<String>();
-            /*
-           Sebastian Hauer's original StrictSSLProtocolSocketFactory used
-           getName() and had the following comment:
-
-              Parses a X.500 distinguished name for the value of the
-              "Common Name" field.  This is done a bit sloppy right
-              now and should probably be done a bit more according to
-              <code>RFC 2253</code>.
-
-            I've noticed that toString() seems to do a better job than
-            getName() on these X500Principal objects, so I'm hoping that
-            addresses Sebastian's concern.
-
-            For example, getName() gives me this:
-            1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
-            whereas toString() gives me this:
-            EMAILADDRESS=juliusdavies@cucbc.com
-
-            Looks like toString() even works with non-ascii domain names!
-            I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
-           */
-            String subjectPrincipal = cert.getSubjectX500Principal().toString();
-            StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
-            while (st.hasMoreTokens()) {
-                String tok = st.nextToken();
-                int x = tok.indexOf("CN=");
-                if (x >= 0) {
-                    cnList.add(tok.substring(x + 3));
+            try {
+                final String subjectPrincipal = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
+                final List<String> cnList = new LinkedList<String>();
+                final LdapName subjectDN = new LdapName(subjectPrincipal);
+                for (final Rdn rds : subjectDN.getRdns()) {
+                    final Attributes attributes = rds.toAttributes();
+                    final Attribute cn = attributes.get("cn");
+                    if (cn != null) {
+                        try {
+                            final Object value = cn.get();
+                            if (value != null) {
+                                cnList.add(value.toString());
+                            }
+                        } catch (NoSuchElementException ignore) {
+                            //ignore
+                        } catch (NamingException ignore) {
+                            //ignore
+                        }
+                    }
                 }
+                if (!cnList.isEmpty()) {
+                    return cnList.toArray(new String[cnList.size()]);
+                }
+            } catch (InvalidNameException ignore) {
+                //ignore
             }
-            if (!cnList.isEmpty()) {
-                String[] cns = new String[cnList.size()];
-                cnList.toArray(cns);
-                return cns;
-            } else {
-                return null;
-            }
+            return null;
         }
 
         /**
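Review bot: The order of the returned CNs changes with this rewrite: `LdapName.getRdns()` places the rightmost (least specific) RDN at index 0, so the forward `for (final Rdn rds : subjectDN.getRdns())` loop emits CNs in the reverse of the order the old tokenizer over `toString()` produced, and a subject with more than one CN RDN now yields a different `cns[0]`. If the verifier that consumes this array matches only the first element, as the upstream HttpClient verifier this code derives from does, that is the value an attacker-controlled trailing CN would now be compared against, so the loop should walk the list backwards: `final List<Rdn> rdns = subjectDN.getRdns();` / `for (int i = rdns.size() - 1; i >= 0; i--) {` / `final Rdn rds = rdns.get(i);`. Separately, `cn.get()` returns a `byte[]` for a `#hex`-encoded value in the RFC 2253 string, so `value.toString()` would add a `[B@...` token rather than a name; a `value instanceof String` guard (or skipping the entry) keeps non-string CNs from silently failing to match, and `cn.get()` also only sees the first value of a multi-valued CN attribute. The three `//ignore` catches would be easier to audit with a one-line reason, e.g. `// unparsable subject DN: fall through to SAN matching, caller treats null as "no CN"`.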