Posted to commits@hc.apache.org by ol...@apache.org on 2018/02/26 14:09:09 UTC
httpcomponents-client git commit: HTTPCLIENT-1906: certificates
containing alternative subject names other than DNS and IP (such as RFC822)
get rejected as invalid
Repository: httpcomponents-client
Updated Branches:
refs/heads/4.6.x 9cc7e3929 -> 8d24ee07e
HTTPCLIENT-1906: certificates containing alternative subject names other than DNS and IP (such as RFC822) get rejected as invalid
Project: http://git-wip-us.apache.org/repos/asf/httpcomponents-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/httpcomponents-client/commit/8d24ee07
Tree: http://git-wip-us.apache.org/repos/asf/httpcomponents-client/tree/8d24ee07
Diff: http://git-wip-us.apache.org/repos/asf/httpcomponents-client/diff/8d24ee07
Branch: refs/heads/4.6.x
Commit: 8d24ee07e63c7d217af882b675b5afce002c2a36
Parents: 9cc7e39
Author: Oleg Kalnichevski <ol...@apache.org>
Authored: Mon Feb 26 15:08:23 2018 +0100
Committer: Oleg Kalnichevski <ol...@apache.org>
Committed: Mon Feb 26 15:08:23 2018 +0100
----------------------------------------------------------------------
.../http/conn/ssl/DefaultHostnameVerifier.java | 12 ++++++----
.../http/conn/ssl/CertificatesToPlayWith.java | 25 ++++++++++++++++++++
.../conn/ssl/TestDefaultHostnameVerifier.java | 4 ++++
3 files changed, 36 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/httpcomponents-client/blob/8d24ee07/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
----------------------------------------------------------------------
diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
index 843c636..4385e4b 100644
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
+++ b/httpclient/src/main/java/org/apache/http/conn/ssl/DefaultHostnameVerifier.java
@@ -286,11 +286,13 @@ public final class DefaultHostnameVerifier implements HostnameVerifier {
for (final List<?> entry : entries) {
final Integer type = entry.size() >= 2 ? (Integer) entry.get(0) : null;
if (type != null) {
- final Object o = entry.get(1);
- if (o instanceof String) {
- result.add(new SubjectName((String) o, type.intValue()));
- } else if (o instanceof byte[]) {
- // TODO ASN.1 DER encoded form
+ if (type == SubjectName.DNS || type == SubjectName.IP) {
+ final Object o = entry.get(1);
+ if (o instanceof String) {
+ result.add(new SubjectName((String) o, type));
+ } else if (o instanceof byte[]) {
+ // TODO ASN.1 DER encoded form
+ }
}
}
}
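Review bot: The new `type == SubjectName.DNS || type == SubjectName.IP` filter carries a trust decision that the code does not record. A certificate whose subjectAltName holds only other name types (the RFC822 case from HTTPCLIENT-1906) now yields an empty list here, and the test added in TestDefaultHostnameVerifier suggests the verifier then matches the host against the subject CN instead. I would add a comment above the condition, for example `// Only dNSName and iPAddress entries can identify a host; other SAN types are skipped, so a cert with none of these is matched on its CN`. Separately, if `entries` comes from `X509Certificate.getSubjectAlternativeNames()` (not visible here; confirm), both kept types are returned as `String`, so the `else if (o instanceof byte[])` TODO branch looks unreachable after this change and could be dropped. The enclosing method starts and ends outside the hunk.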
http://git-wip-us.apache.org/repos/asf/httpcomponents-client/blob/8d24ee07/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
----------------------------------------------------------------------
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java b/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
index 284c111..99df26b 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/CertificatesToPlayWith.java
@@ -550,4 +550,29 @@ public class CertificatesToPlayWith {
"-----END CERTIFICATE-----"
).getBytes();
+ public final static byte[] EMAIL_ALT_SUBJECT_NAME = (
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIIDpTCCAo2gAwIBAgIJANqkMEtlkelbMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV\n" +
+ "BAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwIU29tZUNpdHkxEjAQBgNVBAoM\n" +
+ "CU15Q29tcGFueTETMBEGA1UECwwKTXlEaXZpc2lvbjEYMBYGA1UEAwwPd3d3LmNv\n" +
+ "bXBhbnkuY29tMB4XDTE4MDIxNTA3MjkzMFoXDTIwMDIxNTA3MjkzMFowcDELMAkG\n" +
+ "A1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhTb21lQ2l0eTESMBAGA1UE\n" +
+ "CgwJTXlDb21wYW55MRMwEQYDVQQLDApNeURpdmlzaW9uMRgwFgYDVQQDDA93d3cu\n" +
+ "Y29tcGFueS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4v6Oq\n" +
+ "Ua0goRVn1cmT7MOpJhXFm3A70bTpvJIRpEjtGIz99hb34/9r5AYyf1VhKyWmBq24\n" +
+ "XNcOJ59XOlyjjbm2Tl811ufTOdcNbPadoVBmMt4039OSUFpVb4wAw2XPWLTCG2h1\n" +
+ "HNj9GuFHmwcDsg5EiIRrhDGQm2LLLAGoe5PdReoMZCeeWzNWvKTCV14pyRzwQhJL\n" +
+ "F1OmzLYzovbPfB8LZVhQgDbLsh034FScivf2oKDB+NEzAEagNpnrFR0MFLWGYsu1\n" +
+ "nWD5RiZi78HFGiibmhH7QrEPfGlo2eofuUga6naoBUROqkmMCIL8n1HZ/Ur0oGny\n" +
+ "vQCj1AyrfOhuVC53AgMBAAGjQjBAMAsGA1UdDwQEAwIEMDATBgNVHSUEDDAKBggr\n" +
+ "BgEFBQcDATAcBgNVHREEFTATgRFlbWFpbEBleGFtcGxlLmNvbTANBgkqhkiG9w0B\n" +
+ "AQsFAAOCAQEAZ0IsqRrsEmJ6Fa9Yo6PQtrKJrejN2TTDddVgyLQdokzWh/25JFad\n" +
+ "NCMYPH5KjTUyKf96hJDlDayjbKk1PMMhSZMU5OG9NOuGMH/dQttruG1ojse7KIKg\n" +
+ "yHDQrfq5Exxgfa7CMHRKAoTCY7JZhSLyVbTMVhmGfuUDad/RA86ZisXycp0ZmS97\n" +
+ "qDkAmzFL0sL0ZUWNNUh4ZUWvCUZwiuN08z70NjGqXMTDCf68p3SYxbII0xTfScgf\n" +
+ "aQ/A/hD7IbGGTexeoTwpEj01DNvefbQV6//neo32/R5XD0D5jn3TCgZcMThA6H3a\n" +
+ "VkEghVg+s7uMfL/UEebOBQWXQJ/uVoknMA==\n" +
+ "-----END CERTIFICATE-----"
+ ).getBytes();
+
}
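Review bot: `EMAIL_ALT_SUBJECT_NAME` is added without a comment saying what the certificate contains, so a reader of the test cannot tell why `www.company.com` is expected to verify against it. From the encoded bytes it appears to carry subject CN `www.company.com` and a single rfc822Name alternative name, `email@example.com`, with no dNSName or iPAddress entry. A short comment above the constant, such as `// CN=www.company.com; subjectAltName contains only rfc822Name email@example.com (HTTPCLIENT-1906)`, would make the fixture self-explanatory.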
http://git-wip-us.apache.org/repos/asf/httpcomponents-client/blob/8d24ee07/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
----------------------------------------------------------------------
diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
index a58f468..744c3ca 100644
--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
+++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.java
@@ -164,6 +164,10 @@ public class TestDefaultHostnameVerifier {
exceptionPlease(impl, "1.1.1.2", x509);
exceptionPlease(impl, "dummy-value.com", x509);
+
+ in = new ByteArrayInputStream(CertificatesToPlayWith.EMAIL_ALT_SUBJECT_NAME);
+ x509 = (X509Certificate) cf.generateCertificate(in);
+ impl.verify("www.company.com", x509);
}
@Test
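Review bot: The added case asserts only the accepting path, `impl.verify("www.company.com", x509)`, so nothing pins that a certificate with only an e-mail alternative name is still rejected for a host that does not match. A negative assertion next to it, using the helper already called above, would guard against the filter in DefaultHostnameVerifier later turning into "accept anything when no DNS/IP entry is present": `exceptionPlease(impl, "example.com", x509);`. The domain of the e-mail address is a useful value there, since it is the one string in the certificate that must never be treated as a host identity. The test method begins outside the hunk.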