modified JsseDefaultHostnameAuthorizer to ignore SANs it can't match.…
… Added logging

Migrates the Authorizer test code from the test package into PKIX.
dghgit committed Jun 26, 2018
1 parent fafe99a commit 7b18529
Showing 24 changed files with 739 additions and 185 deletions.
Expand Up @@ -9,6 +9,8 @@
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.net.ssl.SSLSession;

Expand All @@ -18,6 +20,7 @@
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.est.ESTException;
import org.bouncycastle.util.Strings;
import org.bouncycastle.util.encoders.Hex;


/**
Expand All @@ -26,6 +29,7 @@
public class JsseDefaultHostnameAuthorizer
implements JsseHostnameAuthorizer
{
private static Logger LOG = Logger.getLogger(JsseDefaultHostnameAuthorizer.class.getName());

private final Set<String> knownSuffixes;

Expand Down Expand Up @@ -84,7 +88,8 @@ public boolean verify(String name, X509Certificate cert)
for (Iterator it = n.iterator(); it.hasNext();)
{
List l = (List)it.next();
switch (((Number)l.get(0)).intValue())
int type = ((Number)l.get(0)).intValue();
switch (type)
{
case 2:
if (isValidNameMatch(name, l.get(1).toString(), knownSuffixes))
Expand All @@ -99,7 +104,21 @@ public boolean verify(String name, X509Certificate cert)
}
break;
default:
throw new RuntimeException("Unable to handle ");
// ignore, maybe log
if (LOG.isLoggable(Level.INFO))
{
String value;
if (l.get(1) instanceof byte[])
{
value = Hex.toHexString((byte[])l.get(1));
}
else
{
value = l.get(1).toString();
}

LOG.log(Level.INFO, "ignoring type " + type + " value = " + value);
}
}
}

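Review bot: The value written by the new `LOG.log(Level.INFO, "ignoring type " + type + " value = " + value)` line in the last hunk is copied verbatim from the peer certificate: whenever `l.get(1)` is not a byte[], `l.get(1).toString()` is text chosen by whoever issued the certificate, so a name containing CR/LF lands in the log unchanged and can forge additional log lines. The byte[] branch already hex-encodes, and the string branch should be neutralised the same way, e.g. `value = l.get(1).toString().replaceAll("\\p{Cntrl}", "?");`, before it reaches the logger. INFO is also a loud level for an expected condition (certificates routinely carry SAN types other than dNSName and iPAddress), so FINE would fit better, and the `// ignore, maybe log` comment is now stale because logging does happen. `private static Logger LOG` in the third hunk should be `private static final Logger LOG`, since it is assigned once at class initialisation. verify() begins and ends outside the hunk.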
1 change: 1 addition & 0 deletions pkix/src/test/java/org/bouncycastle/est/test/AllTests.java
Expand Up @@ -35,6 +35,7 @@ public static Test suite()

suite.addTestSuite(ESTParsingTest.class);
suite.addTestSuite(HostNameAuthorizerMatchTest.class);
suite.addTestSuite(TestHostNameAuthorizer.class);

return new ESTTestSetup(suite);
}
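--- /dev/null
+++ b/pkix/src/test/java/org/bouncycastle/est/test/TestHostNameAuthorizer.java
@@ -0,0 +1,108 @@
+package org.bouncycastle.est.test;
+
+
+import java.io.InputStreamReader;
+import java.security.cert.X509Certificate;
+
+import junit.framework.TestCase;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.est.jcajce.JsseDefaultHostnameAuthorizer;
+import org.bouncycastle.util.io.pem.PemReader;
+import org.junit.Assert;
+
+/**
+* TestHostNameAuthorizer tests the hostname authorizer only. EST related functions
+* are not tested here.
+*/
+public class TestHostNameAuthorizer
+extends TestCase
+{
+private static X509Certificate readPemCertificate(String path)
+throws Exception
+{
+InputStreamReader fr = new InputStreamReader(TestHostNameAuthorizer.class.getResourceAsStream(path));
+PemReader reader = new PemReader(fr);
+X509CertificateHolder fromFile = new X509CertificateHolder(reader.readPemObject().getContent());
+reader.close();
+fr.close();
+return new JcaX509CertificateConverter().setProvider("BC").getCertificate(fromFile);
+}
+
+/*
+The following tests do not attempt to validate the certificates.
+They only test hostname verification behavior.
+*/
+public void testCNMatch()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_cn_match_wc.pem");
+
+Assert.assertTrue("Common Name match", new JsseDefaultHostnameAuthorizer(null).verify("aardvark.cisco.com", cert));
+Assert.assertFalse("Not match", new JsseDefaultHostnameAuthorizer(null).verify("cisco.com", cert));
+}
+
+public void testCNMismatch_1()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_cn_mismatch_wc.pem");
+
+Assert.assertFalse("Not match", new JsseDefaultHostnameAuthorizer(null).verify("aardvark", cert));
+}
+
+
+// 192.168.1.50
+public void testCNIPMismatch()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_cn_mismatch_ip.pem");
+
+Assert.assertFalse("Not match", new JsseDefaultHostnameAuthorizer(null).verify("127.0.0.1", cert));
+}
+
+public void testWCMismatch()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_cn_mismatch_ip.pem");
+
+Assert.assertFalse("Not match", new JsseDefaultHostnameAuthorizer(null).verify("aardvark.cisco.com", cert));
+}
+
+public void testSANMatch()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_san_match.pem");
+Assert.assertTrue("Match", new JsseDefaultHostnameAuthorizer(null).verify("localhost.cisco.com", cert));
+}
+
+public void testSANMatchIP()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_san_match_ip.pem");
+Assert.assertTrue("Match", new JsseDefaultHostnameAuthorizer(null).verify("192.168.51.140", cert));
+Assert.assertTrue("Match", new JsseDefaultHostnameAuthorizer(null).verify("127.0.0.1", cert));
+Assert.assertFalse("Not Match", new JsseDefaultHostnameAuthorizer(null).verify("10.0.0.1", cert));
+}
+
+public void testSANMatchWC()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_san_mismatch_wc.pem");
+Assert.assertTrue("Match", new JsseDefaultHostnameAuthorizer(null).verify("roundhouse.yahoo.com", cert));
+Assert.assertFalse("Not Match", new JsseDefaultHostnameAuthorizer(null).verify("aardvark.cisco.com", cert));
+}
+
+public void testSANMismatchIP()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_san_mismatch_ip.pem");
+Assert.assertFalse("Not Match", new JsseDefaultHostnameAuthorizer(null).verify("localhost.me", cert));
+}
+
+public void testSANMismatchWC()
+throws Exception
+{
+X509Certificate cert = readPemCertificate("san/cert_san_mismatch_wc.pem");
+Assert.assertFalse("Not Match", new JsseDefaultHostnameAuthorizer(null).verify("localhost.me", cert));
+}
+}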
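Review bot: None of the new tests exercise the behaviour this commit changes: a certificate whose SAN list contains a type other than the ones verify() matches is now skipped instead of raising a RuntimeException, yet the fixtures visible in this commit carry no SAN extension at all and the san_* fixtures are not shown here, so a regression back to throwing would go unnoticed; a fixture with one unmatched SAN type next to a matching dNSName, asserting that verify() still returns true, would pin the new contract. readPemCertificate leaks the reader and stream when X509CertificateHolder construction throws, and a null from getResourceAsStream or readPemObject surfaces as a bare NullPointerException that hides which resource is missing, so closing in a finally block and naming the path in the failure makes broken fixtures diagnosable (the rewrite below needs java.io.InputStream and org.bouncycastle.util.io.pem.PemObject imported). testWCMismatch loads `san/cert_cn_mismatch_ip.pem`, the same certificate as testCNIPMismatch, so it presumably meant to load a wildcard-CN fixture; worth confirming against the intended coverage.
```java
private static X509Certificate readPemCertificate(String path)
    throws Exception
{
    InputStream in = TestHostNameAuthorizer.class.getResourceAsStream(path);
    if (in == null)
    {
        throw new IllegalStateException("test resource not found: " + path);
    }
    PemReader reader = new PemReader(new InputStreamReader(in));
    try
    {
        PemObject pem = reader.readPemObject();
        if (pem == null)
        {
            throw new IllegalStateException("no PEM object in " + path);
        }
        X509CertificateHolder fromFile = new X509CertificateHolder(pem.getContent());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(fromFile);
    }
    finally
    {
        // PemReader wraps the InputStreamReader, so this also closes the stream
        reader.close();
    }
}
// … unchanged: test methods …
```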
@@ -0,0 +1,44 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 865 (0x361)
Signature Algorithm: ecdsa-with-SHA1
Issuer: CN=estExampleCA
Validity
Not Before: Sep 29 12:41:31 2014 GMT
Not After : Dec 16 12:41:31 2022 GMT
Subject: CN=*.cisco.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b7:08:e6:18:f2:32:d7:07:44:4b:f3:b1:83:01:
59:f8:bc:ec:26:71:92:9a:53:70:f2:c0:be:2a:d6:
26:6f:45:11:86:d7:ee:37:9d:d3:2f:22:b2:8b:9b:
c5:96:00:36:73:97:c3:4c:f2:7a:0b:2c:e0:cc:d9:
f0:ec:ba:1b:75:8c:66:b1:86:10:fd:be:df:6b:67:
9c:0e:6b:2a:0e:d0:80:a8:dc:7a:d4:df:6e:79:28:
a7:60:1a:11:b7:ae:40:94:bb:b4:11:ed:1b:6f:a7:
91:ae:33:ec:bf:9c:30:f3:dc:91:2c:b4:3e:8c:c9:
bd:f1:d1:aa:f6:c2:1d:6a:cd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA1
30:44:02:20:76:4f:3a:6c:b4:99:cb:1e:37:f4:0d:6e:e1:74:
4b:99:bb:f5:c4:b6:3d:c1:61:df:8c:d7:1f:9f:e7:d3:64:d6:
02:20:64:38:8f:6f:32:37:2b:7d:cf:28:93:e5:e6:e7:70:c5:
a9:12:04:b0:4b:a5:29:7b:23:df:85:f2:18:44:8b:d2
-----BEGIN CERTIFICATE-----
MIIBezCCASOgAwIBAgICA2EwCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxlc3RFeGFt
cGxlQ0EwHhcNMTQwOTI5MTI0MTMxWhcNMjIxMjE2MTI0MTMxWjAWMRQwEgYDVQQD
DAsqLmNpc2NvLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtwjmGPIy
1wdES/OxgwFZ+LzsJnGSmlNw8sC+KtYmb0URhtfuN53TLyKyi5vFlgA2c5fDTPJ6
CyzgzNnw7LobdYxmsYYQ/b7fa2ecDmsqDtCAqNx61N9ueSinYBoRt65AlLu0Ee0b
b6eRrjPsv5ww89yRLLQ+jMm98dGq9sIdas0CAwEAAaMaMBgwCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBeAwCQYHKoZIzj0EAQNHADBEAiB2TzpstJnLHjf0DW7hdEuZu/XE
tj3BYd+M1x+f59Nk1gIgZDiPbzI3K33PKJPl5udwxakSBLBLpSl7I9+F8hhEi9I=
-----END CERTIFICATE-----
@@ -0,0 +1,44 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 863 (0x35f)
Signature Algorithm: ecdsa-with-SHA1
Issuer: CN=estExampleCA
Validity
Not Before: Sep 29 12:36:22 2014 GMT
Not After : Dec 16 12:36:22 2022 GMT
Subject: CN=hostname
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c2:4e:9f:27:15:91:6b:2b:e7:85:a8:50:d9:5b:
1a:a9:23:0a:84:1c:fd:e7:24:dc:29:18:f2:52:55:
43:25:e4:3e:ce:02:51:9c:93:19:67:89:c9:93:6d:
dc:5d:56:ad:cb:b0:7e:2c:7a:ad:98:17:7f:bb:19:
62:7d:2e:f0:0b:cf:c1:18:6f:6f:3a:fc:3d:3c:03:
9b:18:66:5f:dc:2a:fa:72:54:bf:5f:b0:75:dd:bf:
84:40:b1:3a:c5:65:2d:84:ee:48:76:1d:45:fa:1d:
e2:b2:25:5e:aa:06:8c:11:66:ef:40:f0:68:14:08:
a8:7e:62:4a:d2:e9:88:bd:3d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA1
30:45:02:21:00:a8:bd:82:16:2c:9c:bf:77:1a:4d:fc:0f:a5:
a6:da:6e:e7:2f:45:fc:58:be:e3:0c:d2:a7:36:41:1f:45:c0:
80:02:20:6f:82:eb:4b:05:63:c9:e3:c7:f8:42:c0:ff:f1:0f:
5f:95:db:95:6e:71:fb:05:f0:52:e0:a6:82:53:45:f6:e3
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@@ -0,0 +1,45 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 864 (0x360)
Signature Algorithm: ecdsa-with-SHA1
Issuer: CN=estExampleCA
Validity
Not Before: Sep 29 12:39:24 2014 GMT
Not After : Dec 16 12:39:24 2022 GMT
Subject: CN=192.168.1.50
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d8:fe:96:35:15:34:48:a5:6c:21:65:8e:0b:9f:
85:59:2e:24:f6:9b:23:2a:d9:d3:71:92:b3:24:2d:
1f:ae:f5:bb:1b:84:e9:ed:42:8a:b9:47:bc:92:70:
69:93:a7:c8:50:4b:05:89:36:67:34:b4:2a:97:fb:
64:9e:49:19:68:0d:21:36:36:63:6f:df:d9:39:f7:
e9:da:ff:fe:9a:a8:e6:d5:75:bb:3f:e5:38:f5:c2:
26:f4:f1:f4:b6:5c:9b:a7:4b:2c:7d:34:ff:c0:87:
ad:dc:2c:6a:bd:22:cc:13:78:ff:f5:93:c7:63:10:
44:e0:3f:2c:04:91:26:9b:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA1
30:45:02:21:00:b9:1f:ee:63:e9:0a:79:a6:76:72:e8:d8:93:
b8:26:aa:ff:15:04:2b:f0:37:bb:45:96:5b:0b:ce:15:67:b7:
75:02:20:21:62:07:24:76:f4:98:90:f4:6d:7e:d7:57:62:a6:
6a:b1:40:b7:d2:73:1c:58:24:eb:a9:3a:19:90:34:0e:ba
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@@ -0,0 +1,44 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 867 (0x363)
Signature Algorithm: ecdsa-with-SHA1
Issuer: CN=estExampleCA
Validity
Not Before: Sep 29 12:43:07 2014 GMT
Not After : Dec 16 12:43:07 2022 GMT
Subject: CN=*.google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c0:4a:fd:4b:ac:bc:cd:ca:d2:7d:ba:03:d4:49:
5e:68:fb:47:dd:f5:01:9c:ec:65:82:7f:50:9f:24:
3f:9f:44:96:14:d5:9c:64:a9:19:51:83:2f:5e:62:
11:a0:46:14:1f:e8:d9:c4:61:23:6b:fe:96:59:a3:
cd:e5:c3:82:08:c4:3f:55:a4:5c:7a:63:9d:bb:58:
ec:79:62:31:c2:4d:c4:1d:43:05:bc:09:78:a1:c1:
27:21:41:b7:03:82:11:96:5d:b5:97:92:a1:93:f8:
1c:e2:5f:33:e6:03:0e:03:9e:84:6a:72:d6:00:9f:
77:75:2d:be:e6:84:fb:22:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Signature Algorithm: ecdsa-with-SHA1
30:44:02:20:09:d4:15:d9:f2:48:dd:be:68:6f:1a:dd:48:fb:
85:e3:f3:e4:f8:67:a6:36:fc:0f:b2:bb:23:f7:ba:92:77:bc:
02:20:4f:aa:2f:29:1f:df:4f:0e:fa:fe:57:6e:85:5e:30:bd:
21:56:c0:ef:30:be:7b:48:6a:f1:71:46:f2:17:fe:b6
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

0 comments on commit 7b18529