Skip to content

Fix CN issue #100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
isudana wants to merge 1 commit into from
Closed

Fix CN issue #100

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 14 additions & 29 deletions ...nsports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@
*/
package org.apache.synapse.transport.nhttp;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
Expand Down Expand Up @@ -504,36 +507,18 @@ public static int countDots(final String s) {
class Certificates {
public static String[] getCNs(X509Certificate cert) {
LinkedList cnList = new LinkedList();
/*
Sebastian Hauer's original StrictSSLProtocolSocketFactory used
getName() and had the following comment:

Parses a X.500 distinguished name for the value of the
"Common Name" field. This is done a bit sloppy right
now and should probably be done a bit more according to
<code>RFC 2253</code>.

I've noticed that toString() seems to do a better job than
getName() on these X500Principal objects, so I'm hoping that
addresses Sebastian's concern.

For example, getName() gives me this:
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d

whereas toString() gives me this:
EMAILADDRESS=juliusdavies@cucbc.com

Looks like toString() even works with non-ascii domain names!
I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
*/
String subjectPrincipal = cert.getSubjectX500Principal().toString();
StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
while (st.hasMoreTokens()) {
String tok = st.nextToken();
int x = tok.indexOf("CN=");
if (x >= 0) {
cnList.add(tok.substring(x + 3));
try {
LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName());
for (Rdn rdn : ldapDN.getRdns()) {
if ("CN".equalsIgnoreCase(rdn.getType())) {
Object value = rdn.getValue();
if (value != null) {
cnList.add(value.toString());
}
}
}
} catch (InvalidNameException e) {
// unparseable DN — no CNs extractable
}
if (!cnList.isEmpty()) {
String[] cns = new String[cnList.size()];
Expand Down
43 changes: 14 additions & 29 deletions ...orts/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,9 @@

package org.apache.synapse.transport.passthru;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
Expand Down Expand Up @@ -506,36 +509,18 @@ public static int countDots(final String s) {
class Certificates {
public static String[] getCNs(X509Certificate cert) {
LinkedList cnList = new LinkedList();
/*
Sebastian Hauer's original StrictSSLProtocolSocketFactory used
getName() and had the following comment:

Parses a X.500 distinguished name for the value of the
"Common Name" field. This is done a bit sloppy right
now and should probably be done a bit more according to
<code>RFC 2253</code>.

I've noticed that toString() seems to do a better job than
getName() on these X500Principal objects, so I'm hoping that
addresses Sebastian's concern.

For example, getName() gives me this:
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d

whereas toString() gives me this:
EMAILADDRESS=juliusdavies@cucbc.com

Looks like toString() even works with non-ascii domain names!
I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
*/
String subjectPrincipal = cert.getSubjectX500Principal().toString();
StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
while (st.hasMoreTokens()) {
String tok = st.nextToken();
int x = tok.indexOf("CN=");
if (x >= 0) {
cnList.add(tok.substring(x + 3));
try {
LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName());
for (Rdn rdn : ldapDN.getRdns()) {
if ("CN".equalsIgnoreCase(rdn.getType())) {
Object value = rdn.getValue();
if (value != null) {
cnList.add(value.toString());
}
}
}
} catch (InvalidNameException e) {
// unparseable DN — no CNs extractable
}
if (!cnList.isEmpty()) {
String[] cns = new String[cnList.size()];
Expand Down
Loading