From 2163fcc9c873fa25ffc3ce6e6e55578092c3c73a Mon Sep 17 00:00:00 2001 From: isudana Date: Mon, 6 Apr 2026 08:54:54 +0530 Subject: [PATCH] Fix CN issue --- .../transport/nhttp/HostnameVerifier.java | 50 ++++++++----------- .../transport/passthru/HostnameVerifier.java | 49 +++++++----------- 2 files changed, 39 insertions(+), 60 deletions(-) diff --git a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java index 24abd23a2..ed1239f3c 100644 --- a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java +++ b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/nhttp/HostnameVerifier.java @@ -18,6 +18,9 @@ */ package org.apache.synapse.transport.nhttp; +import javax.naming.InvalidNameException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; @@ -28,6 +31,8 @@ import java.security.cert.X509Certificate; import java.security.cert.CertificateParsingException; import java.util.*; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; /** * ************************************************************************ 
@@ -502,38 +507,23 @@ public static int countDots(final String s) { } class Certificates { + + private static final Log log = LogFactory.getLog(Certificates.class); public static String[] getCNs(X509Certificate cert) { LinkedList cnList = new LinkedList(); - /* - Sebastian Hauer's original StrictSSLProtocolSocketFactory used - getName() and had the following comment: - - Parses a X.500 distinguished name for the value of the - "Common Name" field. This is done a bit sloppy right - now and should probably be done a bit more according to - RFC 2253. - - I've noticed that toString() seems to do a better job than - getName() on these X500Principal objects, so I'm hoping that - addresses Sebastian's concern. - - For example, getName() gives me this: - 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d - - whereas toString() gives me this: - EMAILADDRESS=juliusdavies@cucbc.com - - Looks like toString() even works with non-ascii domain names! - I tested it with "花子.co.jp" and it worked fine. - */ - String subjectPrincipal = cert.getSubjectX500Principal().toString(); - StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); - while (st.hasMoreTokens()) { - String tok = st.nextToken(); - int x = tok.indexOf("CN="); - if (x >= 0) { - cnList.add(tok.substring(x + 3)); + try { + LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName()); + for (Rdn rdn : ldapDN.getRdns()) { + if ("CN".equalsIgnoreCase(rdn.getType())) { + Object value = rdn.getValue(); + if (value != null) { + cnList.add(value.toString()); + } + } } + } catch (InvalidNameException e) { + // unparseable DN — no CNs extractable + log.debug("Could not parse certificate DN for CN extraction", e); } if (!cnList.isEmpty()) { String[] cns = new String[cnList.size()]; 
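Review bot: `rdn.getType()` and `rdn.getValue()` expose only the first attribute pair of a multi-valued RDN (`CN=a+OU=b`), so a CN that is not that first pair is silently left out of cnList, and `getValue()` returns a `byte[]` when the DN carries the value in `#hex` form, in which case `value.toString()` yields an identity string rather than the name. Both cases fail closed (no CN can match the host), but the second plants a meaningless entry in any mismatch message that lists the CNs; replacing `if (value != null)` with `if (value instanceof String)` avoids it, and the multi-valued case deserves a comment such as `// only the first attribute of a multi-valued RDN is inspected` unless `rdn.toAttributes()` is iterated instead. The parser move is otherwise a real improvement over the comma tokenizer, which could not handle escaped commas in CN values. If the caller (outside this hunk) still consults these CNs when the certificate carries dNSName SANs, that departs from RFC 6125 §6.4.4 and is worth confirming. The method's tail after `String[] cns = new String[cnList.size()];` is outside the hunk.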
@@ -566,7 +556,7 @@ public static String[] getDNSSubjectAlts(X509Certificate cert) { } catch (CertificateParsingException cpe) { // Should probably log.debug() this? - cpe.printStackTrace(); + log.debug("Could not parse SubjectAlternativeNames from certificate", cpe); } if (c != null) { Iterator it = c.iterator(); diff --git a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java index 86088299f..df6b891d3 100644 --- a/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java +++ b/modules/transports/core/nhttp/src/main/java/org/apache/synapse/transport/passthru/HostnameVerifier.java @@ -51,6 +51,9 @@ package org.apache.synapse.transport.passthru; +import javax.naming.InvalidNameException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; import javax.net.ssl.SSLException; import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; @@ -61,6 +64,8 @@ import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.*; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; public interface HostnameVerifier extends javax.net.ssl.HostnameVerifier { 
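Review bot: The comment `// Should probably log.debug() this?` directly above the new `log.debug(...)` call is now stale and reads as an open question that the line below already answers. Replace it with a statement of the effect, e.g. `// Malformed SAN extension: c stays null, so the certificate is treated as having no SANs`, which is what the `if (c != null)` guard below implies. The rest of getDNSSubjectAlts is outside the hunk, so how a null result is consumed by the verifier cannot be confirmed here.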
@@ -504,38 +509,22 @@ public static int countDots(final String s) { } class Certificates { + private static final Log log = LogFactory.getLog(Certificates.class); public static String[] getCNs(X509Certificate cert) { LinkedList cnList = new LinkedList(); - /* - Sebastian Hauer's original StrictSSLProtocolSocketFactory used - getName() and had the following comment: - - Parses a X.500 distinguished name for the value of the - "Common Name" field. This is done a bit sloppy right - now and should probably be done a bit more according to - RFC 2253. - - I've noticed that toString() seems to do a better job than - getName() on these X500Principal objects, so I'm hoping that - addresses Sebastian's concern. - - For example, getName() gives me this: - 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d - - whereas toString() gives me this: - EMAILADDRESS=juliusdavies@cucbc.com - - Looks like toString() even works with non-ascii domain names! - I tested it with "花子.co.jp" and it worked fine. - */ - String subjectPrincipal = cert.getSubjectX500Principal().toString(); - StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); - while (st.hasMoreTokens()) { - String tok = st.nextToken(); - int x = tok.indexOf("CN="); - if (x >= 0) { - cnList.add(tok.substring(x + 3)); + try { + LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName()); + for (Rdn rdn : ldapDN.getRdns()) { + if ("CN".equalsIgnoreCase(rdn.getType())) { + Object value = rdn.getValue(); + if (value != null) { + cnList.add(value.toString()); + } + } } + } catch (InvalidNameException e) { + // unparseable DN — no CNs extractable + log.debug("Could not parse certificate DN for CN extraction", e); } if (!cnList.isEmpty()) { String[] cns = new String[cnList.size()]; 
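Review bot: The `InvalidNameException` branch logs at debug level, which hides a subject DN the LDAP parser rejects from production logs even though the consequence is a hostname-verification failure on a TLS path; something like `log.warn("Could not parse subject DN '" + cert.getSubjectX500Principal().getName() + "' for CN extraction", e);` gives an operator the DN to investigate and reveals nothing secret. `cnList` is still a raw `LinkedList`; `List<String> cnList = new ArrayList<String>();` would let the later array copy be typed. This body appears to be a verbatim copy of the nhttp `Certificates.getCNs` in the same commit, so a shared helper would keep the two verifiers from drifting. The method's return after `String[] cns = new String[cnList.size()];` lies outside the hunk.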
@@ -568,7 +557,7 @@ public static String[] getDNSSubjectAlts(X509Certificate cert) { } catch (CertificateParsingException cpe) { // Should probably log.debug() this? - cpe.printStackTrace(); + log.debug("Could not parse SubjectAlternativeNames from certificate", cpe); } if (c != null) { Iterator it = c.iterator();
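Review bot: With `cpe.printStackTrace()` replaced by `log.debug(...)`, the preceding `// Should probably log.debug() this?` comment is obsolete and should go; a comment describing the outcome, `// Unparseable SAN extension: leave c null and fall through as if no SANs were present`, is more useful to the next reader given the `if (c != null)` check that follows. The enclosing getDNSSubjectAlts continues past the end of the hunk.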