View Javadoc
1   /*
2    * ====================================================================
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *   http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing,
14   * software distributed under the License is distributed on an
15   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16   * KIND, either express or implied.  See the License for the
17   * specific language governing permissions and limitations
18   * under the License.
19   * ====================================================================
20   *
21   * This software consists of voluntary contributions made by many
22   * individuals on behalf of the Apache Software Foundation.  For more
23   * information on the Apache Software Foundation, please see
24   * <http://www.apache.org/>.
25   *
26   */
27  
28  package org.apache.http.conn.ssl;
29  
30  import java.io.ByteArrayInputStream;
31  import java.io.InputStream;
32  import java.security.cert.CertificateFactory;
33  import java.security.cert.X509Certificate;
34  import java.util.Arrays;
35  
36  import javax.net.ssl.SSLException;
37  
38  import org.apache.http.conn.util.DomainType;
39  import org.apache.http.conn.util.PublicSuffixMatcher;
40  import org.junit.Assert;
41  import org.junit.Before;
42  import org.junit.Test;
43  
44  /**
45   * Unit tests for {@link org.apache.http.conn.ssl.DefaultHostnameVerifier}.
46   */
47  public class TestDefaultHostnameVerifier {
48  
49      private DefaultHostnameVerifier impl;
50      private PublicSuffixMatcher publicSuffixMatcher;
51      private DefaultHostnameVerifier implWithPublicSuffixCheck;
52  
53      @Before
54      public void setup() {
55          impl = new DefaultHostnameVerifier();
56          publicSuffixMatcher = new PublicSuffixMatcher(DomainType.ICANN, Arrays.asList("com", "co.jp", "gov.uk"), null);
57          implWithPublicSuffixCheck = new DefaultHostnameVerifier(publicSuffixMatcher);
58      }
59  
60      @Test
61      public void testVerify() throws Exception {
62          final CertificateFactory cf = CertificateFactory.getInstance("X.509");
63          InputStream in;
64          X509Certificate x509;
65          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO);
66          x509 = (X509Certificate) cf.generateCertificate(in);
67  
68          impl.verify("foo.com", x509);
69          exceptionPlease(impl, "a.foo.com", x509);
70          exceptionPlease(impl, "bar.com", x509);
71  
72          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_HANAKO);
73          x509 = (X509Certificate) cf.generateCertificate(in);
74          impl.verify("\u82b1\u5b50.co.jp", x509);
75          exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
76  
77          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO_BAR);
78          x509 = (X509Certificate) cf.generateCertificate(in);
79          exceptionPlease(impl, "foo.com", x509);
80          exceptionPlease(impl, "a.foo.com", x509);
81          impl.verify("bar.com", x509);
82          exceptionPlease(impl, "a.bar.com", x509);
83  
84          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO_BAR_HANAKO);
85          x509 = (X509Certificate) cf.generateCertificate(in);
86          exceptionPlease(impl, "foo.com", x509);
87          exceptionPlease(impl, "a.foo.com", x509);
88          impl.verify("bar.com", x509);
89          exceptionPlease(impl, "a.bar.com", x509);
90  
91          /*
92             Java isn't extracting international subjectAlts properly.  (Or
93             OpenSSL isn't storing them properly).
94          */
95          // DEFAULT.verify("\u82b1\u5b50.co.jp", x509 );
96          // impl.verify("\u82b1\u5b50.co.jp", x509 );
97          exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
98  
99          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_NO_CNS_FOO);
100         x509 = (X509Certificate) cf.generateCertificate(in);
101         impl.verify("foo.com", x509);
102         exceptionPlease(impl, "a.foo.com", x509);
103 
104         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_NO_CNS_FOO);
105         x509 = (X509Certificate) cf.generateCertificate(in);
106         impl.verify("foo.com", x509);
107         exceptionPlease(impl, "a.foo.com", x509);
108 
109         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_THREE_CNS_FOO_BAR_HANAKO);
110         x509 = (X509Certificate) cf.generateCertificate(in);
111         exceptionPlease(impl, "foo.com", x509);
112         exceptionPlease(impl, "a.foo.com", x509);
113         exceptionPlease(impl, "bar.com", x509);
114         exceptionPlease(impl, "a.bar.com", x509);
115         impl.verify("\u82b1\u5b50.co.jp", x509);
116         exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
117 
118         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_FOO);
119         x509 = (X509Certificate) cf.generateCertificate(in);
120         exceptionPlease(impl, "foo.com", x509);
121         impl.verify("www.foo.com", x509);
122         impl.verify("\u82b1\u5b50.foo.com", x509);
123         exceptionPlease(impl, "a.b.foo.com", x509);
124 
125         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_CO_JP);
126         x509 = (X509Certificate) cf.generateCertificate(in);
127         // Silly test because no-one would ever be able to lookup an IP address
128         // using "*.co.jp".
129         impl.verify("*.co.jp", x509);
130         impl.verify("foo.co.jp", x509);
131         impl.verify("\u82b1\u5b50.co.jp", x509);
132 
133         exceptionPlease(implWithPublicSuffixCheck, "foo.co.jp", x509);
134         exceptionPlease(implWithPublicSuffixCheck, "\u82b1\u5b50.co.jp", x509);
135 
136         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_FOO_BAR_HANAKO);
137         x509 = (X509Certificate) cf.generateCertificate(in);
138         // try the foo.com variations
139         exceptionPlease(impl, "foo.com", x509);
140         exceptionPlease(impl, "www.foo.com", x509);
141         exceptionPlease(impl, "\u82b1\u5b50.foo.com", x509);
142         exceptionPlease(impl, "a.b.foo.com", x509);
143         // try the bar.com variations
144         exceptionPlease(impl, "bar.com", x509);
145         impl.verify("www.bar.com", x509);
146         impl.verify("\u82b1\u5b50.bar.com", x509);
147         exceptionPlease(impl, "a.b.bar.com", x509);
148 
149         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_VALUE_AVA);
150         x509 = (X509Certificate) cf.generateCertificate(in);
151         impl.verify("repository.infonotary.com", x509);
152 
153         in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM);
154         x509 = (X509Certificate) cf.generateCertificate(in);
155         impl.verify("*.google.com", x509);
156 
157         in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM);
158         x509 = (X509Certificate) cf.generateCertificate(in);
159         impl.verify("*.Google.com", x509);
160 
161         in = new ByteArrayInputStream(CertificatesToPlayWith.IP_1_1_1_1);
162         x509 = (X509Certificate) cf.generateCertificate(in);
163         impl.verify("1.1.1.1", x509);
164 
165         exceptionPlease(impl, "1.1.1.2", x509);
166         exceptionPlease(impl, "dummy-value.com", x509);
167     }
168 
169     @Test
170     public void testSubjectAlt() throws Exception {
171         final CertificateFactory cf = CertificateFactory.getInstance("X.509");
172         final InputStream in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_SUBJECT_ALT);
173         final X509Certificate x509 = (X509Certificate) cf.generateCertificate(in);
174 
175         Assert.assertEquals("CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=CH",
176                 x509.getSubjectDN().getName());
177 
178         impl.verify("localhost.localdomain", x509);
179         impl.verify("127.0.0.1", x509);
180 
181         try {
182             impl.verify("localhost", x509);
183             Assert.fail("SSLException should have been thrown");
184         } catch (final SSLException ex) {
185             // expected
186         }
187         try {
188             impl.verify("local.host", x509);
189             Assert.fail("SSLException should have been thrown");
190         } catch (final SSLException ex) {
191             // expected
192         }
193         try {
194             impl.verify("127.0.0.2", x509);
195             Assert.fail("SSLException should have been thrown");
196         } catch (final SSLException ex) {
197             // expected
198         }
199     }
200 
201     public void exceptionPlease(final DefaultHostnameVerifier hv, final String host,
202                                 final X509Certificate x509) {
203         try {
204             hv.verify(host, x509);
205             Assert.fail("HostnameVerifier shouldn't allow [" + host + "]");
206         }
207         catch(final SSLException e) {
208             // whew!  we're okay!
209         }
210     }
211 
212     @Test
213     public void testDomainRootMatching() {
214 
215         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", null));
216         Assert.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "a.b.c"));
217         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("aa.b.c", "a.b.c"));
218         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "aa.b.c"));
219         Assert.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.a.b.c", "a.b.c"));
220     }
221 
222     @Test
223     public void testIdentityMatching() {
224 
225         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.b.c"));
226         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.b.c"));
227 
228         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.b.c", "*.b.c"));
229         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.b.c", "*.b.c")); // subdomain not OK
230 
231         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.gov.uk", "*.gov.uk", publicSuffixMatcher));
232         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.gov.uk", "*.gov.uk", publicSuffixMatcher));  // Bad 2TLD
233 
234         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "*.a.gov.uk", publicSuffixMatcher));
235         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "*.a.gov.uk", publicSuffixMatcher));
236 
237         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "*.gov.uk", publicSuffixMatcher));
238         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "*.gov.uk", publicSuffixMatcher));  // BBad 2TLD/no subdomain allowed
239 
240         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.gov.com", "*.gov.com", publicSuffixMatcher));
241         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.gov.com", "*.gov.com", publicSuffixMatcher));
242 
243         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.gov.com", "*.gov.com", publicSuffixMatcher));
244         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.com", "*.gov.com", publicSuffixMatcher)); // no subdomain allowed
245 
246         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.gov.uk", "a*.gov.uk", publicSuffixMatcher));
247         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD
248 
249         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD
250         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD/no subdomain allowed
251 
252         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.b.*"));
253         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.b.*"));
254 
255         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.*.c"));
256         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.*.c"));
257     }
258 
259     @Test
260     public void testHTTPCLIENT_1097() {
261         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.c", "a*.b.c"));
262         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "a*.b.c"));
263 
264         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.a.b.c", "a*.b.c"));
265         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.a.b.c", "a*.b.c"));
266     }
267 
268     @Test
269     public void testHTTPCLIENT_1255() {
270         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("mail.a.b.c.com", "m*.a.b.c.com"));
271         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("mail.a.b.c.com", "m*.a.b.c.com"));
272     }
273 
274     @Test // Check compressed IPv6 hostname matching
275     public void testHTTPCLIENT_1316() throws Exception{
276         final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
277         DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001")));
278         DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1")));
279         try {
280             DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10")));
281             Assert.fail("SSLException expected");
282         } catch (final SSLException expected) {
283         }
284         final String host2 = "2001:0db8:aaaa:bbbb:cccc::1";
285         DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001")));
286         DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1")));
287         try {
288             DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10")));
289             Assert.fail("SSLException expected");
290         } catch (final SSLException expected) {
291         }
292     }
293 
294     @Test
295     public void testExtractCN() throws Exception {
296         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=blah, ou=blah, o=blah"));
297         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=blah, cn=yada, cn=booh"));
298         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("c = pampa ,  cn  =    blah    , ou = blah , o = blah"));
299         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=\"blah\", ou=blah, o=blah"));
300         Assert.assertEquals("blah  blah", DefaultHostnameVerifier.extractCN("cn=\"blah  blah\", ou=blah, o=blah"));
301         Assert.assertEquals("blah, blah", DefaultHostnameVerifier.extractCN("cn=\"blah, blah\", ou=blah, o=blah"));
302         Assert.assertEquals("blah, blah", DefaultHostnameVerifier.extractCN("cn=blah\\, blah, ou=blah, o=blah"));
303         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("c = cn=uuh, cn=blah, ou=blah, o=blah"));
304         try {
305             DefaultHostnameVerifier.extractCN("blah,blah");
306             Assert.fail("SSLException expected");
307         } catch (final SSLException expected) {
308         }
309         try {
310             DefaultHostnameVerifier.extractCN("cn,o=blah");
311             Assert.fail("SSLException expected");
312         } catch (final SSLException expected) {
313         }
314     }
315 
316 }