OkHostnameVerifier: Don't fall back to CN verification.
The use of Common Name was deprecated in RFC 2818 (May 2000), section 3.1:

  Although the use of the Common Name is existing practice, it is
  deprecated and Certification Authorities are encouraged to use the
  dNSName instead.

This backports upstream commit 52764cb4b9219d699b66e96ccf54db1c37c638bb
from square/okhttp#3764

Bug: 70278814
Test: CtsLibcoreOkHttpTestCases
Change-Id: Iefa8645b93103d70f057a872ac4332147bc2d4d2
15characterlimi committed Jan 8, 2018
1 parent 5343031 commit a3bfc80
Showing 2 changed files with 28 additions and 9 deletions.
Expand Up @@ -71,7 +71,9 @@ public final class HostnameVerifierTest {
+ "HwlNrAu8jlZ2UqSgskSWlhYdMTAP9CPHiUv9N7FcT58Itv/I4fKREINQYjDpvQcx\n"
+ "SaTYb9dr5sB4WLNglk7zxDtM80H518VvihTcP7FHL+Gn6g4j5fkI98+S\n"
+ "-----END CERTIFICATE-----\n");
assertTrue(verifier.verify("foo.com", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("foo.com", session));
assertFalse(verifier.verify("foo.com", session));
assertFalse(verifier.verify("a.foo.com", session));
assertFalse(verifier.verify("bar.com", session));
}
Expand Down Expand Up @@ -104,7 +106,9 @@ public final class HostnameVerifierTest {
+ "9BsO7qe46hidgn39hKh1WjKK2VcL/3YRsC4wUi0PBtFW6ScMCuMhgIRXSPU55Rae\n"
+ "UIlOdPjjr1SUNWGId1rD7W16Scpwnknn310FNxFMHVI0GTGFkNdkilNCFJcIoRA=\n"
+ "-----END CERTIFICATE-----\n");
assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session));
assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session));
}

Expand Down Expand Up @@ -257,7 +261,9 @@ public final class HostnameVerifierTest {
assertFalse(verifier.verify("a.foo.com", session));
assertFalse(verifier.verify("bar.com", session));
assertFalse(verifier.verify("a.bar.com", session));
assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session));
assertFalse(verifier.verify("a.\u82b1\u5b50.co.jp", session));
}

Expand Down Expand Up @@ -290,8 +296,12 @@ public final class HostnameVerifierTest {
+ "l3Q/RK95bnA6cuRClGusLad0e6bjkBzx/VQ3VarDEpAkTLUGVAa0CLXtnyc=\n"
+ "-----END CERTIFICATE-----\n");
assertFalse(verifier.verify("foo.com", session));
assertTrue(verifier.verify("www.foo.com", session));
assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("www.foo.com", session));
assertFalse(verifier.verify("www.foo.com", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("\u82b1\u5b50.foo.com", session));
assertFalse(verifier.verify("\u82b1\u5b50.foo.com", session));
assertFalse(verifier.verify("a.b.foo.com", session));
}

Expand Down Expand Up @@ -324,8 +334,12 @@ public final class HostnameVerifierTest {
+ "UGPLEUDzRHMPHLnSqT1n5UU5UDRytbjJPXzF+l/+WZIsanefWLsxnkgAuZe/oMMF\n"
+ "EJMryEzOjg4Tfuc5qM0EXoPcQ/JlheaxZ40p2IyHqbsWV4MRYuFH4bkM\n"
+ "-----END CERTIFICATE-----\n");
assertTrue(verifier.verify("foo.co.jp", session));
assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("foo.co.jp", session));
assertFalse(verifier.verify("foo.co.jp", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("\u82b1\u5b50.co.jp", session));
assertFalse(verifier.verify("\u82b1\u5b50.co.jp", session));
}

/**
Expand Down Expand Up @@ -451,7 +465,9 @@ public final class HostnameVerifierTest {
+ "U6LFxmZr31lFyis2/T68PpjAppc0DpNQuA2m/Y7oTHBDi55Fw6HVHCw3lucuWZ5d\n"
+ "qUYo4ES548JdpQtcLrW2sA==\n"
+ "-----END CERTIFICATE-----");
assertTrue(verifier.verify("google.com", session));
// Android-changed: Ignore common name in hostname verification. http://b/70278814
// assertTrue(verifier.verify("google.com", session));
assertFalse(verifier.verify("google.com", session));
}

@Test public void subjectAltName() throws Exception {
Expand Up @@ -29,7 +29,6 @@
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/**
* A HostnameVerifier consistent with <a
Expand Down Expand Up @@ -105,6 +104,8 @@ private boolean verifyHostName(String hostName, X509Certificate certificate) {
}
}

// BEGIN Android-removed: Ignore common name in hostname verification. http://b/70278814
/*
if (!hasDns) {
X500Principal principal = certificate.getSubjectX500Principal();
// RFC 2818 advises using the most specific name for matching.
Expand All @@ -113,6 +114,8 @@ private boolean verifyHostName(String hostName, X509Certificate certificate) {
return verifyHostName(hostName, cn);
}
}
*/
// END Android-removed: Ignore common name in hostname verification. http://b/70278814

return false;
}
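Review bot: With the `!hasDns` fallback commented out, a certificate whose only identity is its subject CN is now rejected, which is stricter than the RFC 2818 §3.1 rule the class Javadoc just above this hunk (`A HostnameVerifier consistent with ... RFC 2818`) still claims to implement, and also drops the last-resort CN-ID match that RFC 6125 §6.4.4 permits; the Javadoc should state the new contract so nobody later re-adds CN matching as an RFC 2818 conformance fix. At the removed site I would replace the bare marker with a why-comment: `// Subject CN is deliberately ignored (deprecated by RFC 2818 s3.1, last-resort only in RFC 6125 s6.4.4): a certificate with no dNSName subjectAltName never verifies.` If the loop at the top of verifyHostName (outside this hunk) still sets `hasDns`, that flag is now write-only and can go with the fallback, and `DistinguishedNameParser` may be left without a caller in this file; both are inferred from the commented block, not visible here. The enclosing method starts above the hunk.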
