8067694: Improved certification checking

Reviewed-by: mullan, jnimeh, coffeys, robm, asmotrak, ahgross

8067694: Improved certification checking
Reviewed-by: mullan, jnimeh, coffeys, robm, asmotrak, ahgross
9405fde6 · xuelei · 51179888 · 9405fde6 · 9405fde6 · 9405fde6
4 changed file
--- a/src/share/classes/java/net/InetAddress.java
+++ b/src/share/classes/java/net/InetAddress.java
 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -203,16 +203,33 @@ class InetAddress implements java.io.Serializable {
    static transient boolean preferIPv6Address = false;
    static class InetAddressHolder {
+        /**
+         * Reserve the original application specified hostname.
+         *
+         * The original hostname is useful for domain-based endpoint
+         * identification (see RFC 2818 and RFC 6125).  If an address
+         * was created with a raw IP address, a reverse name lookup
+         * may introduce endpoint identification security issue via
+         * DNS forging.
+         *
+         * Oracle JSSE provider is using this original hostname, via
+         * sun.misc.JavaNetAccess, for SSL/TLS endpoint identification.
+         *
+         * Note: May define a new public method in the future if necessary.
+         */
+        private String originalHostName;
        InetAddressHolder() {}
        InetAddressHolder(String hostName, int address, int family) {
+            this.originalHostName = hostName;
            this.hostName = hostName;
            this.address = address;
            this.family = family;
        }
        void init(String hostName, int family) {
+            this.originalHostName = hostName;
            this.hostName = hostName;
            if (family != -1) {
                this.family = family;
@@ -225,6 +242,10 @@ class InetAddress implements java.io.Serializable {
            return hostName;
        }
+        String getOriginalHostName() {
+            return originalHostName;
+        }
        /**
         * Holds a 32-bit IPv4 address.
         */

--- a/src/share/classes/java/net/URLClassLoader.java
+++ b/src/share/classes/java/net/URLClassLoader.java
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -774,6 +774,10 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
                public URLClassPath getURLClassPath (URLClassLoader u) {
                    return u.ucp;
                }
+                public String getOriginalHostName(InetAddress ia) {
+                    return ia.holder.getOriginalHostName();
+                }
            }
        );
        ClassLoader.registerAsParallelCapable();

--- a/src/share/classes/sun/misc/JavaNetAccess.java
+++ b/src/share/classes/sun/misc/JavaNetAccess.java
 /*
- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,10 +26,17 @@
 package sun.misc;
 import java.net.URLClassLoader;
+import java.net.InetAddress;
 public interface JavaNetAccess {
    /**
     * return the URLClassPath belonging to the given loader
     */
    URLClassPath getURLClassPath (URLClassLoader u);
+    /**
+     * Return the original application specified hostname of
+     * the given InetAddress object.
+     */
+    String getOriginalHostName(InetAddress ia);
 }
--- a/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLSocketImpl.java
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,9 @@ import java.util.concurrent.locks.ReentrantLock;
 import javax.crypto.BadPaddingException;
 import javax.net.ssl.*;
+import sun.misc.JavaNetAccess;
+import sun.misc.SharedSecrets;
 /**
 * Implementation of an SSL socket.  This is a normal connection type
 * socket, implementing SSL over some lower level socket, such as TCP.
@@ -389,6 +392,15 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
     */
    private boolean preferLocalCipherSuites = false;
+    /*
+     * Is the local name service trustworthy?
+     *
+     * If the local name service is not trustworthy, reverse host name
+     * resolution should not be performed for endpoint identification.
+     */
+    static final boolean trustNameService =
+            Debug.getBooleanProperty("jdk.tls.trustNameService", false);
    //
    // CONSTRUCTORS AND INITIALIZATION CODE
    //
@@ -2149,11 +2161,41 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
    synchronized String getHost() {
        // Note that the host may be null or empty for localhost.
        if (host == null || host.length() == 0) {
-            host = getInetAddress().getHostName();
+            if (!trustNameService) {
+                // If the local name service is not trustworthy, reverse host
+                // name resolution should not be performed for endpoint
+                // identification.  Use the application original specified
+                // hostname or IP address instead.
+                host = getOriginalHostname(getInetAddress());
+            } else {
+                host = getInetAddress().getHostName();
+            }
        }
        return host;
    }
+    /*
+     * Get the original application specified hostname.
+     */
+    private static String getOriginalHostname(InetAddress inetAddress) {
+        /*
+         * Get the original hostname via sun.misc.SharedSecrets.
+         */
+        JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
+        String originalHostname = jna.getOriginalHostName(inetAddress);
+        /*
+         * If no application specified hostname, use the IP address.
+         */
+        if (originalHostname == null || originalHostname.length() == 0) {
+            originalHostname = inetAddress.getHostAddress();
+        }
+        return originalHostname;
+    }
    // ONLY used by HttpsClient to setup the URI specified hostname
    //
    // Please NOTE that this method MUST be called before calling to