Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
b9b979b1
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
b9b979b1
编写于
3月 23, 2015
作者:
R
robm
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8072385: Only the first DNSName entry is checked for endpoint identification
Reviewed-by: xuelei
上级
3df95fba
变更
1
显示空白变更内容
内联
并排
Showing
1 changed file
with
75 addition
and
28 deletion
+75
-28
src/share/classes/sun/security/ssl/ClientHandshaker.java
src/share/classes/sun/security/ssl/ClientHandshaker.java
+75
-28
未找到文件。
src/share/classes/sun/security/ssl/ClientHandshaker.java
浏览文件 @
b9b979b1
...
...
@@ -59,6 +59,10 @@ import static sun.security.ssl.CipherSuite.KeyExchange.*;
*/
final
class
ClientHandshaker
extends
Handshaker
{
// constants for subject alt names of type DNS and IP
private
final
static
int
ALTNAME_DNS
=
2
;
private
final
static
int
ALTNAME_IP
=
7
;
// the server's public key from its certificate.
private
PublicKey
serverKey
;
...
...
@@ -1502,20 +1506,49 @@ final class ClientHandshaker extends Handshaker {
return
true
;
}
// check subject alternative names
Collection
<
List
<?>>
thisSubjectAltNames
=
null
;
try
{
thisSubjectAltNames
=
thisCert
.
getSubjectAlternativeNames
();
}
catch
(
CertificateParsingException
cpe
)
{
if
(
debug
!=
null
&&
Debug
.
isOn
(
"handshake"
))
{
System
.
out
.
println
(
"Attempt to obtain subjectAltNames extension failed!"
);
}
}
Collection
<
List
<?>>
prevSubjectAltNames
=
null
;
try
{
prevSubjectAltNames
=
prevCert
.
getSubjectAlternativeNames
();
}
catch
(
CertificateParsingException
cpe
)
{
if
(
debug
!=
null
&&
Debug
.
isOn
(
"handshake"
))
{
System
.
out
.
println
(
"Attempt to obtain subjectAltNames extension failed!"
);
}
}
if
((
thisSubjectAltNames
!=
null
)
&&
(
prevSubjectAltNames
!=
null
))
{
// check the iPAddress field in subjectAltName extension
Object
thisIPAddress
=
getSubjectAltName
(
thisCert
,
7
);
// 7: iPAddress
Object
prevIPAddress
=
getSubjectAltName
(
prevCert
,
7
);
if
(
thisIPAddress
!=
null
&&
prevIPAddress
!=
null
)
{
// only allow the exactly match
return
Objects
.
equals
(
thisIPAddress
,
prevIPAddress
);
Collection
<
String
>
thisSubAltIPAddrs
=
getSubjectAltNames
(
thisSubjectAltNames
,
ALTNAME_IP
);
Collection
<
String
>
prevSubAltIPAddrs
=
getSubjectAltNames
(
prevSubjectAltNames
,
ALTNAME_IP
);
if
((
thisSubAltIPAddrs
!=
null
)
&&
(
prevSubAltIPAddrs
!=
null
)
&&
(
isEquivalent
(
thisSubAltIPAddrs
,
prevSubAltIPAddrs
)))
{
return
true
;
}
// check the dNSName field in subjectAltName extension
Object
thisDNSName
=
getSubjectAltName
(
thisCert
,
2
);
// 2: dNSName
Object
prevDNSName
=
getSubjectAltName
(
prevCert
,
2
);
if
(
thisDNSName
!=
null
&&
prevDNSName
!=
null
)
{
// only allow the exactly match
return
Objects
.
equals
(
thisDNSName
,
prevDNSName
);
Collection
<
String
>
thisSubAltDnsNames
=
getSubjectAltNames
(
thisSubjectAltNames
,
ALTNAME_DNS
);
Collection
<
String
>
prevSubAltDnsNames
=
getSubjectAltNames
(
prevSubjectAltNames
,
ALTNAME_DNS
);
if
((
thisSubAltDnsNames
!=
null
)
&&
(
prevSubAltDnsNames
!=
null
)
&&
(
isEquivalent
(
thisSubAltDnsNames
,
prevSubAltDnsNames
)))
{
return
true
;
}
}
// check the certificate subject and issuer
...
...
@@ -1536,29 +1569,43 @@ final class ClientHandshaker extends Handshaker {
/*
* Returns the subject alternative name of the specified type in the
* subjectAltNames extension of a certificate.
*
* Note that only those subjectAltName types that use String data
* should be passed into this function.
*/
private
static
Object
getSubjectAltName
(
X509Certificate
cert
,
int
type
)
{
Collection
<
List
<?>>
subjectAltNames
;
try
{
subjectAltNames
=
cert
.
getSubjectAlternativeNames
();
}
catch
(
CertificateParsingException
cpe
)
{
if
(
debug
!=
null
&&
Debug
.
isOn
(
"handshake"
))
{
System
.
out
.
println
(
"Attempt to obtain subjectAltNames extension failed!"
);
}
return
null
;
}
private
static
Collection
<
String
>
getSubjectAltNames
(
Collection
<
List
<?>>
subjectAltNames
,
int
type
)
{
if
(
subjectAltNames
!=
null
)
{
HashSet
<
String
>
subAltDnsNames
=
null
;
for
(
List
<?>
subjectAltName
:
subjectAltNames
)
{
int
subjectAltNameType
=
(
Integer
)
subjectAltName
.
get
(
0
);
if
(
subjectAltNameType
==
type
)
{
return
subjectAltName
.
get
(
1
);
String
subAltDnsName
=
(
String
)
subjectAltName
.
get
(
1
);
if
((
subAltDnsName
!=
null
)
&&
!
subAltDnsName
.
isEmpty
())
{
if
(
subAltDnsNames
==
null
)
{
subAltDnsNames
=
new
HashSet
<>(
subjectAltNames
.
size
());
}
subAltDnsNames
.
add
(
subAltDnsName
);
}
}
}
return
subAltDnsNames
;
}
private
static
boolean
isEquivalent
(
Collection
<
String
>
thisSubAltNames
,
Collection
<
String
>
prevSubAltNames
)
{
for
(
String
thisSubAltName
:
thisSubAltNames
)
{
for
(
String
prevSubAltName
:
prevSubAltNames
)
{
// Only allow the exactly match. Check no wildcard character.
if
(
thisSubAltName
.
equalsIgnoreCase
(
prevSubAltName
))
{
return
true
;
}
}
}
return
null
;
return
false
;
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录