Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

pkix/src/main/java/org/bouncycastle/est/jcajce/JsseDefaultHostnameAuthorizer.java

@@ -3,6 +3,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
@@ -13,12 +14,17 @@
 import java.util.logging.Logger;
 
 import javax.net.ssl.SSLSession;
+import javax.security.auth.x500.X500Principal;
 
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.ASN1String;
 import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
 import org.bouncycastle.asn1.x500.RDN;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.est.ESTException;
+import org.bouncycastle.util.IPAddress;
 import org.bouncycastle.util.Strings;
 import org.bouncycastle.util.encoders.Hex;
 
@@ -77,6 +83,17 @@ public boolean verified(String name, SSLSession context)
     public boolean verify(String name, X509Certificate cert)
         throws IOException
     {
+        if (name == null)
+        {
+            throw new NullPointerException("'name' cannot be null");
+        }
+
+        boolean foundAnyDNSNames = false;
+
+        boolean nameIsIPv4 = IPAddress.isValidIPv4(name);
+        boolean nameIsIPv6 = !nameIsIPv4 && IPAddress.isValidIPv6(name);
+        boolean nameIsIPAddress = nameIsIPv4 || nameIsIPv6;
+
         //
         // Test against san.
         //
@@ -85,25 +102,59 @@ public boolean verify(String name, X509Certificate cert)
             Collection n = cert.getSubjectAlternativeNames();
             if (n != null)
             {
+                InetAddress nameInetAddress = null;
+
                 for (Iterator it = n.iterator(); it.hasNext();)
                 {
                     List l = (List)it.next();
-                    int type = ((Number)l.get(0)).intValue();
+                    int type = ((Integer)l.get(0)).intValue();
                     switch (type)
                     {
-                    case 2:
-                        if (isValidNameMatch(name, l.get(1).toString(), knownSuffixes))
+                    case GeneralName.dNSName:
+                    {
+                        if (!nameIsIPAddress &&
+                            isValidNameMatch(name, (String)l.get(1), knownSuffixes))
                         {
                             return true;
                         }
+                        foundAnyDNSNames = true;
                         break;
-                    case 7:
-                        if (InetAddress.getByName(name).equals(InetAddress.getByName(l.get(1).toString())))
+                    }
+                    case GeneralName.iPAddress:
+                    {
+                        if (nameIsIPAddress)
                         {
-                            return true;
+                            String ipAddress = (String)l.get(1);
+
+                            if (name.equalsIgnoreCase(ipAddress))
+                            {
+                                return true;
+                            }
+
+                            // In case of IPv6 addresses, convert to InetAddress to handle abbreviated forms correctly
+                            if (nameIsIPv6 && IPAddress.isValidIPv6(ipAddress))
+                            {
+                                try
+                                {
+                                    if (nameInetAddress == null)
+                                    {
+                                        nameInetAddress = InetAddress.getByName(name);
+                                    }
+                                    if (nameInetAddress.equals(InetAddress.getByName(ipAddress)))
+                                    {
+                                        return true;
+                                    }
+                                }
+                                catch (UnknownHostException e)
+                                {
+                                    // Ignore
+                                }
+                            }
                         }
                         break;
+                    }
                     default:
+                    {
                         // ignore, maybe log
                         if (LOG.isLoggable(Level.INFO))
                         {
@@ -121,38 +172,42 @@ public boolean verify(String name, X509Certificate cert)
                             LOG.log(Level.INFO, "ignoring type " + type + " value = " + value);
                         }
                     }
+                    }
                 }
-
-                //
-                // As we had subject alternative names, we must not attempt to match against the CN.
-                //
-
-                return false;
             }
         }
         catch (Exception ex)
         {
             throw new ESTException(ex.getMessage(), ex);
         }
 
+        // If we found any DNS names in the subject alternative names, we must not attempt to match against the CN.
+        if (nameIsIPAddress || foundAnyDNSNames)
+        {
+            return false;
+        }
+
+        X500Principal subject = cert.getSubjectX500Principal();
+
         // can't match - would need to check subjectAltName
-        if (cert.getSubjectX500Principal() == null)
+        if (subject == null)
         {
             return false;
         }
 
         // Common Name match only.
-        RDN[] rdNs = X500Name.getInstance(cert.getSubjectX500Principal().getEncoded()).getRDNs();
-        for (int i = rdNs.length - 1; i >= 0; --i)
+        RDN[] rdns = X500Name.getInstance(subject.getEncoded()).getRDNs();
+        for (int i = rdns.length - 1; i >= 0; --i)
         {
-            RDN rdn = rdNs[i];
-            AttributeTypeAndValue[] typesAndValues = rdn.getTypesAndValues();
+            AttributeTypeAndValue[] typesAndValues = rdns[i].getTypesAndValues();
             for (int j = 0; j != typesAndValues.length; j++)
             {
-                AttributeTypeAndValue atv = typesAndValues[j];
-                if (atv.getType().equals(BCStyle.CN))
+                AttributeTypeAndValue typeAndValue = typesAndValues[j];
+                if (BCStyle.CN.equals(typeAndValue.getType()))
                 {
-                    return isValidNameMatch(name, atv.getValue().toString(), knownSuffixes);
+                    ASN1Primitive commonName = typeAndValue.getValue().toASN1Primitive();
+                    return commonName instanceof ASN1String
+                        && isValidNameMatch(name, ((ASN1String)commonName).getString(), knownSuffixes);
                 }
             }
         }

tls/src/main/java/org/bouncycastle/jsse/provider/HostnameUtil.java

@@ -30,39 +30,52 @@ static void checkHostname(String hostname, X509Certificate certificate, boolean
             throw new CertificateException("No hostname specified for HTTPS endpoint ID check");
         }
 
-        if (IPAddress.isValid(hostname))
+        boolean hostnameIsIPv4 = IPAddress.isValidIPv4(hostname);
+        boolean hostnameIsIPv6 = !hostnameIsIPv4 && IPAddress.isValidIPv6(hostname);
+
+        if (hostnameIsIPv4 || hostnameIsIPv6)
         {
             Collection<List<?>> subjectAltNames = certificate.getSubjectAlternativeNames();
             if (null != subjectAltNames)
             {
+                InetAddress hostnameInetAddress = null;
+
                 for (List<?> subjectAltName : subjectAltNames)
                 {
-                    int type = ((Integer)subjectAltName.get(0)).intValue();
-                    if (GeneralName.iPAddress != type)
+                    if (!isAltNameType(subjectAltName, GeneralName.iPAddress))
+                    {
+                        continue;
+                    }
+
+                    String ipAddress = getAltNameValue(subjectAltName);
+                    if (ipAddress == null)
                     {
                         continue;
                     }
 
-                    String ipAddress = (String)subjectAltName.get(1);
                     if (hostname.equalsIgnoreCase(ipAddress))
                     {
                         return;
                     }
 
-                    try
+                    // In case of IPv6 addresses, convert to InetAddress to handle abbreviated forms correctly
+                    if (hostnameIsIPv6 && IPAddress.isValidIPv6(ipAddress))
                     {
-                        if (InetAddress.getByName(hostname).equals(InetAddress.getByName(ipAddress)))
+                        try
                         {
-                            return;
+                            if (hostnameInetAddress == null)
+                            {
+                                hostnameInetAddress = InetAddress.getByName(hostname); 
+                            }
+                            if (hostnameInetAddress.equals(InetAddress.getByName(ipAddress)))
+                            {
+                                return;
+                            }
+                        }
+                        catch (UnknownHostException e)
+                        {
+                            // Ignore
                         }
-                    }
-                    catch (UnknownHostException e)
-                    {
-                        // Ignore
-                    }
-                    catch (SecurityException e)
-                    {
-                        // Ignore
                     }
                 }
             }
@@ -76,15 +89,19 @@ else if (isValidDomainName(hostname))
                 boolean foundAnyDNSNames = false;
                 for (List<?> subjectAltName : subjectAltNames)
                 {
-                    int type = ((Integer)subjectAltName.get(0)).intValue();
-                    if (GeneralName.dNSName != type)
+                    if (!isAltNameType(subjectAltName, GeneralName.dNSName))
                     {
                         continue;
                     }
 
                     foundAnyDNSNames = true;
 
-                    String dnsName = (String)subjectAltName.get(1);
+                    String dnsName = getAltNameValue(subjectAltName);
+                    if (dnsName == null)
+                    {
+                        continue;
+                    }
+
                     if (matchesDNSName(hostname, dnsName, allWildcards))
                     {
                         return;
@@ -134,6 +151,19 @@ private static ASN1Primitive findMostSpecificCN(X500Principal principal)
         return null;
     }
 
+    private static String getAltNameValue(List<?> subjectAltName)
+    {
+        if (subjectAltName != null && subjectAltName.size() >= 2)
+        {
+            Object objValue = subjectAltName.get(1);
+            if (objValue instanceof String)
+            {
+                return (String)objValue;
+            }
+        }
+        return null;
+    }
+
     private static String getLabel(String s, int begin)
     {
         int end = s.indexOf('.', begin);
@@ -144,6 +174,19 @@ private static String getLabel(String s, int begin)
         return s.substring(begin, end);
     }
 
+    private static boolean isAltNameType(List<?> subjectAltName, int type)
+    {
+        if (subjectAltName != null && subjectAltName.size() >= 1)
+        {
+            Object objValue = subjectAltName.get(0);
+            if (objValue instanceof Integer)
+            {
+                return ((Integer)objValue).intValue() == type;
+            }
+        }
+        return false;
+    }
+
     private static boolean isValidDomainName(String name)
     {
         try

tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java

@@ -72,8 +72,6 @@ abstract class JsseUtils
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyMasterSecret", true);
     private static final boolean provTlsAllowLegacyResumption =
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyResumption", false);
-    private static final int provTlsMaxCertificateChainLength =
-        PropertyUtils.getIntegerSystemProperty("jdk.tls.maxCertificateChainLength", 10, 1, Integer.MAX_VALUE);
     private static final int provTlsMaxHandshakeMessageSize =
         PropertyUtils.getIntegerSystemProperty("jdk.tls.maxHandshakeMessageSize", 32768, 1024, Integer.MAX_VALUE);
     private static final boolean provTlsRequireCloseNotify =
@@ -84,6 +82,9 @@ abstract class JsseUtils
     private static final boolean provTlsUseExtendedMasterSecret =
         PropertyUtils.getBooleanSystemProperty("jdk.tls.useExtendedMasterSecret", true);
 
+    private static final int provTlsClientMaxInboundCertChainLen;
+    private static final int provTlsServerMaxInboundCertChainLen;
+
     static final Set<BCCryptoPrimitive> KEY_AGREEMENT_CRYPTO_PRIMITIVES_BC =
         Collections.unmodifiableSet(EnumSet.of(BCCryptoPrimitive.KEY_AGREEMENT));
     static final Set<BCCryptoPrimitive> KEY_ENCAPSULATION_CRYPTO_PRIMITIVES_BC =
@@ -102,6 +103,25 @@ static class BCUnknownServerName extends BCSNIServerName
         }
     }
 
+    static
+    {
+        int clientDefaultValue = 10;
+        int serverDefaultValue = 8;
+
+        int provTlsMaxCertificateChainLength = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.maxCertificateChainLength", 0, 1, Integer.MAX_VALUE);
+        if (provTlsMaxCertificateChainLength > 0)
+        {
+            clientDefaultValue = provTlsMaxCertificateChainLength;
+            serverDefaultValue = provTlsMaxCertificateChainLength;
+        }
+
+        provTlsClientMaxInboundCertChainLen = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.client.maxInboundCertificateChainLength", clientDefaultValue, 1, Integer.MAX_VALUE);
+        provTlsServerMaxInboundCertChainLen = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.server.maxInboundCertificateChainLength", serverDefaultValue, 1, Integer.MAX_VALUE);
+    }
+
     static boolean allowLegacyMasterSecret()
     {
         return provTlsAllowLegacyMasterSecret;
@@ -270,14 +290,19 @@ static boolean equals(Object a, Object b)
         return a == b || (null != a && null != b && a.equals(b));
     }
 
-    static int getMaxCertificateChainLength()
+    static int getMaxHandshakeMessageSize()
     {
-        return provTlsMaxCertificateChainLength;
+        return provTlsMaxHandshakeMessageSize;
     }
 
-    static int getMaxHandshakeMessageSize()
+    static int getMaxInboundCertChainLenClient()
     {
-        return provTlsMaxHandshakeMessageSize;
+        return provTlsClientMaxInboundCertChainLen;
+    }
+
+    static int getMaxInboundCertChainLenServer()
+    {
+        return provTlsServerMaxInboundCertChainLen;
     }
 
     static ASN1ObjectIdentifier getNamedCurveOID(PublicKey publicKey)

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java

@@ -396,7 +396,7 @@ public JcaTlsCrypto getCrypto()
     @Override
     public int getMaxCertificateChainLength()
     {
-        return JsseUtils.getMaxCertificateChainLength();
+        return JsseUtils.getMaxInboundCertChainLenClient();
     }
 
     @Override

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java

@@ -446,7 +446,7 @@ public boolean allowLegacyResumption()
     @Override
     public int getMaxCertificateChainLength()
     {
-        return JsseUtils.getMaxCertificateChainLength();
+        return JsseUtils.getMaxInboundCertChainLenServer();
     }
 
     @Override