BCJSSE: Strip trailing dot from hostname for SNI, endpointID checks

peterdettman · peterdettman · commit f4295a4408e8 · 2025-04-15T21:34:33.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java b/tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java
@@ -937,6 +937,19 @@ private static String stripOuterChars(String s, char openChar, char closeChar)
         return s;
     }
 
+    static String stripTrailingDot(String s)
+    {
+        if (s != null && s.endsWith("."))
+        {
+            int sLast = s.length() - 1;
+            if (sLast >= 0 && s.charAt(sLast) == '.')
+            {
+                return s.substring(0, sLast);
+            }
+        }
+        return s;
+    }
+
     static boolean useCompatibilityMode()
     {
         return provTlsUseCompatibilityMode;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java
@@ -174,7 +174,11 @@ protected Vector<ServerName> getSNIServerNames()
             List<BCSNIServerName> sniServerNames = sslParameters.getServerNames();
             if (null == sniServerNames)
             {
-                String peerHostSNI = manager.getPeerHostSNI();
+                /*
+                 * A fully qualified domain name (FQDN) may contain a trailing dot. We remove it for the
+                 * purpose of SNI and endpoint ID checks (e.g. SNIHostName doesn't permit it).
+                 */
+                String peerHostSNI = JsseUtils.stripTrailingDot(manager.getPeerHostSNI());
 
                 /*
                  * TODO[jsse] Consider removing the restriction that the name must contain a '.'
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509TrustManager.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509TrustManager.java
@@ -427,6 +427,13 @@ private static void checkEndpointID(X509Certificate certificate, String endpoint
         BCExtendedSSLSession sslSession) throws CertificateException
     {
         String peerHost = sslSession.getPeerHost();
+
+        /*
+         * A fully qualified domain name (FQDN) may contain a trailing dot. We remove it for the purpose of
+         * SNI and endpoint ID checks (e.g. SNIHostName doesn't permit it).
+         */
+        peerHost = JsseUtils.stripTrailingDot(peerHost);
+
         if (checkServerTrusted)
         {
             BCSNIHostName sniHostName = JsseUtils.getSNIHostName(sslSession.getRequestedServerNames());

Original file line number	Diff line number	Diff line change
`@@ -427,6 +427,13 @@ private static void checkEndpointID(X509Certificate certificate, String endpoint`
`427`	`427`	`BCExtendedSSLSession sslSession) throws CertificateException`
`428`	`428`	`{`
`429`	`429`	`String peerHost = sslSession.getPeerHost();`
	`430`	`+`
	`431`	`+ /*`
	`432`	`+ * A fully qualified domain name (FQDN) may contain a trailing dot. We remove it for the purpose of`
	`433`	`+ * SNI and endpoint ID checks (e.g. SNIHostName doesn't permit it).`
	`434`	`+ */`
	`435`	`+ peerHost = JsseUtils.stripTrailingDot(peerHost);`
	`436`	`+`
`430`	`437`	`if (checkServerTrusted)`
`431`	`438`	`{`
`432`	`439`	`BCSNIHostName sniHostName = JsseUtils.getSNIHostName(sslSession.getRequestedServerNames());`