fix #772 - implement SSLHostnameVerifier on OkHttp

Author: sammefford

pom.xml

@@ -290,6 +290,12 @@
 			<version>4.11</version>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-all</artifactId>
+			<version>1.10.19</version>
+			<scope>test</scope>
+		</dependency>
 		<dependency>
 			<groupId>xmlunit</groupId>
 			<artifactId>xmlunit</artifactId>

src/main/java/com/marklogic/client/impl/OkHttpServices.java

@@ -117,6 +117,9 @@
 import javax.mail.internet.ContentDisposition;
 import javax.mail.internet.MimeMultipart;
 import javax.mail.util.ByteArrayDataSource;
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
@@ -137,6 +140,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Calendar;
@@ -188,8 +192,38 @@ public boolean verify(String hostname, SSLSession session) {
     }
 
     public void verify(String hostname, X509Certificate cert) throws SSLException {
-      // verifier.verify(hostname, cns, subjectAlts);
-      throw new IllegalStateException("Not yet implemented");
+      ArrayList<String> cnArray = new ArrayList<String>();
+      try {
+        LdapName ldapDN = new LdapName(cert.getSubjectX500Principal().getName());
+        for(Rdn rdn: ldapDN.getRdns()) {
+          Object value = rdn.getValue();
+          if ( "CN".equalsIgnoreCase(rdn.getType()) && value instanceof String ) {
+            cnArray.add((String) value);
+          }
+        }
+
+        int type_dnsName = 2;
+        int type_ipAddress = 7;
+        ArrayList<String> subjectAltArray = new ArrayList<String>();
+        Collection<List<?>> alts = cert.getSubjectAlternativeNames();
+        if ( alts != null ) {
+          for ( List<?> alt : alts ) {
+            if ( alt != null && alt.size() == 2 && alt.get(1) instanceof String ) {
+              Integer type = (Integer) alt.get(0);
+              if ( type == type_dnsName || type == type_ipAddress ) {
+                subjectAltArray.add((String) alt.get(1));
+              }
+            }
+          }
+        }
+        String[] cns = cnArray.toArray(new String[cnArray.size()]);
+        String[] subjectAlts = subjectAltArray.toArray(new String[subjectAltArray.size()]);
+        verifier.verify(hostname, cns, subjectAlts);
+      } catch(CertificateParsingException e) {
+        throw new MarkLogicIOException(e);
+      } catch(InvalidNameException e) {
+        throw new MarkLogicIOException(e);
+      }
     }
   }
 

src/test/java/com/marklogic/client/test/SSLTest.java

@@ -15,15 +15,25 @@
  */
 package com.marklogic.client.test;
 
+import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
-
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
 import org.junit.Test;
 
 import com.marklogic.client.DatabaseClient;
@@ -32,34 +42,19 @@
 import com.marklogic.client.DatabaseClientFactory.SSLHostnameVerifier;
 import com.marklogic.client.document.TextDocumentManager;
 import com.marklogic.client.io.StringHandle;
+import com.marklogic.client.impl.OkHttpServices;
 
 public class SSLTest {
     @Test
     public void testSSLAuth() throws NoSuchAlgorithmException, KeyManagementException {
 
-        // create a trust manager
-        // (note: a real application should verify certificates)
-        TrustManager naiveTrustMgr = new X509TrustManager() {
-            @Override
-            public void checkClientTrusted(X509Certificate[] chain, String authType) {
-            }
-            @Override
-            public void checkServerTrusted(X509Certificate[] chain, String authType) {
-            }
-            @Override
-            public X509Certificate[] getAcceptedIssuers() {
-                return new X509Certificate[0];
-            }
-        };
-
         // create an SSL context
         SSLContext sslContext = SSLContext.getInstance("SSLv3");
-        sslContext.init(null, new TrustManager[] { naiveTrustMgr }, null);
+        sslContext.init(null, new TrustManager[] { mock(X509TrustManager.class) }, null);
 
         // create the client
         DatabaseClient client = DatabaseClientFactory.newClient(Common.HOST, Common.PORT,
-          "MyFooUser", "x", Authentication.DIGEST, sslContext, SSLHostnameVerifier.ANY);
-
+            "MyFooUser", "x", Authentication.DIGEST, sslContext, SSLHostnameVerifier.ANY);
 
         String expectedException = "com.marklogic.client.MarkLogicIOException: " +
           "javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?";
@@ -79,6 +74,66 @@ public X509Certificate[] getAcceptedIssuers() {
             exception = e.toString();
         }
         assertEquals(expectedException, exception);
+    }
+
+    private static class SSLTestServices extends OkHttpServices {
+        static class SSLTestHostnameVerifierAdapter extends SSLTestServices.HostnameVerifierAdapter {
+            SSLTestHostnameVerifierAdapter(SSLHostnameVerifier hostnameVerifier) {
+                super(hostnameVerifier);
+            }
+        }
+    }
+
+    @Test
+    public void testHostnameVerifier() throws SSLException, CertificateParsingException {
+        // three things our SSLHostnameVerifier will capture
+        final AtomicReference<String> capturedHost = new AtomicReference<String>();
+        final AtomicReference<String[]> capturedCNs = new AtomicReference<String[]>();
+        final AtomicReference<String[]> capturedSAs = new AtomicReference<String[]>();
+
+        // this adapter is an SSLHostnameVerifier we'd normally pass to withSSLHostnameVerifier
+        SSLHostnameVerifier verifier = new SSLHostnameVerifier() {
+            public void verify(String host, String[] cns, String[] alts) {
+                capturedHost.set(host);
+                capturedCNs.set(cns);
+                capturedSAs.set(alts);
+            }
+        };
+        // rather than attempt a real SSL connection, let's just test the implementation
+        // with some mocks
+        SSLTestServices.SSLTestHostnameVerifierAdapter adapter = new SSLTestServices.SSLTestHostnameVerifierAdapter(verifier);
+
+        // three things we'll pass and expect we can capture when verify is called
+        String passedHost = "somehost";
+        String[] passedCns = new String[] {"\u82b1\u5b50.co.jp", "bar.com", "foo.com"};
+        String[] passedSas = new String[] {"a.foo.com", "104.198.163.83", "a.bar.com", "\u82b1\u5b50.co.jp"};
+        // throw some extra information in like a real SSL cert would have
+        // but what we're really wanting here are the CNs (common names)
+        X500Principal principal = new X500Principal("C=US, ST=California, L=San Carlos, O=API Team, OU=test certificates, " +
+            "CN=" + passedCns[2] + ", CN=" + passedCns[1] + ", CN=" + passedCns[0]);
+        X509Certificate cert = mock(X509Certificate.class);
+        when(cert.getSubjectX500Principal()).thenReturn(principal);
+
+        int type_dnsName = 2;
+        int type_ipAddress = 7;
+        // subject alts come out as a Collection of 2-entry lists where the first entry
+        // is the Integer type and the second entry is the value
+        // if the entry is 2 it's a DNS or 7 then it's an IP address
+        // according to https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getSubjectAlternativeNames--
+        Collection<List<?>> listSas = new ArrayList<List<?>>();
+        listSas.add(Arrays.asList(new Object[] {new Integer(type_dnsName), passedSas[0]}));
+        listSas.add(Arrays.asList(new Object[] {new Integer(type_ipAddress), passedSas[1]}));
+        listSas.add(Arrays.asList(new Object[] {new Integer(type_dnsName), passedSas[2]}));
+        listSas.add(Arrays.asList(new Object[] {new Integer(type_dnsName), passedSas[3]}));
+        when(cert.getSubjectAlternativeNames()).thenReturn(listSas);
+
+        // now that we have the cert all mocked with common names and subject alts, call the
+        // implementation method HostnameVerifierAdapter.verify to make sure it calls
+        // SSLHostnameVerifier.verify(String, String[], String[]) with the expected hostname, cns, and subjectAlts
+        adapter.verify(passedHost, cert);
 
+        assertEquals(passedHost, capturedHost.get());
+        assertArrayEquals(passedCns, capturedCNs.get());
+        assertArrayEquals(passedSas, capturedSAs.get());
     }
 }