core/java/android/net/http/DomainNameChecker.java - platform/frameworks/base - Gitiles

 /*
  * Copyright (C) 2008 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.net.http;

 import org.bouncycastle.asn1.x509.X509Name;

 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.security.cert.X509Certificate;
 import java.security.cert.CertificateParsingException;
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
 import java.util.Vector;

 /**
  * Implements basic domain-name validation as specified by RFC2818.
  *
  * {@hide}
  */
 public class DomainNameChecker {
     private static Pattern QUICK_IP_PATTERN;
     static {
         try {
             QUICK_IP_PATTERN = Pattern.compile("^[a-f0-9\\.:]+$");
         } catch (PatternSyntaxException e) {}
     }

     private static final int ALT_DNS_NAME = 2;
     private static final int ALT_IPA_NAME = 7;

     /**
      * Checks the site certificate against the domain name of the site being visited
      * @param certificate The certificate to check
      * @param thisDomain The domain name of the site being visited
      * @return True iff if there is a domain match as specified by RFC2818
      */
     public static boolean match(X509Certificate certificate, String thisDomain) {
         if (certificate == null || thisDomain == null || thisDomain.length() == 0) {
             return false;
         }

         thisDomain = thisDomain.toLowerCase();
         if (!isIpAddress(thisDomain)) {
             return matchDns(certificate, thisDomain);
         } else {
             return matchIpAddress(certificate, thisDomain);
         }
     }

     /**
      * @return True iff the domain name is specified as an IP address
      */
     private static boolean isIpAddress(String domain) {
         boolean rval = (domain != null && domain.length() != 0);
         if (rval) {
             try {
                 // do a quick-dirty IP match first to avoid DNS lookup
                 rval = QUICK_IP_PATTERN.matcher(domain).matches();
                 if (rval) {
                     rval = domain.equals(
                         InetAddress.getByName(domain).getHostAddress());
                 }
             } catch (UnknownHostException e) {
                 String errorMessage = e.getMessage();
                 if (errorMessage == null) {
                   errorMessage = "unknown host exception";
                 }

                 if (HttpLog.LOGV) {
                     HttpLog.v("DomainNameChecker.isIpAddress(): " + errorMessage);
                 }

                 rval = false;
             }
         }

         return rval;
     }

     /**
      * Checks the site certificate against the IP domain name of the site being visited
      * @param certificate The certificate to check
      * @param thisDomain The DNS domain name of the site being visited
      * @return True iff if there is a domain match as specified by RFC2818
      */
     private static boolean matchIpAddress(X509Certificate certificate, String thisDomain) {
         if (HttpLog.LOGV) {
             HttpLog.v("DomainNameChecker.matchIpAddress(): this domain: " + thisDomain);
         }

         try {
             Collection subjectAltNames = certificate.getSubjectAlternativeNames();
             if (subjectAltNames != null) {
                 Iterator i = subjectAltNames.iterator();
                 while (i.hasNext()) {
                     List altNameEntry = (List)(i.next());
                     if (altNameEntry != null && 2 <= altNameEntry.size()) {
                         Integer altNameType = (Integer)(altNameEntry.get(0));
                         if (altNameType != null) {
                             if (altNameType.intValue() == ALT_IPA_NAME) {
                                 String altName = (String)(altNameEntry.get(1));
                                 if (altName != null) {
                                     if (HttpLog.LOGV) {
                                         HttpLog.v("alternative IP: " + altName);
                                     }
                                     if (thisDomain.equalsIgnoreCase(altName)) {
                                         return true;
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
         } catch (CertificateParsingException e) {}

         return false;
     }

     /**
      * Checks the site certificate against the DNS domain name of the site being visited
      * @param certificate The certificate to check
      * @param thisDomain The DNS domain name of the site being visited
      * @return True iff if there is a domain match as specified by RFC2818
      */
     private static boolean matchDns(X509Certificate certificate, String thisDomain) {
         boolean hasDns = false;
         try {
             Collection subjectAltNames = certificate.getSubjectAlternativeNames();
             if (subjectAltNames != null) {
                 Iterator i = subjectAltNames.iterator();
                 while (i.hasNext()) {
                     List altNameEntry = (List)(i.next());
                     if (altNameEntry != null && 2 <= altNameEntry.size()) {
                         Integer altNameType = (Integer)(altNameEntry.get(0));
                         if (altNameType != null) {
                             if (altNameType.intValue() == ALT_DNS_NAME) {
                                 hasDns = true;
                                 String altName = (String)(altNameEntry.get(1));
                                 if (altName != null) {
                                     if (matchDns(thisDomain, altName)) {
                                         return true;
                                     }
                                 }
                             }
                         }
                     }
                 }
             }
         } catch (CertificateParsingException e) {
             // one way we can get here is if an alternative name starts with
             // '*' character, which is contrary to one interpretation of the
             // spec (a valid DNS name must start with a letter); there is no
             // good way around this, and in order to be compatible we proceed
             // to check the common name (ie, ignore alternative names)
             if (HttpLog.LOGV) {
                 String errorMessage = e.getMessage();
                 if (errorMessage == null) {
                     errorMessage = "failed to parse certificate";
                 }

                 if (HttpLog.LOGV) {
                     HttpLog.v("DomainNameChecker.matchDns(): " + errorMessage);
                 }
             }
         }

         if (!hasDns) {
             X509Name xName = new X509Name(certificate.getSubjectDN().getName());
             Vector val = xName.getValues();
             Vector oid = xName.getOIDs();
             for (int i = 0; i < oid.size(); i++) {
                 if (oid.elementAt(i).equals(X509Name.CN)) {
                     return matchDns(thisDomain, (String)(val.elementAt(i)));
                 }
             }
         }

         return false;
     }

     /**
      * @param thisDomain The domain name of the site being visited
      * @param thatDomain The domain name from the certificate
      * @return True iff thisDomain matches thatDomain as specified by RFC2818
      */
     private static boolean matchDns(String thisDomain, String thatDomain) {
         if (HttpLog.LOGV) {
             HttpLog.v("DomainNameChecker.matchDns():" +
                       " this domain: " + thisDomain +
                       " that domain: " + thatDomain);
         }

         if (thisDomain == null || thisDomain.length() == 0 ||
             thatDomain == null || thatDomain.length() == 0) {
             return false;
         }

         thatDomain = thatDomain.toLowerCase();

         // (a) domain name strings are equal, ignoring case: X matches X
         boolean rval = thisDomain.equals(thatDomain);
         if (!rval) {
             String[] thisDomainTokens = thisDomain.split("\\.");
             String[] thatDomainTokens = thatDomain.split("\\.");

             int thisDomainTokensNum = thisDomainTokens.length;
             int thatDomainTokensNum = thatDomainTokens.length;

             // (b) OR thatHost is a '.'-suffix of thisHost: Z.Y.X matches X
             if (thisDomainTokensNum >= thatDomainTokensNum) {
                 for (int i = thatDomainTokensNum - 1; i >= 0; --i) {
                     rval = thisDomainTokens[i].equals(thatDomainTokens[i]);
                     if (!rval) {
                         // (c) OR we have a special *-match:
                         // Z.Y.X matches *.Y.X but does not match *.X
                         rval = (i == 0 && thisDomainTokensNum == thatDomainTokensNum);
                         if (rval) {
                             rval = thatDomainTokens[0].equals("*");
                             if (!rval) {
                                 // (d) OR we have a *-component match:
                                 // f*.com matches foo.com but not bar.com
                                 rval = domainTokenMatch(
                                     thisDomainTokens[0], thatDomainTokens[0]);
                             }
                         }

                         break;
                     }
                 }
             }
         }

         return rval;
     }

     /**
      * @param thisDomainToken The domain token from the current domain name
      * @param thatDomainToken The domain token from the certificate
      * @return True iff thisDomainToken matches thatDomainToken, using the
      * wildcard match as specified by RFC2818-3.1. For example, f*.com must
      * match foo.com but not bar.com
      */
     private static boolean domainTokenMatch(String thisDomainToken, String thatDomainToken) {
         if (thisDomainToken != null && thatDomainToken != null) {
             int starIndex = thatDomainToken.indexOf('*');
             if (starIndex >= 0) {
                 if (thatDomainToken.length() - 1 <= thisDomainToken.length()) {
                     String prefix = thatDomainToken.substring(0,  starIndex);
                     String suffix = thatDomainToken.substring(starIndex + 1);

                     return thisDomainToken.startsWith(prefix) && thisDomainToken.endsWith(suffix);
                 }
             }
         }

         return false;
     }
 }
	/*
	* Copyright (C) 2008 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.net.http;

	import org.bouncycastle.asn1.x509.X509Name;

	import java.net.InetAddress;
	import java.net.UnknownHostException;
	import java.security.cert.X509Certificate;
	import java.security.cert.CertificateParsingException;
	import java.util.Collection;
	import java.util.Iterator;
	import java.util.List;
	import java.util.regex.Matcher;
	import java.util.regex.Pattern;
	import java.util.regex.PatternSyntaxException;
	import java.util.Vector;

	/**
	* Implements basic domain-name validation as specified by RFC2818.
	*
	* {@hide}
	*/
	public class DomainNameChecker {
	private static Pattern QUICK_IP_PATTERN;
	static {
	try {
	QUICK_IP_PATTERN = Pattern.compile("^[a-f0-9\\.:]+$");
	} catch (PatternSyntaxException e) {}
	}

	private static final int ALT_DNS_NAME = 2;
	private static final int ALT_IPA_NAME = 7;

	/**
	* Checks the site certificate against the domain name of the site being visited
	* @param certificate The certificate to check
	* @param thisDomain The domain name of the site being visited
	* @return True iff if there is a domain match as specified by RFC2818
	*/
	public static boolean match(X509Certificate certificate, String thisDomain) {
	if (certificate == null \|\| thisDomain == null \|\| thisDomain.length() == 0) {
	return false;
	}

	thisDomain = thisDomain.toLowerCase();
	if (!isIpAddress(thisDomain)) {
	return matchDns(certificate, thisDomain);
	} else {
	return matchIpAddress(certificate, thisDomain);
	}
	}

	/**
	* @return True iff the domain name is specified as an IP address
	*/
	private static boolean isIpAddress(String domain) {
	boolean rval = (domain != null && domain.length() != 0);
	if (rval) {
	try {
	// do a quick-dirty IP match first to avoid DNS lookup
	rval = QUICK_IP_PATTERN.matcher(domain).matches();
	if (rval) {
	rval = domain.equals(
	InetAddress.getByName(domain).getHostAddress());
	}
	} catch (UnknownHostException e) {
	String errorMessage = e.getMessage();
	if (errorMessage == null) {
	errorMessage = "unknown host exception";
	}

	if (HttpLog.LOGV) {
	HttpLog.v("DomainNameChecker.isIpAddress(): " + errorMessage);
	}

	rval = false;
	}
	}

	return rval;
	}

	/**
	* Checks the site certificate against the IP domain name of the site being visited
	* @param certificate The certificate to check
	* @param thisDomain The DNS domain name of the site being visited
	* @return True iff if there is a domain match as specified by RFC2818
	*/
	private static boolean matchIpAddress(X509Certificate certificate, String thisDomain) {
	if (HttpLog.LOGV) {
	HttpLog.v("DomainNameChecker.matchIpAddress(): this domain: " + thisDomain);
	}

	try {
	Collection subjectAltNames = certificate.getSubjectAlternativeNames();
	if (subjectAltNames != null) {
	Iterator i = subjectAltNames.iterator();
	while (i.hasNext()) {
	List altNameEntry = (List)(i.next());
	if (altNameEntry != null && 2 <= altNameEntry.size()) {
	Integer altNameType = (Integer)(altNameEntry.get(0));
	if (altNameType != null) {
	if (altNameType.intValue() == ALT_IPA_NAME) {
	String altName = (String)(altNameEntry.get(1));
	if (altName != null) {
	if (HttpLog.LOGV) {
	HttpLog.v("alternative IP: " + altName);
	}
	if (thisDomain.equalsIgnoreCase(altName)) {
	return true;
	}
	}
	}
	}
	}
	}
	}
	} catch (CertificateParsingException e) {}

	return false;
	}

	/**
	* Checks the site certificate against the DNS domain name of the site being visited
	* @param certificate The certificate to check
	* @param thisDomain The DNS domain name of the site being visited
	* @return True iff if there is a domain match as specified by RFC2818
	*/
	private static boolean matchDns(X509Certificate certificate, String thisDomain) {
	boolean hasDns = false;
	try {
	Collection subjectAltNames = certificate.getSubjectAlternativeNames();
	if (subjectAltNames != null) {
	Iterator i = subjectAltNames.iterator();
	while (i.hasNext()) {
	List altNameEntry = (List)(i.next());
	if (altNameEntry != null && 2 <= altNameEntry.size()) {
	Integer altNameType = (Integer)(altNameEntry.get(0));
	if (altNameType != null) {
	if (altNameType.intValue() == ALT_DNS_NAME) {
	hasDns = true;
	String altName = (String)(altNameEntry.get(1));
	if (altName != null) {
	if (matchDns(thisDomain, altName)) {
	return true;
	}
	}
	}
	}
	}
	}
	}
	} catch (CertificateParsingException e) {
	// one way we can get here is if an alternative name starts with
	// '*' character, which is contrary to one interpretation of the
	// spec (a valid DNS name must start with a letter); there is no
	// good way around this, and in order to be compatible we proceed
	// to check the common name (ie, ignore alternative names)
	if (HttpLog.LOGV) {
	String errorMessage = e.getMessage();
	if (errorMessage == null) {
	errorMessage = "failed to parse certificate";
	}

	if (HttpLog.LOGV) {
	HttpLog.v("DomainNameChecker.matchDns(): " + errorMessage);
	}
	}
	}

	if (!hasDns) {
	X509Name xName = new X509Name(certificate.getSubjectDN().getName());
	Vector val = xName.getValues();
	Vector oid = xName.getOIDs();
	for (int i = 0; i < oid.size(); i++) {
	if (oid.elementAt(i).equals(X509Name.CN)) {
	return matchDns(thisDomain, (String)(val.elementAt(i)));
	}
	}
	}

	return false;
	}

	/**
	* @param thisDomain The domain name of the site being visited
	* @param thatDomain The domain name from the certificate
	* @return True iff thisDomain matches thatDomain as specified by RFC2818
	*/
	private static boolean matchDns(String thisDomain, String thatDomain) {
	if (HttpLog.LOGV) {
	HttpLog.v("DomainNameChecker.matchDns():" +
	" this domain: " + thisDomain +
	" that domain: " + thatDomain);
	}

	if (thisDomain == null \|\| thisDomain.length() == 0 \|\|
	thatDomain == null \|\| thatDomain.length() == 0) {
	return false;
	}

	thatDomain = thatDomain.toLowerCase();

	// (a) domain name strings are equal, ignoring case: X matches X
	boolean rval = thisDomain.equals(thatDomain);
	if (!rval) {
	String[] thisDomainTokens = thisDomain.split("\\.");
	String[] thatDomainTokens = thatDomain.split("\\.");

	int thisDomainTokensNum = thisDomainTokens.length;
	int thatDomainTokensNum = thatDomainTokens.length;

	// (b) OR thatHost is a '.'-suffix of thisHost: Z.Y.X matches X
	if (thisDomainTokensNum >= thatDomainTokensNum) {
	for (int i = thatDomainTokensNum - 1; i >= 0; --i) {
	rval = thisDomainTokens[i].equals(thatDomainTokens[i]);
	if (!rval) {
	// (c) OR we have a special *-match:
	// Z.Y.X matches .Y.X but does not match .X
	rval = (i == 0 && thisDomainTokensNum == thatDomainTokensNum);
	if (rval) {
	rval = thatDomainTokens[0].equals("*");
	if (!rval) {
	// (d) OR we have a *-component match:
	// f*.com matches foo.com but not bar.com
	rval = domainTokenMatch(
	thisDomainTokens[0], thatDomainTokens[0]);
	}
	}

	break;
	}
	}
	}
	}

	return rval;
	}

	/**
	* @param thisDomainToken The domain token from the current domain name
	* @param thatDomainToken The domain token from the certificate
	* @return True iff thisDomainToken matches thatDomainToken, using the
	* wildcard match as specified by RFC2818-3.1. For example, f*.com must
	* match foo.com but not bar.com
	*/
	private static boolean domainTokenMatch(String thisDomainToken, String thatDomainToken) {
	if (thisDomainToken != null && thatDomainToken != null) {
	int starIndex = thatDomainToken.indexOf('*');
	if (starIndex >= 0) {
	if (thatDomainToken.length() - 1 <= thisDomainToken.length()) {
	String prefix = thatDomainToken.substring(0, starIndex);
	String suffix = thatDomainToken.substring(starIndex + 1);

	return thisDomainToken.startsWith(prefix) && thisDomainToken.endsWith(suffix);
	}
	}
	}

	return false;
	}
	}