Add CertificateHostChecker class.

This will replace the two or three kludgy methods in CertificateManager
that currently validate hostnames. In the process it fixes some fun
problems that could arise if the subject of a certificate contained
regex quote sequences (\Q...\E).

Issue #806

src/main/java/com/dmdirc/tls/CertificateHostChecker.java

@@ -0,0 +1,130 @@
+package com.dmdirc.tls;
+
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+
+/**
+ * Checks that the host we're connecting to is one specified in a certificate.
+ *
+ * <p>Certificates match if any of their subjectAlternateName extensions, or the subject's common name, matches
+ * the host we're connecting to.
+ */
+public class CertificateHostChecker {
+
+    /**
+     * Checks if the specified certificate is valid for the given hostname.
+     *
+     * @param certificate The certificate to check.
+     * @param host The hostname that was connected to.
+     * @return True if the certificate covers the given hostname, false otherwise.
+     */
+    public boolean isValidFor(final X509Certificate certificate, final String host) {
+        return getAllNames(certificate).stream().anyMatch(name -> matches(name, host));
+    }
+
+    /**
+     * Checks if the specified name matches against the host, taking into account wildcards.
+     *
+     * <p>Hosts are compared by splitting them into domain parts (test.dmdirc.com becomes [test, dmdirc, com]) and
+     * comparing each part against the corresponding part of the supplied name. Wildcards may only expand within a
+     * single part (i.e. *.example.com cannot match foo.bar.example.com).
+     *
+     * @param name The name to check.
+     * @param host The host to check it against.
+     * @return True if the name matches the host; false otherwise.
+     */
+    private boolean matches(final String name, final String host) {
+        final String[] nameParts = name.split("\\.");
+        final String[] hostParts = host.split("\\.");
+
+        if (nameParts.length != hostParts.length) {
+            return false;
+        }
+
+        for (int i = 0; i < nameParts.length; i++) {
+            if (!partMatches(nameParts[i], hostParts[i])) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Checks if the specified part of the name matches the corresponding part of the host, taking into account
+     * wildcards.
+     *
+     * @param namePart The part of the name to be expanded and checked.
+     * @param hostPart The corresponding part of the host to check the name against.
+     * @return True if the name and host parts match; false otherwise.
+     */
+    private boolean partMatches(final String namePart, final String hostPart) {
+        return namePart.equals("*") || hostPart.toLowerCase().matches(
+                Arrays.stream(namePart.toLowerCase().split("\\*"))
+                        .map(Pattern::quote)
+                        .collect(Collectors.joining(".*")));
+    }
+
+    /**
+     * Returns all names for which a certificate is valid.
+     *
+     * @param cert The certificate to read.
+     * @return The names which the certificate covers.
+     */
+    private Set<String> getAllNames(final X509Certificate cert) {
+        final Set<String> names = new HashSet<>();
+        getCommonName(cert).ifPresent(names::add);
+        getSubjectAlternateNames(cert).ifPresent(names::addAll);
+        return names;
+    }
+
+    /**
+     * Reads the common name (CN) from the certificate's subject.
+     *
+     * @param cert The certificate to read.
+     * @return The common name of the certificate, if present.
+     */
+    private Optional<String> getCommonName(final X509Certificate cert) {
+        try {
+            final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());
+            return name.getRdns().stream()
+                    .filter(rdn -> "CN".equalsIgnoreCase(rdn.getType()))
+                    .map(Rdn::getValue)
+                    .map(Object::toString)
+                    .findFirst();
+        } catch (InvalidNameException ex) {
+            return Optional.empty();
+        }
+    }
+
+    /**
+     * Reads all the subjectAlternateName extensions from the certificate.
+     *
+     * @param cert The certificate to read.
+     * @return The (possibly empty) set of subject alternate names.
+     */
+    private Optional<Set<String>> getSubjectAlternateNames(final X509Certificate cert) {
+        try {
+            return Optional.ofNullable(cert.getSubjectAlternativeNames())
+                    .map(sans -> sans.stream()
+                            // Filter for GeneralName type 2 (dNSName)
+                            .filter(san -> (Integer) san.get(0) == 2)
+                            // Get the string representation of the value of those names
+                            .map(san -> san.get(1))
+                            .map(Object::toString)
+                            .collect(Collectors.toSet()));
+        } catch (CertificateParsingException e) {
+            return Optional.empty();
+        }
+    }
+
+}

src/test/java/com/dmdirc/tls/CertificateHostCheckerTest.java

@@ -0,0 +1,86 @@
+package com.dmdirc.tls;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests for {@link CertificateHostChecker}.
+ *
+ * <p>These tests use several certificates stored in a keystore. They were generated using:
+ *
+ * <pre>
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_cn_only" -dname "CN=test.example.com, O=DMDirc, C=GB"
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_cn_wildcard" -dname "CN=*.example.com, O=DMDirc, C=GB"
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_san_dns" -dname "CN=other.example.com, O=DMDirc, C=GB" -ext SAN=dns:test.example.com
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_san_dns_multiple" -dname "CN=other.example.com, O=DMDirc, C=GB" -ext SAN=dns:foo.example.com,dns:test.example.com
+ * </pre>
+ */
+public class CertificateHostCheckerTest {
+
+    private CertificateHostChecker checker;
+
+    @Before
+    public void setup() {
+        checker = new CertificateHostChecker();
+    }
+
+    @Test
+    public void testBasicCn() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_cn_only");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertFalse(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testWildcardCn() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_cn_wildcard");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testSanDns() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_san_dns");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "other.example.com"));
+        assertFalse(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testSanDnsMultiple() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_san_dns_multiple");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "other.example.com"));
+        assertTrue(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.foo.example.org"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    private X509Certificate getCertificate(final String name) throws GeneralSecurityException, IOException {
+        try (InputStream is = getClass().getResourceAsStream("keystore.ks")) {
+            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(is, "dmdirc".toCharArray());
+            return (X509Certificate) keyStore.getCertificate(name);
+        }
+    }
+
+}