Merge pull request #808 from csmith/certs

Add CertificateHostChecker class.

src/main/java/com/dmdirc/tls/CertificateHostChecker.java

@@ -0,0 +1,130 @@
+package com.dmdirc.tls;
+
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+
+/**
+ * Checks that the host we're connecting to is one specified in a certificate.
+ *
+ * <p>Certificates match if any of their subjectAlternateName extensions, or the subject's common name, matches
+ * the host we're connecting to.
+ */
+public class CertificateHostChecker {
+
+    /**
+     * Checks if the specified certificate is valid for the given hostname.
+     *
+     * @param certificate The certificate to check.
+     * @param host The hostname that was connected to.
+     * @return True if the certificate covers the given hostname, false otherwise.
+     */
+    public boolean isValidFor(final X509Certificate certificate, final String host) {
+        return getAllNames(certificate).stream().anyMatch(name -> matches(name, host));
+    }
+
+    /**
+     * Checks if the specified name matches against the host, taking into account wildcards.
+     *
+     * <p>Hosts are compared by splitting them into domain parts (test.dmdirc.com becomes [test, dmdirc, com]) and
+     * comparing each part against the corresponding part of the supplied name. Wildcards may only expand within a
+     * single part (i.e. *.example.com cannot match foo.bar.example.com).
+     *
+     * @param name The name to check.
+     * @param host The host to check it against.
+     * @return True if the name matches the host; false otherwise.
+     */
+    private boolean matches(final String name, final String host) {
+        final String[] nameParts = name.split("\\.");
+        final String[] hostParts = host.split("\\.");
+
+        if (nameParts.length != hostParts.length) {
+            return false;
+        }
+
+        for (int i = 0; i < nameParts.length; i++) {
+            if (!partMatches(nameParts[i], hostParts[i])) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Checks if the specified part of the name matches the corresponding part of the host, taking into account
+     * wildcards.
+     *
+     * @param namePart The part of the name to be expanded and checked.
+     * @param hostPart The corresponding part of the host to check the name against.
+     * @return True if the name and host parts match; false otherwise.
+     */
+    private boolean partMatches(final String namePart, final String hostPart) {
+        return "*".equals(namePart) || hostPart.toLowerCase().matches(
+                Arrays.stream(namePart.toLowerCase().split("\\*"))
+                        .map(Pattern::quote)
+                        .collect(Collectors.joining(".*")));
+    }
+
+    /**
+     * Returns all names for which a certificate is valid.
+     *
+     * @param cert The certificate to read.
+     * @return The names which the certificate covers.
+     */
+    private Set<String> getAllNames(final X509Certificate cert) {
+        final Set<String> names = new HashSet<>();
+        getCommonName(cert).ifPresent(names::add);
+        getSubjectAlternateNames(cert).ifPresent(names::addAll);
+        return names;
+    }
+
+    /**
+     * Reads the common name (CN) from the certificate's subject.
+     *
+     * @param cert The certificate to read.
+     * @return The common name of the certificate, if present.
+     */
+    private Optional<String> getCommonName(final X509Certificate cert) {
+        try {
+            final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());
+            return name.getRdns().stream()
+                    .filter(rdn -> "CN".equalsIgnoreCase(rdn.getType()))
+                    .map(Rdn::getValue)
+                    .map(Object::toString)
+                    .findFirst();
+        } catch (InvalidNameException ex) {
+            return Optional.empty();
+        }
+    }
+
+    /**
+     * Reads all the subjectAlternateName extensions from the certificate.
+     *
+     * @param cert The certificate to read.
+     * @return The (possibly empty) set of subject alternate names.
+     */
+    private Optional<Set<String>> getSubjectAlternateNames(final X509Certificate cert) {
+        try {
+            return Optional.ofNullable(cert.getSubjectAlternativeNames())
+                    .map(sans -> sans.stream()
+                            // Filter for GeneralName type 2 (dNSName)
+                            .filter(san -> (Integer) san.get(0) == 2)
+                            // Get the string representation of the value of those names
+                            .map(san -> san.get(1))
+                            .map(Object::toString)
+                            .collect(Collectors.toSet()));
+        } catch (CertificateParsingException e) {
+            return Optional.empty();
+        }
+    }
+
+}

src/test/java/com/dmdirc/tls/CertificateHostCheckerTest.java

@@ -0,0 +1,86 @@
+package com.dmdirc.tls;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests for {@link CertificateHostChecker}.
+ *
+ * <p>These tests use several certificates stored in a keystore. They were generated using:
+ *
+ * <pre>
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_cn_only" -dname "CN=test.example.com, O=DMDirc, C=GB"
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_cn_wildcard" -dname "CN=*.example.com, O=DMDirc, C=GB"
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_san_dns" -dname "CN=other.example.com, O=DMDirc, C=GB" -ext SAN=dns:test.example.com
+ * keytool -genkey -validity 18250 -keystore "keystore.ks" -storepass "dmdirc" -keypass "dmdirc" -alias "name_san_dns_multiple" -dname "CN=other.example.com, O=DMDirc, C=GB" -ext SAN=dns:foo.example.com,dns:test.example.com
+ * </pre>
+ */
+public class CertificateHostCheckerTest {
+
+    private CertificateHostChecker checker;
+
+    @Before
+    public void setup() {
+        checker = new CertificateHostChecker();
+    }
+
+    @Test
+    public void testBasicCn() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_cn_only");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertFalse(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testWildcardCn() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_cn_wildcard");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testSanDns() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_san_dns");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "other.example.com"));
+        assertFalse(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    @Test
+    public void testSanDnsMultiple() throws GeneralSecurityException, IOException {
+        final X509Certificate certificate = getCertificate("name_san_dns_multiple");
+        assertTrue(checker.isValidFor(certificate, "test.example.com"));
+        assertTrue(checker.isValidFor(certificate, "TEsT.example.com"));
+        assertTrue(checker.isValidFor(certificate, "other.example.com"));
+        assertTrue(checker.isValidFor(certificate, "foo.example.com"));
+        assertFalse(checker.isValidFor(certificate, "test.foo.example.org"));
+        assertFalse(checker.isValidFor(certificate, "test.example.org"));
+        assertFalse(checker.isValidFor(certificate, "foo.test.example.com"));
+    }
+
+    private X509Certificate getCertificate(final String name) throws GeneralSecurityException, IOException {
+        try (InputStream is = getClass().getResourceAsStream("keystore.ks")) {
+            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(is, "dmdirc".toCharArray());
+            return (X509Certificate) keyStore.getCertificate(name);
+        }
+    }
+
+}