2010-05-19 15:16:36 -04:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2008 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
package com.fsck.k9.helper;
|
|
|
|
|
2011-02-26 10:57:58 -05:00
|
|
|
import android.net.http.SslCertificate;
|
2010-05-19 15:16:36 -04:00
|
|
|
import android.util.Log;
|
|
|
|
import com.fsck.k9.K9;
|
|
|
|
import java.net.InetAddress;
|
|
|
|
import java.net.UnknownHostException;
|
|
|
|
import java.security.cert.X509Certificate;
|
|
|
|
import java.security.cert.CertificateParsingException;
|
|
|
|
import java.util.Collection;
|
|
|
|
import java.util.List;
|
2011-10-27 11:17:43 -04:00
|
|
|
import java.util.Locale;
|
2010-05-19 15:16:36 -04:00
|
|
|
import java.util.regex.Pattern;
|
|
|
|
import java.util.regex.PatternSyntaxException;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implements basic domain-name validation as specified by RFC2818.
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
public class DomainNameChecker {
|
2010-05-19 15:16:36 -04:00
|
|
|
private static Pattern QUICK_IP_PATTERN;
|
2011-02-06 17:09:48 -05:00
|
|
|
static {
|
|
|
|
try {
|
2010-05-19 15:16:36 -04:00
|
|
|
QUICK_IP_PATTERN = Pattern.compile("^[a-f0-9\\.:]+$");
|
2011-02-06 17:09:48 -05:00
|
|
|
} catch (PatternSyntaxException e) {
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static final int ALT_DNS_NAME = 2;
|
|
|
|
private static final int ALT_IPA_NAME = 7;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks the site certificate against the domain name of the site being
|
|
|
|
* visited
|
2010-05-30 00:17:00 -04:00
|
|
|
*
|
2010-05-19 15:16:36 -04:00
|
|
|
* @param certificate
|
|
|
|
* The certificate to check
|
|
|
|
* @param thisDomain
|
|
|
|
* The domain name of the site being visited
|
|
|
|
* @return True iff if there is a domain match as specified by RFC2818
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
public static boolean match(X509Certificate certificate, String thisDomain) {
|
2010-05-19 15:16:36 -04:00
|
|
|
if ((certificate == null) || (thisDomain == null)
|
2014-02-15 17:47:56 -05:00
|
|
|
|| thisDomain.isEmpty()) {
|
2010-05-19 15:16:36 -04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2011-10-27 11:17:43 -04:00
|
|
|
thisDomain = thisDomain.toLowerCase(Locale.US);
|
2011-02-06 17:09:48 -05:00
|
|
|
if (!isIpAddress(thisDomain)) {
|
2010-05-19 15:16:36 -04:00
|
|
|
return matchDns(certificate, thisDomain);
|
2011-02-06 17:09:48 -05:00
|
|
|
} else {
|
2010-05-19 15:16:36 -04:00
|
|
|
return matchIpAddress(certificate, thisDomain);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @return True iff the domain name is specified as an IP address
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
private static boolean isIpAddress(String domain) {
|
2014-02-15 17:47:56 -05:00
|
|
|
if ((domain == null) || domain.isEmpty()) {
|
2011-01-18 19:10:36 -05:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
boolean rval;
|
2011-02-06 17:09:48 -05:00
|
|
|
try {
|
2011-01-18 19:10:36 -05:00
|
|
|
// do a quick-dirty IP match first to avoid DNS lookup
|
|
|
|
rval = QUICK_IP_PATTERN.matcher(domain).matches();
|
2011-02-06 17:09:48 -05:00
|
|
|
if (rval) {
|
2011-01-18 19:10:36 -05:00
|
|
|
rval = domain.equals(InetAddress.getByName(domain)
|
|
|
|
.getHostAddress());
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
2011-02-06 17:09:48 -05:00
|
|
|
} catch (UnknownHostException e) {
|
2011-01-18 19:10:36 -05:00
|
|
|
String errorMessage = e.getMessage();
|
2011-02-06 17:09:48 -05:00
|
|
|
if (errorMessage == null) {
|
2011-01-18 19:10:36 -05:00
|
|
|
errorMessage = "unknown host exception";
|
|
|
|
}
|
2010-05-19 15:16:36 -04:00
|
|
|
|
2011-02-06 17:09:48 -05:00
|
|
|
if (K9.DEBUG) {
|
2011-01-18 19:10:36 -05:00
|
|
|
Log.v(K9.LOG_TAG, "DomainNameChecker.isIpAddress(): "
|
|
|
|
+ errorMessage);
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
2011-01-18 19:10:36 -05:00
|
|
|
|
|
|
|
rval = false;
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return rval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks the site certificate against the IP domain name of the site being
|
|
|
|
* visited
|
2010-05-30 00:17:00 -04:00
|
|
|
*
|
2010-05-19 15:16:36 -04:00
|
|
|
* @param certificate
|
|
|
|
* The certificate to check
|
|
|
|
* @param thisDomain
|
|
|
|
* The DNS domain name of the site being visited
|
|
|
|
* @return True iff if there is a domain match as specified by RFC2818
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
private static boolean matchIpAddress(X509Certificate certificate, String thisDomain) {
|
|
|
|
if (K9.DEBUG) {
|
2010-05-19 15:16:36 -04:00
|
|
|
Log.v(K9.LOG_TAG, "DomainNameChecker.matchIpAddress(): this domain: " + thisDomain);
|
|
|
|
}
|
|
|
|
|
2011-02-06 17:09:48 -05:00
|
|
|
try {
|
2014-02-15 15:51:19 -05:00
|
|
|
Collection<List<?>> subjectAltNames = certificate.getSubjectAlternativeNames();
|
2011-02-06 17:09:48 -05:00
|
|
|
if (subjectAltNames != null) {
|
2014-02-15 15:51:19 -05:00
|
|
|
for (List<?> altNameEntry : subjectAltNames) {
|
2011-02-06 17:09:48 -05:00
|
|
|
if ((altNameEntry != null) && (2 <= altNameEntry.size())) {
|
|
|
|
Integer altNameType = (Integer)(altNameEntry.get(0));
|
2012-07-07 08:19:22 -04:00
|
|
|
if (altNameType != null && altNameType.intValue() == ALT_IPA_NAME) {
|
2012-07-06 08:22:28 -04:00
|
|
|
String altName = (String)(altNameEntry.get(1));
|
|
|
|
if (altName != null) {
|
|
|
|
if (K9.DEBUG) {
|
|
|
|
Log.v(K9.LOG_TAG, "alternative IP: " + altName);
|
|
|
|
}
|
|
|
|
if (thisDomain.equalsIgnoreCase(altName)) {
|
|
|
|
return true;
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2011-02-06 17:09:48 -05:00
|
|
|
} catch (CertificateParsingException e) {
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Checks the site certificate against the DNS domain name of the site being
|
|
|
|
* visited
|
2010-05-30 00:17:00 -04:00
|
|
|
*
|
2010-05-19 15:16:36 -04:00
|
|
|
* @param certificate
|
|
|
|
* The certificate to check
|
|
|
|
* @param thisDomain
|
|
|
|
* The DNS domain name of the site being visited
|
|
|
|
* @return True iff if there is a domain match as specified by RFC2818
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
private static boolean matchDns(X509Certificate certificate, String thisDomain) {
|
2010-05-19 15:16:36 -04:00
|
|
|
boolean hasDns = false;
|
2011-02-06 17:09:48 -05:00
|
|
|
try {
|
2014-02-15 15:50:58 -05:00
|
|
|
Collection<List<?>> subjectAltNames = certificate.getSubjectAlternativeNames();
|
2011-02-06 17:09:48 -05:00
|
|
|
if (subjectAltNames != null) {
|
2014-02-15 15:50:58 -05:00
|
|
|
for (List<?> altNameEntry : subjectAltNames) {
|
2011-02-06 17:09:48 -05:00
|
|
|
if ((altNameEntry != null) && (2 <= altNameEntry.size())) {
|
2010-05-30 00:17:00 -04:00
|
|
|
Integer altNameType = (Integer)(altNameEntry.get(0));
|
2012-07-06 08:22:40 -04:00
|
|
|
if (altNameType != null && altNameType.intValue() == ALT_DNS_NAME) {
|
|
|
|
hasDns = true;
|
|
|
|
String altName = (String)(altNameEntry.get(1));
|
|
|
|
if (altName != null && matchDns(thisDomain, altName)) {
|
|
|
|
return true;
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2011-02-06 17:09:48 -05:00
|
|
|
} catch (CertificateParsingException e) {
|
2010-05-19 15:16:36 -04:00
|
|
|
// one way we can get here is if an alternative name starts with
|
|
|
|
// '*' character, which is contrary to one interpretation of the
|
|
|
|
// spec (a valid DNS name must start with a letter); there is no
|
|
|
|
// good way around this, and in order to be compatible we proceed
|
|
|
|
// to check the common name (ie, ignore alternative names)
|
2011-02-06 17:09:48 -05:00
|
|
|
if (K9.DEBUG) {
|
2010-05-19 15:16:36 -04:00
|
|
|
String errorMessage = e.getMessage();
|
2011-02-06 17:09:48 -05:00
|
|
|
if (errorMessage == null) {
|
2010-05-19 15:16:36 -04:00
|
|
|
errorMessage = "failed to parse certificate";
|
|
|
|
}
|
|
|
|
|
|
|
|
Log.v(K9.LOG_TAG, "DomainNameChecker.matchDns(): "
|
2010-05-30 00:17:00 -04:00
|
|
|
+ errorMessage);
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-02-06 17:09:48 -05:00
|
|
|
if (!hasDns) {
|
2011-02-26 10:57:58 -05:00
|
|
|
SslCertificate sslCertificate = new SslCertificate(certificate);
|
|
|
|
return matchDns(thisDomain, sslCertificate.getIssuedTo().getCName());
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param thisDomain
|
|
|
|
* The domain name of the site being visited
|
|
|
|
* @param thatDomain
|
|
|
|
* The domain name from the certificate
|
|
|
|
* @return True iff thisDomain matches thatDomain as specified by RFC2818
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
private static boolean matchDns(String thisDomain, String thatDomain) {
|
|
|
|
if (K9.DEBUG) {
|
2010-05-19 15:16:36 -04:00
|
|
|
Log.v(K9.LOG_TAG, "DomainNameChecker.matchDns():"
|
2010-05-30 00:17:00 -04:00
|
|
|
+ " this domain: " + thisDomain + " that domain: "
|
|
|
|
+ thatDomain);
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
|
2014-02-15 17:47:56 -05:00
|
|
|
if ((thisDomain == null) || thisDomain.isEmpty()
|
|
|
|
|| (thatDomain == null) || thatDomain.isEmpty()) {
|
2010-05-19 15:16:36 -04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2011-10-27 11:17:43 -04:00
|
|
|
thatDomain = thatDomain.toLowerCase(Locale.US);
|
2010-05-19 15:16:36 -04:00
|
|
|
|
|
|
|
// (a) domain name strings are equal, ignoring case: X matches X
|
|
|
|
boolean rval = thisDomain.equals(thatDomain);
|
2011-02-06 17:09:48 -05:00
|
|
|
if (!rval) {
|
2010-05-19 15:16:36 -04:00
|
|
|
String[] thisDomainTokens = thisDomain.split("\\.");
|
|
|
|
String[] thatDomainTokens = thatDomain.split("\\.");
|
|
|
|
|
|
|
|
int thisDomainTokensNum = thisDomainTokens.length;
|
|
|
|
int thatDomainTokensNum = thatDomainTokens.length;
|
|
|
|
|
|
|
|
// (b) OR thatHost is a '.'-suffix of thisHost: Z.Y.X matches X
|
2011-02-06 17:09:48 -05:00
|
|
|
if (thisDomainTokensNum >= thatDomainTokensNum) {
|
|
|
|
for (int i = thatDomainTokensNum - 1; i >= 0; --i) {
|
2010-05-19 15:16:36 -04:00
|
|
|
rval = thisDomainTokens[i].equals(thatDomainTokens[i]);
|
2011-02-06 17:09:48 -05:00
|
|
|
if (!rval) {
|
2010-05-19 15:16:36 -04:00
|
|
|
// (c) OR we have a special *-match:
|
|
|
|
// Z.Y.X matches *.Y.X but does not match *.X
|
|
|
|
rval = ((i == 0) && (thisDomainTokensNum == thatDomainTokensNum));
|
2011-02-06 17:09:48 -05:00
|
|
|
if (rval) {
|
2010-05-19 15:16:36 -04:00
|
|
|
rval = thatDomainTokens[0].equals("*");
|
2011-02-06 17:09:48 -05:00
|
|
|
if (!rval) {
|
2010-05-19 15:16:36 -04:00
|
|
|
// (d) OR we have a *-component match:
|
|
|
|
// f*.com matches foo.com but not bar.com
|
|
|
|
rval = domainTokenMatch(thisDomainTokens[0],
|
2010-05-30 00:17:00 -04:00
|
|
|
thatDomainTokens[0]);
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return rval;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param thisDomainToken
|
|
|
|
* The domain token from the current domain name
|
|
|
|
* @param thatDomainToken
|
|
|
|
* The domain token from the certificate
|
|
|
|
* @return True iff thisDomainToken matches thatDomainToken, using the
|
|
|
|
* wildcard match as specified by RFC2818-3.1. For example, f*.com
|
|
|
|
* must match foo.com but not bar.com
|
|
|
|
*/
|
2011-02-06 17:09:48 -05:00
|
|
|
private static boolean domainTokenMatch(String thisDomainToken, String thatDomainToken) {
|
|
|
|
if ((thisDomainToken != null) && (thatDomainToken != null)) {
|
2010-05-19 15:16:36 -04:00
|
|
|
int starIndex = thatDomainToken.indexOf('*');
|
2011-02-06 17:09:48 -05:00
|
|
|
if (starIndex >= 0) {
|
|
|
|
if (thatDomainToken.length() - 1 <= thisDomainToken.length()) {
|
2010-05-19 15:16:36 -04:00
|
|
|
String prefix = thatDomainToken.substring(0, starIndex);
|
|
|
|
String suffix = thatDomainToken.substring(starIndex + 1);
|
|
|
|
|
|
|
|
return thisDomainToken.startsWith(prefix)
|
2010-05-30 00:17:00 -04:00
|
|
|
&& thisDomainToken.endsWith(suffix);
|
2010-05-19 15:16:36 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|