From 49afa38b71b7b64d549660ff9cb19eaaa70cb662 Mon Sep 17 00:00:00 2001 From: Daniel Gultsch Date: Tue, 1 Apr 2025 19:10:39 +0200 Subject: [PATCH] wildcard certificates only match one label Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com --- .../crypto/DomainHostnameVerifier.java | 11 ----- .../crypto/XmppDomainVerifier.java | 41 ++++++++----------- 2 files changed, 16 insertions(+), 36 deletions(-) delete mode 100644 src/main/java/eu/siacs/conversations/crypto/DomainHostnameVerifier.java diff --git a/src/main/java/eu/siacs/conversations/crypto/DomainHostnameVerifier.java b/src/main/java/eu/siacs/conversations/crypto/DomainHostnameVerifier.java deleted file mode 100644 index 4349db45ebb624d62def3269e0295b0b038ad0fa..0000000000000000000000000000000000000000 --- a/src/main/java/eu/siacs/conversations/crypto/DomainHostnameVerifier.java +++ /dev/null @@ -1,11 +0,0 @@ -package eu.siacs.conversations.crypto; - -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.SSLPeerUnverifiedException; -import javax.net.ssl.SSLSession; - -public interface DomainHostnameVerifier extends HostnameVerifier { - - boolean verify(String domain, String hostname, SSLSession sslSession) throws SSLPeerUnverifiedException; - -} diff --git a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java index 4e43dd93ab487f9159c7261d3aca2c8509b9b5a4..a0b36985e3cd3fe6d298ee69335711dc34e0ec12 100644 --- a/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java +++ b/src/main/java/eu/siacs/conversations/crypto/XmppDomainVerifier.java @@ -2,22 +2,8 @@ package eu.siacs.conversations.crypto; import android.util.Log; import android.util.Pair; - import com.google.common.base.MoreObjects; import com.google.common.collect.ImmutableList; - -import org.bouncycastle.asn1.ASN1Object; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1TaggedObject; -import org.bouncycastle.asn1.DERIA5String; -import org.bouncycastle.asn1.DERUTF8String; -import org.bouncycastle.asn1.DLSequence; -import org.bouncycastle.asn1.x500.RDN; -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x500.style.BCStyle; -import org.bouncycastle.asn1.x500.style.IETFUtils; -import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; - import java.io.IOException; import java.net.IDN; import java.security.cert.Certificate; @@ -28,9 +14,19 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; import java.util.Locale; - import javax.net.ssl.SSLPeerUnverifiedException; import javax.net.ssl.SSLSession; +import org.bouncycastle.asn1.ASN1Object; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERIA5String; +import org.bouncycastle.asn1.DERUTF8String; +import org.bouncycastle.asn1.DLSequence; +import org.bouncycastle.asn1.x500.RDN; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; public class XmppDomainVerifier { @@ -82,16 +78,11 @@ public class XmppDomainVerifier { public static boolean matchDomain(final String needle, final List haystack) { for (final String entry : haystack) { if (entry.startsWith("*.")) { - int offset = 0; - while (offset < needle.length()) { - int i = needle.indexOf('.', offset); - if (i < 0) { - break; - } - if (needle.substring(i).equalsIgnoreCase(entry.substring(1))) { - return true; - } - offset = i + 1; + // https://www.rfc-editor.org/rfc/rfc6125#section-6.4.3 + // wild cards can only be in the left most label and don’t match '.' + final int i = needle.indexOf('.'); + if (i != -1 && needle.substring(i).equalsIgnoreCase(entry.substring(1))) { + return true; } } else { if (entry.equalsIgnoreCase(needle)) {