mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

author Chris Ridd <chris.ridd@forgerock.com>
Thursday, June 30, 2016 16:50 +0200
committer Chris Ridd <chris.ridd@forgerock.com>
Tuesday, July 12, 2016 17:19 +0200
commit 8a6e3b7ae9c25f31a5e48034171aff0e9a9ec2c2
tree 513ce7cf66503d985ddd81996368b1fda14c5813
parent df7e9d9de29829915ef9c71ce168d3c26eac3190
OPENDJ-2855 Check Subject Alt Names in the CheckHostName TrustManager

The behaviour in RFC 4513 surrounding the criticality flag for the SAN extension is not clear.

This change checks the SAN first, and will hard fail if the SAN is critical and either doesn't match the hostname, or contains uncheckable GeneralNames.

The fallback to the popular (but very deprecated) hack of looking for the lowest CN in the subjectDN is only performed if the SAN is non-critical and does not match.

InetAddressValidator is added from the Apache Validator project.
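As an added illustration (not the commit's code and not OpenDJ's TrustManagers), the policy described in the message can be expressed against a JDK X509Certificate like this. The class name, the reading of "lowest CN" as the leftmost CN of the subject DN, and the exact case-insensitive name comparison are assumptions; wildcard labels and IP-literal detection (the job InetAddressValidator does in the commit) are left out.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Illustrative SAN-first hostname check following the commit message; not OpenDJ's code. */
public final class SanFirstHostnameCheck {
    private static final String SAN_OID = "2.5.29.17";  // id-ce-subjectAltName
    private static final int DNS_NAME = 2;              // GeneralName tag for dNSName
    private static final int IP_ADDRESS = 7;            // GeneralName tag for iPAddress

    /** Throws unless {@code cert} may be accepted for {@code host} under the SAN-first policy. */
    public static void check(String host, X509Certificate cert) throws CertificateException {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean sanCritical = critical != null && critical.contains(SAN_OID);
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();  // null when absent
        if (sans != null) {
            boolean matched = false, uncheckable = false;
            for (List<?> gn : sans) {
                int tag = (Integer) gn.get(0);
                // dNSName and iPAddress are delivered as strings; everything else cannot be checked here.
                if (tag == DNS_NAME || tag == IP_ADDRESS) matched |= host.equalsIgnoreCase((String) gn.get(1));
                else uncheckable = true;  // rfc822Name, URI, otherName, ...
            }
            // Critical SAN: hard fail on no match OR on any GeneralName we could not evaluate.
            if (sanCritical && (!matched || uncheckable)) {
                throw new CertificateException("critical SAN rejected for " + host);
            }
            if (matched) return;  // SAN matched; the subject CN is never consulted.
        }
        String cn = lowestCn(cert);  // non-critical or absent SAN without a match: legacy CN fallback
        if (cn == null || !host.equalsIgnoreCase(cn)) {
            throw new CertificateException("neither SAN nor CN matches " + host);
        }
    }

    /** Leftmost CN of the subject DN; LdapName lists RDNs root-first, so walk from the end. */
    private static String lowestCn(X509Certificate cert) throws CertificateException {
        try {
            List<Rdn> rdns = new LdapName(cert.getSubjectX500Principal().getName()).getRdns();
            for (int i = rdns.size() - 1; i >= 0; i--) {
                if ("CN".equalsIgnoreCase(rdns.get(i).getType())) return rdns.get(i).getValue().toString();
            }
            return null;
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
    }
}
```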
15 files added, 2 files modified, 965 lines changed
opendj-core/src/main/java/org/forgerock/opendj/ldap/InetAddressValidator.java (217 lines)
opendj-core/src/main/java/org/forgerock/opendj/ldap/TrustManagers.java (282 lines)
opendj-core/src/main/resources/com/forgerock/opendj/ldap/core.properties (9 lines)
opendj-core/src/test/java/org/forgerock/opendj/ldap/TrustManagersTestCase.java (218 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert1.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert10.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert11.pem (19 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert12.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert13.pem (20 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert2.pem (19 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert3.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert4.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert5.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert6.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert7.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert8.pem (18 lines)
opendj-core/src/test/resources/org.forgerock.opendj.ldap.TrustManagers/cert9.pem (19 lines)