Removed DN parsing code duplication.
[java-idp.git] / src / edu / internet2 / middleware / shibboleth / common / provider / ShibbolethTrust.java
index 8a97602..81018a6 100644 (file)
@@ -26,6 +26,7 @@
 package edu.internet2.middleware.shibboleth.common.provider;
 
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathValidator;
@@ -48,8 +49,6 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import javax.security.auth.x500.X500Principal;
 
@@ -60,6 +59,12 @@ import org.apache.xml.security.keys.content.KeyName;
 import org.apache.xml.security.keys.content.X509Data;
 import org.apache.xml.security.keys.content.x509.XMLX509CRL;
 import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.DERObject;
+import org.bouncycastle.asn1.DERObjectIdentifier;
+import org.bouncycastle.asn1.DERPrintableString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERSet;
 import org.opensaml.SAMLException;
 import org.opensaml.SAMLSignedObject;
 
@@ -81,7 +86,7 @@ import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
 public class ShibbolethTrust extends BasicTrust implements Trust {
 
        private static Logger log = Logger.getLogger(ShibbolethTrust.class.getName());
-       private static Pattern regex = Pattern.compile(".*?CN=([^,/]+).*");
+       private static final String CN_OID = "2.5.4.3";
 
        /*
         * @see edu.internet2.middleware.shibboleth.common.Trust#validate(java.security.cert.X509Certificate,
@@ -397,14 +402,54 @@ public class ShibbolethTrust extends BasicTrust implements Trust {
                return false;
        }
 
-       private static String getHostNameFromDN(X500Principal dn) {
+       public static String getHostNameFromDN(X500Principal dn) {
 
-               Matcher matches = regex.matcher(dn.getName(X500Principal.RFC2253));
-               if (!matches.find() || matches.groupCount() > 1) {
-                       log.error("Unable to extract host name name from certificate subject DN.");
+               // Parse the ASN.1 representation of the dn and grab the last CN component that we find
+               // We used to do this with the dn string, but the JDK's default parsing caused problems with some DNs
+
+               try {
+                       ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
+                       DERObject parent = asn1Stream.readObject();
+
+                       if (!(parent instanceof DERSequence)) {
+                               log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
+                               return null;
+                       }
+
+                       String cn = null;
+                       for (int i = 0; i < ((DERSequence) parent).size(); i++) {
+                               DERObject dnComponent = ((DERSequence) parent).getObjectAt(i).getDERObject();
+                               if (!(dnComponent instanceof DERSet)) {
+                                       continue;
+                               }
+
+                               // Each DN component is a set
+                               for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
+                                       DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
+
+                                       if (((DERSequence) grandChild).getObjectAt(0) != null
+                                                       && ((DERSequence) grandChild).getObjectAt(0).getDERObject() instanceof DERObjectIdentifier) {
+                                               DERObjectIdentifier componentId = (DERObjectIdentifier) ((DERSequence) grandChild).getObjectAt(
+                                                               0).getDERObject();
+
+                                               if (CN_OID.equals(componentId.getId())) {
+                                                       // OK, this dn component is actually a cn attribute
+                                                       if (((DERSequence) grandChild).getObjectAt(1) != null
+                                                                       && ((DERSequence) grandChild).getObjectAt(1).getDERObject() instanceof DERPrintableString) {
+                                                               cn = ((DERPrintableString) ((DERSequence) grandChild).getObjectAt(1).getDERObject())
+                                                                               .getString();
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+                       asn1Stream.close();
+                       return cn;
+
+               } catch (IOException e) {
+                       log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
                        return null;
                }
-               return matches.group(1);
        }
 
 }
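Review bot: The CN value test `getDERObject() instanceof DERPrintableString` only accepts PrintableString, so a subject whose CN is encoded as UTF8String — the encoding RFC 5280 prescribes for new certificates, and a common one in practice — leaves `cn` null and the caller (outside this hunk) gets no host name for that certificate; testing against Bouncy Castle's `DERString` interface instead (implemented by the printable, UTF8 and IA5 string types in BC releases of this era; it would need an import next to the other `org.bouncycastle.asn1` imports added in this commit) accepts all of them. The `((DERSequence) grandChild)` casts are also performed with no `instanceof` check, so a malformed RDN element surfaces as an uncaught ClassCastException rather than the `null` the method otherwise returns, and the `getObjectAt(1) != null` test likely does not guard a one-element AVA, since BC's sequence accessor indexes a backing Vector and would throw before returning null — a `size() < 2` check is safer. `asn1Stream.close()` is skipped by the early `return null` and by the exception path, so it belongs in a `finally`. The two log messages added here also carry the typo "host name name".
```java
	public static String getHostNameFromDN(X500Principal dn) {
		ASN1InputStream asn1Stream = null;
		try {
			asn1Stream = new ASN1InputStream(dn.getEncoded());
			// … unchanged: read parent, DERSequence check, outer loop over the DERSet RDN components …
				for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
					DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
					// A malformed AVA would otherwise surface as an uncaught ClassCastException
					if (!(grandChild instanceof DERSequence) || ((DERSequence) grandChild).size() < 2) {
						continue;
					}
					DERObject type = ((DERSequence) grandChild).getObjectAt(0).getDERObject();
					DERObject value = ((DERSequence) grandChild).getObjectAt(1).getDERObject();
					// Any ASN.1 string type may carry a CN (UTF8String is the RFC 5280 default), not only PrintableString
					if (type instanceof DERObjectIdentifier && CN_OID.equals(((DERObjectIdentifier) type).getId())
							&& value instanceof DERString) {
						cn = ((DERString) value).getString();
					}
				}
			// … unchanged: end of outer loop …
			return cn;
		} catch (IOException e) {
			log.error("Unable to extract host name from certificate subject DN: ASN.1 parsing failed: " + e);
			return null;
		} finally {
			// Close on every exit path, including the early return and the exception path
			if (asn1Stream != null) {
				try {
					asn1Stream.close();
				} catch (IOException ignored) {
					// stream is backed by an in-memory byte array; nothing to recover
				}
			}
		}
	}
```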
\ No newline at end of file