package edu.internet2.middleware.shibboleth.idp.provider;
+import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.DERObject;
+import org.bouncycastle.asn1.DERObjectIdentifier;
+import org.bouncycastle.asn1.DERPrintableString;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERSet;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
private static Logger log = Logger.getLogger(BaseHandler.class.getName());
private HashSet locations = new HashSet();
-
- private static Pattern regex = Pattern.compile(".*?CN=([^,/]+).*");
+ private static final String CN_OID = "2.5.4.3";
/**
* Required DOM-based constructor.
protected static String getHostNameFromDN(X500Principal dn) {
- Matcher matches = regex.matcher(dn.getName(X500Principal.RFC2253));
- if (!matches.find() || matches.groupCount() > 1) {
- log.error("Unable to extract host name name from certificate subject DN.");
+ // Parse the ASN.1 representation of the dn and grab the last CN component that we find
+ // We used to do this with the dn string, but the JDK's default parsing caused problems with some DNs
+
+ try {
+ ASN1InputStream asn1Stream = new ASN1InputStream(dn.getEncoded());
+ DERObject parent = asn1Stream.readObject();
+
+ if (!(parent instanceof DERSequence)) {
+ log.error("Unable to extract host name name from certificate subject DN: incorrect ASN.1 encoding.");
+ return null;
+ }
+
+ String cn = null;
+ for (int i = 0; i < ((DERSequence) parent).size(); i++) {
+ DERObject dnComponent = ((DERSequence) parent).getObjectAt(i).getDERObject();
+ if (!(dnComponent instanceof DERSet)) {
+ continue;
+ }
+
+ // Each DN component is a set
+ for (int j = 0; j < ((DERSet) dnComponent).size(); j++) {
+ DERObject grandChild = ((DERSet) dnComponent).getObjectAt(j).getDERObject();
+
+ if (((DERSequence) grandChild).getObjectAt(0) != null
+ && ((DERSequence) grandChild).getObjectAt(0).getDERObject() instanceof DERObjectIdentifier) {
+ DERObjectIdentifier componentId = (DERObjectIdentifier) ((DERSequence) grandChild).getObjectAt(
+ 0).getDERObject();
+
+ if (CN_OID.equals(componentId.getId())) {
+ // OK, this dn component is actually a cn attribute
+ if (((DERSequence) grandChild).getObjectAt(1) != null
+ && ((DERSequence) grandChild).getObjectAt(1).getDERObject() instanceof DERPrintableString) {
+ cn = ((DERPrintableString) ((DERSequence) grandChild).getObjectAt(1).getDERObject())
+ .getString();
+ }
+ }
+ }
+ }
+ }
+ asn1Stream.close();
+ return cn;
+
+ } catch (IOException e) {
+ log.error("Unable to extract host name name from certificate subject DN: ASN.1 parsing failed: " + e);
return null;
}
- return matches.group(1);
}
-
}
\ No newline at end of file
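Review bot: The cast `((DERSequence) grandChild)` on the line after `DERObject grandChild = ...` is unchecked, and only `IOException` is caught, so a DN whose RDN set holds something other than a two-element sequence escapes as a ClassCastException or ArrayIndexOutOfBounds instead of the logged `null` the rest of the method returns; add `if (!(grandChild instanceof DERSequence) || ((DERSequence) grandChild).size() < 2) { continue; }` before the first cast. Restricting the value check to `DERPrintableString` also means a CN encoded as `DERUTF8String` (common in practice) is silently skipped, so the caller gets `null` or an earlier CN — worth either accepting the other BouncyCastle string types or documenting in the Javadoc that only PrintableString CNs are recognised. On the error paths `asn1Stream` is never closed, so the `close()` belongs in a `finally`. The log messages on the `log.error` lines repeat "host name name". The enclosing class continues outside the hunk.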
package edu.internet2.middleware.shibboleth.idp.provider;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
import javax.security.auth.x500.X500Principal;
import junit.framework.TestCase;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
+import edu.internet2.middleware.shibboleth.common.ShibResource;
+import edu.internet2.middleware.shibboleth.common.ShibResource.ResourceNotAvailableException;
+
/**
* Validation suite for hack to pull hostnames out of a subject DN.
*
*/
public class DNHostNameExtractionTests extends TestCase {
- //Basic
+ // Basic
String dn1 = "CN=wayf.internet2.edu,OU=TSG,O=University Corporation for Advanced Internet Development,L=Ann Arbor,ST=Michigan,C=US";
- //lowercase CN
+ // lowercase CN
String dn2 = "cn=wayf.internet2.edu,OU=TSG,O=University Corporation for Advanced Internet Development,L=Ann Arbor,ST=Michigan,C=US";
- //Multiple CNs
+ // Multiple CNs
String dn4 = "CN=wayf.internet2.edu,OU=TSG, CN=foo, O=University Corporation for Advanced Internet Development,L=Ann Arbor,ST=Michigan,C=US";
public DNHostNameExtractionTests(String name) {
}
}
+ public void testExtractionWithStrangeDN() {
+
+ try {
+ // Use the cert referenced in bugzilla #143
+ // This cert was breaking previously because of java's conversion of the dn to string form
+ KeyStore keyStore = KeyStore.getInstance("JKS");
+ keyStore.load(new ShibResource(new File("data/cnextract.jks").toURL().toString()).getInputStream(),
+ new char[]{'t', 'e', 's', 't', '1', '2', '3'});
+ X509Certificate cert = (X509Certificate) keyStore.getCertificate("scott");
+
+ FileOutputStream output = new FileOutputStream("/tmp/principal.der");
+ output.write(cert.getSubjectX500Principal().getEncoded());
+ output.close();
+
+ assertEquals("Round-trip handle validation failed on DN.", BaseHandler.getHostNameFromDN(cert
+ .getSubjectX500Principal()), "asd3.ais.ucla.edu");
+
+ } catch (ResourceNotAvailableException e) {
+ fail("Error in test specification: " + e);
+ } catch (IOException e) {
+ fail("Error in test specification: " + e);
+ } catch (NoSuchAlgorithmException e) {
+ fail("Error in test specification: " + e);
+ } catch (CertificateException e) {
+ fail("Error in test specification: " + e);
+ } catch (KeyStoreException e) {
+ fail("Error in test specification: " + e);
+ } catch (Exception e) {
+ fail("Error in test specification: " + e.getMessage());
+ }
+ }
+
}
\ No newline at end of file
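Review bot: The `FileOutputStream output = new FileOutputStream("/tmp/principal.der")` block in testExtractionWithStrangeDN writes the certificate subject to a fixed path in a shared directory on every run and is not used by the assertion; it reads as leftover debugging and should be removed, or at least replaced with `File.createTempFile(...)` if the dump is wanted. The `assertEquals` call also passes the actual value before the expected one, so a failure message will read backwards; swap to `assertEquals("...", "asd3.ais.ucla.edu", BaseHandler.getHostNameFromDN(cert.getSubjectX500Principal()))`. The trailing `catch (Exception e)` reports only `e.getMessage()`, which for the ClassCastException the parser can throw is typically null; printing `e` as the other branches do keeps the failure diagnosable.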