Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decode Subject Alternative Names (SAN) for X.509 Certificates #610

Merged
merged 1 commit into from
Jan 20, 2025
Merged

Decode Subject Alternative Names (SAN) for X.509 Certificates #610

merged 1 commit into from
Jan 20, 2025

Conversation

arturobernalg
Copy link
Member

This implementation adds decoding for Subject Alternative Names in X.509 certificates, including:

  • DNS names handled as plain text.
  • IP addresses decoded from binary (IPv4 and IPv6 supported).
  • Fallback to hexadecimal encoding for non-standard or unknown types.

ok2c
ok2c approved these changes Jan 18, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java
@@ -355,7 +355,17 @@ static List<SubjectName> getSubjectAltNames(final X509Certificate cert, final in
if (o instanceof String) {
result.add(new SubjectName((String) o, type));
} else if (o instanceof byte[]) {
// TODO ASN.1 DER encoded form
final byte[] bytes = (byte[]) o;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg We have got to be super careful here as this method has security implications. It is better to be too strict and too lax here. I trust you know what you are doing.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg We have got to be super careful here as this method has security implications. It is better to be too strict and too lax here. I trust you know what you are doing.

@ok2c I've ensured strict validation in the updated method: DNS names now reject unexpected byte[], IP addresses only allow 4 or 16 bytes with exceptions for invalid lengths, and unrecognized types log warnings while falling back.

@arturobernalg arturobernalg requested a review from ok2c January 19, 2025 13:40
ok2c
ok2c requested changes Jan 20, 2025
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
throw new IllegalArgumentException("Invalid byte length for IP address: " + bytes.length);
}
} else if (type == SubjectName.DNS) {
throw new IllegalArgumentException("Unexpected byte[] for DNS SAN type");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg IllegalArgumentException looks really wrong here. Can we just ignore those bits that we are not able to properly recognize and handle?

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java Outdated
if (LOG.isWarnEnabled()) {
LOG.warn("Unrecognized SAN type: {}, data: {}", type, TextUtils.toHexString(bytes));
}
decodedValue = TextUtils.toHexString(bytes); // Fallback to hex string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg I would not do that. Before you know there will be so called security professionals with all sorts of hand-crafted certificates, claiming vulnerabilities in our code and demanding we issue CVE with them as a finder.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c please take another look

@arturobernalg
Decode Subject Alternative Names for IP, DNS, and binary data
aa602a1 
Supports DNS names as plain text, IPv4 and IPv6 addresses in binary form, and falls back to hex encoding for unknown types.
@arturobernalg arturobernalg merged commit ed9594a into apache:master Jan 20, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ok2c ok2c ok2c approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@arturobernalg @ok2c