From b260a116b1480df2bad2560986c60a707ea01c4f Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 24 Jul 2014 13:18:22 -0700
Subject: Stricter subject DN parsing for HTTPS hostname verification.

This switches AbstractVerifier to the DN parser used by the platform
default HostnameVerifier.

Bug: 16510257

(cherry picked from commit ec8c48dd748c81ba2cce518bf83cb9f236c30bae)

Change-Id: I8124b54801481065df5230c1277e59c5e602b2b9
---
 src/org/apache/http/conn/ssl/AbstractVerifier.java | 36 +++-------------------
 1 file changed, 4 insertions(+), 32 deletions(-)

diff --git a/src/org/apache/http/conn/ssl/AbstractVerifier.java b/src/org/apache/http/conn/ssl/AbstractVerifier.java
index 723d806..deda1d0 100644
--- a/src/org/apache/http/conn/ssl/AbstractVerifier.java
+++ b/src/org/apache/http/conn/ssl/AbstractVerifier.java
@@ -44,10 +44,10 @@ import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
-import java.util.StringTokenizer;
 import java.util.logging.Logger;
 import java.util.logging.Level;
 
+import javax.net.ssl.DistinguishedNameParser;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -202,38 +202,10 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
     }
 
     public static String[] getCNs(X509Certificate cert) {
-        LinkedList<String> cnList = new LinkedList<String>();
-        /*
-          Sebastian Hauer's original StrictSSLProtocolSocketFactory used
-          getName() and had the following comment:
+        DistinguishedNameParser dnParser =
+                new DistinguishedNameParser(cert.getSubjectX500Principal());
+        List<String> cnList = dnParser.getAllMostSpecificFirst("cn");
 
-                Parses a X.500 distinguished name for the value of the
-                "Common Name" field.  This is done a bit sloppy right
-                 now and should probably be done a bit more according to
-                <code>RFC 2253</code>.
-
-           I've noticed that toString() seems to do a better job than
-           getName() on these X500Principal objects, so I'm hoping that
-           addresses Sebastian's concern.
-
-           For example, getName() gives me this:
-           1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-
-           whereas toString() gives me this:
-           EMAILADDRESS=juliusdavies@cucbc.com
-
-           Looks like toString() even works with non-ascii domain names!
-           I tested it with "&#x82b1;&#x5b50;.co.jp" and it worked fine.
-        */
-        String subjectPrincipal = cert.getSubjectX500Principal().toString();
-        StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
-        while(st.hasMoreTokens()) {
-            String tok = st.nextToken();
-            int x = tok.indexOf("CN=");
-            if(x >= 0) {
-                cnList.add(tok.substring(x + 3));
-            }
-        }
         if(!cnList.isEmpty()) {
             String[] cns = new String[cnList.size()];
             cnList.toArray(cns);
-- 
cgit v1.2.3