View Javadoc
1   /*
2    * ====================================================================
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *   http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing,
14   * software distributed under the License is distributed on an
15   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16   * KIND, either express or implied.  See the License for the
17   * specific language governing permissions and limitations
18   * under the License.
19   * ====================================================================
20   *
21   * This software consists of voluntary contributions made by many
22   * individuals on behalf of the Apache Software Foundation.  For more
23   * information on the Apache Software Foundation, please see
24   * <http://www.apache.org/>.
25   *
26   */
27  
28  package org.apache.hc.client5.http.ssl;
29  
30  import org.apache.hc.client5.http.psl.DomainType;
31  import org.apache.hc.client5.http.psl.PublicSuffixList;
32  import org.apache.hc.client5.http.psl.PublicSuffixListParser;
33  import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
34  import org.junit.Assert;
35  import org.junit.Before;
36  import org.junit.Test;
37  
38  import javax.net.ssl.SSLException;
39  import java.io.ByteArrayInputStream;
40  import java.io.IOException;
41  import java.io.InputStream;
42  import java.io.InputStreamReader;
43  import java.nio.charset.StandardCharsets;
44  import java.security.cert.CertificateFactory;
45  import java.security.cert.X509Certificate;
46  import java.util.Arrays;
47  import java.util.Collections;
48  import java.util.List;
49  
50  /**
51   * Unit tests for {@link org.apache.hc.client5.http.ssl.DefaultHostnameVerifier}.
52   */
53  public class TestDefaultHostnameVerifier {
54  
55      private DefaultHostnameVerifier impl;
56      private PublicSuffixMatcher publicSuffixMatcher;
57      private DefaultHostnameVerifier implWithPublicSuffixCheck;
58  
59      private static final String PUBLIC_SUFFIX_MATCHER_SOURCE_FILE = "suffixlistmatcher.txt";
60  
61      @Before
62      public void setup() throws IOException {
63          impl = new DefaultHostnameVerifier();
64  
65          // Load the test PublicSuffixMatcher
66          final ClassLoader classLoader = getClass().getClassLoader();
67          final InputStream in = classLoader.getResourceAsStream(PUBLIC_SUFFIX_MATCHER_SOURCE_FILE);
68          Assert.assertNotNull(in);
69          final List<PublicSuffixList> lists = new PublicSuffixListParser().parseByType(
70                  new InputStreamReader(in, StandardCharsets.UTF_8));
71          publicSuffixMatcher = new PublicSuffixMatcher(lists);
72  
73          implWithPublicSuffixCheck = new DefaultHostnameVerifier(publicSuffixMatcher);
74      }
75  
76      @Test
77      public void testVerify() throws Exception {
78          final CertificateFactory cf = CertificateFactory.getInstance("X.509");
79          InputStream in;
80          X509Certificate x509;
81          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO);
82          x509 = (X509Certificate) cf.generateCertificate(in);
83  
84          impl.verify("foo.com", x509);
85          exceptionPlease(impl, "a.foo.com", x509);
86          exceptionPlease(impl, "bar.com", x509);
87  
88          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_HANAKO);
89          x509 = (X509Certificate) cf.generateCertificate(in);
90          impl.verify("\u82b1\u5b50.co.jp", x509);
91          exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
92  
93          in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO_BAR);
94          x509 = (X509Certificate) cf.generateCertificate(in);
95          exceptionPlease(impl, "foo.com", x509);
96          exceptionPlease(impl, "a.foo.com", x509);
97          impl.verify("bar.com", x509);
98          exceptionPlease(impl, "a.bar.com", x509);
99  
100         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_FOO_BAR_HANAKO);
101         x509 = (X509Certificate) cf.generateCertificate(in);
102         exceptionPlease(impl, "foo.com", x509);
103         exceptionPlease(impl, "a.foo.com", x509);
104         impl.verify("bar.com", x509);
105         exceptionPlease(impl, "a.bar.com", x509);
106 
107         /*
108            Java isn't extracting international subjectAlts properly.  (Or
109            OpenSSL isn't storing them properly).
110         */
111         // DEFAULT.verify("\u82b1\u5b50.co.jp", x509 );
112         // impl.verify("\u82b1\u5b50.co.jp", x509 );
113         exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
114 
115         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_NO_CNS_FOO);
116         x509 = (X509Certificate) cf.generateCertificate(in);
117         impl.verify("foo.com", x509);
118         exceptionPlease(impl, "a.foo.com", x509);
119 
120         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_NO_CNS_FOO);
121         x509 = (X509Certificate) cf.generateCertificate(in);
122         impl.verify("foo.com", x509);
123         exceptionPlease(impl, "a.foo.com", x509);
124 
125         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_THREE_CNS_FOO_BAR_HANAKO);
126         x509 = (X509Certificate) cf.generateCertificate(in);
127         exceptionPlease(impl, "foo.com", x509);
128         exceptionPlease(impl, "a.foo.com", x509);
129         exceptionPlease(impl, "bar.com", x509);
130         exceptionPlease(impl, "a.bar.com", x509);
131         impl.verify("\u82b1\u5b50.co.jp", x509);
132         exceptionPlease(impl, "a.\u82b1\u5b50.co.jp", x509);
133 
134         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_FOO);
135         x509 = (X509Certificate) cf.generateCertificate(in);
136         exceptionPlease(impl, "foo.com", x509);
137         impl.verify("www.foo.com", x509);
138         impl.verify("\u82b1\u5b50.foo.com", x509);
139         exceptionPlease(impl, "a.b.foo.com", x509);
140 
141         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_CO_JP);
142         x509 = (X509Certificate) cf.generateCertificate(in);
143         // Silly test because no-one would ever be able to lookup an IP address
144         // using "*.co.jp".
145         impl.verify("*.co.jp", x509);
146         impl.verify("foo.co.jp", x509);
147         impl.verify("\u82b1\u5b50.co.jp", x509);
148 
149         exceptionPlease(implWithPublicSuffixCheck, "foo.co.jp", x509);
150         exceptionPlease(implWithPublicSuffixCheck, "\u82b1\u5b50.co.jp", x509);
151 
152         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_WILD_FOO_BAR_HANAKO);
153         x509 = (X509Certificate) cf.generateCertificate(in);
154         // try the foo.com variations
155         exceptionPlease(impl, "foo.com", x509);
156         exceptionPlease(impl, "www.foo.com", x509);
157         exceptionPlease(impl, "\u82b1\u5b50.foo.com", x509);
158         exceptionPlease(impl, "a.b.foo.com", x509);
159         // try the bar.com variations
160         exceptionPlease(impl, "bar.com", x509);
161         impl.verify("www.bar.com", x509);
162         impl.verify("\u82b1\u5b50.bar.com", x509);
163         exceptionPlease(impl, "a.b.bar.com", x509);
164 
165         in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_VALUE_AVA);
166         x509 = (X509Certificate) cf.generateCertificate(in);
167         impl.verify("repository.infonotary.com", x509);
168 
169         in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM);
170         x509 = (X509Certificate) cf.generateCertificate(in);
171         impl.verify("*.google.com", x509);
172 
173         in = new ByteArrayInputStream(CertificatesToPlayWith.S_GOOGLE_COM);
174         x509 = (X509Certificate) cf.generateCertificate(in);
175         impl.verify("*.Google.com", x509);
176 
177         in = new ByteArrayInputStream(CertificatesToPlayWith.IP_1_1_1_1);
178         x509 = (X509Certificate) cf.generateCertificate(in);
179         impl.verify("1.1.1.1", x509);
180         impl.verify("dummy-value.com", x509);
181 
182         exceptionPlease(impl, "1.1.1.2", x509);
183         exceptionPlease(impl, "not-the-cn.com", x509);
184 
185         in = new ByteArrayInputStream(CertificatesToPlayWith.EMAIL_ALT_SUBJECT_NAME);
186         x509 = (X509Certificate) cf.generateCertificate(in);
187         impl.verify("www.company.com", x509);
188     }
189 
190     @Test
191     public void testSubjectAlt() throws Exception {
192         final CertificateFactory cf = CertificateFactory.getInstance("X.509");
193         final InputStream in = new ByteArrayInputStream(CertificatesToPlayWith.X509_MULTIPLE_SUBJECT_ALT);
194         final X509Certificate x509 = (X509Certificate) cf.generateCertificate(in);
195 
196         Assert.assertEquals("CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=CH",
197                 x509.getSubjectDN().getName());
198 
199         impl.verify("localhost.localdomain", x509);
200         impl.verify("127.0.0.1", x509);
201 
202         try {
203             impl.verify("localhost", x509);
204             Assert.fail("SSLException should have been thrown");
205         } catch (final SSLException ex) {
206             // expected
207         }
208         try {
209             impl.verify("local.host", x509);
210             Assert.fail("SSLException should have been thrown");
211         } catch (final SSLException ex) {
212             // expected
213         }
214         try {
215             impl.verify("127.0.0.2", x509);
216             Assert.fail("SSLException should have been thrown");
217         } catch (final SSLException ex) {
218             // expected
219         }
220     }
221 
222     public void exceptionPlease(final DefaultHostnameVerifier hv, final String host,
223                                 final X509Certificate x509) {
224         try {
225             hv.verify(host, x509);
226             Assert.fail("HostnameVerifier shouldn't allow [" + host + "]");
227         }
228         catch(final SSLException e) {
229             // whew!  we're okay!
230         }
231     }
232 
233     @Test
234     public void testDomainRootMatching() {
235 
236         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", null));
237         Assert.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "a.b.c"));
238         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("aa.b.c", "a.b.c"));
239         Assert.assertFalse(DefaultHostnameVerifier.matchDomainRoot("a.b.c", "aa.b.c"));
240         Assert.assertTrue(DefaultHostnameVerifier.matchDomainRoot("a.a.b.c", "a.b.c"));
241     }
242 
243     @Test
244     public void testIdentityMatching() {
245 
246         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.b.c"));
247         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.b.c"));
248 
249         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.b.c", "*.b.c"));
250         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.b.c", "*.b.c")); // subdomain not OK
251 
252         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.gov.uk", "*.gov.uk", publicSuffixMatcher));
253         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.gov.uk", "*.gov.uk", publicSuffixMatcher));  // Bad 2TLD
254 
255         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "*.a.gov.uk", publicSuffixMatcher));
256         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "*.a.gov.uk", publicSuffixMatcher));
257 
258         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "*.gov.uk", publicSuffixMatcher));
259         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "*.gov.uk", publicSuffixMatcher));  // BBad 2TLD/no subdomain allowed
260 
261         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.gov.com", "*.gov.com", publicSuffixMatcher));
262         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.gov.com", "*.gov.com", publicSuffixMatcher));
263 
264         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("s.a.gov.com", "*.gov.com", publicSuffixMatcher));
265         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.com", "*.gov.com", publicSuffixMatcher)); // no subdomain allowed
266 
267         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.gov.uk", "a*.gov.uk", publicSuffixMatcher));
268         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD
269 
270         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("s.a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD
271         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("s.a.gov.uk", "a*.gov.uk", publicSuffixMatcher)); // Bad 2TLD/no subdomain allowed
272 
273         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.b.*"));
274         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.b.*"));
275 
276         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity("a.b.c", "*.*.c"));
277         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "*.*.c"));
278     }
279 
280     @Test
281     public void testHTTPCLIENT_1097() {
282         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.b.c", "a*.b.c"));
283         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("a.b.c", "a*.b.c"));
284 
285         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("a.a.b.c", "a*.b.c"));
286         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict("a.a.b.c", "a*.b.c"));
287     }
288 
289     @Test
290     public void testHTTPCLIENT_1255() {
291         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity("mail.a.b.c.com", "m*.a.b.c.com"));
292         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict("mail.a.b.c.com", "m*.a.b.c.com"));
293     }
294 
295     @Test
296     public void testHTTPCLIENT_1997_ANY() { // Only True on all domains
297         String domain;
298         // Unknown
299         domain = "dev.b.cloud.a";
300         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain));
301         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain));
302         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
303         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
304 
305         // ICANN
306         domain = "dev.b.cloud.com";
307         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain));
308         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain));
309         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
310         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
311 
312         // PRIVATE
313         domain = "dev.b.cloud.lan";
314         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain));
315         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain));
316         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
317         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher));
318     }
319 
320     @Test
321     public void testHTTPCLIENT_1997_ICANN() { // Only True on ICANN domains
322         String domain;
323         // Unknown
324         domain = "dev.b.cloud.a";
325         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
326         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
327 
328         // ICANN
329         domain = "dev.b.cloud.com";
330         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
331         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
332 
333         // PRIVATE
334         domain = "dev.b.cloud.lan";
335         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
336         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.ICANN));
337     }
338 
339     @Test
340     public void testHTTPCLIENT_1997_PRIVATE() { // Only True on PRIVATE domains
341         String domain;
342         // Unknown
343         domain = "dev.b.cloud.a";
344         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
345         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
346 
347         // ICANN
348         domain = "dev.b.cloud.com";
349         Assert.assertFalse(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
350         Assert.assertFalse(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
351 
352         // PRIVATE
353         domain = "dev.b.cloud.lan";
354         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
355         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.PRIVATE));
356     }
357 
358     @Test
359     public void testHTTPCLIENT_1997_UNKNOWN() { // Only True on all domains (same as ANY)
360         String domain;
361         // Unknown
362         domain = "dev.b.cloud.a";
363         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
364         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
365 
366         // ICANN
367         domain = "dev.b.cloud.com";
368         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
369         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
370 
371         // PRIVATE
372         domain = "dev.b.cloud.lan";
373         Assert.assertTrue(DefaultHostnameVerifier.matchIdentity(        "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
374         Assert.assertTrue(DefaultHostnameVerifier.matchIdentityStrict(  "service.apps." + domain, "*.apps." + domain, publicSuffixMatcher, DomainType.UNKNOWN));
375     }
376 
377     @Test // Check compressed IPv6 hostname matching
378     public void testHTTPCLIENT_1316() throws Exception{
379         final String host1 = "2001:0db8:aaaa:bbbb:cccc:0:0:0001";
380         DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001")));
381         DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1")));
382         try {
383             DefaultHostnameVerifier.matchIPv6Address(host1, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10")));
384             Assert.fail("SSLException expected");
385         } catch (final SSLException expected) {
386         }
387         final String host2 = "2001:0db8:aaaa:bbbb:cccc::1";
388         DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc:0:0:0001")));
389         DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::1")));
390         try {
391             DefaultHostnameVerifier.matchIPv6Address(host2, Arrays.asList(SubjectName.IP("2001:0db8:aaaa:bbbb:cccc::10")));
392             Assert.fail("SSLException expected");
393         } catch (final SSLException expected) {
394         }
395     }
396 
397     @Test
398     public void testHTTPCLIENT_2149() throws Exception {
399         final CertificateFactory cf = CertificateFactory.getInstance("X.509");
400         final InputStream in = new ByteArrayInputStream(CertificatesToPlayWith.SUBJECT_ALT_IP_ONLY);
401         final X509Certificate x509 = (X509Certificate) cf.generateCertificate(in);
402 
403         Assert.assertEquals("CN=www.foo.com", x509.getSubjectDN().getName());
404 
405         impl.verify("127.0.0.1", x509);
406         impl.verify("www.foo.com", x509);
407 
408         exceptionPlease(impl, "127.0.0.2", x509);
409         exceptionPlease(impl, "www.bar.com", x509);
410     }
411 
412     @Test
413     public void testExtractCN() throws Exception {
414         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=blah, ou=blah, o=blah"));
415         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=blah, cn=yada, cn=booh"));
416         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("c = pampa ,  cn  =    blah    , ou = blah , o = blah"));
417         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("cn=\"blah\", ou=blah, o=blah"));
418         Assert.assertEquals("blah  blah", DefaultHostnameVerifier.extractCN("cn=\"blah  blah\", ou=blah, o=blah"));
419         Assert.assertEquals("blah, blah", DefaultHostnameVerifier.extractCN("cn=\"blah, blah\", ou=blah, o=blah"));
420         Assert.assertEquals("blah, blah", DefaultHostnameVerifier.extractCN("cn=blah\\, blah, ou=blah, o=blah"));
421         Assert.assertEquals("blah", DefaultHostnameVerifier.extractCN("c = cn=uuh, cn=blah, ou=blah, o=blah"));
422         try {
423             DefaultHostnameVerifier.extractCN("blah,blah");
424             Assert.fail("SSLException expected");
425         } catch (final SSLException expected) {
426         }
427         try {
428             DefaultHostnameVerifier.extractCN("cn,o=blah");
429             Assert.fail("SSLException expected");
430         } catch (final SSLException expected) {
431         }
432     }
433 
434     @Test
435     public void testMatchDNSName() throws Exception {
436         DefaultHostnameVerifier.matchDNSName(
437                 "host.domain.com",
438                 Collections.singletonList(SubjectName.DNS("*.domain.com")),
439                 publicSuffixMatcher);
440         DefaultHostnameVerifier.matchDNSName(
441                 "host.xx",
442                 Collections.singletonList(SubjectName.DNS("*.xx")),
443                 publicSuffixMatcher);
444         DefaultHostnameVerifier.matchDNSName(
445                 "host.appspot.com",
446                 Collections.singletonList(SubjectName.DNS("*.appspot.com")),
447                 publicSuffixMatcher);
448         DefaultHostnameVerifier.matchDNSName(
449                 "demo-s3-bucket.s3.eu-central-1.amazonaws.com",
450                 Collections.singletonList(SubjectName.DNS("*.s3.eu-central-1.amazonaws.com")),
451                 publicSuffixMatcher);
452         DefaultHostnameVerifier.matchDNSName(
453                 "hostname-workspace-1.local",
454                 Collections.singletonList(SubjectName.DNS("hostname-workspace-1.local")),
455                 publicSuffixMatcher);
456 
457         try {
458             DefaultHostnameVerifier.matchDNSName(
459                 "host.domain.com",
460                 Collections.singletonList(SubjectName.DNS("some.other.com")),
461                 publicSuffixMatcher);
462             Assert.fail("SSLException should have been thrown");
463         } catch (final SSLException ex) {
464             // expected
465         }
466     }
467 
468 }