rev 13439 : 8213952: Relax DNSName restriction as per RFC 1123
Reviewed-by: weijun, mullan, chegar

   1 /*
   2  * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.x509;
  27 
  28 import java.io.IOException;
  29 import java.net.URI;
  30 import java.net.URISyntaxException;
  31 
  32 import sun.security.util.*;
  33 
  34 /**
  35  * This class implements the URIName as required by the GeneralNames
  36  * ASN.1 object.
  37  * <p>
  38  * [RFC3280] When the subjectAltName extension contains a URI, the name MUST be
  39  * stored in the uniformResourceIdentifier (an IA5String). The name MUST
  40  * be a non-relative URL, and MUST follow the URL syntax and encoding
  41  * rules specified in [RFC 1738].  The name must include both a scheme
  42  * (e.g., "http" or "ftp") and a scheme-specific-part.  The scheme-
  43  * specific-part must include a fully qualified domain name or IP
  44  * address as the host.
  45  * <p>
  46  * As specified in [RFC 1738], the scheme name is not case-sensitive
  47  * (e.g., "http" is equivalent to "HTTP").  The host part is also not
  48  * case-sensitive, but other components of the scheme-specific-part may
  49  * be case-sensitive. When comparing URIs, conforming implementations
  50  * MUST compare the scheme and host without regard to case, but assume
  51  * the remainder of the scheme-specific-part is case sensitive.
  52  * <p>
  53  * [RFC1738] In general, URLs are written as follows:
  54  * <pre>
  55  * <scheme>:<scheme-specific-part>
  56  * </pre>
  57  * A URL contains the name of the scheme being used (<scheme>) followed
  58  * by a colon and then a string (the <scheme-specific-part>) whose
  59  * interpretation depends on the scheme.
  60  * <p>
  61  * While the syntax for the rest of the URL may vary depending on the
  62  * particular scheme selected, URL schemes that involve the direct use
  63  * of an IP-based protocol to a specified host on the Internet use a
  64  * common syntax for the scheme-specific data:
  65  * <pre>
  66  * //<user>:<password>@<host>:<port>/<url-path>
  67  * </pre>
  68  * [RFC2732] specifies that an IPv6 address contained inside a URL
  69  * must be enclosed in square brackets (to allow distinguishing the
  70  * colons that separate IPv6 components from the colons that separate
  71  * scheme-specific data.
  72  * <p>
  73  * @author Amit Kapoor
  74  * @author Hemma Prafullchandra
  75  * @author Sean Mullan
  76  * @author Steve Hanna
  77  * @see GeneralName
  78  * @see GeneralNames
  79  * @see GeneralNameInterface
  80  */
  81 public class URIName implements GeneralNameInterface {
  82 
  83     // private attributes
  84     private URI uri;
  85     private String host;
  86     private DNSName hostDNS;
  87     private IPAddressName hostIP;
  88 
  89     /**
  90      * Create the URIName object from the passed encoded Der value.
  91      *
  92      * @param derValue the encoded DER URIName.
  93      * @exception IOException on error.
  94      */
  95     public URIName(DerValue derValue) throws IOException {
  96         this(derValue.getIA5String());
  97     }
  98 
  99     /**
 100      * Create the URIName object with the specified name.
 101      *
 102      * @param name the URIName.
 103      * @throws IOException if name is not a proper URIName
 104      */
 105     public URIName(String name) throws IOException {
 106         try {
 107             uri = new URI(name);
 108         } catch (URISyntaxException use) {
 109             throw new IOException("invalid URI name:" + name, use);
 110         }
 111         if (uri.getScheme() == null) {
 112             throw new IOException("URI name must include scheme:" + name);
 113         }
 114 
 115         host = uri.getHost();
 116         // RFC 3280 says that the host should be non-null, but we allow it to
 117         // be null because some widely deployed certificates contain CDP
 118         // extensions with URIs that have no hostname (see bugs 4802236 and
 119         // 5107944).
 120         if (host != null) {
 121             if (host.charAt(0) == '[') {
 122                 // Verify host is a valid IPv6 address name
 123                 String ipV6Host = host.substring(1, host.length()-1);
 124                 try {
 125                     hostIP = new IPAddressName(ipV6Host);
 126                 } catch (IOException ioe) {
 127                     throw new IOException("invalid URI name (host " +
 128                         "portion is not a valid IPv6 address):" + name);
 129                 }
 130             } else {
 131                 try {
 132                     hostDNS = new DNSName(host);
 133                 } catch (IOException ioe) {
 134                     // Not a valid DNSName; see if it is a valid IPv4
 135                     // IPAddressName
 136                     try {
 137                         hostIP = new IPAddressName(host);
 138                     } catch (Exception ioe2) {
 139                         throw new IOException("invalid URI name (host " +
 140                             "portion is not a valid DNSName, IPv4 address," +
 141                             " or IPv6 address):" + name);
 142                     }
 143                 }
 144             }
 145         }
 146     }
 147 
 148     /**
 149      * Create the URIName object with the specified name constraint. URI
 150      * name constraints syntax is different than SubjectAltNames, etc. See
 151      * 4.2.1.11 of RFC 3280.
 152      *
 153      * @param value the URI name constraint
 154      * @throws IOException if name is not a proper URI name constraint
 155      */
 156     public static URIName nameConstraint(DerValue value) throws IOException {
 157         URI uri;
 158         String name = value.getIA5String();
 159         try {
 160             uri = new URI(name);
 161         } catch (URISyntaxException use) {
 162             throw new IOException("invalid URI name constraint:" + name, use);
 163         }
 164         if (uri.getScheme() == null) {
 165             String host = uri.getSchemeSpecificPart();
 166             try {
 167                 DNSName hostDNS;
 168                 if (host.startsWith(".")) {
 169                     hostDNS = new DNSName(host.substring(1));
 170                 } else {
 171                     hostDNS = new DNSName(host);
 172                 }
 173                 return new URIName(uri, host, hostDNS);
 174             } catch (IOException ioe) {
 175                 throw new IOException("invalid URI name constraint:" + name, ioe);
 176             }
 177         } else {
 178             throw new IOException("invalid URI name constraint (should not " +
 179                 "include scheme):" + name);
 180         }
 181     }
 182 
 183     URIName(URI uri, String host, DNSName hostDNS) {
 184         this.uri = uri;
 185         this.host = host;
 186         this.hostDNS = hostDNS;
 187     }
 188 
 189     /**
 190      * Return the type of the GeneralName.
 191      */
 192     public int getType() {
 193         return GeneralNameInterface.NAME_URI;
 194     }
 195 
 196     /**
 197      * Encode the URI name into the DerOutputStream.
 198      *
 199      * @param out the DER stream to encode the URIName to.
 200      * @exception IOException on encoding errors.
 201      */
 202     public void encode(DerOutputStream out) throws IOException {
 203         out.putIA5String(uri.toASCIIString());
 204     }
 205 
 206     /**
 207      * Convert the name into user readable string.
 208      */
 209     public String toString() {
 210         return "URIName: " + uri.toString();
 211     }
 212 
 213     /**
 214      * Compares this name with another, for equality.
 215      *
 216      * @return true iff the names are equivalent according to RFC2459.
 217      */
 218     public boolean equals(Object obj) {
 219         if (this == obj) {
 220             return true;
 221         }
 222 
 223         if (!(obj instanceof URIName)) {
 224             return false;
 225         }
 226 
 227         URIName other = (URIName) obj;
 228 
 229         return uri.equals(other.getURI());
 230     }
 231 
 232     /**
 233      * Returns the URIName as a java.net.URI object
 234      */
 235     public URI getURI() {
 236         return uri;
 237     }
 238 
 239     /**
 240      * Returns this URI name.
 241      */
 242     public String getName() {
 243         return uri.toString();
 244     }
 245 
 246     /**
 247      * Return the scheme name portion of a URIName
 248      *
 249      * @returns scheme portion of full name
 250      */
 251     public String getScheme() {
 252         return uri.getScheme();
 253     }
 254 
 255     /**
 256      * Return the host name or IP address portion of the URIName
 257      *
 258      * @returns host name or IP address portion of full name
 259      */
 260     public String getHost() {
 261         return host;
 262     }
 263 
 264     /**
 265      * Return the host object type; if host name is a
 266      * DNSName, then this host object does not include any
 267      * initial "." on the name.
 268      *
 269      * @returns host name as DNSName or IPAddressName
 270      */
 271     public Object getHostObject() {
 272         if (hostIP != null) {
 273             return hostIP;
 274         } else {
 275             return hostDNS;
 276         }
 277     }
 278 
 279     /**
 280      * Returns the hash code value for this object.
 281      *
 282      * @return a hash code value for this object.
 283      */
 284     public int hashCode() {
 285         return uri.hashCode();
 286     }
 287 
 288     /**
 289      * Return type of constraint inputName places on this name:<ul>
 290      *   <li>NAME_DIFF_TYPE = -1: input name is different type from name
 291      *       (i.e. does not constrain).
 292      *   <li>NAME_MATCH = 0: input name matches name.
 293      *   <li>NAME_NARROWS = 1: input name narrows name (is lower in the naming
 294      *       subtree)
 295      *   <li>NAME_WIDENS = 2: input name widens name (is higher in the naming
 296      *       subtree)
 297      *   <li>NAME_SAME_TYPE = 3: input name does not match or narrow name, but
 298      *       is same type.
 299      * </ul>.
 300      * These results are used in checking NameConstraints during
 301      * certification path verification.
 302      * <p>
 303      * RFC3280: For URIs, the constraint applies to the host part of the name.
 304      * The constraint may specify a host or a domain.  Examples would be
 305      * "foo.bar.com";  and ".xyz.com".  When the the constraint begins with
 306      * a period, it may be expanded with one or more subdomains.  That is,
 307      * the constraint ".xyz.com" is satisfied by both abc.xyz.com and
 308      * abc.def.xyz.com.  However, the constraint ".xyz.com" is not satisfied
 309      * by "xyz.com".  When the constraint does not begin with a period, it
 310      * specifies a host.
 311      * <p>
 312      * @param inputName to be checked for being constrained
 313      * @returns constraint type above
 314      * @throws UnsupportedOperationException if name is not exact match, but
 315      *  narrowing and widening are not supported for this name type.
 316      */
 317     public int constrains(GeneralNameInterface inputName)
 318         throws UnsupportedOperationException {
 319         int constraintType;
 320         if (inputName == null) {
 321             constraintType = NAME_DIFF_TYPE;
 322         } else if (inputName.getType() != NAME_URI) {
 323             constraintType = NAME_DIFF_TYPE;
 324         } else {
 325             // Assuming from here on that one or both of these is
 326             // actually a URI name constraint (not a URI), so we
 327             // only need to compare the host portion of the name
 328 
 329             String otherHost = ((URIName)inputName).getHost();
 330 
 331             // Quick check for equality
 332             if (otherHost.equalsIgnoreCase(host)) {
 333                 constraintType = NAME_MATCH;
 334             } else {
 335                 Object otherHostObject = ((URIName)inputName).getHostObject();
 336 
 337                 if ((hostDNS == null) ||
 338                     !(otherHostObject instanceof DNSName)) {
 339                     // If one (or both) is an IP address, only same type
 340                     constraintType = NAME_SAME_TYPE;
 341                 } else {
 342                     // Both host portions are DNSNames. Are they domains?
 343                     boolean thisDomain = (host.charAt(0) == '.');
 344                     boolean otherDomain = (otherHost.charAt(0) == '.');
 345                     DNSName otherDNS = (DNSName) otherHostObject;
 346 
 347                     // Run DNSName.constrains.
 348                     constraintType = hostDNS.constrains(otherDNS);
 349                     // If neither one is a domain, then they can't
 350                     // widen or narrow. That's just SAME_TYPE.
 351                     if ((!thisDomain && !otherDomain) &&
 352                         ((constraintType == NAME_WIDENS) ||
 353                          (constraintType == NAME_NARROWS))) {
 354                         constraintType = NAME_SAME_TYPE;
 355                     }
 356 
 357                     // If one is a domain and the other isn't,
 358                     // then they can't match. The one that's a
 359                     // domain doesn't include the one that's
 360                     // not a domain.
 361                     if ((thisDomain != otherDomain) &&
 362                         (constraintType == NAME_MATCH)) {
 363                         if (thisDomain) {
 364                             constraintType = NAME_WIDENS;
 365                         } else {
 366                             constraintType = NAME_NARROWS;
 367                         }
 368                     }
 369                 }
 370             }
 371         }
 372         return constraintType;
 373     }
 374 
 375     /**
 376      * Return subtree depth of this name for purposes of determining
 377      * NameConstraints minimum and maximum bounds and for calculating
 378      * path lengths in name subtrees.
 379      *
 380      * @returns distance of name from root
 381      * @throws UnsupportedOperationException if not supported for this name type
 382      */
 383     public int subtreeDepth() throws UnsupportedOperationException {
 384         DNSName dnsName = null;
 385         try {
 386             dnsName = new DNSName(host);
 387         } catch (IOException ioe) {
 388             throw new UnsupportedOperationException(ioe.getMessage());
 389         }
 390         return dnsName.subtreeDepth();
 391     }
 392 }
--- EOF ---