
src/share/classes/sun/security/x509/DNSName.java

rev 13439 : 8213952: Relax DNSName restriction as per RFC 1123
Reviewed-by: weijun, mullan, chegar

*** 1,7 **** /* ! * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this --- 1,7 ---- /* ! * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this
*** 32,61 **** /** * This class implements the DNSName as required by the GeneralNames * ASN.1 object. * <p> ! * [RFC2459] When the subjectAltName extension contains a domain name service * label, the domain name MUST be stored in the dNSName (an IA5String). ! * The name MUST be in the "preferred name syntax," as specified by RFC ! * 1034 [RFC 1034]. Note that while upper and lower case letters are ! * allowed in domain names, no signifigance is attached to the case. In * addition, while the string " " is a legal domain name, subjectAltName ! * extensions with a dNSName " " are not permitted. Finally, the use of ! * the DNS representation for Internet mail addresses (wpolk.nist.gov ! * instead of wpolk@nist.gov) is not permitted; such identities are to ! * be encoded as rfc822Name. * <p> * @author Amit Kapoor * @author Hemma Prafullchandra */ public class DNSName implements GeneralNameInterface { private String name; ! private static final String alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; ! private static final String digitsAndHyphen = "0123456789-"; ! private static final String alphaDigitsAndHyphen = alpha + digitsAndHyphen; /** * Create the DNSName object from the passed encoded Der value. * * @param derValue the encoded DER DNSName. --- 32,61 ---- /** * This class implements the DNSName as required by the GeneralNames * ASN.1 object. * <p> ! * [RFC5280] When the subjectAltName extension contains a domain name system * label, the domain name MUST be stored in the dNSName (an IA5String). ! * The name MUST be in the "preferred name syntax", as specified by ! * Section 3.5 of [RFC1034] and as modified by Section 2.1 of ! * [RFC1123]. Note that while uppercase and lowercase letters are ! * allowed in domain names, no significance is attached to the case. In * addition, while the string " " is a legal domain name, subjectAltName ! * extensions with a dNSName of " " MUST NOT be used. Finally, the use ! 
* of the DNS representation for Internet mail addresses ! * (subscriber.example.com instead of subscriber@example.com) MUST NOT ! * be used; such identities are to be encoded as rfc822Name. * <p> * @author Amit Kapoor * @author Hemma Prafullchandra */ public class DNSName implements GeneralNameInterface { private String name; ! private static final String alphaDigits = ! "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; /** * Create the DNSName object from the passed encoded Der value. * * @param derValue the encoded DER DNSName.
*** 71,109 **** * @param name the DNSName. * @throws IOException if the name is not a valid DNSName subjectAltName */ public DNSName(String name) throws IOException { if (name == null || name.length() == 0) ! throw new IOException("DNS name must not be null"); ! if (name.indexOf(' ') != -1) ! throw new IOException("DNS names or NameConstraints with blank components are not permitted"); ! if (name.charAt(0) == '.' || name.charAt(name.length() -1) == '.') ! throw new IOException("DNS names or NameConstraints may not begin or end with a ."); ! //Name will consist of label components separated by "." ! //startIndex is the index of the first character of a component ! //endIndex is the index of the last character of a component plus 1 ! for (int endIndex,startIndex=0; startIndex < name.length(); startIndex = endIndex+1) { endIndex = name.indexOf('.', startIndex); if (endIndex < 0) { endIndex = name.length(); } ! if ((endIndex-startIndex) < 1) ! throw new IOException("DNSName SubjectAltNames with empty components are not permitted"); ! //DNSName components must begin with a letter A-Z or a-z ! if (alpha.indexOf(name.charAt(startIndex)) < 0) ! throw new IOException("DNSName components must begin with a letter"); //nonStartIndex: index for characters in the component beyond the first one for (int nonStartIndex=startIndex+1; nonStartIndex < endIndex; nonStartIndex++) { char x = name.charAt(nonStartIndex); ! if ((alphaDigitsAndHyphen).indexOf(x) < 0) throw new IOException("DNSName components must consist of letters, digits, and hyphens"); } } this.name = name; } /** * Return the type of the GeneralName. */ public int getType() { return (GeneralNameInterface.NAME_DNS); --- 71,112 ---- * @param name the DNSName. * @throws IOException if the name is not a valid DNSName subjectAltName */ public DNSName(String name) throws IOException { if (name == null || name.length() == 0) ! throw new IOException("DNSName must not be null or empty"); ! if (name.contains(" ")) ! 
throw new IOException("DNSName with blank components is not permitted"); ! if (name.startsWith(".") || name.endsWith(".")) ! throw new IOException("DNSName may not begin or end with a ."); ! /* ! * Name will consist of label components separated by "." ! * startIndex is the index of the first character of a component ! * endIndex is the index of the last character of a component plus 1 ! */ ! for (int endIndex,startIndex = 0; startIndex < name.length(); startIndex = endIndex+1) { endIndex = name.indexOf('.', startIndex); if (endIndex < 0) { endIndex = name.length(); } ! if (endIndex - startIndex < 1) ! throw new IOException("DNSName with empty components are not permitted"); ! // RFC 1123: DNSName components must begin with a letter or digit ! if (alphaDigits.indexOf(name.charAt(startIndex)) < 0) ! throw new IOException("DNSName components must begin with a letter or digit"); //nonStartIndex: index for characters in the component beyond the first one for (int nonStartIndex=startIndex+1; nonStartIndex < endIndex; nonStartIndex++) { char x = name.charAt(nonStartIndex); ! if ((alphaDigits).indexOf(x) < 0 && x != '-') throw new IOException("DNSName components must consist of letters, digits, and hyphens"); } } this.name = name; } + /** * Return the type of the GeneralName. */ public int getType() { return (GeneralNameInterface.NAME_DNS);
*** 115,125 **** public String getName() { return name; } /** ! * Encode the DNS name into the DerOutputStream. * * @param out the DER stream to encode the DNSName to. * @exception IOException on encoding errors. */ public void encode(DerOutputStream out) throws IOException { --- 118,128 ---- public String getName() { return name; } /** ! * Encode the DNSName into the DerOutputStream. * * @param out the DER stream to encode the DNSName to. * @exception IOException on encoding errors. */ public void encode(DerOutputStream out) throws IOException {
*** 135,156 **** /** * Compares this name with another, for equality. * * @return true iff the names are equivalent ! * according to RFC2459. */ public boolean equals(Object obj) { if (this == obj) return true; if (!(obj instanceof DNSName)) return false; DNSName other = (DNSName)obj; ! // RFC2459 mandates that these names are // not case-sensitive return name.equalsIgnoreCase(other.name); } /** --- 138,159 ---- /** * Compares this name with another, for equality. * * @return true iff the names are equivalent ! * according to RFC5280. */ public boolean equals(Object obj) { if (this == obj) return true; if (!(obj instanceof DNSName)) return false; DNSName other = (DNSName)obj; ! // RFC5280 mandates that these names are // not case-sensitive return name.equalsIgnoreCase(other.name); } /**
*** 170,185 **** * <li>NAME_WIDENS = 2: input name widens name (is higher in the naming subtree) * <li>NAME_SAME_TYPE = 3: input name does not match or narrow name, but is same type. * </ul>. These results are used in checking NameConstraints during * certification path verification. * <p> ! * RFC2459: DNS name restrictions are expressed as foo.bar.com. Any subdomain ! * satisfies the name constraint. For example, www.foo.bar.com would ! * satisfy the constraint but bigfoo.bar.com would not. * <p> ! * draft-ietf-pkix-new-part1-00.txt: DNS name restrictions are expressed as foo.bar.com. ! * Any DNS name that * can be constructed by simply adding to the left hand side of the name * satisfies the name constraint. For example, www.foo.bar.com would * satisfy the constraint but foo1.bar.com would not. * <p> * RFC1034: By convention, domain names can be stored with arbitrary case, but --- 173,190 ---- * <li>NAME_WIDENS = 2: input name widens name (is higher in the naming subtree) * <li>NAME_SAME_TYPE = 3: input name does not match or narrow name, but is same type. * </ul>. These results are used in checking NameConstraints during * certification path verification. * <p> ! * RFC5280: DNS name restrictions are expressed as host.example.com. ! * Any DNS name that can be constructed by simply adding zero or more ! * labels to the left-hand side of the name satisfies the name constraint. ! * For example, www.host.example.com would satisfy the constraint but ! * host1.example.com would not. * <p> ! * draft-ietf-pkix-new-part1-00.txt: DNSName restrictions are expressed as foo.bar.com. ! * Any DNSName that * can be constructed by simply adding to the left hand side of the name * satisfies the name constraint. For example, www.foo.bar.com would * satisfy the constraint but foo1.bar.com would not. * <p> * RFC1034: By convention, domain names can be stored with arbitrary case, but
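Review bot: The relaxed first-character rule in the DNSName(String) constructor (hunk at lines 71-112) now accepts a purely numeric name such as `1.2.3.4` as a dNSName, although RFC 1123 §2.1 points out that a host name can never have the dotted-decimal form because the highest-level label is alphabetic; an IPv4 literal belongs in the iPAddress GeneralName, where the constrains() logic documented in the last hunk would presumably not treat it as a label-suffix match. After the label loop I would add `String tld = name.substring(name.lastIndexOf('.') + 1);` / `if (tld.chars().allMatch(c -> c >= '0' && c <= '9'))` / `throw new IOException("DNSName top-level component must not be all digits");`. The same preferred-name syntax requires each label to end with a letter or digit, but the inner loop still admits a trailing hyphen (`foo-.example.com`); a one-line check of `name.charAt(endIndex - 1) == '-'` before the loop advances would close that gap, which predates this change. The `// RFC 1123:` comment above the first-character check could also cite §2.1 so the source of the relaxation is explicit.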