Fixes WAVE-416 - Delta signature verification fail with wildcard certificates.
Project: http://git-wip-us.apache.org/repos/asf/incubator-wave/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-wave/commit/91611960 Tree: http://git-wip-us.apache.org/repos/asf/incubator-wave/tree/91611960 Diff: http://git-wip-us.apache.org/repos/asf/incubator-wave/diff/91611960 Branch: refs/heads/fulltextsearch Commit: 9161196008317a67b71a64ca8286095b38633a69 Parents: 3513be7 Author: Pablo Ojanguren <[email protected]> Authored: Mon Aug 25 19:40:18 2014 +0300 Committer: Yuri Zelikov <[email protected]> Committed: Mon Aug 25 19:42:07 2014 +0300 ---------------------------------------------------------------------- .../wave/crypto/WaveSignatureVerifier.java | 32 ++++++++++++++++++++ 1 file changed, 32 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-wave/blob/91611960/src/org/waveprotocol/wave/crypto/WaveSignatureVerifier.java ----------------------------------------------------------------------
diff --git a/src/org/waveprotocol/wave/crypto/WaveSignatureVerifier.java b/src/org/waveprotocol/wave/crypto/WaveSignatureVerifier.java
index 0b4238e..94557f5 100644
--- a/src/org/waveprotocol/wave/crypto/WaveSignatureVerifier.java
+++ b/src/org/waveprotocol/wave/crypto/WaveSignatureVerifier.java
@@ -158,6 +158,10 @@ public class WaveSignatureVerifier {
       return;
     }
+    if (authorityMatchesWildcardCN(authority, cn)) {
+      return;
+    }
+
     throw new SignatureException("expected " + authority + " as CN or alternative name in cert, but didn't find it");
@@ -210,4 +214,32 @@ public class WaveSignatureVerifier {
       return null;
     }
   }
+
+  /**
+   * Returns true if the authority given matches a CN with a wildcard
+   * expression.
+   *
+   * @author pablojan ([email protected])
+   *
+   * @param authority
+   * @param certificate
+   * @return
+   */
+  private boolean authorityMatchesWildcardCN(String authority, String commonName) {
+
+    // check for a wildcard expression
+    if (!commonName.startsWith("*.")) {
+      return false;
+    }
+
+    // second-level domain
+    String sndLevelName = commonName.substring(2, commonName.length());
+
+
+    // trim authority name
+    String sndLevelAuth = authority.substring(authority.indexOf(".") + 1, authority.length());
+
+    return sndLevelAuth.equals(sndLevelName);
+
+  }
 }
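Review bot: `authorityMatchesWildcardCN` accepts any CN that starts with `*.` without checking what follows, so a certificate with CN `*.com` would satisfy the authority `example.com`, and a CN of exactly `*.` matches any authority ending in a dot; the part after `*.` should be required to contain at least one more label. The authority side is unguarded as well: `authority.indexOf(".")` is -1 for a dotless authority, so `substring(0)` compares the whole name against the wildcard base, and an authority with a leading dot yields an empty first label that is silently dropped. The Javadoc documents a parameter `certificate` that does not exist (it should be `@param commonName`) and leaves `@return` empty, and `substring(2, commonName.length())` is simply `substring(2)`. Whether the comparison should be case-insensitive depends on how the exact CN/SAN checks in the calling method (whose body lies outside this hunk) compare names; the rewrite below keeps `equals` so it stays consistent with whatever the caller does.

```java
  /**
   * Returns true if {@code commonName} is a wildcard name ({@code *.base}) whose
   * base equals {@code authority} with its first label removed. The wildcard
   * stands for exactly one label, so {@code a.b.base} does not match.
   *
   * @param authority host name expected to be certified
   * @param commonName CN taken from the certificate
   * @return true if the wildcard covers the authority, false otherwise
   */
  private boolean authorityMatchesWildcardCN(String authority, String commonName) {
    // Only a leading "*." is treated as a wildcard expression.
    if (!commonName.startsWith("*.")) {
      return false;
    }
    String wildcardBase = commonName.substring(2);
    // Refuse a bare "*." and wildcards that would cover a whole top-level domain ("*.com").
    if (wildcardBase.isEmpty() || wildcardBase.indexOf('.') < 0) {
      return false;
    }
    // The authority must have a non-empty first label to drop.
    int firstDot = authority.indexOf('.');
    if (firstDot <= 0) {
      return false;
    }
    String authorityBase = authority.substring(firstDot + 1);
    return authorityBase.equals(wildcardBase);
  }
```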
