fix: support Subject Alternative Names for SSL connections (#952)

pgjdbc/src/main/java/org/postgresql/ssl/jdbc4/LibPQFactory.java

@@ -24,7 +24,10 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
 import java.util.Properties;
 
 import javax.naming.InvalidNameException;
@@ -48,6 +51,8 @@
  */
 public class LibPQFactory extends WrappedFactory implements HostnameVerifier {
 
+  private static final int ALT_DNS_NAME = 2;
+
   LazyKeyManager km = null;
   String sslmode;
 
@@ -229,6 +234,39 @@ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallback
     }
   }
 
+  public static boolean verifyHostName(String hostname, String pattern) {
+    if (hostname == null || pattern == null) {
+      return false;
+    }
+    if (!pattern.startsWith("*")) {
+      // No wildcard => just compare hostnames
+      return hostname.equalsIgnoreCase(pattern);
+    }
+    // pattern starts with *, so hostname should be at least (pattern.length-1) long
+    if (hostname.length() < pattern.length() - 1) {
+      return false;
+    }
+    // Compare ignore case
+    final boolean ignoreCase = true;
+    // Below code is "hostname.endsWithIgnoreCase(pattern.withoutFirstStar())"
+
+    // E.g. hostname==sub.host.com; pattern==*.host.com
+    // We need to start the offset of ".host.com" in hostname
+    // For this we take hostname.length() - pattern.length()
+    // and +1 is required since pattern is known to start with *
+    int toffset = hostname.length() - pattern.length() + 1;
+
+    // Wildcard covers just one domain level
+    // a.b.c.com should not be covered by *.c.com
+    if (hostname.lastIndexOf('.', toffset - 1) >= 0) {
+      // If there's a dot in between 0..toffset
+      return false;
+    }
+
+    return hostname.regionMatches(ignoreCase, toffset,
+        pattern, 1, pattern.length() - 1);
+  }
+
   /**
    * Verifies the server certificate according to the libpq rules. The cn attribute of the
    * certificate is matched against the hostname. If the cn attribute starts with an asterisk (*),
@@ -252,6 +290,26 @@ public boolean verify(String hostname, SSLSession session) {
     }
     // Extract the common name
     X509Certificate serverCert = peerCerts[0];
+
+    try {
+      // Check for Subject Alternative Names (see RFC 6125)
+      Collection<List<?>> subjectAltNames = serverCert.getSubjectAlternativeNames();
+
+      if (subjectAltNames != null) {
+        for (List<?> sanit : subjectAltNames) {
+          Integer type = (Integer) sanit.get(0);
+          String san = (String) sanit.get(1);
+
+          // this mimics libpq check for ALT_DNS_NAME
+          if (type != null && type == ALT_DNS_NAME && verifyHostName(hostname, san)) {
+            return true;
+          }
+        }
+      }
+    } catch (CertificateParsingException e) {
+      return false;
+    }
+
     LdapName DN;
     try {
       DN = new LdapName(serverCert.getSubjectX500Principal().getName(X500Principal.RFC2253));
@@ -266,17 +324,6 @@ public boolean verify(String hostname, SSLSession session) {
         break;
       }
     }
-    if (CN == null) {
-      return false;
-    } else if (CN.startsWith("*")) { // We have a wildcard
-      if (hostname.endsWith(CN.substring(1))) {
-        // Avoid IndexOutOfBoundsException because hostname already ends with CN
-        return !(hostname.substring(0, hostname.length() - CN.length() + 1).contains("."));
-      } else {
-        return false;
-      }
-    } else {
-      return CN.equals(hostname);
-    }
+    return verifyHostName(hostname, CN);
   }
 }

pgjdbc/src/test/java/org/postgresql/test/jdbc4/Jdbc4TestSuite.java

@@ -24,6 +24,7 @@
         BinaryStreamTest.class,
         CharacterStreamTest.class,
         UUIDTest.class,
+        LibPQFactoryHostNameTest.class,
         XmlTest.class
 })
 public class Jdbc4TestSuite {

pgjdbc/src/test/java/org/postgresql/test/jdbc4/LibPQFactoryHostNameTest.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2017, PostgreSQL Global Development Group
+ * See the LICENSE file in the project root for more information.
+ */
+
+package org.postgresql.test.jdbc4;
+
+import org.postgresql.ssl.jdbc4.LibPQFactory;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+import java.util.Arrays;
+
+@RunWith(Parameterized.class)
+public class LibPQFactoryHostNameTest {
+
+  private final String hostname;
+  private final String pattern;
+  private final boolean expected;
+
+  public LibPQFactoryHostNameTest(String hostname, String pattern, boolean expected) {
+    this.hostname = hostname;
+    this.pattern = pattern;
+    this.expected = expected;
+  }
+
+  @Parameterized.Parameters(name = "host={0}, pattern={1}")
+  public static Iterable<Object[]> data() {
+    return Arrays.asList(new Object[][]{
+        {"host.com", "pattern.com", false},
+        {"host.com", ".pattern.com", false},
+        {"host.com", "*.pattern.com", false},
+        {"host.com", "*.host.com", false},
+        {"a.com", "*.host.com", false},
+        {".a.com", "*.host.com", false},
+        {"longhostname.com", "*.com", true},
+        {"longhostname.ru", "*.com", false},
+        {"host.com", "host.com", true},
+        {"sub.host.com", "host.com", false},
+        {"sub.host.com", "sub.host.com", true},
+        {"sub.host.com", "*.host.com", true},
+        {"Sub.host.com", "sub.host.com", true},
+        {"sub.host.com", "Sub.host.com", true},
+        {"sub.host.com", "*.hoSt.com", true},
+        {"*.host.com", "host.com", false},
+        {"sub.sub.host.com", "*.host.com", false}, // Wildcard should cover just one level
+    });
+  }
+
+  @Test
+  public void checkPattern() throws Exception {
+    Assert.assertEquals(expected, LibPQFactory.verifyHostName(hostname, pattern));
+  }
+}