changeset 60190:dabe71eb7fe9

8237592: Enhance certificate verification Reviewed-by: xuelei, mullan, rhalade, ahgross
author weijun
date Sat, 18 Apr 2020 12:16:42 +0800
parents 4a34bb69515c
children 0f0bb183be37
files src/java.base/share/classes/sun/security/util/HostnameChecker.java
diffstat 1 files changed, 8 insertions(+), 3 deletions(-) [+]
--- a/src/java.base/share/classes/sun/security/util/HostnameChecker.java	Thu Apr 16 10:33:44 2020 -0400
+++ b/src/java.base/share/classes/sun/security/util/HostnameChecker.java	Sat Apr 18 12:16:42 2020 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,7 @@
 import java.net.UnknownHostException;
 import java.security.Principal;
 import java.security.cert.*;
+import java.text.Normalizer;
 import java.util.*;
 import javax.security.auth.x500.X500Principal;
 import javax.net.ssl.SNIHostName;
@@ -217,8 +218,12 @@
                                                     (X500Name.commonName_oid);
         if (derValue != null) {
             try {
-                if (isMatched(expectedName, derValue.getAsString(),
-                              chainsToPublicCA)) {
+                String cname = derValue.getAsString();
+                if (!Normalizer.isNormalized(cname, Normalizer.Form.NFKC)) {
+                    throw new CertificateException("Not a formal name "
+                            + cname);
+                }
+                if (isMatched(expectedName, cname, chainsToPublicCA)) {
                     return;
                 }
             } catch (IOException e) {
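Review bot: The new `CertificateException` message concatenates `cname`, the raw subject CN from the peer's certificate, and this throw is reached only when that string is not NFKC-normalized, so whatever logs or displays the message renders exactly the unusual Unicode the check rejects. Consider dropping the value or escaping it first, for example `throw new CertificateException("Subject CN is not in NFKC normalized form");`. The check also has no explanation; a short comment above the `if` would help, such as `// Reject a CN that NFKC normalization would rewrite, so matching only ever sees the name exactly as the certificate presents it` (the intent is inferred, so confirm the wording against the bug). The enclosing method starts and ends outside this hunk, so whether the subjectAltName path needs the same guard cannot be judged from here.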