Fix homeserver verification with wildcards certificates.

Disable v2 by default. Add migration to fix the accepted table (due to sqlite unable to change constraint, drop table and create again). Fix displaying the expiration period of the new token. Remove duplicated code. Use v1 single lookup when receive the request with `none` algorithm and the only one argument. Hide v2 endpoint if v2 API disabled.
2019-12-10 00:10:13 +03:00
parent 17ebc2a421
commit 10cdb4360e
11 changed files with 176 additions and 125 deletions
--- a/src/main/java/io/kamax/mxisd/auth/AccountManager.java
+++ b/src/main/java/io/kamax/mxisd/auth/AccountManager.java
@@ -10,6 +10,7 @@ import io.kamax.mxisd.exception.BadRequestException;
 import io.kamax.mxisd.exception.InvalidCredentialsException;
 import io.kamax.mxisd.exception.NotFoundException;
 import io.kamax.mxisd.matrix.HomeserverFederationResolver;
+import io.kamax.mxisd.matrix.HomeserverVerifier;
 import io.kamax.mxisd.storage.IStorage;
 import io.kamax.mxisd.storage.ormlite.dao.AccountDao;
 import org.apache.http.HttpStatus;
@@ -22,18 +23,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import java.io.IOException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
 import java.time.Instant;
-import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
 import java.util.UUID;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;

 public class AccountManager {

@@ -80,7 +73,7 @@ public class AccountManager {
            homeserverURL + "/_matrix/federation/v1/openid/userinfo?access_token=" + openIdToken.getAccessToken());
        String userId;
        try (CloseableHttpClient httpClient = HttpClients.custom()
-            .setSSLHostnameVerifier(new MatrixHostnameVerifier(homeserverTarget.getDomain())).build()) {
+            .setSSLHostnameVerifier(new HomeserverVerifier(homeserverTarget.getDomain())).build()) {
            try (CloseableHttpResponse response = httpClient.execute(getUserInfo)) {
                int statusCode = response.getStatusLine().getStatusCode();
                if (statusCode == HttpStatus.SC_OK) {
@@ -170,74 +163,4 @@ public class AccountManager {
    public MatrixConfig getMatrixConfig() {
        return matrixConfig;
    }
-
-    public static class MatrixHostnameVerifier implements HostnameVerifier {
-
-        private static final String ALT_DNS_NAME_TYPE = "2";
-        private static final String ALT_IP_ADDRESS_TYPE = "7";
-
-        private final String matrixHostname;
-
-        public MatrixHostnameVerifier(String matrixHostname) {
-            this.matrixHostname = matrixHostname;
-        }
-
-        @Override
-        public boolean verify(String hostname, SSLSession session) {
-            try {
-                Certificate peerCertificate = session.getPeerCertificates()[0];
-                if (peerCertificate instanceof X509Certificate) {
-                    X509Certificate x509Certificate = (X509Certificate) peerCertificate;
-                    if (x509Certificate.getSubjectAlternativeNames() == null) {
-                        return false;
-                    }
-                    for (String altSubjectName : getAltSubjectNames(x509Certificate)) {
-                        if (match(altSubjectName)) {
-                            return true;
-                        }
-                    }
-                }
-            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
-                LOGGER.error("Unable to check remote host", e);
-                return false;
-            }
-
-            return false;
-        }
-
-        private List<String> getAltSubjectNames(X509Certificate x509Certificate) {
-            List<String> subjectNames = new ArrayList<>();
-            try {
-                for (List<?> subjectAlternativeNames : x509Certificate.getSubjectAlternativeNames()) {
-                    if (subjectAlternativeNames == null
-                        || subjectAlternativeNames.size() < 2
-                        || subjectAlternativeNames.get(0) == null
-                        || subjectAlternativeNames.get(1) == null) {
-                        continue;
-                    }
-                    String subjectType = subjectAlternativeNames.get(0).toString();
-                    switch (subjectType) {
-                        case ALT_DNS_NAME_TYPE:
-                        case ALT_IP_ADDRESS_TYPE:
-                            subjectNames.add(subjectAlternativeNames.get(1).toString());
-                            break;
-                        default:
-                            LOGGER.trace("Unusable subject type: " + subjectType);
-                    }
-                }
-            } catch (CertificateParsingException e) {
-                LOGGER.error("Unable to parse the certificate", e);
-                return Collections.emptyList();
-            }
-            return subjectNames;
-        }
-
-        private boolean match(String altSubjectName) {
-            if (altSubjectName.startsWith("*.")) {
-                return altSubjectName.toLowerCase().endsWith(matrixHostname.toLowerCase());
-            } else {
-                return matrixHostname.equalsIgnoreCase(altSubjectName);
-            }
-        }
-    }
 }