Fix matrix server hostname verification.
This commit is contained in:
Anatoly Sablin
@@ -131,7 +131,7 @@ public class Mxisd {
|
|||||||
dirMgr = new DirectoryManager(cfg.getDirectory(), clientDns, httpClient, DirectoryProviders.get());
|
dirMgr = new DirectoryManager(cfg.getDirectory(), clientDns, httpClient, DirectoryProviders.get());
|
||||||
regMgr = new RegistrationManager(cfg.getRegister(), httpClient, clientDns, invMgr);
|
regMgr = new RegistrationManager(cfg.getRegister(), httpClient, clientDns, invMgr);
|
||||||
asHander = new AppSvcManager(this);
|
asHander = new AppSvcManager(this);
|
||||||
accMgr = new AccountManager(store, resolver, getHttpClient(), cfg.getAccountConfig(), cfg.getMatrix());
|
accMgr = new AccountManager(store, resolver, cfg.getAccountConfig(), cfg.getMatrix());
|
||||||
}
|
}
|
||||||
|
|
||||||
public MxisdConfig getConfig() {
|
public MxisdConfig getConfig() {
|
||||||
|
|||||||
@@ -9,7 +9,6 @@ import io.kamax.mxisd.config.PolicyConfig;
|
|||||||
import io.kamax.mxisd.exception.BadRequestException;
|
import io.kamax.mxisd.exception.BadRequestException;
|
||||||
import io.kamax.mxisd.exception.InvalidCredentialsException;
|
import io.kamax.mxisd.exception.InvalidCredentialsException;
|
||||||
import io.kamax.mxisd.exception.NotFoundException;
|
import io.kamax.mxisd.exception.NotFoundException;
|
||||||
import io.kamax.mxisd.http.undertow.handler.auth.v1.LoginGetHandler;
|
|
||||||
import io.kamax.mxisd.matrix.HomeserverFederationResolver;
|
import io.kamax.mxisd.matrix.HomeserverFederationResolver;
|
||||||
import io.kamax.mxisd.storage.IStorage;
|
import io.kamax.mxisd.storage.IStorage;
|
||||||
import io.kamax.mxisd.storage.ormlite.dao.AccountDao;
|
import io.kamax.mxisd.storage.ormlite.dao.AccountDao;
|
||||||
@@ -17,15 +16,24 @@ import org.apache.http.HttpStatus;
|
|||||||
import org.apache.http.client.methods.CloseableHttpResponse;
|
import org.apache.http.client.methods.CloseableHttpResponse;
|
||||||
import org.apache.http.client.methods.HttpGet;
|
import org.apache.http.client.methods.HttpGet;
|
||||||
import org.apache.http.impl.client.CloseableHttpClient;
|
import org.apache.http.impl.client.CloseableHttpClient;
|
||||||
|
import org.apache.http.impl.client.HttpClientBuilder;
|
||||||
import org.apache.http.util.EntityUtils;
|
import org.apache.http.util.EntityUtils;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.security.cert.Certificate;
|
||||||
|
import java.security.cert.CertificateParsingException;
|
||||||
|
import java.security.cert.X509Certificate;
|
||||||
import java.time.Instant;
|
import java.time.Instant;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Objects;
|
import java.util.Objects;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
import javax.net.ssl.HostnameVerifier;
|
||||||
|
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||||
|
import javax.net.ssl.SSLSession;
|
||||||
|
|
||||||
public class AccountManager {
|
public class AccountManager {
|
||||||
|
|
||||||
@@ -33,15 +41,12 @@ public class AccountManager {
|
|||||||
|
|
||||||
private final IStorage storage;
|
private final IStorage storage;
|
||||||
private final HomeserverFederationResolver resolver;
|
private final HomeserverFederationResolver resolver;
|
||||||
private final CloseableHttpClient httpClient;
|
|
||||||
private final AccountConfig accountConfig;
|
private final AccountConfig accountConfig;
|
||||||
private final MatrixConfig matrixConfig;
|
private final MatrixConfig matrixConfig;
|
||||||
|
|
||||||
public AccountManager(IStorage storage, HomeserverFederationResolver resolver,
|
public AccountManager(IStorage storage, HomeserverFederationResolver resolver, AccountConfig accountConfig, MatrixConfig matrixConfig) {
|
||||||
CloseableHttpClient httpClient, AccountConfig accountConfig, MatrixConfig matrixConfig) {
|
|
||||||
this.storage = storage;
|
this.storage = storage;
|
||||||
this.resolver = resolver;
|
this.resolver = resolver;
|
||||||
this.httpClient = httpClient;
|
|
||||||
this.accountConfig = accountConfig;
|
this.accountConfig = accountConfig;
|
||||||
this.matrixConfig = matrixConfig;
|
this.matrixConfig = matrixConfig;
|
||||||
}
|
}
|
||||||
@@ -67,24 +72,31 @@ public class AccountManager {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private String getUserId(OpenIdToken openIdToken) {
|
private String getUserId(OpenIdToken openIdToken) {
|
||||||
String homeserverURL = resolver.resolve(openIdToken.getMatrixServerName()).toString();
|
String matrixServerName = openIdToken.getMatrixServerName();
|
||||||
LOGGER.info("Domain resolved: {} => {}", openIdToken.getMatrixServerName(), homeserverURL);
|
String homeserverURL = resolver.resolve(matrixServerName).toString();
|
||||||
|
LOGGER.info("Domain resolved: {} => {}", matrixServerName, homeserverURL);
|
||||||
HttpGet getUserInfo = new HttpGet(
|
HttpGet getUserInfo = new HttpGet(
|
||||||
homeserverURL + "/_matrix/federation/v1/openid/userinfo?access_token=" + openIdToken.getAccessToken());
|
homeserverURL + "/_matrix/federation/v1/openid/userinfo?access_token=" + openIdToken.getAccessToken());
|
||||||
String userId;
|
String userId;
|
||||||
try (CloseableHttpResponse response = httpClient.execute(getUserInfo)) {
|
try (CloseableHttpClient httpClient = HttpClientBuilder.create()
|
||||||
int statusCode = response.getStatusLine().getStatusCode();
|
.setSSLHostnameVerifier(new MatrixHostnameVerifier(matrixServerName)).build()) {
|
||||||
if (statusCode == HttpStatus.SC_OK) {
|
try (CloseableHttpResponse response = httpClient.execute(getUserInfo)) {
|
||||||
String content = EntityUtils.toString(response.getEntity());
|
int statusCode = response.getStatusLine().getStatusCode();
|
||||||
LOGGER.trace("Response: {}", content);
|
if (statusCode == HttpStatus.SC_OK) {
|
||||||
JsonObject body = GsonUtil.parseObj(content);
|
String content = EntityUtils.toString(response.getEntity());
|
||||||
userId = GsonUtil.getStringOrThrow(body, "sub");
|
LOGGER.trace("Response: {}", content);
|
||||||
} else {
|
JsonObject body = GsonUtil.parseObj(content);
|
||||||
LOGGER.error("Wrong response status: {}", statusCode);
|
userId = GsonUtil.getStringOrThrow(body, "sub");
|
||||||
|
} else {
|
||||||
|
LOGGER.error("Wrong response status: {}", statusCode);
|
||||||
|
throw new InvalidCredentialsException();
|
||||||
|
}
|
||||||
|
} catch (IOException e) {
|
||||||
|
LOGGER.error("Unable to get user info.", e);
|
||||||
throw new InvalidCredentialsException();
|
throw new InvalidCredentialsException();
|
||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
LOGGER.error("Unable to get user info.", e);
|
LOGGER.error("Unable to create a connection to host: " + homeserverURL, e);
|
||||||
throw new InvalidCredentialsException();
|
throw new InvalidCredentialsException();
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -157,4 +169,74 @@ public class AccountManager {
|
|||||||
public MatrixConfig getMatrixConfig() {
|
public MatrixConfig getMatrixConfig() {
|
||||||
return matrixConfig;
|
return matrixConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static class MatrixHostnameVerifier implements HostnameVerifier {
|
||||||
|
|
||||||
|
private static final String ALT_DNS_NAME_TYPE = "2";
|
||||||
|
private static final String ALT_IP_ADDRESS_TYPE = "7";
|
||||||
|
|
||||||
|
private final String matrixHostname;
|
||||||
|
|
||||||
|
public MatrixHostnameVerifier(String matrixHostname) {
|
||||||
|
this.matrixHostname = matrixHostname;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean verify(String hostname, SSLSession session) {
|
||||||
|
try {
|
||||||
|
Certificate peerCertificate = session.getPeerCertificates()[0];
|
||||||
|
if (peerCertificate instanceof X509Certificate) {
|
||||||
|
X509Certificate x509Certificate = (X509Certificate) peerCertificate;
|
||||||
|
if (x509Certificate.getSubjectAlternativeNames() == null) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
for (String altSubjectName : getAltSubjectNames(x509Certificate)) {
|
||||||
|
if (match(altSubjectName)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (SSLPeerUnverifiedException | CertificateParsingException e) {
|
||||||
|
LOGGER.error("Unable to check remote host", e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<String> getAltSubjectNames(X509Certificate x509Certificate) {
|
||||||
|
List<String> subjectNames = new ArrayList<>();
|
||||||
|
try {
|
||||||
|
for (List<?> subjectAlternativeNames : x509Certificate.getSubjectAlternativeNames()) {
|
||||||
|
if (subjectAlternativeNames == null
|
||||||
|
|| subjectAlternativeNames.size() < 2
|
||||||
|
|| subjectAlternativeNames.get(0) == null
|
||||||
|
|| subjectAlternativeNames.get(1) == null) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
String subjectType = subjectAlternativeNames.get(0).toString();
|
||||||
|
switch (subjectType) {
|
||||||
|
case ALT_DNS_NAME_TYPE:
|
||||||
|
case ALT_IP_ADDRESS_TYPE:
|
||||||
|
subjectNames.add(subjectAlternativeNames.get(1).toString());
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
LOGGER.trace("Unusable subject type: " + subjectType);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (CertificateParsingException e) {
|
||||||
|
LOGGER.error("Unable to parse the certificate", e);
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
return subjectNames;
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean match(String altSubjectName) {
|
||||||
|
if (altSubjectName.startsWith("*.")) {
|
||||||
|
return altSubjectName.toLowerCase().endsWith(matrixHostname.toLowerCase());
|
||||||
|
} else {
|
||||||
|
return matrixHostname.equalsIgnoreCase(altSubjectName);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user