From 6893cbc18ecb181d7c27ac6c9f77f2b0eb285f2b Mon Sep 17 00:00:00 2001
From: Hamado Dene
Date: Fri, 16 Feb 2024 10:04:37 +0100
Subject: [PATCH] Added check number of segment of subdomain

---
 .../config/SSLCertificateConfiguration.java | 15 ++++++++-----
 .../carapaceproxy/listeners/SSLSNITest.java | 21 +++----------------
 2 files changed, 13 insertions(+), 23 deletions(-)

diff --git a/carapace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java b/carapace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java
index 2df293614..b258b77b2 100644
--- a/carapace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java
+++ b/carapace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java
@@ -96,21 +96,26 @@ public boolean isMoreSpecific(SSLCertificateConfiguration other) {
 final int maxOtherNameLength = other.getNames().stream()
 .map(CertificatesUtils::removeWildcard)
- .map(String::length)
- .max(Integer::compareTo)
+ .mapToInt(String::length)
+ .max()
+ .orElse(0);
+
+ final int maxSubDomainLength = other.getNames().stream()
+ .map(name -> name.split("\\."))
+ .mapToInt(name -> name.length)
+ .max()
 .orElse(0);
 for (var n : getNames()) {
 final var name = CertificatesUtils.removeWildcard(n);
- if (name.length() > maxOtherNameLength) {
+ final int nameSegmentLength = n.split("\\.").length;
+ if (name.length() >= maxOtherNameLength && nameSegmentLength >= maxSubDomainLength) {
 return true;
 }
 }
 return false;
 }
-
-
 public Collection getNames() {
 return new ArrayList<>() {{
 add(id); // hostname or *.hostname
diff --git a/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java b/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java
index 97db6c779..660eb96b0 100644
--- a/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java
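Review bot: Switching both comparisons in the loop to `>=` makes `isMoreSpecific` non-strict: two configurations whose names tie on stripped length and on segment count are each "more specific" than the other, so which certificate is served for an SNI name then depends on the order in which the caller iterates the candidates rather than on the names themselves. Keeping one dimension strict restores an ordering, e.g. `if (nameSegmentLength > maxSubDomainLength || (nameSegmentLength == maxSubDomainLength && name.length() > maxOtherNameLength)) {`. The segment count is also taken from the raw `n` while the length is taken after `removeWildcard`, so if `removeWildcard` strips the leading `*.`, `*.example.com` (3 segments) outranks `example.com` (2 segments) at equal stripped length, and the same mismatch applies to `maxSubDomainLength`, which splits `other`'s names without stripping; computing both measures on the stripped name keeps them comparable. The method's signature sits on the line just above this hunk and carries no Javadoc; a short one stating the intended tie-break order (segments first, then length) would make the contract checkable by the test in the second file.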
+++ b/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java
@@ -96,16 +96,14 @@ public void testChooseCertificate() throws Exception {
 server.addCertificate(new SSLCertificateConfiguration("other", null, "cert", "pwd", STATIC));
 server.addCertificate(new SSLCertificateConfiguration("*.example.com", Set.of("example.com", "*.example2.com"), "cert", "pwd", STATIC));
 server.addCertificate(new SSLCertificateConfiguration("www.example.com", null, "cert", "pwd", STATIC));
- server.addCertificate(new SSLCertificateConfiguration("*.qapatchweb.peachtest.it", Set.of("qapatchweb.peachtest.it"), "cert", "pwd", STATIC));
- server.addCertificate(new SSLCertificateConfiguration("*.qapatch2web.peachtest.it", Set.of("qapatch2web.peachtest.it"), "cert", "pwd", STATIC));
- server.addCertificate(new SSLCertificateConfiguration("*.peachtest.it", Set.of("gemini.peachtest.it"), "cert", "pwd", STATIC));
+ server.addCertificate(new SSLCertificateConfiguration("*.qatest.pexample.it", Set.of("qatest.pexample.it"), "cert", "pwd", STATIC));
+ server.addCertificate(new SSLCertificateConfiguration("*.pexample.it", Set.of("qatest2.pexample.it"), "cert", "pwd", STATIC));
 // client requests bad SNI, bad default in listener
 assertNull(server.getListeners().chooseCertificate("no", "no-default"));
- assertEquals("*.qapatchweb.peachtest.it", server.getListeners().chooseCertificate("test.qapatchweb.peachtest.it", "no-default").getId());
-
+ assertEquals("*.qatest.pexample.it", server.getListeners().chooseCertificate("test2.qatest.pexample.it", "no-default").getId());
 // client requests SNI, bad default in listener
 assertEquals("other", server.getListeners().chooseCertificate("other", "no-default").getId());
@@ -136,19 +134,6 @@ public void testChooseCertificate() throws Exception {
 assertEquals("*.example.com", server.getListeners().chooseCertificate("example.com", "no-default").getId());
 assertEquals("*.example.com", server.getListeners().chooseCertificate("test.example2.com", "no-default").getId());
 }
-
- try (HttpProxyServer server = new HttpProxyServer(mapper, tmpDir.getRoot());) {
-
- // full wildcard
- server.addCertificate(new SSLCertificateConfiguration("*", null, "cert", "pwd", STATIC));
-
- assertEquals("*", server.getListeners().chooseCertificate(null, "www.example.com").getId());
- assertEquals("*", server.getListeners().chooseCertificate("www.example.com", null).getId());
- assertEquals("*", server.getListeners().chooseCertificate(null, null).getId());
- assertEquals("*", server.getListeners().chooseCertificate("", null).getId());
- assertEquals("*", server.getListeners().chooseCertificate(null, "").getId());
- }
-
- } @Test