On 21 Aug 2014, at 17:50, Dirk-Willem van Gulik <[email protected]> wrote:
>
> On 21 Aug 2014, at 15:26, Oleg Kalnichevski <[email protected]> wrote:
>
>> I have pretty much completely rewritten every bit of code related to
>> hostname verification in SVN trunk.
>>
>> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
>>
>> I would truly appreciate someone doing a peer review of the changes
>> and / or giving me feedback with regards to further improvements.
>
> - regex for the pattern
>
> From my read - it seems that you build with input under the user control if I
> am not mistaken - yet it could be more than mere characters.
>
> So I am a bit worried about evil regexes slipping in (e.g. ReDoS); and then
> causing some sort of exhaustion*.
>

Found that some of below are indeed able to hang the regex stack (e.g. # 2).

However the more elaborate regexes are blocked by:

    private final static Pattern WILDCARD_PATTERN = Pattern.compile(
            "^[a-z0-9\\-\\*]+(\\.[a-z0-9\\-]+){2,}$", Pattern.CASE_INSENSITIVE);
    ..
    WILDCARD_PATTERN.matcher(identity).matches()

which we apply to the subjectAltName, CN, etc.

So that is not too bad then - assuming that that regex does not let them through. Which is likely - as the only dangerous thing I see in there is a *.

Obviously - as we get into UTF8 internationalized domain names - we may accidentally break that protection at some point.

Dw.

> Having said that - I tried a few obvious ones - and have not gotten a decent
> example yet.
>
> /**
>  * Evil Regex example(s) / openssl req -new -x509 -nodes -keyout
>  * /dev/null -subj "/CN=^(([a-z])+.)+[A-Z]([a-z])+$"
>  */
>
> // CN = ^(([a-z])+.)+[A-Z]([a-z])+$
> public final static byte[] X509_EVIL_REGEX_1 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIICGjCCAYOgAwIBAgIJAOo56cPW09+fMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV\n" +
>     "BAMMG14oKFthLXpdKSsuKStbQS1aXShbYS16XSkrJDAeFw0xNDA4MjExMzAzMTVa\n" +
>     "Fw0xNDA5MjAxMzAzMTVaMCYxJDAiBgNVBAMMG14oKFthLXpdKSsuKStbQS1aXShb\n" +
>     "YS16XSkrJDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3Qo9S/QuEAmVnV9O\n" +
>     "g7TsdUfjhV+szbCiia3S1Wyywmn70x7UOuxN05kEuYiQOljHk+lcLbZqFjkDoCde\n" +
>     "3sTrYzocsDV1F44aoIDNf6FoTF4zvO5DrH5PQ7AXS0ot9QLwHbBbNnc8BUDUxcro\n" +
>     "v4lpDbo7OHdneLPC3iMy6H+TTHUCAwEAAaNQME4wHQYDVR0OBBYEFER/UmoLTblm\n" +
>     "HC4lnANRHTJJ81aBMB8GA1UdIwQYMBaAFER/UmoLTblmHC4lnANRHTJJ81aBMAwG\n" +
>     "A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQdpC4WQ15IN6lzaA0S3QjSRG\n" +
>     "Sk9Ds4iepfM2xWDFI78oTtYvnffv0Ow+Yzs2QoDHVyRZO7IS9gBWAmGvVvZbTXJD\n" +
>     "tNofNu074GddS9P1GSj+cd4XsX5pDW8QlYPupg3/5XV3l2i99Eo/EodP3U3WnZd7\n" +
>     "pTUwN+iCW4sz516Tp40=\n" +
>     "-----END CERTIFICATE-----").getBytes();
>
> // CN = (.*a){30}
> public final static byte[] X509_EVIL_REGEX_2 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIIB9jCCAV+gAwIBAgIJAKFcCPW2esygMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV\n" +
>     "BAMMCSguKmEpezMwfTAeFw0xNDA4MjExMzIxMDBaFw0xNDA5MjAxMzIxMDBaMBQx\n" +
>     "EjAQBgNVBAMMCSguKmEpezMwfTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA\n" +
>     "l4ajddWLAnNAbMkrInDgn5MH5bleFUm1Aq+HDxuBEmy1vabxoyV5GDexL9NquAsL\n" +
>     "AxOLihWFMjG6NpPCB4rQa98vBSEaj2N+Yp4DTfS01INkOxxOQX+zNfh54GDeJfQS\n" +
>     "0/+BdzZsGVhE6/ekPLh4He3MO9vC6hXaD79beIRdTN8CAwEAAaNQME4wHQYDVR0O\n" +
>     "BBYEFODDhk2qLs0qraeXtwHBRE3C1VWPMB8GA1UdIwQYMBaAFODDhk2qLs0qraeX\n" +
>     "twHBRE3C1VWPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQHwEiaOy\n" +
>     "NMs8XbZfbovlXUDtIm20PiQ82TZHYb0kGd+UhcBfGMewi1wO2/ETYToVFbKaELTm\n" +
>     "cQcad5TQM6KnACi1uZSJLLMO9eFT4sF9ZErcVPNPvszcE0K5PBWu7m4el7ZG4tOe\n" +
>     "eMam4OzNiZpNy+9aXe4Zh4ZvxS/ReD7+PHM=\n" +
>     "-----END CERTIFICATE-----").getBytes();
>
> // CN = (aa|aab?)+
> public final static byte[] X509_EVIL_REGEX_3 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIIB+DCCAWGgAwIBAgIJAJyEzt1ofEhdMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV\n" +
>     "BAMMCihhYXxhYWI/KSswHhcNMTQwODIxMTQ1MzIwWhcNMTQwOTIwMTQ1MzIwWjAV\n" +
>     "MRMwEQYDVQQDDAooYWF8YWFiPykrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
>     "gQC9XeUm4juhMbeqyMdUgU9Oiudec89Yp+68jfg1397w8yoSrxssUucicnpBS7Kf\n" +
>     "M0JDy3E3CWSa/mphey9zS+rxxHE+p4u7h3uCZanTe4RcrkRy8jF4VdroDqugm+1T\n" +
>     "PIV24mNFCsHQU7w4EiWLgvnxkCrBfFmpHEwOYp2GH7/E5QIDAQABo1AwTjAdBgNV\n" +
>     "HQ4EFgQUdbxxDEpEMjiY0viM0EfNWWtZPIgwHwYDVR0jBBgwFoAUdbxxDEpEMjiY\n" +
>     "0viM0EfNWWtZPIgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCuBjrr\n" +
>     "Xdn9KxN5WMwLZ/K6zj403s7eia8Pl2SNofPj7V5t5vXbhCceM1g2NTy1XgB/remx\n" +
>     "6o3V4Lw94uj3WFdp8UT3sL+PNUuUgg98zUgCcED9EMMU0mKdcHzrwjzZBTjQOF/I\n" +
>     "ggNk2gVdv6awgBUel0hcWY9/F9a3pNWYMmFn5A==\n" +
>     "-----END CERTIFICATE-----").getBytes();
>
> // CN = ^(a+)+$
> public final static byte[] X509_EVIL_REGEX_4 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIIB8jCCAVugAwIBAgIJAPU+FLeLYdGUMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
>     "BAMMB14oYSspKyQwHhcNMTQwODIxMTQ1NzExWhcNMTQwOTIwMTQ1NzExWjASMRAw\n" +
>     "DgYDVQQDDAdeKGErKSskMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYIkgN\n" +
>     "N4Y8ZCIjztOzuzqth7gObsuSR7BjWp4FTg9T6J2hfyBrxu1WZY/J/4b01VdJMNE5\n" +
>     "yMQI9A49i229DSSXKssv9VsLNgRN5X2el4HQg9ibialgB6KUwmL+c2vv4hJ92mrc\n" +
>     "lnr54CVsXmxgABYhShkWZqIuTyAUE2r1FVqQtQIDAQABo1AwTjAdBgNVHQ4EFgQU\n" +
>     "36WZSogs45HIg7G8MWKfU+NsSBQwHwYDVR0jBBgwFoAU36WZSogs45HIg7G8MWKf\n" +
>     "U+NsSBQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBvzGB/5B4tF7dz\n" +
>     "ME1AhudTbmHyuPAGhGg3DUpPBNNZHHgYS1zGpXgcDlOaXYuvFrb81sCVGNAhCijq\n" +
>     "wMiQEwW2GWWKi7qNnj/W35OyVsXTchfRXuL75ZcVzABa8hdldijwhvFHev75X+HW\n" +
>     "Nr5sa4rDYtwqkERMJCtSpE9lETID2A==\n" +
>     "-----END CERTIFICATE-----").getBytes();
>
> // CN = (*a){30}
> public final static byte[] X509_EVIL_REGEX_5 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIIB9DCCAV2gAwIBAgIJAJkLISjl9geAMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV\n" +
>     "BAMMCCgqYSl7MzB9MB4XDTE0MDgyMTE1MDM1MFoXDTE0MDkyMDE1MDM1MFowEzER\n" +
>     "MA8GA1UEAwwIKCphKXszMH0wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOLH\n" +
>     "GTkGbs0+/7AQoVYG/nHgSLmr9pnd5oAcOVp/ncN7csMrQab4ftfZNFrEsAseRNl5\n" +
>     "5b1CD0hkz3+sfXdocNUZl7bmkpIqhyHqo2QULbR9j7fTH8IIDbsipMj45FS6gm3P\n" +
>     "ryL6n99z2jxpkUu6MgR9FNO9uUer57idANstbJwjAgMBAAGjUDBOMB0GA1UdDgQW\n" +
>     "BBTmSxwccA9GPyAF7qhlUF9XTghFzDAfBgNVHSMEGDAWgBTmSxwccA9GPyAF7qhl\n" +
>     "UF9XTghFzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEwPdipEPBGp\n" +
>     "3ajUKj6Fq4AdI8lOZIFrghjSNDqRe2ANybjwETt/seYOAdIFxlhW2ALDp8mNJAKP\n" +
>     "5s5aFjeNlUvQKmtLm2ZDIQ0GlrjXZ3R1et1Qwd9XPBGsHK8pmmJZB9pbqdWzVF+w\n" +
>     "5cgEPhsWHxM16wVtFUIMskyhtlO+Ai/6\n" +
>     "-----END CERTIFICATE-----").getBytes();
>
> // CN = "ignored"; the patterns of #2-#5 are carried in the subjectAltName
> // extension instead (as otherName, dNSName and rfc822Name entries)
> public final static byte[] X509_EVIL_REGEX_6 = (
>     "-----BEGIN CERTIFICATE-----\n" +
>     "MIICVjCCAgCgAwIBAgIJAMskaCGIhO70MA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
>     "BAMMB2lnbm9yZWQwHhcNMTQwODIxMTUzNjA1WhcNMTQwOTIwMTUzNjA1WjASMRAw\n" +
>     "DgYDVQQDDAdpZ25vcmVkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQg+BI6DYd0\n" +
>     "RviglOAXhp58CKloK1pzenOugAJ8afCTszQVUzWN+cq5ZS0lxdLQ0WOS2jCDlJfW\n" +
>     "j2XQOBLsuQUCAwEAAaOCATcwggEzMAsGA1UdDwQEAwIF4DAJBgNVHRMEAjAAMIIB\n" +
>     "FwYDVR0RBIIBDjCCAQqgEAYDKgMEoAkMB14oYSspKySgEgYDKgMEoAsMCSguKmEp\n" +
>     "ezMwfaARBgMqAwSgCgwIKCphKXszMH2gEwYDKgMEoAwMCihhYXxhYWI/KSuCFDEu\n" +
>     "Mi4zLjQ7VVRGODpeKGErKSskghYxLjIuMy40O1VURjg6KC4qYSl7MzB9ghUxLjIu\n" +
>     "My40O1VURjg6KCphKXszMH2CFzEuMi4zLjQ7VVRGODooYWF8YWFiPykrgRQxLjIu\n" +
>     "My40O1VURjg6XihhKykrJIEWMS4yLjMuNDtVVEY4OiguKmEpezMwfYEVMS4yLjMu\n" +
>     "NDtVVEY4OigqYSl7MzB9gRcxLjIuMy40O1VURjg6KGFhfGFhYj8pKzANBgkqhkiG\n" +
>     "9w0BAQUFAANBAA+NxqNkEqYRWL0Z5940zk4ddZxgD4HnQiOcsEWm0Akys370T7iQ\n" +
>     "KNiBrfnX7Uf8VF7ZkxmxXH39Xo6hIqHfTXo=\n" +
>     "-----END CERTIFICATE-----").getBytes();
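As an added illustration (my own code, not httpclient's), the quoted WILDCARD_PATTERN gate applied to the CNs decoded from the evil certificates above, next to a wildcard match that splits on '*' instead of compiling the identity into a regex; the class and method names are assumed.

```java
import java.util.regex.Pattern;

// Added example, not httpclient code. Class and method names are assumed.
public final class WildcardGateDemo {
    // The gate exactly as quoted from httpclient trunk in the message above.
    private static final Pattern WILDCARD_PATTERN = Pattern.compile(
            "^[a-z0-9\\-\\*]+(\\.[a-z0-9\\-]+){2,}$", Pattern.CASE_INSENSITIVE);

    // Only ASCII letters, digits, '-' and '*' survive, with at least two
    // plain labels after the wildcard label; every regex metacharacter fails.
    static boolean passesGate(String identity) {
        return WILDCARD_PATTERN.matcher(identity).matches();
    }

    // Wildcard match without ever compiling the identity: split on '*' and
    // compare prefix/suffix, letting '*' stand for one label fragment only.
    static boolean matchWildcard(String identity, String host) {
        if (!passesGate(identity)) {
            return false;                       // reject before building anything
        }
        String id = identity.toLowerCase(), h = host.toLowerCase();
        int star = id.indexOf('*');
        if (star < 0) {
            return id.equals(h);
        }
        if (id.indexOf('*', star + 1) >= 0 || star > id.indexOf('.')) {
            return false;                       // one '*', left-most label only
        }
        String prefix = id.substring(0, star), suffix = id.substring(star + 1);
        if (h.length() <= prefix.length() + suffix.length()
                || !h.startsWith(prefix) || !h.endsWith(suffix)) {
            return false;
        }
        String middle = h.substring(prefix.length(), h.length() - suffix.length());
        return middle.indexOf('.') < 0;         // '*' must not span a dot
    }

    public static void main(String[] args) {
        // CNs carried by evil certificates #1-#5 above (decoded from the PEM blobs).
        String[] evil = { "^(([a-z])+.)+[A-Z]([a-z])+$", "(.*a){30}", "(aa|aab?)+",
                          "^(a+)+$", "(*a){30}" };
        for (String cn : evil) {
            System.out.println(passesGate(cn) + "  <- " + cn);          // false for all five
        }
        System.out.println(matchWildcard("*.example.com", "www.example.com"));   // true
        System.out.println(matchWildcard("*.example.com", "a.b.example.com"));   // false
        System.out.println(matchWildcard("*.com", "example.com"));               // false: {2,} not met
        System.out.println(passesGate("*.bücher.example"));                      // false: non-ASCII
    }
}
```

The last line shows the caveat from the message: the gate rejects non-ASCII labels outright, so any loosening of the character class for internationalized names has to be re-checked against the evil CNs.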
