Hello community,

here is the log from the commit of package jakarta-commons-httpclient3.1518 for 
openSUSE:12.1:Update checked in at 2013-04-04 16:29:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/jakarta-commons-httpclient3.1518 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.jakarta-commons-httpclient3.1518.new 
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jakarta-commons-httpclient3.1518", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2013-04-04 09:12:34.372011006 +0200
+++ 
/work/SRC/openSUSE:12.1:Update/.jakarta-commons-httpclient3.1518.new/jakarta-commons-httpclient3.changes
    2013-04-04 16:29:46.000000000 +0200
@@ -0,0 +1,47 @@
+-------------------------------------------------------------------
+Thu Mar 28 10:33:37 UTC 2013 - mvysko...@suse.com
+
+- enhance fix of bnc#803332 / CVE-2012-5783
+  * add a check for subjectAltNames for instance
+
+-------------------------------------------------------------------
+Thu Feb 14 08:47:07 UTC 2013 - mvysko...@suse.com
+
+- fix bnc#803332: no ssl certificate hostname checking (CVE-2012-5783)
+  * commons-httpclient-CVE-2012-5783.patch
+- use versioned provides/obsoletes
+
+-------------------------------------------------------------------
+Thu Jul 17 07:45:10 CEST 2008 - co...@suse.de
+
+- avoid another build cycle
+
+-------------------------------------------------------------------
+Mon Oct  2 15:47:26 CEST 2006 - dbornkes...@suse.de
+
+- update to v3.0.1 
+- fixes necessary to compile with Java 1.5.0 (in 3.0.1 version)
+        - set source="1.4" and target="1.4" for ant "javac" tasks
+        - set source="1.4" for ant "javadoc" tasks
+
+-------------------------------------------------------------------
+Mon Sep 25 12:47:02 CEST 2006 - s...@suse.de
+
+- don't use icecream
+- use source="1.4" and target="1.4" for build with java 1.5
+
+-------------------------------------------------------------------
+Wed Jan 25 21:46:37 CET 2006 - m...@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan  4 18:21:39 CET 2006 - dbornkes...@suse.de
+
+- disabled and 'test' target as that was specially written for sun JRE and 
hence fails with other JREs
+
+-------------------------------------------------------------------
+Mon Dec 19 21:02:45 CET 2005 - dbornkes...@suse.de
+
+- Current version 3.0 from JPackage.org
+

New:
----
  commons-httpclient-3.0.1-src.tar.bz2
  commons-httpclient-CVE-2012-5783-2.patch
  jakarta-commons-httpclient3.changes
  jakarta-commons-httpclient3.spec
  java150_build.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jakarta-commons-httpclient3.spec ++++++
#
# spec file for package jakarta-commons-httpclient3
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# icecream 0


# Preamble of the main package: name, build dependencies, version, sources,
# patches and the runtime dependency.
Name:           jakarta-commons-httpclient3
# Packages needed only at build time.
BuildRequires:  ant-junit
BuildRequires:  jaf
BuildRequires:  jakarta-commons-codec
BuildRequires:  jakarta-commons-discovery
BuildRequires:  java2-devel-packages
BuildRequires:  javamail
BuildRequires:  log4j-mini
BuildRequires:  servletapi5
BuildRequires:  wsdl4j
# Helper macros. NOTE(review): "release" is defined here as 0.rc4.1jpp while
# the Release tag below is 0, and the Provides/Obsoletes lines expand the
# release macro - confirm which value ends up in those versioned relations.
%define short_name httpclient3
%define name       jakarta-commons-%{short_name}
%define version    3.0.1
%define release    0.rc4.1jpp
%define section    free
Version:        3.0.1
Release:        0
Summary:        Feature rich package for accessing resources via HTTP
License:        Apache-2.0
Group:          Development/Libraries/Java
# Former upstream download location, kept for reference only:
#Source0:        
http://archive.apache.org/dist/jakarta/commons/httpclient/source/commons-httpclient-3.0-rc4-src.tar.gz
# The tarball actually built is the one stored with the package sources.
# NOTE(review): nothing in this spec checks a signature or checksum for it -
# presumably integrity relies on the build service's source tracking; confirm.
Source0:        commons-httpclient-%{version}-src.tar.bz2
# Security fix for bnc#803332 / CVE-2012-5783: Patch0 adds certificate
# hostname verification (CN and dNSName subjectAltNames) to
# SSLProtocolSocketFactory. Origin of the patch:
#PATCH-FIX-UPSTREAM: bnc#803332
#https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch
Patch0:         commons-httpclient-CVE-2012-5783-2.patch
# Sets source/target 1.4 on the ant javac and javadoc tasks in build.xml.
Patch150:       java150_build.patch
Url:            http://jakarta.apache.org/commons/httpclient/
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# Runtime dependency.
Requires:       jakarta-commons-logging >= 1.0.3
# Versioned Provides/Obsoletes for the name without the jakarta- prefix.
Provides:       commons-%{short_name} = %{version}-%{release}
Obsoletes:      commons-%{short_name} < %{version}-%{release}

%description
Although the java.net  package provides basic functionality for
accessing resources via HTTP, it doesn't provide the full flexibility
or functionality needed by many applications. The Jakarta Commons
HttpClient component seeks to fill this void by providing an efficient,
up-to-date, and feature-rich package implementing the client side of
the most recent HTTP standards and recommendations.

Designed for extension while providing robust support for the base HTTP
protocol, the HttpClient component may be of interest to anyone
building HTTP-aware client applications such as web browsers, web
service clients, or systems that leverage or extend the HTTP protocol
for distributed communication.



Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%package        javadoc
PreReq:         coreutils
Summary:        Developer documentation for jakarta-commons-httpclient3
Group:          Development/Libraries/Java

%description    javadoc
Developer documentation for jakarta-commons-httpclient3 in JavaDoc
format.



Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%package        demo
Summary:        Demonstration files for  jakarta-commons-httpclient3
Group:          Development/Libraries/Java
Requires:       %{name} = %{version}-%{release}

%description    demo
Demonstration files for jakarta-commons-httpclient3. NOTE: It is
possible that some demonstration files are specially prepared for SUN
Java runtime environment. If they fail with IBM or BEA Java, the
package itself does not need to be broken.



Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%package        manual
Summary:        Manual for jakarta-commons-httpclient3
Group:          Development/Libraries/Java

%description    manual
Manual for jakarta-commons-httpclient3



Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%prep
# Unpack Source0 and enter the commons-httpclient-<version> directory.
%setup -q -n commons-httpclient-%{version}
# Apply the CVE-2012-5783 hostname-verification patch. Its file headers name a
# commons-httpclient-3.1 tree; -p1 strips that leading directory, so the patch
# is applied to the 3.0.1 sources unpacked above.
%patch0 -p1

# Apply the build.xml patch that sets source/target 1.4.
%patch150 -p1
# Create an empty lib directory (presumably expected by the ant build - confirm).
mkdir lib # duh
# Remove docs/apidocs and any .patch/.orig/.rej files from the docs directory.
rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej

%build
# Export a classpath holding the listed jars. build-classpath runs inside a
# shell-expansion macro, i.e. when the spec is parsed, not when the script runs.
export CLASSPATH=%(build-classpath jsse jce junit jakarta-commons-codec 
jakarta-commons-logging)
# Run the "dist" target of build.xml. build.sysclasspath=first puts the
# classpath exported above ahead of the one declared in the build file; the two
# javadoc link properties point at directories under the javadoc dir.
ant \
  -Dbuild.sysclasspath=first \
  -Djavadoc.j2sdk.link=%{_javadocdir}/java \
  -Djavadoc.logging.link=%{_javadocdir}/jakarta-commons-logging \
  dist 

%install
# jars: install the built jar under the full package name plus version.
mkdir -p $RPM_BUILD_ROOT%{_javadir}
cp -p dist/commons-httpclient.jar \
  $RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
# For every versioned jar, add a symlink whose name drops the "jakarta-" prefix.
(cd $RPM_BUILD_ROOT%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} 
`echo $jar| sed "s|jakarta-||g"`; done)
# Then add unversioned symlinks; the glob now also matches the link made above,
# so both the prefixed and the unprefixed name get an unversioned alias.
(cd $RPM_BUILD_ROOT%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} 
`echo $jar| sed "s|-%{version}||g"`; done)
# javadoc: move the generated API docs into a versioned directory and point an
# unversioned symlink at it.
mkdir -p $RPM_BUILD_ROOT%{_javadocdir}
mv dist/docs/api $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
ln -s %{name}-%{version} $RPM_BUILD_ROOT%{_javadocdir}/%{name} # ghost symlink
# demo: copy the example and contrib sources into the package data directory.
mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}
cp -pr src/examples src/contrib $RPM_BUILD_ROOT%{_datadir}/%{name}
# manual and docs: drop the build/test instructions and link "apidocs" in the
# manual tree to the installed javadoc location.
rm -f dist/docs/{BUILDING,TESTING}.txt
ln -s %{_javadocdir}/%{name} dist/docs/apidocs

%clean
# Remove the staging tree that the install section populated.
rm -rf $RPM_BUILD_ROOT

%post javadoc
# Scriptlet of the javadoc subpackage: replace whatever is at the unversioned
# javadoc path with a symlink to this version's directory.
rm -f %{_javadocdir}/%{name}
ln -s %{name}-%{version} %{_javadocdir}/%{name}

%files
# Main package. defattr: files mode 0644, directories 0755, owner and group root.
%defattr(0644,root,root,0755)
%doc LICENSE.txt README.txt RELEASE_NOTES.txt
# Everything installed into the java dir: the jar and its symlinks.
%{_javadir}/*

%files javadoc
# API documentation in its versioned directory.
%defattr(0644,root,root,0755)
%doc %{_javadocdir}/%{name}-%{version}
# Unversioned symlink, listed as ghost; the javadoc post scriptlet creates it.
%ghost %doc %{_javadocdir}/%{name}

%files demo
# Example and contrib sources copied by the install section.
%defattr(0644,root,root,0755)
%{_datadir}/%{name}

%files manual
# Remaining contents of dist/docs, taken straight from the build tree.
%defattr(0644,root,root,0755)
%doc dist/docs/*

%changelog
++++++ commons-httpclient-CVE-2012-5783-2.patch ++++++

--- 
commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ 
commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -31,10 +31,25 @@
 package org.apache.commons.httpclient.protocol;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.net.UnknownHostException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.StringTokenizer;
+import java.util.regex.Pattern;
 
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
@@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory im
      */
     private static final SSLProtocolSocketFactory factory = new 
SSLProtocolSocketFactory();
     
+    // This is a a sorted list, if you insert new elements do it orderdered.
+    private final static String[] BAD_COUNTRY_2LDS =
+        {"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
+            "lg", "ne", "net", "or", "org"};
+    
     /**
      * Gets an singleton instance of the SSLProtocolSocketFactory.
      * @return a SSLProtocolSocketFactory
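Review bot: The comment on `BAD_COUNTRY_2LDS` has typos and does not say why the order matters: `acceptableCountryWildcard` looks entries up with `Arrays.binarySearch`, which gives wrong answers on an unsorted array without any error. I would replace it with `// Must stay sorted (natural String order): acceptableCountryWildcard() uses Arrays.binarySearch on it.` The same comment should state that the list is a heuristic covering only these second-level labels under a two-letter TLD, not a full public-suffix check.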
@@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory im
         InetAddress clientHost,
         int clientPort)
         throws IOException, UnknownHostException {
-        return SSLSocketFactory.getDefault().createSocket(
+        Socket sslSocket =  SSLSocketFactory.getDefault().createSocket(
             host,
             port,
             clientHost,
             clientPort
         );
+        verifyHostName(host, (SSLSocket) sslSocket);
+        return sslSocket;
     }
 
     /**
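Review bot: If `verifyHostName` throws here, the connected `sslSocket` is never closed and the caller has no reference to it, so each rejected certificate leaves a TLS connection open until the socket is collected. Close it on the failure path, for example `try { verifyHostName(host, (SSLSocket) sslSocket); } catch (IOException e) { sslSocket.close(); throw e; }`; the same applies to the `createSocket` overloads in the `@@ -124`, `@@ -142` and `@@ -157` hunks. In the `@@ -124` hunk the `timeout == 0` branch additionally verifies twice, because it delegates to this overload and then calls `verifyHostName` again; returning the delegate's result directly is enough there. This method's signature begins above the hunk.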
@@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory im
         }
         int timeout = params.getConnectionTimeout();
         if (timeout == 0) {
-            return createSocket(host, port, localAddress, localPort);
+            Socket sslSocket =  createSocket(host, port, localAddress, 
localPort);
+            verifyHostName(host, (SSLSocket) sslSocket);
+            return sslSocket;
         } else {
             // To be eventually deprecated when migrated to Java 1.4 or above
-            Socket socket = ReflectionSocketFactory.createSocket(
+            Socket sslSocket = ReflectionSocketFactory.createSocket(
                 "javax.net.ssl.SSLSocketFactory", host, port, localAddress, 
localPort, timeout);
-            if (socket == null) {
-                socket = ControllerThreadSocketFactory.createSocket(
+            if (sslSocket == null) {
+               sslSocket = ControllerThreadSocketFactory.createSocket(
                     this, host, port, localAddress, localPort, timeout);
             }
-            return socket;
+            verifyHostName(host, (SSLSocket) sslSocket);
+            return sslSocket;
         }
     }
 
@@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory im
      */
     public Socket createSocket(String host, int port)
         throws IOException, UnknownHostException {
-        return SSLSocketFactory.getDefault().createSocket(
+        Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
             host,
             port
         );
+        verifyHostName(host, (SSLSocket) sslSocket);
+        return sslSocket;
     }
 
     /**
@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory im
         int port,
         boolean autoClose)
         throws IOException, UnknownHostException {
-        return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(
+        Socket sslSocket = ((SSLSocketFactory) 
SSLSocketFactory.getDefault()).createSocket(
             socket,
             host,
             port,
             autoClose
         );
+        verifyHostName(host, (SSLSocket) sslSocket);
+        return sslSocket;
     }
+    
+
+    
+    
+    /**
+     * Verifies that the given hostname in certicifate is the hostname we are 
trying to connect to
+     * http://www.cvedetails.com/cve/CVE-2012-5783/
+     * @param host
+     * @param ssl
+     * @throws IOException
+     */
+    
+       private static void verifyHostName(String host, SSLSocket ssl)
+                       throws IOException {
+               if (host == null) {
+                       throw new IllegalArgumentException("host to verify was 
null");
+               }
+
+               SSLSession session = ssl.getSession();
+               if (session == null) {
+            // In our experience this only happens under IBM 1.4.x when
+            // spurious (unrelated) certificates show up in the server's chain.
+            // Hopefully this will unearth the real problem:
+                       InputStream in = ssl.getInputStream();
+                       in.available();
+            /*
+                 If you're looking at the 2 lines of code above because you're
+                 running into a problem, you probably have two options:
+
+                    #1.  Clean up the certificate chain that your server
+                         is presenting (e.g. edit "/etc/apache2/server.crt" or
+                         wherever it is your server's certificate chain is
+                         defined).
+
+                                             OR
+
+                    #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch to 
a
+                          non-IBM JVM.
+              */
+
+            // If ssl.getInputStream().available() didn't cause an exception,
+            // maybe at least now the session is available?
+                       session = ssl.getSession();
+                       if (session == null) {
+                // If it's still null, probably a startHandshake() will
+                // unearth the real problem.
+                               ssl.startHandshake();
+
+                // Okay, if we still haven't managed to cause an exception,
+                // might as well go for the NPE.  Or maybe we're okay now?
+                               session = ssl.getSession();
+                       }
+               }
+
+               Certificate[] certs = session.getPeerCertificates();
+               verifyHostName(host.trim().toLowerCase(Locale.US),  
(X509Certificate) certs[0]);
+       }
+       /**
+        * Extract the names from the certificate and tests host matches one of 
them
+        * @param host
+        * @param cert
+        * @throws SSLException
+        */
+
+       private static void verifyHostName(final String host, X509Certificate 
cert)
+                       throws SSLException {
+        // I'm okay with being case-insensitive when comparing the host we used
+        // to establish the socket to the hostname in the certificate.
+        // Don't trim the CN, though.
+        
+               String cn = getCN(cert);
+               String[] subjectAlts = getDNSSubjectAlts(cert);
+               verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts);
+
+       }
+
+       /**
+        * Extract all alternative names from a certificate.
+        * @param cert
+        * @return
+        */
+       private static String[] getDNSSubjectAlts(X509Certificate cert) {
+               LinkedList subjectAltList = new LinkedList();
+               Collection c = null;
+               try {
+                       c = cert.getSubjectAlternativeNames();
+               } catch (CertificateParsingException cpe) {
+                       // Should probably log.debug() this?
+                       cpe.printStackTrace();
+               }
+               if (c != null) {
+                       Iterator it = c.iterator();
+                       while (it.hasNext()) {
+                               List list = (List) it.next();
+                               int type = ((Integer) list.get(0)).intValue();
+                               // If type is 2, then we've got a dNSName
+                               if (type == 2) {
+                                       String s = (String) list.get(1);
+                                       subjectAltList.add(s);
+                               }
+                       }
+               }
+               if (!subjectAltList.isEmpty()) {
+                       String[] subjectAlts = new 
String[subjectAltList.size()];
+                       subjectAltList.toArray(subjectAlts);
+                       return subjectAlts;
+               } else {
+                       return new String[0];
+               }
+               
+       }
+       /**
+        * Verifies
+        * @param host
+        * @param cn
+        * @param subjectAlts
+        * @throws SSLException
+        */
+
+       private static void verifyHostName(final String host, String cn, 
String[] subjectAlts)throws SSLException{
+               StringBuffer cnTested = new StringBuffer();
+
+               for (int i = 0; i < subjectAlts.length; i++){
+                       String name = subjectAlts[i];
+                       if (name != null) {
+                               name = name.toLowerCase();
+                               if (verifyHostName(host, name)){
+                                       return;
+                               }
+                               cnTested.append("/").append(name);
+                       }                               
+               }
+               if (cn != null && verifyHostName(host, cn)){
+                       return;
+               }
+               cnTested.append("/").append(cn);
+               throw new SSLException("hostname in certificate didn't match: <"
+                                       + host + "> != <" + cnTested + ">");
+               
+       }               
+       
+       private static boolean verifyHostName(final String host, final String 
cn){
+               if (doWildCard(cn) && !isIPAddress(host)) {
+                       return matchesWildCard(cn, host);
+               } 
+               return host.equalsIgnoreCase(cn);               
+       }
+    private static boolean doWildCard(String cn) {
+               // Contains a wildcard
+               // wildcard in the first block
+       // not an ipaddress (ip addres must explicitily be equal)
+       // not using 2nd level common tld : ex: not for *.co.uk
+       String parts[] = cn.split("\\.");
+       return parts.length >= 3 &&
+                       parts[0].endsWith("*") &&
+                       acceptableCountryWildcard(cn) &&
+                       !isIPAddress(cn);
+    }
+    
+    
+       private static final Pattern IPV4_PATTERN = 
+                       
Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$");
+
+       private static final Pattern IPV6_STD_PATTERN = 
+                       
Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
+
+       private static final Pattern IPV6_HEX_COMPRESSED_PATTERN = 
+                       
Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");
+
+
+       private static boolean isIPAddress(final String hostname) {
+               return hostname != null
+                               && (
+                                               
IPV4_PATTERN.matcher(hostname).matches()
+                                               || 
IPV6_STD_PATTERN.matcher(hostname).matches() 
+                                               || 
IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches()
+               );
+
+       }
+
+       private static boolean acceptableCountryWildcard(final String cn) {
+               // The CN better have at least two dots if it wants wildcard 
action,
+               // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
+               // The [*.co.uk] problem is an interesting one. Should we just
+               // hope that CA's would never foolishly allow such a
+               // certificate to happen?
+       
+               String[] parts = cn.split("\\.");
+               // Only checks for 3 levels, with country code of 2 letters.
+               if (parts.length > 3 || parts[parts.length - 1].length() != 2) {
+                       return true;
+               }
+               String countryCode = parts[parts.length - 2];
+               return Arrays.binarySearch(BAD_COUNTRY_2LDS, countryCode) < 0;
+       }
+
+       private static boolean matchesWildCard(final String cn,
+                       final String hostName) {
+               String parts[] = cn.split("\\.");
+               boolean match = false;
+               String firstpart = parts[0];
+               if (firstpart.length() > 1) {
+                       // server∗
+                       // e.g. server
+                       String prefix =  firstpart.substring(0, 
firstpart.length() - 1);
+                       // skipwildcard part from cn
+                       String suffix = cn.substring(firstpart.length()); 
+                       // skip wildcard part from host
+                       String hostSuffix = 
hostName.substring(prefix.length());                        
+                       match = hostName.startsWith(prefix) && 
hostSuffix.endsWith(suffix);
+               } else {
+                       match = hostName.endsWith(cn.substring(1));
+               }
+               if (match) {
+                       // I f we're in strict mode ,
+                       // [ ∗.foo.com] is not allowed to match [a.b.foo.com]
+                       match = countDots(hostName) == countDots(cn);
+               }
+               return match;
+       }
+
+       private static int countDots(final String data) {
+               int dots = 0;
+               for (int i = 0; i < data.length(); i++) {
+                       if (data.charAt(i) == '.') {
+                               dots += 1;
+                       }
+               }
+               return dots;
+       }
+
+       private static String getCN(X509Certificate cert) {
+        // Note:  toString() seems to do a better job than getName()
+        //
+        // For example, getName() gives me this:
+        // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+        //
+        // whereas toString() gives me this:
+        // EMAILADDRESS=juliusdav...@cucbc.com        
+               String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
+               
+               return getCN(subjectPrincipal);
+
+       }
+       private static String getCN(String subjectPrincipal) {
+               StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+               while(st.hasMoreTokens()) {
+                       String tok = st.nextToken().trim();
+                       if (tok.length() > 3) {
+                               if (tok.substring(0, 
3).equalsIgnoreCase("CN=")) {
+                                       return tok.substring(3);
+                               }
+                       }
+               }
+               return null;
+       }
 
     /**
      * All instances of SSLProtocolSocketFactory are the same.
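Review bot: `verifyHostName(String, X509Certificate)` calls `cn.toLowerCase(Locale.US)` although `getCN` returns `null` when the subject has no `CN=` token, so a certificate that carries only subjectAltName entries fails with a NullPointerException instead of being matched on its dNSName values; pass `cn == null ? null : cn.toLowerCase(Locale.US)` so the `cn != null` guard in the three-argument overload is reachable. `getCN(String)` also splits the `toString()` form of the subject on every comma without honouring quoting or escaping, so the token it returns is not guaranteed to be the real common-name attribute; parsing `getSubjectX500Principal().getName()` with `javax.naming.ldap.LdapName` and reading the CN RDN would be sturdier, if the target JDK provides it. The CN is still consulted when dNSName entries are present, whereas RFC 2818 allows the CN only when there are none, and `name.toLowerCase()` should take `Locale.US` like the other calls. In `matchesWildCard`, `hostName.substring(prefix.length())` throws StringIndexOutOfBoundsException when the host is shorter than the wildcard prefix, so test `hostName.startsWith(prefix)` before taking the substring.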
++++++ java150_build.patch ++++++
Index: commons-httpclient-3.0.1/build.xml
===================================================================
--- commons-httpclient-3.0.1.orig/build.xml
+++ commons-httpclient-3.0.1/build.xml
@@ -180,6 +180,7 @@
   <target name="compile" depends="static"
           description="Compile shareable components">
     <javac srcdir      ="${source.home}/java"
+      source="1.4" target="1.4"
            destdir     ="${build.home}/classes"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
@@ -187,6 +188,7 @@
       <classpath refid="compile.classpath"/>
     </javac>
     <javac srcdir      ="${source.home}/examples"
+      source="1.4" target="1.4"
            destdir     ="${build.home}/examples"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
@@ -198,6 +200,7 @@
   <target name="compile.tests" depends="compile"
           description="Compile unit test cases">
     <javac srcdir      ="${test.home}"
+      source="1.4" target="1.4"
            destdir     ="${build.home}/tests"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
@@ -240,6 +243,7 @@
     <mkdir dir="${dist.home}/docs"/>
     <mkdir dir="${dist.home}/docs/api"/>
     <javadoc sourcepath   ="${source.home}/java"
+      source="1.4"
              destdir      ="${dist.home}/docs/api"
              packagenames ="org.apache.commons.*"
              author       ="true"