12326 :: DNS SAN matching does not handle wildcards in split patterns that Envoy does #12345
Conversation
| return labelWildcardMatch(certLabels[0], sanLabels[0]); | ||
| } | ||
|
|
||
| private static boolean labelWildcardMatch(String certLabel, String sanLabel) { |
There was a problem hiding this comment.
Rename certLabel to pattern and sanLabel to dnsLabel like in Envoy code, it is more clear that way.
| int starIndex = sanLabel.indexOf('*'); | ||
| String prefix = sanLabel.substring(0, starIndex); | ||
| String suffix = sanLabel.substring(starIndex + 1); | ||
| if (certLabel.length() < prefix.length() + suffix.length()) { |
There was a problem hiding this comment.
This is better said as certLabel.length() <= sanLabel.length() + 1 like in Envoy code. The +1 is for * that stands for 0 or more characters. Combine with below condition in the return statement
|
|
||
| public static boolean verifyDnsNameWildcard( | ||
| String altNameFromCert, String sanToVerify, boolean ignoreCase) { | ||
| if (Strings.isNullOrEmpty(altNameFromCert) || Strings.isNullOrEmpty(sanToVerify)) { |
There was a problem hiding this comment.
We don't need this check since the logic can already handle empty strings, and null won't be passed for sanToVerify here. altNameFromCert wont' be null.
Instead have the trivial check for "*" like Envoy does
| ? sanToVerifySuffix.toLowerCase(Locale.ROOT) | ||
| : sanToVerifySuffix).contains("*")) { | ||
| return verifyDnsNameWildcard(altNameFromCert, sanToVerifySuffix , ignoreCase); | ||
| } |
There was a problem hiding this comment.
Looking at the envoy code here it is not doing wildcard matching for prefix, suffix, and contains and for safe regex it is compiling the pattern as regex. gRPC code is already doing the same for these 3 cases, so only for exact DNS match we need to have the changes for handling split patterns and *.
| @@ -0,0 +1,24 @@ | |||
| -----BEGIN CERTIFICATE----- | |||
| MIID7zCCAtegAwIBAgIUCs5j4C2KXgCRVFa48kc5TYRS1JswDQYJKoZIhvcNAQEL | |||
| BQAwGTEXMBUGA1UEAwwOTXkgSW50ZXJuYWwgQ0EwHhcNMjUwOTA4MTI0NTQyWhcN | |||
There was a problem hiding this comment.
No need to create any new certificate, we can work with
testing/src/main/resources/certs/server0.pem and server1.pem themselves. server0.pem is issued to *.test.google.com.au server1.pem is issued to the names
*.test.google.fr, waterzooi.test.google.be, *.test.youtube.com, IP Address:192.168.1.3
Fixes : #12326