diff --git a/testing/src/main/resources/certs/bad_wildcard_dns_certificate.pem b/testing/src/main/resources/certs/bad_wildcard_dns_certificate.pem
new file mode 100644
index 00000000000..c82ae9b32c6
--- /dev/null
+++ b/testing/src/main/resources/certs/bad_wildcard_dns_certificate.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUCs5j4C2KXgCRVFa48kc5TYRS1JswDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOTXkgSW50ZXJuYWwgQ0EwHhcNMjUwOTA4MTI0NTQyWhcN
+MjYwOTA4MTI0NTQyWjBlMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMx
+EDAOBgNVBAcMB0NoaWNhZ28xFTATBgNVBAoMDEV4YW1wbGUsIENvLjEaMBgGA1UE
+AwwRKi50ZXN0Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCqKnJzYfTFd/Rh+iYwuSlTDejDtSKE8OsByTdCSf5xjcesnCLASvEoCXmE
+UdgRKU+lmW2vn9OCgoXAeGfbYjyEjb1AaZhL++qwLHbXAGcEqRdOquMMR1RORa1+
+pjU/IZOOPJgwQxh1FzQE+oP3v1ZbelNF0crru9d4G2atV+iR9vRRuxCdy1Md+Yer
+BJL05WWd5ujSa+82KKq2If4EZD4oLT8WjXKF6NIFZuCBHXtLGM9u0lsjR+L/6Ntz
+cp0rpTsMeA8BIQTl3pC2+UCRwasDEz8p2jJ3AUCFxfj13rsTfWt80eg0p/oxsINN
+PLUtLZ9hbgLyQwZdKWhMpHTq9qzTAgMBAAGjgeIwgd8wCwYDVR0PBAQDAgXgMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMHsGA1UdEQR0MHKCCioqbHlmdC5jb22CCmx5ZnQq
+Ki5jb22CCmx5KipmdC5jb22CCGx5ZnQuYyptgggqeWZ0LmMqbYIKKi5seWZ0LmNv
+bYIHbCpmdC5jb4IIbHk/dC5jb22CCGxmKnQuY29tggkqbHlmdC5jb22HBMCoAQMw
+HQYDVR0OBBYEFGaC9jswbSvwVM0mH4Fw8d4g43CEMB8GA1UdIwQYMBaAFB5bLRTe
+Vki0qsiYFA8ugQdM9Aa4MA0GCSqGSIb3DQEBCwUAA4IBAQA4KAJD17VZqzS59mKw
+k5mZAmQoY5LbTIusbUuHKvVMJig6bDFwbbeTwcSE492sZQQN/ZP0OlAQGBK/pxl9
+ynrTlh95SqhLgWgVfh//EmVKbMq+tJKlixz7fTgpjMxka4iCzzQtyYUIy3XhrqKY
+B8TBt4M2O52clG/xp/2zMvs4zkjXxuHVSHpMWQV4wGqb+/Rk5oPUCqklOfqQHQcf
+3EqqVVArk0AzG0tHiXiQUNggioMZfL/pqsLqOsnSVKSCg5avy4sVXDoB5YHtBpx2
+VL77nfG49WbSg5yGqrPAzIeAu6+ffhTt0XhegxvaV/F/ZnvSMSI59ntGYfsoEqtc
+O8w2
+-----END CERTIFICATE-----
diff --git a/testing/src/main/resources/certs/wildcard_dns_certificate.pem b/testing/src/main/resources/certs/wildcard_dns_certificate.pem
new file mode 100644
index 00000000000..3c9e62f2b71
--- /dev/null
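Review bot: Both new fixture certificates carry a one-year validity window — the UTCTime fields in the TBSCertificate decode to notBefore 2025-09-08 and notAfter 2026-09-08 — so any code path that reaches validity checking (a full chain validation through the delegate trust manager, or a future test that does) will start failing on that date. The same applies to wildcard_dns_certificate.pem in the next hunk. Since these are test-only leaves issued by the test CA, regenerating them with a multi-year validity and recording the generation command alongside the other fixtures avoids a time bomb in the test suite.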
+++ b/testing/src/main/resources/certs/wildcard_dns_certificate.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIjCCAwqgAwIBAgIUCs5j4C2KXgCRVFa48kc5TYRS1JkwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOTXkgSW50ZXJuYWwgQ0EwHhcNMjUwOTA4MTIzNTI4WhcN
+MjYwOTA4MTIzNTI4WjBlMQswCQYDVQQGEwJVUzERMA8GA1UECAwISWxsaW5vaXMx
+EDAOBgNVBAcMB0NoaWNhZ28xFTATBgNVBAoMDEV4YW1wbGUsIENvLjEaMBgGA1UE
+AwwRKi50ZXN0Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCqKnJzYfTFd/Rh+iYwuSlTDejDtSKE8OsByTdCSf5xjcesnCLASvEoCXmE
+UdgRKU+lmW2vn9OCgoXAeGfbYjyEjb1AaZhL++qwLHbXAGcEqRdOquMMR1RORa1+
+pjU/IZOOPJgwQxh1FzQE+oP3v1ZbelNF0crru9d4G2atV+iR9vRRuxCdy1Md+Yer
+BJL05WWd5ujSa+82KKq2If4EZD4oLT8WjXKF6NIFZuCBHXtLGM9u0lsjR+L/6Ntz
+cp0rpTsMeA8BIQTl3pC2+UCRwasDEz8p2jJ3AUCFxfj13rsTfWt80eg0p/oxsINN
+PLUtLZ9hbgLyQwZdKWhMpHTq9qzTAgMBAAGjggEUMIIBEDALBgNVHQ8EBAMCBeAw
+EwYDVR0lBAwwCgYIKwYBBQUHAwEwgasGA1UdEQSBozCBoIIQKi50ZXN0Lmdvb2ds
+ZS5mcoIYd2F0ZXJ6b29pLnRlc3QuZ29vZ2xlLmJlghIqLnRlc3QueW91dHViZS5j
+b22CCmEubHlmdC5jb22CCmEuTFlGVC5jb22CCWx5ZnQqLmNvbYIJKmx5ZnQuY29t
+gghseWYqLmNvbYIJbHlmdCouY29tgghsKmZ0LmNvbYILdCoubHlmdC5jb22HBMCo
+AQMwHQYDVR0OBBYEFGaC9jswbSvwVM0mH4Fw8d4g43CEMB8GA1UdIwQYMBaAFB5b
+LRTeVki0qsiYFA8ugQdM9Aa4MA0GCSqGSIb3DQEBCwUAA4IBAQC5bu34wiKkck4z
+aejXjh2PtW6YyzJS2eIi2MbRtF27WA7okM6ZYpz/Xf7dYygSitfsVgUyciZkkkf9
+I6Qi7M7cImBVpagB9w1HA6Fm30Flphgs+HhFdOB/VwDL1sU7YI4R88tPugnANeVq
+cxxUbfkZvUxkbwnkgnA+ZoH6Orwjaz1I8I1mTJtZ6IotU42F2iwBBLv6r3xeiOq/
+gwmnPwO8T002OT5m8GyXd6O7cWMRH/Ys0K/hNpLmYWQxa86F3oWJi8RGF/h3ORnz
+w7AAWS0PahXx0tmsaZNTZGOwyTnRL7thiXJajdCwpWWsClfgwhhZaZgUrqKbx3/r
+2wZpTadR
+-----END CERTIFICATE-----
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java b/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java
index 1ecfe378d29..bf80efb77d7
--- a/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java
+++ b/xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java
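Review bot: The SAN list in this fixture is what makes the prefix/suffix tests pass, yet nothing in the change records it: decoding the subjectAltName extension gives `*.test.google.fr`, `waterzooi.test.google.be`, `*.test.youtube.com`, `a.lyft.com`, `a.LYFT.com`, `lyft*.com`, `*lyft.com`, `lyf*.com`, `l*ft.com`, `t*.lyft.com` and an IP entry, and the new matcher compares a `*` inside a certificate SAN as a literal character. A reader of the tests cannot tell whether `.setPrefix("lyft*.com")` is exercising wildcard handling or simply matching the literal `lyft*.com` entry. Add a comment next to the new WILDCARD_DNS_PEM_FILE and BAD_WILDCARD_DNS_PEM_FILE constants in CommonTlsContextTestsUtil listing each fixture's SANs, so the test expectations can be checked without decoding the PEM.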
@@ -114,6 +114,11 @@ private static boolean verifyDnsNamePrefix(
     if (Strings.isNullOrEmpty(sanToVerifyPrefix)) {
       return false;
     }
+    if ((ignoreCase
+        ? sanToVerifyPrefix.toLowerCase(Locale.ROOT)
+        : sanToVerifyPrefix).contains("*")) {
+      return verifyDnsNameWildcard(altNameFromCert, sanToVerifyPrefix , ignoreCase);
+    }
     return ignoreCase
         ? altNameFromCert.toLowerCase(Locale.ROOT).startsWith(
             sanToVerifyPrefix.toLowerCase(Locale.ROOT))
@@ -125,6 +130,11 @@ private static boolean verifyDnsNameSuffix(
     if (Strings.isNullOrEmpty(sanToVerifySuffix)) {
       return false;
     }
+    if ((ignoreCase
+        ? sanToVerifySuffix.toLowerCase(Locale.ROOT)
+        : sanToVerifySuffix).contains("*")) {
+      return verifyDnsNameWildcard(altNameFromCert, sanToVerifySuffix , ignoreCase);
+    }
     return ignoreCase
         ? altNameFromCert.toLowerCase(Locale.ROOT).endsWith(
             sanToVerifySuffix.toLowerCase(Locale.ROOT))
@@ -136,6 +146,11 @@ private static boolean verifyDnsNameContains(
     if (Strings.isNullOrEmpty(sanToVerifySubstring)) {
       return false;
     }
+    if ((ignoreCase
+        ? sanToVerifySubstring.toLowerCase(Locale.ROOT)
+        : sanToVerifySubstring).contains("*")) {
+      return verifyDnsNameWildcard(altNameFromCert, sanToVerifySubstring , ignoreCase);
+    }
     return ignoreCase
         ? altNameFromCert.toLowerCase(Locale.ROOT).contains(
             sanToVerifySubstring.toLowerCase(Locale.ROOT))
@@ -147,6 +162,11 @@ private static boolean verifyDnsNameExact(
     if (Strings.isNullOrEmpty(sanToVerifyExact)) {
       return false;
     }
+    if ((ignoreCase
+        ? sanToVerifyExact.toLowerCase(Locale.ROOT)
+        : sanToVerifyExact).contains("*")) {
+      return verifyDnsNameWildcard(altNameFromCert, sanToVerifyExact , ignoreCase);
+    }
     return ignoreCase
         ? sanToVerifyExact.equalsIgnoreCase(altNameFromCert)
         : sanToVerifyExact.equals(altNameFromCert);
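Review bot: In all four hunks (verifyDnsNamePrefix, verifyDnsNameSuffix, verifyDnsNameContains, verifyDnsNameExact) the wildcard branch keys off a `*` in the configured matcher value, not in the certificate's SAN, and then delegates to a whole-name, equal-label-count match, so a prefix/suffix/contains matcher that contains `*` silently stops being a prefix/suffix/contains match. If that is the intended contract it needs saying at the call site, e.g. `// A '*' in the configured value switches to whole-name wildcard matching; prefix/suffix/contains semantics no longer apply.`; if the intent was RFC 6125-style matching of a wildcard SAN presented by the certificate against a configured exact name, the arguments are in the wrong order, and I believe Envoy and the other gRPC implementations treat the certificate side as the pattern — worth confirming against the gRFC before this ships. Lower-casing before `.contains("*")` is a no-op since `*` has no case, so `if (sanToVerifyPrefix.contains("*")) {` is sufficient in each hunk. The stray space in `sanToVerifyPrefix , ignoreCase` (repeated in the other three) will likely be flagged by checkstyle.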
@@ -303,4 +323,38 @@ public X509Certificate[] getAcceptedIssuers() {
     }
     return delegate.getAcceptedIssuers();
   }
+
+  public static boolean verifyDnsNameWildcard(
+      String altNameFromCert, String sanToVerify, boolean ignoreCase) {
+    if (Strings.isNullOrEmpty(altNameFromCert) || Strings.isNullOrEmpty(sanToVerify)) {
+      return false;
+    }
+    String[] certLabels = (ignoreCase ? altNameFromCert.toLowerCase(Locale.ROOT) : altNameFromCert)
+        .split("\\.", -1);
+    String[] sanLabels = (ignoreCase ? sanToVerify.toLowerCase(Locale.ROOT) : sanToVerify)
+        .split("\\.", -1);
+    if (certLabels.length != sanLabels.length) {
+      return false;
+    }
+    if ((int) sanLabels[0].chars().filter(ch -> ch == '*').count() != 1
+        || sanLabels[0].startsWith("xn--")) {
+      return false;
+    }
+    for (int i = 1; i < sanLabels.length; i++) {
+      if (!sanLabels[i].equals(certLabels[i])) {
+        return false;
+      }
+    }
+    return labelWildcardMatch(certLabels[0], sanLabels[0]);
+  }
+
+  private static boolean labelWildcardMatch(String certLabel, String sanLabel) {
+    int starIndex = sanLabel.indexOf('*');
+    String prefix = sanLabel.substring(0, starIndex);
+    String suffix = sanLabel.substring(starIndex + 1);
+    if (certLabel.length() < prefix.length() + suffix.length()) {
+      return false;
+    }
+    return certLabel.startsWith(prefix) && certLabel.endsWith(suffix);
+  }
 }
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
index 48814dece1d..c133ab04002
--- a/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java
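Review bot: `verifyDnsNameWildcard` accepts an empty leftmost label in the certificate name: `.lyft.com` against `*.lyft.com` splits into the same number of labels, the non-leading labels match, and `labelWildcardMatch("", "*")` returns true because an empty prefix and suffix trivially match an empty label; empty labels in other positions also compare equal to each other through `equals`. Add `if (certLabels[i].isEmpty()) { return false; }` inside the loop and `if (certLabels[0].isEmpty()) { return false; }` before the final call, since a DNS name never has an empty label and the matcher should not rely on the issuing CA having rejected one. The method is `public static` only so the test can reach it; package-private with `@VisibleForTesting` (Guava is already in use here via `Strings`) keeps it off the public surface, and it needs a Javadoc stating the contract the code enforces — exactly one `*`, in the leftmost label of the configured value only, not in an `xn--` label, equal label count, and `*` allowed to match zero characters. The `(int)` cast on `count()` is unnecessary; `sanLabels[0].chars().filter(ch -> ch == '*').count() != 1` compares fine as a long.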
@@ -60,6 +60,8 @@ public class CommonTlsContextTestsUtil {
   public static final String BAD_SERVER_KEY_FILE = "badserver.key";
   public static final String BAD_CLIENT_PEM_FILE = "badclient.pem";
   public static final String BAD_CLIENT_KEY_FILE = "badclient.key";
+  public static final String WILDCARD_DNS_PEM_FILE = "wildcard_dns_certificate.pem";
+  public static final String BAD_WILDCARD_DNS_PEM_FILE = "bad_wildcard_dns_certificate.pem";
 
   /** takes additional values and creates CombinedCertificateValidationContext as needed. */
   private static CommonTlsContext buildCommonTlsContextWithAdditionalValues(
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java b/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java
index 6fa3d2e7d24..0ea133bcb28
--- a/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java
@@ -18,11 +18,16 @@
 
 import static com.google.common.truth.Truth.assertThat;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.BAD_SERVER_PEM_FILE;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.BAD_WILDCARD_DNS_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_SPIFFE_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_SPIFFE_PEM_FILE;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.WILDCARD_DNS_PEM_FILE;
+import static io.grpc.xds.internal.security.trust.XdsX509TrustManager.verifyDnsNameWildcard;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.Mockito.CALLS_REAL_METHODS;
 import static org.mockito.Mockito.doReturn;
@@ -691,6 +696,292 @@ public void unsupportedAltNameType() throws CertificateException, IOException {
     }
   }
 
+  @Test
+  public void testVerifyDnsNameExact_succeedsForValidWildcardSanNames()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("*.lyft.com")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNameExact_succeedsForValidWildcardSanNames_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("*.LYFT.COM")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNameExact_failsForInvalidWildcard_SanNames()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("lyft.com")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(BAD_WILDCARD_DNS_PEM_FILE));
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      fail("no exception thrown");
+    } catch (CertificateException expected) {
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
+  @Test
+  public void testVerifyDnsNameExact_failsForInvalidWildcardSanNames_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("LYFT.COM")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(BAD_WILDCARD_DNS_PEM_FILE));
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      fail("no exception thrown");
+    } catch (CertificateException expected) {
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
+  @Test
+  public void testVerifyDnsNameExact_failsForExtraLabel() throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("test.lyft.com.extra")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(BAD_WILDCARD_DNS_PEM_FILE));
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      fail("no exception thrown");
+    } catch (CertificateException expected) {
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
+  @Test
+  public void testVerifyDnsNameExact_failsForExtraLabel_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("TEST.LYFT.COM.EXTRA")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(BAD_WILDCARD_DNS_PEM_FILE));
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      fail("no exception thrown");
+    } catch (CertificateException expected) {
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
+  @Test
+  public void testVerifyDnsNameSuffix_succeedsForValidWildcardSanNames_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setSuffix("*LYFT.COM")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNameSuffix_succeedsForValidWildcardSanNames()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setSuffix("*lyft.com")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNamePrefix_succeedsForValidWildcardSanNames_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setPrefix("LYFT*.COM")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNamePrefix_succeedsForValidWildcardSanNames()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setPrefix("lyft*.com")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNameContains_succeedsForValidWildcardSanNames_ignoreCase()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setContains("zooI.Test.Google")
+            .setIgnoreCase(true)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void testVerifyDnsNameContains_succeedsForValidWildcardSanNames()
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setContains("zooi.test.google")
+            .setIgnoreCase(false)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(WILDCARD_DNS_PEM_FILE));
+    System.out.println(Arrays.toString(certs));
+    trustManager.verifySubjectAltNameInChain(certs);
+  }
+
+  @Test
+  public void verifyDnsNameWildcard_codeCoverage() {
+    assertTrue(verifyDnsNameWildcard("a.lyft.com", "*.lyft.com" , true));
+    assertTrue(verifyDnsNameWildcard("a.LYFT.com", "*.lyft.COM" , true));
+    assertTrue(verifyDnsNameWildcard("lyft.com", "*yft.com" , true));
+    assertTrue(verifyDnsNameWildcard("lyft.com", "*lyft.com" , true));
+    assertTrue(verifyDnsNameWildcard("lyft.com", "lyf*.com" , true));
+    assertTrue(verifyDnsNameWildcard("lyft.com", "lyft*.com" , true));
+    assertTrue(verifyDnsNameWildcard("lyft.com", "l*ft.com" , true));
+    assertTrue(verifyDnsNameWildcard("t.lyft.com", "t*.lyft.com" , true));
+    assertTrue(verifyDnsNameWildcard("test.lyft.com", "t*.lyft.com" , true));
+    assertTrue(verifyDnsNameWildcard("l-lots-of-stuff-ft.com", "l*ft.com" , true));
+    assertFalse(verifyDnsNameWildcard("t.lyft.com", "t*t.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "l*ft.co", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "ly?t.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "lf*t.com", true));
+    assertFalse(verifyDnsNameWildcard(".lyft.com", "*lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "**lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "lyft**.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "ly**ft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "lyft.c*m", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "*yft.c*m", true));
+    assertFalse(verifyDnsNameWildcard("test.lyft.com.extra", "*.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("a.b.lyft.com", "*.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("foo.test.com", "*.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "*.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("alyft.com", "*.lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("", "*lyft.com", true));
+    assertFalse(verifyDnsNameWildcard("lyft.com", "", true));
+    assertFalse(verifyDnsNameWildcard("xn--lyft.com", "*.xn--lyft.com", true));
+  }
+
   private TestSslEngine buildTrustManagerAndGetSslEngine()
       throws CertificateException, IOException, CertStoreException {
     SSLParameters sslParams = buildTrustManagerAndGetSslParameters();
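Review bot: The `fails...` cases in this hunk (`testVerifyDnsNameExact_failsForInvalidWildcard_SanNames`, its `_ignoreCase` twin, and both `failsForExtraLabel` variants) configure matchers without a `*` (`lyft.com`, `test.lyft.com.extra`), so they never reach `verifyDnsNameWildcard` and would pass unchanged before this commit; the two `Contains` cases likewise use plain substrings (`zooi.test.google`) and exercise only the pre-existing path. To cover rejection through the trust manager, use matchers that do contain a `*` and match no SAN in the fixture, e.g. `.setExact("*.lyft.com.extra")` or `.setExact("**.lyft.com")`. The `System.out.println(Arrays.toString(certs))` lines in seven of the new tests are leftover debugging and should be removed (along with the `java.util.Arrays` import if nothing else in the file uses it). Naming is inconsistent: `failsForInvalidWildcard_SanNames` has an extra underscore relative to its siblings, and `verifyDnsNameWildcard_codeCoverage` says nothing about what it asserts — something like `verifyDnsNameWildcard_labelRules` fits the file's pattern better.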