Decode Subject Alternative Names (SAN) for X.509 Certificates by arturobernalg · Pull Request #610 · apache/httpcomponents-client

arturobernalg · 2025-01-16T21:02:06Z

This implementation adds decoding for Subject Alternative Names in X.509 certificates, including:

DNS names handled as plain text.
IP addresses decoded from binary (IPv4 and IPv6 supported).
Fallback to hexadecimal encoding for non-standard or unknown types.

ok2c · 2025-01-18T20:55:24Z

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

                            result.add(new SubjectName((String) o, type));
                        } else if (o instanceof byte[]) {
-                            // TODO ASN.1 DER encoded form
+                            final byte[] bytes = (byte[]) o;


@arturobernalg We have got to be super careful here as this method has security implications. It is better to be too strict and too lax here. I trust you know what you are doing.

@arturobernalg We have got to be super careful here as this method has security implications. It is better to be too strict and too lax here. I trust you know what you are doing.

@ok2c I've ensured strict validation in the updated method: DNS names now reject unexpected byte[], IP addresses only allow 4 or 16 bytes with exceptions for invalid lengths, and unrecognized types log warnings while falling back.

ok2c · 2025-01-20T09:52:26Z

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

+                                    throw new IllegalArgumentException("Invalid byte length for IP address: " + bytes.length);
+                                }
+                            } else if (type == SubjectName.DNS) {
+                                throw new IllegalArgumentException("Unexpected byte[] for DNS SAN type");


@arturobernalg IllegalArgumentException looks really wrong here. Can we just ignore those bits that we are not able to properly recognize and handle?

ok2c · 2025-01-20T09:55:10Z

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/DefaultHostnameVerifier.java

+                                if (LOG.isWarnEnabled()) {
+                                    LOG.warn("Unrecognized SAN type: {}, data: {}", type, TextUtils.toHexString(bytes));
+                                }
+                                decodedValue = TextUtils.toHexString(bytes); // Fallback to hex string


@arturobernalg I would not do that. Before you know there will be so called security professionals with all sorts of hand-crafted certificates, claiming vulnerabilities in our code and demanding we issue CVE with them as a finder.

@ok2c please take another look

Supports DNS names as plain text, IPv4 and IPv6 addresses in binary form, and falls back to hex encoding for unknown types.

leonardehrenfried · 2025-03-28T13:54:19Z

Has this change made into 5.4.3?

I upgrade to that version yesterday and I'm seeing the following exception which seems related:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <s3.amazonaws.com> doesn't match any of the subject alternative names: [s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, s3-control.us-east-1.amazonaws.com, *.s3-control.dualstack.us-east-1.amazonaws.com, s3-control.dualstack.us-east-1.amazonaws.com, *.s3-accesspoint.us-east-1.amazonaws.com, *.s3-accesspoint.dualstack.us-east-1.amazonaws.com, *.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
	at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
	at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
	at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
	at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
	at org.opentripplanner.framework.io.OtpHttpClient.executeAndMapWithResponseHandler(OtpHttpClient.java:302)
	... 14 common frames omitted

When I downgrade to 5.4.2 the request succeeds.

The URL that fails is the following: https://s3.amazonaws.com/kcm-alerts-realtime-prod/vehiclepositions.pb

arturobernalg · 2025-03-28T16:18:24Z

Has this change made into 5.4.3?

I upgrade to that version yesterday and I'm seeing the following exception which seems related:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <s3.amazonaws.com> doesn't match any of the subject alternative names: [s3.amazonaws.com, *.s3.amazonaws.com, *.s3.dualstack.us-east-1.amazonaws.com, s3.dualstack.us-east-1.amazonaws.com, *.s3.us-east-1.amazonaws.com, s3.us-east-1.amazonaws.com, *.s3-control.us-east-1.amazonaws.com, s3-control.us-east-1.amazonaws.com, *.s3-control.dualstack.us-east-1.amazonaws.com, s3-control.dualstack.us-east-1.amazonaws.com, *.s3-accesspoint.us-east-1.amazonaws.com, *.s3-accesspoint.dualstack.us-east-1.amazonaws.com, *.s3-deprecated.us-east-1.amazonaws.com, s3-deprecated.us-east-1.amazonaws.com, s3-external-1.amazonaws.com, *.s3-external-1.amazonaws.com, s3-external-2.amazonaws.com, *.s3-external-2.amazonaws.com]
	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:172)
	at org.apache.hc.client5.http.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:130)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:316)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.verifySession(AbstractClientTlsStrategy.java:194)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:253)
	at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.upgrade(AbstractClientTlsStrategy.java:210)
	at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48)
	at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:231)
	at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:490)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:164)
	at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:174)
	at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:144)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:150)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
	at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:183)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
	at org.opentripplanner.framework.io.OtpHttpClient.executeAndMapWithResponseHandler(OtpHttpClient.java:302)
	... 14 common frames omitted

When I downgrade to 5.4.2 the request succeeds.

The URL that fails is the following: https://s3.amazonaws.com/kcm-alerts-realtime-prod/vehiclepositions.pb

This failure isn't caused by SAN parsing. The old code ignored byte[] SANs entirely, including iPAddress (type 7), which per RFC 5280 must be stored as an OCTET STRING in network byte order.

ok2c · 2025-03-28T17:35:27Z

@leonardehrenfried This PR is completely unrelated to your problem. The cause of it is a regression introduced by #566.

Feel free to raise a JIRA for the regression https://issues.apache.org/jira/browse/HTTPCLIENT

leonardehrenfried · 2025-03-28T18:21:40Z

Thanks for looking into it. I will create a Jira user and a ticket.

ok2c approved these changes Jan 18, 2025

View reviewed changes

arturobernalg force-pushed the asn branch from b94248c to dde9c05 Compare January 19, 2025 13:37

arturobernalg requested a review from ok2c January 19, 2025 13:40

ok2c requested changes Jan 20, 2025

View reviewed changes

arturobernalg force-pushed the asn branch from b8feebd to 41fb510 Compare January 20, 2025 10:07

Decode Subject Alternative Names for IP, DNS, and binary data

aa602a1

Supports DNS names as plain text, IPv4 and IPv6 addresses in binary form, and falls back to hex encoding for unknown types.

arturobernalg force-pushed the asn branch from becce57 to aa602a1 Compare January 20, 2025 10:11

ok2c approved these changes Jan 20, 2025

View reviewed changes

arturobernalg merged commit ed9594a into apache:master Jan 20, 2025
10 checks passed

leonardehrenfried mentioned this pull request Mar 28, 2025

Upgrade of apache HTTP client breaks AWS downloads opentripplanner/OpenTripPlanner#6582

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Decode Subject Alternative Names (SAN) for X.509 Certificates#610

Decode Subject Alternative Names (SAN) for X.509 Certificates#610
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:asn

arturobernalg commented Jan 16, 2025

Uh oh!

ok2c Jan 18, 2025

Uh oh!

arturobernalg Jan 19, 2025

Uh oh!

ok2c Jan 20, 2025

Uh oh!

ok2c Jan 20, 2025

Uh oh!

arturobernalg Jan 20, 2025

Uh oh!

Uh oh!

leonardehrenfried commented Mar 28, 2025

Uh oh!

arturobernalg commented Mar 28, 2025

Uh oh!

ok2c commented Mar 28, 2025

Uh oh!

leonardehrenfried commented Mar 28, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

arturobernalg commented Jan 16, 2025

Uh oh!

ok2c Jan 18, 2025

Choose a reason for hiding this comment

Uh oh!

arturobernalg Jan 19, 2025

Choose a reason for hiding this comment

Uh oh!

ok2c Jan 20, 2025

Choose a reason for hiding this comment

Uh oh!

ok2c Jan 20, 2025

Choose a reason for hiding this comment

Uh oh!

arturobernalg Jan 20, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

leonardehrenfried commented Mar 28, 2025

Uh oh!

arturobernalg commented Mar 28, 2025

Uh oh!

ok2c commented Mar 28, 2025

Uh oh!

leonardehrenfried commented Mar 28, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants