Poco::Net::X509Certificate::verify() no longer uses DNS reverse lookups to validate host names

2025-02-20 22:31:23 +01:00 · 2014-04-09 16:36:14 +02:00 · 2014-04-09 16:36:14 +02:00 · 436737171d
commit 436737171d
parent b1bdf7f34c
2 changed files with 11 additions and 36 deletions
--- a/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/X509Certificate.h
@ -108,7 +108,7 @@ public:
 		
 protected:
 	static bool containsWildcards(const std::string& commonName);
-	static bool matchByAlias(const std::string& alias, const std::string& hostName);
+	static bool matchWildcard(const std::string& alias, const std::string& hostName);
 	
 private:
 	enum
--- a/NetSSL_OpenSSL/src/X509Certificate.cpp
+++ b/NetSSL_OpenSSL/src/X509Certificate.cpp
@ -120,7 +120,7 @@ bool X509Certificate::verify(const Poco::Crypto::X509Certificate& certificate, c
 				{
 					// a compare by IPAddress is not possible with wildcards
 					// only allow compare by name
-					ok = matchByAlias(*it, hostName);
+					ok = matchWildcard(*it, hostName);
 				}
 				else
 				{
@ -138,11 +138,6 @@ bool X509Certificate::verify(const Poco::Crypto::X509Certificate& certificate, c
 							ok = (*it == ip);
 						}
 					}
-					else
-					{
-						// compare by name
-						ok = matchByAlias(*it, hostName);
-					}
 				}
 			}
 			catch (HostNotFoundException&)
@ -160,37 +155,17 @@ bool X509Certificate::containsWildcards(const std::string& commonName)
 }


-bool X509Certificate::matchByAlias(const std::string& alias, const std::string& hostName)
+bool X509Certificate::matchWildcard(const std::string& wildcard, const std::string& hostName)
 {
-	const HostEntry& heData = DNS::resolve(hostName);
 	// fix wildcards
-	std::string aliasRep = Poco::replace(alias, ".", "\\.");
-	Poco::replaceInPlace(aliasRep, "*", ".*");
-	Poco::replaceInPlace(aliasRep, "..*", ".*");
-	Poco::replaceInPlace(aliasRep, "?", ".?");
-	Poco::replaceInPlace(aliasRep, "..?", ".?");
-	// compare by name
-	Poco::RegularExpression expr(aliasRep);
-	bool found = false;
-	const HostEntry::AliasList& aliases = heData.aliases();
-	HostEntry::AliasList::const_iterator it = aliases.begin();
-	HostEntry::AliasList::const_iterator itEnd = aliases.end();
-	for (; it != itEnd && !found; ++it)
-	{
-		found = expr.match(*it);
-	}
-	// Handle the case where the list of aliases is empty.
-	if (!found)
-	{
-		// Compare the resolved host name against the wildcard host name in the certificate.
-		found = expr.match(heData.name());
-	}
-	if (!found)
-	{
-		// Compare the original host name against the wildcard host name in the certificate.
-		found = expr.match(hostName);
-	}
-	return found;
+	std::string wildcardExpr = Poco::replace(wildcard, ".", "\\.");
+	Poco::replaceInPlace(wildcardExpr, "*", ".*");
+	Poco::replaceInPlace(wildcardExpr, "..*", ".*");
+	Poco::replaceInPlace(wildcardExpr, "?", ".?");
+	Poco::replaceInPlace(wildcardExpr, "..?", ".?");
+
+	Poco::RegularExpression expr(wildcardExpr);
+	return expr.match(hostName);
 }