xds: ignore unknown SAN name type instead of throwing exception (#8183)

2021-05-19 11:48:11 -07:00 · 2021-05-19 11:48:11 -07:00 · 869b395ec0
parent 465c932b41
commit 869b395ec0
2 changed files with 28 additions and 3 deletions
--- a/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
+++ b/xds/src/main/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManager.java
@ -151,14 +151,13 @@ final class SdsX509TrustManager extends X509ExtendedTrustManager implements X509
    if (altNameType == null) {
      throw new CertificateParsingException("Invalid SAN entry: null altNameType");
    }
-    String altNameFromCert = (String) entry.get(1);
    switch (altNameType) {
      case ALT_DNS_NAME:
      case ALT_URI_NAME:
      case ALT_IPA_NAME:
-        return verifyDnsNameInSanList(altNameFromCert, verifySanList);
+        return verifyDnsNameInSanList((String) entry.get(1), verifySanList);
      default:
-        throw new CertificateParsingException("Unsupported altNameType: " + altNameType);
+        return false;
    }
  }

--- a/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/sds/trust/SdsX509TrustManagerTest.java
@ -29,6 +29,7 @@ import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;

+import com.google.common.collect.ImmutableList;
 import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
 import io.envoyproxy.envoy.type.matcher.v3.RegexMatcher;
 import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
@ -37,6 +38,8 @@ import java.io.IOException;
 import java.security.cert.CertStoreException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
@ -551,6 +554,29 @@ public class SdsX509TrustManagerTest {
    verify(sslSocket, times(1)).getHandshakeSession();
  }

+  @Test
+  public void unsupportedAltNameType() throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact("waterzooi.test.google.be")
+            .setIgnoreCase(false)
+            .build();
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder().addMatchSubjectAltNames(stringMatcher).build();
+    trustManager = new SdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate mockCert = mock(X509Certificate.class);
+
+    when(mockCert.getSubjectAlternativeNames())
+        .thenReturn(Collections.<List<?>>singleton(ImmutableList.of(Integer.valueOf(1), "foo")));
+    X509Certificate[] certs = new X509Certificate[] {mockCert};
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      fail("no exception thrown");
+    } catch (CertificateException expected) {
+      assertThat(expected).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
  private TestSslEngine buildTrustManagerAndGetSslEngine()
      throws CertificateException, IOException, CertStoreException {
    SSLParameters sslParams = buildTrustManagerAndGetSslParameters();