12326 :: DNS SAN matching does not handle wildcards in split patterns that Envoy does

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -147,6 +147,9 @@ private static boolean verifyDnsNameExact(
     if (Strings.isNullOrEmpty(sanToVerifyExact)) {
       return false;
     }
+    if (sanToVerifyExact.contains("*")) {
+      return verifyDnsNameWildcard(altNameFromCert, sanToVerifyExact, ignoreCase);
+    }
     return ignoreCase
         ? sanToVerifyExact.equalsIgnoreCase(altNameFromCert)
         : sanToVerifyExact.equals(altNameFromCert);
@@ -303,4 +306,47 @@ public X509Certificate[] getAcceptedIssuers() {
     }
     return delegate.getAcceptedIssuers();
   }
+
+  private static boolean verifyDnsNameWildcard(
+      String altNameFromCert, String sanToVerify, boolean ignoreCase) {
+    String[] splitPattern = splitAtFirstDelimiter(ignoreCase
+        ? sanToVerify.toLowerCase(Locale.ROOT) : sanToVerify);
+    String[] splitDnsName = splitAtFirstDelimiter(ignoreCase
+        ? altNameFromCert.toLowerCase(Locale.ROOT) : altNameFromCert);
+    if (splitPattern == null || splitDnsName == null
+        || splitPattern.length < 2 || splitDnsName.length < 2) {
+      return false;
+    }
+    if (splitPattern[0].contains("*")
+        && !splitPattern[1].contains("*")
+        && !splitPattern[0].startsWith("xn--")) {
+      return splitDnsName[1].equals(splitPattern[1])
+          && labelWildcardMatch(splitDnsName[0], splitPattern[0]);
+    }
+    return false;
+  }
+
+  private static boolean labelWildcardMatch(String dnsLabel, String pattern) {
+    final char glob = '*';
+    // Check the special case of a single * pattern, as it's common.
+    if (pattern.equals("*")) {
+      return true;
+    }
+    int globIndex = pattern.indexOf(glob);
+    if (pattern.indexOf(glob, globIndex + 1) == -1) {
+      return dnsLabel.length() >= pattern.length() - 1
+          && dnsLabel.startsWith(pattern.substring(0, globIndex))
+          && dnsLabel.endsWith(pattern.substring(globIndex + 1));
+    }
+    return false;
+  }
+
+  @Nullable
+  private static String[] splitAtFirstDelimiter(String s) {
+    int index = s.indexOf('.');
+    if (index == -1) {
+      return null;
+    }
+    return new String[]{s.substring(0, index), s.substring(index + 1)};
+  }
 }

xds/src/test/java/io/grpc/xds/internal/security/trust/XdsX509TrustManagerTest.java

@@ -21,8 +21,10 @@
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CA_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.CLIENT_SPIFFE_PEM_FILE;
+import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_0_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_SPIFFE_PEM_FILE;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 import static org.mockito.Mockito.CALLS_REAL_METHODS;
 import static org.mockito.Mockito.doReturn;
@@ -691,6 +693,42 @@ public void unsupportedAltNameType() throws CertificateException, IOException {
     }
   }
 
+  private void runDnsWildcardTest(
+      String sanPattern, String certFile, boolean ignoreCase, boolean expected)
+      throws CertificateException, IOException {
+    StringMatcher stringMatcher =
+        StringMatcher.newBuilder()
+            .setExact(sanPattern)
+            .setIgnoreCase(ignoreCase)
+            .build();
+    @SuppressWarnings("deprecation")
+    CertificateValidationContext certContext =
+        CertificateValidationContext.newBuilder()
+            .addMatchSubjectAltNames(stringMatcher)
+            .build();
+    trustManager = new XdsX509TrustManager(certContext, mockDelegate);
+    X509Certificate[] certs =
+        CertificateUtils.toX509Certificates(TlsTesting.loadCert(certFile));
+    try {
+      trustManager.verifySubjectAltNameInChain(certs);
+      assertTrue(expected);
+    } catch (CertificateException certException) {
+      assertThat(certException).hasMessageThat().isEqualTo("Peer certificate SAN check failed");
+    }
+  }
+
+  @Test
+  public void testDnsWildcardPatterns() throws Exception {
+    runDnsWildcardTest("*.test.google.fr", SERVER_1_PEM_FILE, false, true);
+    runDnsWildcardTest("*.test.youtube.com", SERVER_1_PEM_FILE, false, true);
+    runDnsWildcardTest("waterzooi.test.google.be", SERVER_1_PEM_FILE, false, true);
+    runDnsWildcardTest("192.168.1.3", SERVER_1_PEM_FILE, false, true);
+    runDnsWildcardTest("*.TEST.YOUTUBE.com", SERVER_1_PEM_FILE, true, true);
+    runDnsWildcardTest("*.test.google.com.au", SERVER_0_PEM_FILE, false, true);
+    runDnsWildcardTest("*.TEST.YOUTUBE.com", SERVER_1_PEM_FILE, false, false);
+    runDnsWildcardTest("*waterzooi", SERVER_1_PEM_FILE, false, false);
+  }
+
   private TestSslEngine buildTrustManagerAndGetSslEngine()
       throws CertificateException, IOException, CertStoreException {
     SSLParameters sslParams = buildTrustManagerAndGetSslParameters();