-// Copyright (C) 2001 Adam Megacz <adam@xwt.org> all rights reserved.
+// Copyright (C) 2002 Adam Megacz <adam@xwt.org> all rights reserved.
//
// You may modify, copy, and redistribute this code under the terms of
// the GNU Library Public License version 2.1, with the exception of
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.bouncycastle.asn1.x509.X509Name;
+import org.bouncycastle.asn1.x509.X509Extensions;
+import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.asn1.x509.BasicConstraints;
import org.xwt.util.Log;
import java.net.*;
import java.io.*;
1.02 27-Mar-02 Fixed a bug which would hang the connection when more than one
Handshake message appeared in the same TLS Record
+ 1.03 10-Aug-02 Fixed a vulnerability outlined at
+ http://online.securityfocus.com/archive/1/286290
+
*/
public class TinySSL extends Socket {
public static void main(String[] args) {
Log.on = true;
try {
- Socket s = new TinySSL("www.verisign.com", 443);
+ Socket s = new TinySSL("www.paypal.com", 443);
PrintWriter pw = new PrintWriter(s.getOutputStream());
BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream()));
pw.println("GET / HTTP/1.0");
while(true) {
String s2 = br.readLine();
if (s2 == null) return;
- System.out.println(s2);
+ Log.log(TinySSL.class, s2);
}
} catch (Exception e) {
Log.log(this, "server cert (name, validity dates) checks out okay");
- } else if (!isSignedBy(last_cert, this_cert.getSubjectPublicKeyInfo()))
- throw new SSLException("the server sent a broken chain of certificates");
+ } else {
+
+ // don't check the top cert since some very old root certs lack a BasicConstraints field.
+ if (certlen + 3 + i < numcertbytes) {
+ // defend against Mike Benham's attack
+ X509Extension basicConstraints = this_cert.getTBSCertificate().getExtensions().getExtension(X509Extensions.BasicConstraints);
+ if (basicConstraints == null) throw new SSLException("certificate did not contain a basic constraints block");
+ DERInputStream dis = new DERInputStream(new ByteArrayInputStream(basicConstraints.getValue().getOctets()));
+ BasicConstraints bc = new BasicConstraints((DERConstructedSequence)dis.readObject());
+ if (!bc.isCA()) throw new SSLException("non-CA certificate used for signing");
+ }
+
+ if (!isSignedBy(last_cert, this_cert.getSubjectPublicKeyInfo()))
+ throw new SSLException("the server sent a broken chain of certificates");
+ }
last_cert = this_cert;
i += certlen + 3;
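Review bot: The guard `certlen + 3 + i < numcertbytes` exempts whichever certificate happens to be last in the server's message, not a certificate known to be a trusted root, so when the server omits the root the final intermediate is used to verify `last_cert` with no CA check at all. Unless code outside this hunk (the enclosing loop starts and ends beyond it) requires that last certificate to match a trust-store entry exactly, the exemption should be keyed on trust-store membership rather than on position in the message. Separately, `getExtensions()` presumably returns null for a certificate that carries no extensions block, which would surface as a NullPointerException instead of the intended SSLException; a guard such as `if (exts == null) throw new SSLException("certificate did not contain a basic constraints block");` before calling `getExtension(...)` keeps the rejection explicit. The check also stops at `isCA()`; the path-length constraint and the key-usage extension are not consulted.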