Set subjectAlternativeName on SSL cert if CN=IPAddress (issue-170)
authorJames Moger <james.moger@gitblit.com>
Mon, 3 Dec 2012 22:03:31 +0000 (17:03 -0500)
committerJames Moger <james.moger@gitblit.com>
Mon, 3 Dec 2012 22:03:31 +0000 (17:03 -0500)
docs/04_releases.mkd
src/com/gitblit/utils/HttpUtils.java
src/com/gitblit/utils/X509Utils.java

index bf57d118fad656c883d1eb59020aab10fcf2db88..2f35182273f759db929ba935412971ec6e1811e7 100644 (file)
@@ -12,6 +12,7 @@ The permissions model has changed in this release.
 \r
 #### fixes\r
 \r
+- Set subjectAlternativeName on generated SSL cert if CN is an ip address (issue 170)\r
 - Fixed incorrect links on history page for files not in the current/active commit (issue 166)\r
 - Empty repository page failed to handle missing repository (issue 160)\r
 - Fixed broken ticgit urls (issue 157)\r
index b40088c86ca6a3ff1fcb542c9ee34309bb83e69e..56c8bd203bff0e88420d2164f5af9a830eedd44b 100644 (file)
@@ -178,4 +178,26 @@ public class HttpUtils {
                }\r
                return null;\r
        }\r
+       \r
+       public static boolean isIpAddress(String address) {\r
+               if (StringUtils.isEmpty(address)) {\r
+                       return false;\r
+               }\r
+               String [] fields = address.split("\\.");\r
+               if (fields.length == 4) {\r
+                       // IPV4\r
+                       for (String field : fields) {\r
+                               try {\r
+                                       int value = Integer.parseInt(field);\r
+                                       if (value < 0 || value > 255) {\r
+                                               return false;\r
+                                       }\r
+                               } catch (Exception e) {\r
+                                       return false;\r
+                               }\r
+                       }\r
+               }\r
+               // TODO IPV6?\r
+               return false;\r
+       }\r
 }\r
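Review bot: isIpAddress never returns true: when the four-field loop finishes without rejecting a field, control falls through to the trailing `return false;`, so every dotted-quad is reported as "not an IP address" and the subjectAlternativeName logic this commit adds in X509Utils is never reached. Add `return true;` directly after the `for` loop inside the `fields.length == 4` branch, keeping the final `return false;` for non-IPv4 input. Narrowing `catch (Exception e)` to `NumberFormatException` would avoid masking unrelated errors, and since `Integer.parseInt` accepts a leading `+` on Java 7 and later, a strict dotted-quad check would also require each field to consist of one to three digits.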
index cfad9ec0be06e6a73fd5979aa6907c9840c9a181..237c8dad7aed97975889d692d07143a6c3a60377 100644 (file)
@@ -46,11 +46,13 @@ import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;\r
 import java.text.MessageFormat;\r
 import java.text.SimpleDateFormat;\r
+import java.util.ArrayList;\r
 import java.util.Arrays;\r
 import java.util.Calendar;\r
 import java.util.Date;\r
 import java.util.HashMap;\r
 import java.util.HashSet;\r
+import java.util.List;\r
 import java.util.Map;\r
 import java.util.Set;\r
 import java.util.TimeZone;\r
@@ -556,6 +558,16 @@ public class X509Utils {
                        certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));\r
                        certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));\r
 \r
+                       // support alternateSubjectNames for SSL certificates\r
+                       List<GeneralName> altNames = new ArrayList<GeneralName>();\r
+                       if (HttpUtils.isIpAddress(sslMetadata.commonName)) {\r
+                               altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName));                           \r
+                       }\r
+                       if (altNames.size() > 0) {\r
+                               GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()]));\r
+                               certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);\r
+                       }\r
+\r
                        ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM)\r
                                        .setProvider(BC).build(caPrivateKey);\r
                        X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)\r
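Review bot: The subjectAlternativeName extension is only populated when the common name is an IP address; for a DNS hostname no dNSName entry is added, so clients that match the server name against SAN rather than CN will not match the generated certificate. Adding an `else` branch with `altNames.add(new GeneralName(GeneralName.dNSName, sslMetadata.commonName));` keeps the hostname case consistent with the IP case, and the extension then carries the same name the CN does. `altNames.isEmpty()` reads better than `altNames.size() > 0`, and the iPAddress add line carries trailing whitespace. The enclosing method starts and ends outside the hunk.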