Skip to content

TerminalCommonNameValidator: Update validation regex #1564

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Sep 29, 2025
Merged

TerminalCommonNameValidator: Update validation regex #1564

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d794608
Update validation regex
gcatanese Sep 23, 2025
2c763bd
Correct javadoc
gcatanese Sep 23, 2025
8ba64ac
Refactor to use static regex
gcatanese Sep 23, 2025
d611399
Precompile regex
gcatanese Sep 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 45 additions & 18 deletions src/main/java/com/adyen/terminal/security/TerminalCommonNameValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,36 +26,63 @@
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Validates the Common Name of a terminal API certificate. */
public final class TerminalCommonNameValidator {

private static final String ENVIRONMENT_WILDCARD = "{ENVIRONMENT}";
private static final String TERMINAL_API_CN_REGEX =
"[a-zA-Z0-9]{3,}-[0-9]{9,15}\\." + ENVIRONMENT_WILDCARD + "\\.terminal\\.adyen\\.com";
private static final String TERMINAL_API_LEGACY_CN =
"legacy-terminal-certificate." + ENVIRONMENT_WILDCARD + ".terminal.adyen.com";
// Precompiled regex for Terminal API CN format
private static final Pattern TERMINAL_API_CN_TEST =
Pattern.compile("[a-zA-Z0-9]{3,}-[a-zA-Z0-9]{9,15}\\.test\\.terminal\\.adyen\\.com");
private static final Pattern TERMINAL_API_CN_LIVE =
Pattern.compile("[a-zA-Z0-9]{3,}-[a-zA-Z0-9]{9,15}\\.live\\.terminal\\.adyen\\.com");

// Exact strings for legacy format (no regex needed)
private static final String TERMINAL_API_LEGACY_TEST =
"legacy-terminal-certificate.test.terminal.adyen.com";
private static final String TERMINAL_API_LEGACY_LIVE =
"legacy-terminal-certificate.live.terminal.adyen.com";

// Regex to extract CN from subject string
private static final Pattern SUBJECT_ATTRIBUTE_PATTERN =
Pattern.compile("(?:^|,\\s?)([A-Z]+)=((?:\"[^\"]+\")|[^,]+)");

private TerminalCommonNameValidator() {}

/**
* Validates the Common Name of the given {@link X509Certificate} for the given {@link
* Environment}.
*
* @param certificate the {@link X509Certificate} to validate.
* @param environment the {@link Environment}.
* @return true if the Common Name is valid, false otherwise.
*/
public static boolean validateCertificate(X509Certificate certificate, Environment environment) {
String environmentName = environment.name().toLowerCase();
String name = certificate.getSubjectX500Principal().getName();
String patternRegex = "(?:^|,\\s?)(?:([A-Z]+)=(\"(?:[^\"]|\"\")+\"|[^,]+))+";
Pattern pattern = Pattern.compile(patternRegex);
Matcher matcher = pattern.matcher(name);
boolean valid = false;
while (matcher.find() && !valid) {
Matcher matcher = SUBJECT_ATTRIBUTE_PATTERN.matcher(name);

while (matcher.find()) {
String groupName = matcher.group(1);
if ("CN".equals(groupName)) {
String commonName = matcher.group(2);
valid =
commonName != null
&& (commonName.matches(
TERMINAL_API_CN_REGEX.replace(ENVIRONMENT_WILDCARD, environmentName))
|| commonName.equals(
TERMINAL_API_LEGACY_CN.replace(ENVIRONMENT_WILDCARD, environmentName)));
return isValidCommonName(commonName, environment);
}
}
return false;
}

return valid;
private static boolean isValidCommonName(String commonName, Environment environment) {
if (commonName == null) {
return false;
}

switch (environment) {
case LIVE:
return TERMINAL_API_CN_LIVE.matcher(commonName).matches()
|| TERMINAL_API_LEGACY_LIVE.equals(commonName);
case TEST:
return TERMINAL_API_CN_TEST.matcher(commonName).matches()
|| TERMINAL_API_LEGACY_TEST.equals(commonName);
default:
return false;
}
}
}
5 changes: 5 additions & 0 deletions src/test/java/com/adyen/terminal/security/TerminalCommonNameValidatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ public static Collection<Object[]> data() {
return Arrays.asList(
new Object[][] {
// Valid CNs and environment
{
"[email protected], CN=TG300-G10M257M70004.test.terminal.adyen.com, OU=Mock, O=Mock, L=Mock, ST=MO, C=MO",
Environment.TEST,
true
},
{
"[email protected], CN=legacy-terminal-certificate.test.terminal.adyen.com, OU=Mock, O=Mock, L=Mock, ST=MO, C=MO",
Environment.TEST,
Expand Down