/**
 * Checks that {@code host} is an identity the certificate {@code cert} was issued for.
 * <p>
 * Subject alternative names are authoritative when present: an IPv4 or IPv6 literal is
 * matched against IP-type entries, anything else against DNS-type entries. The subject
 * common name is consulted only when the certificate carries no alternative names at all,
 * which is the legacy RFC 2818 fallback.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param cert the peer's leaf certificate
 * @throws SSLException if the identity does not match, or if the certificate has neither
 *         alternative names nor a common name to match against
 */
public void verify(final String host, final X509Certificate cert) throws SSLException {
    final HostNameType kind = determineHostFormat(host);
    final List<SubjectName> altNames = getSubjectAltNames(cert);
    final boolean hasAltNames = altNames != null && !altNames.isEmpty();

    if (!hasAltNames) {
        // RFC 2818 deprecates CN matching; it is used only when no SAN entries exist.
        final X500Principal subject = cert.getSubjectX500Principal();
        final String commonName = extractCN(subject.getName(X500Principal.RFC2253));
        if (commonName == null) {
            throw new SSLException("Certificate subject for <" + host + "> doesn't contain "
                    + "a common name and does not have alternative names");
        }
        matchCN(host, commonName, this.publicSuffixMatcher);
        return;
    }

    if (kind == HostNameType.IPv4) {
        matchIPAddress(host, altNames);
    } else if (kind == HostNameType.IPv6) {
        matchIPv6Address(host, altNames);
    } else {
        matchDNSName(host, altNames, this.publicSuffixMatcher);
    }
}
/**
 * Non-strict identity match: delegates to the four-argument overload with the strict
 * flag cleared.
 *
 * @param host the host name being verified
 * @param identity the certificate identity (SAN or CN) to compare against
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @return whether {@code identity} covers {@code host} under non-strict rules
 */
static boolean matchIdentity(final String host, final String identity, final PublicSuffixMatcher publicSuffixMatcher) {
    final boolean strict = false;
    return matchIdentity(host, identity, publicSuffixMatcher, strict);
}
/**
 * Matches {@code host} against the certificate subject's common name.
 * <p>
 * DNS names are case-insensitive, so both sides are folded with a locale-independent
 * lower-case before the strict comparison.
 *
 * @param host the host name being verified
 * @param cn the common name extracted from the certificate subject
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @throws SSLPeerUnverifiedException if the common name does not cover {@code host}
 */
static void matchCN(final String host, final String cn, final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
    final String lowerHost = host.toLowerCase(Locale.ROOT);
    final String lowerCn = cn.toLowerCase(Locale.ROOT);
    final boolean matched = matchIdentityStrict(lowerHost, lowerCn, publicSuffixMatcher);
    if (matched) {
        return;
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match "
            + "common name of the certificate subject: " + cn);
}
/**
 * Checks that {@code host} is an identity the certificate {@code cert} was issued for.
 * <p>
 * The host is classified as an IPv4 literal, an IPv6 literal, or a DNS name, and only the
 * subject alternative names of the matching type are extracted. When the certificate has
 * no such entries the subject common name is used as the legacy RFC 2818 fallback.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param cert the peer's leaf certificate
 * @throws SSLException if the identity does not match, or if the certificate has neither
 *         alternative names of the relevant type nor a common name
 */
public void verify(final String host, final X509Certificate cert) throws SSLException {
    final boolean isV4 = InetAddressUtils.isIPv4Address(host);
    final boolean isV6 = InetAddressUtils.isIPv6Address(host);

    final int altType;
    if (isV4 || isV6) {
        altType = IP_ADDRESS_TYPE;
    } else {
        altType = DNS_NAME_TYPE;
    }
    final List<String> altNames = extractSubjectAlts(cert, altType);

    if (altNames == null || altNames.isEmpty()) {
        // RFC 2818 deprecates CN matching; it is used only when no SAN entries exist.
        final X500Principal subject = cert.getSubjectX500Principal();
        final String commonName = extractCN(subject.getName(X500Principal.RFC2253));
        if (commonName == null) {
            throw new SSLException("Certificate subject for <" + host + "> doesn't contain "
                    + "a common name and does not have alternative names");
        }
        matchCN(host, commonName, this.publicSuffixMatcher);
        return;
    }

    if (isV4) {
        matchIPAddress(host, altNames);
    } else if (isV6) {
        matchIPv6Address(host, altNames);
    } else {
        matchDNSName(host, altNames, this.publicSuffixMatcher);
    }
}
/**
 * Selects the {@link HostnameVerifier} for a client connection from its TLS parameters.
 * <p>
 * Precedence: an explicitly configured verifier, then the JDK's
 * {@code HttpsURLConnection} default if requested, then the accept-everything verifier
 * if the CN check is disabled, otherwise the default verifier backed by the public-suffix
 * list.
 *
 * @param tlsClientParameters the client's TLS configuration
 * @return the verifier to apply to the peer's certificate
 */
public static HostnameVerifier getHostnameVerifier(TLSClientParameters tlsClientParameters) {
    final HostnameVerifier configured = tlsClientParameters.getHostnameVerifier();
    if (configured != null) {
        return configured;
    }
    if (tlsClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }
    if (tlsClientParameters.isDisableCNCheck()) {
        // Explicit opt-out: no identity check is performed against the certificate.
        return new AllowAllHostnameVerifier();
    }
    return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
}
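/**
 * {@link javax.net.ssl.HostnameVerifier} entry point: verifies {@code host} against the
 * leaf certificate of the session's peer chain.
 * <p>
 * On success returns {@code true}. On any {@link SSLException} the cause is logged at
 * {@code FINE} and a {@link RuntimeException} is thrown instead of the contractual
 * {@code false}. NOTE(review): presumably this forces the caller to drop the socket rather
 * than reuse it — confirm against the call site before changing.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param session the established TLS session supplying the peer chain
 * @return {@code true} when the certificate covers {@code host}
 * @throws RuntimeException when verification fails or no X.509 peer certificate is present
 */
@Override
public boolean verify(final String host, final SSLSession session) {
    try {
        final Certificate[] chain = session.getPeerCertificates();
        // An empty chain or a non-X.509 leaf is a verification failure; without this
        // guard the cast below would surface as an unrelated runtime exception.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLException("No X.509 peer certificate available for <" + host + ">");
        }
        verify(host, (X509Certificate) chain[0]);
        return true;
    } catch (final SSLException ex) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
        }
        throw new RuntimeException("HostnameVerifier, socket reset for TTL");
    }
}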
/**
 * Matches an IPv6 literal against the IP-type subject alternative names.
 * <p>
 * Both the host and each candidate are passed through {@code normaliseAddress} so that
 * textual variants of the same address compare equal.
 *
 * @param host the IPv6 literal the connection was opened to
 * @param subjectAlts all subject alternative names of the certificate
 * @throws SSLPeerUnverifiedException if no IP-type entry equals {@code host}
 */
static void matchIPv6Address(final String host, final List<SubjectName> subjectAlts) throws SSLException {
    final String wanted = normaliseAddress(host);
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() != SubjectName.IP) {
            continue; // DNS-type entries never satisfy an IP literal
        }
        if (wanted.equals(normaliseAddress(alt.getValue()))) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
verifier = new AllowAllHostnameVerifier(); } else { verifier = new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
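/**
 * {@link javax.net.ssl.HostnameVerifier} entry point: verifies {@code host} against the
 * leaf certificate of the session's peer chain.
 * <p>
 * On success returns {@code true}. On any {@link SSLException} the cause is logged at
 * {@code FINE} and a {@link RuntimeException} is thrown instead of the contractual
 * {@code false}. NOTE(review): presumably this forces the caller to drop the socket rather
 * than reuse it — confirm against the call site before changing.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param session the established TLS session supplying the peer chain
 * @return {@code true} when the certificate covers {@code host}
 * @throws RuntimeException when verification fails or no X.509 peer certificate is present
 */
@Override
public boolean verify(final String host, final SSLSession session) {
    try {
        final Certificate[] chain = session.getPeerCertificates();
        // An empty chain or a non-X.509 leaf is a verification failure; without this
        // guard the cast below would surface as an unrelated runtime exception.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLException("No X.509 peer certificate available for <" + host + ">");
        }
        verify(host, (X509Certificate) chain[0]);
        return true;
    } catch (final SSLException ex) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
        }
        throw new RuntimeException("HostnameVerifier, socket reset for TTL");
    }
}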
/**
 * Matches an IPv6 literal against the already type-filtered IP subject alternative names.
 * <p>
 * Both the host and each candidate are passed through {@code normaliseAddress} so that
 * textual variants of the same address compare equal.
 *
 * @param host the IPv6 literal the connection was opened to
 * @param subjectAlts the IP-type subject alternative names of the certificate
 * @throws SSLException if no entry equals {@code host}
 */
static void matchIPv6Address(final String host, final List<String> subjectAlts) throws SSLException {
    final String wanted = normaliseAddress(host);
    for (final String candidate : subjectAlts) {
        if (wanted.equals(normaliseAddress(candidate))) {
            return;
        }
    }
    throw new SSLException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
/**
 * Checks that {@code host} is an identity the certificate {@code cert} was issued for.
 * <p>
 * Subject alternative names are authoritative when present: an IPv4 or IPv6 literal is
 * matched against IP-type entries, anything else against DNS-type entries. The subject
 * common name is consulted only when the certificate carries no alternative names at all,
 * which is the legacy RFC 2818 fallback.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param cert the peer's leaf certificate
 * @throws SSLException if the identity does not match, or if the certificate has neither
 *         alternative names nor a common name to match against
 */
public void verify(final String host, final X509Certificate cert) throws SSLException {
    final HostNameType kind = determineHostFormat(host);
    final List<SubjectName> altNames = getSubjectAltNames(cert);
    final boolean hasAltNames = altNames != null && !altNames.isEmpty();

    if (!hasAltNames) {
        // RFC 2818 deprecates CN matching; it is used only when no SAN entries exist.
        final X500Principal subject = cert.getSubjectX500Principal();
        final String commonName = extractCN(subject.getName(X500Principal.RFC2253));
        if (commonName == null) {
            throw new SSLException("Certificate subject for <" + host + "> doesn't contain "
                    + "a common name and does not have alternative names");
        }
        matchCN(host, commonName, this.publicSuffixMatcher);
        return;
    }

    if (kind == HostNameType.IPv4) {
        matchIPAddress(host, altNames);
    } else if (kind == HostNameType.IPv6) {
        matchIPv6Address(host, altNames);
    } else {
        matchDNSName(host, altNames, this.publicSuffixMatcher);
    }
}
/**
 * Strict identity match: delegates to the four-argument overload with the strict flag set.
 *
 * @param host the host name being verified
 * @param identity the certificate identity (SAN or CN) to compare against
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @return whether {@code identity} covers {@code host} under strict rules
 */
static boolean matchIdentityStrict(final String host, final String identity, final PublicSuffixMatcher publicSuffixMatcher) {
    final boolean strict = true;
    return matchIdentity(host, identity, publicSuffixMatcher, strict);
}
/**
 * Matches a DNS host name against the DNS-type subject alternative names.
 * <p>
 * DNS names are case-insensitive, so the host and each candidate are folded with a
 * locale-independent lower-case before the strict comparison.
 *
 * @param host the host name the connection was opened to
 * @param subjectAlts all subject alternative names of the certificate
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @throws SSLPeerUnverifiedException if no DNS-type entry covers {@code host}
 */
static void matchDNSName(final String host, final List<SubjectName> subjectAlts, final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
    final String lowerHost = host.toLowerCase(Locale.ROOT);
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() != SubjectName.DNS) {
            continue; // IP-type entries never satisfy a DNS name
        }
        final String lowerAlt = alt.getValue().toLowerCase(Locale.ROOT);
        if (matchIdentityStrict(lowerHost, lowerAlt, publicSuffixMatcher)) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
/**
 * Selects the {@link HostnameVerifier} for a client connection from its TLS parameters.
 * <p>
 * Precedence: an explicitly configured verifier, then the JDK's
 * {@code HttpsURLConnection} default if requested, then the accept-everything verifier
 * if the CN check is disabled, otherwise the default verifier backed by the public-suffix
 * list.
 *
 * @param tlsClientParameters the client's TLS configuration
 * @return the verifier to apply to the peer's certificate
 */
public static HostnameVerifier getHostnameVerifier(TLSClientParameters tlsClientParameters) {
    final HostnameVerifier configured = tlsClientParameters.getHostnameVerifier();
    if (configured != null) {
        return configured;
    }
    if (tlsClientParameters.isUseHttpsURLConnectionDefaultHostnameVerifier()) {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }
    if (tlsClientParameters.isDisableCNCheck()) {
        // Explicit opt-out: no identity check is performed against the certificate.
        return new AllowAllHostnameVerifier();
    }
    return new DefaultHostnameVerifier(PublicSuffixMatcherLoader.getDefault());
}
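/**
 * {@link javax.net.ssl.HostnameVerifier} entry point: verifies {@code host} against the
 * leaf certificate of the session's peer chain.
 * <p>
 * Any {@link SSLException} — a mismatch, an unverified peer, or a missing X.509 leaf —
 * is logged at {@code FINE} and reported as {@code false}.
 *
 * @param host the host name or IP literal the connection was opened to
 * @param session the established TLS session supplying the peer chain
 * @return {@code true} when the certificate covers {@code host}, {@code false} otherwise
 */
@Override
public boolean verify(final String host, final SSLSession session) {
    try {
        final Certificate[] chain = session.getPeerCertificates();
        // An empty chain or a non-X.509 leaf is a verification failure; without this
        // guard the cast below would escape as an unrelated runtime exception instead
        // of the contractual false.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLException("No X.509 peer certificate available for <" + host + ">");
        }
        verify(host, (X509Certificate) chain[0]);
        return true;
    } catch (final SSLException ex) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
        }
        return false;
    }
}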
/**
 * Matches an IPv6 literal against the IP-type subject alternative names.
 * <p>
 * Both the host and each candidate are passed through {@code normaliseAddress} so that
 * textual variants of the same address compare equal.
 *
 * @param host the IPv6 literal the connection was opened to
 * @param subjectAlts all subject alternative names of the certificate
 * @throws SSLPeerUnverifiedException if no IP-type entry equals {@code host}
 */
static void matchIPv6Address(final String host, final List<SubjectName> subjectAlts) throws SSLException {
    final String wanted = normaliseAddress(host);
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() != SubjectName.IP) {
            continue; // DNS-type entries never satisfy an IP literal
        }
        if (wanted.equals(normaliseAddress(alt.getValue()))) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
/**
 * Non-strict identity match without public-suffix data: delegates to the four-argument
 * overload with a {@code null} matcher and the strict flag cleared.
 *
 * @param host the host name being verified
 * @param identity the certificate identity (SAN or CN) to compare against
 * @return whether {@code identity} covers {@code host} under non-strict rules
 */
static boolean matchIdentity(final String host, final String identity) {
    final boolean strict = false;
    return matchIdentity(host, identity, null, strict);
}
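/**
 * Matches {@code host} against the certificate subject's common name.
 * <p>
 * DNS names are case-insensitive, so both sides are folded with a locale-independent
 * lower-case before the strict comparison, consistent with {@code matchDNSName}. The
 * exception message keeps the caller-supplied spelling of both values.
 *
 * @param host the host name being verified
 * @param cn the common name extracted from the certificate subject
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @throws SSLException if the common name does not cover {@code host}
 */
static void matchCN(final String host, final String cn, final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
    final String normalizedHost = host.toLowerCase(Locale.ROOT);
    final String normalizedCn = cn.toLowerCase(Locale.ROOT);
    if (!matchIdentityStrict(normalizedHost, normalizedCn, publicSuffixMatcher)) {
        throw new SSLException("Certificate for <" + host + "> doesn't match "
                + "common name of the certificate subject: " + cn);
    }
}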
/**
 * Strict identity match without public-suffix data: delegates to the four-argument
 * overload with a {@code null} matcher and the strict flag set.
 *
 * @param host the host name being verified
 * @param identity the certificate identity (SAN or CN) to compare against
 * @return whether {@code identity} covers {@code host} under strict rules
 */
static boolean matchIdentityStrict(final String host, final String identity) {
    final boolean strict = true;
    return matchIdentity(host, identity, null, strict);
}
/**
 * Matches a DNS host name against the already type-filtered DNS subject alternative names.
 * <p>
 * DNS names are case-insensitive, so the host and each candidate are folded with a
 * locale-independent lower-case before the strict comparison.
 *
 * @param host the host name the connection was opened to
 * @param subjectAlts the DNS-type subject alternative names of the certificate
 * @param publicSuffixMatcher public-suffix data used to constrain wildcard matching
 * @throws SSLException if no entry covers {@code host}
 */
static void matchDNSName(final String host, final List<String> subjectAlts, final PublicSuffixMatcher publicSuffixMatcher) throws SSLException {
    final String lowerHost = host.toLowerCase(Locale.ROOT);
    for (final String candidate : subjectAlts) {
        final String lowerCandidate = candidate.toLowerCase(Locale.ROOT);
        if (matchIdentityStrict(lowerHost, lowerCandidate, publicSuffixMatcher)) {
            return;
        }
    }
    throw new SSLException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}