eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker

public class HostnameToCertificateChecker extends Object

Verifies if a peer's host name matches a DN of its certificate. It is useful on client side when connecting to a server.

By default the implementation checks the certificate's Subject Alternative Name and Common Name, following the server identity part of RFC 2818. Additionally the 'service/hostname' syntax is supported (the service prefix is simply ignored).

If there is a name mismatch the nameMismatch() method is called. User of this class must extend it and provide the application specific reaction in this method.

Note that this class should be used only on SSL connections which are authenticated with X.509 certificates.

Author:: Joni Hahkala, K. Benedyczak

Nested Class Summary

Nested Classes

Modifier and Type

Class

Description

protected static class

HostnameToCertificateChecker.ResultWrapper
Constructor Summary

Constructors

Constructor

Description

HostnameToCertificateChecker()
Method Summary

Modifier and Type

Method

Description

protected boolean

checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result, String hostname, X509Certificate certificate)

protected boolean

checkCNMatching(String hostname, X509Certificate certificate)

boolean

checkMatching(String hostname, X509Certificate certificate)

String

getMostSpecificCN(X500Principal srcP)

static String

makeRegexpHostWildcard(String pattern)

Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.

static boolean

matchesDNS(String hostname, String pattern)

protected boolean

matchesIP(String what, String pattern)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details
- HostnameToCertificateChecker
  
  public HostnameToCertificateChecker()
Method Details
- checkMatching
  
  public boolean checkMatching(String hostname, X509Certificate certificate) throws CertificateParsingException, UnknownHostException
  
  Throws:
  
  CertificateParsingException
  
  UnknownHostException
- checkAltNameMatching
  
  protected boolean checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result, String hostname, X509Certificate certificate) throws CertificateParsingException, UnknownHostException
  
  Parameters:
  
  result - result
  
  hostname - hostname
  
  certificate - certificate
  
  Returns:
  
  true iff a dNSName in altName was found (not if the matching was successful) RFC is unclear whether IP AltName presence is also taking the precedence over CN so we are not enforcing such a rule.
  
  Throws:
  
  CertificateParsingException - certificate parsing exception
  
  UnknownHostException - unknown host exception
- checkCNMatching
  
  protected boolean checkCNMatching(String hostname, X509Certificate certificate)
  
  Parameters:
  
  hostname - hostname
  
  certificate - certificate
  
  Returns:
  
  true if a CN was found and the matching was successful ;-)
- matchesDNS
  
  public static boolean matchesDNS(String hostname, String pattern)
- makeRegexpHostWildcard
  
  public static String makeRegexpHostWildcard(String pattern)
  
  Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.
  
  Parameters:
  
  pattern - hostname wildcard
  
  Returns:
  
  Java regular expression
- matchesIP
  
  protected boolean matchesIP(String what, String pattern) throws UnknownHostException
  
  Throws:
  
  UnknownHostException
- getMostSpecificCN
  
  public String getMostSpecificCN(X500Principal srcP)

Class HostnameToCertificateChecker

Nested Class Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Details

HostnameToCertificateChecker

Method Details

checkMatching

checkAltNameMatching

checkCNMatching

matchesDNS

makeRegexpHostWildcard

matchesIP

getMostSpecificCN