Class HostnameToCertificateChecker


  • public class HostnameToCertificateChecker
    extends java.lang.Object
    Verifies whether a peer's host name matches a DN of its certificate. It is useful on the client side when connecting to a server.

    By default the implementation checks the certificate's Subject Alternative Name and Common Name, following the server identity part of RFC 2818. Additionally, the 'service/hostname' syntax is supported (the service prefix is simply ignored).

    If there is a name mismatch, the nameMismatch() method is called. Users of this class must extend it and provide the application-specific reaction in that method.

    Note that this class should be used only on SSL connections which are authenticated with X.509 certificates.

    Author:
    Joni Hahkala, K. Benedyczak
    • Constructor Detail

      • HostnameToCertificateChecker

        public HostnameToCertificateChecker()
    • Method Detail

      • checkMatching

        public boolean checkMatching(java.lang.String hostname,
                                     java.security.cert.X509Certificate certificate)
                              throws java.security.cert.CertificateParsingException,
                                     java.net.UnknownHostException
        Throws:
        java.security.cert.CertificateParsingException
        java.net.UnknownHostException
      • checkAltNameMatching

        protected boolean checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result,
                                               java.lang.String hostname,
                                               java.security.cert.X509Certificate certificate)
                                        throws java.security.cert.CertificateParsingException,
                                               java.net.UnknownHostException
        Parameters:
        result - result
        hostname - hostname
        certificate - certificate
        Returns:
        true iff a dNSName in altName was found (not whether the matching was successful). The RFC is unclear whether the presence of an IP altName also takes precedence over the CN, so such a rule is not enforced.
        Throws:
        java.security.cert.CertificateParsingException - certificate parsing exception
        java.net.UnknownHostException - unknown host exception
      • checkCNMatching

        protected boolean checkCNMatching(java.lang.String hostname,
                                          java.security.cert.X509Certificate certificate)
        Parameters:
        hostname - hostname
        certificate - certificate
        Returns:
        true if a CN was found and the matching was successful
      • matchesDNS

        public static boolean matchesDNS(java.lang.String hostname,
                                         java.lang.String pattern)
      • makeRegexpHostWildcard

        public static java.lang.String makeRegexpHostWildcard(java.lang.String pattern)
        Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.
        Parameters:
        pattern - hostname wildcard
        Returns:
        Java regular expression
      • matchesIP

        protected boolean matchesIP(java.lang.String what,
                                    java.lang.String pattern)
                             throws java.net.UnknownHostException
        Throws:
        java.net.UnknownHostException
      • getMostSpecificCN

        public java.lang.String getMostSpecificCN(javax.security.auth.x500.X500Principal srcP)
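The following is an added, self-contained Java illustration of the two rules this class documents: the RFC 2818 order (a dNSName in the Subject Alternative Name decides the outcome and the CN is consulted only when no dNSName is present, mirroring what checkAltNameMatching reports) and the wildcard-to-regex conversion that makeRegexpHostWildcard performs, where every literal fragment must be quoted so a '.' in the pattern cannot act as a regex metacharacter. It is not the library's code and does not call HostnameToCertificateChecker; the class name Rfc2818NameMatchDemo, its method names, the "most specific CN is the leftmost CN" reading, and the sample SAN and DN values are constructed for this example.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added demo of RFC 2818 name matching; not the library's HostnameToCertificateChecker. */
public class Rfc2818NameMatchDemo {

    /** GeneralName tag for dNSName as returned by X509Certificate.getSubjectAlternativeNames(). */
    private static final int SAN_DNS_NAME = 2;

    /**
     * Converts a hostname wildcard such as "*.example.org" into a Java regex.
     * Literal fragments are wrapped with Pattern.quote so '.' stays a literal dot;
     * '*' becomes "[^.]*", confined to one label, so "*.example.org" does not
     * match "a.b.example.org".
     */
    public static String makeHostWildcardRegex(String pattern) {
        StringBuilder sb = new StringBuilder("^");
        int from = 0;
        for (int i = 0; i < pattern.length(); i++) {
            if (pattern.charAt(i) == '*') {
                if (i > from) sb.append(Pattern.quote(pattern.substring(from, i)));
                sb.append("[^.]*");
                from = i + 1;
            }
        }
        if (from < pattern.length()) sb.append(Pattern.quote(pattern.substring(from)));
        return sb.append("$").toString();
    }

    /** Case-insensitive match of a hostname against a (possibly wildcard) pattern. */
    public static boolean matchesDns(String hostname, String pattern) {
        String re = makeHostWildcardRegex(pattern.toLowerCase(Locale.ROOT));
        return Pattern.compile(re).matcher(hostname.toLowerCase(Locale.ROOT)).matches();
    }

    /** Accepts the "service/hostname" syntax and returns only the hostname part. */
    public static String stripServicePrefix(String name) {
        int slash = name.indexOf('/');
        return slash >= 0 ? name.substring(slash + 1) : name;
    }

    /** Leftmost CN of an RFC 2253 DN string (LdapName indexes from the rightmost RDN), or null. */
    public static String mostSpecificCn(String subjectDn) {
        try {
            String cn = null;
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) cn = rdn.getValue().toString();
            }
            return cn;
        } catch (InvalidNameException e) {
            return null;
        }
    }

    /** Outcome: whether a dNSName SAN existed (SAN path taken) and whether the name matched. */
    public static final class Result {
        public final boolean dnsSanPresent;
        public final boolean matched;
        Result(boolean dnsSanPresent, boolean matched) {
            this.dnsSanPresent = dnsSanPresent;
            this.matched = matched;
        }
    }

    /** RFC 2818 order: any dNSName SAN present => only SANs count; otherwise fall back to the CN. */
    public static Result check(String peerName, List<String> sanDnsNames, String subjectDn) {
        String host = stripServicePrefix(peerName);
        if (!sanDnsNames.isEmpty()) {
            for (String san : sanDnsNames) {
                if (matchesDns(host, san)) return new Result(true, true);
            }
            return new Result(true, false); // CN is not consulted once a dNSName exists
        }
        String cn = mostSpecificCn(subjectDn);
        return new Result(false, cn != null && matchesDns(host, stripServicePrefix(cn)));
    }

    /** Pulls dNSName entries out of a real certificate for use with check(). */
    public static List<String> dnsSansOf(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if ((Integer) entry.get(0) == SAN_DNS_NAME) out.add((String) entry.get(1));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no certificate is parsed here.
        List<String> wildcardSan = List.of("*.example.org");
        String dn = "CN=other.example.org,O=Example,C=XX";
        System.out.println(check("host/www.example.org", wildcardSan, dn).matched);          // true: wildcard SAN
        System.out.println(check("a.b.example.org", wildcardSan, dn).matched);               // false: one label only
        System.out.println(check("wwwzexamplezorg", List.of(), "CN=www.example.org").matched); // false: dots are literal
        System.out.println(check("other.example.org", wildcardSan, dn).matched);             // false: CN ignored when SAN present
        System.out.println(check("other.example.org", List.of(), dn).matched);               // true: CN fallback
    }
}
```

The fourth case is the one that matters operationally: a certificate whose CN names the host but whose SAN does not is rejected, because once a dNSName is present the CN no longer participates, which is exactly the "true iff a dNSName was found" signal that checkAltNameMatching exposes to its caller.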