Class AbstractHostnameToCertificateChecker

  • All Implemented Interfaces:
    java.util.EventListener, javax.net.ssl.HandshakeCompletedListener

    @Deprecated
    public abstract class AbstractHostnameToCertificateChecker
    extends java.lang.Object
    implements javax.net.ssl.HandshakeCompletedListener
    Deprecated.
    Use SocketFactoryCreator.connectWithHostnameChecking(SSLSocket, HostnameMismatchCallback) instead. This class is not perfect: the HandshakeCompletedListener is invoked (at least in the reference JDK) in a separate thread, which can easily lead to a situation where the connection is opened and made available before this implementation finishes checking.
    Abstract implementation of the JSSE HandshakeCompletedListener which can be registered on an SSLSocket to verify whether a peer's host name matches a DN of its certificate. It is useful on the client side when connecting to a server.

    By default the implementation checks the certificate's Subject Alternative Name and Common Name, following the server identity part of RFC 2818. Additionally the 'service/hostname' syntax is supported (the service prefix is simply ignored).

    If there is a name mismatch, the nameMismatch() method is called. Users of this class must extend it and provide the application-specific reaction in this method.

    Note that this class should be used only on SSL connections which are authenticated with X.509 certificates.
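
    The race described in the deprecation note does not arise when the name check is part of the blocking handshake on the calling thread. The following is an added example, not code from this library: it uses the standard JSSE endpoint identification instead of this class, the names BlockingHostnameCheck and connectVerified are hypothetical, and the 'service/hostname' syntax and a custom mismatch callback are not covered.

```java
import java.io.IOException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class BlockingHostnameCheck {

    /**
     * Opens a TLS connection and returns it only after the server identity
     * has been verified on the calling thread. No listener thread is involved,
     * so the caller can never see the socket before the check has finished.
     */
    public static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket() connects at TCP level; the TLS handshake has not run yet.
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            // Ask JSSE to match the certificate (Subject Alternative Name,
            // then Common Name, per RFC 2818) against the host name as part
            // of the handshake itself.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // startHandshake() blocks. A name mismatch surfaces here as an
            // SSLHandshakeException, before any application data is exchanged.
            socket.startHandshake();
            return socket;
        } catch (IOException e) {
            // Never hand out a socket whose peer identity was not confirmed.
            socket.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Host and port come from the command line, e.g. "example.org 443".
        try (SSLSocket s = connectVerified(args[0], Integer.parseInt(args[1]))) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```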

    Author:
    Joni Hahkala, K. Benedyczak
    • Method Summary

      Modifier and Type Method Description
      void handshakeCompleted(javax.net.ssl.HandshakeCompletedEvent hce)
      Deprecated.
      protected abstract void nameMismatch(javax.net.ssl.HandshakeCompletedEvent hce, java.security.cert.X509Certificate peerCertificate, java.lang.String hostName)
      Deprecated.
      This method is called whenever the peer's host name does not match the peer's certificate DN.
      protected void processingError(javax.net.ssl.HandshakeCompletedEvent hce, java.lang.Exception e)
      Deprecated.
      This method is called whenever there is an error while processing the peer's certificate and hostname.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • AbstractHostnameToCertificateChecker

        public AbstractHostnameToCertificateChecker()
        Deprecated.
    • Method Detail

      • handshakeCompleted

        public void handshakeCompleted(javax.net.ssl.HandshakeCompletedEvent hce)
        Deprecated.
        Specified by:
        handshakeCompleted in interface javax.net.ssl.HandshakeCompletedListener
      • nameMismatch

        protected abstract void nameMismatch(javax.net.ssl.HandshakeCompletedEvent hce,
                                             java.security.cert.X509Certificate peerCertificate,
                                             java.lang.String hostName)
                                      throws javax.net.ssl.SSLException
        Deprecated.
        This method is called whenever the peer's host name does not match the peer's certificate DN. Note that throwing exceptions from this method doesn't make any sense.
        Parameters:
        hce - the original event object
        peerCertificate - peer's certificate (for convenience)
        hostName - peer's host name (for convenience)
        Throws:
        javax.net.ssl.SSLException - SSL exception
      • processingError

        protected void processingError(javax.net.ssl.HandshakeCompletedEvent hce,
                                       java.lang.Exception e)
        Deprecated.
        This method is called whenever there is an error while processing the peer's certificate and hostname. Generally this should never happen, and the implementation should simply close the socket and report the error. The default implementation simply throws an IllegalStateException.
        Parameters:
        hce - the original event object
        e - error