org.ldaptive.ssl

Class DefaultHostnameVerifier

java.lang.Object

org.ldaptive.ssl.DefaultHostnameVerifier

All Implemented Interfaces:

javax.net.ssl.HostnameVerifier, CertificateHostnameVerifier

public class DefaultHostnameVerifier
extends java.lang.Object
implements javax.net.ssl.HostnameVerifier, CertificateHostnameVerifier

Hostname verifier that provides an implementation similar to what occurs with JNDI startTLS. Verification occurs in the following order:

• if hostname is IP, then cert must have exact match IP subjAltName
• hostname must match any DNS subjAltName if any exist
• hostname must match the first CN
• if cert begins with a wildcard, domains are used for matching

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private static class	DefaultHostnameVerifier.SubjectAltNameType Enum for subject alt name types.

Field Summary

Fields

Modifier and Type	Field and Description
protected org.slf4j.Logger	logger Logger for this class.

Constructor Summary

Constructors

Constructor and Description
DefaultHostnameVerifier()

Method Summary

Modifier and Type	Method and Description
private java.lang.String[]	getCNs(java.security.cert.X509Certificate cert) Returns the CNs from the supplied certificate.
private java.lang.String[]	getSubjectAltNames(java.security.cert.X509Certificate cert, DefaultHostnameVerifier.SubjectAltNameType type) Returns the subject alternative names matching the supplied name type from the supplied certificate.
private boolean	isMatch(java.lang.String hostname, java.lang.String certName) Determines if the supplied hostname matches a name derived from the certificate.
boolean	verify(java.lang.String hostname, javax.net.ssl.SSLSession session)
boolean	verify(java.lang.String hostname, java.security.cert.X509Certificate cert) Verify if the hostname is an IP address using LdapUtils.isIPAddress(String).
protected boolean	verifyDNS(java.lang.String hostname, java.security.cert.X509Certificate cert) Verify the certificate allows use of the supplied DNS name.
protected boolean	verifyIP(java.lang.String ip, java.security.cert.X509Certificate cert) Verify the certificate allows use of the supplied IP address.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

protected final org.slf4j.Logger logger

Logger for this class.

Constructor Detail

DefaultHostnameVerifier

public DefaultHostnameVerifier()

Method Detail

verify

public boolean verify(java.lang.String hostname,
                      javax.net.ssl.SSLSession session)

Specified by:

verify in interface javax.net.ssl.HostnameVerifier

verify

public boolean verify(java.lang.String hostname,
                      java.security.cert.X509Certificate cert)

Verify if the hostname is an IP address using LdapUtils.isIPAddress(String). Delegates to verifyIP(String, X509Certificate) and verifyDNS(String, X509Certificate) accordingly.

Specified by:

verify in interface CertificateHostnameVerifier

Parameters:

hostname - to verify

cert - to verify hostname against

Returns:

whether hostname is valid for the supplied certificate

verifyIP

protected boolean verifyIP(java.lang.String ip,
                           java.security.cert.X509Certificate cert)

Verify the certificate allows use of the supplied IP address.

From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

Parameters:

ip - address to match in the certificate

cert - to inspect for the IP address

Returns:

whether the ip matched a subject alt name

verifyDNS

protected boolean verifyDNS(java.lang.String hostname,
                            java.security.cert.X509Certificate cert)

Verify the certificate allows use of the supplied DNS name. Note that only the first CN is used.

From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

Parameters:

hostname - to match in the certificate

cert - to inspect for the hostname

Returns:

whether the hostname matched a subject alt name or CN

getSubjectAltNames

private java.lang.String[] getSubjectAltNames(java.security.cert.X509Certificate cert,
                                              DefaultHostnameVerifier.SubjectAltNameType type)

Returns the subject alternative names matching the supplied name type from the supplied certificate.

Parameters:

cert - to get subject alt names from

type - subject alt name type

Returns:

subject alt names

getCNs

private java.lang.String[] getCNs(java.security.cert.X509Certificate cert)

Returns the CNs from the supplied certificate.

Parameters:

cert - to get CNs from

Returns:

CNs

isMatch

private boolean isMatch(java.lang.String hostname,
                        java.lang.String certName)

Determines if the supplied hostname matches a name derived from the certificate. If the certificate name starts with '*', the domain components after the first '.' in each name are compared.

Parameters:

hostname - to match

certName - to match

Returns:

whether the hostname matched the cert name