eu.emi.security.authn.x509.helpers.ssl

Class HostnameToCertificateChecker

java.lang.Object

eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker

public class HostnameToCertificateChecker
extends Object

Verifies if a peer's host name matches a DN of its certificate. It is useful on client side when connecting to a server.

By default the implementation checks the certificate's Subject Alternative Name and Common Name, following the server identity part of RFC 2818. Additionally the 'service/hostname' syntax is supported (the service prefix is simply ignored).

If there is a name mismatch the nameMismatch() method is called. User of this class must extend it and provide the application specific reaction in this method.

Note that this class should be used only on SSL connections which are authenticated with X.509 certificates.

Author:

Joni Hahkala, K. Benedyczak

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
protected static class	HostnameToCertificateChecker.ResultWrapper

Constructor Summary

Constructors

Constructor and Description
HostnameToCertificateChecker()

Method Summary

Modifier and Type	Method and Description
protected boolean	checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result, String hostname, X509Certificate certificate)
protected boolean	checkCNMatching(String hostname, X509Certificate certificate)
boolean	checkMatching(String hostname, X509Certificate certificate)
String	getMostSpecificCN(X500Principal srcP)
static String	makeRegexpHostWildcard(String pattern) Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.
static boolean	matchesDNS(String hostname, String pattern)
protected boolean	matchesIP(String what, String pattern)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HostnameToCertificateChecker

public HostnameToCertificateChecker()

Method Detail

checkMatching

public boolean checkMatching(String hostname,
                             X509Certificate certificate)
                      throws CertificateParsingException,
                             UnknownHostException

Throws:

CertificateParsingException

UnknownHostException

checkAltNameMatching

protected boolean checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result,
                                       String hostname,
                                       X509Certificate certificate)
                                throws CertificateParsingException,
                                       UnknownHostException

Parameters:

result - result

hostname - hostname

certificate - certificate

Returns:

true iff a dNSName in altName was found (not if the matching was successful) RFC is unclear whether IP AltName presence is also taking the precedence over CN so we are not enforcing such a rule.

Throws:

CertificateParsingException - certificate parsing exception

UnknownHostException - unknown host exception

checkCNMatching

protected boolean checkCNMatching(String hostname,
                                  X509Certificate certificate)

Parameters:

hostname - hostname

certificate - certificate

Returns:

true if a CN was found and the matching was successful ;-)

matchesDNS

public static boolean matchesDNS(String hostname,
                                 String pattern)

makeRegexpHostWildcard

public static String makeRegexpHostWildcard(String pattern)

Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.

Parameters:

pattern - hostname wildcard

Returns:

Java regular expression

matchesIP

protected boolean matchesIP(String what,
                            String pattern)
                     throws UnknownHostException

Throws:

UnknownHostException

getMostSpecificCN

public String getMostSpecificCN(X500Principal srcP)