final String[] subjAltNames = getSubjectAltNames(cert, SubjectAltNameType.DNS_NAME); logger.debug("verifyDNS using subjectAltNames={}", Arrays.toString(subjAltNames)); if (subjAltNames.length > 0) { if (isMatch(hostname, name)) { logger.debug("verifyDNS found hostname match: {}", name); verified = true; final String[] cns = getCNs(cert); logger.debug("verifyDNS using CN={}", Arrays.toString(cns)); if (cns.length > 0) { if (isMatch(hostname, cns[cns.length - 1])) { logger.debug("verifyDNS found hostname match: {}", cns[cns.length - 1]); verified = true;
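/**
 * Verifies the supplied hostname against the first certificate of the session's peer chain. IPv6 literals may be
 * passed in bracketed form ("[...]"); the brackets are removed and the name trimmed before delegating to
 * {@link #verify(String, X509Certificate)}.
 *
 * @param hostname to verify, may be null
 * @param session from which the peer certificate chain is read
 *
 * @return whether the hostname is valid for the peer certificate; false when the peer was not verified or the
 * session does not supply an X509 certificate
 */
@Override
public boolean verify(final String hostname, final SSLSession session)
{
  boolean b = false;
  try {
    String name = null;
    if (hostname != null) {
      // if IPv6 strip off the "[]"
      if (hostname.startsWith("[") && hostname.endsWith("]")) {
        name = hostname.substring(1, hostname.length() - 1).trim();
      } else {
        name = hostname.trim();
      }
    }
    final java.security.cert.Certificate[] chain = session.getPeerCertificates();
    // fail closed instead of letting an index or cast exception escape the verifier
    if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
      logger.warn("SSL session did not supply an X509 peer certificate");
    } else {
      b = verify(name, (X509Certificate) chain[0]);
    }
  } catch (SSLPeerUnverifiedException e) {
    logger.warn("Could not get certificate from the SSL session", e);
  }
  return b;
}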
/**
 * Dispatches hostname verification by address type. Hostnames that {@link LdapUtils#isIPAddress(String)} recognizes
 * as IP literals are checked with {@link #verifyIP(String, X509Certificate)}; all others with
 * {@link #verifyDNS(String, X509Certificate)}.
 *
 * @param hostname to verify
 * @param cert to verify hostname against
 *
 * @return whether hostname is valid for the supplied certificate
 */
@Override
public boolean verify(final String hostname, final X509Certificate cert)
{
  logger.debug("verifying hostname={} against cert={}", hostname, cert.getSubjectX500Principal());
  return LdapUtils.isIPAddress(hostname) ? verifyIP(hostname, cert) : verifyDNS(hostname, cert);
}
/**
 * Installs a {@link HostnameVerifyingTrustManager} (backed by a {@link DefaultHostnameVerifier}) on the supplied
 * config, but only when no trust managers have been configured yet. If the config also has no
 * {@link CredentialConfig}, a {@link DefaultTrustManager} is installed ahead of it.
 *
 * @param config to modify
 * @param names of the hosts to verify
 */
protected static void addHostnameVerifyingTrustManager(final SslConfig config, final String[] names)
{
  if (config.getTrustManagers() != null) {
    // caller already configured trust managers; leave them untouched
    return;
  }
  final DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
  if (config.getCredentialConfig() == null) {
    config.setTrustManagers(new DefaultTrustManager(), new HostnameVerifyingTrustManager(verifier, names));
  } else {
    config.setTrustManagers(new HostnameVerifyingTrustManager(verifier, names));
  }
}
/**
 * Checks whether the certificate carries an iPAddress subject alternative name equal to the supplied address.
 *
 * <p>From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the
 * iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.</p>
 *
 * <p>NOTE(review): the comparison is textual (case-insensitive), so an IPv6 address must be spelled exactly as the
 * subject alt name string is rendered for the match to succeed — confirm how {@link #getSubjectAltNames} formats
 * IPv6 values.</p>
 *
 * @param ip address to match in the certificate
 * @param cert to inspect for the IP address
 *
 * @return whether the ip matched a subject alt name
 */
protected boolean verifyIP(final String ip, final X509Certificate cert)
{
  final String[] candidates = getSubjectAltNames(cert, SubjectAltNameType.IP_ADDRESS);
  logger.debug("verifyIP using subjectAltNames={}", Arrays.toString(candidates));
  boolean matched = false;
  for (int i = 0; i < candidates.length && !matched; i++) {
    if (ip.equalsIgnoreCase(candidates[i])) {
      logger.debug("verifyIP found hostname match: {}", candidates[i]);
      matched = true;
    }
  }
  return matched;
}
/**
 * Installs a {@link HostnameVerifyingTrustManager} (backed by a {@link DefaultHostnameVerifier}) on the supplied
 * config, but only when no trust managers have been configured yet. If the config also has no
 * {@link CredentialConfig}, a {@link DefaultTrustManager} is installed ahead of it.
 *
 * @deprecated {@link HostnameVerifierConfig} should be used for hostname verification
 *
 * @param config to modify
 * @param names of the hosts to verify
 */
@Deprecated
protected static void addHostnameVerifyingTrustManager(final SslConfig config, final String[] names)
{
  final boolean hasTrustManagers = config.getTrustManagers() != null;
  if (hasTrustManagers) {
    // caller already configured trust managers; nothing to add
    return;
  }
  final boolean hasCredentials = config.getCredentialConfig() != null;
  if (hasCredentials) {
    config.setTrustManagers(new HostnameVerifyingTrustManager(new DefaultHostnameVerifier(), names));
  } else {
    config.setTrustManagers(
      new DefaultTrustManager(),
      new HostnameVerifyingTrustManager(new DefaultHostnameVerifier(), names));
  }
}
/**
 * Checks whether the certificate carries an iPAddress subject alternative name equal to the supplied address.
 *
 * <p>From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the
 * iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.</p>
 *
 * <p>NOTE(review): matching is a case-insensitive string comparison, not an address comparison; differently spelled
 * but equivalent IPv6 literals would not match — confirm the rendering used by {@link #getSubjectAltNames}.</p>
 *
 * @param ip address to match in the certificate
 * @param cert to inspect for the IP address
 *
 * @return whether the ip matched a subject alt name
 */
protected boolean verifyIP(final String ip, final X509Certificate cert)
{
  final String[] ipAltNames = getSubjectAltNames(cert, SubjectAltNameType.IP_ADDRESS);
  logger.debug("verifyIP using subjectAltNames={}", Arrays.toString(ipAltNames));
  String hit = null;
  for (String altName : ipAltNames) {
    if (ip.equalsIgnoreCase(altName)) {
      hit = altName;
      break;
    }
  }
  if (hit == null) {
    return false;
  }
  logger.debug("verifyIP found hostname match: {}", hit);
  return true;
}
/**
 * Installs a {@link HostnameVerifyingTrustManager} (backed by a {@link DefaultHostnameVerifier}) on the supplied
 * config, but only when no trust managers have been configured yet. If the config also has no
 * {@link CredentialConfig}, a {@link DefaultTrustManager} is installed ahead of it.
 *
 * @deprecated {@link HostnameVerifierConfig} should be used for hostname verification
 *
 * @param config to modify
 * @param names of the hosts to verify
 */
@Deprecated
protected static void addHostnameVerifyingTrustManager(final SslConfig config, final String[] names)
{
  if (config.getTrustManagers() != null) {
    // caller already configured trust managers; leave them untouched
    return;
  }
  final DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
  if (config.getCredentialConfig() == null) {
    config.setTrustManagers(new DefaultTrustManager(), new HostnameVerifyingTrustManager(verifier, names));
  } else {
    config.setTrustManagers(new HostnameVerifyingTrustManager(verifier, names));
  }
}
final String[] subjAltNames = getSubjectAltNames(cert, SubjectAltNameType.DNS_NAME); logger.debug("verifyDNS using subjectAltNames={}", Arrays.toString(subjAltNames)); if (subjAltNames.length > 0) { if (isMatch(hostname, name)) { logger.debug("verifyDNS found hostname match: {}", name); verified = true; final String[] cns = getCNs(cert); logger.debug("verifyDNS using CN={}", Arrays.toString(cns)); if (cns.length > 0) { if (isMatch(hostname, cns[cns.length - 1])) { logger.debug("verifyDNS found hostname match: {}", cns[cns.length - 1]); verified = true;
/**
 * Dispatches hostname verification by address type. Hostnames that {@link LdapUtils#isIPAddress(String)} recognizes
 * as IP literals are checked with {@link #verifyIP(String, X509Certificate)}; all others with
 * {@link #verifyDNS(String, X509Certificate)}.
 *
 * @param hostname to verify
 * @param cert to verify hostname against
 *
 * @return whether hostname is valid for the supplied certificate
 */
@Override
public boolean verify(final String hostname, final X509Certificate cert)
{
  logger.debug("verifying hostname={} against cert={}", hostname, cert.getSubjectX500Principal());
  if (LdapUtils.isIPAddress(hostname)) {
    return verifyIP(hostname, cert);
  }
  return verifyDNS(hostname, cert);
}
/**
 * Checks whether the certificate carries an iPAddress subject alternative name equal to the supplied address.
 *
 * <p>From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the
 * iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.</p>
 *
 * <p>NOTE(review): the comparison is textual (case-insensitive), so an IPv6 address must be spelled exactly as the
 * subject alt name string is rendered for the match to succeed — confirm how {@link #getSubjectAltNames} formats
 * IPv6 values.</p>
 *
 * @param ip address to match in the certificate
 * @param cert to inspect for the IP address
 *
 * @return whether the ip matched a subject alt name
 */
protected boolean verifyIP(final String ip, final X509Certificate cert)
{
  final String[] ipAltNames = getSubjectAltNames(cert, SubjectAltNameType.IP_ADDRESS);
  logger.debug("verifyIP using subjectAltNames={}", Arrays.toString(ipAltNames));
  int i = 0;
  while (i < ipAltNames.length) {
    final String altName = ipAltNames[i++];
    if (ip.equalsIgnoreCase(altName)) {
      logger.debug("verifyIP found hostname match: {}", altName);
      return true;
    }
  }
  return false;
}
/**
 * Runs {@code DEFAULT_VERIFIER} against each fixture supplied by the {@code certificates} data provider and checks
 * the outcome against the expected result.
 *
 * @param hostname to match against the cert
 * @param cert to extract hostname from
 * @param pass whether the verify should succeed
 *
 * @throws Exception On test failure.
 */
@Test(groups = {"ssl"}, dataProvider = "certificates")
public void verifyDefault(final String hostname, final X509Certificate cert, final boolean pass)
  throws Exception
{
  final boolean actual = DEFAULT_VERIFIER.verify(hostname, cert);
  Assert.assertEquals(actual, pass);
}
sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), names)); } else { sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(verifier, names));
final String[] subjAltNames = getSubjectAltNames(cert, SubjectAltNameType.DNS_NAME); logger.debug("verifyDNS using subjectAltNames={}", Arrays.toString(subjAltNames)); if (subjAltNames.length > 0) { if (isMatch(hostname, name)) { logger.debug("verifyDNS found hostname match: {}", name); verified = true; final String[] cns = getCNs(cert); logger.debug("verifyDNS using CN={}", Arrays.toString(cns)); if (cns.length > 0) { if (isMatch(hostname, cns[cns.length - 1])) { logger.debug("verifyDNS found hostname match: {}", cns[cns.length - 1]); verified = true;
/**
 * Dispatches hostname verification by address type. Hostnames that {@link LdapUtils#isIPAddress(String)} recognizes
 * as IP literals are checked with {@link #verifyIP(String, X509Certificate)}; all others with
 * {@link #verifyDNS(String, X509Certificate)}.
 *
 * @param hostname to verify
 * @param cert to verify hostname against
 *
 * @return whether hostname is valid for the supplied certificate
 */
@Override
public boolean verify(final String hostname, final X509Certificate cert)
{
  logger.debug("verifying hostname={} against cert={}", hostname, cert.getSubjectX500Principal());
  final boolean isIpLiteral = LdapUtils.isIPAddress(hostname);
  return isIpLiteral ? verifyIP(hostname, cert) : verifyDNS(hostname, cert);
}
sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), names)); } else { sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(verifier, names));
sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), names)); } else { sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(verifier, names));
} else { contextInit.setHostnameVerifierConfig( new HostnameVerifierConfig(new DefaultHostnameVerifier(), ldapUrl.getHostnames())); new HostnameVerifyingTrustManager(new DefaultHostnameVerifier(), ldapUrl.getHostnames()));
sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), names)); } else { sf.getSslConfig().setHostnameVerifierConfig(new HostnameVerifierConfig(verifier, names));
defaultWithTM.setTrustManagers(new AllowAnyTrustManager()); final DefaultSSLContextInitializer defaultWithHV = new DefaultSSLContextInitializer(); defaultWithHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final DefaultSSLContextInitializer defaultWithTMHV = new DefaultSSLContextInitializer(); defaultWithTMHV.setTrustManagers(new AllowAnyTrustManager()); defaultWithTMHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final DefaultSSLContextInitializer defaultNoTrustWithTM = new DefaultSSLContextInitializer(false); defaultNoTrustWithTM.setTrustManagers(new AllowAnyTrustManager()); final DefaultSSLContextInitializer defaultNoTrustWithHV = new DefaultSSLContextInitializer(false); defaultNoTrustWithHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final DefaultSSLContextInitializer defaultNoTrustWithTMHV = new DefaultSSLContextInitializer(false); defaultNoTrustWithTMHV.setTrustManagers(new AllowAnyTrustManager()); defaultNoTrustWithTMHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final X509SSLContextInitializer x509WithHV = new X509SSLContextInitializer(); x509WithHV.setTrustCertificates(testCert); x509WithHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final X509SSLContextInitializer x509WithTMHV = new X509SSLContextInitializer(); x509WithTMHV.setTrustCertificates(testCert); x509WithTMHV.setTrustManagers(new AllowAnyTrustManager()); x509WithTMHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final X509SSLContextInitializer x509NoTrustWithTM = new X509SSLContextInitializer(); x509NoTrustWithTM.setTrustManagers(new AllowAnyTrustManager()); final X509SSLContextInitializer x509NoTrustWithHV = new X509SSLContextInitializer(); x509NoTrustWithHV.setHostnameVerifierConfig(new 
HostnameVerifierConfig(new DefaultHostnameVerifier(), "test")); final X509SSLContextInitializer x509NoTrustWithTMHV = new X509SSLContextInitializer(); x509NoTrustWithTMHV.setTrustManagers(new AllowAnyTrustManager()); x509NoTrustWithTMHV.setHostnameVerifierConfig(new HostnameVerifierConfig(new DefaultHostnameVerifier(), "test"));