/**
 * Checks that the peer certificate presented in {@code session} was issued for {@code hostname},
 * using the TLS (RFC 2818 style) matching rules of {@code HostnameChecker.TYPE_TLS}.
 * <p>
 * Only the first certificate of the peer chain is inspected, and only if it is an X.509
 * certificate. Any failure - no verified peer, empty chain, non-X.509 leaf, or no matching
 * name - is reported as {@code false}; no exception escapes this method.
 * <p>
 * Note: {@code sun.security.util.HostnameChecker} is JDK-internal, not a supported API. On
 * Java 9+ the package has to be exported to this code (for example with
 * {@code --add-exports java.base/sun.security.util=ALL-UNNAMED}) or it will not compile/run.
 *
 * @param hostname the host name the peer certificate is expected to be valid for
 * @param session  the handshake session whose peer certificates are checked
 * @return {@code true} only when the leaf certificate matches {@code hostname}
 */
public boolean verify(String hostname, SSLSession session) {
    final HostnameChecker tlsChecker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);

    final Certificate[] peerChain;
    try {
        peerChain = session.getPeerCertificates();
    } catch (SSLPeerUnverifiedException ignored) {
        // the session carries no verified peer identity, so there is nothing to match against
        return false;
    }

    if (peerChain.length == 0 || !(peerChain[0] instanceof X509Certificate)) {
        // empty chain, or a leaf that is not an X.509 certificate: cannot be verified, reject
        return false;
    }

    try {
        tlsChecker.match(hostname, (X509Certificate) peerChain[0]);
        return true;
    } catch (CertificateException ignored) {
        // none of the names in the leaf certificate matched the requested hostname
        return false;
    }
}
/**
 * Validates the server certificate chain through the wrapped trust manager and then verifies
 * that the end-entity certificate was issued for {@code hostnameOrIp}.
 * <p>
 * The delegate only establishes that the chain is trusted, not that it belongs to the host
 * being contacted; the hostname step is what rejects a valid-but-foreign certificate. A
 * certificate that {@code isServerCertificateInTrustStore} reports as present in the trust
 * store is treated as explicitly trusted and skips the hostname check.
 *
 * @param chain    the peer certificate chain; the server certificate is expected at index 0
 * @param authType the key exchange algorithm, passed through to the delegate
 * @throws CertificateException if the delegate rejects the chain, the chain is empty, or the
 *                              server certificate does not match {@code hostnameOrIp}
 */
@Override
public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
    // Step 1: chain validation, entirely the delegate's responsibility (whatever checks it is configured for).
    delegate.checkServerTrusted(chain, authType);

    // Step 2: hostname verification against the end-entity certificate.
    if (chain.length == 0) {
        throw new CertificateException("Cannot verify hostname - empty certificate chain");
    }
    // RFC 5246: "This is a sequence (chain) of certificates. The sender's certificate MUST come first
    // in the list." - so chain[0] is the server's own certificate.
    final X509Certificate endEntity = chain[0];
    if (isServerCertificateInTrustStore(endEntity)) {
        // explicitly trusted certificate: no name matching required
        return;
    }
    HOSTNAME_CHECKER.match(hostnameOrIp, endEntity);
}
/**
 * Validates the server certificate chain through the wrapped trust manager and then verifies
 * that the end-entity certificate was issued for {@code hostnameOrIp}.
 * <p>
 * The delegate only establishes that the chain is trusted, not that it belongs to the host
 * being contacted; the hostname step is what rejects a valid-but-foreign certificate. A
 * certificate that {@code isServerCertificateInTrustStore} reports as present in the trust
 * store is treated as explicitly trusted and skips the hostname check.
 *
 * @param chain    the peer certificate chain; the server certificate is expected at index 0
 * @param authType the key exchange algorithm, passed through to the delegate
 * @throws CertificateException if the delegate rejects the chain, the chain is empty, or the
 *                              server certificate does not match {@code hostnameOrIp}
 */
@Override
public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
    // Step 1: chain validation, entirely the delegate's responsibility (whatever checks it is configured for).
    delegate.checkServerTrusted(chain, authType);

    // Step 2: hostname verification against the end-entity certificate.
    if (chain.length == 0) {
        throw new CertificateException("Cannot verify hostname - empty certificate chain");
    }
    // RFC 5246: "This is a sequence (chain) of certificates. The sender's certificate MUST come first
    // in the list." - so chain[0] is the server's own certificate.
    final X509Certificate endEntity = chain[0];
    if (isServerCertificateInTrustStore(endEntity)) {
        // explicitly trusted certificate: no name matching required
        return;
    }
    HOSTNAME_CHECKER.match(hostnameOrIp, endEntity);
}
/**
 * Expose convenience method for testing.
 * <p>
 * Matches {@code hostname} against {@code cert} with {@code HostnameChecker.TYPE_LDAP}, i.e. the
 * RFC 2830 rule set rather than the TLS one; in particular wildcard names may be treated
 * differently than a TLS hostname check of the same certificate would. {@code HostnameChecker}
 * is a JDK-internal class ({@code sun.security.util}) and is not a supported API.
 * This overrides a method declared outside this excerpt.
 *
 * @param hostname to verify
 * @param cert to verify hostname against
 *
 * @return whether the certificate is allowed
 */
@Override
public boolean verify(final String hostname, final X509Certificate cert) {
    final HostnameChecker ldapChecker = HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP);
    try {
        ldapChecker.match(hostname, cert);
    } catch (CertificateException e) {
        // no name in the certificate matched the hostname: not allowed
        return false;
    }
    return true;
}
}