/**
 * Returns the certificate chain presented by the peer in this session.
 *
 * <p>The backing array is handed out directly (no copy), so a caller that modifies the returned
 * array alters the chain stored here.
 *
 * @return the peer's certificates; never empty
 * @throws SSLPeerUnverifiedException if no peer certificates are held, i.e. the peer was not
 *     authenticated
 */
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
  if (certificates.length > 0) {
    return certificates;
  }
  throw new SSLPeerUnverifiedException("peer not authenticated");
}
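/**
 * Cleans an untrusted certificate chain by delegating, via reflection, to the platform
 * {@code X509TrustManagerExtensions.checkServerTrusted(X509Certificate[], String, String)}.
 *
 * @param chain the certificate chain presented by the peer
 * @param hostname the host the chain must be valid for
 * @return the trusted chain as returned by the platform trust manager
 * @throws SSLPeerUnverifiedException if the platform rejects the chain, or if the chain contains
 *     an entry that is not an {@link X509Certificate}
 */
@SuppressWarnings({"unchecked", "SuspiciousToArrayCall"}) // Reflection on List<Certificate>.
@Override
public List<Certificate> clean(List<Certificate> chain, String hostname)
    throws SSLPeerUnverifiedException {
  X509Certificate[] certificates;
  try {
    certificates = chain.toArray(new X509Certificate[chain.size()]);
  } catch (ArrayStoreException e) {
    // A non-X.509 entry must surface as the checked exception callers handle, not as an
    // unchecked ArrayStoreException escaping the trust check.
    SSLPeerUnverifiedException exception =
        new SSLPeerUnverifiedException("certificate chain contains a non-X.509 certificate");
    exception.initCause(e);
    throw exception;
  }
  try {
    return (List<Certificate>) checkServerTrusted.invoke(
        x509TrustManagerExtensions, certificates, "RSA", hostname);
  } catch (InvocationTargetException e) {
    // InvocationTargetException itself normally carries no message; the platform's own
    // exception (the target) holds the reason the chain was rejected.
    Throwable target = e.getTargetException();
    String message = target != null ? target.getMessage() : e.getMessage();
    SSLPeerUnverifiedException exception = new SSLPeerUnverifiedException(message);
    exception.initCause(e); // keeps the full chain: ITE -> platform exception
    throw exception;
  } catch (IllegalAccessException e) {
    throw new AssertionError(e);
  }
}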
/**
 * Returns a copy of the peer's certificate chain in the legacy
 * {@code SSLSession#getPeerCertificateChain()} representation.
 *
 * @return a fresh copy of the stored chain
 * @throws SSLPeerUnverifiedException if the engine holds no peer certificates
 */
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
    synchronized (ReferenceCountedOpenSslEngine.this) {
        if (!isEmpty(x509PeerCerts)) {
            // Hand out a copy so callers cannot alter the chain held by the engine.
            return x509PeerCerts.clone();
        }
        throw new SSLPeerUnverifiedException("peer not verified");
    }
}
/**
 * Returns a copy of the certificate chain presented by the peer.
 *
 * @return a fresh copy of the stored chain
 * @throws SSLPeerUnverifiedException if the engine holds no peer certificates
 */
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
    synchronized (ReferenceCountedOpenSslEngine.this) {
        if (!isEmpty(peerCerts)) {
            // Hand out a copy so callers cannot alter the chain held by the engine.
            return peerCerts.clone();
        }
        throw new SSLPeerUnverifiedException("peer not verified");
    }
}
/**
 * Matches the requested host against the certificate subject's common name.
 * Both values are lower-cased with {@link Locale#ROOT} before the strict comparison.
 *
 * @param host the host name being connected to
 * @param cn the subject common name taken from the certificate
 * @throws SSLPeerUnverifiedException if the common name does not match the host
 */
private static void matchCN(final String host, final String cn) throws SSLException {
    final String hostLower = host.toLowerCase(Locale.ROOT);
    final String cnLower = cn.toLowerCase(Locale.ROOT);
    if (matchIdentityStrict(hostLower, cnLower)) {
        return;
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match "
            + "common name of the certificate subject: " + cn);
}
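/**
 * Cleans an untrusted certificate chain by delegating, via reflection, to the platform
 * {@code X509TrustManagerExtensions.checkServerTrusted(X509Certificate[], String, String)}.
 *
 * @param chain the certificate chain presented by the peer
 * @param hostname the host the chain must be valid for
 * @return the trusted chain as returned by the platform trust manager
 * @throws SSLPeerUnverifiedException if the platform rejects the chain, or if the chain contains
 *     an entry that is not an {@link X509Certificate}
 */
@SuppressWarnings({"unchecked", "SuspiciousToArrayCall"}) // Reflection on List<Certificate>.
@Override
public List<Certificate> clean(List<Certificate> chain, String hostname)
    throws SSLPeerUnverifiedException {
  X509Certificate[] certificates;
  try {
    certificates = chain.toArray(new X509Certificate[chain.size()]);
  } catch (ArrayStoreException e) {
    // A non-X.509 entry must surface as the checked exception callers handle, not as an
    // unchecked ArrayStoreException escaping the trust check.
    SSLPeerUnverifiedException exception =
        new SSLPeerUnverifiedException("certificate chain contains a non-X.509 certificate");
    exception.initCause(e);
    throw exception;
  }
  try {
    return (List<Certificate>) checkServerTrusted.invoke(
        x509TrustManagerExtensions, certificates, "RSA", hostname);
  } catch (InvocationTargetException e) {
    // InvocationTargetException itself normally carries no message; the platform's own
    // exception (the target) holds the reason the chain was rejected.
    Throwable target = e.getTargetException();
    String message = target != null ? target.getMessage() : e.getMessage();
    SSLPeerUnverifiedException exception = new SSLPeerUnverifiedException(message);
    exception.initCause(e); // keeps the full chain: ITE -> platform exception
    throw exception;
  } catch (IllegalAccessException e) {
    throw new AssertionError(e);
  }
}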
/**
 * Returns a copy of the peer's certificate chain in the legacy
 * {@code SSLSession#getPeerCertificateChain()} representation.
 *
 * @return a fresh copy of the stored chain
 * @throws SSLPeerUnverifiedException if the engine holds no peer certificates
 */
@Override
public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException {
    synchronized (ReferenceCountedOpenSslEngine.this) {
        if (!isEmpty(x509PeerCerts)) {
            // Hand out a copy so callers cannot alter the chain held by the engine.
            return x509PeerCerts.clone();
        }
        throw new SSLPeerUnverifiedException("peer not verified");
    }
}
/**
 * Returns a copy of the certificate chain presented by the peer.
 *
 * @return a fresh copy of the stored chain
 * @throws SSLPeerUnverifiedException if the engine holds no peer certificates
 */
@Override
public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
    synchronized (ReferenceCountedOpenSslEngine.this) {
        if (!isEmpty(peerCerts)) {
            // Hand out a copy so callers cannot alter the chain held by the engine.
            return peerCerts.clone();
        }
        throw new SSLPeerUnverifiedException("peer not verified");
    }
}
/**
 * Matches the requested host against the certificate's IP subject alternative names.
 * The comparison is an exact string match; no address normalisation is applied here.
 *
 * @param host the host (an IP literal) being connected to
 * @param subjectAlts the certificate's subject alternative names
 * @throws SSLPeerUnverifiedException if no IP subject alternative name equals the host
 */
private static void matchIPAddress(final String host, final List<SubjectName> subjectAlts)
        throws SSLException {
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() == SubjectName.IP && host.equals(alt.getValue())) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
/**
 * Returns the trimmed subject DN of the peer's leaf certificate on this engine's session.
 *
 * @return the subject DN string of the first peer certificate, whitespace-trimmed
 * @throws SSLPeerUnverifiedException if the session holds no peer certificates
 * @throws CertificateException if the leaf cannot be converted to an X.509 certificate or is
 *     outside its validity period
 */
public String getDn() throws CertificateException, SSLPeerUnverifiedException {
    final Certificate[] peerChain = engine.getSession().getPeerCertificates();
    if (peerChain == null || peerChain.length == 0) {
        throw new SSLPeerUnverifiedException("No certificates found");
    }
    final X509Certificate leaf = CertificateUtils.convertAbstractX509Certificate(peerChain[0]);
    // Only the leaf's validity window is re-checked here; presumably chain/trust validation
    // already happened during the handshake — verify against the engine configuration.
    leaf.checkValidity();
    // NOTE(review): getSubjectDN() is denigrated in the JDK docs in favour of
    // getSubjectX500Principal(); switching would change the DN string format, so it is kept.
    return leaf.getSubjectDN().getName().trim();
}
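/**
 * Cleans an untrusted certificate chain by delegating, via reflection, to the platform
 * {@code X509TrustManagerExtensions.checkServerTrusted(X509Certificate[], String, String)}.
 *
 * @param chain the certificate chain presented by the peer
 * @param hostname the host the chain must be valid for
 * @return the trusted chain as returned by the platform trust manager
 * @throws SSLPeerUnverifiedException if the platform rejects the chain, or if the chain contains
 *     an entry that is not an {@link X509Certificate}
 */
@SuppressWarnings({"unchecked", "SuspiciousToArrayCall"}) // Reflection on List<Certificate>.
@Override
public List<Certificate> clean(List<Certificate> chain, String hostname)
    throws SSLPeerUnverifiedException {
  X509Certificate[] certificates;
  try {
    certificates = chain.toArray(new X509Certificate[chain.size()]);
  } catch (ArrayStoreException e) {
    // A non-X.509 entry must surface as the checked exception callers handle, not as an
    // unchecked ArrayStoreException escaping the trust check.
    SSLPeerUnverifiedException exception =
        new SSLPeerUnverifiedException("certificate chain contains a non-X.509 certificate");
    exception.initCause(e);
    throw exception;
  }
  try {
    return (List<Certificate>) checkServerTrusted.invoke(
        x509TrustManagerExtensions, certificates, "RSA", hostname);
  } catch (InvocationTargetException e) {
    // InvocationTargetException itself normally carries no message; the platform's own
    // exception (the target) holds the reason the chain was rejected.
    Throwable target = e.getTargetException();
    String message = target != null ? target.getMessage() : e.getMessage();
    SSLPeerUnverifiedException exception = new SSLPeerUnverifiedException(message);
    exception.initCause(e); // keeps the full chain: ITE -> platform exception
    throw exception;
  } catch (IllegalAccessException e) {
    throw new AssertionError(e);
  }
}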
throw new SSLPeerUnverifiedException( "Failed to find a trusted cert that signed " + toVerify); throw new SSLPeerUnverifiedException("Certificate chain too long: " + result);
/**
 * Matches the requested host against the certificate's DNS subject alternative names.
 * Host and each DNS entry are lower-cased with {@link Locale#ROOT} before the strict match.
 *
 * @param host the host name being connected to
 * @param subjectAlts the certificate's subject alternative names
 * @throws SSLPeerUnverifiedException if no DNS subject alternative name matches the host
 */
private static void matchDNSName(final String host, final List<SubjectName> subjectAlts)
        throws SSLException {
    final String hostLower = host.toLowerCase(Locale.ROOT);
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() != SubjectName.DNS) {
            continue;
        }
        final String altLower = alt.getValue().toLowerCase(Locale.ROOT);
        if (matchIdentityStrict(hostLower, altLower)) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
message.append("\n ").append(pin); throw new SSLPeerUnverifiedException(message.toString());
/**
 * Extracts the identities (user names) carried in the subject alternative names of the peer's
 * leaf certificate.
 *
 * @param sslSession the session whose peer certificates are inspected
 * @return the set of user names derived from the leaf's subject alternative names
 * @throws SSLPeerUnverifiedException if the session holds no peer certificates
 * @throws CertificateException if the leaf cannot be converted to an X.509 certificate or is
 *     outside its validity period
 */
private Set<String> getCertificateIdentities(final SSLSession sslSession)
        throws CertificateException, SSLPeerUnverifiedException {
    final Certificate[] peerChain = sslSession.getPeerCertificates();
    if (peerChain == null || peerChain.length == 0) {
        throw new SSLPeerUnverifiedException("No certificates found");
    }
    final X509Certificate leaf = CertificateUtils.convertAbstractX509Certificate(peerChain[0]);
    // Only the leaf's validity window is re-checked here.
    leaf.checkValidity();
    return CertificateUtils.getSubjectAlternativeNames(leaf).stream()
            .map(CertificateUtils::extractUsername)
            .collect(Collectors.toSet());
}
} // closing brace of the enclosing class, kept from the original line
/**
 * Extracts the identities (user names) carried in the subject alternative names of the peer's
 * leaf certificate.
 *
 * @param sslSession the session whose peer certificates are inspected
 * @return the set of user names derived from the leaf's subject alternative names
 * @throws SSLPeerUnverifiedException if the session holds no peer certificates
 * @throws CertificateException if the leaf cannot be converted to an X.509 certificate or is
 *     outside its validity period
 */
private Set<String> getCertificateIdentities(final SSLSession sslSession)
        throws CertificateException, SSLPeerUnverifiedException {
    final Certificate[] peerChain = sslSession.getPeerCertificates();
    if (peerChain == null || peerChain.length == 0) {
        throw new SSLPeerUnverifiedException("No certificates found");
    }
    final X509Certificate leaf = CertificateUtils.convertAbstractX509Certificate(peerChain[0]);
    // Only the leaf's validity window is re-checked here.
    leaf.checkValidity();
    return CertificateUtils.getSubjectAlternativeNames(leaf).stream()
            .map(CertificateUtils::extractUsername)
            .collect(Collectors.toSet());
}
} // closing brace of the enclosing class, kept from the original line
/**
 * Matches the requested IPv6 host against the certificate's IP subject alternative names.
 * Both sides go through {@code normaliseAddress} before being compared for equality.
 *
 * @param host the IPv6 literal being connected to
 * @param subjectAlts the certificate's subject alternative names
 * @throws SSLPeerUnverifiedException if no IP subject alternative name matches the host
 */
private static void matchIPv6Address(final String host, final List<SubjectName> subjectAlts)
        throws SSLException {
    final String hostNormalised = normaliseAddress(host);
    for (final SubjectName alt : subjectAlts) {
        if (alt.getType() != SubjectName.IP) {
            continue;
        }
        if (hostNormalised.equals(normaliseAddress(alt.getValue()))) {
            return;
        }
    }
    throw new SSLPeerUnverifiedException("Certificate for <" + host + "> doesn't match any "
            + "of the subject alternative names: " + subjectAlts);
}
/**
 * Builds the "peer unverified" exception, formatting its message with the logger's locale.
 * The top stack frame (this factory method) is dropped so the trace begins at the caller.
 *
 * @return a new exception ready to be thrown by the caller
 */
@Override
public final SSLPeerUnverifiedException peerUnverified() {
    final String message = String.format(getLoggingLocale(), peerUnverified$str());
    final SSLPeerUnverifiedException result = new SSLPeerUnverifiedException(message);
    final StackTraceElement[] frames = result.getStackTrace();
    result.setStackTrace(Arrays.copyOfRange(frames, 1, frames.length));
    return result;
}

private static final String servletPathMatchFailed = "UT000068: Servlet path match failed";
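/**
 * Fetches the peer's certificates from the SSL session, renegotiating once with
 * {@code SslClientAuthMode.REQUESTED} when the connection did not ask for a client certificate
 * and authentication is required.
 *
 * @param exchange the current exchange, used to drive renegotiation
 * @param sslSession the SSL session information of the connection
 * @param securityContext consulted to decide whether renegotiation is warranted
 * @return the peer certificates; never {@code null}
 * @throws SSLPeerUnverifiedException if no certificates are available and renegotiation was
 *     either not attempted or did not yield any; the underlying failure is attached as the cause
 */
private Certificate[] getPeerCertificates(final HttpServerExchange exchange, SSLSessionInfo sslSession,
                                          SecurityContext securityContext) throws SSLPeerUnverifiedException {
    try {
        return sslSession.getPeerCertificates();
    } catch (RenegotiationRequiredException e) {
        // We only renegotiate if authentication is required.
        if (forceRenegotiation && securityContext.isAuthenticationRequired()) {
            try {
                sslSession.renegotiate(exchange, SslClientAuthMode.REQUESTED);
                return sslSession.getPeerCertificates();
            } catch (IOException e1) {
                // Best effort: a failed renegotiation still means "no client certificate", but the
                // failure is kept as the cause rather than silently dropped.
                SSLPeerUnverifiedException unverified =
                        new SSLPeerUnverifiedException("Renegotiation for client certificate failed");
                unverified.initCause(e1);
                throw unverified;
            } catch (RenegotiationRequiredException e1) {
                SSLPeerUnverifiedException unverified =
                        new SSLPeerUnverifiedException("Renegotiation for client certificate failed");
                unverified.initCause(e1);
                throw unverified;
            }
        }
        SSLPeerUnverifiedException unverified =
                new SSLPeerUnverifiedException("Client certificate not available and renegotiation not attempted");
        unverified.initCause(e);
        throw unverified;
    }
}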
if (!peerCertificates.isEmpty()) { X509Certificate cert = (X509Certificate) peerCertificates.get(0); throw new SSLPeerUnverifiedException( "Hostname " + address.url().host() + " not verified:" + "\n certificate: " + CertificatePinner.pin(cert) + "\n subjectAltNames: " + OkHostnameVerifier.allSubjectAltNames(cert)); } else { throw new SSLPeerUnverifiedException( "Hostname " + address.url().host() + " not verified (no certificates)");