eu.emi.security.authn.x509.helpers.ssl
Class HostnameToCertificateChecker

java.lang.Object
  extended by eu.emi.security.authn.x509.helpers.ssl.HostnameToCertificateChecker

public class HostnameToCertificateChecker
extends Object

Verifies whether a peer's host name matches the DN of its certificate. It is useful on the client side when connecting to a server.

By default the implementation checks the certificate's Subject Alternative Name and Common Name, following the server identity part of RFC 2818. Additionally, the 'service/hostname' syntax is supported (the service prefix is simply ignored).

If there is a name mismatch, the nameMismatch() method is called. Users of this class must extend it and provide the application-specific reaction in that method.

Note that this class should be used only on SSL connections that are authenticated with X.509 certificates.

Author:
Joni Hahkala, K. Benedyczak

Nested Class Summary
protected static class HostnameToCertificateChecker.ResultWrapper

Constructor Summary
HostnameToCertificateChecker()

Method Summary
protected boolean checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result, String hostname, X509Certificate certificate)
protected boolean checkCNMatching(String hostname, X509Certificate certificate)
boolean checkMatching(String hostname, X509Certificate certificate)
String getMostSpecificCN(X500Principal srcP)
static String makeRegexpHostWildcard(String pattern)
          Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.
static boolean matchesDNS(String hostname, String pattern)
protected boolean matchesIP(String what, String pattern)

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HostnameToCertificateChecker

public HostnameToCertificateChecker()
Method Detail

checkMatching

public boolean checkMatching(String hostname,
                             X509Certificate certificate)
                      throws CertificateParsingException,
                             UnknownHostException
Throws:
CertificateParsingException
UnknownHostException

checkAltNameMatching

protected boolean checkAltNameMatching(HostnameToCertificateChecker.ResultWrapper result,
                                       String hostname,
                                       X509Certificate certificate)
                                throws CertificateParsingException,
                                       UnknownHostException
Returns:
true iff a dNSName in altName was found (regardless of whether the matching was successful). The RFC is unclear whether the presence of an IP altName also takes precedence over the CN, so we do not enforce such a rule.
Throws:
CertificateParsingException
UnknownHostException

checkCNMatching

protected boolean checkCNMatching(String hostname,
                                  X509Certificate certificate)
Returns:
true if a CN was found and the matching was successful ;-)

matchesDNS

public static boolean matchesDNS(String hostname,
                                 String pattern)

makeRegexpHostWildcard

public static String makeRegexpHostWildcard(String pattern)
Converts hostname wildcard string to Java regexp, ensuring that literal sequences are correctly escaped.

Parameters:
pattern - hostname wildcard
Returns:
Java regular expression

matchesIP

protected boolean matchesIP(String what,
                            String pattern)
                     throws UnknownHostException
Throws:
UnknownHostException

getMostSpecificCN

public String getMostSpecificCN(X500Principal srcP)


Copyright © 2012-2013 European Middleware Initiative. All Rights Reserved.