java.lang.Object
  nl.nikhef.slcshttps.trust.HostnameChecker

public class HostnameChecker

Class to check whether a certain certificate is valid for a certain hostname, either using the TLS or the LDAP scheme.

This class is roughly a combination of the JDK 1.6 internal classes sun.security.util.HostnameChecker and sun.net.util.IPAddressUtil. At the same time it uses a method getCNs(), roughly adapted from the not-yet-commons-ssl-0.3.10 package, instead of getSubjectX500Name().findMostSpecificAttribute(X500Name.commonName_oid), so that all CN values of the subject are available rather than only the most specific one.
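As an added usage example (not code from the nikhef package): a javax.net.ssl.HostnameVerifier that delegates to this class through the public API shown on this page (getInstance, TYPE_TLS, and match throwing CertificateException). It assumes that session.getPeerCertificates() returns the peer's own certificate first, which the SSLSession contract guarantees. The security-relevant point is that every failure path returns false: a verifier that returns true after an exception, or that falls back to a looser comparison, silently disables the name check.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import nl.nikhef.slcshttps.trust.HostnameChecker;

/** Added example: adapts HostnameChecker to the javax.net.ssl.HostnameVerifier callback. */
public class CheckerHostnameVerifier implements HostnameVerifier {

    // getInstance() hands out the shared TLS checker; it does not create a new object per call
    private final HostnameChecker checker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);

    @Override
    public boolean verify(String hostname, SSLSession session) {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();   // peer's own certificate first, per the SSLSession contract
        } catch (SSLPeerUnverifiedException e) {
            return false;                            // unauthenticated peer: nothing to check against, fail closed
        }
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        try {
            // hostname may be a DNS name or an IP literal; match() decides which names in the
            // certificate are eligible and throws when none of them fits
            checker.match(hostname, (X509Certificate) chain[0]);
            return true;
        } catch (CertificateException e) {
            // name mismatch: report it, and never fall back to a looser comparison here
            System.err.println("hostname check failed for " + hostname + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // The JDK's HttpsURLConnection consults a HostnameVerifier only after its own built-in
        // name check has rejected the peer, so installing this one can tighten but not loosen it.
        HttpsURLConnection.setDefaultHostnameVerifier(new CheckerHostnameVerifier());
    }
}
```

For a raw SSLSocket nothing calls the verifier for you: invoke verify(host, socket.getSession()) yourself directly after startHandshake() and close the socket when it returns false.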
Field Summary

| Modifier and Type | Field and Description |
|---|---|
| private static int | ALTNAME_DNS: constant for subject alt names of type DNS. |
| private static int | ALTNAME_IP: constant for subject alt names of type IP. |
| private byte | checkType: the algorithm to follow to perform the check. |
| private static int | INADDR16SZ: number of bytes for an IPv6 address. |
| private static int | INADDR4SZ: number of bytes for an IPv4 address. |
| private static HostnameChecker | INSTANCE_LDAP: contains the HostnameChecker for type LDAP. |
| private static HostnameChecker | INSTANCE_TLS: contains the HostnameChecker for type TLS. |
| private static int | INT16SZ: used in IPv6 checking. |
| static byte | TYPE_LDAP: constant for a HostnameChecker for LDAP. |
| static byte | TYPE_TLS: constant for a HostnameChecker for TLS. |
Constructor Summary

| Modifier | Constructor and Description |
|---|---|
| private | HostnameChecker(byte checkType): constructs a HostnameChecker for type checkType. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| private static byte[] | convertFromIPv4MappedAddress(byte[] addr): converts an IPv4-mapped address to an IPv4 address. |
| private static String[] | getCNs(X509Certificate cert): obtains all the CNs from a certificate. |
| static HostnameChecker | getInstance(byte checkType): returns a HostnameChecker instance of the right type. |
| private static boolean | isIpAddress(String name): tests whether the given hostname looks like a literal IPv4 or IPv6 address. |
| private static boolean | isIPv4LiteralAddress(String src): checks whether src is an IPv4 address. |
| private static boolean | isIPv4MappedAddress(byte[] addr): utility routine to check if the InetAddress is an IPv4-mapped IPv6 address. |
| private static boolean | isIPv6LiteralAddress(String src): checks whether src is an IPv6 address. |
| private boolean | isMatched(String name, String template): returns true if name matches against template. |
| void | match(String expectedName, X509Certificate cert): tries to match the X509Certificate against the given expectedName. |
| private static boolean | matchAllWildcards(String name, String template): returns true if name matches against template. |
| private void | matchDNS(String expectedName, X509Certificate cert): checks if the certificate allows use of the given DNS name. |
| private void | matchDNS(String expectedName, X509Certificate cert, boolean allCN): checks if the certificate allows use of the given DNS name. |
| private static void | matchIP(String expectedIP, X509Certificate cert): checks if the certificate allows use of the given IP address. |
| private static boolean | matchLeftmostWildcard(String name, String template): returns true if name matches against template. |
| private static boolean | matchWildCards(String name, String template): returns true if the name matches against the template, which may contain the wildcard character *. |
| private static byte[] | textToNumericFormatV4(String src): converts an IPv4 address in its textual presentation form into its numeric binary form. |
| private static byte[] | textToNumericFormatV6(String src): converts an IPv6 presentation-level address to network-order binary form. |
Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

private static final int INADDR4SZ
    Number of bytes for an IPv4 address.

private static final int INADDR16SZ
    Number of bytes for an IPv6 address.

private static final int INT16SZ
    Used in IPv6 checking.

public static final byte TYPE_TLS
    Constant for a HostnameChecker for TLS.

private static final HostnameChecker INSTANCE_TLS
    Contains the HostnameChecker for type TLS.

public static final byte TYPE_LDAP
    Constant for a HostnameChecker for LDAP.

private static final HostnameChecker INSTANCE_LDAP
    Contains the HostnameChecker for type LDAP.

private static final int ALTNAME_DNS
    Constant for subject alt names of type DNS.

private static final int ALTNAME_IP
    Constant for subject alt names of type IP.

private final byte checkType
    The algorithm to follow to perform the check.
Constructor Detail

private HostnameChecker(byte checkType)

Constructs a HostnameChecker for type checkType.

Parameters:
    checkType - specifies which type to use, TYPE_TLS or TYPE_LDAP
Method Detail

public static HostnameChecker getInstance(byte checkType)

Returns a HostnameChecker instance of the right type. Note that no new instance is created: the TLS and LDAP checkers are created once and kept in INSTANCE_TLS and INSTANCE_LDAP. checkType should be one of the TYPE_* constants defined in this class.

Parameters:
    checkType - specifies which type to return, TYPE_TLS or TYPE_LDAP

public void match(String expectedName, X509Certificate cert) throws CertificateException

Tries to match the X509Certificate against the given expectedName. If expectedName looks like a literal IP address (see isIpAddress(String)) it is checked against the certificate's IP subject alternative names by matchIP(String,X509Certificate); otherwise it is treated as a DNS name and checked by matchDNS(String,X509Certificate).

Parameters:
    expectedName - String containing the hostname or IP to check
    cert - X509Certificate to check against
Throws:
    CertificateException - if the name does not match any of the names specified in the certificate

private static boolean isIpAddress(String name)

Test whether the given hostname looks like a literal IPv4 or IPv6 address. When it returns true, name need not be a correct IP address; it only means that name does not represent a valid DNS hostname. Likewise, when it returns false, name is not an IP address but need not be a valid hostname either.

Parameters:
    name - String to check
Returns:
    true if name looks like an IP address

private static void matchIP(String expectedIP, X509Certificate cert) throws CertificateException

Check if the certificate allows use of the given IP address, using the subject alternative names of type IP (ALTNAME_IP).

Parameters:
    expectedIP - String containing the IP to check
    cert - X509Certificate
Throws:
    CertificateException - if the certificate is not valid for the given IP address
See Also:
    match(String,X509Certificate), matchDNS(String,X509Certificate)

private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException

Check if the certificate allows use of the given DNS name. Convenience form of matchDNS(String,X509Certificate,boolean).

Parameters:
    expectedName - String containing the DNS name to check
    cert - X509Certificate
Throws:
    CertificateException - if the certificate is not valid for the given DNS name
See Also:
    match(String,X509Certificate), matchDNS(String,X509Certificate,boolean)
private void matchDNS(String expectedName, X509Certificate cert, boolean allCN) throws CertificateException

Check if the certificate allows use of the given DNS name.

Parameters:
    expectedName - String containing the DNS name to check
    cert - X509Certificate
    allCN - boolean whether to check all CNs or just the first one. Only Internet Explorer checks all of them.
Throws:
    CertificateException - if the certificate is not valid for the given DNS name
See Also:
    match(String,X509Certificate), matchDNS(String,X509Certificate)

private static String[] getCNs(X509Certificate cert)

Method to obtain all the CNs from a certificate's subject, roughly adapted from not-yet-commons-ssl (see the class description).

Parameters:
    cert - X509Certificate to use
Returns:
    all CN values found in the subject of cert
private boolean isMatched(String name, String template)

Returns true if name matches against template. Which wildcard rule applies depends on checkType: as in the JDK checker this class is derived from, a TLS checker uses matchAllWildcards(String,String) and an LDAP checker uses matchLeftmostWildcard(String,String).

Parameters:
    name - should represent a DNS name
    template - may contain the wildcard character *
See Also:
    matchAllWildcards(String,String), matchLeftmostWildcard(String,String), matchWildCards(String,String)

private static boolean matchAllWildcards(String name, String template)

Returns true if name matches against template, where template may contain the wildcard character * in any label. name and template are compared label by label with matchWildCards(String,String); a wildcard never spans a dot, so both must have the same number of labels.

Parameters:
    name - should represent a DNS name
    template - may contain the wildcard character *
See Also:
    isMatched(String,String), matchLeftmostWildcard(String,String), matchWildCards(String,String)

private static boolean matchLeftmostWildcard(String name, String template)

Returns true if name matches against template, where the wildcard character * is only honoured in the leftmost label of template (the rule for LDAP server names in RFC 2830); the remaining labels must be identical.

Parameters:
    name - should represent a DNS name
    template - may contain the wildcard character *
See Also:
    isMatched(String,String), matchAllWildcards(String,String), matchWildCards(String,String)

private static boolean matchWildCards(String name, String template)

Returns true if the name matches against the template that may contain the wildcard char *. A wildcard matches any sequence of characters within a single label, including none.

Parameters:
    name - should represent a DNS name
    template - may contain the wildcard character *
See Also:
    isMatched(String,String), matchAllWildcards(String,String), matchLeftmostWildcard(String,String)
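The following is an added example, not code from the nikhef package or the JDK, showing the two parts that matchDNS relies on: where the candidate names come from (the DNS subject alt names plus getCNs) and how isMatched applies the TLS and LDAP wildcard rules to them. The numeric TYPE_* values, the guard against wildcard templates with fewer than three labels, and the decision to consult CNs only when the certificate has no DNS subject alt name are this example's own choices; ALTNAME_DNS = 2 is the GeneralName tag Java returns from getSubjectAlternativeNames().

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example (not the nikhef code): DNS candidate names of a certificate and the TLS/LDAP wildcard rules. */
public class DnsNameMatchExample {
    static final byte TYPE_TLS = 1, TYPE_LDAP = 2;   // assumed values; the page names the constants only
    static final int ALTNAME_DNS = 2;                // GeneralName tag dNSName in getSubjectAlternativeNames()

    /** DNS subject alt names; the subject CN(s) are used only when the certificate carries no DNS SAN. */
    static List<String> candidateNames(X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == ALTNAME_DNS) names.add((String) san.get(1));
            }
        }
        if (names.isEmpty()) names.addAll(getCNs(cert));   // legacy fallback: CN is not a DNS name field
        return names;
    }

    /** All CN values of the subject DN, most specific first, parsed with LdapName rather than by splitting on ",". */
    static List<String> getCNs(X509Certificate cert) throws InvalidNameException {
        List<String> cns = new ArrayList<String>();
        List<Rdn> rdns = new LdapName(cert.getSubjectX500Principal().getName()).getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) {          // index 0 is the root-most RDN
            if ("CN".equalsIgnoreCase(rdns.get(i).getType())) cns.add(rdns.get(i).getValue().toString());
        }
        return cns;
    }

    /** Dispatch as the JDK checker does: TLS allows "*" in any label, LDAP only in the leftmost one. */
    static boolean isMatched(String name, String template, byte checkType) {
        name = name.toLowerCase(Locale.ENGLISH);
        template = template.toLowerCase(Locale.ENGLISH);
        if (template.indexOf('*') >= 0 && template.split("\\.", -1).length < 3) {
            return false;   // added guard, stricter than the JDK rule: "*" and "*.tld" would match any host
        }
        if (checkType == TYPE_TLS) return matchAllWildcards(name, template);
        if (checkType == TYPE_LDAP) return matchLeftmostWildcard(name, template);
        return false;
    }

    /** Label-by-label comparison; "*" never spans a dot, so the label counts must agree. */
    static boolean matchAllWildcards(String name, String template) {
        String[] n = name.split("\\.", -1), t = template.split("\\.", -1);
        if (n.length != t.length) return false;
        for (int i = 0; i < n.length; i++) {
            if (!matchWildCards(n[i], t[i])) return false;
        }
        return true;
    }

    /** Wildcards count in the leftmost label only; the remaining labels must be identical. */
    static boolean matchLeftmostWildcard(String name, String template) {
        int nDot = name.indexOf('.'), tDot = template.indexOf('.');
        if (nDot < 0) nDot = name.length();
        if (tDot < 0) tDot = template.length();
        return matchWildCards(name.substring(0, nDot), template.substring(0, tDot))
                && name.substring(nDot).equals(template.substring(tDot));
    }

    /** Glob match within one label: each "*" absorbs any run of characters, including none. */
    static boolean matchWildCards(String name, String template) {
        int star = template.indexOf('*');
        if (star < 0) return name.equals(template);
        String prefix = template.substring(0, star);
        if (!name.startsWith(prefix)) return false;
        String rest = name.substring(prefix.length()), tail = template.substring(star + 1);
        for (int i = 0; i <= rest.length(); i++) {
            if (matchWildCards(rest.substring(i), tail)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String[][] cases = {                                   // constructed name/template pairs
            { "www.example.org", "*.example.org" },            // TLS yes, LDAP yes
            { "a.b.example.org", "*.example.org" },            // both no: a wildcard never spans a label
            { "WWW.example.org", "w*.example.org" },           // both yes: case-insensitive, "*" inside a label
            { "www.example.org", "www.*.org" },                // TLS yes, LDAP no: wildcard not leftmost
            { "anything.com", "*.com" },                       // both no: refused by the added guard
        };
        for (String[] c : cases) {
            System.out.printf("%-16s vs %-15s TLS=%-5b LDAP=%b%n", c[0], c[1],
                    isMatched(c[0], c[1], TYPE_TLS), isMatched(c[0], c[1], TYPE_LDAP));
        }
    }
}
```

Two details are easy to get wrong in code like this. Lower-casing with an explicit Locale matters: under a Turkish default locale "I".toLowerCase() does not yield "i", and a name check whose outcome depends on the JVM's locale is a bug. And the guard against templates such as *.com is not in RFC 2818, but without it a certificate for *.com is valid for every .com host, which is why modern clients refuse such templates.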
private static byte[] textToNumericFormatV4(String src)

Converts an IPv4 address in its textual presentation form into its numeric binary form.

Parameters:
    src - a String representing an IPv4 address in standard format
Returns:
    the address as a byte[] of INADDR4SZ bytes, or null if src is not a valid IPv4 literal

private static byte[] textToNumericFormatV6(String src)

Converts an IPv6 presentation-level address to network-order binary form.

Parameters:
    src - a String representing an IPv6 address in textual format
Returns:
    the address as a byte[] of INADDR16SZ bytes, or null if src is not a valid IPv6 literal

private static boolean isIPv4LiteralAddress(String src)

Checks whether src is an IPv4 address.

Parameters:
    src - String representing an IPv4 address in textual format
Returns:
    true if src is an IPv4 literal address

private static boolean isIPv6LiteralAddress(String src)

Checks whether src is an IPv6 address.

Parameters:
    src - String representing an IPv6 address in textual format
Returns:
    true if src is an IPv6 literal address

private static byte[] convertFromIPv4MappedAddress(byte[] addr)

Converts an IPv4-mapped address to an IPv4 address.

Parameters:
    addr - byte[] representing an IPv4-mapped address
Returns:
    a byte[] of INADDR4SZ bytes holding the IPv4 address, or null if addr is not an IPv4-mapped address

private static boolean isIPv4MappedAddress(byte[] addr)

Utility routine to check if the InetAddress is an IPv4-mapped IPv6 address.

Parameters:
    addr - byte[] describing the address
Returns:
    boolean: true if the InetAddress is an IPv4-mapped IPv6 address, or false if the address is an IPv4 address
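An added example, not the nikhef or JDK code, of the IP side of the checker: the two literal parsers, isIpAddress, IPv4-mapped folding and matchIP, run against a constructed set of iPAddress subject alt name values. It deliberately avoids java.net.InetAddress.getByName, which resolves anything it cannot parse through DNS and accepts abbreviated forms such as 1.2.3; the parsers here accept only the canonical spellings. ALTNAME_IP = 7 is the GeneralName tag Java returns from getSubjectAlternativeNames(), and the size constants take the values their names on this page imply.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Added example (not the nikhef code): IP literals parsed without DNS, IPv4-mapped folding, binary SAN comparison. */
public class IpMatchExample {
    static final int INADDR4SZ = 4, INADDR16SZ = 16, INT16SZ = 2;
    static final int ALTNAME_IP = 7;   // GeneralName tag iPAddress in getSubjectAlternativeNames()

    /** Strict dotted quad: exactly four decimal octets, no leading zeros, no "1.2.3" or hex shorthand. */
    static byte[] textToNumericFormatV4(String src) {
        String[] p = src.split("\\.", -1);
        if (p.length != INADDR4SZ) return null;
        byte[] addr = new byte[INADDR4SZ];
        for (int i = 0; i < INADDR4SZ; i++) {
            if (p[i].isEmpty() || p[i].length() > 3 || (p[i].length() > 1 && p[i].charAt(0) == '0')) return null;
            int v = 0;
            for (char c : p[i].toCharArray()) {
                if (c < '0' || c > '9') return null;
                v = v * 10 + (c - '0');
            }
            if (v > 255) return null;
            addr[i] = (byte) v;
        }
        return addr;
    }

    /** Colon-separated hextets; a trailing dotted quad (as in ::ffff:10.0.0.1) counts as two hextets. */
    private static int[] hextets(String s) {
        if (s.isEmpty()) return new int[0];
        String[] parts = s.split(":", -1);
        int[] out = new int[parts.length + 1];
        int n = 0;
        for (int i = 0; i < parts.length; i++) {
            if (i == parts.length - 1 && parts[i].indexOf('.') >= 0) {
                byte[] v4 = textToNumericFormatV4(parts[i]);
                if (v4 == null) return null;
                out[n++] = ((v4[0] & 0xff) << 8) | (v4[1] & 0xff);
                out[n++] = ((v4[2] & 0xff) << 8) | (v4[3] & 0xff);
            } else {
                if (parts[i].isEmpty() || parts[i].length() > 4) return null;
                for (char c : parts[i].toCharArray()) if (Character.digit(c, 16) < 0) return null;
                out[n++] = Integer.parseInt(parts[i], 16);
            }
        }
        return Arrays.copyOf(out, n);
    }

    /** 16 bytes in network order, or null; at most one "::", and the bracketed form used in URLs is tolerated. */
    static byte[] textToNumericFormatV6(String src) {
        if (src.startsWith("[") && src.endsWith("]")) src = src.substring(1, src.length() - 1);
        if (src.indexOf(':') < 0) return null;
        int gap = src.indexOf("::");
        int[] head = hextets(gap < 0 ? src : src.substring(0, gap));
        int[] tail = gap < 0 ? new int[0] : hextets(src.substring(gap + 2));
        if (head == null || tail == null) return null;
        int groups = INADDR16SZ / INT16SZ;
        if (gap < 0 ? head.length != groups : (head.length + tail.length >= groups || src.indexOf("::", gap + 1) >= 0)) return null;
        byte[] addr = new byte[INADDR16SZ];
        int pos = 0;
        for (int h : head) { addr[pos++] = (byte) (h >> 8); addr[pos++] = (byte) h; }
        pos = INADDR16SZ - tail.length * INT16SZ;       // "::" expands to the zero bytes in between
        for (int h : tail) { addr[pos++] = (byte) (h >> 8); addr[pos++] = (byte) h; }
        return addr;
    }

    static boolean isIPv4MappedAddress(byte[] a) {
        if (a.length != INADDR16SZ) return false;
        for (int i = 0; i < 10; i++) if (a[i] != 0) return false;
        return a[10] == (byte) 0xff && a[11] == (byte) 0xff;
    }

    /** Binary form, with ::ffff:a.b.c.d folded onto a.b.c.d; null if the string is not an IP literal at all. */
    static byte[] canonicalIp(String s) {
        byte[] a = textToNumericFormatV4(s);
        if (a == null) a = textToNumericFormatV6(s);
        if (a != null && isIPv4MappedAddress(a)) a = Arrays.copyOfRange(a, 12, INADDR16SZ);   // convertFromIPv4MappedAddress
        return a;
    }

    static boolean isIpAddress(String name) { return canonicalIp(name) != null; }

    /** Compare in binary, so spelling variants of one address (case, "::" compression, mapping) all match. */
    static boolean ipMatches(String expectedIP, Collection<String> sanIps) {
        byte[] want = canonicalIp(expectedIP);
        if (want == null) return false;
        for (String san : sanIps) {
            byte[] have = canonicalIp(san);
            if (have != null && Arrays.equals(want, have)) return true;
        }
        return false;
    }

    /** Only iPAddress subject alt names are consulted; an IP written into the subject CN does not count. */
    static void matchIP(String expectedIP, X509Certificate cert) throws CertificateException {
        List<String> ips = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();   // IP entries arrive as strings
        if (sans != null) {
            for (List<?> san : sans) if (((Integer) san.get(0)).intValue() == ALTNAME_IP) ips.add((String) san.get(1));
        }
        if (!ipMatches(expectedIP, ips)) throw new CertificateException("No subject alternative name matching IP " + expectedIP);
    }

    public static void main(String[] args) {
        List<String> sanIps = Arrays.asList("192.0.2.10", "2001:db8::1");   // constructed iPAddress SAN values
        String[] probes = { "192.0.2.10", "::ffff:192.0.2.10", "[2001:0DB8:0:0:0:0:0:1]",
                            "192.0.2.11", "192.0.2", "www.example.org" };
        for (String p : probes) {
            System.out.printf("%-26s isIp=%-5b matches=%b%n", p, isIpAddress(p), ipMatches(p, sanIps));
        }
    }
}
```

The first three probes all match: the plain IPv4 form, its IPv4-mapped IPv6 spelling, and an uncompressed upper-case spelling of the IPv6 entry. A string comparison of SAN values would have rejected the last two, and a lookup through InetAddress.getByName would have turned the last two probes into DNS queries instead of refusing them.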
nl.nikhef.slcshttps - Mischa Sallé, msalle(AT)nikhef.nl