use of javax.net.ssl.SSLPeerUnverifiedException in project XobotOS by xamarin.
Class SSLCertificateSocketFactory, method verifyHostname.
/**
 * Verify the hostname of the certificate used by the other end of a
 * connected socket. You MUST call this if you did not supply a hostname
 * to {@link #createSocket()}. It is harmless to call this method
 * redundantly if the hostname has already been verified.
 *
 * <p>Wildcard certificates are allowed to verify any matching hostname,
 * so "foo.bar.example.com" is verified if the peer has a certificate
 * for "*.example.com".
 *
 * <p>When {@code isSslCheckRelaxed()} returns true, both the handshake
 * and the hostname check are skipped, so the peer's identity is not
 * established by this call.
 *
 * @param socket An SSL socket which has been connected to a server
 * @param hostname The expected hostname of the remote server
 * @throws IOException if something goes wrong handshaking with the server
 * @throws SSLPeerUnverifiedException if the server cannot prove its identity
 * @throws IllegalArgumentException if {@code socket} is not an {@link SSLSocket}
 *
 * @hide
 */
public static void verifyHostname(Socket socket, String hostname) throws IOException {
    if (!(socket instanceof SSLSocket)) {
        throw new IllegalArgumentException("Attempt to verify non-SSL socket");
    }
    if (isSslCheckRelaxed()) {
        // Relaxed mode: identity verification is deliberately skipped.
        return;
    }
    final SSLSocket sslSocket = (SSLSocket) socket;
    // OpenSSLSocketImpl.startHandshake() is idempotent, so repeating the
    // call on an already-handshaken socket is safe.
    sslSocket.startHandshake();
    final SSLSession peerSession = sslSocket.getSession();
    if (peerSession == null) {
        throw new SSLException("Cannot verify SSL socket without session");
    }
    if (!HOSTNAME_VERIFIER.verify(hostname, peerSession)) {
        throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname);
    }
}
use of javax.net.ssl.SSLPeerUnverifiedException in project camel by apache.
Class NettyEndpoint, method enrichWithClientCertInformation.
/**
 * Enriches the message with client certificate details such as subject name, serial number etc.
 * <p/>
 * If the certificate is unverified (the peer did not authenticate) then the headers are not enriched.
 * Only the first certificate of the peer chain is described; issuer certificates further up the
 * chain are not exposed as headers.
 *
 * @param sslSession the SSL session
 * @param message the message to enrich
 */
protected void enrichWithClientCertInformation(SSLSession sslSession, Message message) {
    final X509Certificate[] peerChain;
    try {
        peerChain = sslSession.getPeerCertificateChain();
    } catch (SSLPeerUnverifiedException ignored) {
        // No authenticated peer: best-effort enrichment, leave the message as is.
        return;
    }
    if (peerChain == null || peerChain.length == 0) {
        return;
    }
    final X509Certificate clientCert = peerChain[0];
    final Principal subjectDn = clientCert.getSubjectDN();
    if (subjectDn != null) {
        message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SUBJECT_NAME, subjectDn.getName());
    }
    final Principal issuerDn = clientCert.getIssuerDN();
    if (issuerDn != null) {
        message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_ISSUER_NAME, issuerDn.getName());
    }
    final BigInteger serialNumber = clientCert.getSerialNumber();
    if (serialNumber != null) {
        message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_SERIAL_NO, serialNumber.toString());
    }
    // Validity window is exposed as-is; no expiry check is performed here.
    message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_NOT_BEFORE, clientCert.getNotBefore());
    message.setHeader(NettyConstants.NETTY_SSL_CLIENT_CERT_NOT_AFTER, clientCert.getNotAfter());
}
use of javax.net.ssl.SSLPeerUnverifiedException in project nifi by apache.
Class SSLSocketChannel, method getDn.
/**
 * Returns the trimmed subject DN of the peer's own certificate for this channel's SSL session.
 *
 * @return the subject DN string with surrounding whitespace removed
 * @throws SSLPeerUnverifiedException if the session has no peer certificates
 * @throws CertificateException if the certificate cannot be converted, or if it is expired or
 *         not yet valid at the time of the call
 */
public String getDn() throws CertificateException, SSLPeerUnverifiedException {
    final Certificate[] peerChain = engine.getSession().getPeerCertificates();
    if (peerChain == null || peerChain.length == 0) {
        throw new SSLPeerUnverifiedException("No certificates found");
    }
    final X509Certificate peerCert = CertificateUtils.convertAbstractX509Certificate(peerChain[0]);
    // Only the validity window is re-checked here; chain/trust validation is
    // presumed to have happened during the handshake -- confirm against the engine setup.
    peerCert.checkValidity();
    return peerCert.getSubjectDN().getName().trim();
}
use of javax.net.ssl.SSLPeerUnverifiedException in project nifi by apache.
Class CertificateUtils, method extractPeerDNFromServerSSLSocket.
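/**
 * Returns the DN extracted from the server certificate.
 *
 * <p>A socket that is not an {@link SSLSocket} has no certificate, so {@code null} is returned
 * without further inspection.
 *
 * @param socket the SSL Socket
 * @return the extracted DN, or {@code null} if the socket is not an SSL socket or the session
 *         exposes no peer certificates
 * @throws CertificateException if there is a problem parsing the certificate, or if the server
 *         did not present one (wrapping the {@link SSLPeerUnverifiedException})
 */
private static String extractPeerDNFromServerSSLSocket(Socket socket) throws CertificateException {
    if (!(socket instanceof SSLSocket)) {
        return null;
    }
    final SSLSocket sslSocket = (SSLSocket) socket;
    String dn = null;
    try {
        final Certificate[] certChains = sslSocket.getSession().getPeerCertificates();
        if (certChains != null && certChains.length > 0) {
            final X509Certificate x509Certificate = convertAbstractX509Certificate(certChains[0]);
            dn = x509Certificate.getSubjectDN().getName().trim();
            logger.debug("Extracted DN={} from server certificate", dn);
        }
    } catch (SSLPeerUnverifiedException e) {
        // Constant-first comparison: e.getMessage() may be null, and an NPE here would
        // replace the real failure with an unrelated one.
        if (PEER_NOT_AUTHENTICATED_MSG.equals(e.getMessage())) {
            logger.error("The server did not present a certificate and thus the DN cannot"
                    + " be extracted. Check that the other endpoint is providing a complete certificate chain");
        }
        throw new CertificateException(e);
    }
    return dn;
}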
use of javax.net.ssl.SSLPeerUnverifiedException in project nifi by apache.
Class CertificateUtils, method extractPeerDNFromClientSSLSocket.
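/**
 * Returns the DN extracted from the client certificate.
 *
 * <p>The client auth setting of the socket decides what a missing certificate means:
 * <ul>
 *   <li>NONE: the session is not inspected at all and {@code null} is returned.</li>
 *   <li>WANT: a missing certificate is tolerated and {@code null} is returned.</li>
 *   <li>NEED: a missing certificate results in a {@link CertificateException}.</li>
 * </ul>
 *
 * @param sslSocket the SSL Socket
 * @return the extracted DN, or {@code null} as described above
 * @throws CertificateException if there is a problem parsing the certificate, or if client auth
 *         is NEED and the client did not present one
 */
private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) throws CertificateException {
    String dn = null;
    // The clientAuth value can be "need", "want", or "none".
    // A client must send client certificates for need, should for want, and will not for none.
    // This method throws if none are provided for need, returns null if none are provided
    // for want, and returns null (without checking) for none.
    final ClientAuth clientAuth = getClientAuthStatus(sslSocket);
    logger.debug("SSL Socket client auth status: {}", clientAuth);
    if (clientAuth == ClientAuth.NONE) {
        return dn;
    }
    try {
        final Certificate[] certChains = sslSocket.getSession().getPeerCertificates();
        if (certChains != null && certChains.length > 0) {
            final X509Certificate x509Certificate = convertAbstractX509Certificate(certChains[0]);
            dn = x509Certificate.getSubjectDN().getName().trim();
            logger.debug("Extracted DN={} from client certificate", dn);
        }
    } catch (SSLPeerUnverifiedException e) {
        // Constant-first comparison: e.getMessage() may be null, and an NPE here would
        // replace the real failure with an unrelated one.
        if (PEER_NOT_AUTHENTICATED_MSG.equals(e.getMessage())) {
            logger.error("The incoming request did not contain client certificates and thus the DN cannot"
                    + " be extracted. Check that the other endpoint is providing a complete client certificate chain");
        }
        if (clientAuth == ClientAuth.WANT) {
            // Note: every SSLPeerUnverifiedException is suppressed under WANT, not only the
            // missing-certificate case; dn is still null at this point.
            logger.warn("Suppressing missing client certificate exception because client auth is set to 'want'");
            return dn;
        }
        throw new CertificateException(e);
    }
    return dn;
}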