Use of sun.security.util.HostnameChecker in project zm-mailbox by Zimbra:
the class CustomHostnameVerifier, method verifyHostname.
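/**
 * Verifies that the peer certificate of {@code session} matches {@code hostname}.
 *
 * <p>The check is skipped entirely when {@code NetConfig} allows mismatched
 * certificates. Otherwise the hostname is resolved via DNS as a sanity check,
 * the peer certificate chain is fetched from the session, a certificate the
 * custom trust manager already accepts for this hostname short-circuits the
 * check, and finally the JDK's TLS hostname matcher is consulted. A name
 * mismatch is reported to the trust manager, whose result becomes the
 * exception message.
 *
 * @param hostname the hostname the client intended to connect to
 * @param session the established SSL session for that connection
 * @throws UnknownHostException if {@code hostname} does not resolve
 * @throws SSLPeerUnverifiedException if no hostname was supplied, the peer
 *     sent no (X.509) certificate, or its certificate does not match
 *     {@code hostname}
 * @throws IOException for other errors raised by the session
 */
public static void verifyHostname(String hostname, SSLSession session) throws IOException {
    // Configuration switch that disables hostname verification altogether.
    if (NetConfig.getInstance().isAllowMismatchedCerts())
        return;
    // A missing hostname can never be matched; fail closed here rather than
    // letting InetAddress.getByName(null) (which yields loopback) pass the
    // resolution check and reach the name matcher.
    if (hostname == null || hostname.isEmpty())
        throw new SSLPeerUnverifiedException("No hostname supplied for SSL hostname verification");
    try {
        InetAddress.getByName(hostname);
    } catch (UnknownHostException uhe) {
        UnknownHostException wrapped = new UnknownHostException(
                "Could not resolve SSL sessions server hostname: " + hostname);
        wrapped.initCause(uhe);  // keep the resolver's failure for diagnostics
        throw wrapped;
    }
    // getPeerCertificates() replaces the deprecated getPeerCertificateChain()
    // (javax.security.cert), so no javax->java certificate conversion is needed.
    // It throws SSLPeerUnverifiedException itself for an unauthenticated peer.
    java.security.cert.Certificate[] certs = session.getPeerCertificates();
    if (certs == null || certs.length == 0)
        throw new SSLPeerUnverifiedException("No server certificates found: " + hostname);
    if (!(certs[0] instanceof X509Certificate))
        throw new SSLPeerUnverifiedException("Server certificate is not an X.509 certificate: " + hostname);
    X509Certificate cert = (X509Certificate) certs[0];
    CustomTrustManager ctm = TrustManagers.customTrustManager();
    // A certificate explicitly accepted for this hostname bypasses the name match.
    if (ctm.isCertificateAcceptedForHostname(hostname, cert))
        return;
    HostnameChecker hc = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
    try {
        hc.match(hostname, cert);
    } catch (CertificateException x) {
        // Let the trust manager handle the mismatch; its return value is the
        // message reported to the caller. The matcher's exception is kept as cause.
        String certInfo = ctm.handleCertificateCheckFailure(hostname, cert, true);
        SSLPeerUnverifiedException failure = new SSLPeerUnverifiedException(certInfo);
        failure.initCause(x);
        throw failure;
    }
}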
Use of sun.security.util.HostnameChecker in project jdk8u_jdk by JetBrains:
the class HttpsClient, method checkURLSpoofing.
/**
 * Server identity checking per RFC 2818 (HTTP over TLS), section 3.1.
 *
 * <p>The JDK hostname checker is applied first: to the peer's Kerberos
 * principal for {@code TLS_KRB5} cipher suites, otherwise to the first X.509
 * certificate of the peer chain. When that check cannot be completed (the
 * peer is unauthenticated) or fails, the connection is still accepted if an
 * anonymous cipher suite (name containing {@code _anon_}) was negotiated or
 * if the supplied {@link HostnameVerifier} vouches for the host. Otherwise
 * the socket is closed, the session invalidated and an exception thrown.
 *
 * @param hostnameVerifier application callback consulted as a last resort;
 *     may be {@code null}
 * @throws IOException if the peer's identity does not match the URL host
 */
private void checkURLSpoofing(HostnameVerifier hostnameVerifier) throws IOException {
    String expectedHost = url.getHost();
    // IPv6 literals arrive bracketed in the URL; the checker expects the bare address.
    if (expectedHost != null && expectedHost.startsWith("[") && expectedHost.endsWith("]")) {
        expectedHost = expectedHost.substring(1, expectedHost.length() - 1);
    }
    String cipherSuite = session.getCipherSuite();
    boolean standardCheckPassed = false;
    try {
        HostnameChecker checker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
        if (cipherSuite.startsWith("TLS_KRB5")) {
            // Kerberos: the peer identity is a principal, not a certificate.
            if (!HostnameChecker.match(expectedHost, getPeerPrincipal())) {
                throw new SSLPeerUnverifiedException("Hostname checker failed for Kerberos");
            }
        } else {
            // X.509: match against the peer's end-entity certificate.
            Certificate[] peerCerts = session.getPeerCertificates();
            if (!(peerCerts[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("");
            }
            checker.match(expectedHost, (X509Certificate) peerCerts[0]);
        }
        standardCheckPassed = true;
    } catch (SSLPeerUnverifiedException | java.security.cert.CertificateException e) {
        // The peer is unauthenticated (the client may have enabled anonymous
        // cipher suites) or its certificate does not name this host; the
        // fallback policy below decides.
    }
    if (standardCheckPassed) {
        return;
    }
    boolean anonymousSuite = (cipherSuite != null) && (cipherSuite.indexOf("_anon_") != -1);
    if (anonymousSuite) {
        return;
    }
    if ((hostnameVerifier != null) && hostnameVerifier.verify(expectedHost, session)) {
        return;
    }
    serverSocket.close();
    session.invalidate();
    throw new IOException("HTTPS hostname wrong: should be <" + url.getHost() + ">");
}
Use of sun.security.util.HostnameChecker in project jdk8u_jdk by JetBrains:
the class StartTlsResponseImpl, method verify.
/**
 * Verifies that the hostname in the server's certificate matches the
 * hostname of the server, using the LDAP profile of the JDK hostname checker.
 *
 * <p>For {@code TLS_KRB5} cipher suites the peer's Kerberos principal is
 * matched instead of a certificate. Otherwise the server's first certificate
 * is examined: a dNSName subjectAltName is used as the server's hostname when
 * present (its left-most name part may be a wildcard), else the common name
 * attribute of the subject name. An unauthenticated peer is tolerated only
 * when an anonymous cipher suite ({@code _anon_}) is in use, since there is
 * no identity to check in that case.
 *
 * @param hostname the hostname of the server; a bracketed IPv6 literal is unwrapped
 * @param session the SSLSession used on the connection to host
 * @return {@code true} if the hostname is verified
 * @throws SSLPeerUnverifiedException if the peer is unauthenticated on a
 *     non-anonymous suite, its principal or certificate does not name
 *     {@code hostname}, or the peer sent a non-X.509 certificate
 */
private boolean verify(String hostname, SSLSession session) throws SSLPeerUnverifiedException {
    String expectedHost = hostname;
    boolean bracketed = expectedHost != null && expectedHost.startsWith("[") && expectedHost.endsWith("]");
    if (bracketed) {
        expectedHost = expectedHost.substring(1, expectedHost.length() - 1);
    }
    try {
        HostnameChecker checker = HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP);
        // The cipher suite name tells whether Kerberos authenticated the peer.
        boolean kerberos = session.getCipherSuite().startsWith("TLS_KRB5");
        if (kerberos) {
            Principal principal = getPeerPrincipal(session);
            if (!HostnameChecker.match(expectedHost, principal)) {
                throw new SSLPeerUnverifiedException("hostname of the kerberos principal:" + principal + " does not match the hostname:" + expectedHost);
            }
        } else {
            // X.509: match against the peer's end-entity certificate.
            java.security.cert.Certificate[] chain = session.getPeerCertificates();
            if (!(chain[0] instanceof java.security.cert.X509Certificate)) {
                throw new SSLPeerUnverifiedException("Received a non X509Certificate from the server");
            }
            checker.match(expectedHost, (java.security.cert.X509Certificate) chain[0]);
        }
        // Reaching here without an exception means the check passed.
        return true;
    } catch (SSLPeerUnverifiedException e) {
        // Hostname verification is not performed for anonymous cipher suites
        // the application may have enabled; otherwise propagate the failure.
        String cipher = session.getCipherSuite();
        boolean anonymousSuite = cipher != null && cipher.indexOf("_anon_") != -1;
        if (anonymousSuite) {
            return true;
        }
        throw e;
    } catch (CertificateException e) {
        // Report the mismatch, keeping the checker's exception as the cause.
        SSLPeerUnverifiedException mismatch = new SSLPeerUnverifiedException("hostname of the server '" + expectedHost + "' does not match the hostname in the " + "server's certificate.");
        mismatch.initCause(e);
        throw mismatch;
    }
}