Search in sources :

Example 1 with DNSName

use of sun.security.x509.DNSName in project OpenAttestation by OpenAttestation.

the class X509Builder method dnsAlternativeName.

public X509Builder dnsAlternativeName(String dns) {
    try {
        v3();
        String alternativeName = dns;
        if (dns.startsWith("dns:")) {
            alternativeName = dns.substring(4);
        }
        DNSName dnsName = new DNSName(alternativeName);
        if (alternativeNames == null) {
            alternativeNames = new GeneralNames();
        }
        alternativeNames.add(new GeneralName(dnsName));
        SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        certificateExtensions.set(san.getExtensionId().toString(), san);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "dnsAlternativeName(%s)", dns);
    }
    return this;
}
Also used : GeneralNames(sun.security.x509.GeneralNames) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) CertificateExtensions(sun.security.x509.CertificateExtensions) GeneralName(sun.security.x509.GeneralName) DNSName(sun.security.x509.DNSName)

Example 2 with DNSName

use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.

the class HostnameChecker method matchDNS.

/**
     * Check if the certificate allows use of the given DNS name.
     *
     * From RFC2818:
     * If a subjectAltName extension of type dNSName is present, that MUST
     * be used as the identity. Otherwise, the (most specific) Common Name
     * field in the Subject field of the certificate MUST be used. Although
     * the use of the Common Name is existing practice, it is deprecated and
     * Certification Authorities are encouraged to use the dNSName instead.
     *
     * Matching is performed using the matching rules specified by
     * [RFC2459].  If more than one identity of a given type is present in
     * the certificate (e.g., more than one dNSName name, a match in any one
     * of the set is considered acceptable.)
     */
private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
    Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
    if (subjAltNames != null) {
        boolean foundDNS = false;
        for (List<?> next : subjAltNames) {
            if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
                foundDNS = true;
                String dnsName = (String) next.get(1);
                if (isMatched(expectedName, dnsName)) {
                    return;
                }
            }
        }
        if (foundDNS) {
            // but none match, reject
            throw new CertificateException("No subject alternative DNS " + "name matching " + expectedName + " found.");
        }
    }
    X500Name subjectName = getSubjectX500Name(cert);
    DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
    if (derValue != null) {
        try {
            if (isMatched(expectedName, derValue.getAsString())) {
                return;
            }
        } catch (IOException e) {
        // ignore
        }
    }
    String msg = "No name matching " + expectedName + " found";
    throw new CertificateException(msg);
}
Also used : X500Name(sun.security.x509.X500Name) IOException(java.io.IOException)

Example 3 with DNSName

use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.

the class VerifierWrapper method getServername.

/*
     * Extract the name of the SSL server from the certificate.
     *
     * Note this code is essentially a subset of the hostname extraction
     * code in HostnameChecker.
     */
private static String getServername(X509Certificate peerCert) {
    try {
        // compare to subjectAltNames if dnsName is present
        Collection<List<?>> subjAltNames = peerCert.getSubjectAlternativeNames();
        if (subjAltNames != null) {
            for (Iterator<List<?>> itr = subjAltNames.iterator(); itr.hasNext(); ) {
                List<?> next = itr.next();
                if (((Integer) next.get(0)).intValue() == 2) {
                    // compare dNSName with host in url
                    String dnsName = ((String) next.get(1));
                    return dnsName;
                }
            }
        }
        // else check against common name in the subject field
        X500Name subject = HostnameChecker.getSubjectX500Name(peerCert);
        DerValue derValue = subject.findMostSpecificAttribute(X500Name.commonName_oid);
        if (derValue != null) {
            try {
                String name = derValue.getAsString();
                return name;
            } catch (IOException e) {
            // ignore
            }
        }
    } catch (java.security.cert.CertificateException e) {
    // ignore
    }
    return null;
}
Also used : DerValue(sun.security.util.DerValue) List(java.util.List) java.security.cert(java.security.cert) X500Name(sun.security.x509.X500Name) IOException(java.io.IOException)

Example 4 with DNSName

use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testSubjectAltName.

/*
     * Tests matching on the subject alternative name extension contained in the
     * certificate.
     */
private void testSubjectAltName() throws IOException {
    System.out.println("X.509 Certificate Match on subjectAltName");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    GeneralNameInterface dnsName = new DNSName("foo.com");
    DerOutputStream tmp = new DerOutputStream();
    dnsName.encode(tmp);
    selector.addSubjectAlternativeName(2, tmp.toByteArray());
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
    byte[] encoded = in.getOctetString();
    SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
    GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
    GeneralName name = (GeneralName) names.get(0);
    selector.setSubjectAlternativeNames(null);
    DerOutputStream tmp2 = new DerOutputStream();
    name.getName().encode(tmp2);
    selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
    checkMatch(selector, cert, true);
    // good match 2 (matches at least one)
    selector.setMatchAllSubjectAltNames(false);
    selector.addSubjectAlternativeName(2, "foo.com");
    checkMatch(selector, cert, true);
}
Also used : GeneralNameInterface(sun.security.x509.GeneralNameInterface) GeneralNames(sun.security.x509.GeneralNames) DerOutputStream(sun.security.util.DerOutputStream) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) X509CertSelector(java.security.cert.X509CertSelector) DerInputStream(sun.security.util.DerInputStream) GeneralName(sun.security.x509.GeneralName) DNSName(sun.security.x509.DNSName)

Example 5 with DNSName

use of sun.security.x509.DNSName in project Bytecoder by mirkosertic.

the class HostnameChecker method matchDNS.

/**
 * Check if the certificate allows use of the given DNS name.
 *
 * From RFC2818:
 * If a subjectAltName extension of type dNSName is present, that MUST
 * be used as the identity. Otherwise, the (most specific) Common Name
 * field in the Subject field of the certificate MUST be used. Although
 * the use of the Common Name is existing practice, it is deprecated and
 * Certification Authorities are encouraged to use the dNSName instead.
 *
 * Matching is performed using the matching rules specified by
 * [RFC5280].  If more than one identity of a given type is present in
 * the certificate (e.g., more than one dNSName name, a match in any one
 * of the set is considered acceptable.)
 */
private void matchDNS(String expectedName, X509Certificate cert, boolean chainsToPublicCA) throws CertificateException {
    // Check that the expected name is a valid domain name.
    try {
        // Using the checking implemented in SNIHostName
        SNIHostName sni = new SNIHostName(expectedName);
    } catch (IllegalArgumentException iae) {
        throw new CertificateException("Illegal given domain name: " + expectedName, iae);
    }
    Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
    if (subjAltNames != null) {
        boolean foundDNS = false;
        for (List<?> next : subjAltNames) {
            if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
                foundDNS = true;
                String dnsName = (String) next.get(1);
                if (isMatched(expectedName, dnsName, chainsToPublicCA)) {
                    return;
                }
            }
        }
        if (foundDNS) {
            // but none match, reject
            throw new CertificateException("No subject alternative DNS " + "name matching " + expectedName + " found.");
        }
    }
    X500Name subjectName = getSubjectX500Name(cert);
    DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
    if (derValue != null) {
        try {
            if (isMatched(expectedName, derValue.getAsString(), chainsToPublicCA)) {
                return;
            }
        } catch (IOException e) {
        // ignore
        }
    }
    String msg = "No name matching " + expectedName + " found";
    throw new CertificateException(msg);
}
Also used : SNIHostName(javax.net.ssl.SNIHostName) X500Name(sun.security.x509.X500Name) IOException(java.io.IOException)

Aggregations

IOException (java.io.IOException)4 X500Name (sun.security.x509.X500Name)4 DerValue (sun.security.util.DerValue)3 DNSName (sun.security.x509.DNSName)3 GeneralName (sun.security.x509.GeneralName)3 GeneralNames (sun.security.x509.GeneralNames)3 java.security.cert (java.security.cert)2 List (java.util.List)2 DerOutputStream (sun.security.util.DerOutputStream)2 SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)2 X509CertSelector (java.security.cert.X509CertSelector)1 SNIHostName (javax.net.ssl.SNIHostName)1 BitArray (sun.security.util.BitArray)1 DerInputStream (sun.security.util.DerInputStream)1 CertificateExtensions (sun.security.x509.CertificateExtensions)1 DistributionPoint (sun.security.x509.DistributionPoint)1 GeneralNameInterface (sun.security.x509.GeneralNameInterface)1 KeyUsageExtension (sun.security.x509.KeyUsageExtension)1 NetscapeCertTypeExtension (sun.security.x509.NetscapeCertTypeExtension)1 ReasonFlags (sun.security.x509.ReasonFlags)1