Example 1 with DNSName
use of sun.security.x509.DNSName in project OpenAttestation by OpenAttestation.
the class X509Builder method dnsAlternativeName.
public X509Builder dnsAlternativeName(String dns) {
try {
v3();
String alternativeName = dns;
if (dns.startsWith("dns:")) {
alternativeName = dns.substring(4);
}
DNSName dnsName = new DNSName(alternativeName);
if (alternativeNames == null) {
alternativeNames = new GeneralNames();
}
alternativeNames.add(new GeneralName(dnsName));
SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(san.getExtensionId().toString(), san);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "dnsAlternativeName(%s)", dns);
}
return this;
}
Also used :
GeneralNames(sun.security.x509.GeneralNames)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
CertificateExtensions(sun.security.x509.CertificateExtensions)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 2 with DNSName
use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.
the class HostnameChecker method matchDNS.
/**
* Check if the certificate allows use of the given DNS name.
*
* From RFC2818:
* If a subjectAltName extension of type dNSName is present, that MUST
* be used as the identity. Otherwise, the (most specific) Common Name
* field in the Subject field of the certificate MUST be used. Although
* the use of the Common Name is existing practice, it is deprecated and
* Certification Authorities are encouraged to use the dNSName instead.
*
* Matching is performed using the matching rules specified by
* [RFC2459]. If more than one identity of a given type is present in
* the certificate (e.g., more than one dNSName name, a match in any one
* of the set is considered acceptable.)
*/
private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames != null) {
boolean foundDNS = false;
for (List<?> next : subjAltNames) {
if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
foundDNS = true;
String dnsName = (String) next.get(1);
if (isMatched(expectedName, dnsName)) {
return;
}
}
}
if (foundDNS) {
// but none match, reject
throw new CertificateException("No subject alternative DNS " + "name matching " + expectedName + " found.");
}
}
X500Name subjectName = getSubjectX500Name(cert);
DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
if (derValue != null) {
try {
if (isMatched(expectedName, derValue.getAsString())) {
return;
}
} catch (IOException e) {
// ignore
}
}
String msg = "No name matching " + expectedName + " found";
throw new CertificateException(msg);
}
Also used :
X500Name(sun.security.x509.X500Name)
IOException(java.io.IOException)
Example 3 with DNSName
use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.
the class VerifierWrapper method getServername.
/*
* Extract the name of the SSL server from the certificate.
*
* Note this code is essentially a subset of the hostname extraction
* code in HostnameChecker.
*/
private static String getServername(X509Certificate peerCert) {
try {
// compare to subjectAltNames if dnsName is present
Collection<List<?>> subjAltNames = peerCert.getSubjectAlternativeNames();
if (subjAltNames != null) {
for (Iterator<List<?>> itr = subjAltNames.iterator(); itr.hasNext(); ) {
List<?> next = itr.next();
if (((Integer) next.get(0)).intValue() == 2) {
// compare dNSName with host in url
String dnsName = ((String) next.get(1));
return dnsName;
}
}
}
// else check against common name in the subject field
X500Name subject = HostnameChecker.getSubjectX500Name(peerCert);
DerValue derValue = subject.findMostSpecificAttribute(X500Name.commonName_oid);
if (derValue != null) {
try {
String name = derValue.getAsString();
return name;
} catch (IOException e) {
// ignore
}
}
} catch (java.security.cert.CertificateException e) {
// ignore
}
return null;
}
Also used :
DerValue(sun.security.util.DerValue)
List(java.util.List)
java.security.cert(java.security.cert)
X500Name(sun.security.x509.X500Name)
IOException(java.io.IOException)
Example 4 with DNSName
use of sun.security.x509.DNSName in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubjectAltName.
/*
* Tests matching on the subject alternative name extension contained in the
* certificate.
*/
private void testSubjectAltName() throws IOException {
System.out.println("X.509 Certificate Match on subjectAltName");
// bad match
X509CertSelector selector = new X509CertSelector();
GeneralNameInterface dnsName = new DNSName("foo.com");
DerOutputStream tmp = new DerOutputStream();
dnsName.encode(tmp);
selector.addSubjectAlternativeName(2, tmp.toByteArray());
checkMatch(selector, cert, false);
// good match
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
byte[] encoded = in.getOctetString();
SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName name = (GeneralName) names.get(0);
selector.setSubjectAlternativeNames(null);
DerOutputStream tmp2 = new DerOutputStream();
name.getName().encode(tmp2);
selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
checkMatch(selector, cert, true);
// good match 2 (matches at least one)
selector.setMatchAllSubjectAltNames(false);
selector.addSubjectAlternativeName(2, "foo.com");
checkMatch(selector, cert, true);
}
Also used :
GeneralNameInterface(sun.security.x509.GeneralNameInterface)
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertSelector(java.security.cert.X509CertSelector)
DerInputStream(sun.security.util.DerInputStream)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 5 with DNSName
use of sun.security.x509.DNSName in project Bytecoder by mirkosertic.
the class HostnameChecker method matchDNS.
/**
* Check if the certificate allows use of the given DNS name.
*
* From RFC2818:
* If a subjectAltName extension of type dNSName is present, that MUST
* be used as the identity. Otherwise, the (most specific) Common Name
* field in the Subject field of the certificate MUST be used. Although
* the use of the Common Name is existing practice, it is deprecated and
* Certification Authorities are encouraged to use the dNSName instead.
*
* Matching is performed using the matching rules specified by
* [RFC5280]. If more than one identity of a given type is present in
* the certificate (e.g., more than one dNSName name, a match in any one
* of the set is considered acceptable.)
*/
private void matchDNS(String expectedName, X509Certificate cert, boolean chainsToPublicCA) throws CertificateException {
// Check that the expected name is a valid domain name.
try {
// Using the checking implemented in SNIHostName
SNIHostName sni = new SNIHostName(expectedName);
} catch (IllegalArgumentException iae) {
throw new CertificateException("Illegal given domain name: " + expectedName, iae);
}
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames != null) {
boolean foundDNS = false;
for (List<?> next : subjAltNames) {
if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
foundDNS = true;
String dnsName = (String) next.get(1);
if (isMatched(expectedName, dnsName, chainsToPublicCA)) {
return;
}
}
}
if (foundDNS) {
// but none match, reject
throw new CertificateException("No subject alternative DNS " + "name matching " + expectedName + " found.");
}
}
X500Name subjectName = getSubjectX500Name(cert);
DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
if (derValue != null) {
try {
if (isMatched(expectedName, derValue.getAsString(), chainsToPublicCA)) {
return;
}
} catch (IOException e) {
// ignore
}
}
String msg = "No name matching " + expectedName + " found";
throw new CertificateException(msg);
}
Also used :
SNIHostName(javax.net.ssl.SNIHostName)
X500Name(sun.security.x509.X500Name)
IOException(java.io.IOException)
Aggregations
IOException (java.io.IOException)4
X500Name (sun.security.x509.X500Name)4
DerValue (sun.security.util.DerValue)3
DNSName (sun.security.x509.DNSName)3
GeneralName (sun.security.x509.GeneralName)3
GeneralNames (sun.security.x509.GeneralNames)3
java.security.cert (java.security.cert)2
List (java.util.List)2
DerOutputStream (sun.security.util.DerOutputStream)2
SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)2
X509CertSelector (java.security.cert.X509CertSelector)1
SNIHostName (javax.net.ssl.SNIHostName)1
BitArray (sun.security.util.BitArray)1
DerInputStream (sun.security.util.DerInputStream)1
CertificateExtensions (sun.security.x509.CertificateExtensions)1
DistributionPoint (sun.security.x509.DistributionPoint)1
GeneralNameInterface (sun.security.x509.GeneralNameInterface)1
KeyUsageExtension (sun.security.x509.KeyUsageExtension)1
NetscapeCertTypeExtension (sun.security.x509.NetscapeCertTypeExtension)1
ReasonFlags (sun.security.x509.ReasonFlags)1
