Package org.ldaptive.ssl

Class DefaultHostnameVerifier

  • All Implemented Interfaces:
    HostnameVerifier, CertificateHostnameVerifier
    public class DefaultHostnameVerifier
extends Object
implements HostnameVerifier, CertificateHostnameVerifier
    Hostname verifier that provides an implementation similar to what occurs with JNDI startTLS. Verification occurs in the following order:
    • if hostname is IP, then cert must have exact match IP subjAltName
    • hostname must match any DNS subjAltName if any exist
    • hostname must match the first CN
    • if cert begins with a wildcard, domains are used for matching

    • Field Detail

      • logger

        protected final Logger logger
        Logger for this class.

    • Constructor Detail

      • DefaultHostnameVerifier

        public DefaultHostnameVerifier()

    • Method Detail

      • verifyIP

        protected boolean verifyIP​(String ip,
                           X509Certificate cert)
        Verify the certificate allows use of the supplied IP address.

        From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

        Parameters:
        ip - address to match in the certificate
        cert - to inspect for the IP address
        Returns:
        whether the ip matched a subject alt name

      • verifyDNS

        protected boolean verifyDNS​(String hostname,
                            X509Certificate cert)
        Verify the certificate allows use of the supplied DNS name. Note that only the first CN is used.

        From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

        Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

        Parameters:
        hostname - to match in the certificate
        cert - to inspect for the hostname
        Returns:
        whether the hostname matched a subject alt name or CN

      • getSubjectAltNames

        private String[] getSubjectAltNames​(X509Certificate cert,
                                    DefaultHostnameVerifier.SubjectAltNameType type)
        Returns the subject alternative names matching the supplied name type from the supplied certificate.
        Parameters:
        cert - to get subject alt names from
        type - subject alt name type
        Returns:
        subject alt names

      • getCNs

        private String[] getCNs​(X509Certificate cert)
        Returns the CNs from the supplied certificate.
        Parameters:
        cert - to get CNs from
        Returns:
        CNs

      • isMatch

        private boolean isMatch​(String hostname,
                        String certName)
        Determines if the supplied hostname matches a name derived from the certificate. If the certificate name starts with '*', the domain components after the first '.' in each name are compared.
        Parameters:
        hostname - to match
        certName - to match
        Returns:
        whether the hostname matched the cert name