Class DefaultHostnameVerifier

java.lang.Object
org.ldaptive.ssl.DefaultHostnameVerifier
All Implemented Interfaces:
HostnameVerifier, CertificateHostnameVerifier

public class DefaultHostnameVerifier extends Object implements HostnameVerifier, CertificateHostnameVerifier
Hostname verifier that provides an implementation similar to what occurs with JNDI startTLS. Verification occurs in the following order:
  • if hostname is IP, then cert must have exact match IP subjAltName
  • hostname must match any DNS subjAltName if any exist
  • hostname must match the first CN
  • if cert begins with a wildcard, domains are used for matching
  • Field Details

    • logger

      protected final org.slf4j.Logger logger
      Logger for this class.
    • verifier

      private final HostnameVerifier verifier
      Hostname verifier delegate.
  • Constructor Details

    • DefaultHostnameVerifier

      public DefaultHostnameVerifier()
  • Method Details

    • verify

      public boolean verify(String hostname, SSLSession session)
      Specified by:
      verify in interface HostnameVerifier
    • verify

      public boolean verify(String hostname, X509Certificate cert)
      Verify if the hostname is an IP address using LdapUtils.isIPAddress(String). Delegates to verifyIP(String, X509Certificate) and verifyDNS(String, X509Certificate) accordingly.
      Specified by:
      verify in interface CertificateHostnameVerifier
      Parameters:
      hostname - to verify
      cert - to verify hostname against
      Returns:
      whether hostname is valid for the supplied certificate
    • verifyIP

      protected boolean verifyIP(String ip, X509Certificate cert)
      Verify the certificate allows use of the supplied IP address.

      From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

      Parameters:
      ip - address to match in the certificate
      cert - to inspect for the IP address
      Returns:
      whether the ip matched a subject alt name
    • verifyDNS

      protected boolean verifyDNS(String hostname, X509Certificate cert)
      Verify the certificate allows use of the supplied DNS name. Note that only the first CN is used.

      From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

      Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

      Parameters:
      hostname - to match in the certificate
      cert - to inspect for the hostname
      Returns:
      whether the hostname matched a subject alt name or CN
    • getSubjectAltNames

      private String[] getSubjectAltNames(X509Certificate cert, DefaultHostnameVerifier.SubjectAltNameType type)
      Returns the subject alternative names matching the supplied name type from the supplied certificate.
      Parameters:
      cert - to get subject alt names from
      type - subject alt name type
      Returns:
      subject alt names
    • getCNs

      private String[] getCNs(X509Certificate cert)
      Returns the CNs from the supplied certificate.
      Parameters:
      cert - to get CNs from
      Returns:
      CNs
    • isMatch

      private boolean isMatch(String hostname, String certName)
      Determines if the supplied hostname matches a name derived from the certificate. If the certificate name starts with '*', the domain components after the first '.' in each name are compared.
      Parameters:
      hostname - to match
      certName - to match
      Returns:
      whether the hostname matched the cert name