Java Code Examples for java.security.cert.X509Certificate#getSubjectAlternativeNames()

Example 1
Source File: X509Utils.java    From bcm-android with GNU General Public License v3.0
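/**
 * Returns either a string that "sums up" the certificate for humans, in a similar manner to what you might see
 * in a web browser, or null if one cannot be extracted. This will typically be the common name (CN) field, but
 * can also be the org (O) field, org+location+country if withLocation is set, or the email
 * address for S/MIME certificates.
 * <p>
 * Precedence is O (with L and C appended when {@code withLocation} is set), then CN, then the last
 * rfc822Name entry of the subjectAltName extension. Only the first attribute of each RDN is inspected,
 * and RDN values that are not ASN.1 strings are skipped instead of failing with a ClassCastException.
 * The result is attacker-chosen certificate content meant for display only; it carries no assurance
 * by itself and should not be used to make trust decisions.
 *
 * @param certificate  the certificate to describe
 * @param withLocation whether to append the location (L) and country (C) fields after the organisation
 * @return a human readable name, or null if none of the inspected fields is present
 * @throws CertificateParsingException if the subjectAltName extension cannot be parsed
 */
@Nullable
public static String getDisplayNameFromCertificate(@Nonnull X509Certificate certificate, boolean withLocation) throws CertificateParsingException {
    X500Name name = new X500Name(certificate.getSubjectX500Principal().getName());
    String commonName = null, org = null, location = null, country = null;
    for (RDN rdn : name.getRDNs()) {
        AttributeTypeAndValue pair = rdn.getFirst();
        // Values that are not ASN.1 strings (e.g. DER-encoded structures) cannot be displayed; skip
        // them rather than letting the cast below throw.
        if (!(pair.getValue() instanceof ASN1String))
            continue;
        String val = ((ASN1String) pair.getValue()).getString();
        ASN1ObjectIdentifier type = pair.getType();
        if (type.equals(RFC4519Style.cn))
            commonName = val;
        else if (type.equals(RFC4519Style.o))
            org = val;
        else if (type.equals(RFC4519Style.l))
            location = val;
        else if (type.equals(RFC4519Style.c))
            country = val;
    }
    final Collection<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
    String altName = null;
    if (subjectAlternativeNames != null) {
        for (final List<?> subjectAlternativeName : subjectAlternativeNames) {
            // Each entry is a [type, value] pair; type 1 is rfc822Name, whose value is a String.
            // Malformed pairs and non-String values are ignored.
            if (subjectAlternativeName.size() >= 2
                    && Integer.valueOf(1).equals(subjectAlternativeName.get(0))
                    && subjectAlternativeName.get(1) instanceof String)
                altName = (String) subjectAlternativeName.get(1);
        }
    }

    if (org != null) {
        return withLocation ? Joiner.on(", ").skipNulls().join(org, location, country) : org;
    } else if (commonName != null) {
        return commonName;
    } else {
        return altName;
    }
}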
 
Example 2
Source File: TlsToolkitStandaloneTest.java    From nifi with Apache License 2.0
/**
 * Generating a certificate for one static hostname without an explicit SAN option must still
 * produce exactly one subject alternative name: a dNSName equal to the hostname.
 */
@Test
public void testStaticHostnameNoSan() throws Exception {
    final String expectedHost = "static.nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", expectedHost);

    X509Certificate loadedCert = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Certificate[] chain = loadCertificateChain(expectedHost, loadedCert);
    Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();

    // Exactly one SAN, and it has to be a dNSName carrying the hostname
    assertEquals(1, sans.size());
    List<?> onlySan = sans.iterator().next();
    assertEquals(GeneralName.dNSName, onlySan.get(0));
    assertEquals(expectedHost, onlySan.get(1));
}
 
Example 3
Source File: OkHostnameVerifier.java    From CordovaYoutubeVideoPlayer with MIT License
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 4
Source File: OkHostnameVerifier.java    From bluemix-parking-meter with MIT License
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 5
Source File: OkHostnameVerifier.java    From reader with MIT License
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 6
Source File: OpenSslCertManagerTest.java    From strimzi-kafka-operator with Apache License 2.0
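/**
 * Generates a self-signed certificate through {@code ssl}, adds it to the trust store under alias
 * "ca" and verifies the outcome: the certificate must verify with its own public key; when
 * {@code sbj} is given, the subject DN and the SAN values must match it; when {@code trustStore}
 * is given, the stored copy must verify as well.
 *
 * @param key                file that receives the generated private key
 * @param cert               file that receives the generated certificate
 * @param trustStore         PKCS#12 trust store file; its contents are checked only when non-null
 * @param trustStorePassword password of the trust store
 * @param sbj                expected subject (CN, O and SAN entries), or null to skip that check
 * @throws Exception on any generation, parsing or verification failure
 */
private void testGenerateSelfSignedCert(File key, File cert, File trustStore, String trustStorePassword, Subject sbj) throws Exception {
    ssl.generateSelfSignedCert(key, cert, sbj, 365);
    ssl.addCertToTrustStore(cert, "ca", trustStore, trustStorePassword);

    Certificate c;
    // Close the stream once the certificate is parsed instead of leaking the descriptor.
    try (FileInputStream certIn = new FileInputStream(cert)) {
        c = certFactory.generateCertificate(certIn);
    }

    // Self-signed: the certificate must verify with its own public key
    c.verify(c.getPublicKey());

    // subject verification if provided
    if (sbj != null) {
        if (c instanceof X509Certificate) {
            X509Certificate x509Certificate = (X509Certificate) c;
            // getSubjectDN() is deprecated, but the assertion below depends on its "CN=..., O=..."
            // formatting; X500Principal.getName() would default to RFC 2253 output without the space.
            Principal p = x509Certificate.getSubjectDN();

            assertThat(String.format("CN=%s, O=%s", sbj.commonName(), sbj.organizationName()), is(p.getName()));

            if (sbj.subjectAltNames() != null && sbj.subjectAltNames().size() > 0) {
                final Collection<List<?>> sans = x509Certificate.getSubjectAlternativeNames();
                assertThat(sans, is(notNullValue()));
                // Same number of entries, and every SAN value is among the expected ones
                // (only the value at index 1 is compared, not the GeneralName type).
                assertThat(sbj.subjectAltNames().size(), is(sans.size()));
                for (final List<?> sanItem : sans) {
                    assertThat(sbj.subjectAltNames().containsValue(sanItem.get(1)), is(true));
                }
            }
        } else {
            fail();
        }
    }

    // truststore verification if provided
    if (trustStore != null) {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (FileInputStream storeIn = new FileInputStream(trustStore)) {
            store.load(storeIn, trustStorePassword.toCharArray());
        }
        X509Certificate storeCert = (X509Certificate) store.getCertificate("ca");
        storeCert.verify(storeCert.getPublicKey());
    }
}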
 
Example 7
Source File: OkHostnameVerifier.java    From crosswalk-cordova-android with Apache License 2.0
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 8
Source File: OkHostnameVerifier.java    From nv-websocket-client with Apache License 2.0
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private static List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 9
Source File: OkHostnameVerifier.java    From AndroidProjects with MIT License
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private static List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 10
Source File: SdsX509TrustManager.java    From grpc-java with Apache License 2.0
/**
 * Requires that at least one subject alternative name of the leaf {@code cert} is accepted by
 * {@code verifyOneSanInList} against {@code verifyList}.
 * <p>
 * A certificate without any SAN entry fails the check. The exception message is generic and does
 * not echo certificate contents.
 *
 * @throws CertificateException if no SAN matches, the extension is absent, or it cannot be parsed
 */
private static void verifySubjectAltNameInLeaf(X509Certificate cert, List<String> verifyList)
    throws CertificateException {
  Collection<List<?>> sanEntries = cert.getSubjectAlternativeNames();
  boolean matched = false;
  if (sanEntries != null) {
    for (List<?> entry : sanEntries) {
      if (verifyOneSanInList(entry, verifyList)) {
        matched = true;
        break;
      }
    }
  }
  if (!matched) {
    throw new CertificateException("Peer certificate SAN check failed");
  }
}
 
Example 11
Source File: XmppHostnameVerifier.java    From Smack with Apache License 2.0
/**
 * Check if the certificate allows use of the given IP address.
 * <p>
 * From RFC2818 § 3.1: "In some cases, the URI is specified as an IP address rather than a
 * hostname. In this case, the iPAddress subjectAltName must be present in the certificate and
 * must exactly match the IP in the URI."
 * <p>
 * Only iPAddress (tag {@code ALTNAME_IP}) entries are considered. An entry matches when its text
 * equals {@code expectedIP} ignoring case, or when both parse to the same {@link InetAddress}
 * (so differently written forms of one IPv6 address still match).
 *
 * @param expectedIP the IP address taken from the URI that the certificate must cover
 * @param cert the peer certificate whose subjectAltName entries are inspected
 * @throws CertificateException if the certificate has no subjectAltName extension, if it cannot
 *         be parsed, or if none of its iPAddress entries matches {@code expectedIP}; the message
 *         lists the entries that were tried
 */
private static void matchIp(String expectedIP, X509Certificate cert)
                throws CertificateException {
    Collection<List<?>> sanEntries = cert.getSubjectAlternativeNames();
    if (sanEntries == null) {
        throw new CertificateException("No subject alternative names present");
    }
    List<String> rejected = new LinkedList<>();
    for (List<?> entry : sanEntries) {
        if (((Integer) entry.get(0)).intValue() != ALTNAME_IP) {
            continue;
        }
        String candidate = (String) entry.get(1);
        if (expectedIP.equalsIgnoreCase(candidate) || sameAddress(expectedIP, candidate)) {
            return;
        }
        rejected.add(candidate);
    }
    StringBuilder message = new StringBuilder("No subject alternative names matching IP address "
                    + expectedIP + " found. Tried: ");
    for (String tried : rejected) {
        message.append(tried).append(',');
    }
    throw new CertificateException(message.toString());
}

/**
 * Compares two address strings after parsing them, so that differently written forms of the same
 * address (notably IPv6) compare equal. Parse failures are logged at FINE and count as a mismatch.
 */
private static boolean sameAddress(String expected, String candidate) {
    try {
        // NOTE(review): InetAddress.getByName() falls back to a DNS lookup when its argument is not
        // an address literal. That is harmless only if both sides are literals — confirm for every caller.
        return InetAddress.getByName(expected).equals(InetAddress.getByName(candidate));
    }
    catch (UnknownHostException | SecurityException e) {
        LOGGER.log(Level.FINE, "Comparing IP strings failed", e);
        return false;
    }
}
 
Example 12
Source File: MemorizingTrustManager.java    From Pix-Art-Messenger with GNU General Public License v3.0
/**
 * Builds the text shown to the user when {@code hostname} does not match {@code cert}: the
 * mismatch notice, one "[type] value" line per SAN with a String value (or the subject DN when
 * the certificate has no SAN extension), the connect-anyway prompt and the certificate details.
 * A SAN parse failure is reported inline instead of aborting the message.
 */
private String hostNameMessage(X509Certificate cert, String hostname) {
    StringBuffer message = new StringBuffer();

    message.append(master.getString(R.string.mtm_hostname_mismatch, hostname));
    message.append("\n\n");
    try {
        Collection<List<?>> sanEntries = cert.getSubjectAlternativeNames();
        if (sanEntries == null) {
            // No SAN extension: show the subject DN instead
            message.append(cert.getSubjectDN());
            message.append("\n");
        } else {
            for (List<?> entry : sanEntries) {
                Object value = entry.get(1);
                if (!(value instanceof String)) {
                    continue; // non-String values (e.g. DER-encoded otherName) are not displayed
                }
                message.append("[");
                message.append((Integer) entry.get(0));
                message.append("] ");
                message.append(value);
                message.append("\n");
            }
        }
    } catch (CertificateParsingException e) {
        e.printStackTrace();
        message.append("<Parsing error: ");
        message.append(e.getLocalizedMessage());
        message.append(">\n");
    }
    message.append("\n");
    message.append(master.getString(R.string.mtm_connect_anyway));
    message.append("\n\n");
    message.append(master.getString(R.string.mtm_cert_details));
    certDetails(message, cert);
    return message.toString();
}
 
Example 13
Source File: OkHostnameVerifier.java    From iGap-Android with GNU Affero General Public License v3.0
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private static List<String> getSubjectAltNames(X509Certificate certificate, int type) {
    Collection<?> sanEntries;
    try {
        sanEntries = certificate.getSubjectAlternativeNames();
    } catch (CertificateParsingException e) {
        return Collections.emptyList();
    }
    if (sanEntries == null) {
        return Collections.emptyList();
    }
    List<String> matches = new ArrayList<String>();
    for (Object candidate : sanEntries) {
        List<?> pair = (List<?>) candidate;
        if (pair == null || pair.size() < 2) {
            continue; // not a [tag, value] pair
        }
        Integer tag = (Integer) pair.get(0);
        if (tag == null || tag != type) {
            continue;
        }
        String value = (String) pair.get(1);
        if (value != null) {
            matches.add(value);
        }
    }
    return matches;
}
 
Example 14
Source File: CryptoHelper.java    From Conversations with GNU General Public License v3.0
/**
 * Derives an XMPP address and a display name from {@code certificate}: the address comes from the
 * first rfc822Name SAN, falling back to the subject's emailAddress RDN; the name is the subject CN.
 * When no e-mail address exists but the CN itself parses as a bare JID with a local part, that JID
 * is returned with a null name. Returns null if neither yields a usable JID.
 *
 * @param certificate the certificate to inspect
 * @return a (JID, name) pair, or null if no JID could be derived
 * @throws CertificateEncodingException if the subject cannot be converted to an X500Name
 * @throws CertificateParsingException if the subjectAltName extension cannot be parsed
 * @throws IllegalArgumentException if {@code Jid.of} rejects the e-mail address taken from the certificate
 */
public static Pair<Jid, String> extractJidAndName(X509Certificate certificate) throws CertificateEncodingException, IllegalArgumentException, CertificateParsingException {
    final Collection<List<?>> sanEntries = certificate.getSubjectAlternativeNames();
    final List<String> addresses = new ArrayList<>();
    if (sanEntries != null) {
        for (List<?> entry : sanEntries) {
            // tag 1 == rfc822Name, whose value the JDK returns as a String
            if (((Integer) entry.get(0)) == 1) {
                addresses.add((String) entry.get(1));
            }
        }
    }
    final X500Name subject = new JcaX509CertificateHolder(certificate).getSubject();
    if (addresses.isEmpty() && subject.getRDNs(BCStyle.EmailAddress).length > 0) {
        addresses.add(IETFUtils.valueToString(subject.getRDNs(BCStyle.EmailAddress)[0].getFirst().getValue()));
    }
    final String displayName;
    if (subject.getRDNs(BCStyle.CN).length > 0) {
        displayName = IETFUtils.valueToString(subject.getRDNs(BCStyle.CN)[0].getFirst().getValue());
    } else {
        displayName = null;
    }
    if (!addresses.isEmpty()) {
        return new Pair<>(Jid.of(addresses.get(0)), displayName);
    }
    if (displayName == null) {
        return null;
    }
    try {
        final Jid fromName = Jid.of(displayName);
        return fromName.isBareJid() && fromName.getLocal() != null ? new Pair<>(fromName, null) : null;
    } catch (IllegalArgumentException e) {
        // The CN is not a JID at all; there is nothing to return.
        return null;
    }
}
 
Example 15
Source File: OkHostnameVerifier.java    From wildfly-samples with MIT License
/**
 * Collects the values of the subject alternative names of {@code certificate} whose GeneralName
 * tag equals {@code type} (2 for dNSName, 7 for iPAddress; both are returned as Strings by the JDK).
 * <p>
 * Entries are {@code [tag, value]} pairs as produced by {@link X509Certificate#getSubjectAlternativeNames()};
 * malformed pairs and null values are skipped. A missing extension or a parse failure yields an empty
 * list, so callers see no names rather than an error (fail closed).
 */
private List<String> getSubjectAltNames(X509Certificate certificate, int type) {
  Collection<?> sanEntries;
  try {
    sanEntries = certificate.getSubjectAlternativeNames();
  } catch (CertificateParsingException e) {
    return Collections.emptyList();
  }
  if (sanEntries == null) {
    return Collections.emptyList();
  }
  List<String> matches = new ArrayList<String>();
  for (Object candidate : sanEntries) {
    List<?> pair = (List<?>) candidate;
    if (pair == null || pair.size() < 2) {
      continue; // not a [tag, value] pair
    }
    Integer tag = (Integer) pair.get(0);
    if (tag == null || tag != type) {
      continue;
    }
    String value = (String) pair.get(1);
    if (value != null) {
      matches.add(value);
    }
  }
  return matches;
}
 
Example 16
Source File: TlsToolkitStandaloneTest.java    From nifi with Apache License 2.0
/**
 * A node-name range paired with a SAN range of the same size must yield, for every node, a
 * certificate with exactly two dNSName SANs: the node's own hostname first, then the matching
 * alternative name.
 */
@Test
public void testDynamicHostnameDynamicSansSameRange() throws Exception {
    final String nodePattern = "node[1-2].nifi.apache.org";
    final String sanPattern = "alternative[1-2].nifi.apache.org";

    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", nodePattern, "--subjectAlternativeName", sanPattern);
    X509Certificate loadedCert = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);

    String[] nodeHosts = InstanceIdentifier.createIdentifiers(Stream.of(nodePattern))
            .map(InstanceIdentifier::getHostname)
            .toArray(String[]::new);
    String[] sanHosts = InstanceIdentifier.createIdentifiers(Stream.of(sanPattern))
            .map(InstanceIdentifier::getHostname)
            .toArray(String[]::new);
    assertEquals(nodeHosts.length, sanHosts.length);

    for (int idx = 0; idx < nodeHosts.length; idx++) {
        Certificate[] chain = loadCertificateChain(nodeHosts[idx], loadedCert);
        Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();

        // Two SANs expected, hostname first and alternative name second
        assertEquals(2, sans.size());
        List<?>[] sanPairs = sans.toArray(new List<?>[0]);

        assertEquals(GeneralName.dNSName, sanPairs[0].get(0));
        assertEquals(nodeHosts[idx], sanPairs[0].get(1));

        assertEquals(GeneralName.dNSName, sanPairs[1].get(0));
        assertEquals(sanHosts[idx], sanPairs[1].get(1));
    }
}
 
Example 17
Source File: SANCertificateIdentityMapping.java    From Openfire with Apache License 2.0
/**
 * Returns the JID representation of an XMPP entity contained as a SubjectAltName extension
 * in the certificate. If none was found then return an empty list.
 * <p>
 * Only otherName (decoded by {@code parseOtherName}), dNSName and uniformResourceIdentifier
 * entries are considered; every other SAN type is ignored. If the SubjectAltName extension
 * cannot be parsed, the error is logged and whatever was collected so far is returned.
 *
 * @param certificate the certificate presented by the remote entity.
 * @return the JID representation of an XMPP entity contained as a SubjectAltName extension
 * in the certificate. If none was found then return an empty list.
 */
@Override
public List<String> mapIdentity( X509Certificate certificate )
{
    final List<String> identities = new ArrayList<>();
    try {
        final Collection<List<?>> sanEntries = certificate.getSubjectAlternativeNames();
        if ( sanEntries == null ) {
            // The certificate carries no SubjectAltName extension at all
            return Collections.emptyList();
        }
        for ( List<?> entry : sanEntries ) {
            final Integer tag = (Integer) entry.get( 0 );
            final Object value = entry.get( 1 ); // String for dNSName/URI, DER-encoded byte[] for otherName
            final String identity = identityFor( tag, value );
            if ( identity != null ) {
                identities.add( identity );
            }
        }
    } catch ( CertificateParsingException e ) {
        Log.error( "Error parsing SubjectAltName in certificate: " + certificate.getSubjectDN(), e );
    }
    return identities;
}

/**
 * Maps one {@code [tag, value]} SAN pair to an XMPP identity, or null for SAN types that are
 * not applicable to XMPP.
 */
private String identityFor( Integer tag, Object value )
{
    switch ( tag ) {
        case 0:
            // OtherName: search for "id-on-xmppAddr" or 'sRVName' or 'userPrincipalName'
            return parseOtherName( (byte[]) value );
        case 2: // DNS
        case 6: // URI
            return (String) value;
        default:
            // Not applicable to XMPP, so silently ignore them
            return null;
    }
}
 
Example 18
Source File: ServerTrustManager.java    From AndroidPNClient with Apache License 2.0
/**
 * Returns the JID representation of an XMPP entity contained as a SubjectAltName extension
 * in the certificate. If none was found then return <tt>null</tt>.
 * <p>
 * NOTE(review): the otherName decoding below is commented out, so this method currently never
 * adds anything to {@code identities} and always returns an empty list (never <tt>null</tt>,
 * despite the sentence above). Any caller that expects SAN-based identities from it therefore
 * gets none; confirm whether that is intended before relying on it for identity checks.
 *
 * @param certificate the certificate presented by the remote entity.
 * @return the JID representation of an XMPP entity contained as a SubjectAltName extension
 *         in the certificate; with the decoding commented out this is currently always an
 *         empty list.
 */
private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
    List<String> identities = new ArrayList<String>();
    try {
        Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
        // Check that the certificate includes the SubjectAltName extension
        if (altNames == null) {
            return Collections.emptyList();
        }
        // Use the type OtherName to search for the certified server name
        // (disabled: the block below is commented out, so altNames is never inspected)
        /*for (List item : altNames) {
            Integer type = (Integer) item.get(0);
            if (type == 0) {
                // Type OtherName found so return the associated value
                try {
                    // Value is encoded using ASN.1 so decode it to get the server's identity
                    ASN1InputStream decoder = new ASN1InputStream((byte[]) item.toArray()[1]);
                    DEREncodable encoded = decoder.readObject();
                    encoded = ((DERSequence) encoded).getObjectAt(1);
                    encoded = ((DERTaggedObject) encoded).getObject();
                    encoded = ((DERTaggedObject) encoded).getObject();
                    String identity = ((DERUTF8String) encoded).getString();
                    // Add the decoded server name to the list of identities
                    identities.add(identity);
                }
                catch (UnsupportedEncodingException e) {
                    // Ignore
                }
                catch (IOException e) {
                    // Ignore
                }
                catch (Exception e) {
                    e.printStackTrace();
                }
            }
            // Other types are not good for XMPP so ignore them
            System.out.println("SubjectAltName of invalid type found: " + certificate);
        }*/
    }
    catch (CertificateParsingException e) {
        // A parse failure is only printed; the caller still receives the (empty) list
        e.printStackTrace();
    }
    return identities;
}
 
Example 19
Source File: XmppDomainVerifier.java    From Pix-Art-Messenger with GNU General Public License v3.0
/**
 * Verifies that the peer certificate of {@code sslSession} is acceptable for the XMPP
 * {@code domain} (and, when given, the connected {@code hostname}).
 * <p>
 * Identities are taken from the SubjectAltName extension: otherName entries decoded by
 * {@code parseOtherName} into SRVName / XmppAddr values (lower-cased), and dNSName entries.
 * Only when the certificate carries none of those does the subject CN list stand in for the
 * dNSName list. On KitKat and later, a self-signed certificate whose single CN matches the domain
 * is accepted outright. Any exception during verification yields {@code false}.
 */
@Override
public boolean verify(String domain, String hostname, SSLSession sslSession) {
    try {
        final Certificate[] peerChain = sslSession.getPeerCertificates();
        if (peerChain.length == 0 || !(peerChain[0] instanceof X509Certificate)) {
            return false;
        }
        final X509Certificate leaf = (X509Certificate) peerChain[0];
        final List<String> commonNames = getCommonNames(leaf);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.KITKAT && isSelfSigned(leaf)
                && commonNames.size() == 1 && matchDomain(domain, commonNames)) {
            Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
            return true;
        }
        final Collection<List<?>> sanEntries = leaf.getSubjectAlternativeNames();
        final List<String> xmppAddrs = new ArrayList<>();
        final List<String> srvNames = new ArrayList<>();
        final List<String> dnsNames = new ArrayList<>();
        if (sanEntries != null) {
            for (List<?> entry : sanEntries) {
                final Integer tag = (Integer) entry.get(0);
                if (tag == 0) {
                    // otherName: DER payload decoded into (OID, value)
                    final Pair<String, String> otherName = parseOtherName((byte[]) entry.get(1));
                    if (otherName == null || otherName.first == null || otherName.second == null) {
                        continue;
                    }
                    final String lowered = otherName.second.toLowerCase(Locale.US);
                    if (SRV_NAME.equals(otherName.first)) {
                        srvNames.add(lowered);
                    } else if (XMPP_ADDR.equals(otherName.first)) {
                        xmppAddrs.add(lowered);
                    } else {
                        Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
                    }
                } else if (tag == 2 && entry.get(1) instanceof String) {
                    // dNSName
                    dnsNames.add(((String) entry.get(1)).toLowerCase(Locale.US));
                }
            }
        }
        if (srvNames.isEmpty() && xmppAddrs.isEmpty() && dnsNames.isEmpty()) {
            // No usable SAN at all: fall back to the subject CN(s)
            dnsNames.addAll(commonNames);
        }
        Log.d(LOGTAG, "searching for " + domain + " in srvNames: " + srvNames + " xmppAddrs: " + xmppAddrs + " domains:" + dnsNames);
        if (hostname != null) {
            Log.d(LOGTAG, "also trying to verify hostname " + hostname);
        }
        if (xmppAddrs.contains(domain) || srvNames.contains("_xmpp-client." + domain)) {
            return true;
        }
        if (matchDomain(domain, dnsNames)) {
            return true;
        }
        return hostname != null && matchDomain(hostname, dnsNames);
    } catch (Exception e) {
        // Any failure while inspecting the certificate counts as a mismatch (fail closed).
        return false;
    }
}
 
Example 20
Source File: MySqlHostVerifier.java    From r2dbc-mysql with Apache License 2.0
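/**
 * Extracts the DNS and IP entries of the certificate's Subject Alternative Names.
 * <p>
 * Each entry is a {@code [type, value]} pair. Pairs that are malformed, of a type other than
 * {@code San.DNS}/{@code San.IP}, or whose value is not a String are skipped (with a warning
 * where that helps diagnosis). A missing extension or a parse failure yields an empty list, so
 * the caller has nothing to match against (fail closed).
 *
 * @param cert the certificate to inspect
 * @return the DNS and IP SANs found, possibly empty; never null
 */
private static List<San> extractSans(X509Certificate cert) {
    Collection<List<?>> pairs;
    try {
        pairs = cert.getSubjectAlternativeNames();
    } catch (CertificateParsingException e) {
        // Log the failure so a mismatch caused by a malformed extension is distinguishable
        // from a certificate that simply has no SAN.
        logger.warn("Certificate Subject Alternative Names could not be parsed: {}", e);
        return Collections.emptyList();
    }

    if (pairs == null || pairs.isEmpty()) {
        return Collections.emptyList();
    }

    List<San> sans = new ArrayList<>();

    for (List<?> pair : pairs) {
        // Ignore if it is not a pair.
        if (pair == null || pair.size() < 2) {
            continue;
        }

        Integer type = determineSubjectType(pair.get(0));

        if (type == null) {
            continue;
        }

        if (San.DNS != type && San.IP != type) {
            logger.warn("Certificate contains an unknown type of Subject Alternative Names: {}", type);
            continue;
        }

        Object value = pair.get(1);

        if (value instanceof String) {
            sans.add(new San((String) value, type));
        } else if (value instanceof byte[]) {
            // TODO: decode ASN.1 DER form.
            logger.warn("Certificate contains an ASN.1 DER encoded form in Subject Alternative Names, but DER is unsupported now");
        } else if (logger.isWarnEnabled()) {
            // value may be null for a malformed pair; calling getClass() on it would throw.
            logger.warn("Certificate contains an unknown value of Subject Alternative Names: {}", value == null ? null : value.getClass());
        }
    }

    return sans;
}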