Java Code Examples for javax.net.ssl.SSLSession#getPeerHost()

The following examples show how to use javax.net.ssl.SSLSession#getPeerHost(). Each example links to its original project and source file, and related API usage is listed on the sidebar.
Example 1
Source File: RootTrustManager.java    From android_9.0.0_r45 with Apache License 2.0
/**
 * Socket-aware server trust check: selects the per-hostname network security
 * config for the socket's peer host and delegates to that config's trust manager.
 *
 * <p>For a plain (non-SSL) socket there is no handshake session and therefore no
 * peer host name, so the hostname-unaware overload is used instead.
 *
 * @param certs    the server certificate chain presented in the handshake
 * @param authType the key exchange algorithm, passed through to the delegate
 * @param socket   the socket being handshaked; must be an {@link SSLSocket} for
 *                 per-host configuration to apply
 * @throws CertificateException if the SSL socket is not currently in a handshake,
 *         or if the delegated check rejects the chain
 */
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType, Socket socket)
        throws CertificateException {
    if (!(socket instanceof SSLSocket)) {
        // Not an SSLSocket: no peer host to key the config on.
        checkServerTrusted(certs, authType);
        return;
    }

    SSLSession handshake = ((SSLSocket) socket).getHandshakeSession();
    if (handshake == null) {
        throw new CertificateException("Not in handshake; no session available");
    }

    // The peer host is the name the socket was opened with; mConfig maps it to
    // the NetworkSecurityConfig whose trust manager is authoritative for it.
    String peerHost = handshake.getPeerHost();
    NetworkSecurityConfig hostConfig = mConfig.getConfigForHostname(peerHost);
    hostConfig.getTrustManager().checkServerTrusted(certs, authType, socket);
}
 
Example 2
Source File: SdkTLSSocketFactory.java    From ibm-cos-sdk-java with Apache License 2.0
/**
 * Invalidates every cached SSL/TLS session in {@code sessionContext} whose peer host
 * (compared case-insensitively) and peer port both match {@code remoteAddress}.
 *
 * <p>Ids for which the context no longer returns a session, and sessions that have
 * no peer host recorded, are skipped. A context that reports no ids at all is
 * treated as empty.
 *
 * @param sessionContext collection of SSL/TLS sessions to be (potentially) invalidated
 * @param remoteAddress  peer address whose cached sessions should be dropped; note that
 *                       {@code getHostName()} may perform a reverse lookup if the
 *                       address was created without a host name
 */
private void clearSessionCache(final SSLSessionContext sessionContext, final InetSocketAddress remoteAddress) {
    final String targetHost = remoteAddress.getHostName();
    final int targetPort = remoteAddress.getPort();
    final Enumeration<byte[]> sessionIds = sessionContext.getIds();

    if (sessionIds == null) {
        return;
    }

    while (sessionIds.hasMoreElements()) {
        final SSLSession cached = sessionContext.getSession(sessionIds.nextElement());
        if (cached == null) {
            continue;
        }
        final String cachedHost = cached.getPeerHost();
        final boolean sameHost = cachedHost != null && cachedHost.equalsIgnoreCase(targetHost);
        if (!sameHost || cached.getPeerPort() != targetPort) {
            continue;
        }
        cached.invalidate();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Invalidated session " + cached);
        }
    }
}
 
Example 3
Source File: X509TrustManagerImpl.java    From jdk8u_jdk with GNU General Public License v2.0
/**
 * Checks the peer's certificate against the endpoint name the session is for.
 *
 * <p>When verifying a server ({@code checkClientTrusted} false) the host name from the
 * session's requested SNI names is tried first; if that check fails and the SNI name
 * differs from the session's peer host, the peer host is tried as a fallback. When
 * verifying a client, or when no SNI host name was requested, only the peer host is
 * checked. Only the first certificate of {@code trustedChain} is matched.
 *
 * @param session            the session supplying the peer host and the SNI names
 * @param trustedChain       the validated chain; assumed non-empty (index 0 is used)
 * @param algorithm          the endpoint identification algorithm, passed through
 * @param checkClientTrusted true when the peer being checked is a client
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches the certificate
 */
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (!checkClientTrusted) {
        List<SNIServerName> requested = getRequestedServerNames(session);
        String sniHost = getHostNameInSNI(requested);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, trustedChain[0], algorithm);
                return; // identified via SNI; the peer-host fallback is not needed
            } catch (CertificateException ce) {
                // If the SNI name is the peer host anyway, the fallback would
                // repeat the same failing check, so fail now.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Client check, no SNI name, or SNI failed under a different name:
    // verify against the session's peer host instead.
    checkIdentity(peerHost, trustedChain[0], algorithm);
}
 
Example 4
Source File: X509TrustManagerImpl.java    From openjdk-8 with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 5
Source File: ClientX509ExtendedTrustManager.java    From light-4j with Apache License 2.0
/**
 * Checks the server's identity against the host name recorded on the session.
 * This supplements the plain X509TrustManager chain validation with a standard
 * identity check.
 *
 * <p>The check only runs when the configured identity algorithm is HTTPS; with any
 * other setting the method returns without inspecting the certificate. It can be
 * applied to both clients and servers.
 *
 * @param session SSLSession supplying the peer host name (may be {@code null} if the
 *                socket was created without a host name -- confirm that
 *                APINameChecker handles that case)
 * @param cert X509Certificate to match against the host name
 * @throws CertificateException if there is no handshake session, or if the name
 *         check fails
 */
private void checkIdentity(SSLSession session, X509Certificate cert) throws CertificateException {
	if (session == null) {
		throw new CertificateException("No handshake session");
	}

	// Only the HTTPS identification algorithm is supported; any other
	// setting skips the host-name check entirely.
	if (identityAlg != EndpointIdentificationAlgorithm.HTTPS) {
		return;
	}

	APINameChecker.verifyAndThrow(session.getPeerHost(), cert);
}
 
Example 6
Source File: X509TrustManagerImpl.java    From openjdk-8-source with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 7
Source File: X509TrustManagerImpl.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 8
Source File: X509TrustManagerImpl.java    From jdk8u-jdk with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 9
Source File: X509TrustManagerImpl.java    From jdk8u-dev-jdk with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 10
Source File: X509TrustManagerImpl.java    From openjdk-jdk8u-backup with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 11
Source File: TLSProtocolSocketFactory.java    From lams with GNU General Public License v2.0
/**
 * Verifies the peer's hostname using the configured {@link HostnameVerifier}.
 *
 * <p>Nothing is verified when no verifier is configured or when {@code socket} is
 * not an {@link SSLSocket}. The name handed to the verifier is the session's peer
 * host, i.e. the name the socket was opened with. On any failure the socket is
 * cleaned up before the exception is propagated.
 *
 * @param socket the socket connected to the peer whose hostname is to be verified.
 *
 * @throws SSLException if the hostname does not verify against the peer's certificate,
 *          or if there is an error in performing the evaluation
 */
protected void verifyHostname(Socket socket) throws SSLException {
    if (hostnameVerifier == null || !(socket instanceof SSLSocket)) {
        return;
    }

    SSLSocket secureSocket = (SSLSocket) socket;
    try {
        // getSession() blocks until the handshake has completed if it has not yet run.
        SSLSession session = secureSocket.getSession();
        String peerHost = session.getPeerHost();
        boolean verified = hostnameVerifier.verify(peerHost, session);
        if (!verified) {
            throw new SSLPeerUnverifiedException("SSL peer failed hostname validation for name: " + peerHost);
        }
    } catch (SSLException e) {
        // Already the declared type (covers SSLPeerUnverifiedException): clean up, then rethrow as-is.
        cleanUpFailedSocket(secureSocket);
        throw e;
    } catch (Throwable t) {
        // Close the socket on any kind of Exception, RuntimeException or Error,
        // then wrap it in the declared exception type.
        cleanUpFailedSocket(secureSocket);
        throw new SSLException("Error in hostname verification", t);
    }
}
 
Example 12
Source File: TrustManagerExt.java    From servicecomb-java-chassis with Apache License 2.0
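/**
 * Verifies the server certificate chain presented on {@code engine}.
 *
 * <p>When peer authentication is disabled in {@code option} nothing is checked.
 * Otherwise the peer host recorded on the engine's handshake session (the host hint
 * the engine was created with, which may be {@code null}) is handed to
 * {@link #checkTrustedCustom} before the delegate trust manager performs the
 * standard chain validation.
 *
 * @param chain    the server certificate chain presented in the handshake
 * @param authType the key exchange algorithm, passed through to the delegate
 * @param engine   the engine being handshaked; {@code null} skips the peer-host lookup
 * @throws CertificateException if the engine is not currently in a handshake, or if
 *         the custom or delegated check rejects the chain
 */
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType,
    SSLEngine engine) throws CertificateException {
  if (!option.isAuthPeer()) {
    return;
  }

  String ip = null;
  if (engine != null) {
    // getHandshakeSession() returns null when no handshake is in progress;
    // fail with the declared exception instead of an NPE so callers see a
    // regular certificate failure.
    SSLSession session = engine.getHandshakeSession();
    if (session == null) {
      throw new CertificateException("No handshake session available on SSLEngine");
    }
    ip = session.getPeerHost();
  }
  checkTrustedCustom(chain, ip);
  trustManager.checkServerTrusted(chain, authType, engine);
}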
 
Example 13
Source File: TrustManagerExt.java    From servicecomb-java-chassis with Apache License 2.0
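/**
 * Verifies the client certificate chain presented on {@code engine}.
 *
 * <p>When peer authentication is disabled in {@code option} nothing is checked.
 * Otherwise the peer host recorded on the engine's handshake session (the host hint
 * the engine was created with, which may be {@code null}) is handed to
 * {@link #checkTrustedCustom} before the delegate trust manager performs the
 * standard chain validation.
 *
 * @param chain    the client certificate chain presented in the handshake
 * @param authType the key exchange algorithm, passed through to the delegate
 * @param engine   the engine being handshaked; {@code null} skips the peer-host lookup
 * @throws CertificateException if the engine is not currently in a handshake, or if
 *         the custom or delegated check rejects the chain
 */
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType,
    SSLEngine engine) throws CertificateException {
  if (!option.isAuthPeer()) {
    return;
  }

  String ip = null;
  if (engine != null) {
    // getHandshakeSession() returns null when no handshake is in progress;
    // fail with the declared exception instead of an NPE so callers see a
    // regular certificate failure.
    SSLSession session = engine.getHandshakeSession();
    if (session == null) {
      throw new CertificateException("No handshake session available on SSLEngine");
    }
    ip = session.getPeerHost();
  }
  checkTrustedCustom(chain, ip);
  trustManager.checkClientTrusted(chain, authType, engine);
}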
 
Example 14
Source File: X509TrustManagerImpl.java    From openjdk-jdk8u with GNU General Public License v2.0
/**
 * Checks the peer's certificate against the endpoint name the session is for.
 *
 * <p>When verifying a server ({@code checkClientTrusted} false) the host name from the
 * session's requested SNI names is tried first; if that check fails and the SNI name
 * differs from the session's peer host, the peer host is tried as a fallback. When
 * verifying a client, or when no SNI host name was requested, only the peer host is
 * checked. Only the first certificate of {@code trustedChain} is matched.
 *
 * @param session            the session supplying the peer host and the SNI names
 * @param trustedChain       the validated chain; assumed non-empty (index 0 is used)
 * @param algorithm          the endpoint identification algorithm, passed through
 * @param checkClientTrusted true when the peer being checked is a client
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches the certificate
 */
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (!checkClientTrusted) {
        List<SNIServerName> requested = getRequestedServerNames(session);
        String sniHost = getHostNameInSNI(requested);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, trustedChain[0], algorithm);
                return; // identified via SNI; the peer-host fallback is not needed
            } catch (CertificateException ce) {
                // If the SNI name is the peer host anyway, the fallback would
                // repeat the same failing check, so fail now.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Client check, no SNI name, or SNI failed under a different name:
    // verify against the session's peer host instead.
    checkIdentity(peerHost, trustedChain[0], algorithm);
}
 
Example 15
Source File: X509TrustManagerImpl.java    From jdk8u60 with GNU General Public License v2.0
/**
 * Checks {@code cert} against the endpoint name this session is for.
 *
 * <p>When {@code isClient} is true the host name taken from {@code sniNames} (if any)
 * is tried first; if that check fails and the SNI name differs from the session's
 * peer host, the peer host is tried as a fallback. When {@code isClient} is false,
 * or no SNI host name is present, only the peer host is checked.
 *
 * @param session   the session whose peer host is used for the fallback check
 * @param cert      the peer certificate to match
 * @param algorithm the endpoint identification algorithm, passed through unchanged
 * @param isClient  true when the SNI-first path should be used
 * @param sniNames  the SNI names to take the requested host name from
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches {@code cert}
 */
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (isClient) {
        String sniHost = getHostNameInSNI(sniNames);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, cert, algorithm);
                return; // identified via SNI; no fallback needed
            } catch (CertificateException ce) {
                // A failing SNI name that equals the peer host cannot be rescued
                // by the fallback, so surface the failure immediately.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Not the client path, no SNI name, or SNI failed under a different
    // name: verify against the session's peer host instead.
    checkIdentity(peerHost, cert, algorithm);
}
 
Example 16
Source File: X509TrustManagerImpl.java    From TencentKona-8 with GNU General Public License v2.0
/**
 * Checks the peer's certificate against the endpoint name the session is for.
 *
 * <p>When verifying a server ({@code checkClientTrusted} false) the host name from the
 * session's requested SNI names is tried first; if that check fails and the SNI name
 * differs from the session's peer host, the peer host is tried as a fallback. When
 * verifying a client, or when no SNI host name was requested, only the peer host is
 * checked. Only the first certificate of {@code trustedChain} is matched.
 *
 * @param session            the session supplying the peer host and the SNI names
 * @param trustedChain       the validated chain; assumed non-empty (index 0 is used)
 * @param algorithm          the endpoint identification algorithm, passed through
 * @param checkClientTrusted true when the peer being checked is a client
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches the certificate
 */
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (!checkClientTrusted) {
        List<SNIServerName> requested = getRequestedServerNames(session);
        String sniHost = getHostNameInSNI(requested);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, trustedChain[0], algorithm);
                return; // identified via SNI; the peer-host fallback is not needed
            } catch (CertificateException ce) {
                // If the SNI name is the peer host anyway, the fallback would
                // repeat the same failing check, so fail now.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Client check, no SNI name, or SNI failed under a different name:
    // verify against the session's peer host instead.
    checkIdentity(peerHost, trustedChain[0], algorithm);
}
 
Example 17
Source File: X509TrustManagerImpl.java    From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Checks the peer's certificate against the endpoint name the session is for.
 *
 * <p>When verifying a server ({@code checkClientTrusted} false) the host name from the
 * session's requested SNI names is tried first; if that check fails and the SNI name
 * differs from the session's peer host, the peer host is tried as a fallback. When
 * verifying a client, or when no SNI host name was requested, only the peer host is
 * checked. Only the first certificate of {@code trustedChain} is matched.
 *
 * @param session            the session supplying the peer host and the SNI names
 * @param trustedChain       the validated chain; assumed non-empty (index 0 is used)
 * @param algorithm          the endpoint identification algorithm, passed through
 * @param checkClientTrusted true when the peer being checked is a client
 * @throws CertificateException propagated from the name check when neither the SNI
 *         host name nor the peer host matches the certificate
 */
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {

    String peerHost = session.getPeerHost();

    if (!checkClientTrusted) {
        List<SNIServerName> requested = getRequestedServerNames(session);
        String sniHost = getHostNameInSNI(requested);
        if (sniHost != null) {
            try {
                checkIdentity(sniHost, trustedChain[0], algorithm);
                return; // identified via SNI; the peer-host fallback is not needed
            } catch (CertificateException ce) {
                // If the SNI name is the peer host anyway, the fallback would
                // repeat the same failing check, so fail now.
                if (sniHost.equalsIgnoreCase(peerHost)) {
                    throw ce;
                }
            }
        }
    }

    // Client check, no SNI name, or SNI failed under a different name:
    // verify against the session's peer host instead.
    checkIdentity(peerHost, trustedChain[0], algorithm);
}
 
Example 18
Source File: RootTrustManager.java    From android_9.0.0_r45 with Apache License 2.0
/**
 * Engine-aware server trust check: selects the per-hostname network security
 * config for the engine's peer host and delegates to that config's trust manager.
 *
 * @param certs    the server certificate chain presented in the handshake
 * @param authType the key exchange algorithm, passed through to the delegate
 * @param engine   the engine being handshaked; its handshake session supplies the
 *                 peer host used to look up the config
 * @throws CertificateException if the engine is not currently in a handshake, or if
 *         the delegated check rejects the chain
 */
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType, SSLEngine engine)
        throws CertificateException {
    SSLSession handshake = engine.getHandshakeSession();
    if (handshake == null) {
        throw new CertificateException("Not in handshake; no session available");
    }
    // mConfig maps the peer host (the name the engine was created with) to the
    // NetworkSecurityConfig whose trust manager is authoritative for it.
    mConfig.getConfigForHostname(handshake.getPeerHost())
            .getTrustManager()
            .checkServerTrusted(certs, authType, engine);
}
 
Example 19
Source File: StrictSSLProtocolSocketFactory.java    From http4e with Apache License 2.0
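/**
 * Verifies that the peer host name recorded on the socket's SSL session matches
 * the Common Name of the first certificate in the peer's chain.
 *
 * <p>The check is skipped entirely when {@code verifyHostname} is false. Only the
 * subject CN is compared (case-insensitively); subjectAltName entries and wildcard
 * names are not considered, so a certificate that carries the host only in its SAN
 * extension is rejected. NOTE(review): the JDK's built-in endpoint identification
 * ({@code SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")}) performs
 * SAN-aware matching and would be the preferred replacement. The call to
 * {@code getPeerCertificateChain()} is deprecated; newer JDKs may throw
 * {@code UnsupportedOperationException} from it, with {@code getPeerCertificates()}
 * as the replacement.
 *
 * @param socket a <code>SSLSocket</code> value whose session is inspected
 * @exception SSLPeerUnverifiedException  If the session has no peer host name, no
 * server certificates are available, or the server host name does not match the
 * "Common Name" in the server certificate's SubjectDN.
 * @exception UnknownHostException  If we are not able to resolve
 * the SSL session's returned server host name.
 */
private void verifyHostname(SSLSocket socket) 
    throws SSLPeerUnverifiedException, UnknownHostException {
    if (!verifyHostname) {
        return;
    }

    SSLSession session = socket.getSession();
    String hostname = session.getPeerHost();
    // getPeerHost() is null when the socket was created without a host name.
    // InetAddress.getByName(null) would silently resolve to loopback and the
    // CN comparison below would NPE, so reject before the lookup.
    if (hostname == null) {
        throw new SSLPeerUnverifiedException("SSL session has no peer host name to verify");
    }
    try {
        // The resolved address is not used; an unresolvable name is simply
        // treated as a verification failure.
        InetAddress.getByName(hostname);
    } catch (UnknownHostException uhe) {
        UnknownHostException wrapped = new UnknownHostException(
            "Could not resolve SSL sessions server hostname: " + hostname);
        wrapped.initCause(uhe);
        throw wrapped;
    }
    
    X509Certificate[] certs = session.getPeerCertificateChain();
    if (certs == null || certs.length == 0) {
        throw new SSLPeerUnverifiedException("No server certificates found!");
    }
    
    // Subject DN of the leaf certificate in its string representation.
    String dn = certs[0].getSubjectDN().getName();

    // Log every certificate received from the server; useful when debugging a
    // problem with the installed certs.
    if (LOG.isDebugEnabled()) {
        LOG.debug("Server certificate chain:");
        for (int i = 0; i < certs.length; i++) {
            LOG.debug("X509Certificate[" + i + "]=" + certs[i]);
        }
    }
    // Compare the host name with the CN of the leaf certificate only.
    String cn = getCN(dn);
    if (hostname.equalsIgnoreCase(cn)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Target hostname valid: " + cn);
        }
    } else {
        throw new SSLPeerUnverifiedException(
            "HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
    }
}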
 
Example 20
Source File: AuthSSLProtocolSocketFactoryBase.java    From iaf with Apache License 2.0
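/**
	 * Verifies that the peer host name recorded on the socket's SSL session matches
	 * the Common Name of the first certificate in the peer's chain.
	 *
	 * <p>The check is skipped entirely when {@code verifyHostname} is false. Only the
	 * subject CN is compared (case-insensitively); subjectAltName entries and wildcard
	 * names are not considered, so a certificate that carries the host only in its SAN
	 * extension is rejected. A host name that does not resolve is logged but is not
	 * treated as a failure (see the comment in the body). NOTE(review): the call to
	 * {@code getPeerCertificateChain()} is deprecated; newer JDKs may throw
	 * {@code UnsupportedOperationException} from it, with {@code getPeerCertificates()}
	 * as the replacement.
	 *
	 * @param socket a <code>SSLSocket</code> value whose session is inspected
	 * @exception SSLPeerUnverifiedException  If the session has no peer host name, no
	 * server certificates are available, or the server host name does not match the
	 * "Common Name" in the server certificate's SubjectDN.
	 * @exception UnknownHostException  If no SSL session can be obtained from the socket.
	 */
	protected void verifyHostname(SSLSocket socket) 
		throws SSLPeerUnverifiedException, UnknownHostException {
		if (!verifyHostname) {
			return;
		}

		SSLSession session = socket.getSession();
		if (session == null) {
			throw new UnknownHostException("could not obtain session from socket");
		}
		String hostname = session.getPeerHost();
		// getPeerHost() is null when the socket was created without a host name.
		// InetAddress.getByName(null) would silently resolve to loopback and the
		// CN comparison below would NPE, so reject before the lookup.
		if (hostname == null) {
			throw new SSLPeerUnverifiedException("SSL session has no peer host name to verify");
		}
		try {
			InetAddress.getByName(hostname);
		} catch (UnknownHostException uhe) {
			// Deliberately non-fatal: under WebSphere the session host name can be
			// the proxy's host name, which need not resolve here.
			log.warn("Could not resolve SSL sessions server hostname: " + hostname, uhe);
		}

		javax.security.cert.X509Certificate[] certs = session.getPeerCertificateChain();
		if (certs == null || certs.length == 0) {
			throw new SSLPeerUnverifiedException("No server certificates found!");
		}

		// Subject DN of the leaf certificate in its string representation.
		String dn = certs[0].getSubjectDN().getName();

		// Log every certificate received from the server; useful when debugging a
		// problem with the installed certs.
		if (log.isInfoEnabled()) {
			log.info("Server certificate chain:");
			for (int i = 0; i < certs.length; i++) {
				log.info("X509Certificate[" + i + "]=" + certs[i]);
			}
		}
		// Compare the host name with the CN of the leaf certificate only.
		String cn = getCN(dn);
		if (hostname.equalsIgnoreCase(cn)) {
			if (log.isInfoEnabled()) {
				log.info("Target hostname valid: " + cn);
			}
		} else {
			throw new SSLPeerUnverifiedException(
				"HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
		}
	}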