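--- a/SSLCertificateDialogModel.java
+++ b/SSLCertificateDialogModel.java
@@ -19,6 +19,7 @@ package com.dmdirc.ui.core.dialogs.sslcertificate;
 
 import com.dmdirc.tls.CertificateAction;
 import com.dmdirc.tls.CertificateDoesntMatchHostException;
+import com.dmdirc.tls.CertificateHostChecker;
 import com.dmdirc.tls.CertificateManager;
 import com.dmdirc.tls.CertificateNotTrustedException;
 
@@ -47,6 +48,8 @@ public class SSLCertificateDialogModel {
     private final CertificateManager manager;
     /** The list of problems found with the certs, if any. */
     private final Collection<CertificateException> problems;
+    /** Checker to use for hostnames. */
+    private final CertificateHostChecker hostChecker;
 
     /**
      * Creates a new SSLCertificateDialogModel for the specified chain.
@@ -61,6 +64,7 @@ public class SSLCertificateDialogModel {
         this.chain = chain;
         this.problems = problems;
         this.manager = manager;
+        this.hostChecker = new CertificateHostChecker();
     }
 
     /**
@@ -75,7 +79,7 @@ public class SSLCertificateDialogModel {
         boolean first = true;
 
         for (X509Certificate cert : chain) {
-            boolean invalid = first && !manager.isValidHost(cert);
+            boolean invalid = first && !hostChecker.isValidFor(cert, manager.getServerName());
             first = false;
 
             try {
@@ -123,7 +127,7 @@ public class SSLCertificateDialogModel {
                     cert.getNotAfter().toString(), tooOld, false));
             res.add(group);
 
-            final boolean wrongName = index == 0 && !manager.isValidHost(cert);
+            final boolean wrongName = index == 0 && !hostChecker.isValidFor(cert, manager.getServerName());
             final String names = getAlternateNames(cert);
             final Map<String, String> fields = CertificateManager.getDNFieldsFromCert(cert);
 
@@ -160,7 +164,7 @@ public class SSLCertificateDialogModel {
      *
      * @return A comma-separated list of alternate names
      */
-    protected String getAlternateNames(final X509Certificate cert) {
+    private String getAlternateNames(final X509Certificate cert) {
         final StringBuilder res = new StringBuilder();
 
         try {
@@ -196,11 +200,13 @@ public class SSLCertificateDialogModel {
      * @param field The name of the field to look for
      * @param invalid Whether or not the field is a cause for concern
      */
-    protected void addCertField(final Map<String, String> fields,
-            final List<CertificateInformationEntry> group, final String title,
-            final String field, final boolean invalid) {
-        group.add(new CertificateInformationEntry(title,
-                fields.containsKey(field) ? fields.get(field) : NOTPRESENT, invalid,
+    private void addCertField(
+            final Map<String, String> fields,
+            final List<CertificateInformationEntry> group,
+            final String title,
+            final String field,
+            final boolean invalid) {
+        group.add(new CertificateInformationEntry(title, fields.getOrDefault(field, NOTPRESENT), invalid,
                 !fields.containsKey(field)));
     }
 
@@ -212,22 +218,22 @@ public class SSLCertificateDialogModel {
     public List<CertificateSummaryEntry> getSummary() {
         final List<CertificateSummaryEntry> res = new ArrayList<>();
 
-        boolean outofdate = false;
-        boolean wronghost = false;
-        boolean nottrusted = false;
+        boolean outOfDate = false;
+        boolean wrongHost = false;
+        boolean notTrusted = false;
 
         for (CertificateException ex : problems) {
             if (ex instanceof CertificateExpiredException
                     || ex instanceof CertificateNotYetValidException) {
-                outofdate = true;
+                outOfDate = true;
             } else if (ex instanceof CertificateDoesntMatchHostException) {
-                wronghost = true;
+                wrongHost = true;
             } else if (ex instanceof CertificateNotTrustedException) {
-                nottrusted = true;
+                notTrusted = true;
             }
         }
 
-        if (outofdate) {
+        if (outOfDate) {
             res.add(new CertificateSummaryEntry("One or more certificates are "
                     + "not within their validity period", false));
         } else {
@@ -235,7 +241,7 @@ public class SSLCertificateDialogModel {
                     + "within their validity period", true));
         }
 
-        if (nottrusted) {
+        if (notTrusted) {
             res.add(new CertificateSummaryEntry("The certificate is not issued "
                     + "by a trusted authority", false));
         } else {
@@ -243,7 +249,7 @@ public class SSLCertificateDialogModel {
                     + "trusted", true));
         }
 
-        if (wronghost) {
+        if (wrongHost) {
             res.add(new CertificateSummaryEntry("The certificate is not issued "
                     + "to the host you are connecting to", false));
         } else {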
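Review bot: The constructor hard-wires the hostname verifier with `this.hostChecker = new CertificateHostChecker();` (new line 67), so the check that drives the `invalid` and `wrongName` flags cannot be substituted or exercised in isolation in a unit test, which is the one part of this dialog model a security review most wants covered. Consider taking the checker as a constructor parameter and assigning `this.hostChecker = Objects.requireNonNull(hostChecker, "hostChecker");`, keeping the current signature as an overload that passes `new CertificateHostChecker()`; the constructor's signature lies outside the hunk. The expression `hostChecker.isValidFor(cert, manager.getServerName())` is now duplicated at new lines 82 and 130, replacing the single `manager.isValidHost(cert)` it used to go through; a private helper such as `isValidHost(cert)` would keep both call sites consistent if the check or its inputs ever change. Whether `manager.getServerName()` can be null is not visible here; if it can, that helper is also the natural place to guard it rather than letting the null reach the checker.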