|
@@ -0,0 +1,130 @@
|
|
1
|
+package com.dmdirc.tls;
|
|
2
|
+
|
|
3
|
+import java.security.cert.CertificateParsingException;
|
|
4
|
+import java.security.cert.X509Certificate;
|
|
5
|
+import java.util.Arrays;
|
|
6
|
+import java.util.HashSet;
|
|
7
|
+import java.util.Optional;
|
|
8
|
+import java.util.Set;
|
|
9
|
+import java.util.regex.Pattern;
|
|
10
|
+import java.util.stream.Collectors;
|
|
11
|
+import javax.naming.InvalidNameException;
|
|
12
|
+import javax.naming.ldap.LdapName;
|
|
13
|
+import javax.naming.ldap.Rdn;
|
|
14
|
+
|
|
15
|
+/**
|
|
16
|
+ * Checks that the host we're connecting to is one specified in a certificate.
|
|
17
|
+ *
|
|
18
|
+ * <p>Certificates match if any of their subjectAlternateName extensions, or the subject's common name, matches
|
|
19
|
+ * the host we're connecting to.
|
|
20
|
+ */
|
|
21
|
+public class CertificateHostChecker {
|
|
22
|
+
|
|
23
|
+ /**
|
|
24
|
+ * Checks if the specified certificate is valid for the given hostname.
|
|
25
|
+ *
|
|
26
|
+ * @param certificate The certificate to check.
|
|
27
|
+ * @param host The hostname that was connected to.
|
|
28
|
+ * @return True if the certificate covers the given hostname, false otherwise.
|
|
29
|
+ */
|
|
30
|
+ public boolean isValidFor(final X509Certificate certificate, final String host) {
|
|
31
|
+ return getAllNames(certificate).stream().anyMatch(name -> matches(name, host));
|
|
32
|
+ }
|
|
33
|
+
|
|
34
|
+ /**
|
|
35
|
+ * Checks if the specified name matches against the host, taking into account wildcards.
|
|
36
|
+ *
|
|
37
|
+ * <p>Hosts are compared by splitting them into domain parts (test.dmdirc.com becomes [test, dmdirc, com]) and
|
|
38
|
+ * comparing each part against the corresponding part of the supplied name. Wildcards may only expand within a
|
|
39
|
+ * single part (i.e. *.example.com cannot match foo.bar.example.com).
|
|
40
|
+ *
|
|
41
|
+ * @param name The name to check.
|
|
42
|
+ * @param host The host to check it against.
|
|
43
|
+ * @return True if the name matches the host; false otherwise.
|
|
44
|
+ */
|
|
45
|
+ private boolean matches(final String name, final String host) {
|
|
46
|
+ final String[] nameParts = name.split("\\.");
|
|
47
|
+ final String[] hostParts = host.split("\\.");
|
|
48
|
+
|
|
49
|
+ if (nameParts.length != hostParts.length) {
|
|
50
|
+ return false;
|
|
51
|
+ }
|
|
52
|
+
|
|
53
|
+ for (int i = 0; i < nameParts.length; i++) {
|
|
54
|
+ if (!partMatches(nameParts[i], hostParts[i])) {
|
|
55
|
+ return false;
|
|
56
|
+ }
|
|
57
|
+ }
|
|
58
|
+
|
|
59
|
+ return true;
|
|
60
|
+ }
|
|
61
|
+
|
|
62
|
+ /**
|
|
63
|
+ * Checks if the specified part of the name matches the corresponding part of the host, taking into account
|
|
64
|
+ * wildcards.
|
|
65
|
+ *
|
|
66
|
+ * @param namePart The part of the name to be expanded and checked.
|
|
67
|
+ * @param hostPart The corresponding part of the host to check the name against.
|
|
68
|
+ * @return True if the name and host parts match; false otherwise.
|
|
69
|
+ */
|
|
70
|
+ private boolean partMatches(final String namePart, final String hostPart) {
|
|
71
|
+ return "*".equals(namePart) || hostPart.toLowerCase().matches(
|
|
72
|
+ Arrays.stream(namePart.toLowerCase().split("\\*"))
|
|
73
|
+ .map(Pattern::quote)
|
|
74
|
+ .collect(Collectors.joining(".*")));
|
|
75
|
+ }
|
|
76
|
+
|
|
77
|
+ /**
|
|
78
|
+ * Returns all names for which a certificate is valid.
|
|
79
|
+ *
|
|
80
|
+ * @param cert The certificate to read.
|
|
81
|
+ * @return The names which the certificate covers.
|
|
82
|
+ */
|
|
83
|
+ private Set<String> getAllNames(final X509Certificate cert) {
|
|
84
|
+ final Set<String> names = new HashSet<>();
|
|
85
|
+ getCommonName(cert).ifPresent(names::add);
|
|
86
|
+ getSubjectAlternateNames(cert).ifPresent(names::addAll);
|
|
87
|
+ return names;
|
|
88
|
+ }
|
|
89
|
+
|
|
90
|
+ /**
|
|
91
|
+ * Reads the common name (CN) from the certificate's subject.
|
|
92
|
+ *
|
|
93
|
+ * @param cert The certificate to read.
|
|
94
|
+ * @return The common name of the certificate, if present.
|
|
95
|
+ */
|
|
96
|
+ private Optional<String> getCommonName(final X509Certificate cert) {
|
|
97
|
+ try {
|
|
98
|
+ final LdapName name = new LdapName(cert.getSubjectX500Principal().getName());
|
|
99
|
+ return name.getRdns().stream()
|
|
100
|
+ .filter(rdn -> "CN".equalsIgnoreCase(rdn.getType()))
|
|
101
|
+ .map(Rdn::getValue)
|
|
102
|
+ .map(Object::toString)
|
|
103
|
+ .findFirst();
|
|
104
|
+ } catch (InvalidNameException ex) {
|
|
105
|
+ return Optional.empty();
|
|
106
|
+ }
|
|
107
|
+ }
|
|
108
|
+
|
|
109
|
+ /**
|
|
110
|
+ * Reads all the subjectAlternateName extensions from the certificate.
|
|
111
|
+ *
|
|
112
|
+ * @param cert The certificate to read.
|
|
113
|
+ * @return The (possibly empty) set of subject alternate names.
|
|
114
|
+ */
|
|
115
|
+ private Optional<Set<String>> getSubjectAlternateNames(final X509Certificate cert) {
|
|
116
|
+ try {
|
|
117
|
+ return Optional.ofNullable(cert.getSubjectAlternativeNames())
|
|
118
|
+ .map(sans -> sans.stream()
|
|
119
|
+ // Filter for GeneralName type 2 (dNSName)
|
|
120
|
+ .filter(san -> (Integer) san.get(0) == 2)
|
|
121
|
+ // Get the string representation of the value of those names
|
|
122
|
+ .map(san -> san.get(1))
|
|
123
|
+ .map(Object::toString)
|
|
124
|
+ .collect(Collectors.toSet()));
|
|
125
|
+ } catch (CertificateParsingException e) {
|
|
126
|
+ return Optional.empty();
|
|
127
|
+ }
|
|
128
|
+ }
|
|
129
|
+
|
|
130
|
+}
|