111 |
111 |
112 /* |
112 /* |
113 * In com.sun.net.ssl.HostnameVerifier the method is defined |
113 * In com.sun.net.ssl.HostnameVerifier the method is defined |
114 * as verify(String urlHostname, String certHostname). |
114 * as verify(String urlHostname, String certHostname). |
115 * This means we need to extract the hostname from the X.509 certificate |
115 * This means we need to extract the hostname from the X.509 certificate |
116 * or from the Kerberos principal name, in this wrapper. |
116 * in this wrapper. |
117 */ |
117 */ |
118 public boolean verify(String hostname, javax.net.ssl.SSLSession session) { |
118 public boolean verify(String hostname, javax.net.ssl.SSLSession session) { |
119 try { |
119 try { |
120 String serverName; |
120 Certificate[] serverChain = session.getPeerCertificates(); |
121 // Use ciphersuite to determine whether Kerberos is active. |
121 if ((serverChain == null) || (serverChain.length == 0)) { |
122 if (session.getCipherSuite().startsWith("TLS_KRB5")) { |
122 return false; |
123 serverName = |
|
124 HostnameChecker.getServerName(getPeerPrincipal(session)); |
|
125 |
|
126 } else { // X.509 |
|
127 Certificate[] serverChain = session.getPeerCertificates(); |
|
128 if ((serverChain == null) || (serverChain.length == 0)) { |
|
129 return false; |
|
130 } |
|
131 if (serverChain[0] instanceof X509Certificate == false) { |
|
132 return false; |
|
133 } |
|
134 X509Certificate serverCert = (X509Certificate)serverChain[0]; |
|
135 serverName = getServername(serverCert); |
|
136 } |
123 } |
|
124 if (serverChain[0] instanceof X509Certificate == false) { |
|
125 return false; |
|
126 } |
|
127 X509Certificate serverCert = (X509Certificate)serverChain[0]; |
|
128 String serverName = getServername(serverCert); |
137 if (serverName == null) { |
129 if (serverName == null) { |
138 return false; |
130 return false; |
139 } |
131 } |
140 return verifier.verify(hostname, serverName); |
132 return verifier.verify(hostname, serverName); |
141 } catch (javax.net.ssl.SSLPeerUnverifiedException e) { |
133 } catch (javax.net.ssl.SSLPeerUnverifiedException e) { |
142 return false; |
134 return false; |
143 } |
135 } |
144 } |
|
145 |
|
146 /* |
|
147 * Get the peer principal from the session |
|
148 */ |
|
149 private Principal getPeerPrincipal(javax.net.ssl.SSLSession session) |
|
150 throws javax.net.ssl.SSLPeerUnverifiedException |
|
151 { |
|
152 Principal principal; |
|
153 try { |
|
154 principal = session.getPeerPrincipal(); |
|
155 } catch (AbstractMethodError e) { |
|
156 // if the provider does not support it, return null, since |
|
157 // we need it only for Kerberos. |
|
158 principal = null; |
|
159 } |
|
160 return principal; |
|
161 } |
136 } |
162 |
137 |
163 /* |
138 /* |
164 * Extract the name of the SSL server from the certificate. |
139 * Extract the name of the SSL server from the certificate. |
165 * |
140 * |