1 /* |
|
2 * Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
26 package com.sun.net.ssl.internal.www.protocol.https; |
|
27 |
|
28 import java.net.URL; |
|
29 import java.net.Proxy; |
|
30 import java.io.IOException; |
|
31 import java.util.Collection; |
|
32 import java.util.List; |
|
33 import java.util.Iterator; |
|
34 |
|
35 import java.security.Principal; |
|
36 import java.security.cert.*; |
|
37 |
|
38 import javax.security.auth.x500.X500Principal; |
|
39 |
|
40 import sun.security.util.HostnameChecker; |
|
41 import sun.security.util.DerValue; |
|
42 import sun.security.x509.X500Name; |
|
43 |
|
44 import sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection; |
|
45 |
|
46 /** |
|
47 * This class was introduced to provide an additional level of |
|
48 * abstraction between javax.net.ssl.HttpURLConnection and |
|
49 * com.sun.net.ssl.HttpURLConnection objects. <p> |
|
50 * |
|
51 * javax.net.ssl.HttpURLConnection is used in the new sun.net version |
|
52 * of protocol implementation (this one) |
|
53 * com.sun.net.ssl.HttpURLConnection is used in the com.sun version. |
|
54 * |
|
55 */ |
|
56 @Deprecated(since="9") |
|
57 @SuppressWarnings("deprecation") // HttpsURLConnection is deprecated |
|
58 public class DelegateHttpsURLConnection extends AbstractDelegateHttpsURLConnection { |
|
59 |
|
60 // we need a reference to the HttpsURLConnection to get |
|
61 // the properties set there |
|
62 // we also need it to be public so that it can be referenced |
|
63 // from sun.net.www.protocol.http.HttpURLConnection |
|
64 // this is for ResponseCache.put(URI, URLConnection) |
|
65 // second parameter needs to be cast to javax.net.ssl.HttpsURLConnection |
|
66 // instead of AbstractDelegateHttpsURLConnection |
|
67 |
|
68 public com.sun.net.ssl.HttpsURLConnection httpsURLConnection; |
|
69 |
|
70 DelegateHttpsURLConnection(URL url, |
|
71 sun.net.www.protocol.http.Handler handler, |
|
72 com.sun.net.ssl.HttpsURLConnection httpsURLConnection) |
|
73 throws IOException { |
|
74 this(url, null, handler, httpsURLConnection); |
|
75 } |
|
76 |
|
77 DelegateHttpsURLConnection(URL url, Proxy p, |
|
78 sun.net.www.protocol.http.Handler handler, |
|
79 com.sun.net.ssl.HttpsURLConnection httpsURLConnection) |
|
80 throws IOException { |
|
81 super(url, p, handler); |
|
82 this.httpsURLConnection = httpsURLConnection; |
|
83 } |
|
84 |
|
85 protected javax.net.ssl.SSLSocketFactory getSSLSocketFactory() { |
|
86 return httpsURLConnection.getSSLSocketFactory(); |
|
87 } |
|
88 |
|
89 protected javax.net.ssl.HostnameVerifier getHostnameVerifier() { |
|
90 // note: getHostnameVerifier() never returns null |
|
91 return new VerifierWrapper(httpsURLConnection.getHostnameVerifier()); |
|
92 } |
|
93 |
|
94 /* |
|
95 * Called by layered delegator's finalize() method to handle closing |
|
96 * the underlying object. |
|
97 */ |
|
98 protected void dispose() throws Throwable { |
|
99 super.finalize(); |
|
100 } |
|
101 } |
|
102 |
|
103 class VerifierWrapper implements javax.net.ssl.HostnameVerifier { |
|
104 @SuppressWarnings("deprecation") |
|
105 private com.sun.net.ssl.HostnameVerifier verifier; |
|
106 |
|
107 @SuppressWarnings("deprecation") |
|
108 VerifierWrapper(com.sun.net.ssl.HostnameVerifier verifier) { |
|
109 this.verifier = verifier; |
|
110 } |
|
111 |
|
112 /* |
|
113 * In com.sun.net.ssl.HostnameVerifier the method is defined |
|
114 * as verify(String urlHostname, String certHostname). |
|
115 * This means we need to extract the hostname from the X.509 certificate |
|
116 * in this wrapper. |
|
117 */ |
|
118 public boolean verify(String hostname, javax.net.ssl.SSLSession session) { |
|
119 try { |
|
120 Certificate[] serverChain = session.getPeerCertificates(); |
|
121 if ((serverChain == null) || (serverChain.length == 0)) { |
|
122 return false; |
|
123 } |
|
124 if (serverChain[0] instanceof X509Certificate == false) { |
|
125 return false; |
|
126 } |
|
127 X509Certificate serverCert = (X509Certificate)serverChain[0]; |
|
128 String serverName = getServername(serverCert); |
|
129 if (serverName == null) { |
|
130 return false; |
|
131 } |
|
132 return verifier.verify(hostname, serverName); |
|
133 } catch (javax.net.ssl.SSLPeerUnverifiedException e) { |
|
134 return false; |
|
135 } |
|
136 } |
|
137 |
|
138 /* |
|
139 * Extract the name of the SSL server from the certificate. |
|
140 * |
|
141 * Note this code is essentially a subset of the hostname extraction |
|
142 * code in HostnameChecker. |
|
143 */ |
|
144 private static String getServername(X509Certificate peerCert) { |
|
145 try { |
|
146 // compare to subjectAltNames if dnsName is present |
|
147 Collection<List<?>> subjAltNames = peerCert.getSubjectAlternativeNames(); |
|
148 if (subjAltNames != null) { |
|
149 for (Iterator<List<?>> itr = subjAltNames.iterator(); itr.hasNext(); ) { |
|
150 List<?> next = itr.next(); |
|
151 if (((Integer)next.get(0)).intValue() == 2) { |
|
152 // compare dNSName with host in url |
|
153 String dnsName = ((String)next.get(1)); |
|
154 return dnsName; |
|
155 } |
|
156 } |
|
157 } |
|
158 |
|
159 // else check against common name in the subject field |
|
160 X500Name subject = HostnameChecker.getSubjectX500Name(peerCert); |
|
161 |
|
162 DerValue derValue = subject.findMostSpecificAttribute |
|
163 (X500Name.commonName_oid); |
|
164 if (derValue != null) { |
|
165 try { |
|
166 String name = derValue.getAsString(); |
|
167 return name; |
|
168 } catch (IOException e) { |
|
169 // ignore |
|
170 } |
|
171 } |
|
172 } catch (java.security.cert.CertificateException e) { |
|
173 // ignore |
|
174 } |
|
175 return null; |
|
176 } |
|
177 |
|
178 } |
|