mirror of
https://github.com/vanitasvitae/Smack.git
synced 2024-09-27 10:09:32 +02:00
89 lines
3.1 KiB
Java
89 lines
3.1 KiB
Java
|
/**
|
||
|
*
|
||
|
* Copyright 2014 the original author or authors
|
||
|
*
|
||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
* you may not use this file except in compliance with the License.
|
||
|
* You may obtain a copy of the License at
|
||
|
*
|
||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||
|
*
|
||
|
* Unless required by applicable law or agreed to in writing, software
|
||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
* See the License for the specific language governing permissions and
|
||
|
* limitations under the License.
|
||
|
*/
|
||
|
|
||
|
package org.jivesoftware.smack.java7;
|
||
|
|
||
|
import java.security.Principal;
|
||
|
import java.security.cert.Certificate;
|
||
|
import java.security.cert.CertificateException;
|
||
|
import java.security.cert.X509Certificate;
|
||
|
|
||
|
import javax.net.ssl.HostnameVerifier;
|
||
|
import javax.net.ssl.SSLPeerUnverifiedException;
|
||
|
import javax.net.ssl.SSLSession;
|
||
|
import javax.security.auth.kerberos.KerberosPrincipal;
|
||
|
|
||
|
import sun.security.util.HostnameChecker;
|
||
|
|
||
|
/**
|
||
|
* <p>
|
||
|
* HostnameVerifier implementation which implements the same policy as the Java built-in
|
||
|
* pre-HostnameVerifier policy.
|
||
|
* </p>
|
||
|
* <p>
|
||
|
* Based on the <a href="found at http://kevinlocke.name/bits
|
||
|
* /2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/">work by Kevin
|
||
|
* Locke</a> (released under CC0 1.0 Universal / Public Domain Dedication).
|
||
|
* </p>
|
||
|
*/
|
||
|
public class Java7HostnameVerifier implements HostnameVerifier {
|
||
|
|
||
|
@Override
|
||
|
public boolean verify(String hostname, SSLSession session) {
|
||
|
HostnameChecker checker = HostnameChecker.getInstance(HostnameChecker.TYPE_TLS);
|
||
|
|
||
|
boolean validCertificate = false, validPrincipal = false;
|
||
|
try {
|
||
|
Certificate[] peerCertificates = session.getPeerCertificates();
|
||
|
|
||
|
if (peerCertificates.length > 0 && peerCertificates[0] instanceof X509Certificate) {
|
||
|
X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];
|
||
|
|
||
|
try {
|
||
|
checker.match(hostname, peerCertificate);
|
||
|
// Certificate matches hostname
|
||
|
validCertificate = true;
|
||
|
}
|
||
|
catch (CertificateException ex) {
|
||
|
// Certificate does not match hostname
|
||
|
}
|
||
|
}
|
||
|
else {
|
||
|
// Peer does not have any certificates or they aren't X.509
|
||
|
}
|
||
|
}
|
||
|
catch (SSLPeerUnverifiedException ex) {
|
||
|
// Not using certificates for peers, try verifying the principal
|
||
|
try {
|
||
|
Principal peerPrincipal = session.getPeerPrincipal();
|
||
|
if (peerPrincipal instanceof KerberosPrincipal) {
|
||
|
validPrincipal = HostnameChecker.match(hostname,
|
||
|
(KerberosPrincipal) peerPrincipal);
|
||
|
}
|
||
|
else {
|
||
|
// Can't verify principal, not Kerberos
|
||
|
}
|
||
|
}
|
||
|
catch (SSLPeerUnverifiedException ex2) {
|
||
|
// Can't verify principal, no principal
|
||
|
}
|
||
|
}
|
||
|
|
||
|
return validCertificate || validPrincipal;
|
||
|
}
|
||
|
}
|