org.openeuler.sun.security.util

类 HostnameChecker

java.lang.Object

org.openeuler.sun.security.util.HostnameChecker

public class HostnameChecker
extends Object

Class to check hostnames against the names specified in a certificate as required for TLS and LDAP.

字段概要

字段

限定符和类型	字段和说明
private static int	ALTNAME_DNS
private static int	ALTNAME_IP
private byte	checkType
private static HostnameChecker	INSTANCE_LDAP
private static HostnameChecker	INSTANCE_TLS
static byte	TYPE_LDAP
static byte	TYPE_TLS

构造器概要

构造器

限定符	构造器和说明
private	HostnameChecker(byte checkType)

方法概要

限定符和类型	方法和说明
static HostnameChecker	getInstance(byte checkType) Get a HostnameChecker instance. checkType should be one of the TYPE_* constants defined in this class.
static String	getServerName(Principal principal) Return the Server name from Kerberos principal.
static sun.security.x509.X500Name	getSubjectX500Name(X509Certificate cert) Return the subject of a certificate as X500Name, by reparsing if necessary.
private static boolean	hasIllegalWildcard(String domain, String template, boolean chainsToPublicCA) Returns true if the template contains an illegal wildcard character.
private static boolean	isIpAddress(String name) Test whether the given hostname looks like a literal IPv4 or IPv6 address.
private boolean	isMatched(String name, String template, boolean chainsToPublicCA) Returns true if name matches against template.
static boolean	match(String expectedName, Principal principal) Perform the check for Kerberos.
void	match(String expectedName, X509Certificate cert)
void	match(String expectedName, X509Certificate cert, boolean chainsToPublicCA) Perform the check.
private static boolean	matchAllWildcards(String name, String template) Returns true if name matches against template.
private void	matchDNS(String expectedName, X509Certificate cert, boolean chainsToPublicCA) Check if the certificate allows use of the given DNS name.
private static void	matchIP(String expectedIP, X509Certificate cert) Check if the certificate allows use of the given IP address.
private static boolean	matchLeftmostWildcard(String name, String template) Returns true if name matches against template.
private static boolean	matchWildCards(String name, String template) Returns true if the name matches against the template that may contain wildcard char *

从类继承的方法 java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

字段详细资料

TYPE_TLS

public static final byte TYPE_TLS

另请参阅:

常量字段值

INSTANCE_TLS

private static final HostnameChecker INSTANCE_TLS

TYPE_LDAP

public static final byte TYPE_LDAP

另请参阅:

常量字段值

INSTANCE_LDAP

private static final HostnameChecker INSTANCE_LDAP

ALTNAME_DNS

private static final int ALTNAME_DNS

另请参阅:

常量字段值

ALTNAME_IP

private static final int ALTNAME_IP

另请参阅:

常量字段值

checkType

private final byte checkType

构造器详细资料

HostnameChecker

private HostnameChecker(byte checkType)

方法详细资料

getInstance

public static HostnameChecker getInstance(byte checkType)

Get a HostnameChecker instance. checkType should be one of the TYPE_* constants defined in this class.

match

public void match(String expectedName,
                  X509Certificate cert,
                  boolean chainsToPublicCA)
           throws CertificateException

Perform the check.

参数:

expectedName - the expected host name or ip address

cert - the certificate to check against

chainsToPublicCA - true if the certificate chains to a public root CA (as pre-installed in the cacerts file)

抛出:

CertificateException - if the name does not match any of the names specified in the certificate

match

public void match(String expectedName,
                  X509Certificate cert)
           throws CertificateException

抛出:

CertificateException

match

public static boolean match(String expectedName,
                            Principal principal)

Perform the check for Kerberos.

getServerName

public static String getServerName(Principal principal)

Return the Server name from Kerberos principal.

isIpAddress

private static boolean isIpAddress(String name)

Test whether the given hostname looks like a literal IPv4 or IPv6 address. The hostname does not need to be a fully qualified name. This is not a strict check that performs full input validation. That means if the method returns true, name need not be a correct IP address, rather that it does not represent a valid DNS hostname. Likewise for IP addresses when it returns false.

matchIP

private static void matchIP(String expectedIP,
                            X509Certificate cert)
                     throws CertificateException

Check if the certificate allows use of the given IP address. From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

抛出:

CertificateException

matchDNS

private void matchDNS(String expectedName,
                      X509Certificate cert,
                      boolean chainsToPublicCA)
               throws CertificateException

Check if the certificate allows use of the given DNS name. From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Matching is performed using the matching rules specified by [RFC5280]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)

抛出:

CertificateException

getSubjectX500Name

public static sun.security.x509.X500Name getSubjectX500Name(X509Certificate cert)
                                                     throws CertificateParsingException

Return the subject of a certificate as X500Name, by reparsing if necessary. X500Name should only be used if access to name components is required, in other cases X500Principal is to be preferred. This method is currently used from within JSSE, do not remove.

抛出:

CertificateParsingException

isMatched

private boolean isMatched(String name,
                          String template,
                          boolean chainsToPublicCA)

Returns true if name matches against template.

The matching is performed as per RFC 2818 rules for TLS and RFC 2830 rules for LDAP.

The name parameter should represent a DNS name. The template parameter may contain the wildcard character '*'.

hasIllegalWildcard

private static boolean hasIllegalWildcard(String domain,
                                          String template,
                                          boolean chainsToPublicCA)

Returns true if the template contains an illegal wildcard character.

matchAllWildcards

private static boolean matchAllWildcards(String name,
                                         String template)

Returns true if name matches against template.

According to RFC 2818, section 3.1 - Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

matchLeftmostWildcard

private static boolean matchLeftmostWildcard(String name,
                                             String template)

Returns true if name matches against template.

As per RFC 2830, section 3.6 - The "*" wildcard character is allowed. If present, it applies only to the left-most name component. E.g. *.bar.com would match a.bar.com, b.bar.com, etc. but not bar.com.

matchWildCards

private static boolean matchWildCards(String name,
                                      String template)

Returns true if the name matches against the template that may contain wildcard char *