@Override
public void checkServerTrusted(X509Certificate[] certs, String authType, Socket socket)
        throws CertificateException {
    // Without an SSLSocket there is no handshake session to read the peer host
    // from, so defer to the hostname-unaware overload.
    if (!(socket instanceof SSLSocket)) {
        checkServerTrusted(certs, authType);
        return;
    }
    SSLSession handshake = ((SSLSocket) socket).getHandshakeSession();
    if (handshake == null) {
        throw new CertificateException("Not in handshake; no session available");
    }
    // getPeerHost() may be null when no peer name is known; how
    // getConfigForHostname treats null is not visible here — verify in mConfig.
    String peerHost = handshake.getPeerHost();
    // The per-hostname config decides which trust manager is authoritative for this peer.
    NetworkSecurityConfig hostConfig = mConfig.getConfigForHostname(peerHost);
    hostConfig.getTrustManager().checkServerTrusted(certs, authType, socket);
}
/**
 * Invalidates every session in {@code sessionContext} whose peer host (compared
 * case-insensitively) and peer port equal those of {@code remoteAddress}. Sessions
 * that cannot be looked up or that have no peer host are left alone.
 *
 * @param sessionContext collection of SSL/TLS sessions to be (potentially) invalidated
 * @param remoteAddress associated with sessions to invalidate
 */
private void clearSessionCache(final SSLSessionContext sessionContext, final InetSocketAddress remoteAddress) {
    // NOTE(review): InetSocketAddress.getHostName() may perform a reverse lookup for
    // literal-address endpoints; confirm it yields the same name the session recorded.
    final String targetHost = remoteAddress.getHostName();
    final int targetPort = remoteAddress.getPort();
    final Enumeration<byte[]> sessionIds = sessionContext.getIds();
    if (sessionIds == null) {
        return;
    }
    while (sessionIds.hasMoreElements()) {
        final SSLSession candidate = sessionContext.getSession(sessionIds.nextElement());
        if (candidate == null) {
            continue;
        }
        final String candidateHost = candidate.getPeerHost();
        final boolean sameHost = candidateHost != null && candidateHost.equalsIgnoreCase(targetHost);
        if (!sameHost || candidate.getPeerPort() != targetPort) {
            continue;
        }
        candidate.invalidate();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Invalidated session " + candidate);
        }
    }
}
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType, SSLEngine engine)
        throws CertificateException {
    SSLSession handshake = engine.getHandshakeSession();
    // Outside a handshake there is no session, hence no peer host to select a config by.
    if (handshake == null) {
        throw new CertificateException("Not in handshake; no session available");
    }
    String peerHost = handshake.getPeerHost();
    // Delegate to the trust manager configured for this peer's hostname.
    mConfig.getConfigForHostname(peerHost)
            .getTrustManager()
            .checkServerTrusted(certs, authType, engine);
}
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI names it requested;
    // when checking a client certificate there is no SNI to consider.
    String sniHostName = null;
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        sniHostName = getHostNameInSNI(sniNames);
    }
    // trustedChain[0] is the end-entity certificate; an empty chain surfaces as
    // ArrayIndexOutOfBoundsException here, so callers must pass a non-empty one.
    if (sniHostName == null) {
        checkIdentity(peerHost, trustedChain[0], algorithm);
        return;
    }
    try {
        checkIdentity(sniHostName, trustedChain[0], algorithm);
    } catch (CertificateException ce) {
        // A mismatch against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to checking the peer host.
        if (sniHostName.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, trustedChain[0], algorithm);
    }
}
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI names it requested;
    // when checking a client certificate there is no SNI to consider.
    String sniHostName = null;
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        sniHostName = getHostNameInSNI(sniNames);
    }
    // trustedChain[0] is the end-entity certificate; an empty chain surfaces as
    // ArrayIndexOutOfBoundsException here, so callers must pass a non-empty one.
    if (sniHostName == null) {
        checkIdentity(peerHost, trustedChain[0], algorithm);
        return;
    }
    try {
        checkIdentity(sniHostName, trustedChain[0], algorithm);
    } catch (CertificateException ce) {
        // A mismatch against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to checking the peer host.
        if (sniHostName.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, trustedChain[0], algorithm);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI names it requested;
    // when checking a client certificate there is no SNI to consider.
    String sniHostName = null;
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        sniHostName = getHostNameInSNI(sniNames);
    }
    // trustedChain[0] is the end-entity certificate; an empty chain surfaces as
    // ArrayIndexOutOfBoundsException here, so callers must pass a non-empty one.
    if (sniHostName == null) {
        checkIdentity(peerHost, trustedChain[0], algorithm);
        return;
    }
    try {
        checkIdentity(sniHostName, trustedChain[0], algorithm);
    } catch (CertificateException ce) {
        // A mismatch against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to checking the peer host.
        if (sniHostName.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, trustedChain[0], algorithm);
    }
}
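@Override
public void checkClientTrusted(X509Certificate[] chain, String authType,
        SSLEngine engine) throws CertificateException {
    // Peer authentication is optional; when it is off nothing is verified.
    if (!option.isAuthPeer()) {
        return;
    }
    // Value is SSLSession.getPeerHost(): a host name or address literal, or
    // null when the engine is absent or no peer name is known.
    String peerHost = null;
    if (engine != null) {
        SSLSession session = engine.getHandshakeSession();
        // getHandshakeSession() returns null outside a handshake; fail closed
        // with a CertificateException instead of a NullPointerException.
        if (session == null) {
            throw new CertificateException("Not in handshake; no session available");
        }
        peerHost = session.getPeerHost();
    }
    // Host-aware custom check first, then the delegate's standard validation.
    checkTrustedCustom(chain, peerHost);
    trustManager.checkClientTrusted(chain, authType, engine);
}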
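@Override
public void checkServerTrusted(X509Certificate[] chain, String authType,
        SSLEngine engine) throws CertificateException {
    // Peer authentication is optional; when it is off nothing is verified.
    if (!option.isAuthPeer()) {
        return;
    }
    // Value is SSLSession.getPeerHost(): a host name or address literal, or
    // null when the engine is absent or no peer name is known.
    String peerHost = null;
    if (engine != null) {
        SSLSession session = engine.getHandshakeSession();
        // getHandshakeSession() returns null outside a handshake; fail closed
        // with a CertificateException instead of a NullPointerException.
        if (session == null) {
            throw new CertificateException("Not in handshake; no session available");
        }
        peerHost = session.getPeerHost();
    }
    // Host-aware custom check first, then the delegate's standard validation.
    checkTrustedCustom(chain, peerHost);
    trustManager.checkServerTrusted(chain, authType, engine);
}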
/**
 * Verifies the peer's hostname using the configured {@link HostnameVerifier}.
 * Does nothing when no verifier is configured or {@code socket} is not an
 * {@link SSLSocket}. On any failure the socket is cleaned up before the
 * exception propagates.
 *
 * @param socket the socket connected to the peer whose hostname is to be verified.
 *
 * @throws SSLException if the hostname does not verify against the peer's certificate,
 * or if there is an error in performing the evaluation
 */
protected void verifyHostname(Socket socket) throws SSLException {
    if (hostnameVerifier == null || !(socket instanceof SSLSocket)) {
        return;
    }
    SSLSocket tlsSocket = (SSLSocket) socket;
    try {
        SSLSession tlsSession = tlsSocket.getSession();
        String peerName = tlsSession.getPeerHost();
        boolean accepted = hostnameVerifier.verify(peerName, tlsSession);
        if (!accepted) {
            throw new SSLPeerUnverifiedException("SSL peer failed hostname validation for name: " + peerName);
        }
    } catch (SSLException e) {
        cleanUpFailedSocket(tlsSocket);
        throw e;
    } catch (Throwable t) {
        // Make sure we close the socket on any kind of Exception, RuntimeException or Error.
        cleanUpFailedSocket(tlsSocket);
        throw new SSLException("Error in hostname verification", t);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
/**
 * Checks the peer's identity (the session's peer host) against {@code cert}, adding the
 * standard identity check on top of an {@code X509TrustManager}. The check only runs when
 * the configured endpoint identification algorithm is HTTPS; for any other value it is a
 * no-op.
 *
 * This method can be applied to both clients and servers.
 *
 * @param session handshake session supplying the peer host; must not be null
 * @param cert the peer certificate the host name is matched against
 * @throws CertificateException if there is no session, or {@code APINameChecker}
 *         rejects the host name / certificate pair
 */
private void checkIdentity(SSLSession session, X509Certificate cert) throws CertificateException {
    if (session == null) {
        throw new CertificateException("No handshake session");
    }
    // Any algorithm other than HTTPS (including none) skips identity checking entirely.
    if (identityAlg != EndpointIdentificationAlgorithm.HTTPS) {
        return;
    }
    String peerHost = session.getPeerHost();
    APINameChecker.verifyAndThrow(peerHost, cert);
}
private static void checkIdentity(SSLSession session,
        X509Certificate cert,
        String algorithm,
        boolean isClient,
        List<SNIServerName> sniNames) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI it sent; a server
    // checking a client certificate goes straight to the peer host.
    String sniHost = isClient ? getHostNameInSNI(sniNames) : null;
    if (sniHost == null) {
        checkIdentity(peerHost, cert, algorithm);
        return;
    }
    try {
        checkIdentity(sniHost, cert, algorithm);
    } catch (CertificateException ce) {
        // A failure against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to the peer host.
        if (sniHost.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, cert, algorithm);
    }
}
static void checkIdentity(SSLSession session,
        X509Certificate [] trustedChain,
        String algorithm,
        boolean checkClientTrusted) throws CertificateException {
    String peerHost = session.getPeerHost();
    // Only a client validating a server consults the SNI names it requested;
    // when checking a client certificate there is no SNI to consider.
    String sniHostName = null;
    if (!checkClientTrusted) {
        List<SNIServerName> sniNames = getRequestedServerNames(session);
        sniHostName = getHostNameInSNI(sniNames);
    }
    // trustedChain[0] is the end-entity certificate; an empty chain surfaces as
    // ArrayIndexOutOfBoundsException here, so callers must pass a non-empty one.
    if (sniHostName == null) {
        checkIdentity(peerHost, trustedChain[0], algorithm);
        return;
    }
    try {
        checkIdentity(sniHostName, trustedChain[0], algorithm);
    } catch (CertificateException ce) {
        // A mismatch against the SNI name is final only when that name is the
        // peer host itself; otherwise fall back to checking the peer host.
        if (sniHostName.equalsIgnoreCase(peerHost)) {
            throw ce;
        }
        checkIdentity(peerHost, trustedChain[0], algorithm);
    }
}
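/**
 * Verifies that the peer host name of {@code socket}'s SSL session equals
 * (case-insensitively) the "Common Name" of the first certificate in the
 * server's chain. Skipped entirely when {@code verifyHostname} is false.
 *
 * <p>This is a CN-only, exact-match comparison: subject alternative names and
 * wildcard names are not considered, so it accepts and rejects a different set
 * of certificates than the platform's endpoint identification would. It also
 * relies on {@code SSLSession.getPeerCertificateChain()}, which is deprecated.
 *
 * @param socket a <code>SSLSocket</code> value whose handshake has completed
 * @exception SSLPeerUnverifiedException If the session reports no peer host
 * name, if there are problems obtaining the server certificates from the SSL
 * session, or if the server host name does not match with the "Common Name"
 * in the server certificates SubjectDN.
 * @exception UnknownHostException If no session can be obtained from the
 * socket. (Failure to resolve the peer host name is only logged.)
 */
protected void verifyHostname(SSLSocket socket)
        throws SSLPeerUnverifiedException, UnknownHostException {
    if (!verifyHostname) {
        return;
    }
    SSLSession session = socket.getSession();
    if (session == null) {
        throw new UnknownHostException("could not obtain session from socket");
    }
    String hostname = session.getPeerHost();
    // getPeerHost() is null when no peer name is known; without this guard the
    // CN comparison below dereferences null instead of failing verification.
    if (hostname == null) {
        throw new SSLPeerUnverifiedException("SSL session has no peer host name to verify");
    }
    try {
        InetAddress.getByName(hostname);
    } catch (UnknownHostException uhe) {
        String msg = "Could not resolve SSL sessions server hostname: " + hostname;
        // Under WebSphere, hostname can be equal to proxy-hostname, so a
        // resolution failure is deliberately logged rather than thrown.
        log.warn(msg, uhe);
    }
    javax.security.cert.X509Certificate[] certs = session.getPeerCertificateChain();
    if (certs == null || certs.length == 0) {
        throw new SSLPeerUnverifiedException("No server certificates found!");
    }
    // The server's DN in its string representation; certs[0] is the end-entity certificate.
    String dn = certs[0].getSubjectDN().getName();
    // Log the whole received chain to help debug problems with installed certs.
    if (log.isInfoEnabled()) {
        log.info("Server certificate chain:");
        for (int i = 0; i < certs.length; i++) {
            log.info("X509Certificate[" + i + "]=" + certs[i]);
        }
    }
    // Compare the common name of the first cert with the session's peer host.
    String cn = getCN(dn);
    if (hostname.equalsIgnoreCase(cn)) {
        if (log.isInfoEnabled()) {
            log.info("Target hostname valid: " + cn);
        }
    } else {
        throw new SSLPeerUnverifiedException(
                "HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
    }
}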
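/**
 * Verifies that the peer host name of {@code socket}'s SSL session equals
 * (case-insensitively) the "Common Name" of the first certificate in the
 * server's chain. Skipped entirely when {@code verifyHostname} is false.
 *
 * <p>This is a CN-only, exact-match comparison: subject alternative names and
 * wildcard names are not considered, so it accepts and rejects a different set
 * of certificates than the platform's endpoint identification would. It also
 * relies on {@code SSLSession.getPeerCertificateChain()}, which is deprecated.
 *
 * @param socket a <code>SSLSocket</code> value whose handshake has completed
 * @exception SSLPeerUnverifiedException If the session reports no peer host
 * name, if there are problems obtaining the server certificates from the SSL
 * session, or if the server host name does not match with the "Common Name"
 * in the server certificates SubjectDN.
 * @exception UnknownHostException If no session can be obtained from the
 * socket, or if the SSL session's server host name cannot be resolved.
 */
private void verifyHostname(SSLSocket socket)
        throws SSLPeerUnverifiedException, UnknownHostException {
    if (!verifyHostname) {
        return;
    }
    SSLSession session = socket.getSession();
    if (session == null) {
        throw new UnknownHostException("could not obtain session from socket");
    }
    String hostname = session.getPeerHost();
    // getPeerHost() is null when no peer name is known; without this guard the
    // CN comparison below dereferences null instead of failing verification.
    if (hostname == null) {
        throw new SSLPeerUnverifiedException("SSL session has no peer host name to verify");
    }
    try {
        // Resolution result is not used; only its success matters here.
        InetAddress.getByName(hostname);
    } catch (UnknownHostException uhe) {
        UnknownHostException wrapped = new UnknownHostException("Could not resolve SSL sessions "
                + "server hostname: " + hostname);
        // UnknownHostException has no (message, cause) constructor; keep the
        // original failure attached instead of dropping it.
        wrapped.initCause(uhe);
        throw wrapped;
    }
    X509Certificate[] certs = session.getPeerCertificateChain();
    if (certs == null || certs.length == 0) {
        throw new SSLPeerUnverifiedException("No server certificates found!");
    }
    // The server's DN in its string representation; certs[0] is the end-entity certificate.
    String dn = certs[0].getSubjectDN().getName();
    // Log the whole received chain to help debug problems with installed certs.
    if (LOG.isDebugEnabled()) {
        LOG.debug("Server certificate chain:");
        for (int i = 0; i < certs.length; i++) {
            LOG.debug("X509Certificate[" + i + "]=" + certs[i]);
        }
    }
    // Compare the common name of the first cert with the session's peer host.
    String cn = getCN(dn);
    if (hostname.equalsIgnoreCase(cn)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Target hostname valid: " + cn);
        }
    } else {
        throw new SSLPeerUnverifiedException(
                "HTTPS hostname invalid: expected '" + hostname + "', received '" + cn + "'");
    }
}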