17 package io.netty.handler.ssl;
18
19 import io.netty.util.internal.SuppressJava6Requirement;
20
21 import javax.net.ssl.SSLEngine;
22 import javax.net.ssl.X509ExtendedTrustManager;
23 import javax.net.ssl.X509TrustManager;
24 import java.net.Socket;
25 import java.security.cert.CertificateException;
26 import java.security.cert.X509Certificate;
27 import java.util.Collection;
28 import java.util.List;
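/**
 * {@link X509ExtendedTrustManager} decorator that leaves the verification verdict of the wrapped manager
 * untouched but, when server verification fails because no subject alternative DNS name matched,
 * rethrows that failure with the dNSName entries found in the presented chain appended to its message.
 * Every path that fails in the wrapped manager still fails here: the original exception is either
 * rethrown as is or becomes the cause of the enriched one. Client-side checks and
 * {@link #getAcceptedIssuers()} are delegated unchanged.
 */
@SuppressJava6Requirement(reason = "Usage guarded by java version check")
final class EnhancingX509ExtendedTrustManager extends X509ExtendedTrustManager {
    /** Prefix of the message the JDK hostname checker uses when no dNSName SAN matched the peer host. */
    private static final String NO_DNS_SAN_MATCH_PREFIX = "No subject alternative DNS name matching";
    /** GeneralName tag of dNSName entries in the lists returned by {@code getSubjectAlternativeNames()}. */
    private static final int SAN_TYPE_DNS_NAME = 2;

    private final X509ExtendedTrustManager wrapped;

    /**
     * @param wrapped the manager that performs the actual verification; must be an
     *                {@link X509ExtendedTrustManager}, the unchecked cast is relied upon by the caller
     */
    EnhancingX509ExtendedTrustManager(X509TrustManager wrapped) {
        this.wrapped = (X509ExtendedTrustManager) wrapped;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        wrapped.checkClientTrusted(chain, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException {
        try {
            wrapped.checkServerTrusted(chain, authType, socket);
        } catch (CertificateException e) {
            throwEnhancedCertificateException(chain, e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        wrapped.checkClientTrusted(chain, authType, engine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException {
        try {
            wrapped.checkServerTrusted(chain, authType, engine);
        } catch (CertificateException e) {
            throwEnhancedCertificateException(chain, e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        wrapped.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            wrapped.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            throwEnhancedCertificateException(chain, e);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return wrapped.getAcceptedIssuers();
    }

    /**
     * Rethrows {@code e}, enriched with the dNSName SAN entries of {@code chain} when its message is the
     * JDK hostname-mismatch message and at least one dNSName is present; otherwise rethrows {@code e}
     * unchanged. Never returns normally.
     *
     * @param chain the chain whose verification failed; may be {@code null}
     * @param e     the original verification failure; always either thrown directly or set as the cause
     * @throws CertificateException always
     */
    private static void throwEnhancedCertificateException(X509Certificate[] chain, CertificateException e)
            throws CertificateException {
        String message = e.getMessage();
        if (message != null && chain != null && message.startsWith(NO_DNS_SAN_MATCH_PREFIX)) {
            String names = joinDnsSubjectAlternativeNames(chain);
            if (!names.isEmpty()) {
                throw new CertificateException(message +
                        " Subject alternative DNS names in the certificate chain of " + chain.length +
                        " certificate(s): " + names, e);
            }
        }
        throw e;
    }

    /**
     * Collects the dNSName subject alternative names of every certificate in {@code chain} into a
     * comma-separated string, in chain order. {@code null} entries, certificates without SANs and
     * certificates whose SAN extension cannot be parsed contribute nothing.
     *
     * @param chain the chain to inspect; must not be {@code null}
     * @return the joined names, or the empty string when none were found
     */
    private static String joinDnsSubjectAlternativeNames(X509Certificate[] chain) {
        StringBuilder names = new StringBuilder(64);
        for (X509Certificate cert : chain) {
            if (cert == null) {
                continue;
            }
            Collection<List<?>> altNameLists;
            try {
                altNameLists = cert.getSubjectAlternativeNames();
            } catch (CertificateException ignored) {
                // getSubjectAlternativeNames() declares CertificateParsingException. The SAN list is only
                // diagnostic detail; a malformed extension must not replace the original verification failure.
                continue;
            }
            if (altNameLists == null) {
                continue;
            }
            for (List<?> altName : altNameLists) {
                // Each entry is [GeneralName tag, value]; for dNSName the value is a String.
                if (altName.size() >= 2 && ((Integer) altName.get(0)).intValue() == SAN_TYPE_DNS_NAME) {
                    if (names.length() != 0) {
                        names.append(',');
                    }
                    names.append((String) altName.get(1));
                }
            }
        }
        return names.toString();
    }
}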