in client/src/main/java/org/apache/qpid/transport/network/security/ssl/SSLUtil.java [123:194]
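/**
 * Verifies that {@code cert} was issued for {@code hostnameExpected}.
 *
 * <p>The expected host name is compared case-insensitively against the
 * certificate's dNSName subjectAltName entries. Only when the certificate
 * carries no dNSName subjectAltName at all is the first CN of the subject DN
 * consulted as a fallback (RFC 6125, section 6.4.4). A certificate name whose
 * left-most label is {@code *} matches exactly one host label, and the
 * wildcard is not honoured for dotted-quad patterns or when fewer than two
 * labels follow it.
 *
 * @param hostnameExpected the host name the client connected to; surrounding
 *        whitespace is ignored and the comparison is case-insensitive
 * @param cert the peer's end-entity certificate
 * @throws TransportException if the certificate's names cannot be read, the
 *         certificate has neither a CN nor a dNSName subjectAltName, or none of
 *         its names matches {@code hostnameExpected}
 */
public static void verifyHostname(final String hostnameExpected, final X509Certificate cert)
{
    // Lower-case with Locale.ROOT: DNS names are case-insensitive, and the
    // default-locale toLowerCase() is not stable (e.g. Turkish 'I' -> dotless i),
    // which would make a valid certificate fail verification on such hosts.
    final String hostName = hostnameExpected.trim().toLowerCase(java.util.Locale.ROOT);
    // RFC 2253 form of the subject; the deprecated getSubjectDN().getName() is
    // implementation-specific and not guaranteed to parse as an LdapName.
    final String dn = cert.getSubjectX500Principal().getName();
    try
    {
        final SortedSet<String> names = dnsSubjectAltNames(cert);
        // RFC 6125 6.4.4: the CN is consulted only when there is no dNSName SAN,
        // so a stray CN cannot widen what a SAN-bearing certificate is valid for.
        if (names.isEmpty())
        {
            addSubjectCommonName(dn, names);
        }
        if (names.isEmpty())
        {
            throw new TransportException("SSL hostname verification failed. Certificate for did not contain CN or DNS subjectAlt");
        }
        boolean match = false;
        for (String name : names)
        {
            if (hostMatches(hostName, name))
            {
                match = true;
                break;
            }
        }
        if (!match)
        {
            throw new TransportException("SSL hostname verification failed." +
                                         " Expected : " + hostnameExpected +
                                         " Found in cert : " + names);
        }
    }
    catch (InvalidNameException e)
    {
        throw new TransportException("SSL hostname verification failed. Could not parse name " + dn, e);
    }
    catch (CertificateParsingException e)
    {
        throw new TransportException("SSL hostname verification failed. Could not parse certificate: " + e.getMessage(), e);
    }
}

/**
 * Collects the dNSName subjectAltName entries of {@code cert}, lower-cased.
 *
 * @param cert the certificate to read
 * @return a new sorted set, empty when the certificate has no dNSName entries
 * @throws CertificateParsingException if the subjectAltName extension cannot be decoded
 */
private static SortedSet<String> dnsSubjectAltNames(final X509Certificate cert) throws CertificateParsingException
{
    final SortedSet<String> names = new TreeSet<>();
    if (cert.getSubjectAlternativeNames() != null)
    {
        for (List<?> entry : cert.getSubjectAlternativeNames())
        {
            // Each entry is [type, value]; for dNSName the value is a String.
            if (DNS_NAME_TYPE.equals(entry.get(0)))
            {
                names.add(((String) entry.get(1)).toLowerCase(java.util.Locale.ROOT));
            }
        }
    }
    return names;
}

/**
 * Adds the first CN attribute of {@code dn} to {@code names}, lower-cased.
 * Nothing is added when the DN has no CN.
 *
 * @param dn the subject DN in a form {@link LdapName} can parse
 * @param names the set to add the CN to
 * @throws InvalidNameException if {@code dn} cannot be parsed
 */
private static void addSubjectCommonName(final String dn, final SortedSet<String> names) throws InvalidNameException
{
    for (Rdn part : new LdapName(dn).getRdns())
    {
        if (part.getType().equalsIgnoreCase("CN"))
        {
            names.add(part.getValue().toString().toLowerCase(java.util.Locale.ROOT));
            return;
        }
    }
}

/**
 * Tells whether the certificate name {@code name} covers {@code hostName}.
 * Both arguments are expected to be lower-cased already.
 *
 * @param hostName the expected host name
 * @param name a CN or dNSName value from the certificate
 * @return {@code true} if the names are equal, or {@code name} is an accepted
 *         wildcard pattern whose single wildcard label stands for the host's
 *         left-most label
 */
private static boolean hostMatches(final String hostName, final String name)
{
    // The wildcard is honoured only as the complete left-most label, only when
    // at least two labels follow it, and never for dotted-quad patterns.
    final boolean doWildcard = name.startsWith("*.") &&
                               name.lastIndexOf('.') >= 3 &&
                               !name.matches("\\*\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");
    if (!doWildcard)
    {
        return hostName.equals(name);
    }
    // The host must end with the suffix after '*', and its first '.' must sit
    // exactly where that suffix begins, so the wildcard spans one label only.
    return hostName.endsWith(name.substring(1))
           && hostName.indexOf('.') == (1 + hostName.length() - name.length());
}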