2

How to get list of all hostnames and IPs that will match certificate (java.security.cert.X509Certificate) including also subject alternative names? I've only found various implementations of javax.net.ssl.HostnameVerifiers.

Martin Ždila

1 Answer

6

How host name verification is tied to certificates is defined in RFC 2818, Section 3.1 (for HTTPS, for other protocols, see RFC 6125, but it's very similar).

In short:

  • Use your instance of X509Certificate and iterate through the result of getSubjectAlternativeNames().
  • Each entry will be a 2-element list. The first one is the type, the second is the actual value.
  • Type 2 is for DNS names, type 7 is for IP addresses. You'll need to treat them separately.
  • If there are any SAN IP address entries, add these addresses to your list of IP addresses.
  • If there are any SAN DNS names entries, add these names to your list of IP addresses.
  • If there aren't any SAN DNS names entries (but there may still be IP SANs AFAIK), you can read the Subject DN of the certificate and extract its CN (Common Name) and add it to your list. (See this question on how to extract the CN. Note that the notion of "most specific" CN in RFC 2818 was an ambiguity acknowledged and addressed in RFC 6125.)

Note that some of the host names in the certificates may contain wildcards, hence you won't be able to build an exhaustive list of possible matches. This problem with wildcards is certainly one of the reasons it usually makes more sense to write a verifier than trying to get a complete list. (Read RFC 2818 Section 3.1 for details about the position, and keep in mind that the dot itself isn't part of the wildcard expression, so *.example.org doesn't match example.org.)

Bruno
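The steps in the answer above, put together as an added example (this is not code from the question or the answer, and it is not a drop-in replacement for a real HostnameVerifier). It reads a PEM or DER certificate from a file path given on the command line, collects the DNS SAN patterns and IP SANs, falls back to the subject CN only when there are no DNS SANs, and applies the RFC 2818 wildcard rule to any host names passed as further arguments. The class name CertNames, the usage string and the decision to compare IP addresses as plain strings are my own assumptions; the SAN type numbers 2 and 7, getSubjectAlternativeNames(), CertificateFactory and javax.naming.ldap.LdapName are standard JDK.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertNames {
    private static final int SAN_DNS_NAME = 2;   // GeneralName tag for dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag for iPAddress

    /** Result holder: DNS name patterns (may contain wildcards) and literal IP addresses. */
    public static final class Names {
        public final List<String> dnsNames = new ArrayList<>();
        public final List<String> ipAddresses = new ArrayList<>();
    }

    /** Collect every name the certificate could be matched against, per RFC 2818 / RFC 6125. */
    public static Names collect(X509Certificate cert) throws CertificateParsingException {
        Names names = new Names();
        // getSubjectAlternativeNames() returns null when the extension is absent
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int type = (Integer) entry.get(0);
                Object value = entry.get(1);
                if (type == SAN_DNS_NAME && value instanceof String) {
                    names.dnsNames.add((String) value);
                } else if (type == SAN_IP_ADDRESS && value instanceof String) {
                    // the JDK renders iPAddress entries as dotted-quad / colon-hex strings
                    names.ipAddresses.add((String) value);
                }
            }
        }
        // Fallback: only consult the subject CN when there are no DNS SANs at all
        if (names.dnsNames.isEmpty()) {
            String cn = subjectCommonName(cert);
            if (cn != null) names.dnsNames.add(cn);
        }
        return names;
    }

    /** Extract the CN attribute from the RFC 2253 form of the subject DN, or null if absent. */
    static String subjectCommonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) {
            // unparseable DN: treat as "no CN" rather than failing open
        }
        return null;
    }

    /** RFC 2818 style match: '*' covers exactly one left-most label and never the bare parent. */
    public static boolean matchesDnsName(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(h);
        String suffix = p.substring(1); // "*.example.org" -> ".example.org"
        if (!h.endsWith(suffix)) return false;
        String head = h.substring(0, h.length() - suffix.length());
        // head must be a single non-empty label: "www" matches, "" and "a.b" do not
        return !head.isEmpty() && head.indexOf('.') < 0;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: CertNames <cert.pem|cert.der> [hostname...]");
            return;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        Names names = collect(cert);
        System.out.println("DNS name patterns: " + names.dnsNames);
        System.out.println("IP addresses:      " + names.ipAddresses);
        for (int i = 1; i < args.length; i++) {
            String host = args[i];
            boolean ok = names.ipAddresses.contains(host)
                    || names.dnsNames.stream().anyMatch(p -> matchesDnsName(p, host));
            System.out.println(host + " -> " + (ok ? "matches" : "no match"));
        }
    }
}
```

Compile with `javac CertNames.java` and run as `java CertNames server.pem www.example.org example.org`. Because wildcard entries are kept as patterns rather than expanded, the printed DNS list is the closest thing to "all hostnames" the certificate can give you; for an IP SAN the comparison is a plain string match, so normalise IPv6 literals before comparing in real code.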