/**
* Check if the certificate allows use of the given DNS name.
*
* <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as
* the identity. Otherwise, the (most specific) Common Name field in the Subject field of the
* certificate MUST be used. Although the use of the Common Name is existing practice, it is
* deprecated and Certification Authorities are encouraged to use the dNSName instead.
*
* <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one
* identity of a given type is present in the certificate (e.g., more than one dNSName name, a
* match in any one of the set is considered acceptable.)
*/
private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames != null) {
boolean foundDNS = false;
for (List<?> next : subjAltNames) {
if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
foundDNS = true;
String dnsName = (String) next.get(1);
if (isMatched(expectedName, dnsName)) {
return;
}
}
}
if (foundDNS) {
// if certificate contains any subject alt names of type DNS
// but none match, reject
throw new CertificateException(
"No subject alternative DNS " + "name matching " + expectedName + " found.");
}
}
X500Name subjectName = getSubjectX500Name(cert);
DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
if (derValue != null) {
try {
if (isMatched(expectedName, derValue.getAsString())) {
return;
}
} catch (IOException e) {
// ignore
}
}
String msg = "No name matching " + expectedName + " found";
throw new CertificateException(msg);
}
@RequestMapping("to_login")
public String ToLogin(HttpServletRequest request, ModelMap map) throws WebException {
try {
// X509Certificate[] clientCertChain = (X509Certificate[])
// request.getAttribute("javax.servlet.request.X509Certificate");
String certString = request.getHeader("client-cert");
if (StringUtils.isEmpty(certString)) {
return LOGINPAGER;
}
certString = certString.replaceAll("\t", "\n");
X509Certificate clientCertChain =
(X509Certificate) new PEMReader(new StringReader(certString), null, "SUN").readObject();
if (clientCertChain == null) {
return LOGINPAGER;
} else {
Principal dn = clientCertChain.getSubjectDN();
X500Name x509Principal = (X500Name) dn;
String uid = x509Principal.getGivenName();
if (StringUtils.isNotEmpty(uid)) {
String[] uids = uid.split(",");
map.put("accountName", uids[1]);
map.put("memberName", uids[0]);
}
}
return LOGINPAGER;
} catch (Exception e) {
throw new WebException("系统错误", e);
}
}
public void invoke(MessageContext context) throws Exception {
context.setProperty("TiempoInicial", new Long(System.currentTimeMillis()));
Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
for (int i = 0; i < result.size(); i++) {
WSHandlerResult res = (WSHandlerResult) result.get(i);
for (int j = 0; j < res.getResults().size(); j++) {
WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
int action = secRes.getAction();
// USER TOKEN
if ((action & WSConstants.UT) > 0) {
WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes.getPrincipal();
// Set user property to user from UT to allow response encryption
context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
// System.out.print("User : "******" password : "******"\n");
SOALocalGISLNWS localGISLNWS = new SOALocalGISLNWS();
Integer idUsuario =
localGISLNWS.obtenerUsuario(principal.getName(), principal.getPassword(), context);
if (idUsuario != null) {
context.setProperty(WSHandlerConstants.USER, idUsuario);
localGISLNWS.comprobarPermisoLogin(context);
}
}
// SIGNATURE
if ((action & WSConstants.SIGN) > 0) {
X509Certificate cert = secRes.getCertificate();
X500Name principal = (X500Name) secRes.getPrincipal();
// Do something whith cert
System.out.print("Signature for : " + principal.getCommonName());
}
}
}
}
public int compare(Object o1, Object o2) {
X509Certificate cert1 = (X509Certificate) o1;
X509Certificate cert2 = (X509Certificate) o2;
/*
* if either cert certifies the target, always
* put at head of list.
*/
if (cert1.getSubjectX500Principal().equals(targetSubjectDN)) {
return -1;
}
if (cert2.getSubjectX500Principal().equals(targetSubjectDN)) {
return 1;
}
int targetDist1;
int targetDist2;
try {
X500Name targetSubjectName = X500Name.asX500Name(targetSubjectDN);
targetDist1 = Builder.targetDistance(null, cert1, targetSubjectName);
targetDist2 = Builder.targetDistance(null, cert2, targetSubjectName);
} catch (IOException e) {
if (debug != null) {
debug.println("IOException in call to Builder.targetDistance");
e.printStackTrace();
}
throw new ClassCastException("Invalid target subject distinguished name");
}
if (targetDist1 == targetDist2) return 0;
if (targetDist1 == -1) return 1;
if (targetDist1 < targetDist2) return -1;
return 1;
}
