/**
  * Check if the certificate allows use of the given DNS name.
  *
  * <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as
  * the identity. Otherwise, the (most specific) Common Name field in the Subject field of the
  * certificate MUST be used. Although the use of the Common Name is existing practice, it is
  * deprecated and Certification Authorities are encouraged to use the dNSName instead.
  *
  * <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one
  * identity of a given type is present in the certificate (e.g., more than one dNSName name, a
  * match in any one of the set is considered acceptable.)
  */
 private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
   Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
   if (subjAltNames != null) {
     boolean foundDNS = false;
     for (List<?> next : subjAltNames) {
       if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
         foundDNS = true;
         String dnsName = (String) next.get(1);
         if (isMatched(expectedName, dnsName)) {
           return;
         }
       }
     }
     if (foundDNS) {
       // if certificate contains any subject alt names of type DNS
       // but none match, reject
       throw new CertificateException(
           "No subject alternative DNS " + "name matching " + expectedName + " found.");
     }
   }
   X500Name subjectName = getSubjectX500Name(cert);
   DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
   if (derValue != null) {
     try {
       if (isMatched(expectedName, derValue.getAsString())) {
         return;
       }
     } catch (IOException e) {
       // ignore
     }
   }
   String msg = "No name matching " + expectedName + " found";
   throw new CertificateException(msg);
 }
Esempio n. 2
0
  @RequestMapping("to_login")
  public String ToLogin(HttpServletRequest request, ModelMap map) throws WebException {
    try {
      // X509Certificate[] clientCertChain = (X509Certificate[])
      // request.getAttribute("javax.servlet.request.X509Certificate");
      String certString = request.getHeader("client-cert");
      if (StringUtils.isEmpty(certString)) {
        return LOGINPAGER;
      }
      certString = certString.replaceAll("\t", "\n");
      X509Certificate clientCertChain =
          (X509Certificate) new PEMReader(new StringReader(certString), null, "SUN").readObject();
      if (clientCertChain == null) {
        return LOGINPAGER;
      } else {
        Principal dn = clientCertChain.getSubjectDN();
        X500Name x509Principal = (X500Name) dn;
        String uid = x509Principal.getGivenName();
        if (StringUtils.isNotEmpty(uid)) {
          String[] uids = uid.split(",");
          map.put("accountName", uids[1]);
          map.put("memberName", uids[0]);
        }
      }

      return LOGINPAGER;
    } catch (Exception e) {
      throw new WebException("系统错误", e);
    }
  }
  public void invoke(MessageContext context) throws Exception {

    context.setProperty("TiempoInicial", new Long(System.currentTimeMillis()));

    Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS);
    for (int i = 0; i < result.size(); i++) {
      WSHandlerResult res = (WSHandlerResult) result.get(i);
      for (int j = 0; j < res.getResults().size(); j++) {
        WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);
        int action = secRes.getAction();
        // USER TOKEN
        if ((action & WSConstants.UT) > 0) {
          WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes.getPrincipal();
          // Set user property to user from UT to allow response encryption
          context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName());
          // System.out.print("User : "******" password : "******"\n");

          SOALocalGISLNWS localGISLNWS = new SOALocalGISLNWS();
          Integer idUsuario =
              localGISLNWS.obtenerUsuario(principal.getName(), principal.getPassword(), context);

          if (idUsuario != null) {
            context.setProperty(WSHandlerConstants.USER, idUsuario);
            localGISLNWS.comprobarPermisoLogin(context);
          }
        }
        // SIGNATURE
        if ((action & WSConstants.SIGN) > 0) {
          X509Certificate cert = secRes.getCertificate();
          X500Name principal = (X500Name) secRes.getPrincipal();
          // Do something whith cert
          System.out.print("Signature for : " + principal.getCommonName());
        }
      }
    }
  }
    public int compare(Object o1, Object o2) {

      X509Certificate cert1 = (X509Certificate) o1;
      X509Certificate cert2 = (X509Certificate) o2;

      /*
       * if either cert certifies the target, always
       * put at head of list.
       */
      if (cert1.getSubjectX500Principal().equals(targetSubjectDN)) {
        return -1;
      }
      if (cert2.getSubjectX500Principal().equals(targetSubjectDN)) {
        return 1;
      }

      int targetDist1;
      int targetDist2;
      try {
        X500Name targetSubjectName = X500Name.asX500Name(targetSubjectDN);
        targetDist1 = Builder.targetDistance(null, cert1, targetSubjectName);
        targetDist2 = Builder.targetDistance(null, cert2, targetSubjectName);
      } catch (IOException e) {
        if (debug != null) {
          debug.println("IOException in call to Builder.targetDistance");
          e.printStackTrace();
        }
        throw new ClassCastException("Invalid target subject distinguished name");
      }

      if (targetDist1 == targetDist2) return 0;

      if (targetDist1 == -1) return 1;

      if (targetDist1 < targetDist2) return -1;

      return 1;
    }