/*
* @(#) $Id: $
*
* Copyright 2009/2010 by sIT Solutions, A-1110 Wien, Geiselbergstr.21-25. All rights reserved.
*/
package at.spardat.xma.boot.comp.data;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import at.spardat.xma.boot.comp.DTDStatics;
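/**
 * Holds the SSL restriction (certificate pinning) for one host: the subject
 * and issuer entries the server certificate is required to carry.
 * <p>
 * Matching is a plain string comparison of comma separated {@code type=value}
 * entries (see {@link #matches(String, List)}); the distinguished name is not
 * parsed. Entries are compared case-sensitively after trimming leading and
 * trailing whitespace, so the restriction must be written exactly the way the
 * caller formats the certificate attributes. Commas inside attribute values
 * are not honoured (see {@link #splitDN(String)}).
 * <p>
 * A restriction whose subject and issuer lists are both empty accepts every
 * certificate: both {@link #matchesSubject(String)} and
 * {@link #matchesIssuer(String)} return {@code true} for an empty list, so a
 * descriptor that leaves both unset pins nothing.
 * <p>
 * No synchronization is done; the package-private setters are intended for
 * the code that parses the descriptor.
 */
public class XMASSLRestriction {

    /** Host this restriction applies to; {@code null} until set. */
    private String hostname;

    /** Required subject entries; an empty list means "no subject restriction". */
    private final List<String> subject = new ArrayList<String>();

    /** Required issuer entries; an empty list means "no issuer restriction". */
    private final List<String> issuer = new ArrayList<String>();

    /**
     * Returns whether the given certificate subject matches the subject
     * restriction.
     *
     * @param attributes a comma separated list of X.509 attributes, not {@code null}
     * @return {@code true} if every entry of the subject restriction is
     *         contained in {@code attributes} (always {@code true} if no
     *         subject restriction is configured)
     * @throws NullPointerException if {@code attributes} is {@code null}
     */
    public boolean matchesSubject(String attributes) {
        return matches(attributes, subject);
    }

    /**
     * Returns whether the given certificate issuer matches the issuer
     * restriction.
     *
     * @param attributes a comma separated list of X.509 attributes, not {@code null}
     * @return {@code true} if every entry of the issuer restriction is
     *         contained in {@code attributes} (always {@code true} if no
     *         issuer restriction is configured)
     * @throws NullPointerException if {@code attributes} is {@code null}
     */
    public boolean matchesIssuer(String attributes) {
        return matches(attributes, issuer);
    }

    /**
     * Returns whether the given X.509 attributes satisfy a restriction list.
     * A match is found if every entry of the restriction list is present in
     * the attribute string; entries of the attribute string that are not in
     * the restriction list are ignored. An empty restriction list matches any
     * attribute string.
     * <p>
     * Example: given the restriction list
     * <pre>
     *   CN=Sample Cert
     *   O=Company Ltd.
     *   C=IE
     * </pre>
     * a match is found for
     * <pre>
     *   CN=Sample Cert, O=Company Ltd., C=IE
     *   CN=Sample Cert, O=Company Ltd., OU=Dept, C=IE
     * </pre>
     * and no match is found for
     * <pre>
     *   CN=Sample Cert, O=Other Company Ltd., C=IE   (O=Company Ltd. is missing)
     *   CN=Sample Cert, C=IE                         (O=Company Ltd. is missing)
     *   CN=Sample Cert, O=Company Ltd., OU=Dept C=IE (C=IE is not a separate entry)
     * </pre>
     *
     * @param attributes a comma separated list of X.509 attributes, not {@code null}
     * @param restrictions the required entries, one trimmed {@code type=value} per element
     * @return {@code true} if all restriction entries are contained in the attributes
     * @throws NullPointerException if {@code attributes} is {@code null}
     */
    private boolean matches(String attributes, List<String> restrictions) {
        if (attributes == null) {
            throw new NullPointerException("attributes");
        }
        // containment of every required entry; extra attributes are ignored,
        // and an empty restriction list is trivially contained
        return splitDN(attributes).containsAll(restrictions);
    }

    /**
     * Replaces the subject restriction with the entries of {@code s}.
     *
     * @param s a comma separated list of required subject entries, not {@code null};
     *          note that an empty string yields one empty entry, not an empty
     *          list (see {@link #splitDN(String)})
     */
    void setSubject(String s) {
        List<String> entries = splitDN(s);
        subject.clear();
        subject.addAll(entries);
    }

    /**
     * Replaces the issuer restriction with the entries of {@code s}.
     *
     * @param s a comma separated list of required issuer entries, not {@code null};
     *          note that an empty string yields one empty entry, not an empty
     *          list (see {@link #splitDN(String)})
     */
    void setIssuer(String s) {
        List<String> entries = splitDN(s);
        issuer.clear();
        issuer.addAll(entries);
    }

    /**
     * Splits a comma separated attribute string into its trimmed entries.
     * <p>
     * The split is on every bare comma, so a value that itself contains a
     * comma (RFC 2253 escaped {@code \,} or quoted) is cut into pieces. Both
     * the configured restriction and the certificate attributes go through
     * this method, so the comparison stays consistent, but such a value cannot
     * be expressed as a single entry. {@code "".split(",")} returns one empty
     * string, so an empty or blank input yields {@code [""]} rather than an
     * empty list.
     *
     * @param s the attribute string, not {@code null}
     * @return the trimmed entries in their original order, never {@code null}
     */
    private List<String> splitDN(String s) {
        String[] parts = s.trim().split(",");
        List<String> entries = new ArrayList<String>(parts.length);
        for (int i = 0; i < parts.length; i++) {
            entries.add(parts[i].trim());
        }
        return entries;
    }

    /**
     * Returns the host this restriction applies to.
     *
     * @return the hostname, or {@code null} if none was set
     */
    public String getHostname() {
        return hostname;
    }

    /**
     * Sets the host this restriction applies to.
     *
     * @param hostname the hostname; {@code null} and the empty string are both
     *                 treated as "not set" by {@link #writeXML(PrintStream)}
     */
    void setHostname(String hostname) {
        this.hostname = hostname;
    }

    /**
     * Writes this restriction as an XML fragment: the SSL restriction element
     * (with the hostname attribute if a non-empty hostname is set), a nested
     * certificate element holding one subject and one issuer element for each
     * non-empty list, and the closing tags. Element and attribute names come
     * from {@link DTDStatics}.
     * <p>
     * Values are written verbatim: neither the hostname nor the entries are
     * XML-escaped, so a value containing {@code "}, {@code <} or {@code &}
     * produces output that is not well-formed.
     *
     * @param ps the stream to write to, not {@code null}
     */
    public void writeXML(PrintStream ps) {
        ps.print(" " + DTDStatics.OPEN + DTDStatics.SSL_RESTRICTION);
        if (hostname != null && hostname.length() > 0) {
            ps.print(DTDStatics.SP + DTDStatics.SSL_RESTRICTION_HOSTNAME + DTDStatics.QUOTE + hostname
                    + DTDStatics.E_QUOTE);
        }
        ps.println(DTDStatics.CLOSE);
        ps.println(" " + DTDStatics.OPEN + DTDStatics.CERTIFICATE + DTDStatics.CLOSE);
        printTag(ps, DTDStatics.SUBJECT, subject);
        printTag(ps, DTDStatics.ISSUER, issuer);
        ps.println(" " + DTDStatics.OPEN + DTDStatics.CLOSE_CHAR + DTDStatics.CERTIFICATE + DTDStatics.CLOSE);
        ps.println(" " + DTDStatics.OPEN + DTDStatics.CLOSE_CHAR + DTDStatics.SSL_RESTRICTION + DTDStatics.CLOSE);
    }

    /**
     * Writes one element containing the entries joined by {@code ", "}, which
     * is the form {@link #splitDN(String)} reads back. Nothing is written for
     * an empty list.
     *
     * @param ps      the stream to write to
     * @param tagname the element name
     * @param values  the entries to write, unescaped
     */
    private void printTag(PrintStream ps, String tagname, List<String> values) {
        if (values.isEmpty()) {
            return;
        }
        StringBuilder line = new StringBuilder();
        line.append(" " + DTDStatics.OPEN + tagname + DTDStatics.CLOSE);
        for (int i = 0; i < values.size(); i++) {
            if (i > 0) {
                line.append(", ");
            }
            line.append(values.get(i));
        }
        line.append(DTDStatics.OPEN + DTDStatics.CLOSE_CHAR + tagname + DTDStatics.CLOSE);
        ps.println(line.toString());
    }

    /**
     * Returns a debug representation of hostname, subject and issuer lists.
     *
     * @return {@code "hostname=<host>, subject=[...], issuer=[...]"}
     */
    @Override
    public String toString() {
        return "hostname=" + hostname + ", subject=" + subject + ", issuer=" + issuer;
    }
}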