获取匹配证书的所有主机名的列表 [英] get list of all hostnames matching certificate

问题描述

如何获取将匹配证书（ java.security.cert.X509Certificate ）的所有主机名和IP的列表，还包括主题备用名称？我只找到 javax.net.ssl.HostnameVerifier 的各种实现。

解决方案

如何将主机名验证与证书绑定在 RFC 2818，第3.1节中定义对于HTTPS，对于其他协议，请参见 RFC 6125 ，但非常相似）。

简而言之：

• 使用您的 X509Certificate 并遍历 <$ c $的结果c> getSubjectAlternativeNames（） 。


• 每个条目都将是一个2元素列表。第一个是类型，第二个是实际值。


• 类型2是DNS名称，类型7是IP地址。


• 如果有任何SAN IP地址条目，请将这些地址添加到您的IP地址列表。


• 如果有任何SAN DNS名称条目，请将这些名称添加到IP地址列表。


• 如果没有任何SAN DNS名称条目（但可能仍有IP SAN AFAIK ），您可以读取证书的主题DN，并提取其CN（公用名称）并将其添加到您的列表。 （有关如何提取CN请参见此问题。请注意，RFC 2818中最具体CN的概念是




请注意，证书中的一些主机名可能包含通配符，因此您赢得了能够构建可能匹配的详尽列表。 wilcards的这个问题肯定是写一个验证器通常比获得一个完整的列表更有意义的原因之一。 （有关位置的详细信息，请阅读RFC 2818第3.1节，并且记住点本身不是通配符表达式的一部分，因此 *。example.org doesn' t match example.org 。）




How to get list of all hostnames and IPs that will match certificate (java.security.cert.X509Certificate) including also subject alternative names? I've only found various implementations of javax.net.ssl.HostnameVerifiers.

解决方案

How host name verification is tied to certificates is defined in RFC 2818, Section 3.1 (for HTTPS, for other protocols, see RFC 6125, but it's very similar).

In short:

• Using your instance of X509Certificate, and iterate through the result of getSubjectAlternativeNames().
• Each entry will be a 2-element list. The first one is the type, the second is the actual value.
• Type 2 is for DNS names, type 7 is for IP addresses. You'll need to treat them separately.
• If there are any SAN IP address entries, add these addresses to your list of IP addresses.
• If there are any SAN DNS names entries, add these names to your list of IP addresses.
• If there aren't any SAN DNS names entries (but there may still be have IP SANs AFAIK), you can read the Subject DN of the certificate and extract its CN (Common Name) and add it to your list. (See this question on how to extract the CN. Note that the notion of "most specific" CN in RFC 2818 was an ambiguity acknowledged and addressed in RFC 6125.)

Note that some of the host names in the certificates may contain wildcards, hence you won't be able to build an exhaustive list of possible matches. This problem with wilcards is certainly one of the reasons it usually makes more sense to write a verifier than trying to get a complete list. (Read RFC 2818 Section 3.1 for details about the position, and keep in mind that the dot itself isn't part of the wildcard expression, so *.example.org doesn't match example.org.)

这篇关于获取匹配证书的所有主机名的列表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！