diff --git a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java index 077ec85e..3f60f672 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java @@ -24,6 +24,9 @@ import java.util.Collection; import java.util.List; +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.SSLPeerUnverifiedException; +import javax.net.ssl.SSLSession; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; @@ -31,7 +34,7 @@ /** * Trust manager that works with a {@link TrustedCertificateConfiguration}. */ -public class TrustedCertificateConfigurationTrustManager implements X509TrustManager { +public class TrustedCertificateConfigurationTrustManager implements X509TrustManager, HostnameVerifier { private final Collection publicPkiDelegates; private final Collection privateTrustStoreDelegates; @@ -162,4 +165,22 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } + + @Override + public boolean verify(String hostname, SSLSession session) { + if (config.isHostnameVerifierEnabled()) { + if (session.getPeerHost() != null && config.getHost().getHost().equals(session.getPeerHost())) { + return true; + } else { + try { + throw new SSLPeerUnverifiedException("Cannot verify hostname: " + hostname); + } catch (SSLPeerUnverifiedException e) { + e.printStackTrace(); + } + return false; + } + } else { + return true; + } + } } \ No newline at end of file diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java index 403a4b08..fbf89685 100644 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java @@ -24,6 +24,7 @@ public interface MASSecurityConfiguration { boolean isPublic(); boolean trustPublicPki(); boolean allowSSLPinning(); + boolean isHostnameVerifierEnabled(); List getCertificates(); List getPublicKeyHashes(); @@ -32,6 +33,7 @@ class Builder { private boolean isPublic; private boolean allowSSLPinning = true; private boolean trustPublicPKI; + private boolean isHostVerifyEnable; private List certificates; private List publicKeyHashes; @@ -68,6 +70,16 @@ public Builder allowSSLPinning(boolean sslPinning) { return this; } + /** + * Determines whether or not to include sensitive credentials from primary gateway in the network communication with the target host. + * @param enable to include or not + * @return the builder object + */ + public Builder enableHostnameVerifier(boolean enable) { + this.isHostVerifyEnable = enable; + return this; + } + /** * The URI of the designated host. * @param host URI for the host @@ -150,6 +162,11 @@ public boolean trustPublicPki() { public boolean allowSSLPinning() { return allowSSLPinning; } + + @Override + public boolean isHostnameVerifierEnabled() { + return isHostVerifyEnable; + } }; } }