Package org.minidns.dane

Class DaneVerifier

java.lang.Object

org.minidns.dane.DaneVerifier

public class DaneVerifier
extends Object

A helper class to validate the usage of TLSA records.

Constructor Summary

Constructors

Constructor	Description
DaneVerifier()
DaneVerifier(DnssecClient client)

Method Summary

Modifier and Type	Method	Description
HttpsURLConnection	verifiedConnect(HttpsURLConnection conn)	Invokes URLConnection.connect() in a DANE verified fashion.
HttpsURLConnection	verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager)	Invokes URLConnection.connect() in a DANE verified fashion.
boolean	verify(SSLSession session)	Verifies the certificate chain in an active SSLSession.
boolean	verify(SSLSocket socket)	Verifies the certificate chain in an active SSLSocket.
boolean	verifyCertificateChain(X509Certificate[] chain, String hostName, int port)	Verifies a certificate chain to be valid when used with the given connection details using DANE.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DaneVerifier

public DaneVerifier()

DaneVerifier

public DaneVerifier(DnssecClient client)

Method Detail

verify

public boolean verify(SSLSocket socket)
               throws CertificateException

Verifies the certificate chain in an active SSLSocket. The socket must be connected.

Parameters:

socket - A connected SSLSocket whose certificate chain shall be verified using DANE.

Returns:

Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.

Throws:

CertificateException - if the certificate chain provided differs from the one enforced using DANE.

verify

public boolean verify(SSLSession session)
               throws CertificateException

Verifies the certificate chain in an active SSLSession.

Parameters:

session - An active SSLSession whose certificate chain shall be verified using DANE.

Returns:

Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.

Throws:

CertificateException - if the certificate chain provided differs from the one enforced using DANE.

verifyCertificateChain

public boolean verifyCertificateChain(X509Certificate[] chain,
                                      String hostName,
                                      int port)
                               throws CertificateException

Verifies a certificate chain to be valid when used with the given connection details using DANE.

Parameters:

chain - A certificate chain that should be verified using DANE.

hostName - The DNS name of the host this certificate chain belongs to.

port - The port number that was used to reach the server providing the certificate chain in question.

Returns:

Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.

Throws:

CertificateException - if the certificate chain provided differs from the one enforced using DANE.

verifiedConnect

public HttpsURLConnection verifiedConnect(HttpsURLConnection conn)
                                   throws IOException,
                                          CertificateException

Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored. You can use verifiedConnect(HttpsURLConnection, X509TrustManager) to inject a custom TrustManager.

Parameters:

conn - connection to be connected.

Returns:

The HttpsURLConnection after being connected.

Throws:

IOException - when the connection could not be established.

CertificateException - if there was an exception while verifying the certificate.

verifiedConnect

public HttpsURLConnection verifiedConnect(HttpsURLConnection conn,
                                          X509TrustManager trustManager)
                                   throws IOException,
                                          CertificateException

Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored.

Parameters:

conn - connection to be connected.

trustManager - A non-default TrustManager to be used.

Returns:

The HttpsURLConnection after being connected.

Throws:

IOException - when the connection could not be established.

CertificateException - if there was an exception while verifying the certificate.