Package org.minidns.dane
Class DaneVerifier

java.lang.Object
    org.minidns.dane.DaneVerifier

public class DaneVerifier extends Object
A helper class to validate the usage of TLSA records.

Constructor Summary
Constructors:
    DaneVerifier()
    DaneVerifier(DnssecClient client)

Method Summary
Modifier and Type, Method, Description:
    HttpsURLConnection  verifiedConnect(HttpsURLConnection conn)
        Invokes URLConnection.connect() in a DANE verified fashion.
    HttpsURLConnection  verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager)
        Invokes URLConnection.connect() in a DANE verified fashion.
    boolean  verify(SSLSession session)
        Verifies the certificate chain in an active SSLSession.
    boolean  verify(SSLSocket socket)
        Verifies the certificate chain in an active SSLSocket.
    boolean  verifyCertificateChain(X509Certificate[] chain, String hostName, int port)
        Verifies a certificate chain to be valid when used with the given connection details using DANE.

Constructor Detail

DaneVerifier
public DaneVerifier()

DaneVerifier
public DaneVerifier(DnssecClient client)

Method Detail

verify
public boolean verify(SSLSocket socket) throws CertificateException
Verifies the certificate chain in an active SSLSocket. The socket must be connected.
Parameters:
    socket - A connected SSLSocket whose certificate chain shall be verified using DANE.
Returns:
    Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
    CertificateException - if the certificate chain provided differs from the one enforced using DANE.

verify
public boolean verify(SSLSession session) throws CertificateException
Verifies the certificate chain in an active SSLSession.
Parameters:
    session - An active SSLSession whose certificate chain shall be verified using DANE.
Returns:
    Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
    CertificateException - if the certificate chain provided differs from the one enforced using DANE.

verifyCertificateChain
public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException
Verifies a certificate chain to be valid when used with the given connection details using DANE.
Parameters:
    chain - A certificate chain that should be verified using DANE.
    hostName - The DNS name of the host this certificate chain belongs to.
    port - The port number that was used to reach the server providing the certificate chain in question.
Returns:
    Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
    CertificateException - if the certificate chain provided differs from the one enforced using DANE.
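
The return value of the verify methods is easy to misread: false does not mean rejection, it means PKIX validation is still required. The following is an added example, not code from MiniDNS; the class DaneThenPkix and its check method are hypothetical names, and the caller is assumed to supply the chain, the authType string, the host and the port from its own TLS handshake.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.minidns.dane.DaneVerifier;

/** Hypothetical helper (not part of MiniDNS): DANE check first, PKIX when DANE alone is not sufficient. */
public final class DaneThenPkix {
    private final DaneVerifier dane = new DaneVerifier();
    private final X509TrustManager pkix;

    public DaneThenPkix() throws Exception {
        // Build a PKIX trust manager from the platform's default trust anchors.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("No X509TrustManager available");
        }
        pkix = found;
    }

    /**
     * Throws CertificateException if the chain must be rejected; returns normally otherwise.
     * authType is the authentication type string the caller's TLS stack supplies (e.g. "ECDHE_RSA").
     */
    public void check(X509Certificate[] chain, String authType, String host, int port)
            throws CertificateException {
        // Throws if the chain differs from the one enforced using DANE.
        boolean daneIsSufficient = dane.verifyCertificateChain(chain, host, port);
        if (!daneIsSufficient) {
            // false is not a failure: it means PKIX validation is still required.
            pkix.checkServerTrusted(chain, authType);
            // This call validates the chain only; host name matching is the caller's job.
        }
    }
}
```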

verifiedConnect
public HttpsURLConnection verifiedConnect(HttpsURLConnection conn) throws IOException, CertificateException
Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If an SSLSocketFactory was set on this HttpsURLConnection, it will be ignored. You can use verifiedConnect(HttpsURLConnection, X509TrustManager) to inject a custom TrustManager.
Parameters:
    conn - connection to be connected.
Returns:
    The HttpsURLConnection after being connected.
Throws:
    IOException - when the connection could not be established.
    CertificateException - if there was an exception while verifying the certificate.

verifiedConnect
public HttpsURLConnection verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager) throws IOException, CertificateException
Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If an SSLSocketFactory was set on this HttpsURLConnection, it will be ignored.
Parameters:
    conn - connection to be connected.
    trustManager - A non-default TrustManager to be used.
Returns:
    The HttpsURLConnection after being connected.
Throws:
    IOException - when the connection could not be established.
    CertificateException - if there was an exception while verifying the certificate.