Class DaneVerifier


  • public class DaneVerifier
    extends java.lang.Object
    A helper class that validates a TLS server's certificate chain against the TLSA records published for the host and port it was reached on (DANE, RFC 6698). Each method reports one of three outcomes: DANE alone is sufficient (true), PKIX validation is still required (false), or the chain does not match the TLSA record (CertificateException).
    • Method Summary

      Modifier and Type                  Method and Description
      javax.net.ssl.HttpsURLConnection   verifiedConnect(javax.net.ssl.HttpsURLConnection conn)
                                         Invokes URLConnection.connect() in a DANE verified fashion.
      javax.net.ssl.HttpsURLConnection   verifiedConnect(javax.net.ssl.HttpsURLConnection conn, javax.net.ssl.X509TrustManager trustManager)
                                         Invokes URLConnection.connect() in a DANE verified fashion, using the given TrustManager instead of the default one.
      boolean                            verify(javax.net.ssl.SSLSession session)
                                         Verifies the certificate chain in an active SSLSession.
      boolean                            verify(javax.net.ssl.SSLSocket socket)
                                         Verifies the certificate chain in an active SSLSocket.
      boolean                            verifyCertificateChain(java.security.cert.X509Certificate[] chain, java.lang.String hostName, int port)
                                         Verifies a certificate chain to be valid when used with the given connection details using DANE.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • verify

        public boolean verify(javax.net.ssl.SSLSocket socket)
                       throws java.security.cert.CertificateException
        Verifies the certificate chain in an active SSLSocket. The socket must be connected.
        Parameters:
        socket - A connected SSLSocket whose certificate chain shall be verified using DANE.
        Returns:
        true if, according to the certificate usage of the TLSA record, DANE verification is the only requirement; false if additional PKIX validation is still required. A false return is not a failed check: a chain that does not match the TLSA record is reported by the CertificateException below.
        Throws:
        java.security.cert.CertificateException - if the certificate chain provided differs from the one enforced using DANE.
      • verify

        public boolean verify(javax.net.ssl.SSLSession session)
                       throws java.security.cert.CertificateException
        Verifies the certificate chain in an active SSLSession.
        Parameters:
        session - An active SSLSession whose certificate chain shall be verified using DANE.
        Returns:
        true if, according to the certificate usage of the TLSA record, DANE verification is the only requirement; false if additional PKIX validation is still required. A false return is not a failed check: a chain that does not match the TLSA record is reported by the CertificateException below.
        Throws:
        java.security.cert.CertificateException - if the certificate chain provided differs from the one enforced using DANE.
      • verifyCertificateChain

        public boolean verifyCertificateChain(java.security.cert.X509Certificate[] chain,
                                              java.lang.String hostName,
                                              int port)
                                       throws java.security.cert.CertificateException
        Verifies a certificate chain to be valid when used with the given connection details using DANE.
        Parameters:
        chain - A certificate chain that should be verified using DANE.
        hostName - The DNS name of the host this certificate chain belongs to.
        port - The port number that was used to reach the server providing the certificate chain in question.
        Returns:
        true if, according to the certificate usage of the TLSA record, DANE verification is the only requirement; false if additional PKIX validation is still required. A false return is not a failed check: a chain that does not match the TLSA record is reported by the CertificateException below.
        Throws:
        java.security.cert.CertificateException - if the certificate chain provided differs from the one enforced using DANE.
      • verifiedConnect

        public javax.net.ssl.HttpsURLConnection verifiedConnect(javax.net.ssl.HttpsURLConnection conn)
                                                         throws java.io.IOException,
                                                                java.security.cert.CertificateException
        Invokes URLConnection.connect() in a DANE verified fashion. Call this method on a connection that has not yet been connected; it performs the URLConnection.connect() itself, so do not call connect() first. If an SSLSocketFactory was set on this HttpsURLConnection, it is ignored. Use verifiedConnect(HttpsURLConnection, X509TrustManager) to inject a custom TrustManager.
        Parameters:
        conn - connection to be connected.
        Returns:
        The HttpsURLConnection after being connected.
        Throws:
        java.io.IOException - when the connection could not be established.
        java.security.cert.CertificateException - if the certificate chain presented by the server could not be verified using DANE.
      • verifiedConnect

        public javax.net.ssl.HttpsURLConnection verifiedConnect(javax.net.ssl.HttpsURLConnection conn,
                                                                javax.net.ssl.X509TrustManager trustManager)
                                                         throws java.io.IOException,
                                                                java.security.cert.CertificateException
        Invokes URLConnection.connect() in a DANE verified fashion, using trustManager in place of the default TrustManager. Call this method on a connection that has not yet been connected; it performs the URLConnection.connect() itself, so do not call connect() first. If an SSLSocketFactory was set on this HttpsURLConnection, it is ignored.
        Parameters:
        conn - connection to be connected.
        trustManager - A non-default TrustManager to be used.
        Returns:
        The HttpsURLConnection after being connected.
        Throws:
        java.io.IOException - when the connection could not be established.
        java.security.cert.CertificateException - if the certificate chain presented by the server could not be verified using DANE.
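
The following Java class is an added example, not code from this page or from the library it documents. It shows both ways of using DaneVerifier described above: verifiedConnect(HttpsURLConnection, X509TrustManager) for HTTPS, and the manual verify(SSLSocket) flow with the boolean result handled as the method detail specifies (true: DANE alone is sufficient; false: PKIX validation still required; CertificateException: the chain does not match the TLSA record). The manual flow also covers the case verifiedConnect handles internally: a DANE-EE certificate that the JVM's default trust store would reject during the handshake, so the handshake-time decision is deferred to a post-handshake check. Assumed and not stated on this page: the package name org.minidns.dane, a public no-argument DaneVerifier constructor, and the placeholder host name.

```java
// Added example; not part of the DaneVerifier documentation or the library's own code.
// Assumptions not stated on the page: DaneVerifier lives in org.minidns.dane and has a
// public no-arg constructor; "example.org" is a placeholder that must publish TLSA records.
import java.io.IOException;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.minidns.dane.DaneVerifier;

public class DaneVerifierExample {

    /** The JVM's default PKIX trust manager; used only when the TLSA record still requires PKIX. */
    static X509TrustManager defaultPkixTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = the default cacerts store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in the default TrustManagerFactory");
    }

    /**
     * Defers the server-chain decision to the post-handshake DANE check. It accepts every chain
     * during the handshake, so it is ONLY safe when checkDaneThenPkix() runs on the socket before
     * any application data is sent or trusted (see connectWithDane()).
     */
    static final class DeferringTrustManager implements X509TrustManager {
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { /* deferred */ }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client authentication not supported");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * DANE first, PKIX only if the TLSA record still requires it. Three outcomes:
     * true -> DANE alone is sufficient; false -> also run PKIX;
     * CertificateException -> chain does not match the TLSA record, reject the connection.
     */
    static void checkDaneThenPkix(SSLSocket socket, DaneVerifier dane, X509TrustManager pkix)
            throws IOException, CertificateException {
        boolean daneSufficient = dane.verify(socket); // throws on TLSA mismatch
        if (daneSufficient) {
            return;
        }
        Certificate[] peer = socket.getSession().getPeerCertificates();
        X509Certificate[] chain = Arrays.copyOf(peer, peer.length, X509Certificate[].class);
        // "UNKNOWN" is the generic authType JSSE uses for TLS 1.3 server chains; the default PKIX
        // trust manager accepts it. Host identity is already bound by the TLSA lookup for the peer.
        pkix.checkServerTrusted(chain, "UNKNOWN");
    }

    /** Opens a TLS connection with the deferring trust manager, then runs the combined check. */
    static SSLSocket connectWithDane(String host, int port, DaneVerifier dane, X509TrustManager pkix)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DeferringTrustManager() }, null);
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            socket.startHandshake();          // verify(SSLSocket) requires a connected socket
            checkDaneThenPkix(socket, dane, pkix);
            return socket;                    // only now is the socket safe to use
        } catch (IOException | CertificateException e) {
            socket.close();                   // never hand back a socket whose chain was rejected
            throw e;
        }
    }

    /** HTTPS: verifiedConnect() connects and verifies; connect() must not be called beforehand. */
    static int fetchStatus(String url, DaneVerifier dane, X509TrustManager pkix)
            throws IOException, CertificateException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Any SSLSocketFactory set on conn would be ignored; pkix replaces the default trust manager.
        dane.verifiedConnect(conn, pkix);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org"; // placeholder host
        DaneVerifier dane = new DaneVerifier();
        X509TrustManager pkix = defaultPkixTrustManager();

        System.out.println("HTTPS status: " + fetchStatus("https://" + host + "/", dane, pkix));

        try (SSLSocket socket = connectWithDane(host, 443, dane, pkix)) {
            System.out.println("DANE check passed, negotiated " + socket.getSession().getCipherSuite());
        }
    }
}
```

The DeferringTrustManager is the part to handle with care: on its own it disables certificate validation, which is why connectWithDane() closes the socket and rethrows if checkDaneThenPkix() fails, and returns it only after the check has passed. For HTTPS there is no such exposure, because verifiedConnect() installs its own socket factory and performs the check before returning the connected HttpsURLConnection.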