Package org.minidns.dane
Class DaneVerifier
- java.lang.Object
-
- org.minidns.dane.DaneVerifier
-
public class DaneVerifier extends java.lang.Object
A helper class to validate the usage of TLSA records.
-
-
Constructor Summary
Constructors Constructor Description DaneVerifier()
DaneVerifier(DnssecClient client)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description javax.net.ssl.HttpsURLConnection
verifiedConnect(javax.net.ssl.HttpsURLConnection conn)
InvokesURLConnection.connect()
in a DANE verified fashion.javax.net.ssl.HttpsURLConnection
verifiedConnect(javax.net.ssl.HttpsURLConnection conn, javax.net.ssl.X509TrustManager trustManager)
InvokesURLConnection.connect()
in a DANE verified fashion.boolean
verify(javax.net.ssl.SSLSession session)
Verifies the certificate chain in an activeSSLSession
.boolean
verify(javax.net.ssl.SSLSocket socket)
Verifies the certificate chain in an activeSSLSocket
.boolean
verifyCertificateChain(java.security.cert.X509Certificate[] chain, java.lang.String hostName, int port)
Verifies a certificate chain to be valid when used with the given connection details using DANE.
-
-
-
Constructor Detail
-
DaneVerifier
public DaneVerifier()
-
DaneVerifier
public DaneVerifier(DnssecClient client)
-
-
Method Detail
-
verify
public boolean verify(javax.net.ssl.SSLSocket socket) throws java.security.cert.CertificateException
Verifies the certificate chain in an activeSSLSocket
. The socket must be connected.- Parameters:
socket
- A connectedSSLSocket
whose certificate chain shall be verified using DANE.- Returns:
- Whether the DANE verification is the only requirement according to the TLSA record.
If this method returns
false
, additional PKIX validation is required. - Throws:
java.security.cert.CertificateException
- if the certificate chain provided differs from the one enforced using DANE.
-
verify
public boolean verify(javax.net.ssl.SSLSession session) throws java.security.cert.CertificateException
Verifies the certificate chain in an activeSSLSession
.- Parameters:
session
- An activeSSLSession
whose certificate chain shall be verified using DANE.- Returns:
- Whether the DANE verification is the only requirement according to the TLSA record.
If this method returns
false
, additional PKIX validation is required. - Throws:
java.security.cert.CertificateException
- if the certificate chain provided differs from the one enforced using DANE.
-
verifyCertificateChain
public boolean verifyCertificateChain(java.security.cert.X509Certificate[] chain, java.lang.String hostName, int port) throws java.security.cert.CertificateException
Verifies a certificate chain to be valid when used with the given connection details using DANE.- Parameters:
chain
- A certificate chain that should be verified using DANE.hostName
- The DNS name of the host this certificate chain belongs to.port
- The port number that was used to reach the server providing the certificate chain in question.- Returns:
- Whether the DANE verification is the only requirement according to the TLSA record.
If this method returns
false
, additional PKIX validation is required. - Throws:
java.security.cert.CertificateException
- if the certificate chain provided differs from the one enforced using DANE.
-
verifiedConnect
public javax.net.ssl.HttpsURLConnection verifiedConnect(javax.net.ssl.HttpsURLConnection conn) throws java.io.IOException, java.security.cert.CertificateException
InvokesURLConnection.connect()
in a DANE verified fashion. This method must be called beforeURLConnection.connect()
is invoked. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored. You can useverifiedConnect(HttpsURLConnection, X509TrustManager)
to inject a customTrustManager
.- Parameters:
conn
- connection to be connected.- Returns:
- The
HttpsURLConnection
after being connected. - Throws:
java.io.IOException
- when the connection could not be established.java.security.cert.CertificateException
- if there was an exception while verifying the certificate.
-
verifiedConnect
public javax.net.ssl.HttpsURLConnection verifiedConnect(javax.net.ssl.HttpsURLConnection conn, javax.net.ssl.X509TrustManager trustManager) throws java.io.IOException, java.security.cert.CertificateException
InvokesURLConnection.connect()
in a DANE verified fashion. This method must be called beforeURLConnection.connect()
is invoked. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored.- Parameters:
conn
- connection to be connected.trustManager
- A non-defaultTrustManager
to be used.- Returns:
- The
HttpsURLConnection
after being connected. - Throws:
java.io.IOException
- when the connection could not be established.java.security.cert.CertificateException
- if there was an exception while verifying the certificate.
-
-