Package org.minidns.dane
Class DaneVerifier
java.lang.Object
org.minidns.dane.DaneVerifier
A helper class to validate the usage of TLSA records.
-
Constructor Summary
Constructors
Method Summary
Modifier and Type | Method | Description
HttpsURLConnection | verifiedConnect(HttpsURLConnection conn) | Invokes URLConnection.connect() in a DANE verified fashion.
HttpsURLConnection | verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager) | Invokes URLConnection.connect() in a DANE verified fashion.
boolean | verify(SSLSession session) | Verifies the certificate chain in an active SSLSession.
boolean | verify(SSLSocket socket) | Verifies the certificate chain in an active SSLSocket.
boolean | verifyCertificateChain(X509Certificate[] chain, String hostName, int port) | Verifies a certificate chain to be valid when used with the given connection details using DANE.
-
Constructor Details
-
DaneVerifier
public DaneVerifier()
DaneVerifier
-
-
Method Details
-
verify
Verifies the certificate chain in an active SSLSocket. The socket must be connected.
Parameters:
socket - A connected SSLSocket whose certificate chain shall be verified using DANE.
Returns:
Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
CertificateException - if the certificate chain provided differs from the one enforced using DANE.
-
verify
Verifies the certificate chain in an active SSLSession.
Parameters:
session - An active SSLSession whose certificate chain shall be verified using DANE.
Returns:
Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
CertificateException - if the certificate chain provided differs from the one enforced using DANE.
-
verifyCertificateChain
public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException
Verifies a certificate chain to be valid when used with the given connection details using DANE.
Parameters:
chain - A certificate chain that should be verified using DANE.
hostName - The DNS name of the host this certificate chain belongs to.
port - The port number that was used to reach the server providing the certificate chain in question.
Returns:
Whether the DANE verification is the only requirement according to the TLSA record. If this method returns false, additional PKIX validation is required.
Throws:
CertificateException - if the certificate chain provided differs from the one enforced using DANE.
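The return contract above (true: DANE alone decides; false: the chain must also pass PKIX validation) is easiest to honour from inside an X509TrustManager. The following is an added example, not part of MiniDNS: a hypothetical DaneThenPkixTrustManager that calls verifyCertificateChain and delegates to the JVM's default PKIX trust manager only when DANE is not sufficient; the class name and the hostName/port fields are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.minidns.dane.DaneVerifier;

// Hypothetical wrapper (not part of MiniDNS): DANE first, PKIX only when the TLSA record does not make DANE the sole requirement.
public final class DaneThenPkixTrustManager implements X509TrustManager {
    private final DaneVerifier daneVerifier = new DaneVerifier();
    private final X509TrustManager pkix;
    private final String hostName; // DNS name the TLSA lookup is based on
    private final int port;        // port used to reach the server

    public DaneThenPkixTrustManager(String hostName, int port) throws GeneralSecurityException {
        this.hostName = hostName;
        this.port = port;
        this.pkix = defaultPkixTrustManager();
    }
    // Platform default trust manager (JVM trust store), used only for the PKIX fallback.
    private static X509TrustManager defaultPkixTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Throws CertificateException when the chain differs from the one enforced by the TLSA record.
        boolean daneIsSufficient = daneVerifier.verifyCertificateChain(chain, hostName, port);
        if (!daneIsSufficient) {
            // The TLSA usage also requires the chain to be valid under ordinary PKIX rules.
            pkix.checkServerTrusted(chain, authType);
        }
    }
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType); // DANE pins servers; client certs stay on PKIX
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pkix.getAcceptedIssuers();
    }
}
```

A trust manager does not perform hostname verification; HttpsURLConnection still applies its HostnameVerifier separately, so this class complements that check rather than replacing it.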
-
verifiedConnect
public HttpsURLConnection verifiedConnect(HttpsURLConnection conn) throws IOException, CertificateException
Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If an SSLSocketFactory was set on this HttpsURLConnection, it will be ignored. You can use verifiedConnect(HttpsURLConnection, X509TrustManager) to inject a custom TrustManager.
Parameters:
conn - connection to be connected.
Returns:
The HttpsURLConnection after being connected.
Throws:
IOException - when the connection could not be established.
CertificateException - if there was an exception while verifying the certificate.
-
verifiedConnect
public HttpsURLConnection verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager) throws IOException, CertificateException
Invokes URLConnection.connect() in a DANE verified fashion. This method must be called before URLConnection.connect() is invoked. If an SSLSocketFactory was set on this HttpsURLConnection, it will be ignored.
Parameters:
conn - connection to be connected.
trustManager - A non-default TrustManager to be used.
Returns:
The HttpsURLConnection after being connected.
Throws:
IOException - when the connection could not be established.
CertificateException - if there was an exception while verifying the certificate.
-