Class DaneVerifier

java.lang.Object
org.minidns.dane.DaneVerifier

public class DaneVerifier extends Object
A helper class to validate the usage of TLSA records.
  • Constructor Details

    • DaneVerifier

      public DaneVerifier()
    • DaneVerifier

      public DaneVerifier(DnssecClient client)
  • Method Details

    • verify

      public boolean verify(SSLSocket socket) throws CertificateException
      Verifies the certificate chain in an active SSLSocket. The socket must be connected.
      Parameters:
      socket - A connected SSLSocket whose certificate chain shall be verified using DANE.
      Returns:
true if, according to the TLSA record, DANE verification alone is sufficient to trust the chain; false if the chain must additionally pass PKIX validation.
      Throws:
      CertificateException - if the certificate chain provided differs from the one enforced using DANE.
    • verify

      public boolean verify(SSLSession session) throws CertificateException
      Verifies the certificate chain in an active SSLSession.
      Parameters:
      session - An active SSLSession whose certificate chain shall be verified using DANE.
      Returns:
true if, according to the TLSA record, DANE verification alone is sufficient to trust the chain; false if the chain must additionally pass PKIX validation.
      Throws:
      CertificateException - if the certificate chain provided differs from the one enforced using DANE.
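The two verify overloads apply DANE on top of an already established TLS connection. The following added example (not MiniDNS's own code) opens a socket with the platform default SSLSocketFactory, so PKIX validation and hostname checking already run during the handshake, and then calls verify(SSLSocket). A false return therefore means trust rested on that PKIX check, which is only acceptable because the default trust manager was used; with a permissive trust manager the same false would have to be treated as a failure. The DaneVerifier is built from DnssecClient's no-argument constructor; the host and port in main are placeholders.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.minidns.dane.DaneVerifier;
import org.minidns.dnssec.DnssecClient;

public final class DaneSocketCheck {

    // DnssecClient validates the DNSSEC chain itself, so the TLSA data is
    // authenticated even when the upstream recursive resolver is not trusted.
    private static final DaneVerifier VERIFIER = new DaneVerifier(new DnssecClient());

    /**
     * Connects with the default SSLSocketFactory (PKIX during the handshake) and
     * then enforces DANE. Returns true if DANE alone was sufficient according to
     * the TLSA record, false if trust rested on the PKIX check of the handshake.
     * Throws CertificateException if the served chain contradicts the TLSA record.
     */
    static boolean connectWithDane(String host, int port) throws IOException, CertificateException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // Raw SSLSockets do not verify the hostname unless asked to.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake(); // PKIX validation by the default trust manager happens here
            return VERIFIER.verify(socket); // socket is connected, as verify(SSLSocket) requires
        }
    }

    /** Same check when only the session is at hand, e.g. in a HandshakeCompletedListener. */
    static boolean checkSession(SSLSession session) throws CertificateException {
        return VERIFIER.verify(session);
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "example.org"; // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try {
            boolean daneOnly = connectWithDane(host, port);
            System.out.println(daneOnly
                    ? "chain accepted by DANE alone"
                    : "chain accepted by PKIX; TLSA record did not make DANE sufficient on its own");
        } catch (CertificateException e) {
            // Mismatch against a validated TLSA record: never fall back to an unverified connection.
            System.err.println("DANE verification failed: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

The ordering matters: verify(SSLSocket) needs the handshake to have completed, so startHandshake() (or any read/write, which triggers it) must come first.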
    • verifyCertificateChain

      public boolean verifyCertificateChain(X509Certificate[] chain, String hostName, int port) throws CertificateException
Verifies, using DANE, that a certificate chain is valid for the given host name and port.
      Parameters:
      chain - A certificate chain that should be verified using DANE.
hostName - The DNS name of the host this certificate chain belongs to.
port - The TCP port number that was used to reach the server providing the certificate chain in question. Together with hostName it identifies the TLSA record to consult (owner name _<port>._tcp.<hostName>, RFC 6698).
      Returns:
true if, according to the TLSA record, DANE verification alone is sufficient to trust the chain; false if the chain must additionally pass PKIX validation.
      Throws:
      CertificateException - if the certificate chain provided differs from the one enforced using DANE.
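verifyCertificateChain is the building block for wiring DANE into a TrustManager, where the return value is easy to misread: false is not a rejection, it means PKIX must still pass. The following added example (not MiniDNS's own code) is an X509TrustManager that calls verifyCertificateChain first and delegates to the platform default PKIX trust manager only when DANE alone was not sufficient. Because a plain X509TrustManager callback carries neither host nor port, the example takes both in its constructor, so one instance is built per target; the DaneVerifier is assumed to be constructed from DnssecClient's no-argument constructor.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.minidns.dane.DaneVerifier;

/**
 * DANE first, PKIX second. Added example, not part of MiniDNS.
 * Server-side (client authentication) checks are refused.
 */
public final class DaneFirstTrustManager implements X509TrustManager {
    private final DaneVerifier dane;
    private final X509TrustManager pkix;
    private final String hostName;
    private final int port;

    public DaneFirstTrustManager(DaneVerifier dane, String hostName, int port) throws GeneralSecurityException {
        this.dane = dane;
        this.pkix = platformDefaultTrustManager();
        this.hostName = hostName;
        this.port = port;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Throws CertificateException if the chain contradicts a validated TLSA record.
        boolean daneSufficient = dane.verifyCertificateChain(chain, hostName, port);
        if (!daneSufficient) {
            // false means "DANE alone does not settle it" (e.g. a TLSA usage that, per
            // RFC 6698, still requires PKIX, such as PKIX-TA/PKIX-EE), so PKIX must pass.
            pkix.checkServerTrusted(chain, authType);
        }
        // If daneSufficient is true, the TLSA record made PKIX unnecessary.
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("this trust manager only verifies servers");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return pkix.getAcceptedIssuers();
    }

    /** The JDK's default PKIX trust manager backed by the platform trust store. */
    private static X509TrustManager platformDefaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
}
```

Hostname verification is not part of any X509TrustManager; when this is installed in an SSLContext used for raw SSLSockets, set the endpoint identification algorithm on the socket's SSLParameters as well, otherwise a chain for the wrong name could pass the PKIX branch.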
    • verifiedConnect

public HttpsURLConnection verifiedConnect(HttpsURLConnection conn) throws IOException, CertificateException
      Invokes URLConnection.connect() in a DANE verified fashion. Call this method instead of URLConnection.connect(); it must be invoked before the connection has been connected. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored. Use verifiedConnect(HttpsURLConnection, X509TrustManager) to inject a custom TrustManager.
      Parameters:
      conn - connection to be connected.
      Returns:
      The HttpsURLConnection after being connected.
      Throws:
      IOException - when the connection could not be established.
      CertificateException - if there was an exception while verifying the certificate.
    • verifiedConnect

      public HttpsURLConnection verifiedConnect(HttpsURLConnection conn, X509TrustManager trustManager) throws IOException, CertificateException
Invokes URLConnection.connect() in a DANE verified fashion. Call this method instead of URLConnection.connect(); it must be invoked before the connection has been connected. If a SSLSocketFactory was set on this HttpsURLConnection, it will be ignored.
      Parameters:
      conn - connection to be connected.
      trustManager - A non-default TrustManager to be used.
      Returns:
      The HttpsURLConnection after being connected.
      Throws:
      IOException - when the connection could not be established.
      CertificateException - if there was an exception while verifying the certificate.
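Both verifiedConnect overloads replace the usual conn.connect() call. The following added example (not MiniDNS's own code) shows the two flavours: the single-argument form with the JDK default trust, and the two-argument form handing in a trust manager built from a private trust store. That the supplied TrustManager covers the PKIX side when DANE alone is not sufficient is an assumption drawn from the return-value documentation above, not something this page states. The DaneVerifier is built from DnssecClient's no-argument constructor; the URL, trust store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.minidns.dane.DaneVerifier;
import org.minidns.dnssec.DnssecClient;

public final class DaneHttpsExample {

    /** DANE-verified GET with the JDK default trust; returns the HTTP status code. */
    static int fetchStatus(String urlString) throws IOException, CertificateException {
        DaneVerifier verifier = new DaneVerifier(new DnssecClient());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        // Do not call conn.connect() or conn.getInputStream() before this line:
        // verifiedConnect has to be the call that connects.
        verifier.verifiedConnect(conn);
        return conn.getResponseCode();
    }

    /**
     * Same, but the trust manager passed to verifiedConnect only knows the CAs in
     * a private trust store (assumed here to be the PKIX side of the verification).
     */
    static int fetchStatusWithPrivateCa(String urlString, String trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            store.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        X509TrustManager privateCaTrust = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                privateCaTrust = (X509TrustManager) tm;
                break;
            }
        }
        if (privateCaTrust == null) {
            throw new IllegalStateException("trust store yielded no X509TrustManager");
        }

        DaneVerifier verifier = new DaneVerifier(new DnssecClient());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        // Any SSLSocketFactory previously set on conn would be ignored, as documented.
        verifier.verifiedConnect(conn, privateCaTrust);
        return conn.getResponseCode();
    }

    public static void main(String[] args) {
        String url = args.length > 0 ? args[0] : "https://example.org/"; // placeholder target
        try {
            System.out.println("HTTP " + fetchStatus(url));
        } catch (CertificateException e) {
            // The served chain failed DANE (or PKIX) verification. Treat as fatal;
            // retrying without verifiedConnect would silently drop the protection.
            System.err.println("verification failed: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

Keep the two failure paths apart in calling code: an IOException is a transport problem and may be retried, a CertificateException is a trust decision and must not be retried through a less strict path.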