Remove SmackDaneVerifier.finish(SSLSocket)

This commit is contained in:
Florian Schmaus 2019-02-04 09:47:59 +01:00
parent 658fd08d20
commit 5705f18f58
3 changed files with 3 additions and 24 deletions

View File

@ -1,6 +1,6 @@
/**
*
* Copyright 2015-2018 Florian Schmaus
* Copyright 2015-2019 Florian Schmaus
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -23,7 +23,6 @@ import java.security.cert.CertificateException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509TrustManager;
/**
@ -32,8 +31,5 @@ import javax.net.ssl.X509TrustManager;
public interface SmackDaneVerifier {
void init(SSLContext context, KeyManager[] km, X509TrustManager tm, SecureRandom random) throws KeyManagementException;
// TODO: Remove this method in favor of finish(SSLSession).
void finish(SSLSocket socket) throws CertificateException;
void finish(SSLSession sslSession) throws CertificateException;
}

View File

@ -1,6 +1,6 @@
/**
*
* Copyright 2015-2018 Florian Schmaus
* Copyright 2015-2019 Florian Schmaus
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -24,11 +24,9 @@ import java.util.logging.Logger;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.jivesoftware.smack.util.CloseableUtil;
import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
import org.minidns.dane.DaneVerifier;
@ -54,21 +52,6 @@ public class MiniDnsDaneVerifier implements SmackDaneVerifier {
context.init(km, new TrustManager[] {expectingTrustManager}, random);
}
@Override
public void finish(SSLSocket sslSocket) throws CertificateException {
if (VERIFIER.verify(sslSocket)) {
// DANE verification was the only requirement according to the TLSA RR. We can return here.
return;
}
// DANE verification was successful, but according to the TLSA RR we also must perform PKIX validation.
if (expectingTrustManager.hasException()) {
// PKIX validation has failed. Throw an exception but close the socket first.
CloseableUtil.maybeClose(sslSocket, LOGGER);
throw expectingTrustManager.getException();
}
}
@Override
public void finish(SSLSession sslSession) throws CertificateException {
if (VERIFIER.verify(sslSession)) {

View File

@ -669,7 +669,7 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
sslSocket.startHandshake();
if (smackTlsContext.daneVerifier != null) {
smackTlsContext.daneVerifier.finish(sslSocket);
smackTlsContext.daneVerifier.finish(sslSocket.getSession());
}
final HostnameVerifier verifier = getConfiguration().getHostnameVerifier();