tuweni / org.apache.tuweni.net.tls / VertxTrustOptions

VertxTrustOptions

class VertxTrustOptions (source)

Vert.x TrustOptions for fingerprinting clients and servers.

This class depends upon the Vert.X library being available on the classpath, along with its dependencies. See https://vertx.io/download/. Vert.X can be included using the gradle dependency 'io.vertx:vertx-core'.

Functions

recordClientFingerprints

static fun recordClientFingerprints(knownClientsFile: Path): TrustOptions
static fun recordClientFingerprints(repository: FingerprintRepository): TrustOptions
static fun recordClientFingerprints(knownClientsFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun recordClientFingerprints(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Accept all client certificates, recording certificate fingerprints for those that are not CA-signed.

Excepting when a client presents a CA-signed certificate, the certificate common name and fingerprint will be written to knownClientsFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

static fun recordClientFingerprints(knownClientsFile: Path, skipCASigned: Boolean): TrustOptions
static fun recordClientFingerprints(repository: FingerprintRepository, skipCASigned: Boolean): TrustOptions

Accept all client certificates, recording certificate fingerprints.

For all connections, the common name and fingerprint of the presented certificate will be written to knownClientsFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

recordServerFingerprints

static fun recordServerFingerprints(knownServersFile: Path): TrustOptions
static fun recordServerFingerprints(repository: FingerprintRepository): TrustOptions
static fun recordServerFingerprints(knownServersFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun recordServerFingerprints(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Accept all server certificates, recording certificate fingerprints for those that are not CA-signed.

Excepting when a server presents a CA-signed certificate, the server host+port and the certificate fingerprint will be written to knownServersFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

static fun recordServerFingerprints(knownServersFile: Path, skipCASigned: Boolean): TrustOptions
static fun recordServerFingerprints(repository: FingerprintRepository, skipCASigned: Boolean): TrustOptions

Accept all server certificates, recording certificate fingerprints.

For all connections, the server host+port and the fingerprint of the presented certificate will be written to knownServersFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

trustClientOnFirstAccess

static fun trustClientOnFirstAccess(knownClientsFile: Path): TrustOptions
static fun trustClientOnFirstAccess(repository: FingerprintRepository): TrustOptions

Accept CA-signed client certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent #trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

static fun trustClientOnFirstAccess(knownClientsFile: Path, acceptCASigned: Boolean): TrustOptions
static fun trustClientOnFirstAccess(repository: FingerprintRepository, acceptCASigned: Boolean): TrustOptions

Trust client certificates on first access.

On first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent #trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

static fun trustClientOnFirstAccess(knownClientsFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun trustClientOnFirstAccess(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Accept CA-signed certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent #trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

trustServerOnFirstUse

static fun trustServerOnFirstUse(knownServersFile: Path): TrustOptions
static fun trustServerOnFirstUse(repository: FingerprintRepository): TrustOptions
static fun trustServerOnFirstUse(knownServersFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun trustServerOnFirstUse(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Accept CA-signed certificates, and otherwise trust server certificates on first use.

Except when a server presents a CA-signed certificate, on first connection to a server (identified by host+port) the fingerprint of the presented certificate will be recorded. On subsequent connections, the presented certificate will be matched to the stored fingerprint to ensure it has not changed.

static fun trustServerOnFirstUse(knownServersFile: Path, acceptCASigned: Boolean): TrustOptions
static fun trustServerOnFirstUse(repository: FingerprintRepository, acceptCASigned: Boolean): TrustOptions

Trust server certificates on first use.

On first connection to a server (identified by host+port) the fingerprint of the presented certificate will be recorded. On subsequent connections, the presented certificate will be matched to the stored fingerprint to ensure it has not changed.

whitelistClients

static fun whitelistClients(knownClientsFile: Path): TrustOptions
static fun whitelistClients(repository: FingerprintRepository): TrustOptions
static fun whitelistClients(knownClientsFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun whitelistClients(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Require clients to present known certificates, or CA-signed certificates.

If a certificate is not CA-signed, then its common name and fingerprint must be present in the knownClientsFile.

static fun whitelistClients(knownClientsFile: Path, acceptCASigned: Boolean): TrustOptions
static fun whitelistClients(repository: FingerprintRepository, acceptCASigned: Boolean): TrustOptions

Require clients to present known certificates.

The common name and fingerprint for a client certificate must be present in knownClientsFile.

whitelistServers

static fun whitelistServers(knownServersFile: Path): TrustOptions
static fun whitelistServers(repository: FingerprintRepository): TrustOptions
static fun whitelistServers(knownServersFile: Path, tmf: TrustManagerFactory): TrustOptions
static fun whitelistServers(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustOptions

Require servers to present known certificates, or CA-signed certificates.

If a certificate is not CA-signed, then its fingerprint must be present in the known servers file, associated with the server (identified by host+port).

static fun whitelistServers(knownServersFile: Path, acceptCASigned: Boolean): TrustOptions
static fun whitelistServers(repository: FingerprintRepository, acceptCASigned: Boolean): TrustOptions

Require servers to present known certificates.

The fingerprint for a server certificate must be present in the known servers file, associated with the server (identified by host+port).