TrustManagerFactories

class TrustManagerFactories (package org.apache.tuweni.net.tls)

Trust manager factories for fingerprinting clients and servers.

Functions

recordClientFingerprints

static fun recordClientFingerprints(knownClientsFile: Path): TrustManagerFactory
static fun recordClientFingerprints(repository: FingerprintRepository): TrustManagerFactory
static fun recordClientFingerprints(knownClientsFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun recordClientFingerprints(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Accept all client certificates, recording certificate fingerprints for those that are not CA-signed.

Except when a client presents a CA-signed certificate, the certificate fingerprint will be written to knownClientsFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

static fun recordClientFingerprints(knownClientsFile: Path, skipCASigned: Boolean): TrustManagerFactory
static fun recordClientFingerprints(repository: FingerprintRepository, skipCASigned: Boolean): TrustManagerFactory

Accept all client certificates, recording certificate fingerprints.

For all connections, the fingerprint of the presented certificate will be written to knownClientsFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

recordServerFingerprints

static fun recordServerFingerprints(knownServersFile: Path): TrustManagerFactory
static fun recordServerFingerprints(repository: FingerprintRepository): TrustManagerFactory
static fun recordServerFingerprints(knownServersFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun recordServerFingerprints(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Accept all server certificates, recording certificate fingerprints for those that are not CA-signed.

Except when a server presents a CA-signed certificate, the server host+port and the certificate fingerprint will be written to knownServersFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

static fun recordServerFingerprints(knownServersFile: Path, skipCASigned: Boolean): TrustManagerFactory
static fun recordServerFingerprints(repository: FingerprintRepository, skipCASigned: Boolean): TrustManagerFactory

Accept all server certificates, recording certificate fingerprints.

For all connections, the server host+port and the fingerprint of the presented certificate will be written to knownServersFile.

Important: this provides no security as it is vulnerable to man-in-the-middle attacks.

trustClientOnFirstAccess

static fun trustClientOnFirstAccess(knownClientsFile: Path): TrustManagerFactory
static fun trustClientOnFirstAccess(repository: FingerprintRepository): TrustManagerFactory

Accept CA-signed client certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

static fun trustClientOnFirstAccess(knownClientsFile: Path, acceptCASigned: Boolean): TrustManagerFactory
static fun trustClientOnFirstAccess(repository: FingerprintRepository, acceptCASigned: Boolean): TrustManagerFactory

Trust client certificates on first access.

On first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

static fun trustClientOnFirstAccess(knownClientsFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun trustClientOnFirstAccess(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Accept CA-signed certificates, and otherwise trust client certificates on first access.

Except when a client presents a CA-signed certificate, on first connection to this server the common name and fingerprint of the presented certificate will be recorded. On subsequent connections, the client will be rejected if the fingerprint has changed.

Note: unlike the seemingly equivalent trustServerOnFirstUse(Path) method for authenticating servers, this method for authenticating clients is insecure and provides zero confidence in client identity. Unlike the server version, which bases the identity on the hostname and port the connection is being established to, the client version only uses the common name of the certificate that the connecting client presents. Therefore, clients can circumvent access control by using a different common name from any previously recorded client.

trustServerOnFirstUse

static fun trustServerOnFirstUse(knownServersFile: Path): TrustManagerFactory
static fun trustServerOnFirstUse(repository: FingerprintRepository): TrustManagerFactory
static fun trustServerOnFirstUse(knownServersFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun trustServerOnFirstUse(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Accept CA-signed certificates, and otherwise trust server certificates on first use.

Except when a server presents a CA-signed certificate, on first connection to a server (identified by host+port) the fingerprint of the presented certificate will be recorded in knownServersFile. On subsequent connections, the presented certificate will be matched to the stored fingerprint to ensure it has not changed.

static fun trustServerOnFirstUse(knownServersFile: Path, acceptCASigned: Boolean): TrustManagerFactory
static fun trustServerOnFirstUse(repository: FingerprintRepository, acceptCASigned: Boolean): TrustManagerFactory

Trust server certificates on first use.

On first connection to a server (identified by host+port) the fingerprint of the presented certificate will be recorded in knownServersFile. On subsequent connections, the presented certificate will be matched to the stored fingerprint to ensure it has not changed.

whitelistClients

static fun whitelistClients(knownClientsFile: Path): TrustManagerFactory
static fun whitelistClients(repository: FingerprintRepository): TrustManagerFactory
static fun whitelistClients(knownClientsFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun whitelistClients(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Require clients to present known certificates, or CA-signed certificates.

If a certificate is not CA-signed, then its fingerprint must be present in the knownClientsFile.

static fun whitelistClients(knownClientsFile: Path, acceptCASigned: Boolean): TrustManagerFactory
static fun whitelistClients(repository: FingerprintRepository, acceptCASigned: Boolean): TrustManagerFactory

Require clients to present known certificates.

The fingerprint for a client certificate must be present in knownClientsFile.

whitelistServers

static fun whitelistServers(knownServersFile: Path): TrustManagerFactory
static fun whitelistServers(repository: FingerprintRepository): TrustManagerFactory
static fun whitelistServers(knownServersFile: Path, tmf: TrustManagerFactory): TrustManagerFactory
static fun whitelistServers(repository: FingerprintRepository, tmf: TrustManagerFactory): TrustManagerFactory

Require servers to present known certificates, or CA-signed certificates.

If a certificate is not CA-signed, then its fingerprint must be present in the knownServersFile, associated with the server (identified by host+port).

static fun whitelistServers(knownServersFile: Path, acceptCASigned: Boolean): TrustManagerFactory
static fun whitelistServers(repository: FingerprintRepository, acceptCASigned: Boolean): TrustManagerFactory

Require servers to present known certificates.

The fingerprint for a server certificate must be present in the knownServersFile, associated with the server (identified by host+port).
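The following is an added example (not code from the Tuweni project) showing how the factories on this page plug into a standard JSSE SSLContext, choosing whitelistClients for server-side client authentication (rather than trustClientOnFirstAccess, which the notes above describe as providing no confidence in client identity) and trustServerOnFirstUse, keyed by host+port, on the client side. The keystore path, password and file names are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.tuweni.net.tls.TrustManagerFactories;

public final class TlsTrustSetup {

  // Server side: accept only clients whose certificate fingerprint is already listed in
  // knownClientsFile. acceptCASigned = false means even CA-signed client certificates must
  // be explicitly listed, so the set of permitted clients is exactly the file's contents.
  static SSLContext serverContext(Path keystore, char[] password, Path knownClientsFile)
      throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(keystore)) {
      ks.load(in, password);
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, password);

    TrustManagerFactory tmf = TrustManagerFactories.whitelistClients(knownClientsFile, false);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }

  // The trust manager is only consulted for clients if the server actually requires client
  // authentication; without setNeedClientAuth(true) the whitelist is never evaluated.
  static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
    SSLServerSocket socket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
    socket.setNeedClientAuth(true);
    return socket;
  }

  // Client side: trust on first use, with identity bound to host+port. A changed fingerprint
  // for an already-recorded host:port is rejected on later connections; CA-signed server
  // certificates are accepted by this overload without being recorded.
  static SSLContext clientContext(Path knownServersFile) throws Exception {
    TrustManagerFactory tmf = TrustManagerFactories.trustServerOnFirstUse(knownServersFile);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }
}
```

Populate knownClientsFile out of band (for example with the record* factories in a controlled enrolment step, which the page notes provide no security on their own) before switching the server to whitelistClients.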