@Contract(threading=IMMUTABLE) public final class SpkiPinningClientTlsStrategy extends DefaultClientTlsStrategy
SPKI pinning decorator for client-side TLS.

This strategy enforces one or more sha256/<base64(SPKI)> pins for a given host or single-label wildcard (e.g. *.example.com) after the standard trust manager and hostname verification succeed. Each pin is the base64 encoding of the SHA-256 digest of a certificate's DER-encoded SubjectPublicKeyInfo (the HPKP pin convention). Pins are matched against the SPKI of any certificate in the peer chain, so a pin on the leaf key or on an intermediate or root key both satisfy the check.

Host matching is performed on the IDNA ASCII (Punycode) lowercase form. Wildcards are single-label only (e.g. *.example.com matches a.example.com but not a.b.example.com).

Warning: Certificate pinning increases operational risk. A key rotation that is not reflected in the pin set breaks every client until the client is updated. Always ship at least two pins (active + backup) and keep normal PKI + hostname verification enabled; the pins are an additional check on top of those, not a replacement for them.

Thread-safety: immutable and thread-safe.
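The following is an added example, not code from the HttpClient project or from this page. It computes the sha256/<base64(SPKI)> pin value from operator-supplied PEM certificates using only JDK APIs (PublicKey.getEncoded() returns the DER SubjectPublicKeyInfo), registers an active and a backup pin, and wires the strategy into a classic HttpClient. The Builder's pin-registration method is not listed on this page, so addPin(host, pin) is an assumed name; the PoolingHttpClientConnectionManagerBuilder.setTlsSocketStrategy wiring is the httpclient5 5.4+ API; the host and certificate paths come from the command line.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.SpkiPinningClientTlsStrategy;
import org.apache.hc.core5.ssl.SSLContexts;

public final class SpkiPinningExample {

    /** Pin format used by the strategy: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)). */
    static String spkiPin(final PublicKey key) throws Exception {
        // Java public keys report format "X.509"; getEncoded() is the DER SubjectPublicKeyInfo,
        // so hashing it directly yields the same value as `openssl x509 -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64`.
        final byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    static X509Certificate readPem(final Path pemFile) throws Exception {
        try (InputStream in = Files.newInputStream(pemFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(final String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: SpkiPinningExample <host> <active-cert.pem> <backup-cert.pem>");
            return;
        }
        final String host = args[0];
        // Active pin: the key currently served. Backup pin: a key held offline (e.g. the key behind
        // a pre-generated CSR) so that a rotation does not lock out every deployed client.
        final String activePin = spkiPin(readPem(Path.of(args[1])).getPublicKey());
        final String backupPin = spkiPin(readPem(Path.of(args[2])).getPublicKey());

        // Normal PKI trust stays in force: the pins are checked only after the default
        // trust manager and hostname verifier have accepted the chain.
        final SSLContext sslContext = SSLContexts.createSystemDefault();
        final SpkiPinningClientTlsStrategy tlsStrategy = SpkiPinningClientTlsStrategy.newBuilder(sslContext)
                .addPin(host, activePin)   // assumed Builder method name (not listed on this page)
                .addPin(host, backupPin)
                .build();

        final PoolingHttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create()
                .setTlsSocketStrategy(tlsStrategy)
                .build();

        try (CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build()) {
            final int status = client.execute(new HttpGet("https://" + host + "/"), response -> response.getCode());
            System.out.println("status " + status + " (peer chain matched one of the pins)");
        } catch (final SSLException e) {
            // Raised by verifySession when no certificate in the chain matches a pin for this host,
            // or by the default checks when the chain itself is untrusted or the name does not match.
            System.err.println("TLS rejected for " + host + ": " + e.getMessage());
        }
    }
}
```

Regenerate the pin set, and redeploy, before the served key changes; a client that only carries the active pin has no way to recover from a rotation other than an update, which is why the backup pin is computed from a key that is never the one currently in service.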
Nested Class Summary

| Modifier and Type | Class and Description |
|---|---|
| static class | SpkiPinningClientTlsStrategy.Builder. Builder for SpkiPinningClientTlsStrategy. |
Method Summary

| Modifier and Type | Method and Description |
|---|---|
| protected void | initializeEngine(SSLEngine sslEngine) |
| protected void | initializeSocket(SSLSocket socket) |
| static SpkiPinningClientTlsStrategy.Builder | newBuilder(SSLContext sslContext). Create a new builder. |
| SSLSocket | upgrade(Socket socket, String target, int port, Object attachment, HttpContext context). Upgrades the given plain socket and executes the TLS handshake over it. |
| boolean | upgrade(TransportSecurityLayer tlsSession, HttpHost host, SocketAddress localAddress, SocketAddress remoteAddress, Object attachment, Timeout handshakeTimeout). Deprecated. |
| void | upgrade(TransportSecurityLayer tlsSession, NamedEndpoint endpoint, Object attachment, Timeout handshakeTimeout, FutureCallback<TransportSecurityLayer> callback) |
| protected void | verifySession(String hostname, SSLSession sslSession). Invoked after the default trust and hostname checks. |
Methods inherited from class DefaultClientTlsStrategy: createDefault, createSystemDefault, getDefault, getSystemDefault

Method Detail

protected void verifySession(String hostname, SSLSession sslSession) throws SSLException
Invoked after the default trust and hostname checks. For the given hostname, at least one configured pin must match the SPKI of some certificate in the peer chain.
Throws: SSLException

public static SpkiPinningClientTlsStrategy.Builder newBuilder(SSLContext sslContext)
Create a new builder.
Parameters: sslContext - SSL context used for handshakes (trust + keys).

@Deprecated public boolean upgrade(TransportSecurityLayer tlsSession, HttpHost host, SocketAddress localAddress, SocketAddress remoteAddress, Object attachment, Timeout handshakeTimeout)
Specified by: upgrade in interface TlsStrategy

public void upgrade(TransportSecurityLayer tlsSession, NamedEndpoint endpoint, Object attachment, Timeout handshakeTimeout, FutureCallback<TransportSecurityLayer> callback)
Specified by: upgrade in interface TlsStrategy

protected void initializeEngine(SSLEngine sslEngine)

protected void initializeSocket(SSLSocket socket)

public SSLSocket upgrade(Socket socket, String target, int port, Object attachment, HttpContext context) throws IOException
Description copied from interface: TlsSocketStrategy
Specified by: upgrade in interface TlsSocketStrategy
Parameters:
socket - the existing plain socket
target - the name of the target host
port - the port to connect to on the target host
attachment - connect request attachment
context - the actual HTTP context
Throws: IOException

Copyright © 1999–2021 The Apache Software Foundation. All rights reserved.