com.gemalto.idp.mobile.core.net

Class TlsConfiguration

java.lang.Object

com.gemalto.idp.mobile.core.net.TlsConfiguration

public final class TlsConfiguration
extends Object

The configuration class for TLS.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	TlsConfiguration.Permit Attributes of a TLS connection that can be overridden to permit the specified behavior.

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_TIMEOUT Default timeout for a connection is 30 seconds.

Constructor Summary

Constructors

Constructor and Description
TlsConfiguration() Constructs a TlsConfiguration object whose timeout is set to the value of DEFAULT_TIMEOUT and no TlsConfiguration.Permit values specified.
TlsConfiguration(int timeout) Constructs a TlsConfiguration object whose timeout is configured in this constructor and no TlsConfiguration.Permit values specified.
TlsConfiguration(int timeout, TlsConfiguration.Permit... permits) Constructs a TlsConfiguration object whose settings are configured in this constructor.
TlsConfiguration(int timeout, X509Certificate[] certificates, TlsConfiguration.Permit... permits) Constructs a TlsConfiguration object whose settings are configured in this constructor.
TlsConfiguration(TlsConfiguration.Permit... permits) Constructs a TlsConfiguration object whose settings are configured in this constructor.
TlsConfiguration(X509Certificate[] certificates, TlsConfiguration.Permit... permits) Constructs a TlsConfiguration object whose settings are configured in this constructor.

Method Summary

Modifier and Type	Method and Description
X509Certificate[]	getCertificates() Get the Pins set.
TlsConfiguration.Permit[]	getPermits() Get the Permits for this connection.
int	getTimeout() Get the timeout of the connection.
boolean	isHostnameMismatchPermitted() Is a server certificates whose common name (CN) that does not match the domain name of the URL being connected to permitted?
boolean	isInsecureConnectionsPermitted() Is an insecure connection permitted?
boolean	isSelfSignedServerCertificatesPermitted() Is a self signed certificate permitted?

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_TIMEOUT

public static final int DEFAULT_TIMEOUT

Default timeout for a connection is 30 seconds.

See Also:

Constant Field Values

Constructor Detail

TlsConfiguration

public TlsConfiguration()

Constructs a TlsConfiguration object whose timeout is set to the value of DEFAULT_TIMEOUT and no TlsConfiguration.Permit values specified. This is the most secure configuration for the communication link.

TlsConfiguration

public TlsConfiguration(TlsConfiguration.Permit... permits)

Constructs a TlsConfiguration object whose settings are configured in this constructor. Warning! It is not recommended to override these settings in a production environment. Allowing any of these configurations will reduce the security of the communication link with the server.

Parameters:

permits - The caller may request certain attributes of a TLS connection to be permitted.

TlsConfiguration

public TlsConfiguration(int timeout)

Constructs a TlsConfiguration object whose timeout is configured in this constructor and no TlsConfiguration.Permit values specified.

Parameters:

timeout - The timeout of the connection in milliseconds.

TlsConfiguration

public TlsConfiguration(int timeout,
                        TlsConfiguration.Permit... permits)

Constructs a TlsConfiguration object whose settings are configured in this constructor. Warning! It is not recommended to override these settings in a production environment. Allowing any of these configurations will reduce the security of the communication link with the server. Warning! The insecure permits could only be used in debug mode for test purpose. They were not allowed to be used in release mode.

Parameters:

timeout - The timeout of the connection in milliseconds.

permits - The caller may request certain attributes of a TLS connection to be permitted.

TlsConfiguration

public TlsConfiguration(X509Certificate[] certificates,
                        TlsConfiguration.Permit... permits)

Constructs a TlsConfiguration object whose settings are configured in this constructor. Array of certificate(s) is/are required to be passed for validating the certificate path with respect to Server presented certificate. From these certificates, pinning is matched with SPKI(Subject Public Key Info) of server presented certificates during a TLS session. It is required that at least SPKI info matches for at least 1 certificate. Warning! It is not recommended to override these settings in a production environment. Allowing any of these configurations will reduce the security of the communication link with the server.

Parameters:

certificates - Array of X.509 Certificates generated from Base64 encoded DER format. CertificateFactory.getInstance("X.509").generateCertificate(InputStream) can be used to generate X.509 Certificate Certificate list should be set, if Permit.SELF_SIGNED_CERTIFICATES is passed.

permits - Allow Self Signed certificates and Hostname Mismatch. Insecure connection cannot be set in release mode. This is optional field from 4.2.1, to allow certificate pinning check for trusted certificates.

TlsConfiguration

public TlsConfiguration(int timeout,
                        X509Certificate[] certificates,
                        TlsConfiguration.Permit... permits)

Constructs a TlsConfiguration object whose settings are configured in this constructor. Array of certificate(s) is/are required to be passed for validating the chain of trust and at least 1 public key pin matches with the server presented certificate during a TLS session. Warning! It is not recommended to override these settings in a production environment. Allowing any of these configurations will reduce the security of the communication link with the server.

Parameters:

timeout - The timeout of the connection in milliseconds.

certificates - Array of X.509 Certificates generated from Base64 encoded DER format. CertificateFactory.getInstance("X.509").generateCertificate(InputStream) can be used to generate X.509 Certificate Certifcate list should be set, if Permit.SELF_SIGNED_CERTIFICATES is passed.

permits - Allow Self Signed certificates and Host name mismatch. Insecure connection cannot be set in release mode

Since:

4.1

Method Detail

isInsecureConnectionsPermitted

public boolean isInsecureConnectionsPermitted()

Is an insecure connection permitted?

Returns:

If true, then either an unencrypted (http) or an encrypted (https) connection is permitted. If false, then only an encrypted connection is permitted.

isSelfSignedServerCertificatesPermitted

public boolean isSelfSignedServerCertificatesPermitted()

Is a self signed certificate permitted?

Returns:

If true, then a connection will accept a self signed server certificate. If false, then a connection whose server certificate is not signed by a certificate authority on the device is rejected.

isHostnameMismatchPermitted

public boolean isHostnameMismatchPermitted()

Is a server certificates whose common name (CN) that does not match the domain name of the URL being connected to permitted?

Returns:

If true, then a connection will accept a server certificate whose common name (CN) does not match the URL's domain. If false, then a connection whose server certificate's CN does not match the URL's domain is rejected. This setting returns true if either TlsConfiguration.Permit.HOSTNAME_MISMATCH or TlsConfiguration.Permit.SELF_SIGNED_CERTIFICATES is permitted.

getTimeout

public int getTimeout()

Get the timeout of the connection.

Returns:

Returns the timeout in milliseconds.

getPermits

public TlsConfiguration.Permit[] getPermits()

Get the Permits for this connection.

Returns:

Returns the Permits.

getCertificates

public X509Certificate[] getCertificates()

Get the Pins set.

Returns:

Returns the public key Pins set.