Merge b460ab5 into c7a4a43

MiniDNS · Jul 28, 2020 · bf2c4f1 · bf2c4f1
2 parents c7a4a43 + b460ab5
commit bf2c4f1
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/minidns-core/src/main/java/org/minidns/record/TLSA.java b/minidns-core/src/main/java/org/minidns/record/TLSA.java
@@ -22,11 +22,55 @@ public class TLSA extends Data {
 
     private static final Map<Byte, CertUsage> CERT_USAGE_LUT = new HashMap<>();
 
+    /**
+     * The certificate usage field.
+     *
+     * @see <a href="https://tools.ietf.org/html/rfc6698#section-2.1.1">RFC 6698 § 2.1.1</a>
+     *
+     */
     public enum CertUsage {
 
+        /**
+         * The given <b>CA</b> certificate (or its public key) MUST be found in at least
+         * one PKIX path to the end entity certificate.
+         *
+         * <p>
+         * PKIX-TA(0)
+         * </p>
+         */
         caConstraint((byte) 0),
+
+        /**
+         * The given certificate (or its public key) MUST match the end entity
+         * certificate and MUST pass PKIX validation. Note that the requirement to pass
+         * PKIX validation is what makes this different from
+         * {@link #domainIssuedCertificate}.
+         *
+         * <p>
+         * PKIX-EE(1)
+         * </p>
+         */
         serviceCertificateConstraint((byte) 1),
+
+        /**
+         * The given certificate (or its public key) MUST be used as trust anchor when
+         * validating the end entity certificate.
+         *
+         * <p>
+         * DANE-TA(2)
+         * </p>
+         */
         trustAnchorAssertion((byte) 2),
+
+        /**
+         * The given certificate (or its public key) MUST match the end entity
+         * certificate. Unlike {@link #serviceCertificateConstraint}, this does not
+         * require PKIX validation.
+         *
+         * <p>
+         * DANE-EE(3)
+         * </p>
+         */
         domainIssuedCertificate((byte) 3),
         ;
 

diff --git a/minidns-dnssec/src/main/java/org/minidns/dane/DaneVerifier.java b/minidns-dnssec/src/main/java/org/minidns/dane/DaneVerifier.java
@@ -148,11 +148,11 @@ private static boolean checkCertificateMatches(X509Certificate cert, TLSA tlsa,
         }
 
         switch (tlsa.certUsage) {
-        case serviceCertificateConstraint:
-        case domainIssuedCertificate:
+        case serviceCertificateConstraint: // PKIX-EE
+        case domainIssuedCertificate: // DANE-EE
             break;
-        case caConstraint:
-        case trustAnchorAssertion:
+        case caConstraint: // PKIX-TA
+        case trustAnchorAssertion: // DANE-TA
         default:
             LOGGER.warning("TLSA certificate usage " + tlsa.certUsage + " (" + tlsa.certUsageByte + ") not supported while verifying " + hostName);
             return false;