iaik.security.ssl
Class CertificateAuthorities

java.lang.Object
  extended by iaik.security.ssl.Extension
      extended by iaik.security.ssl.CertificateAuthorities
All Implemented Interfaces:
java.lang.Cloneable

public class CertificateAuthorities
extends Extension
implements java.lang.Cloneable

This class implements the TLS 1.3 CertificateAuthorities (certificate_authorities) TLS extension as specified by RFC 8446.

TLS 1.3 defines the CertificateAuthorities extension as a list of the distinguished names of certificate authorities that may be accepted as peer certificate issuing authorities:

   opaque DistinguishedName<1..2^16-1>;

   struct {
       DistinguishedName authorities<3..2^16-1>;
   } CertificateAuthoritiesExtension;
 
The client may send the certificate_authorities extension in the ClientHello message, the server may send it in the CertificateRequest message.
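The struct above is the only wire format this class has to produce and parse. The following added example is not part of iSaSiLk or the original Javadoc; it encodes and decodes the extension_data of certificate_authorities in Python, enforcing the RFC 8446 vector bounds (each DistinguishedName 1..2^16-1 bytes, the authorities vector 3..2^16-1 bytes, so an empty list is rejected) and rejecting truncated, trailing or zero-length entries. The `der_name_with_cn` helper and the two CN values are constructed sample data; in practice the DER Names come from the subjectDNs of real CA certificates, as the X509Certificate[] constructor of this class does.

```python
"""
Encoder/decoder for the TLS 1.3 certificate_authorities extension body
(RFC 8446, section 4.2.4):

    opaque DistinguishedName<1..2^16-1>;
    struct {
        DistinguishedName authorities<3..2^16-1>;
    } CertificateAuthoritiesExtension;

Each DistinguishedName is a DER-encoded X.501 Name.
"""
import struct

EXTENSION_TYPE_CERTIFICATE_AUTHORITIES = 47  # IANA extension type for certificate_authorities


def encode_certificate_authorities(names: list[bytes]) -> bytes:
    """Encode a list of DER Names into the extension_data of certificate_authorities.

    Enforces the vector bounds from the RFC: each DN is 1..2^16-1 bytes and the
    whole authorities vector is 3..2^16-1 bytes, so an empty list is rejected.
    """
    body = bytearray()
    for dn in names:
        if not 1 <= len(dn) <= 0xFFFF:
            raise ValueError(f"DistinguishedName length {len(dn)} out of range 1..65535")
        body += struct.pack("!H", len(dn)) + dn
    if not 3 <= len(body) <= 0xFFFF:
        raise ValueError(f"authorities vector length {len(body)} out of range 3..65535")
    return struct.pack("!H", len(body)) + bytes(body)


def decode_certificate_authorities(data: bytes) -> list[bytes]:
    """Parse extension_data back into the list of DER Names.

    Rejects a vector below the 3-byte minimum, a vector length that does not
    match the data (truncation or trailing bytes), and zero-length or
    overrunning DistinguishedName entries.
    """
    if len(data) < 2:
        raise ValueError("extension_data too short for authorities length")
    (total,) = struct.unpack("!H", data[:2])
    if total < 3:
        raise ValueError("authorities vector shorter than minimum of 3 bytes")
    if len(data) != 2 + total:
        raise ValueError("authorities vector length does not match extension_data")
    names = []
    pos, end = 2, 2 + total
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if dn_len == 0:
            raise ValueError("zero-length DistinguishedName")
        if pos + dn_len > end:
            raise ValueError("DistinguishedName extends past authorities vector")
        names.append(data[pos:pos + dn_len])
        pos += dn_len
    return names


def der_name_with_cn(common_name: str) -> bytes:
    """Build a minimal DER X.501 Name with a single commonName attribute.

    Constructed sample data for this example only; real DNs are taken from
    the subjectDN of CA certificates.
    """
    def tlv(tag: int, content: bytes) -> bytes:
        n = len(content)
        if n < 0x80:
            length = bytes([n])
        else:
            lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
            length = bytes([0x80 | len(lb)]) + lb
        return bytes([tag]) + length + content

    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))   # OID 2.5.4.3 (commonName)
    value = tlv(0x0C, common_name.encode("utf-8"))  # UTF8String
    atv = tlv(0x30, oid_cn + value)                  # AttributeTypeAndValue
    rdn = tlv(0x31, atv)                             # RelativeDistinguishedName (SET)
    return tlv(0x30, rdn)                            # Name (SEQUENCE OF RDN)


def roundtrip_example() -> list[bytes]:
    """Encode two constructed CA names and decode them again."""
    names = [der_name_with_cn("Test Root CA"), der_name_with_cn("Test Client CA")]
    return decode_certificate_authorities(encode_certificate_authorities(names))
```

The decoder is deliberately strict about the outer length matching the data it was handed: a lenient parser that silently ignores trailing bytes or accepts a zero-length DN would let a peer smuggle malformed names into the list that later drives certificate selection.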

On the server side, when building the CertificateRequest message, iSaSiLk automatically calculates the certificate_authorities extension from the ChainVerifier-configured trusted authorities. No interaction from the application is required.

On the client side the application has to decide if it wants to send a certificate_authorities extension with the ClientHello message. For instance, the client may get the trusted authorities from the ChainVerifier and use them when creating the CertificateAuthorities extension:

 SSLClientContext clientContext = ...;
 ExtensionList extensions = new ExtensionList();
 ...
 // take the trusted authorities from the ChainVerifier of the client context
 ChainVerifier chainVerifier = clientContext.getChainVerifier();
 Principal[] trustedCAs = chainVerifier.getTrustedPrincipalsArray();
 CertificateAuthorities certAuthorities = new CertificateAuthorities(trustedCAs);
 extensions.addExtension(certAuthorities);
 ...
 clientContext.setExtensions(extensions);
 
Note that an iSaSiLk server does not process a certificate_authorities extension received within the ClientHello message automatically. By default an iSaSiLk server will ignore the certificate_authorities sent by the client and not use it for server certificate selection. To tell an iSaSiLk server to process a certificate_authorities extension received from the client, the application has to set an empty CertificateAuthorities extension object for its server context:
 SSLServerContext serverContext = ...;
 ExtensionList extensions = new ExtensionList();
 ...
 CertificateAuthorities certAuthorities = new CertificateAuthorities();
 extensions.addExtension(certAuthorities);
 ...
 serverContext.setExtensions(extensions);
 
The critical flag has no meaning for the CertificateAuthorities extension.

Version:
File Revision 41
See Also:
Extension, ExtensionList

Field Summary
static ExtensionType TYPE
          The type (47) of the certificate_authorities extension.
 
Constructor Summary
CertificateAuthorities()
          Default Constructor.
CertificateAuthorities(java.security.Principal[] authorities)
          Creates a CertificateAuthorities extension for the given authorities.
CertificateAuthorities(java.security.cert.X509Certificate[] certificates)
          Creates a CertificateAuthorities extension from the given ca certificates.
 
Method Summary
 void addAuthority(java.security.Principal authority)
          Adds the given authority.
 void addAuthority(java.security.cert.X509Certificate certificate)
          Adds the given authority (subjectDN of the given ca certificate).
 java.lang.Object clone()
          Returns a clone of this CertificateAuthorities extension object.
 java.security.Principal[] getAuthorities()
          Gets the authorities included in this CertificateAuthorities extension.
 void setCritical(boolean critical)
          Does nothing since the critical value has no meaning for this extension.
 int size()
          Gets the number of authorities included in this CertificateAuthorities extension.
 java.lang.String toString()
          Gets a String representation of this CertificateAuthorities object.
 
Methods inherited from class iaik.security.ssl.Extension
getAllowedProtocolVersions, getExtensionType, getName, getType
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

TYPE

public static final ExtensionType TYPE
The type (47) of the certificate_authorities extension.

Constructor Detail

CertificateAuthorities

public CertificateAuthorities()
Default Constructor.


CertificateAuthorities

public CertificateAuthorities(java.security.Principal[] authorities)
Creates a CertificateAuthorities extension for the given authorities.

Parameters:
authorities - the list of authorities as Principal objects

CertificateAuthorities

public CertificateAuthorities(java.security.cert.X509Certificate[] certificates)
Creates a CertificateAuthorities extension from the given ca certificates.

The authorities list is built from the subjectDNs of the given certificates.

Parameters:
certificates - the certificates from which to create the CertificateAuthorities extension
Method Detail

addAuthority

public void addAuthority(java.security.Principal authority)
Adds the given authority.

Parameters:
authority - to be added as Principal object

addAuthority

public void addAuthority(java.security.cert.X509Certificate certificate)
Adds the given authority (subjectDN of the given ca certificate).

Parameters:
certificate - the certificate from which to get the subjectDN

getAuthorities

public java.security.Principal[] getAuthorities()
Gets the authorities included in this CertificateAuthorities extension.

Returns:
the authorities or null if no authorities are included

size

public int size()
Gets the number of authorities included in this CertificateAuthorities extension.

Returns:
the number of authorities included in this CertificateAuthorities extension

setCritical

public void setCritical(boolean critical)
Does nothing since the critical value has no meaning for this extension.

Overrides:
setCritical in class Extension
Parameters:
critical - true if the extension is critical, false if not

clone

public java.lang.Object clone()
Returns a clone of this CertificateAuthorities extension object.

Overrides:
clone in class Extension
Returns:
a clone of this CertificateAuthorities extension object

toString

public java.lang.String toString()
Gets a String representation of this CertificateAuthorities object.

Specified by:
toString in class Extension
Returns:
a String representation of the CertificateAuthorities object

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC