iaik.security.ssl
Class ClientCertificateURL

java.lang.Object
  extended by iaik.security.ssl.Extension
      extended by iaik.security.ssl.ClientCertificateURL
All Implemented Interfaces:
java.lang.Cloneable

public class ClientCertificateURL
extends Extension
implements java.lang.Cloneable

This class implements the client_certificate_url TLS extension.

In constrained environments a client may want to not store his certificates. In this case he may send an empty client_certificate_url extension to the server to indicate that he will send a CertificateURL handshake message (instead of a Certificate message) containing a list of urls from where the server may download the client certificate(s). If the server agrees to use client certificate urls he responds with an -- also empty -- client_certificate_url extension in his extended ServerHello message.

Since the "extension_data" field of the client_certificate_url extension is always empty, you only must put an (empty) ClientCertificateURL object into your client/server ExtensionList to tell your iSaSiLk SSLClientContext/SSLServerContext that client certificates maybe used (e.g, on the client side):

 // create ClientCertificateURL
 ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 ...
 extensions.addExtension(clientCertificateURL);
 ...
 // set extensions for the SSLClientContext configuration:
 SSLClientContext clientContext = new SSLClientContext();
 // extensions are only defined for TLS
 clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12); 
 ...
 clientContext.setExtensions(extensions);
 ...
 
If you set the critical flag of a client-side ClientCertificateURL to true (client-side default), the handshake will be aborted if the server does not respond with a client_certificate_url extension.

On the server side the proceeding is quite the same:

 // create ClientCertificateURL
 ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 ...
 extensions.addExtension(clientCertificateURL);
 ...
 // set extensions for the SSLServerContext configuration:
 SSLServerContext serverContext = new SSLServerContext();
 ...
 serverContext.setExtensions(extensions);
 ...
 
If you set the critical flag of a server-side client_certificate_url extension to true, the handshake will be aborted if the client does not send a client_certificate_url extension within the extended ClientHello message.

For using client certificate urls no additional configuration is required on the server side. However, on the client side you must configure your SSLClientContext with client credentials of type KeyAndCertURL to tell iSaSiLk which url(s) shall be sent to the server (see (see javadoc of class KeyAndCertUrl for a detailed desciption and an usage example). From the configured KeyAndCertUrl credentials iSaSiLk then will take the url(s) to be sent to the server within a CertificateURL handshake message (instead of sending a Certificate message). If you have configured your iSaSiLk client to use client certificate urls (and the server has agreed to use it), but you did not have set client KeyAndCertURL credentials (but only common KeyAndCert credentials) the the client will send a full Certificate message (instead of a CertificateURL message) of you have configured your ClientCertificateURL extension as being NOT critical.

Version:
File Revision 11
See Also:
Extension, ExtensionList, KeyAndCertURL, URLAndOptionalHash

Field Summary
static ExtensionType TYPE
          The type (2) of the client_certificate_url extension.
 
Constructor Summary
ClientCertificateURL()
          Creates a new ClientCertificateURL extension object.
 
Method Summary
 java.lang.Object clone()
          Returns a clone of this ClientCertificateURL extension object.
 java.lang.String toString()
          Gets a String representation of this ClientCertificateURL.
 
Methods inherited from class iaik.security.ssl.Extension
getExtensionType, getName, getType, setCritical
 
Methods inherited from class java.lang.Object
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

TYPE

public static final ExtensionType TYPE
The type (2) of the client_certificate_url extension.

Constructor Detail

ClientCertificateURL

public ClientCertificateURL()
Creates a new ClientCertificateURL extension object.
This constructor may be used on client or server side to enable client_certificate_url extension support for the SSLClientContext/SSLServerContext configuration:

Client-side:

 // create ClientCertificateURL
 ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 ...
 extensions.addExtension(clientCertificateURL);
 ...
 // set extensions for the SSLClientContext configuration:
 SSLClientContext clientContext = new SSLClientContext();
 ...
 clientContext.setExtensions(extensions);
 ...
 
If you set the critical flag of a client-side extension to true (client-side default), the handshake will be aborted if the server does not respond with a client_certificate_url extension.

Server-side:

 // create ClientCertificateURL
 ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 ...
 extensions.addExtension(clientCertificateURL);
 ...
 // set extensions for the SSLServerContext configuration:
 SSLServerContext serverContext = new SSLServerContext();
 ...
 serverContext.setExtensions(extensions);
 ...
 
If you set the critical flag of this extension to true, the handshake will be aborted if the client does not send a client_certificate_url extension within the extended ClientHello message.

If the client has sent a client_certificate_url extension, the server will respond with a client_certificate_url extension if he is willing to process (is configured to) use client certificate urls.

Method Detail

clone

public java.lang.Object clone()
Returns a clone of this ClientCertificateURL extension object.

Overrides:
clone in class Extension
Returns:
a clone of this ClientCertificateURL

toString

public java.lang.String toString()
Gets a String representation of this ClientCertificateURL.

Specified by:
toString in class Extension
Returns:
"empty", since a client_certificate_url extension does not have a contents

This Javadoc may contain text parts from text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 5.104, (c) 2002 IAIK, (c) 2003 - 2015 SIC