iaik.security.ssl.Extension
iaik.security.ssl.ClientCertificateURL
|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Object
public class ClientCertificateURL
This class implements the client_certificate_url TLS extension.
In constrained environments a client may want to not store his
certificates. In this case he may send an empty
client_certificate_url extension to the server to indicate
that he will send a CertificateURL handshake message
(instead of a Certificate message) containing a list of urls from where the
server may download the client certificate(s). If the server
agrees to use client certificate urls he responds with an -- also empty --
client_certificate_url extension in his extended ServerHello
message.
Since the "extension_data" field of the client_certificate_url
extension is always empty, you only must put an (empty)
ClientCertificateURL object into your client/server
ExtensionList to tell your iSaSiLk
SSLClientContext/SSLServerContext
that client certificates maybe used (e.g, on the client side):
// create ClientCertificateURL ClientCertificateURL clientCertificateURL = new ClientCertificateURL(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(clientCertificateURL); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); // extensions are only defined for TLS clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12); ... clientContext.setExtensions(extensions); ...If you set the
criticalClientCertificateURL to true
(client-side default), the handshake will be aborted if the server does
not respond with a client_certificate_url extension.
On the server side the proceeding is quite the same:
// create ClientCertificateURL ClientCertificateURL clientCertificateURL = new ClientCertificateURL(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(clientCertificateURL); ... // set extensions for the SSLServerContext configuration: SSLServerContext serverContext = new SSLServerContext(); ... serverContext.setExtensions(extensions); ...If you set the
criticaltrue, the
handshake will be aborted if the client does not send a client_certificate_url
extension within the extended ClientHello message.
For using client certificate urls no additional configuration is required
on the server side. However, on the client side you must configure your
SSLClientContext with client credentials of type KeyAndCertURL to tell iSaSiLk which url(s) shall be
sent to the server (see (see javadoc of class
KeyAndCertUrl for a detailed desciption and an usage example).
From the configured KeyAndCertUrl credentials iSaSiLk then
will take the url(s) to be sent to the server within a CertificateURL
handshake message (instead of sending a Certificate message).
If you have configured your iSaSiLk client to use client certificate urls
(and the server has agreed to use it), but you did not have set client
KeyAndCertURL credentials (but only common KeyAndCert credentials) the
the client will send a full Certificate message (instead
of a CertificateURL message) of you have configured your
ClientCertificateURL extension as being NOT critical.
Extension,
ExtensionList,
KeyAndCertURL,
URLAndOptionalHash| Field Summary | |
|---|---|
static ExtensionType |
TYPE
The type (2) of the client_certificate_url extension. |
| Constructor Summary | |
|---|---|
ClientCertificateURL()
Creates a new ClientCertificateURL extension object. |
|
| Method Summary | |
|---|---|
java.lang.Object |
clone()
Returns a clone of this ClientCertificateURL extension object. |
java.lang.String |
toString()
Gets a String representation of this ClientCertificateURL. |
| Methods inherited from class iaik.security.ssl.Extension |
|---|
getAllowedProtocolVersions, getExtensionType, getName, getType, setCritical |
| Methods inherited from class java.lang.Object |
|---|
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
| Field Detail |
|---|
public static final ExtensionType TYPE
| Constructor Detail |
|---|
public ClientCertificateURL()
client_certificate_url extension support for
the SSLClientContext/SSLServerContext
configuration:
Client-side:
// create ClientCertificateURL ClientCertificateURL clientCertificateURL = new ClientCertificateURL(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(clientCertificateURL); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); ... clientContext.setExtensions(extensions); ...If you set the
criticaltrue (client-side default),
the handshake will be aborted if the server does not respond with a
client_certificate_url extension.
Server-side:
// create ClientCertificateURL ClientCertificateURL clientCertificateURL = new ClientCertificateURL(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(clientCertificateURL); ... // set extensions for the SSLServerContext configuration: SSLServerContext serverContext = new SSLServerContext(); ... serverContext.setExtensions(extensions); ...If you set the
criticaltrue, the handshake will be aborted
if the client does not send a client_certificate_url extension within the
extended ClientHello message.
If the client has sent a client_certificate_url extension, the server will respond with a client_certificate_url extension if he is willing to process (is configured to) use client certificate urls.
| Method Detail |
|---|
public java.lang.Object clone()
clone in class Extensionpublic java.lang.String toString()
toString in class Extension
|
This Javadoc may contain text parts from text parts from IETF Internet Standard specifications (see copyright note). | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC