iaik.security.ssl
Class SignatureAlgorithms

java.lang.Object
  extended by iaik.security.ssl.Extension
      extended by iaik.security.ssl.SignatureAlgorithms
All Implemented Interfaces:
java.lang.Cloneable

public class SignatureAlgorithms
extends Extension
implements java.lang.Cloneable

This class implements the TLS 1.2 signature_algorithms extension as specified by RFC 5246.

A TLS 1.2 client may send a SignatureAlgorithms extension within the ClientHello extension list to tell the server which SignatureAndHashAlgorithms the client can process, e.g., to verify the server certificates or to sign the CertificateVerify message.
The extension contains a list of SignatureAndHashAlgorithm elements specifying the supported signature algorithms as pairs of hash and signature algorithm ids:

    enum {
        none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
        sha512(6), (255)
    } HashAlgorithm;

    enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
      SignatureAlgorithm;

    struct {
        HashAlgorithm hash;
        SignatureAlgorithm signature;
    } SignatureAndHashAlgorithm;

    SignatureAndHashAlgorithm
      supported_signature_algorithms<2..2^16-2>;
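
The wire layout above can be decoded with a few lines of plain Java. The following is an added example, not part of iSaSiLk or of the original documentation; the class and method names are hypothetical, the sample bytes are constructed, and no iSaSiLk classes are used. It parses the extension data, rejects malformed length fields, and shows the membership check a strict peer would apply to an algorithm that was not offered:

```java
import java.util.ArrayList;
import java.util.List;

public class SignatureAlgorithmsWire {
    // Names indexed by the RFC 5246 code points quoted above.
    static final String[] HASH = {"none", "md5", "sha1", "sha224", "sha256", "sha384", "sha512"};
    static final String[] SIG = {"anonymous", "rsa", "dsa", "ecdsa"};

    static String name(int hash, int sig) {
        String h = hash < HASH.length ? HASH[hash] : "hash(" + hash + ")";
        String s = sig < SIG.length ? SIG[sig] : "sig(" + sig + ")";
        return h + "/" + s;
    }

    /** Parses the extension_data of a signature_algorithms extension (type 13). */
    static List<String> parse(byte[] data) {
        if (data.length < 2) throw new IllegalArgumentException("missing length prefix");
        int len = ((data[0] & 0xff) << 8) | (data[1] & 0xff);
        // supported_signature_algorithms<2..2^16-2>: non-empty, whole pairs, no trailing bytes
        if (len < 2 || len % 2 != 0 || len != data.length - 2)
            throw new IllegalArgumentException("malformed supported_signature_algorithms");
        List<String> algs = new ArrayList<>();
        for (int i = 2; i < data.length; i += 2)
            algs.add(name(data[i] & 0xff, data[i + 1] & 0xff));
        return algs;
    }

    public static void main(String[] args) {
        // Constructed sample: sha512/rsa, sha512/ecdsa, sha256/rsa
        byte[] sample = {0x00, 0x06, 0x06, 0x01, 0x06, 0x03, 0x04, 0x01};
        List<String> offered = parse(sample);
        System.out.println(offered);
        // Strict check: an algorithm the peer used must be one that was offered
        System.out.println("sha1/rsa offered? " + offered.contains(name(2, 1)));
        try {
            parse(new byte[] {0x00, 0x03, 0x06, 0x01, 0x06}); // odd length: truncated pair
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```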
 
The following SignatureAndHash algorithms are supported by iSaSiLk:

Only TLS clients can send a signature_algorithms extension; TLS servers MUST NOT send such an extension.

The signature_algorithms extension is managed automatically by iSaSiLk; thus an application usually does not have to take care of it. If TLS 1.2 is enabled by an iSaSiLk client, iSaSiLk automatically includes a default list containing all algorithms using SHA-256, SHA-512 or SHA-1 as hash/MAC algorithms and RSA, ECDSA or DSA as signature algorithms. The algorithms are listed in the following order:

If any of these algorithms is not supported by the cryptographic capabilities of the installed SecurityProvider, it is removed from the list.

An application only has to deal with the signature_algorithms extension if it wants to explicitly limit the list of supported algorithms to be sent to the server. If you, for instance, only want to use the SHA512withRSA and SHA512withECDSA algorithms, you may create a SignatureAlgorithms extension with these two SignatureAndHashAlgorithm elements:

 SignatureAndHashAlgorithm[] algorithms = {
   SignatureAndHashAlgorithm.SHA512withRSA,
   SignatureAndHashAlgorithm.SHA512withECDSA
 };
 // the constructor takes a SignatureAndHashAlgorithmList, not an array
 SignatureAlgorithms signatureAlgorithms = 
   new SignatureAlgorithms(new SignatureAndHashAlgorithmList(algorithms));
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 // ...
 extensions.addExtension(signatureAlgorithms);
 // ...
 // set extensions for the SSLClientContext configuration:
 SSLClientContext clientContext = new SSLClientContext();
 // SignatureAlgorithms only meaningful since TLS 1.2
 clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS12, SSLContext.VERSION_TLS12); 
 // ...
 clientContext.setExtensions(extensions);
 // ...
 
Although a server is not allowed to send a signature_algorithms extension, iSaSiLk allows a SignatureAlgorithms extension to be added to the extension list of an iSaSiLk server. The extension is omitted from the list sent to the client, and is only used if you want to limit the signature algorithms used by the server (e.g. for signing the ServerKeyExchange message, or suggesting supported signature algorithms for the client CertificateVerify when sending the CertificateRequest message).

The SignatureAndHashAlgorithms of this class are those suggested to the peer within the signature_algorithms extension or, e.g., the CertificateVerify message. They do not have to contain all algorithms that are supported. When receiving the supported algorithms list from the peer, iSaSiLk by default does not check against the sent list only, but also against all supported algorithms. If you strictly want to use the suggested algorithms only, you may mark this extension as critical. By default, both client-side and server-side SignatureAlgorithms extensions are considered NOT critical.

Version:
File Revision 27
See Also:
Extension, SignatureAndHashAlgorithm, SignatureAndHashAlgorithmList

Field Summary
static ExtensionType TYPE
          The type (13) of the signature_algorithms extension.
 
Constructor Summary
SignatureAlgorithms()
          Default constructor.
SignatureAlgorithms(SignatureAndHashAlgorithmList supportedAlgorithms)
          Creates a SignatureAlgorithms extension from the given list of supported signature algorithms.
 
Method Summary
 java.lang.Object clone()
          Returns a clone of this SignatureAlgorithms extension.
 boolean equals(java.lang.Object obj)
          Checks if this SignatureAlgorithms extension is equal to the given object.
 SignatureAndHashAlgorithmList getSupportedAlgorithms()
          Gets the supported signature algorithms included in this signature algorithms extension.
 int hashCode()
          Gets a hash code of this SignatureAlgorithms extension.
 void setIgnorePeerPreferenceOrder(boolean ignore)
          Whether to ignore the preference order of the algorithm list sent by the peer when selecting a signature algorithm for the current session.
 java.lang.String toString()
          Gets a String representation of this SignatureAlgorithms extension.
 
Methods inherited from class iaik.security.ssl.Extension
getExtensionType, getName, getType, setCritical
 
Methods inherited from class java.lang.Object
finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

TYPE

public static final ExtensionType TYPE
The type (13) of the signature_algorithms extension.

Constructor Detail

SignatureAlgorithms

public SignatureAlgorithms()
Default constructor. Creates a new SignatureAlgorithms extension with the default algorithm set.


SignatureAlgorithms

public SignatureAlgorithms(SignatureAndHashAlgorithmList supportedAlgorithms)
Creates a SignatureAlgorithms extension from the given list of supported signature algorithms.
This constructor shall be used on the client side to specify the supported signature algorithms that shall be sent to the server within an extended ClientHello message, e.g.:
 SignatureAndHashAlgorithm[] algorithms = {
   SignatureAndHashAlgorithm.SHA256withRSA,
   SignatureAndHashAlgorithm.SHA1withRSA,
 };
 SignatureAlgorithms signatureAlgorithms = 
   new SignatureAlgorithms(new SignatureAndHashAlgorithmList(algorithms));
 // add to ExtensionList
 ExtensionList extensions = new ExtensionList();
 // ...
 extensions.addExtension(signatureAlgorithms);
 // ...
 // set extensions for the SSLClientContext configuration:
 SSLClientContext clientContext = new SSLClientContext();
 // SignatureAlgorithms only meaningful since TLS 1.2
 clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12); 
 // ...
 clientContext.setExtensions(extensions);
 // ...
 
On the server side this constructor may be used to limit the list of supported signature algorithms used by the server. The extension will not be sent to the client.

Parameters:
supportedAlgorithms - the supported signature algorithms to be used
Throws:
java.lang.IllegalArgumentException - if the given algorithm list is null or empty
Method Detail

getSupportedAlgorithms

public SignatureAndHashAlgorithmList getSupportedAlgorithms()
Gets the supported signature algorithms included in this signature algorithms extension.

Returns:
the supported signature algorithms as list of SignatureAndHashAlgorithm

setIgnorePeerPreferenceOrder

public void setIgnorePeerPreferenceOrder(boolean ignore)
Whether to ignore the preference order of the algorithm list sent by the peer when selecting a signature algorithm for the current session. By default the algorithm is selected according to the preference order sent by the peer.

Parameters:
ignore - whether to ignore the peer algorithm list preference order when selecting the signature algorithm for the current session

hashCode

public int hashCode()
Gets a hash code of this SignatureAlgorithms extension.

Overrides:
hashCode in class java.lang.Object
Returns:
a hash code of this SignatureAlgorithms extension

equals

public boolean equals(java.lang.Object obj)
Checks if this SignatureAlgorithms extension is equal to the given object.

Two SignatureAlgorithms extensions are treated as equal if they contain the same SignatureAndHashAlgorithm objects (same number and same order). The critical value is not checked by this method.

Overrides:
equals in class java.lang.Object
Returns:
true if this SignatureAlgorithms extension is equal to the given object, false if it is not equal to it

clone

public java.lang.Object clone()
Returns a clone of this SignatureAlgorithms extension.

Overrides:
clone in class Extension
Returns:
a clone of this SignatureAlgorithms extension

toString

public java.lang.String toString()
Gets a String representation of this SignatureAlgorithms extension.

Specified by:
toString in class Extension
Returns:
a String representation of the SignatureAlgorithms extension

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 5.104, (c) 2002 IAIK, (c) 2003 - 2015 SIC