iaik.security.ssl
Class TLS13OCSPCertStatusChainVerifier

java.lang.Object
  extended by iaik.security.ssl.ChainVerifier
      extended by iaik.security.ssl.OCSPCertStatusChainVerifier
          extended by iaik.security.ssl.TLS13OCSPCertStatusChainVerifier

public class TLS13OCSPCertStatusChainVerifier
extends OCSPCertStatusChainVerifier

This class represents a ChainVerifier that may be used for checking OCSP certificate status information about the peer certificate.

When a TLS version prior to 1.2 is used, certificate status information may only be provided by the server, which sends a certificate_status handshake message in response to a status_request extension sent by the client.

When TLS 1.3 or later is used, certificate status information may be provided by both client and server. If the client wants to get certificate status information from the server, the client sends a status_request extension in the ClientHello message. The server can then provide certificate status information by including a status_request extension in the certificate entries of the server certificate message.
If the server requests client authentication and wants the client to provide status information along with its certificates, the server sends a status_request extension with its certificate_request message. The client can then provide certificate status information by including a status_request extension in the certificate entries of the client certificate message.

When a TLS version prior to 1.2 is used, this ChainVerifier can be used to check OCSP status information for the server certificate by calling method verifyChain(X509Certificate[] certs, SSLTransport transport, int statusType, byte[] statusRequest, byte[] statusResponse).

When TLS 1.3 or later is used, this ChainVerifier can be used to check OCSP status information for both client and server certificates by calling method verifyChain(CertificateEntry[] certEntries, SSLTransport transport, int statusType, byte[] statusRequest).

This class works in the same way as the parent ChainVerifier class, except that it additionally checks OCSP status information sent by the server.

Since OCSP cannot be handled in a crypto-provider independent way, using this class requires that you have IAIK-JCE (iaik_jce(_full).jar) in your classpath. Note that by default the standard ChainVerifier is used for certificate chain verification. To enable this TLS13OCSPCertStatusChainVerifier, set it on your SSLClientContext:

  SSLContext context = ...;
  ...
  TLS13OCSPCertStatusChainVerifier ocspCertStatusChainVerifier = new TLS13OCSPCertStatusChainVerifier();
  context.setChainVerifier(ocspCertStatusChainVerifier);
 
If the peer has sent OCSP status information, this class, after having verified the peer certificate chain, checks the provided status information and rejects the peer certificate(s) if any of the following conditions occur:

Note that this ChainVerifier tries to verify status information for any certificate of the peer certificate chain as long as status information is provided for this certificate. This means that this ChainVerifier skips the status information verification for any certificate for which no status information is provided. However, if the status_request extension sent to the peer has been marked as critical, iSaSiLk will reject the peer certificate chain if no status information is provided for the client/server certificate (the certificate at index 0 of the peer certificate chain). Note that this check is already done before the verifyChain method is called, because the ChainVerifier does not have access to the critical flag of the status_request extension.
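Because status verification is skipped whenever no status information is present, a context that installs this verifier but never sends a status_request extension silently falls back to plain chain validation. The following added example (not part of the iSaSiLk documentation or library) is a subclass that fails closed in that case; the class name StatusRequestRequiredChainVerifier and the install helper are hypothetical, and it relies only on the verifyChain signature, the -1/null convention and the setChainVerifier call documented on this page.

```java
import iaik.security.ssl.SSLContext;
import iaik.security.ssl.SSLTransport;
import iaik.security.ssl.TLS13Certificate;
import iaik.security.ssl.TLS13OCSPCertStatusChainVerifier;

/**
 * Hypothetical subclass (not part of iSaSiLk): rejects the peer chain when the
 * handshake carried no status_request, instead of validating without any
 * OCSP status check.
 */
public class StatusRequestRequiredChainVerifier
    extends TLS13OCSPCertStatusChainVerifier {

  @Override
  public boolean verifyChain(TLS13Certificate.CertificateEntry[] certEntries,
                             SSLTransport transport,
                             int statusType,
                             byte[] statusRequest) {
    // Documented convention: statusType == -1 and statusRequest == null mean
    // that no status_request extension has been sent to the peer.
    if (statusType == -1 || statusRequest == null) {
      return false; // fail closed: local configuration never asked for status
    }
    // Delegate chain validation and the OCSP status checks to the parent.
    // Any SSLCertificateRuntimeException thrown there propagates unchanged.
    return super.verifyChain(certEntries, transport, statusType, statusRequest);
  }

  /** Hypothetical helper: installs this verifier on an existing context. */
  public static void install(SSLContext context) {
    context.setChainVerifier(new StatusRequestRequiredChainVerifier());
  }
}
```

This guards only the local configuration. Whether the peer must actually supply status information for the certificate at index 0 is decided by the critical flag of the status_request extension, which is checked before verifyChain is called.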

See Also:
ChainVerifier, OCSPCertStatusChainVerifier, CertificateStatusRequest

Field Summary
 
Fields inherited from class iaik.security.ssl.ChainVerifier
CACHE_SIZE, cachedCerts, cacheSize, checkServerName, nullTrusted, trustedCerts
 
Constructor Summary
TLS13OCSPCertStatusChainVerifier()
          Creates a new ChainVerifier.
 
Method Summary
 boolean verifyChain(TLS13Certificate.CertificateEntry[] certEntries, SSLTransport transport, int statusType, byte[] statusRequest)
          Verifies a TLS 1.3 certificate chain.
 
Methods inherited from class iaik.security.ssl.OCSPCertStatusChainVerifier
setAccuracy, setTrustedResponders, verifyChain, verifyDelegatedResponderCert
 
Methods inherited from class iaik.security.ssl.ChainVerifier
addTrustedCertificate, cacheCertificate, cacheCertificates, clearCachedCertificates, clearTrustedCertificates, dumpCertificateChain, getCertificateChain, getCheckServerName, getIssuerCertificate, getTrustedCertificates, getTrustedCertificatesArray, getTrustedPrincipals, getTrustedPrincipalsArray, isCachedCertificate, isTrustedCertificate, removeTrustedCertificate, setCacheSize, setCheckServerName, size, verifyCertificate, verifyChain, verifyClient, verifyServer
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

TLS13OCSPCertStatusChainVerifier

public TLS13OCSPCertStatusChainVerifier()
Creates a new ChainVerifier. Initially the list of trusted certificates is empty.

Method Detail

verifyChain

public boolean verifyChain(TLS13Certificate.CertificateEntry[] certEntries,
                           SSLTransport transport,
                           int statusType,
                           byte[] statusRequest)
                    throws SSLCertificateRuntimeException
Verifies a TLS 1.3 certificate chain.

This method works in the same way as the same-named verifyChain(CertificateEntry[], SSLTransport, int, byte[]) method of the parent ChainVerifier class, but additionally checks OCSP status information, if provided by the peer in response to a certificate status_request.

The statusRequest parameter is only meaningful if a CertificateStatusRequest extension has been sent to the peer. In this case the certificate entries of the peer certificate message may contain status information.

Overrides:
verifyChain in class ChainVerifier
Parameters:
certEntries - the TLS 1.3 certificate entries sent within the TLS 1.3 peer certificate message
transport - the SSLTransport, may be required to query for information (e.g. client mode) and/or for printing debug information
statusType - the type of the certificate status request sent to the peer (and of the status response received from the peer), or -1 if no status_request extension has been sent to the peer
statusRequest - the (TLS) encoded status request sent to the peer, or null if no status_request extension has been sent to the peer
Throws:
SSLCertificateRuntimeException - may be used by an application to wrap an exception thrown by some self-designed ChainVerifier implementation
See Also:
TLS13OCSPCertStatusChainVerifier

This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).

iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC