iaik.security.ssl.Extension
iaik.security.ssl.TrustedAuthorities
|
|||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
java.lang.Object
public class TrustedAuthorities
This class implements the TrustedAuthorities structure
as used by the trusted_ca_keys TLS extension.
A TLS client may use the trusted_ca_keys extension
to indicate to the server which ca keys he is willing to trust.
This information maybe used by the server to select a proper
certificate chain for authenticating itself to the client.
The trusted_ca_keys extension allows a client to send a list
of trusted authorities within the extended ClientHello message. The server
then may check if he has a certificate that has been issued by any
of the trusted authorities received from the client. TLS specifies
several types -- pre_agreed (no information),
key_sha1_hash (SHA-1 hash of the public
ca key), x509_name (DER encoded distinguished
name of the CA), cert_sha1_hash
(SHA-1 hash of the DER encoded CA certificate) -- that may be used
for identifying a trusted ca (see RFC 4366):
struct {
TrustedAuthority trusted_authorities_list<0..2^16-1>;
} TrustedAuthorities;
struct {
IdentifierType identifier_type;
select (identifier_type) {
case pre_agreed: struct {};
case key_sha1_hash: SHA1Hash;
case x509_name: DistinguishedName;
case cert_sha1_hash: SHA1Hash;
} identifier;
} TrustedAuthority;
enum {
pre_agreed(0), key_sha1_hash(1), x509_name(2),
cert_sha1_hash(3), (255)
} IdentifierType;
opaque DistinguishedName<1..2^16-1>;
On the client side, if you want to send a trusted_ca_keys extension
to the server, you may let iSaSiLk calculate the trusted authorities
or you may explicitly calculate and set them when creating a TrustedAuthorities object.
In the first case iSaSiLk will ask the inherent client ChainVerifier for a list of trusted ca certificates to calculate a corresponding list of TrustedAuthority
elements. All these elements will all have the identifier type that you have specified when
creating the TrustedAuthorities object:
// identifier type int identifierType = TrustedAuthority.ID_CERT_SHA1_HASH; // create TrustedAuthorities TrustedAuthorities trustedAuthorities = new TrustedAuthorities(identifierType); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); // extensions are only defined for TLS clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12); ... clientContext.setExtensions(extensions); ...
When setting the
TrustedAuthorities list of a trusted_ca_keys
extension for an SSLClientContext, iSaSiLk
asks the client chain verifier for the trusted CA certificates and
calculates a TrustedAuthority of identifier type
CERT_SHA1_HASH
for each trusted CA certificate.
You also can use the empty default constructor
to create a TrustedAuthorities object on the client side.
In this case iSaSiLk will calculate and send a TrustedAuthority
of identifier type CERT_SHA1_HASH
for each trusted CA certificate.
On the client side, if you set the criticaltrue
(client-side default), the handshake will be aborted if the server does
not respond with a trusted_ca_keys extension.
On the server side you only have to tell the SSLServerContext
configuration whether to support the trusted_ca_keys extension
or not. The server only will send an empty
TrustedAuthorities list in response to a trusted_ca_keys
extension received from the client. Thus no trusted authorities are required
when configuring the SSLServerContext to support the
trusted_ca_keys extension:
// create TrustedAuthorities TrustedAuthorities trustedAuthorities = new TrustedAuthorities(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLServerContext configuration: SSLServerContext serverContext = new SSLServerContext(); ... serverContext.setExtensions(extensions); ...If you set the
criticaltrue, the
handshake will be aborted if the client does not send a trusted_ca_keys
extension within the extended ClientHello message.
TrustedAuthority,
Extension,
ExtensionList| Field Summary | |
|---|---|
static ExtensionType |
TYPE
The type (3) of the trusted_ca_keys extension. |
| Constructor Summary | |
|---|---|
TrustedAuthorities()
Creates a new TrustedAuthorities object. |
|
TrustedAuthorities(int identifierType)
Creates a TrustedAuthorities object with the given identifier type. |
|
TrustedAuthorities(int identifierType,
java.security.cert.X509Certificate[] certificates)
Creates a TrustedAuthorities object with the given identifier type for certificates of several trusted authorities. |
|
TrustedAuthorities(TrustedAuthority[] authorities)
Creates a TrustedAuthorities object with the given authorities. |
|
| Method Summary | |
|---|---|
java.lang.Object |
clone()
Returns a clone of this TrustedAuthorities object. |
boolean |
contains(TrustedAuthority trustedAuthority)
Checks id this TrustedAuthorities object contains the given TrustedAuthority element. |
TrustedAuthority[] |
getTrustedAuthorities()
Gets the trusted authorities included in this TrustedAuthorities list. |
TrustedAuthority[] |
getTrustedAuthorities(int identifierType)
Gets all trusted authorities included in this TrustedAuthorities list that have the given identifier. |
java.lang.String |
toString()
Gets a String representation of this TrustedAuthorities object. |
| Methods inherited from class iaik.security.ssl.Extension |
|---|
getAllowedProtocolVersions, getExtensionType, getName, getType, setCritical |
| Methods inherited from class java.lang.Object |
|---|
equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait |
| Field Detail |
|---|
public static final ExtensionType TYPE
| Constructor Detail |
|---|
public TrustedAuthorities()
trusted_ca_keys extension support for
the SSLServerContext configuration:
// create TrustedAuthorities TrustedAuthorities trustedAuthorities = new TrustedAuthorities(); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLServerContext configuration: SSLServerContext serverContext = new SSLServerContext(); ... serverContext.setExtensions(extensions); ...If you set the
criticaltrue, the handshake will be aborted
if the client does not send a trusted_ca_keys extension within the
extended ClientHello message.
If the client has sent a trusted_ca_keys extension, the server will respond with an empty trusted_ca_keys extension.
If this constructor is used on the client side iSaSiLk tries to calculate and send
a list of trusted authorities of type CERT_SHA1_HASH
from the trusted ca keys
that have been configured for the iSaSiLk client.
public TrustedAuthorities(int identifierType)
trusted ca keys that have been configured for the iSaSiLk client.
To, for instance, calculate and send trusted authorities of identifier
type CERT_SHA1_HASH specifiy TrustedAuthority.ID_CERT_SHA1_HASHTrustedauthorities object:
// create TrustedAuthorities int identifierType = TrustedAuthority.ID_CERT_SHA1_HASH; TrustedAuthorities trustedAuthorities = new TrustedAuthorities(identifierType); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); ... clientContext.setExtensions(extensions); ...
When now sending a trusted_ca_keys extension to the server, iSaSiLk
asks the client chain verifier for the trusted CA certificates and
calculates a TrustedAuthority of identifier type
CERT_SHA1_HASH
for each trusted CA certificate. (Note that the same identifier type
(CERT_SHA1_HASH) will
be used when you create a TrustedAuthorities object
with the empty default constructor
on the client side). If the client chain verifier does not contain
trusted ca certificates, no trusted_ca_keys extension will
be sent at all.
If you set the criticaltrue (client-side default), the
handshake will be aborted if the server does not respond with a
trusted_ca_keys extension.
identifierType - the identifier type of the trusted authorities
to be calculated
java.lang.IllegalArgumentException - if identifierType is invalid (not
PRE_AGREED (0),
KEY_SHA1_HASH (1),
KEY_X509_NAME (2), or
CERT_SHA1_HASH (3))
public TrustedAuthorities(int identifierType,
java.security.cert.X509Certificate[] certificates)
throws java.lang.Exception
trusted ca keys that have been configured for the iSaSiLk client, e.g.:
// get trusted certs from ChainVerifier ChainVerifier chainVerifier = ...; X509Certificate trustedCerts = chainVerifier.getTrustedCertificatesArray(); // create TrustedAuthorities int identifierType = TrustedAuthority.ID_CERT_SHA1_HASH; TrustedAuthorities trustedAuthorities = new TrustedAuthorities(identifierType, trustedCerts); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); ... clientContext.setExtensions(extensions); ...
Now iSaSiLk tries to calculate a TrustedAuthority
of identifier type CERT_SHA1_HASH
for each of the given trusted CA certificate.
If you set the criticaltrue (client-side default), the
handshake will be aborted if the server does not respond with a
trusted_ca_keys extension.
identifierType - the identifier type of the trusted authorities
to be calculatedcertificates - the trusted certificates from which the trusted authorities
of the requested type shall be calculated
java.lang.IllegalArgumentException - if identifierType is invalid (not
PRE_AGREED (0),
KEY_SHA1_HASH (1),
KEY_X509_NAME (2), or
CERT_SHA1_HASH (3))
java.lang.Exception - if an error occurs when calculating the TrustedAuthority
for any of the given certificatespublic TrustedAuthorities(TrustedAuthority[] authorities)
// create TrustedAuthorities TrustedAuthority[] authorities = ...; TrustedAuthorities trustedAuthorities = new TrustedAuthorities(authorities); // add to ExtensionList ExtensionList extensions = new ExtensionList(); ... extensions.addExtension(trustedAuthorities); ... // set extensions for the SSLClientContext configuration: SSLClientContext clientContext = new SSLClientContext(); ... clientContext.setExtensions(extensions); ...If you set the
criticaltrue (client-side default), the
handshake will be aborted if the server does not respond with a
trusted_ca_keys extension.
authorities - the trusted authorities to be sent to the server
(the authorities array is not cloned or copied by this method)| Method Detail |
|---|
public TrustedAuthority[] getTrustedAuthorities()
TrustedAuthoritynull or empty if no trusted
authorities are included in the list
(the returned array is not cloned or copied by this method)public TrustedAuthority[] getTrustedAuthorities(int identifierType)
null
if there are no trusted authorities with this identifierpublic boolean contains(TrustedAuthority trustedAuthority)
trustedAuthority - the trusted authority to be asked for
true if the given trusted authority is included,
false if it is not inlcludedpublic java.lang.Object clone()
clone in class Extensionpublic java.lang.String toString()
toString in class Extension
|
This Javadoc may contain text parts from text parts from IETF Internet Standard specifications (see copyright note). | ||||||||
| PREV CLASS NEXT CLASS | FRAMES NO FRAMES | ||||||||
| SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD | ||||||||
iSaSiLk 6.0, (c) 2002 IAIK, (c) 2003 - 2015 SIC