java.lang.Object
  iaik.security.ssl.Extension
    iaik.security.ssl.CertificateAuthorities

public class CertificateAuthorities extends Extension
This class implements the TLS 1.3 CertificateAuthorities
(certificate_authorities) TLS extension as specified by RFC 8446.
TLS 1.3 defines the CertificateAuthorities extension as a list of the distinguished names of certificate authorities that may be accepted as peer certificate issuing authorities:

    opaque DistinguishedName<1..2^16-1>;

    struct {
        DistinguishedName authorities<3..2^16-1>;
    } CertificateAuthoritiesExtension;

The client may send the certificate_authorities extension in the ClientHello message; the server may send it in the CertificateRequest message.
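As an added illustration that is not part of the iSaSiLk library or this Javadoc, the following Python encoder/decoder handles the extension body defined by the struct above, enforcing the 1..2^16-1 and 3..2^16-1 vector bounds. The DER names it produces are minimal, hand-built sample Names with a single commonName (assumed short-form lengths), not real CA names.

```python
# Added example: wire format of the TLS 1.3 certificate_authorities extension body
# (RFC 8446): a 2-byte vector length, then (2-byte length, DER X.501 Name) pairs.
import struct

MAX_U16 = 0xFFFF

def encode_certificate_authorities(names):
    """Serialize DER-encoded names into the authorities<3..2^16-1> vector."""
    body = b""
    for dn in names:
        if not 1 <= len(dn) <= MAX_U16:           # DistinguishedName<1..2^16-1>
            raise ValueError("DistinguishedName length out of range")
        body += struct.pack("!H", len(dn)) + dn
    if not 3 <= len(body) <= MAX_U16:             # empty list is not encodable
        raise ValueError("authorities vector length out of range")
    return struct.pack("!H", len(body)) + body

def decode_certificate_authorities(data):
    """Parse an extension body; reject truncated, trailing or malformed data."""
    if len(data) < 2:
        raise ValueError("missing authorities length")
    (total,) = struct.unpack("!H", data[:2])
    if total < 3 or len(data) != 2 + total:       # no trailing bytes allowed
        raise ValueError("authorities vector length mismatch")
    names, pos, end = [], 2, 2 + total
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if dn_len < 1 or pos + dn_len > end:
            raise ValueError("DistinguishedName length out of range")
        names.append(data[pos:pos + dn_len])
        pos += dn_len
    return names

def der_name_cn(cn):
    """Constructed sample: DER Name with one RDN holding commonName (OID 2.5.4.3)."""
    value = cn.encode("utf-8")
    value = b"\x0c" + bytes([len(value)]) + value             # UTF8String
    atv = b"\x06\x03\x55\x04\x03" + value                     # OID 2.5.4.3 + value
    atv = b"\x30" + bytes([len(atv)]) + atv                   # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                   # RelativeDistinguishedName SET
    return b"\x30" + bytes([len(rdn)]) + rdn                  # Name SEQUENCE

def is_rejected(fn, *args):
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```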
On the server side, when building the CertificateRequest message, iSaSiLk automatically calculates the certificate_authorities extension from the ChainVerifier-configured trusted authorities. No interaction from the application is required.
On the client side the application has to decide whether it wants to send a certificate_authorities extension with the ClientHello message. For instance, the client may get the trusted authorities from the ChainVerifier and use them when creating the CertificateAuthorities extension:

    SSLClientContext clientContext = ...;
    ExtensionList extensions = new ExtensionList();
    ...
    // take the trusted CAs from the client's ChainVerifier
    ChainVerifier chainVerifier = clientContext.getChainVerifier();
    Principal[] trustedCAs = chainVerifier.getTrustedPrincipalsArray();
    CertificateAuthorities certAuthorities = new CertificateAuthorities(trustedCAs);
    extensions.addExtension(certAuthorities);
    ...
    clientContext.setExtensions(extensions);

Note that an iSaSiLk server does not process a certificate_authorities extension received within the ClientHello message automatically. By default an iSaSiLk server will ignore the certificate_authorities sent by the client and not use it for server certificate selection. To tell an iSaSiLk server to process a certificate_authorities extension received from the client, the application has to set an empty CertificateAuthorities extension object for its server context:
    SSLServerContext serverContext = ...;
    ExtensionList extensions = new ExtensionList();
    ...
    // empty extension: enables processing of the client's certificate_authorities
    CertificateAuthorities certAuthorities = new CertificateAuthorities();
    extensions.addExtension(certAuthorities);
    ...
    serverContext.setExtensions(extensions);

The critical flag has no meaning for the CertificateAuthorities extension.
See Also: Extension, ExtensionList
Field Summary

Modifier and Type | Field | Description
---|---|---
static ExtensionType | TYPE | The type (47) of the certificate_authorities extension.

Constructor Summary

Constructor | Description
---|---
CertificateAuthorities() | Default Constructor.
CertificateAuthorities(java.security.Principal[] authorities) | Creates a CertificateAuthorities extension for the given authorities.
CertificateAuthorities(java.security.cert.X509Certificate[] certificates) | Creates a CertificateAuthorities extension from the given CA certificates.

Method Summary

Modifier and Type | Method | Description
---|---|---
void | addAuthority(java.security.Principal authority) | Adds the given authority.
void | addAuthority(java.security.cert.X509Certificate certificate) | Adds the given authority (subjectDN of the given CA certificate).
java.lang.Object | clone() | Returns a clone of this CertificateAuthorities extension object.
java.security.Principal[] | getAuthorities() | Gets the authorities included in this CertificateAuthorities extension.
void | setCritical(boolean critical) | Does nothing since the critical value has no meaning for this extension.
int | size() | Gets the number of authorities included in this CertificateAuthorities extension.
java.lang.String | toString() | Gets a String representation of this CertificateAuthorities object.

Methods inherited from class iaik.security.ssl.Extension: getAllowedProtocolVersions, getExtensionType, getName, getType

Methods inherited from class java.lang.Object: equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Field Detail

    public static final ExtensionType TYPE

The type (47) of the certificate_authorities extension.

Constructor Detail

    public CertificateAuthorities()

Default Constructor.

    public CertificateAuthorities(java.security.Principal[] authorities)

Creates a CertificateAuthorities extension for the given authorities.
Parameters: authorities - the list of authorities as Principal objects

    public CertificateAuthorities(java.security.cert.X509Certificate[] certificates)

Creates a CertificateAuthorities extension from the given CA certificates. The authorities list is built from the subjectDNs of the given certificates.
Parameters: certificates - the certificates from which to create the CertificateAuthorities extension

Method Detail

    public void addAuthority(java.security.Principal authority)

Adds the given authority.
Parameters: authority - the authority to be added as Principal object

    public void addAuthority(java.security.cert.X509Certificate certificate)

Adds the given authority (subjectDN of the given CA certificate).
Parameters: certificate - the certificate from which to get the subjectDN

    public java.security.Principal[] getAuthorities()

Gets the authorities included in this CertificateAuthorities extension.
Returns: the authorities, or null if no authorities are included

    public int size()

Gets the number of authorities included in this CertificateAuthorities extension.

    public void setCritical(boolean critical)

Does nothing since the critical value has no meaning for this extension.
Overrides: setCritical in class Extension
Parameters: critical - true if the extension is critical, false if not

    public java.lang.Object clone()

Returns a clone of this CertificateAuthorities extension object.
Overrides: clone in class Extension

    public java.lang.String toString()

Gets a String representation of this CertificateAuthorities object.
Overrides: toString in class Extension
This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).