public class ClientCertificateURL extends Extension implements java.lang.Cloneable
In constrained environments a client may prefer not to store its certificates. In this case it may send an empty client_certificate_url extension to the server to indicate that it will send a CertificateURL handshake message (instead of a Certificate message) containing a list of URLs from which the server may download the client certificate(s). If the server agrees to use client certificate URLs, it responds with a (likewise empty) client_certificate_url extension in its extended ServerHello message.
Since the "extension_data" field of the client_certificate_url extension is always empty, you only need to put an (empty) ClientCertificateURL object into your client/server ExtensionList to tell your iSaSiLk SSLClientContext/SSLServerContext that client certificate URLs may be used (e.g., on the client side):
```java
// create ClientCertificateURL
ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(clientCertificateURL);
...
// set extensions for the SSLClientContext configuration:
SSLClientContext clientContext = new SSLClientContext();
// extensions are only defined for TLS
clientContext.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12);
...
clientContext.setExtensions(extensions);
...
```

If you set the critical flag of a client-side ClientCertificateURL to true (the client-side default), the handshake will be aborted if the server does not respond with a client_certificate_url extension.
On the server side the procedure is much the same:
```java
// create ClientCertificateURL
ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(clientCertificateURL);
...
// set extensions for the SSLServerContext configuration:
SSLServerContext serverContext = new SSLServerContext();
...
serverContext.setExtensions(extensions);
...
```

If you set the critical flag of a server-side client_certificate_url extension to true, the handshake will be aborted if the client does not send a client_certificate_url extension within the extended ClientHello message.
Using client certificate URLs requires no additional configuration on the server side. On the client side, however, you must configure your SSLClientContext with client credentials of type KeyAndCertURL to tell iSaSiLk which URL(s) shall be sent to the server (see the javadoc of class KeyAndCertURL for a detailed description and a usage example).
From the configured KeyAndCertURL credentials iSaSiLk then takes the URL(s) to be sent to the server within a CertificateURL handshake message (instead of sending a Certificate message).
If you have configured your iSaSiLk client to use client certificate URLs (and the server has agreed to use them), but you have not set client KeyAndCertURL credentials (only common KeyAndCert credentials), the client will send a full Certificate message (instead of a CertificateURL message), provided you have configured your ClientCertificateURL extension as NOT critical.
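As an added example (not code from the iSaSiLk javadoc), the client and server contexts configured so that neither side aborts when its peer does not use the extension: the client-side ClientCertificateURL is switched from its critical default to non-critical via the setCritical method inherited from Extension, so a server that declines the extension, or a client holding only KeyAndCert credentials, still completes the handshake with a full Certificate message. The package name iaik.security.ssl, the helper class name and the boolean parameter of setCritical are assumptions.

```java
import iaik.security.ssl.ClientCertificateURL;   // package name assumed
import iaik.security.ssl.ExtensionList;
import iaik.security.ssl.SSLClientContext;
import iaik.security.ssl.SSLContext;
import iaik.security.ssl.SSLServerContext;

// Hypothetical helper class; not part of iSaSiLk.
public class ClientCertURLConfig {

  /** Client context that offers client_certificate_url but tolerates a server that declines it. */
  public static SSLClientContext clientContext() {
    ClientCertificateURL ext = new ClientCertificateURL();
    // The client-side default is critical = true, which aborts the handshake when the
    // server does not echo the extension. Non-critical lets the handshake fall back to a
    // regular Certificate message (also the path taken when only KeyAndCert credentials
    // are configured). setCritical is inherited from Extension; boolean argument assumed.
    ext.setCritical(false);

    ExtensionList extensions = new ExtensionList();
    extensions.addExtension(ext);

    SSLClientContext ctx = new SSLClientContext();
    // extensions are only defined for TLS, so SSLv3 is excluded
    ctx.setAllowedProtocolVersions(SSLContext.VERSION_TLS10, SSLContext.VERSION_TLS12);
    ctx.setExtensions(extensions);
    // Client credentials of type KeyAndCertURL (which carry the URL(s) to be sent) are
    // configured here as well; see the KeyAndCertURL javadoc for that API.
    return ctx;
  }

  /** Server context that accepts client_certificate_url without requiring it. */
  public static SSLServerContext serverContext() {
    ClientCertificateURL ext = new ClientCertificateURL();
    // Non-critical on the server: a client that sends no client_certificate_url
    // extension is still admitted and presents an ordinary Certificate message.
    ext.setCritical(false);

    ExtensionList extensions = new ExtensionList();
    extensions.addExtension(ext);

    SSLServerContext ctx = new SSLServerContext();
    ctx.setExtensions(extensions);
    return ctx;
  }
}
```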
See Also: Extension, ExtensionList, KeyAndCertURL, URLAndOptionalHash
| Modifier and Type | Field and Description |
|---|---|
| static ExtensionType | TYPE: The type (2) of the client_certificate_url extension. |
| Constructor and Description |
|---|
| ClientCertificateURL(): Creates a new ClientCertificateURL extension object. |
| Modifier and Type | Method and Description |
|---|---|
| java.lang.Object | clone(): Returns a clone of this ClientCertificateURL extension object. |
| java.lang.String | toString(): Gets a String representation of this ClientCertificateURL. |
getAllowedProtocolVersions, getExtensionType, getName, getType, setCritical
public static final ExtensionType TYPE
public ClientCertificateURL()
Creates a new ClientCertificateURL extension object to be used for client_certificate_url extension support in the SSLClientContext/SSLServerContext configuration:
Client-side:

```java
// create ClientCertificateURL
ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(clientCertificateURL);
...
// set extensions for the SSLClientContext configuration:
SSLClientContext clientContext = new SSLClientContext();
...
clientContext.setExtensions(extensions);
...
```

If you set the critical flag of a client-side extension to true (the client-side default), the handshake will be aborted if the server does not respond with a client_certificate_url extension.
Server-side:

```java
// create ClientCertificateURL
ClientCertificateURL clientCertificateURL = new ClientCertificateURL();
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(clientCertificateURL);
...
// set extensions for the SSLServerContext configuration:
SSLServerContext serverContext = new SSLServerContext();
...
serverContext.setExtensions(extensions);
...
```

If you set the critical flag of this extension to true, the handshake will be aborted if the client does not send a client_certificate_url extension within the extended ClientHello message.
If the client has sent a client_certificate_url extension, the server will respond with a client_certificate_url extension if it is willing (i.e., configured) to use client certificate URLs.