java.lang.Object
  iaik.security.ssl.Extension
    iaik.security.ssl.SignatureAlgorithms
      iaik.security.ssl.SignatureAlgorithmsCert

public class SignatureAlgorithmsCert

This class implements the signature_algorithms_cert extension (RFC 8446).
Although the SignatureAlgorithmsCert extension is specified for TLS 1.3 (RFC 8446), it may also be used for TLS 1.2. The SignatureAlgorithmsCert extension is intended to be used if different sets of signature algorithms/schemes shall be used for certificate signatures and signatures used within TLS handshake messages (e.g. ServerKeyExchange, CertificateVerify).
A TLS client may send a SignatureAlgorithmsCert extension with the ClientHello
extension list to tell the server which signature algorithms the client can
process to verify certificate signatures. In TLS 1.3 the server may include
a SignatureAlgorithmsCert extension within the CertificateRequest message to
tell the client which signature algorithms may be used for the client certificate.
The SignatureAlgorithmsCert extension has the same structure as the SignatureAlgorithms
extension (see RFC 8446):
```
enum {
    // RSASSA-PKCS1-v1_5 algorithms
    rsa_pkcs1_sha256(0x0401),
    rsa_pkcs1_sha384(0x0501),
    rsa_pkcs1_sha512(0x0601),

    // ECDSA algorithms
    ecdsa_secp256r1_sha256(0x0403),
    ecdsa_secp384r1_sha384(0x0503),
    ecdsa_secp521r1_sha512(0x0603),

    // RSASSA-PSS algorithms with public key OID rsaEncryption
    rsa_pss_rsae_sha256(0x0804),
    rsa_pss_rsae_sha384(0x0805),
    rsa_pss_rsae_sha512(0x0806),

    // EdDSA algorithms
    ed25519(0x0807),
    ed448(0x0808),

    // RSASSA-PSS algorithms with public key OID RSASSA-PSS
    rsa_pss_pss_sha256(0x0809),
    rsa_pss_pss_sha384(0x080a),
    rsa_pss_pss_sha512(0x080b),

    // Legacy algorithms
    rsa_pkcs1_sha1(0x0201),
    ecdsa_sha1(0x0203),

    // Reserved Code Points
    private_use(0xFE00..0xFFFF),
    (0xFFFF)
} SignatureScheme;

struct {
    SignatureScheme supported_signature_algorithms<2..2^16-2>;
} SignatureSchemeList;
```

An application that wants to use the signature_algorithms_cert extension may create it for the list of algorithms it wants to use for certificate signatures. If you, for instance, only want to use the SHA512withRSA, SHA512withECDSA algorithms for certificate signatures you may create a SignatureAlgorithmsCert extension with these two SignatureScheme elements:
```java
SignatureScheme[] signatureSchemes = {
    SignatureScheme.rsa_pkcs1_sha256,
    SignatureScheme.ecdsa_secp256r1_sha256
};
SignatureAlgorithmsCert signatureAlgorithmsCert =
    new SignatureAlgorithmsCert(new SignatureSchemeList(signatureSchemes));
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(signatureAlgorithmsCert);
...
// set extensions for the SSLContext configuration:
SSLContext context = ...;
// SignatureAlgorithmsCert only meaningful since TLS 1.2
context.setAllowedProtocolVersions(SSLContext.VERSION_TLS12, SSLContext.VERSION_TLS13);
...
context.setExtensions(extensions);
...
```
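To see what such a list looks like on the wire, the following added example (not part of the iSaSiLk API or its documentation) decodes the body of a SignatureSchemeList as defined in the structure above, enforces the `<2..2^16-2>` length rule and flags the two schemes the enum lists as legacy. It uses only JDK classes; the class name `SigAlgsCertAudit` and the sample bytes are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SigAlgsCertAudit {
    // Code points taken from the SignatureScheme enum on this page (RFC 8446).
    static final Map<Integer, String> NAMES = new HashMap<>();
    static {
        String[] n = {"rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
            "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512",
            "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
            "ed25519", "ed448", "rsa_pss_pss_sha256", "rsa_pss_pss_sha384",
            "rsa_pss_pss_sha512", "rsa_pkcs1_sha1", "ecdsa_sha1"};
        int[] c = {0x0401, 0x0501, 0x0601, 0x0403, 0x0503, 0x0603, 0x0804, 0x0805,
            0x0806, 0x0807, 0x0808, 0x0809, 0x080a, 0x080b, 0x0201, 0x0203};
        for (int i = 0; i < c.length; i++) NAMES.put(c[i], n[i]);
    }

    /** Decodes a SignatureSchemeList and labels every entry. */
    static List<String> decode(byte[] extensionData) {
        ByteBuffer buf = ByteBuffer.wrap(extensionData); // big-endian by default
        if (buf.remaining() < 2) throw new IllegalArgumentException("no length field");
        int len = buf.getShort() & 0xFFFF;
        // <2..2^16-2>: at least one 2-byte scheme, even length, no trailing bytes
        if (len < 2 || len % 2 != 0 || len != buf.remaining())
            throw new IllegalArgumentException("bad SignatureSchemeList length " + len);
        List<String> out = new ArrayList<>();
        while (buf.hasRemaining()) {
            int cp = buf.getShort() & 0xFFFF;
            String name = NAMES.getOrDefault(cp, cp >= 0xFE00 ? "private_use" : "unknown");
            boolean legacy = cp == 0x0201 || cp == 0x0203; // SHA-1 "legacy" schemes
            out.add(String.format("0x%04x %s%s", cp, name, legacy ? " [legacy SHA-1]" : ""));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: length 6, then rsa_pkcs1_sha512,
        // ecdsa_secp521r1_sha512 and rsa_pkcs1_sha1.
        byte[] sample = {0x00, 0x06, 0x06, 0x01, 0x06, 0x03, 0x02, 0x01};
        decode(sample).forEach(System.out::println);
    }
}
```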
When setting the SignatureAlgorithmsCert extension to critical, iSaSiLk checks if the certificates sent from the peer are actually signed with any of the suggested algorithm(s) (except for (self-signed) trust anchors that are out of scope of certificate validation).

See Also: Extension, SignatureScheme, SignatureSchemeList, SignatureAndHashAlgorithm, SignatureAndHashAlgorithmList, SignatureAlgorithms
Field Summary | |
---|---|
static ExtensionType | TYPE: The type (50) of the signature_algorithms extension. |
Constructor Summary | |
---|---|
SignatureAlgorithmsCert() | Default constructor. |
SignatureAlgorithmsCert(SignatureAndHashAlgorithmList supportedAlgorithms) | Creates a SignatureAlgorithmsCert extension from the given list of supported signature algorithms. |
SignatureAlgorithmsCert(SignatureSchemeList supportedSignatureSchems) | Creates a SignatureAlgorithmsCert extension from the given list of supported signature schemes. |
Method Summary | |
---|---|
java.lang.Object | clone(): Returns a clone of this SignatureAlgorithmsCert extension. |
boolean | equals(java.lang.Object obj): Checks if this SignatureAlgorithmsCert extension is equal to the given object. |
SignatureAndHashAlgorithmList | getSupportedAlgorithms(): Gets the supported signature algorithms included in this signature algorithms extension. |
SignatureSchemeList | getSupportedSignatureSchemes(): Gets the supported signature schemes included in this signature algorithms extension. |
Methods inherited from class iaik.security.ssl.SignatureAlgorithms |
---|
clone, hashCode, setIgnorePeerPreferenceOrder, toString |
Methods inherited from class iaik.security.ssl.Extension |
---|
getAllowedProtocolVersions, getExtensionType, getName, getType, setCritical |
Methods inherited from class java.lang.Object |
---|
finalize, getClass, notify, notifyAll, wait, wait, wait |
Field Detail |
---|
public static final ExtensionType TYPE
Constructor Detail |
---|
public SignatureAlgorithmsCert()
public SignatureAlgorithmsCert(SignatureAndHashAlgorithmList supportedAlgorithms)
```java
SignatureAndHashAlgorithm[] algorithms = {
    SignatureAndHashAlgorithm.SHA256withRSA,
    SignatureAndHashAlgorithm.SHA256withECDSA
};
SignatureAlgorithmsCert signatureAlgorithmsCert =
    new SignatureAlgorithmsCert(new SignatureAndHashAlgorithmList(algorithms));
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(signatureAlgorithmsCert);
...
// set extensions for the SSLContext configuration:
SSLContext context = ...;
// SignatureAlgorithms only meaningful since TLS 1.2
context.setAllowedProtocolVersions(SSLContext.VERSION_TLS12, SSLContext.VERSION_TLS13);
...
context.setExtensions(extensions);
...
```

Parameters:
supportedAlgorithms - the supported signature algorithms to be used

Throws:
java.lang.IllegalArgumentException - if the given algorithm list is null or empty

(TLS 1.3 interoperability; TLS 1.3 uses the term "SignatureSchemeList")

public SignatureAlgorithmsCert(SignatureSchemeList supportedSignatureSchems)
```java
SignatureScheme[] signatureSchemes = {
    SignatureScheme.rsa_pkcs1_sha256,
    SignatureScheme.ecdsa_secp256r1_sha256
};
SignatureAlgorithmsCert signatureAlgorithmsCert =
    new SignatureAlgorithmsCert(new SignatureSchemeList(signatureSchemes));
// add to ExtensionList
ExtensionList extensions = new ExtensionList();
...
extensions.addExtension(signatureAlgorithmsCert);
...
// set extensions for the SSLContext configuration:
SSLContext context = ...;
// SignatureAlgorithms only meaningful since TLS 1.2
context.setAllowedProtocolVersions(SSLContext.VERSION_TLS12, SSLContext.VERSION_TLS13);
...
context.setExtensions(extensions);
...
```

Parameters:
supportedSignatureSchems - the supported signature algorithms to be used

Throws:
java.lang.IllegalArgumentException - if the given algorithm list is null or empty

(TLS 1.2 interoperability; TLS 1.2 uses the term "SignatureAndHashAlgorithmList")

Method Detail |
---|
public boolean equals(java.lang.Object obj)
Two SignatureAlgorithmsCert extensions are treated as equal if they contain the same
signature algorithm / scheme objects (same number and same order). The critical
value is not checked by this method.
Overrides:
equals in class SignatureAlgorithms

Returns:
true if this SignatureAlgorithmsCert extension is equal to the given object, false if it is not equal to it

public SignatureAndHashAlgorithmList getSupportedAlgorithms()

Overrides:
getSupportedAlgorithms in class SignatureAlgorithms

(TLS 1.3 interoperability; TLS 1.3 uses the term "SignatureScheme")

public SignatureSchemeList getSupportedSignatureSchemes()

Overrides:
getSupportedSignatureSchemes in class SignatureAlgorithms

(TLS 1.2 interoperability; TLS 1.2 uses the term "SignatureAndHashAlgorithm")

public java.lang.Object clone()

Overrides:
clone in class SignatureAlgorithms
This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).