Class hierarchy:

    java.lang.Object
      iaik.security.ssl.ChainVerifier
        iaik.security.ssl.OCSPCertStatusChainVerifier
          iaik.security.ssl.TLS13OCSPCertStatusChainVerifier

public class TLS13OCSPCertStatusChainVerifier extends OCSPCertStatusChainVerifier
This class represents a ChainVerifier that may be used for checking OCSP certificate status information about the peer certificate.

When a TLS version prior to TLS 1.3 is used (TLS 1.2 or earlier), certificate status information can only be provided by the server, which sends a certificate_status handshake message in response to a status_request extension sent by the client.

When TLS 1.3 or later is used, certificate status information may be provided by both client and server. If the client wants certificate status information from the server, the client sends a status_request extension in the ClientHello message. The server can then provide certificate status information by including a status_request extension in the certificate entries of the server Certificate message. If the server requests client authentication and wants the client to provide status information along with its certificates, the server sends a status_request extension with its CertificateRequest message. The client can then provide certificate status information by including a status_request extension in the certificate entries of the client Certificate message.

When a TLS version prior to TLS 1.3 is used, this ChainVerifier can be used to check OCSP status information for the server certificate by calling the method verifyChain(X509Certificate[] certs, SSLTransport transport, int statusType, byte[] statusRequest, byte[] statusResponse) inherited from OCSPCertStatusChainVerifier.

When TLS 1.3 or later is used, this ChainVerifier can be used to check OCSP status information for both client and server certificates by calling the method verifyChain(CertificateEntry[] certEntries, SSLTransport transport, int statusType, byte[] statusRequest).
This class works in the same way as the parent ChainVerifier class, except that it additionally checks OCSP status information sent by the peer. Since OCSP cannot be handled in a crypto-provider independent way, using this class requires that you have IAIK-JCE (iaik_jce(_full).jar) in your classpath. Note that by default the standard ChainVerifier is used for certificate chain verification. To enable this TLS13OCSPCertStatusChainVerifier, set it for your SSLContext (e.g. your SSLClientContext):

    SSLContext context = ...;
    ...
    TLS13OCSPCertStatusChainVerifier ocspCertStatusChainVerifier = new TLS13OCSPCertStatusChainVerifier();
    context.setChainVerifier(ocspCertStatusChainVerifier);

If the peer has sent OCSP status information, this class -- after having verified the peer certificate chain -- checks the provided status information and rejects the peer certificate(s) if any of the following conditions occur:
- the OCSP response signer is not trusted: if the response signer is different from the peer certificate issuer, the signer certificate must be a delegated responder certificate (see verifyDelegatedResponderCert) containing the ocsp ExtendedKeyUsage extension; if trusted responders have been set (see setTrustedResponders), the response signer must be registered as trusted responder
- the OCSP response does not contain a SingleResponse for the peer certificate, or the SingleResponse reports a certificate status other than good

If the status_request extension sent to the peer has been marked as being critical, iSaSiLk will reject the peer certificate chain if no status information is provided for the client/server certificate (the certificate at index 0 of the peer certificate chain). Note that this check is already done before calling the verifyChain method, because the ChainVerifier does not have access to the critical flag of the status_request extension.
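The following is an added example (it is not code from the iSaSiLk Javadoc or from the iSaSiLk library itself) showing how a TLS 1.3 client would combine the two mechanisms described above: a critical status_request extension, so that iSaSiLk itself rejects a server that staples no status for its end-entity certificate, and a subclass of TLS13OCSPCertStatusChainVerifier that records whether status information was requested at all, using only the documented meaning of the statusType and statusRequest parameters (-1 and null when no status_request extension has been sent). The class and method names SSLClientContext, ExtensionList, ExtensionList.addExtension, Extension.setCritical, SSLContext.setExtensions, ChainVerifier.addTrustedCertificate, the X509Certificate[] argument type of setTrustedResponders, SSLSocket and the file paths are assumptions not shown on this page; only setChainVerifier, the constructor and the verifyChain signature are taken from it.

```java
// Added example, not part of the iSaSiLk Javadoc. Requires iSaSiLk and
// IAIK-JCE (iaik_jce(_full).jar) on the classpath.
import iaik.security.ssl.CertificateStatusRequest;
import iaik.security.ssl.ExtensionList;                 // assumed API
import iaik.security.ssl.SSLCertificateRuntimeException;
import iaik.security.ssl.SSLClientContext;              // assumed API
import iaik.security.ssl.SSLSocket;                     // assumed API
import iaik.security.ssl.SSLTransport;
import iaik.security.ssl.TLS13Certificate.CertificateEntry;
import iaik.security.ssl.TLS13OCSPCertStatusChainVerifier;
import iaik.x509.X509Certificate;
import java.io.FileInputStream;
import java.io.InputStream;

public class OcspCheckedClient {

    // Delegates all verification to the page's verifier; only makes the
    // "no status_request was sent, so nothing OCSP-related is checked" case
    // visible to the application.
    static final class AuditingOcspVerifier extends TLS13OCSPCertStatusChainVerifier {
        private volatile boolean statusRequested;

        boolean wasStatusRequested() {
            return statusRequested;
        }

        @Override
        public boolean verifyChain(CertificateEntry[] certEntries, SSLTransport transport,
                                   int statusType, byte[] statusRequest)
                throws SSLCertificateRuntimeException {
            // Documented contract: statusType == -1 and statusRequest == null
            // mean no status_request extension was sent to the peer. In that
            // case super.verifyChain only does plain chain verification.
            statusRequested = (statusType != -1 && statusRequest != null);
            return super.verifyChain(certEntries, transport, statusType, statusRequest);
        }
    }

    // Assumed: IAIK-JCE X509Certificate can be parsed from a DER/PEM stream.
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return new X509Certificate(in);
        }
    }

    static SSLClientContext buildContext(X509Certificate trustedCa,
                                         X509Certificate trustedResponder,
                                         AuditingOcspVerifier verifier) throws Exception {
        SSLClientContext context = new SSLClientContext();   // assumed API

        // Send status_request and mark it critical (assumed API): iSaSiLk then
        // rejects the peer chain itself, before verifyChain is reached, if the
        // server provides no status for the certificate at index 0.
        ExtensionList extensions = new ExtensionList();
        CertificateStatusRequest statusRequest = new CertificateStatusRequest();
        statusRequest.setCritical(true);
        extensions.addExtension(statusRequest);
        context.setExtensions(extensions);

        // Trust anchor for chain building (assumed: inherited from ChainVerifier)
        verifier.addTrustedCertificate(trustedCa);
        // Explicit trusted OCSP responder (argument type assumed); once set, a
        // response signed by anyone not registered here is rejected.
        verifier.setTrustedResponders(new X509Certificate[] { trustedResponder });

        context.setChainVerifier(verifier);   // documented on this page
        return context;
    }

    public static void main(String[] args) throws Exception {
        // Paths are placeholders for this example.
        X509Certificate ca = loadCert("trusted-ca.crt");
        X509Certificate responder = loadCert("ocsp-responder.crt");
        AuditingOcspVerifier verifier = new AuditingOcspVerifier();
        SSLClientContext context = buildContext(ca, responder, verifier);

        // Assumed constructor; the handshake fails if the stapled OCSP
        // response is missing (critical extension), untrusted or not good.
        try (SSLSocket socket = new SSLSocket("example.org", 443, context)) {
            socket.startHandshake();
            System.out.println("handshake ok, OCSP status requested: "
                               + verifier.wasStatusRequested());
        }
    }
}
```

The subclass deliberately does not loosen any decision made by super.verifyChain; it only exposes whether the OCSP branch could have run, which is the information an operator needs to notice a configuration where the status_request extension was never added and the verifier silently degraded to plain chain validation.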
See Also:
ChainVerifier, OCSPCertStatusChainVerifier, CertificateStatusRequest
Field Summary

Fields inherited from class iaik.security.ssl.ChainVerifier:
CACHE_SIZE, cachedCerts, cacheSize, checkServerName, nullTrusted, trustedCerts
Constructor Summary

TLS13OCSPCertStatusChainVerifier()
Creates a new TLS13OCSPCertStatusChainVerifier.
Method Summary

boolean verifyChain(TLS13Certificate.CertificateEntry[] certEntries, SSLTransport transport, int statusType, byte[] statusRequest)
Verifies a TLS 1.3 certificate chain.

Methods inherited from class iaik.security.ssl.OCSPCertStatusChainVerifier:
setAccuracy, setTrustedResponders, verifyChain, verifyDelegatedResponderCert

Methods inherited from class java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public TLS13OCSPCertStatusChainVerifier()
Creates a new TLS13OCSPCertStatusChainVerifier.
Method Detail

public boolean verifyChain(TLS13Certificate.CertificateEntry[] certEntries, SSLTransport transport, int statusType, byte[] statusRequest) throws SSLCertificateRuntimeException

Verifies a TLS 1.3 certificate chain. This method works in the same way as the same-named verifyChain(CertificateEntry[], SSLTransport, int, byte[]) method of the parent ChainVerifier class, but additionally checks OCSP status information, if provided by the peer in response to a certificate status_request.

The statusRequest parameter is only meaningful if a CertificateStatusRequest extension has been sent to the peer. In this case the certificate entries of the peer Certificate message may contain status information.

Overrides:
verifyChain in class ChainVerifier

Parameters:
certEntries - the TLS 1.3 certificate entries sent within the TLS 1.3 peer Certificate message
transport - the SSLTransport, which may be required to query for information (e.g. client mode) and/or to print debug information
statusType - the type of the certificate status request sent to the peer (and of the status response received from the peer), or -1 if no status_request extension has been sent to the peer
statusRequest - the (TLS) encoded status request sent to the peer, or null if no status_request extension has been sent to the peer

Throws:
SSLCertificateRuntimeException - may be used by an application to wrap an exception thrown by some self-designed ChainVerifier implementation
This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).