public class DefaultTlsTmSecurityCallback extends java.lang.Object implements TlsTmSecurityCallback<java.security.cert.X509Certificate>
DefaultTlsTmSecurityCallback resolves the tmSecurityName for incoming requests through a mapping table based on the peer certificates, resolves the local certificate alias through a mapping table based on the target address, and accepts peer certificates based on a list of trusted peer and issuer certificates.

Modifier and Type | Field and Description |
---|---|
private java.util.Set<java.lang.String> |
acceptedIssuerDN |
private java.util.Set<java.lang.String> |
acceptedSubjectDN |
private java.util.Map<Address,java.lang.String> |
localCertMapping |
private LogAdapter |
LOGGER |
private java.util.Map<SecurityNameMapping,OctetString> |
securityNameMapping |
Constructor and Description |
---|
DefaultTlsTmSecurityCallback() |
Modifier and Type | Method and Description |
---|---|
void |
addAcceptedIssuerDN(java.lang.String issuerDN) |
void |
addAcceptedSubjectDN(java.lang.String subjectDN) |
void |
addLocalCertMapping(Address address,
java.lang.String certAlias)
Map a target address to a local certificate alias.
|
void |
addSecurityNameMapping(OctetString fingerprint,
SecurityNameMapping.CertMappingType type,
OctetString data,
OctetString securityName)
Adds a mapping to derive a security name from a certificate.
|
java.lang.String |
getLocalCertificateAlias(Address targetAddress)
Gets the local certificate alias to be used for the supplied
target address.
|
OctetString |
getSecurityName(java.security.cert.X509Certificate[] peerCertificateChain)
Gets the tmSecurityName (see RFC 5953) from the certificate chain
of the communication peer that needs to be authenticated.
|
boolean |
isAcceptedIssuer(java.security.cert.X509Certificate issuerCertificate)
Check if the supplied issuer certificate is accepted as server.
|
boolean |
isClientCertificateAccepted(java.security.cert.X509Certificate peerEndCertificate)
Check if the supplied peer end certificate is accepted as client.
|
boolean |
isServerCertificateAccepted(java.security.cert.X509Certificate[] peerCertificateChain)
Check if the supplied peer certificate chain is accepted as server.
|
private OctetString |
mapCertToTSN(java.security.cert.X509Certificate cert,
SecurityNameMapping.CertMappingType mappingType,
OctetString data) |
boolean |
removeAcceptedIssuerDN(java.lang.String issuerDN) |
boolean |
removeAcceptedSubjectDN(java.lang.String subjectDN) |
java.lang.String |
removeLocalCertMapping(Address address)
Remove the local certificate mapping for the given target address.
|
OctetString |
removeSecurityNameMapping(OctetString fingerprint,
SecurityNameMapping.CertMappingType type,
OctetString data) |
private LogAdapter LOGGER
private java.util.Map<SecurityNameMapping,OctetString> securityNameMapping
private java.util.Map<Address,java.lang.String> localCertMapping
private java.util.Set<java.lang.String> acceptedSubjectDN
private java.util.Set<java.lang.String> acceptedIssuerDN
public OctetString getSecurityName(java.security.cert.X509Certificate[] peerCertificateChain)
TlsTmSecurityCallback
getSecurityName
in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
peerCertificateChain
- an array of Certificates with the peer's own certificate first, followed by any CA certificates.
private OctetString mapCertToTSN(java.security.cert.X509Certificate cert, SecurityNameMapping.CertMappingType mappingType, OctetString data) throws java.security.cert.CertificateParsingException
java.security.cert.CertificateParsingException
public boolean isClientCertificateAccepted(java.security.cert.X509Certificate peerEndCertificate)
TlsTmSecurityCallback
isClientCertificateAccepted
in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
peerEndCertificate
- a client Certificate instance to check acceptance for.
public boolean isServerCertificateAccepted(java.security.cert.X509Certificate[] peerCertificateChain)
TlsTmSecurityCallback
isServerCertificateAccepted
in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
peerCertificateChain
- a server Certificate chain to check acceptance for.
public boolean isAcceptedIssuer(java.security.cert.X509Certificate issuerCertificate)
TlsTmSecurityCallback
isAcceptedIssuer
in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
issuerCertificate
- an issuer Certificate instance to check acceptance for.
public java.lang.String getLocalCertificateAlias(Address targetAddress)
TlsTmSecurityCallback
getLocalCertificateAlias
in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
targetAddress
- a target address, or null if the default local certificate alias needs to be retrieved.
public void addSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName)
fingerprint
- an (optional) cryptographic hash of an X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by the type parameter.
type
- specifies the mapping type of the security name derivation from a certificate.
data
- auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.
securityName
- specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificate's metadata (like subjectAltName).
public OctetString removeSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data)
public void addAcceptedIssuerDN(java.lang.String issuerDN)
public boolean removeAcceptedIssuerDN(java.lang.String issuerDN)
public void addAcceptedSubjectDN(java.lang.String subjectDN)
public boolean removeAcceptedSubjectDN(java.lang.String subjectDN)
public void addLocalCertMapping(Address address, java.lang.String certAlias)
Maps the certificate alias certAlias to the target address address when applied to a client mode TLSTM.
address
- a TlsAddress instance, or null if the local certificate should be mapped to any target address.
certAlias
- the certificate alias in the local key store to be used to authenticate at TLS server instances.
public java.lang.String removeLocalCertMapping(Address address)
address
- a TlsAddress instance, or null if the default local certificate mapping should be removed.
Returns null if there is no such mapping.