org.eclipse.californium.scandium.dtls

Class CertificateRequest

java.lang.Object

org.eclipse.californium.scandium.dtls.AbstractMessage

org.eclipse.californium.scandium.dtls.HandshakeMessage

org.eclipse.californium.scandium.dtls.CertificateRequest

All Implemented Interfaces:

DTLSMessage

public final class CertificateRequest
extends HandshakeMessage

A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite.

This message, if sent, will immediately follow the ServerKeyExchange message (if it is sent; otherwise, this message follows the server's CertificateMessage message).

See Also:

RFC 5246, 7.4.4. Certificate Request

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertificateRequest.ClientCertificateType Certificate types that the client may offer.

Field Summary

Fields inherited from class org.eclipse.californium.scandium.dtls.HandshakeMessage

FRAGMENT_LENGTH_BITS, FRAGMENT_OFFSET_BITS, MESSAGE_HEADER_LENGTH_BYTES, MESSAGE_LENGTH_BITS, MESSAGE_SEQ_BITS, MESSAGE_TYPE_BITS

Constructor Summary

Constructors

Constructor and Description
CertificateRequest(InetSocketAddress peerAddress) Initializes an empty certificate request.
CertificateRequest(List<CertificateRequest.ClientCertificateType> certificateTypes, List<SignatureAndHashAlgorithm> supportedSignatureAlgorithms, List<X500Principal> certificateAuthorities, InetSocketAddress peerAddress)

Method Summary

Methods

Modifier and Type	Method and Description
boolean	addCerticiateAuthorities(List<X500Principal> authorities) Takes a list of trusted certificates, extracts the subject principal and adds the DER-encoded distinguished name to the certificate authorities.
boolean	addCertificateAuthority(X500Principal authority) Adds a distinguished name to the list of acceptable certificate authorities.
void	addCertificateType(CertificateRequest.ClientCertificateType certificateType) Adds a certificate type to the list of supported certificate types.
void	addSignatureAlgorithm(SignatureAndHashAlgorithm signatureAndHashAlgorithm) Appends a signature and hash algorithm to the end of the list of supported algorithms.
void	addSignatureAlgorithms(List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms) Appends a list of signature and hash algorithms to the end of the list of supported algorithms.
byte[]	fragmentToByteArray() The serialization of the handshake body (without the handshake header).
static HandshakeMessage	fromReader(org.eclipse.californium.elements.util.DatagramReader reader, InetSocketAddress peerAddress) Parses a certificate request message from its binary encoding.
List<X500Principal>	getCertificateAuthorities() Gets the distinguished names of certificate authorities trusted by the server.
List<CertificateRequest.ClientCertificateType>	getCertificateTypes() Gets the certificate types that the client may offer.
int	getMessageLength() Must be implemented by each subclass.
HandshakeType	getMessageType() Returns the type of the handshake message.
SignatureAndHashAlgorithm	getSignatureAndHashAlgorithm(List<X509Certificate> chain) Gets a signature algorithm that is compatible with a given certificate chain.
SignatureAndHashAlgorithm	getSignatureAndHashAlgorithm(PublicKey key) Gets the signature algorithm that is compatible with a given public key.
List<SignatureAndHashAlgorithm>	getSupportedSignatureAlgorithms() Gets the signature algorithms that the server is able to verify.
void	selectSignatureAlgorithms(List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms) Select received supported signature and hash algorithms by the supported signature and hash algorithms of this peer.
String	toString()

Methods inherited from class org.eclipse.californium.scandium.dtls.HandshakeMessage

fragmentChanged, fromByteArray, fromGenericHandshakeMessage, getContentType, getFragmentLength, getFragmentOffset, getMessageSeq, getNextHandshakeMessage, getRawMessage, setMessageSeq, setNextHandshakeMessage, size, toByteArray, writeTo

Methods inherited from class org.eclipse.californium.scandium.dtls.AbstractMessage

getPeer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

CertificateRequest

public CertificateRequest(InetSocketAddress peerAddress)

Initializes an empty certificate request.

Parameters:

peerAddress - the IP address and port of the peer this message has been received from or should be sent to

CertificateRequest

public CertificateRequest(List<CertificateRequest.ClientCertificateType> certificateTypes,
                  List<SignatureAndHashAlgorithm> supportedSignatureAlgorithms,
                  List<X500Principal> certificateAuthorities,
                  InetSocketAddress peerAddress)

Parameters:

certificateTypes - the list of allowed client certificate types.

supportedSignatureAlgorithms - the list of supported signature and hash algorithms.

certificateAuthorities - the list of allowed certificate authorities.

peerAddress - the IP address and port of the peer this message has been received from or should be sent to

Method Detail

getMessageType

public HandshakeType getMessageType()

Description copied from class: HandshakeMessage

Returns the type of the handshake message. See HandshakeType.

Specified by:

getMessageType in class HandshakeMessage

Returns:

the HandshakeType.

getMessageLength

public int getMessageLength()

Description copied from class: HandshakeMessage

Must be implemented by each subclass. The length is given in bytes and only includes the length of the subclass' specific fields (not the handshake message header).

Specified by:

getMessageLength in class HandshakeMessage

Returns:

the length of the message in bytes.

toString

public String toString()

Overrides:

toString in class HandshakeMessage

fragmentToByteArray

public byte[] fragmentToByteArray()

Description copied from class: HandshakeMessage

The serialization of the handshake body (without the handshake header). Must be implemented by each subclass. Except the ClientHello, the fragments are considered to be not modified. If a modification is required, call HandshakeMessage.fragmentChanged().

Specified by:

fragmentToByteArray in class HandshakeMessage

Returns:

the raw byte representation of the handshake body.

fromReader

public static HandshakeMessage fromReader(org.eclipse.californium.elements.util.DatagramReader reader,
                          InetSocketAddress peerAddress)

Parses a certificate request message from its binary encoding.

Parameters:

reader - reader for the binary encoding of the message.

peerAddress - The origin address of the message.

Returns:

The parsed instance.

addCertificateType

public void addCertificateType(CertificateRequest.ClientCertificateType certificateType)

Adds a certificate type to the list of supported certificate types.

Parameters:

certificateType - The type to add.

addSignatureAlgorithm

public void addSignatureAlgorithm(SignatureAndHashAlgorithm signatureAndHashAlgorithm)

Appends a signature and hash algorithm to the end of the list of supported algorithms.

The algorithm's position in list indicates least preference to the recipient (the DTLS client) of the message.

Parameters:

signatureAndHashAlgorithm - The algorithm to add.

addSignatureAlgorithms

public void addSignatureAlgorithms(List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms)

Appends a list of signature and hash algorithms to the end of the list of supported algorithms.

The algorithm's position in list indicates least preference to the recipient (the DTLS client) of the message.

Parameters:

signatureAndHashAlgorithms - The algorithms to add.

Since:

2.3

selectSignatureAlgorithms

public void selectSignatureAlgorithms(List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms)

Select received supported signature and hash algorithms by the supported signature and hash algorithms of this peer. Ensure, that the other peer doesn't sent unsupported signature and hash algorithms by this peer.

Parameters:

supportedSignatureAndHashAlgorithms - supported signature and hash algorithms of this peer

addCertificateAuthority

public boolean addCertificateAuthority(X500Principal authority)

Adds a distinguished name to the list of acceptable certificate authorities.

Parameters:

authority - The authority to add.

Returns:

false if the authority could not be added because it would exceed the maximum encoded length allowed for the certificate request message's certificate authorities vector (2^16 - 1 bytes).

Throws:

NullPointerException - if the authority is null.

addCerticiateAuthorities

public boolean addCerticiateAuthorities(List<X500Principal> authorities)

Takes a list of trusted certificates, extracts the subject principal and adds the DER-encoded distinguished name to the certificate authorities.

Parameters:

authorities - authorities of the trusted certificates to add.

Returns:

false if not all certificates could not be added because it would exceed the maximum encoded length allowed for the certificate request message's certificate authorities vector (2^16 - 1 bytes).

getCertificateTypes

public List<CertificateRequest.ClientCertificateType> getCertificateTypes()

Gets the certificate types that the client may offer.

Returns:

The certificate types (never null.

getSignatureAndHashAlgorithm

public SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(PublicKey key)

Gets the signature algorithm that is compatible with a given public key.

Parameters:

key - The public key.

Returns:

A signature algorithm that can be used with the given key or null if the given key is not compatible with any of the supported certificate types or any of the supported signature algorithms.

getSignatureAndHashAlgorithm

public SignatureAndHashAlgorithm getSignatureAndHashAlgorithm(List<X509Certificate> chain)

Gets a signature algorithm that is compatible with a given certificate chain.

Parameters:

chain - The certificate chain.

Returns:

A signature algorithm that can be used with the key contained in the given chain's end entity certificate or null if any of the chain's certificates is not compatible with any of the supported certificate types or any of the supported signature algorithms.

getSupportedSignatureAlgorithms

public List<SignatureAndHashAlgorithm> getSupportedSignatureAlgorithms()

Gets the signature algorithms that the server is able to verify.

Returns:

The supported algorithms in order of preference (never null).

getCertificateAuthorities

public List<X500Principal> getCertificateAuthorities()

Gets the distinguished names of certificate authorities trusted by the server.

The names are provided in DER-encoded ASN.1 format. The list is between 0 and 2¹⁶-1 bytes long, while one distinguished name can range from 1 to 2¹⁶-1 bytes length. Therefore, the length in the serialization must be handled carefully.

Returns:

The distinguished names (never null).