org.eclipse.californium.scandium.dtls.x509

Interface NewAdvancedCertificateVerifier

All Known Implementing Classes:

AsyncNewAdvancedCertificateVerifier, BridgeCertificateVerifier, StaticNewAdvancedCertificateVerifier

public interface NewAdvancedCertificateVerifier

New advanced certificate verifier. Returns certificate verification result. If required, the certificate verification result maybe returned asynchronously using a HandshakeResultHandler.

Synchronous example:

 @Override
 public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerNames serverName,
                Boolean clientUsage, boolean truncateCertificatePath, CertificateMessage message, DTLSSession session) {
        CertPath verifiedCertificate = ... verify certificate ...;
        return new CertificateVerificationResult(cid, verifiedCertificate, null);
 }
 

Asynchronous example returning the master secret:

 @Override
 public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerNames serverName,
                Boolean clientUsage, boolean truncateCertificatePath, CertificateMessage message, DTLSSession session) {
        
                start ... verify certificate ... 
                        // calls processResult with verified certificate path asynchronous;
                return null; // returns null for asynchronous processing
 }
 
 @Override
 public void setResultHandler(HandshakeResultHandler resultHandler) {
                this.resultHandler = resultHandler;
 }
 
        private void verifyCertificateAsynchronous(ConnectionId cid, ServerNames serverName, Boolean clientUsage,
                        boolean truncateCertificatePath, CertificateMessage message, DTLSSession session) {
                // executed by different thread!
                CertificateVerificationResult result = ... verify certificate ...
                resultHandler.apply(result);
 }
 

Since:

2.5

Method Summary

Methods

Modifier and Type	Method and Description
List<X500Principal>	getAcceptedIssuers() Return an list of certificate authorities which are trusted for authenticating peers.
List<CertificateType>	getSupportedCertificateType() Get the list of supported certificate types in order of preference.
void	setResultHandler(HandshakeResultHandler resultHandler) Set the handler for asynchronous handshake results.
CertificateVerificationResult	verifyCertificate(ConnectionId cid, ServerNames serverName, Boolean clientUsage, boolean truncateCertificatePath, CertificateMessage message, DTLSSession session) Validates the X.509 certificate chain provided by the the peer as part of the certificate message.

Method Detail

getSupportedCertificateType

List<CertificateType> getSupportedCertificateType()

Get the list of supported certificate types in order of preference.

Returns:

the list of supported certificate types.

verifyCertificate

CertificateVerificationResult verifyCertificate(ConnectionId cid,
                                              ServerNames serverName,
                                              Boolean clientUsage,
                                              boolean truncateCertificatePath,
                                              CertificateMessage message,
                                              DTLSSession session)

Validates the X.509 certificate chain provided by the the peer as part of the certificate message.

Parameters:

cid - connection ID

serverName - indicated server names.

clientUsage - indicator to check certificate usage. null don't check key usage, true, check key usage for client, false for server.

truncateCertificatePath - true truncate certificate path at a trusted certificate before validation.

message - certificate message to be validated

session - dtls session to be used for validation

Returns:

certificate verification result, or null, if result is provided asynchronous.

getAcceptedIssuers

List<X500Principal> getAcceptedIssuers()

Return an list of certificate authorities which are trusted for authenticating peers.

Returns:

a non-null (possibly empty) list of accepted CA issuers.

setResultHandler

void setResultHandler(HandshakeResultHandler resultHandler)

Set the handler for asynchronous handshake results. Called during initialization of the DTLSConnector. Synchronous implementations may just ignore this using an empty implementation.

Parameters:

resultHandler - handler for asynchronous master secret results. This handler MUST NOT be called from the thread calling verifyCertificate(ConnectionId, ServerNames, Boolean, boolean, CertificateMessage, DTLSSession), instead just return the result there.