java.lang.Object
  org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback

All Implemented Interfaces:
  TlsTmSecurityCallback<java.security.cert.X509Certificate>

public class DefaultTlsTmSecurityCallback extends java.lang.Object implements TlsTmSecurityCallback<java.security.cert.X509Certificate>
The DefaultTlsTmSecurityCallback resolves the tmSecurityName for incoming requests through a mapping table based on the peer certificates, resolves the local certificate alias through a mapping table based on the target address, and accepts peer certificates based on a list of trusted peer and issuer certificates.

Since:
  3.3.2
Version:
  3.3.0
Author:
  Frank Fock
Constructor Summary

- DefaultTlsTmSecurityCallback()

Method Summary

All methods are concrete instance methods.

- void addAcceptedIssuerDN(java.lang.String issuerDN)
- void addAcceptedSubjectDN(java.lang.String subjectDN)
- void addLocalCertMapping(Address address, java.lang.String certAlias)
  Map a target address to a local certificate alias.
- void addSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName)
  Adds a mapping to derive a security name from a certificate.
- java.lang.String getLocalCertificateAlias(Address targetAddress)
  Gets the local certificate alias to be used for the supplied target address.
- OctetString getSecurityName(java.security.cert.X509Certificate[] peerCertificateChain)
  Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.
- boolean isAcceptedIssuer(java.security.cert.X509Certificate issuerCertificate)
  Check if the supplied issuer certificate is accepted as server.
- boolean isClientCertificateAccepted(java.security.cert.X509Certificate peerEndCertificate)
  Check if the supplied peer end certificate is accepted as client.
- boolean isServerCertificateAccepted(java.security.cert.X509Certificate[] peerCertificateChain)
  Check if the supplied peer certificate chain is accepted as server.
- boolean removeAcceptedIssuerDN(java.lang.String issuerDN)
- boolean removeAcceptedSubjectDN(java.lang.String subjectDN)
- java.lang.String removeLocalCertMapping(Address address)
  Remove the local certificate mapping for the given target address.
- OctetString removeSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data)
Method Detail

getSecurityName

public OctetString getSecurityName(java.security.cert.X509Certificate[] peerCertificateChain)

Description copied from interface: TlsTmSecurityCallback
Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.

Specified by:
  getSecurityName in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
Parameters:
  peerCertificateChain - an array of Certificates with the peer's own certificate first, followed by the certificates of any issuing CAs.
Returns:
  the tmSecurityName as defined by RFC 5953.
isClientCertificateAccepted

public boolean isClientCertificateAccepted(java.security.cert.X509Certificate peerEndCertificate) throws java.security.cert.CertificateException

Description copied from interface: TlsTmSecurityCallback
Check if the supplied peer end certificate is accepted as client.

Specified by:
  isClientCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
Parameters:
  peerEndCertificate - a client Certificate instance to check acceptance for.
Returns:
  true if the certificate is accepted, false otherwise, i.e. if verification could not be performed, e.g. because the callback was not configured sufficiently.
Throws:
  java.security.cert.CertificateException - if the certificate is rejected.
isServerCertificateAccepted

public boolean isServerCertificateAccepted(java.security.cert.X509Certificate[] peerCertificateChain) throws java.security.cert.CertificateException

Description copied from interface: TlsTmSecurityCallback
Check if the supplied peer certificate chain is accepted as server.

Specified by:
  isServerCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
Parameters:
  peerCertificateChain - a server Certificate chain to check acceptance for.
Returns:
  true if the certificate is accepted, false otherwise, i.e. if verification could not be performed, e.g. because the callback was not configured sufficiently.
Throws:
  java.security.cert.CertificateException - if the certificate is rejected.
isAcceptedIssuer

public boolean isAcceptedIssuer(java.security.cert.X509Certificate issuerCertificate) throws java.security.cert.CertificateException

Description copied from interface: TlsTmSecurityCallback
Check if the supplied issuer certificate is accepted as server.

Specified by:
  isAcceptedIssuer in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
Parameters:
  issuerCertificate - an issuer Certificate instance to check acceptance for.
Returns:
  true if the certificate is accepted, false otherwise, i.e. if verification could not be performed, e.g. because the callback was not configured sufficiently.
Throws:
  java.security.cert.CertificateException - if the certificate is rejected.
getLocalCertificateAlias

public java.lang.String getLocalCertificateAlias(Address targetAddress)

Description copied from interface: TlsTmSecurityCallback
Gets the local certificate alias to be used for the supplied target address.

Specified by:
  getLocalCertificateAlias in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
Parameters:
  targetAddress - a target address, or null if the default local certificate alias needs to be retrieved.
Returns:
  the requested local certificate alias, if known. Otherwise null is returned, which could cause a protocol violation if the local key store contains more than one certificate.
addSecurityNameMapping

public void addSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName)

Adds a mapping to derive a security name from a certificate. A mapping corresponds to a row in the snmpTlstmCertToTSNTable of RFC 5953.

Parameters:
  fingerprint - an (optional) cryptographic hash of an X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by the type parameter.
  type - specifies the mapping type of the security name derivation from a certificate.
  data - auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.
  securityName - specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificate's metadata (like subjectAltName).
removeSecurityNameMapping

public OctetString removeSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data)

addAcceptedIssuerDN

public void addAcceptedIssuerDN(java.lang.String issuerDN)

removeAcceptedIssuerDN

public boolean removeAcceptedIssuerDN(java.lang.String issuerDN)

addAcceptedSubjectDN

public void addAcceptedSubjectDN(java.lang.String subjectDN)

removeAcceptedSubjectDN

public boolean removeAcceptedSubjectDN(java.lang.String subjectDN)
addLocalCertMapping

public void addLocalCertMapping(Address address, java.lang.String certAlias)

Map a target address to a local certificate alias. The security mapping will use the certificate certAlias for the target address address when applied to a client mode TLSTM.

Parameters:
  address - a TlsAddress instance, or null if the local certificate should be mapped to any target address.
  certAlias - the certificate alias in the local key store to be used to authenticate at TLS server instances.
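As an added example (not part of the SNMP4J documentation or code base), the following builds a DefaultTlsTmSecurityCallback with two snmpTlstmCertToTSNTable-style rows plus the local certificate mapping described above, and shows the server-side order of operations for an incoming client chain: acceptance first, then tmSecurityName resolution. It assumes that SecurityNameMapping.CertMappingType provides the constants Specified and SANDNSName, that fingerprints follow the RFC 5953 SnmpTLSFingerprint convention (hash algorithm identifier octet followed by the digest), and that TlsAddress accepts a "host/port" string; the certificates, address, alias names and "nms-admin" are placeholders.

```java
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.snmp4j.smi.OctetString;
import org.snmp4j.smi.TlsAddress;
import org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback;
import org.snmp4j.transport.tls.SecurityNameMapping.CertMappingType;

public class TlstmSecurityCallbackExample {

    /** SnmpTLSFingerprint encoding (assumed): one octet naming the hash from the TLS
     *  HashAlgorithm registry (4 = sha256), followed by the digest of the DER certificate. */
    static OctetString sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        byte[] fp = new byte[digest.length + 1];
        fp[0] = 4;
        System.arraycopy(digest, 0, fp, 1, digest.length);
        return new OctetString(fp);
    }

    /** Builds the mapping tables. managerCert and issuerCa are placeholders for real certificates. */
    static DefaultTlsTmSecurityCallback configure(X509Certificate managerCert, X509Certificate issuerCa)
            throws Exception {
        DefaultTlsTmSecurityCallback cb = new DefaultTlsTmSecurityCallback();
        // Row 1: this exact end certificate maps to a fixed securityName (type Specified, no aux data).
        cb.addSecurityNameMapping(sha256Fingerprint(managerCert), CertMappingType.Specified,
                null, new OctetString("nms-admin"));
        // Row 2: any certificate chaining to issuerCa takes its securityName from its SAN dNSName,
        // so securityName is left null and the name comes from certificate metadata.
        cb.addSecurityNameMapping(sha256Fingerprint(issuerCa), CertMappingType.SANDNSName, null, null);
        // Acceptance lists: trusted issuer for row 2, trusted subject for row 1.
        cb.addAcceptedIssuerDN(issuerCa.getSubjectX500Principal().getName());
        cb.addAcceptedSubjectDN(managerCert.getSubjectX500Principal().getName());
        // Client-mode TLSTM: present "manager-cert" to this agent, "default-client" to all others.
        cb.addLocalCertMapping(new TlsAddress("192.0.2.10/10161"), "manager-cert");
        cb.addLocalCertMapping(null, "default-client");
        return cb;
    }

    /** Server-side handling of an incoming TLS client: accept the end certificate first, then
     *  derive the tmSecurityName. A null result means no row matched and the request must be
     *  dropped rather than processed without a tmSecurityName. */
    static OctetString authenticateClient(DefaultTlsTmSecurityCallback cb, X509Certificate[] peerChain)
            throws CertificateException {
        if (peerChain == null || peerChain.length == 0 || !cb.isClientCertificateAccepted(peerChain[0])) {
            return null;   // not accepted, or not verifiable because the callback is under-configured
        }
        return cb.getSecurityName(peerChain);  // rejected certificates already threw CertificateException
    }
}
```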
removeLocalCertMapping

public java.lang.String removeLocalCertMapping(Address address)

Remove the local certificate mapping for the given target address.

Parameters:
  address - a TlsAddress instance, or null if the default local certificate mapping should be removed.
Returns:
  the removed mapping, or null if there is no such mapping.