java.lang.Object
org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback
- All Implemented Interfaces:
TlsTmSecurityCallback<X509Certificate>
public class DefaultTlsTmSecurityCallback
extends Object
implements TlsTmSecurityCallback<X509Certificate>
The
DefaultTlsTmSecurityCallback
resolves the
tmSecurityName
for incoming requests through
a mapping table based on the peer certificates,
resolves the local certificate alias through a mapping table
based on the target address and accepts peer certificates
based on a list of trusted peer and issuer certificates.- Since:
- 3.3.2
- Version:
- 3.3.0
- Author:
- Frank Fock
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionvoid
addAcceptedIssuerDN
(String issuerDN) void
addAcceptedSubjectDN
(String subjectDN) void
addLocalCertMapping
(Address address, String certAlias) Map a target address to a local certificate alias.void
addSecurityNameMapping
(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName) Adds a mapping to derive a security name from a certificate.getLocalCertificateAlias
(Address targetAddress) Gets the local certificate alias to be used for the supplied target address.getSecurityName
(X509Certificate[] peerCertificateChain) Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.boolean
isAcceptedIssuer
(X509Certificate issuerCertificate) Check if the supplied issuer certificate is accepted as server.boolean
isClientCertificateAccepted
(X509Certificate peerEndCertificate) Check if the supplied peer end certificate is accepted as client.boolean
isServerCertificateAccepted
(X509Certificate[] peerCertificateChain) Check if the supplied peer certificate chain is accepted as server.boolean
removeAcceptedIssuerDN
(String issuerDN) boolean
removeAcceptedSubjectDN
(String subjectDN) removeLocalCertMapping
(Address address) Remove the local certificate mapping for the given target address.removeSecurityNameMapping
(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data)
-
Constructor Details
-
DefaultTlsTmSecurityCallback
public DefaultTlsTmSecurityCallback()
-
-
Method Details
-
getSecurityName
Description copied from interface:TlsTmSecurityCallback
Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.- Specified by:
getSecurityName
in interfaceTlsTmSecurityCallback<X509Certificate>
- Parameters:
peerCertificateChain
- an array ofCertificate
s with the peer's own certificate first followed by any CA authorities.- Returns:
- the tmSecurityName as defined by RFC 5953.
-
isClientCertificateAccepted
public boolean isClientCertificateAccepted(X509Certificate peerEndCertificate) throws CertificateException Description copied from interface:TlsTmSecurityCallback
Check if the supplied peer end certificate is accepted as client.- Specified by:
isClientCertificateAccepted
in interfaceTlsTmSecurityCallback<X509Certificate>
- Parameters:
peerEndCertificate
- a client Certificate instance to check acceptance for.- Returns:
true
if the certificate is accepted,false
otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.- Throws:
CertificateException
- if the certificate is rejected.
-
isServerCertificateAccepted
public boolean isServerCertificateAccepted(X509Certificate[] peerCertificateChain) throws CertificateException Description copied from interface:TlsTmSecurityCallback
Check if the supplied peer certificate chain is accepted as server.- Specified by:
isServerCertificateAccepted
in interfaceTlsTmSecurityCallback<X509Certificate>
- Parameters:
peerCertificateChain
- a server Certificate chain to check acceptance for.- Returns:
true
if the certificate is accepted,false
otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.- Throws:
CertificateException
- if the certificate is rejected.
-
isAcceptedIssuer
Description copied from interface:TlsTmSecurityCallback
Check if the supplied issuer certificate is accepted as server.- Specified by:
isAcceptedIssuer
in interfaceTlsTmSecurityCallback<X509Certificate>
- Parameters:
issuerCertificate
- an issuer Certificate instance to check acceptance for.- Returns:
true
if the certificate is accepted,false
otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.- Throws:
CertificateException
- if the certificate is rejected.
-
getLocalCertificateAlias
Description copied from interface:TlsTmSecurityCallback
Gets the local certificate alias to be used for the supplied target address.- Specified by:
getLocalCertificateAlias
in interfaceTlsTmSecurityCallback<X509Certificate>
- Parameters:
targetAddress
- a target address ornull
if the default local certificate alias needs to be retrieved.- Returns:
- the requested local certificate alias, if known. Otherwise
null
is returned which could cause a protocol violation if the local key store contains more than one certificate.
-
addSecurityNameMapping
public void addSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName) Adds a mapping to derive a security name from a certificate. A mapping corresponds to a row in the snmpTlstmCertToTSNTable of RFC 5953.- Parameters:
fingerprint
- an (optional) cryptographic hash of a X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by thetype
parameter.type
- specifies the mapping type of the security name derivation from a certificate.data
- auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.securityName
- specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificates meta data (like subjectAltName).
-
removeSecurityNameMapping
public OctetString removeSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data) -
addAcceptedIssuerDN
-
removeAcceptedIssuerDN
-
addAcceptedSubjectDN
-
removeAcceptedSubjectDN
-
addLocalCertMapping
Map a target address to a local certificate alias. The security mapping will use the certificatecertAlias
for a target addressaddress
when applied to a client modeTLSTM
.- Parameters:
address
- aTlsAddress
instance ornull
if the local certificate should be mapped to any target address.certAlias
- the certificate alias in the local key store to be used to authenticate at TLS server instances.
-
removeLocalCertMapping
Remove the local certificate mapping for the given target address.- Parameters:
address
- aTlsAddress
instance ornull
if the default local certificate mapping should be removed.- Returns:
- the removed mapping or
null
if there is no such mapping.
-