java.lang.Object
  org.snmp4j.transport.tls.TLSTMUtil

public class TLSTMUtil extends java.lang.Object
- Since: 3.0
- Version: 3.6.0
Field Summary
- private static LogAdapter logger
- private static int MD_SHA_PREFIX_LENGTH

Constructor Summary
- TLSTMUtil()
Method Summary (all methods are static)
- protected static void addCRLCertStore(java.lang.String crlFilePath, java.security.cert.PKIXBuilderParameters pkixBuilderParameters)
  Return the initialization parameters for a TrustManager for doing cert path validation with CRL revocation based on a CRL file.
- static java.security.cert.PKIXRevocationChecker createDefaultPKIXRevocationChecker()
  Creates a default revocation checker with CRL check only (no OCSP); the check is limited to the end entity only.
- static javax.net.ssl.SSLContext createSSLContext(java.lang.String protocol, java.lang.String keyStore, java.lang.String keyStorePassword, java.lang.String trustStore, java.lang.String trustStorePassword, TransportStateReference transportStateReference, TLSTMTrustManagerFactory trustManagerFactory, boolean useClientMode, TlsTmSecurityCallback<java.security.cert.X509Certificate> securityCallback, java.lang.String localCertificateAlias, java.security.cert.PKIXRevocationChecker pkixRevocationChecker, java.lang.String crlURI)
- private static void filterCertificates(java.security.KeyStore ks, TransportStateReference transportStateReference, TlsTmSecurityCallback<java.security.cert.X509Certificate> securityCallback, java.lang.String localCertificateAlias)
- static OctetString getFingerprint(java.security.cert.X509Certificate cert)
- static OctetString getIpAddressFromSubjAltName(java.util.Collection<java.util.List<?>> altNames)
- static java.lang.Object getSubjAltName(java.util.Collection<java.util.List<?>> subjAltNames, int type)
- private static java.util.Collection<? extends java.security.cert.CRL> getX509CRLs(java.lang.String crlUrl)
- static boolean isMatchingFingerprint(java.security.cert.X509Certificate[] x509Certificates, OctetString fingerprint, boolean useClientMode, CounterSupport tlstmCounters, LogAdapter logger, java.lang.Object eventSource)
  Checks if any of the certificates in the provided array matches the given fingerprint.
Field Detail

logger
private static final LogAdapter logger

MD_SHA_PREFIX_LENGTH
private static final int MD_SHA_PREFIX_LENGTH

Method Detail

getFingerprint
public static OctetString getFingerprint(java.security.cert.X509Certificate cert)
isMatchingFingerprint
public static boolean isMatchingFingerprint(java.security.cert.X509Certificate[] x509Certificates, OctetString fingerprint, boolean useClientMode, CounterSupport tlstmCounters, LogAdapter logger, java.lang.Object eventSource) throws java.security.cert.CertificateException
Checks if any of the certificates in the provided array matches the given fingerprint. If the fingerprint to match is null or of zero length, false is returned, because matching cannot be performed.
- Parameters:
  x509Certificates - the certificates to match.
  fingerprint - the fingerprint searched for.
  useClientMode - defines whether server or client mode is active, so that the right counter events are emitted.
  tlstmCounters - the counters to increase on matching.
  logger - where to log.
  eventSource - the source object for events emitted by the matching.
- Returns:
  true if there is a match; false if matching could not be performed because the fingerprint is null or of zero length.
- Throws:
  java.security.cert.CertificateException - if there is no match but the fingerprint is non-null and has a length greater than zero.
getSubjAltName
public static java.lang.Object getSubjAltName(java.util.Collection<java.util.List<?>> subjAltNames, int type)

getIpAddressFromSubjAltName
public static OctetString getIpAddressFromSubjAltName(java.util.Collection<java.util.List<?>> altNames)

createSSLContext
public static javax.net.ssl.SSLContext createSSLContext(java.lang.String protocol, java.lang.String keyStore, java.lang.String keyStorePassword, java.lang.String trustStore, java.lang.String trustStorePassword, TransportStateReference transportStateReference, TLSTMTrustManagerFactory trustManagerFactory, boolean useClientMode, TlsTmSecurityCallback<java.security.cert.X509Certificate> securityCallback, java.lang.String localCertificateAlias, java.security.cert.PKIXRevocationChecker pkixRevocationChecker, java.lang.String crlURI) throws java.security.GeneralSecurityException
- Throws:
  java.security.GeneralSecurityException
createDefaultPKIXRevocationChecker
public static java.security.cert.PKIXRevocationChecker createDefaultPKIXRevocationChecker()
Creates a default revocation checker with CRL check only (no OCSP); the check is limited to the end entity only.
- Returns:
  a simple revocation checker to be used with #setPKIXRevocationChecker(PKIXRevocationChecker).
- Since: 3.6.0
addCRLCertStore
protected static void addCRLCertStore(java.lang.String crlFilePath, java.security.cert.PKIXBuilderParameters pkixBuilderParameters)
Return the initialization parameters for a TrustManager for doing cert path validation with CRL revocation based on a CRL file. Currently, only the default PKIX is supported.
- Parameters:
  crlFilePath - the path to the CRL file that provides the CRL collection for checking revocation.
  pkixBuilderParameters - the PKIXBuilderParameters to modify.
- Since: 3.6.0
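createDefaultPKIXRevocationChecker and addCRLCertStore together describe a revocation policy of CRL checks only (no OCSP), restricted to the end-entity certificate, with the CRLs taken from a local file. The following is an added example, not snmp4j's own implementation, that expresses the same policy with plain JDK APIs (PKIXRevocationChecker options and a Collection CertStore on PKIXBuilderParameters); the class and method names are hypothetical, and the trust store of CA certificates is assumed to be loaded by the caller.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical example class; not part of snmp4j.
public final class CrlOnlyTrustManagerExample {

    /** CRL-only, end-entity-only revocation checker built from the JDK PKIX validator. */
    public static PKIXRevocationChecker crlOnlyEndEntityChecker() throws GeneralSecurityException {
        PKIXRevocationChecker checker = (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(
            PKIXRevocationChecker.Option.PREFER_CRLS,     // consult CRLs first ...
            PKIXRevocationChecker.Option.NO_FALLBACK,     // ... and never fall back to OCSP
            PKIXRevocationChecker.Option.ONLY_END_ENTITY  // do not check revocation of CA certificates
            // SOFT_FAIL deliberately omitted: a missing or unusable CRL fails validation (fail closed)
        ));
        return checker;
    }

    /** Loads every CRL in crlFilePath (PEM or DER) into a Collection CertStore on the builder parameters. */
    public static void addCrlCertStore(String crlFilePath, PKIXBuilderParameters params) throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (FileInputStream in = new FileInputStream(crlFilePath)) {
            crls = cf.generateCRLs(in);
        }
        if (crls.isEmpty()) {
            // An empty file would otherwise silently yield a store with nothing to check against.
            throw new CRLException("no CRL found in " + crlFilePath);
        }
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));
    }

    /** trustStore holds the trusted CA certificates; the result can initialise an SSLContext. */
    public static TrustManagerFactory trustManagerFactory(KeyStore trustStore, String crlFilePath)
            throws GeneralSecurityException, IOException {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        addCrlCertStore(crlFilePath, params);
        // A PKIXRevocationChecker added this way is used regardless of the RevocationEnabled flag.
        params.addCertPathChecker(crlOnlyEndEntityChecker());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }
}
```

Pass `trustManagerFactory(...).getTrustManagers()` to `SSLContext.init` to get a TLS peer check that rejects certificates listed in the CRL and fails closed when the CRL cannot be applied.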
getX509CRLs
private static java.util.Collection<? extends java.security.cert.CRL> getX509CRLs(java.lang.String crlUrl)

filterCertificates
private static void filterCertificates(java.security.KeyStore ks, TransportStateReference transportStateReference, TlsTmSecurityCallback<java.security.cert.X509Certificate> securityCallback, java.lang.String localCertificateAlias)