package com.nimbusds.openid.connect.provider.spi.clientauth;


import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;


/**
 * Verification hook for the X.509 certificate that accompanies a
 * {@code private_key_jwt} client authentication.
 *
 * <p>Security note: a certificate taken from the JWS header of the client
 * assertion is supplied by the authenticating client itself and must be
 * treated as untrusted until {@link #verify} has accepted it. A valid JWS
 * signature only demonstrates possession of the private key matching the
 * presented certificate; it says nothing about whether that certificate is
 * trusted. Implementations are expected to perform whatever checks their
 * deployment requires (for example chain building to a trusted anchor,
 * validity period, revocation status) and to reject the authentication by
 * throwing when any of them fails. The {@link Context} reports where the
 * certificate came from so that a policy can be applied to that as well.
 */
public interface CertificateVerification {


	/**
	 * Verifies the X.509 certificate (and any supplied chain) presented
	 * for a {@code private_key_jwt} client authentication. Returning
	 * normally means the certificate is accepted.
	 *
	 * @param x5c The certificate to verify, optionally followed by its
	 *            chain. Never {@code null} or empty.
	 * @param ctx Context of the verification, including the location(s)
	 *            the certificate was obtained from. Never {@code null}.
	 *
	 * @throws InvalidClientException If the certificate must be rejected.
	 *         An {@link ExposedInvalidClientException} replaces the
	 *         Connect2id server's default {@code error_description} and
	 *         {@code error_uri} in the HTTP 401 Unauthorized response;
	 *         keep such exposed messages free of internal detail, as the
	 *         client receives them verbatim.
	 */
	void verify(final List<X509Certificate> x5c, final Context ctx)
		throws InvalidClientException;


	/**
	 * Context supplied to {@link CertificateVerification#verify}.
	 */
	interface Context {


		/**
		 * Reports where the certificate under verification was found:
		 * in the JWS header of the {@code private_key_jwt} assertion,
		 * in a JWK registered for the client, or in both. Lets an
		 * implementation require a particular way of passing or
		 * referencing the certificate, e.g. refusing a certificate that
		 * is only present in the client-supplied JWS header.
		 *
		 * @return The location(s), never empty.
		 */
		Set<CertificateLocation> getCertificateLocations();
	}
}