001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.auth.verifier; 019 020 021import java.security.cert.X509Certificate; 022 023import com.nimbusds.oauth2.sdk.id.ClientID; 024 025 026/** 027 * Client X.509 certificate binding verifier. Intended for verifying that a 028 * client X.509 certificate submitted during successful PKI mutual TLS 029 * authentication (in 030 * {@link com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod#TLS_CLIENT_AUTH 031 * tls_client_auth}) matches one of the registered values for the client. 032 * These can be: {@code tls_client_auth_subject_dn}, 033 * {@code tls_client_auth_san_dns}, 034 * {@code tls_client_auth_san_uri}, 035 * {@code tls_client_auth_san_ip} or 036 * {@code tls_client_auth_san_email}. 037 * 038 * <p>Implementations must be tread-safe. 039 */ 040public interface PKIClientX509CertificateBindingVerifier<T> { 041 042 043 /** 044 * Verifies that the specified X.509 certificate binds to 045 * the claimed client ID. 046 * 047 * @param clientID The claimed client ID. Not {@code null}. 048 * @param certificate The X.509 certificate. Not {@code null}. 049 * @param context Additional context. May be {@code null}. 050 * 051 * @throws InvalidClientException If client ID and certificate don't 052 * bind or are invalid. 053 */ 054 void verifyCertificateBinding(final ClientID clientID, 055 final X509Certificate certificate, 056 final Context<T> context) 057 throws InvalidClientException; 058}