Module org.snmp4j
Package org.snmp4j.transport.tls

Class DefaultTlsTmSecurityCallback

  • All Implemented Interfaces:
    TlsTmSecurityCallback<java.security.cert.X509Certificate>
    public class DefaultTlsTmSecurityCallback
extends java.lang.Object
implements TlsTmSecurityCallback<java.security.cert.X509Certificate>
    The DefaultTlsTmSecurityCallback resolves the tmSecurityName for incoming requests through a mapping table based on the peer certificates, resolves the local certificate alias through a mapping table based on the target address and accepts peer certificates based on a list of trusted peer and issuer certificates.
    Since:
    2.0
    Version:
    3.3.0
    Author:
    Frank Fock

    • Constructor Detail

      • DefaultTlsTmSecurityCallback

        public DefaultTlsTmSecurityCallback()

    • Method Detail

      • getSecurityName

        public OctetString getSecurityName​(java.security.cert.X509Certificate[] peerCertificateChain)
        Description copied from interface: TlsTmSecurityCallback
        Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.
        Specified by:
        getSecurityName in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerCertificateChain - an array of Certificates with the peer's own certificate first followed by any CA authorities.
        Returns:
        the tmSecurityName as defined by RFC 5953.

      • isClientCertificateAccepted

        public boolean isClientCertificateAccepted​(java.security.cert.X509Certificate peerEndCertificate)
                                    throws java.security.cert.CertificateException
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied peer end certificate is accepted as client.
        Specified by:
        isClientCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerEndCertificate - a client Certificate instance to check acceptance for.
        Returns:
        true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
        Throws:
        java.security.cert.CertificateException - if the certificate is rejected.

      • isServerCertificateAccepted

        public boolean isServerCertificateAccepted​(java.security.cert.X509Certificate[] peerCertificateChain)
                                    throws java.security.cert.CertificateException
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied peer certificate chain is accepted as server.
        Specified by:
        isServerCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerCertificateChain - a server Certificate chain to check acceptance for.
        Returns:
        true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
        Throws:
        java.security.cert.CertificateException - if the certificate is rejected.

      • isAcceptedIssuer

        public boolean isAcceptedIssuer​(java.security.cert.X509Certificate issuerCertificate)
                         throws java.security.cert.CertificateException
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied issuer certificate is accepted as server.
        Specified by:
        isAcceptedIssuer in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        issuerCertificate - an issuer Certificate instance to check acceptance for.
        Returns:
        true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
        Throws:
        java.security.cert.CertificateException - if the certificate is rejected.

      • getLocalCertificateAlias

        public java.lang.String getLocalCertificateAlias​(Address targetAddress)
        Description copied from interface: TlsTmSecurityCallback
        Gets the local certificate alias to be used for the supplied target address.
        Specified by:
        getLocalCertificateAlias in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        targetAddress - a target address or null if the default local certificate alias needs to be retrieved.
        Returns:
        the requested local certificate alias, if known. Otherwise null is returned which could cause a protocol violation if the local key store contains more than one certificate.

      • addSecurityNameMapping

        public void addSecurityNameMapping​(OctetString fingerprint,
                                   SecurityNameMapping.CertMappingType type,
                                   OctetString data,
                                   OctetString securityName)
        Adds a mapping to derive a security name from a certificate. A mapping corresponds to a row in the snmpTlstmCertToTSNTable of RFC 5953.
        Parameters:
        fingerprint - an (optional) cryptographic hash of a X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by the type parameter.
        type - specifies the mapping type of the security name derivation from a certificate.
        data - auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.
        securityName - specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificates meta data (like subjectAltName).

      • addAcceptedIssuerDN

        public void addAcceptedIssuerDN​(java.lang.String issuerDN)

      • removeAcceptedIssuerDN

        public boolean removeAcceptedIssuerDN​(java.lang.String issuerDN)

      • addAcceptedSubjectDN

        public void addAcceptedSubjectDN​(java.lang.String subjectDN)

      • removeAcceptedSubjectDN

        public boolean removeAcceptedSubjectDN​(java.lang.String subjectDN)

      • addLocalCertMapping

        public void addLocalCertMapping​(Address address,
                                java.lang.String certAlias)
        Map a target address to a local certificate alias. The security mapping will use the certificate certAlias for a target address address when applied to a client mode TLSTM.
        Parameters:
        address - a TlsAddress instance or null if the local certificate should mapped to any target address.
        certAlias - the certificate alias in the local key store to be used to authenticate at TLS server instances.

      • removeLocalCertMapping

        public java.lang.String removeLocalCertMapping​(Address address)
        Remove the local certificate mapping for the given target address.
        Parameters:
        address - a TlsAddress instance or null if the default local certificate mapping should be removed.
        Returns:
        the removed mapping or null if there is no such mapping.