Package org.snmp4j.transport.tls

Class DefaultTlsTmSecurityCallback

java.lang.Object
org.snmp4j.transport.tls.DefaultTlsTmSecurityCallback
All Implemented Interfaces:
TlsTmSecurityCallback<X509Certificate>
public class DefaultTlsTmSecurityCallback extends Object implements TlsTmSecurityCallback<X509Certificate>
The DefaultTlsTmSecurityCallback resolves the tmSecurityName for incoming requests through a mapping table based on the peer certificates, resolves the local certificate alias through a mapping table based on the target address and accepts peer certificates based on a list of trusted peer and issuer certificates.
Since:
2.0
Version:
2.8.1
Author:
Frank Fock

  • Constructor Details

    • DefaultTlsTmSecurityCallback

      public DefaultTlsTmSecurityCallback()

  • Method Details

    • getSecurityName

      public OctetString getSecurityName(X509Certificate[] peerCertificateChain)
      Description copied from interface: TlsTmSecurityCallback
      Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.
      Specified by:
      getSecurityName in interface TlsTmSecurityCallback<X509Certificate>
      Parameters:
      peerCertificateChain - an array of Certificates with the peer's own certificate first followed by any CA authorities.
      Returns:
      the tmSecurityName as defined by RFC 5953.

    • isClientCertificateAccepted

      public boolean isClientCertificateAccepted(X509Certificate peerEndCertificate) throws CertificateException
      Description copied from interface: TlsTmSecurityCallback
      Check if the supplied peer end certificate is accepted as client.
      Specified by:
      isClientCertificateAccepted in interface TlsTmSecurityCallback<X509Certificate>
      Parameters:
      peerEndCertificate - a client Certificate instance to check acceptance for.
      Returns:
      true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
      Throws:
      CertificateException - if the certificate is rejected.

    • isServerCertificateAccepted

      public boolean isServerCertificateAccepted(X509Certificate[] peerCertificateChain) throws CertificateException
      Description copied from interface: TlsTmSecurityCallback
      Check if the supplied peer certificate chain is accepted as server.
      Specified by:
      isServerCertificateAccepted in interface TlsTmSecurityCallback<X509Certificate>
      Parameters:
      peerCertificateChain - a server Certificate chain to check acceptance for.
      Returns:
      true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
      Throws:
      CertificateException - if the certificate is rejected.

    • isAcceptedIssuer

      public boolean isAcceptedIssuer(X509Certificate issuerCertificate) throws CertificateException
      Description copied from interface: TlsTmSecurityCallback
      Check if the supplied issuer certificate is accepted as server.
      Specified by:
      isAcceptedIssuer in interface TlsTmSecurityCallback<X509Certificate>
      Parameters:
      issuerCertificate - an issuer Certificate instance to check acceptance for.
      Returns:
      true if the certificate is accepted, false otherwise, i.e. if verification could not performed, i.e. because it was not configured sufficiently.
      Throws:
      CertificateException - if the certificate is rejected.

    • getLocalCertificateAlias

      public String getLocalCertificateAlias(Address targetAddress)
      Description copied from interface: TlsTmSecurityCallback
      Gets the local certificate alias to be used for the supplied target address.
      Specified by:
      getLocalCertificateAlias in interface TlsTmSecurityCallback<X509Certificate>
      Parameters:
      targetAddress - a target address or null if the default local certificate alias needs to be retrieved.
      Returns:
      the requested local certificate alias, if known. Otherwise null is returned which could cause a protocol violation if the local key store contains more than one certificate.

    • addSecurityNameMapping

      public void addSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data, OctetString securityName)
      Adds a mapping to derive a security name from a certificate. A mapping corresponds to a row in the snmpTlstmCertToTSNTable of RFC 5953.
      Parameters:
      fingerprint - an (optional) cryptographic hash of a X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by the type parameter.
      type - specifies the mapping type of the security name derivation from a certificate.
      data - auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.
      securityName - specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificates meta data (like subjectAltName).

    • removeSecurityNameMapping

      public OctetString removeSecurityNameMapping(OctetString fingerprint, SecurityNameMapping.CertMappingType type, OctetString data)

    • addAcceptedIssuerDN

      public void addAcceptedIssuerDN(String issuerDN)

    • removeAcceptedIssuerDN

      public boolean removeAcceptedIssuerDN(String issuerDN)

    • addAcceptedSubjectDN

      public void addAcceptedSubjectDN(String subjectDN)

    • removeAcceptedSubjectDN

      public boolean removeAcceptedSubjectDN(String subjectDN)

    • addLocalCertMapping

      public void addLocalCertMapping(Address address, String certAlias)
      Map a target address to a local certificate alias. The security mapping will use the certificate certAlias for a target address address when applied to a client mode TLSTM.
      Parameters:
      address - a TlsAddress instance or null if the local certificate should mapped to any target address.
      certAlias - the certificate alias in the local key store to be used to authenticate at TLS server instances.

    • removeLocalCertMapping

      public String removeLocalCertMapping(Address address)
      Remove the local certificate mapping for the given target address.
      Parameters:
      address - a TlsAddress instance or null if the default local certificate mapping should be removed.
      Returns:
      the removed mapping or null if there is no such mapping.