Module org.snmp4j

Class DefaultTlsTmSecurityCallback

  • All Implemented Interfaces:
    TlsTmSecurityCallback<java.security.cert.X509Certificate>

    public class DefaultTlsTmSecurityCallback
    extends java.lang.Object
    implements TlsTmSecurityCallback<java.security.cert.X509Certificate>
    The DefaultTlsTmSecurityCallback resolves the tmSecurityName for incoming requests through a mapping table based on the peer certificates, resolves the local certificate alias through a mapping table based on the target address and accepts peer certificates based on a list of trusted peer and issuer certificates.
    Since:
    2.0
    Author:
    Frank Fock
    • Constructor Detail

      • DefaultTlsTmSecurityCallback

        public DefaultTlsTmSecurityCallback()
    • Method Detail

      • getSecurityName

        public OctetString getSecurityName​(java.security.cert.X509Certificate[] peerCertificateChain)
        Description copied from interface: TlsTmSecurityCallback
        Gets the tmSecurityName (see RFC 5953) from the certificate chain of the communication peer that needs to be authenticated.
        Specified by:
        getSecurityName in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerCertificateChain - an array of Certificates with the peer's own certificate first followed by any CA authorities.
        Returns:
        the tmSecurityName as defined by RFC 5953.
      • isClientCertificateAccepted

        public boolean isClientCertificateAccepted​(java.security.cert.X509Certificate peerEndCertificate)
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied peer end certificate is accepted as client.
        Specified by:
        isClientCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerEndCertificate - a client Certificate instance to check acceptance for.
        Returns:
        true if the certificate is accepted.
      • isServerCertificateAccepted

        public boolean isServerCertificateAccepted​(java.security.cert.X509Certificate[] peerCertificateChain)
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied peer certificate chain is accepted as server.
        Specified by:
        isServerCertificateAccepted in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        peerCertificateChain - a server Certificate chain to check acceptance for.
        Returns:
        true if the certificate chain is accepted.
      • isAcceptedIssuer

        public boolean isAcceptedIssuer​(java.security.cert.X509Certificate issuerCertificate)
        Description copied from interface: TlsTmSecurityCallback
        Check if the supplied issuer certificate is accepted as server.
        Specified by:
        isAcceptedIssuer in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        issuerCertificate - an issuer Certificate instance to check acceptance for.
        Returns:
        true if the certificate is accepted.
      • getLocalCertificateAlias

        public java.lang.String getLocalCertificateAlias​(Address targetAddress)
        Description copied from interface: TlsTmSecurityCallback
        Gets the local certificate alias to be used for the supplied target address.
        Specified by:
        getLocalCertificateAlias in interface TlsTmSecurityCallback<java.security.cert.X509Certificate>
        Parameters:
        targetAddress - a target address or null if the default local certificate alias needs to be retrieved.
        Returns:
        the requested local certificate alias, if known. Otherwise null is returned which could cause a protocol violation if the local key store contains more than one certificate.
      • addSecurityNameMapping

        public void addSecurityNameMapping​(OctetString fingerprint,
                                           SecurityNameMapping.CertMappingType type,
                                           OctetString data,
                                           OctetString securityName)
        Adds a mapping to derive a security name from a certificate. A mapping corresponds to a row in the snmpTlstmCertToTSNTable of RFC 5953.
        Parameters:
        fingerprint - an (optional) cryptographic hash of a X.509 certificate. Whether the trusted CA in the certificate validation path or the certificate itself is matched against the fingerprint is specified by the type parameter.
        type - specifies the mapping type of the security name derivation from a certificate.
        data - auxiliary data used as optional configuration information for some mapping types. It must be ignored for any mapping type that does not use auxiliary data.
        securityName - specifies the mapped security name. This parameter is optional and only required if the mapping type does not dictate a method to derive the security name from a certificates meta data (like subjectAltName).
      • addAcceptedIssuerDN

        public void addAcceptedIssuerDN​(java.lang.String issuerDN)
      • removeAcceptedIssuerDN

        public boolean removeAcceptedIssuerDN​(java.lang.String issuerDN)
      • addAcceptedSubjectDN

        public void addAcceptedSubjectDN​(java.lang.String subjectDN)
      • removeAcceptedSubjectDN

        public boolean removeAcceptedSubjectDN​(java.lang.String subjectDN)
      • addLocalCertMapping

        public void addLocalCertMapping​(Address address,
                                        java.lang.String certAlias)
        Map a target address to a local certificate alias. The security mapping will use the certificate certAlias for a target address address when applied to a client mode TLSTM.
        Parameters:
        address - a TlsAddress instance or null if the local certificate should mapped to any target address.
        certAlias - the certificate alias in the local key store to be used to authenticate at TLS server instances.
      • removeLocalCertMapping

        public java.lang.String removeLocalCertMapping​(Address address)
        Remove the local certificate mapping for the given target address.
        Parameters:
        address - a TlsAddress instance or null if the default local certificate mapping should be removed.
        Returns:
        the removed mapping or null if there is no such mapping.