Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cf-2.5.0 : remove deprecate usage of TrustedRpkStore/CertificateVerifier
- Loading branch information
1 parent
caa03d1
commit 7970701
Showing
4 changed files
with
167 additions
and
109 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
76 changes: 76 additions & 0 deletions
76
...src/main/java/org/eclipse/leshan/client/californium/DefaultLeshanCertificateVerifier.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
package org.eclipse.leshan.client.californium; | ||
|
||
import java.security.cert.Certificate; | ||
import java.util.ArrayList; | ||
import java.util.List; | ||
|
||
import javax.security.auth.x500.X500Principal; | ||
|
||
import org.eclipse.californium.scandium.dtls.AlertMessage; | ||
import org.eclipse.californium.scandium.dtls.AlertMessage.AlertDescription; | ||
import org.eclipse.californium.scandium.dtls.AlertMessage.AlertLevel; | ||
import org.eclipse.californium.scandium.dtls.CertificateMessage; | ||
import org.eclipse.californium.scandium.dtls.CertificateType; | ||
import org.eclipse.californium.scandium.dtls.CertificateVerificationResult; | ||
import org.eclipse.californium.scandium.dtls.ConnectionId; | ||
import org.eclipse.californium.scandium.dtls.DTLSSession; | ||
import org.eclipse.californium.scandium.dtls.HandshakeException; | ||
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler; | ||
import org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier; | ||
import org.eclipse.californium.scandium.util.ServerNames; | ||
|
||
public class DefaultLeshanCertificateVerifier implements NewAdvancedCertificateVerifier { | ||
|
||
private final Certificate expectedServerCertificate; | ||
private final List<CertificateType> supportedCertificateType; | ||
|
||
public DefaultLeshanCertificateVerifier(Certificate expectedServerCertificate) { | ||
this.expectedServerCertificate = expectedServerCertificate; | ||
this.supportedCertificateType = new ArrayList<>(1); | ||
this.supportedCertificateType.add(CertificateType.X_509); | ||
} | ||
|
||
@Override | ||
public List<X500Principal> getAcceptedIssuers() { | ||
return null; | ||
} | ||
|
||
@Override | ||
public List<CertificateType> getSupportedCertificateType() { | ||
return supportedCertificateType; | ||
} | ||
|
||
@Override | ||
public CertificateVerificationResult verifyCertificate(ConnectionId cid, ServerNames serverName, | ||
Boolean clientUsage, boolean truncateCertificatePath, CertificateMessage message, DTLSSession session) { | ||
// As specify in the LWM2M spec 1.0, we only support "domain-issued certificate" usage | ||
// Defined in : https://tools.ietf.org/html/rfc6698#section-2.1.1 (3 -- Certificate usage 3) | ||
|
||
// Get server certificate from certificate message | ||
if (message.getCertificateChain() == null || message.getCertificateChain().getCertificates().size() == 0) { | ||
AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, | ||
session.getPeer()); | ||
HandshakeException handshakeException = new HandshakeException( | ||
"Certificate chain could not be validated : server cert chain is empty", alert); | ||
return new CertificateVerificationResult(cid, handshakeException, null); | ||
} | ||
Certificate receivedServerCertificate = message.getCertificateChain().getCertificates().get(0); | ||
|
||
// Validate certificate | ||
if (!expectedServerCertificate.equals(receivedServerCertificate)) { | ||
AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, | ||
session.getPeer()); | ||
HandshakeException handshakeException = new HandshakeException( | ||
"Certificate chain could not be validated: server certificate does not match expected one ('domain-issue certificate' usage)", | ||
alert); | ||
return new CertificateVerificationResult(cid, handshakeException, null); | ||
} | ||
|
||
return new CertificateVerificationResult(cid, message.getCertificateChain(), null); | ||
} | ||
|
||
@Override | ||
public void setResultHandler(HandshakeResultHandler resultHandler) { | ||
// we don't use async mode. | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.