Merge pull request eclipse-leshan#27 from sbernard31/rpk_without_cert

add API on config to allow to use RPK without certifcate
mike-scott · Dec 3, 2014 · 1a94c3e · 1a94c3e
2 parents 38121d4 + fb5988c
commit 1a94c3e
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 13 deletions.
diff --git a/src/main/java/org/eclipse/californium/scandium/DTLSConnectorConfig.java b/src/main/java/org/eclipse/californium/scandium/DTLSConnectorConfig.java
@@ -19,6 +19,7 @@
 package org.eclipse.californium.scandium;
 
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 
 import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
@@ -59,6 +60,9 @@ public class DTLSConnectorConfig {
 	/** the private key for RPK and X509 mode */
 	public PrivateKey privateKey = null;
 
+	/** the public key for RPK mode */
+	public PublicKey publicKey = null;
+
 	/** the certificate for RPK and X509 mode */
 	public Certificate[] certChain = null;
 
@@ -90,7 +94,28 @@ public void setPskStore(PskStore pskStore) {
 	}
 
 	/**
-	 * Sets the private key and corresponding issuer certificate chain. In
+	 * Sets the private key and public key for RPK mode.
+	 * Use to configure RPK only, if you want to configure RPK and certificate 
+	 * authentication mode use {@link #setPrivateKey(PrivateKey, Certificate[], boolean)} instead.
+	 * @param private key
+	 *            the private key
+	 * @param public key
+	 *            the public key associate to the private key
+	 * @see #setPrivateKey(PrivateKey, Certificate[], boolean) if you want to use X509 certification too.
+	 */
+	public void setPrivateKey(PrivateKey privateKey, PublicKey publicKey) {
+		assertNotStarted();
+		if (privateKey == null)
+			throw new IllegalArgumentException("the privateKey should not be null");
+		if (publicKey == null)
+			throw new IllegalArgumentException("the publicKey should not be null");
+		this.privateKey = privateKey;
+		this.publicKey = publicKey;
+		this.sendRawKey = true;
+	}
+
+	/**
+	 * Sets the private key and corresponding issuer certificate chain for RPK and X509 mode. In
 	 * server mode the key and certificates are used to prove the server's
 	 * identity to the client. In client mode the key and certificates are used
 	 * to prove the client's identity to the server.
@@ -104,12 +129,18 @@ public void setPskStore(PskStore pskStore) {
 	 *            <code>true</code> if only the <em>RawPublicKey</em> for the
 	 *            private key should be exchanged with a peer instead of the
 	 *            X.509 certificate chain
+	 * @see #setPrivateKey(PrivateKey, PublicKey) if you don't need X509 authentication.
 	 */
 	public void setPrivateKey(PrivateKey key, Certificate[] certChain,
 			boolean sendRawKey) {
 		assertNotStarted();
+		if (key == null)
+			throw new IllegalArgumentException("the key should not be null");
+		if (certChain == null || certChain.length < 1)
+			throw new IllegalArgumentException("the certChain should not be null or empty");
 		this.privateKey = key;
 		this.certChain = certChain;
+		this.publicKey =  certChain[0].getPublicKey();
 		this.sendRawKey = sendRawKey;
 	}
 

diff --git a/src/main/java/org/eclipse/californium/scandium/dtls/CertificateMessage.java b/src/main/java/org/eclipse/californium/scandium/dtls/CertificateMessage.java
@@ -92,15 +92,9 @@ public class CertificateMessage extends HandshakeMessage {
 	 * @param certificateChain
 	 *            the certificate chain (first certificate must be the
 	 *            server's).
-	 * @param useRawPublicKey
-	 *            whether only the raw public key (SubjectPublicKeyInfo) is
-	 *            needed.
 	 */
-	public CertificateMessage(Certificate[] certificateChain, boolean useRawPublicKey) {
+	public CertificateMessage(Certificate[] certificateChain) {
 		this.certificateChain = certificateChain;
-		if (useRawPublicKey) {
-			this.rawPublicKeyBytes = certificateChain[0].getPublicKey().getEncoded();
-		}
 	}
 
 	/**
@@ -365,7 +359,7 @@ public static HandshakeMessage fromByteArray(byte[] byteArray, boolean useRawPub
 				}
 			}
 
-			message = new CertificateMessage(certs.toArray(new X509Certificate[certs.size()]), useRawPublicKey);
+			message = new CertificateMessage(certs.toArray(new X509Certificate[certs.size()]));
 		}
 
 		return message;

diff --git a/src/main/java/org/eclipse/californium/scandium/dtls/ClientHandshaker.java b/src/main/java/org/eclipse/californium/scandium/dtls/ClientHandshaker.java
@@ -103,6 +103,7 @@ public ClientHandshaker(InetSocketAddress endpointAddress, RawData message, DTLS
 		this.message = message;
 		this.privateKey = config.privateKey;
 		this.certificates = config.certChain;
+		this.publicKey = certificates != null && certificates.length > 0 ? certificates[0].getPublicKey() : config.publicKey;
 		this.pskStore = config.pskStore;
 		this.useRawPublicKey = config.sendRawKey;
 		this.preferredCipherSuite = config.preferredCipherSuite;
@@ -407,8 +408,11 @@ private DTLSFlight receivedServerHelloDone(ServerHelloDone message) throws Hands
 		if (certificateRequest != null) {
 			// TODO load the client's certificate according to the allowed
 			// parameters in the CertificateRequest
-			clientCertificate = new CertificateMessage(certificates, session.sendRawPublicKey());
-
+			if (session.sendRawPublicKey()){
+				clientCertificate = new CertificateMessage(publicKey.getEncoded());
+			} else {
+				clientCertificate = new CertificateMessage(certificates);
+			}
 			flight.addMessage(wrapMessage(clientCertificate));
 		}
 

diff --git a/src/main/java/org/eclipse/californium/scandium/dtls/Handshaker.java b/src/main/java/org/eclipse/californium/scandium/dtls/Handshaker.java
@@ -20,6 +20,7 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -144,6 +145,9 @@ public abstract class Handshaker {
 	/** The handshaker's private key. */
 	protected PrivateKey privateKey;
 
+	/** The handshaker's public key. */
+	protected PublicKey publicKey;
+
 	/** The handshaker's certificate chain. */
 	protected Certificate[] certificates;
 

diff --git a/src/main/java/org/eclipse/californium/scandium/dtls/ServerHandshaker.java b/src/main/java/org/eclipse/californium/scandium/dtls/ServerHandshaker.java
@@ -108,7 +108,8 @@ public ServerHandshaker(InetSocketAddress endpointAddress, DTLSSession session,
 
 		this.privateKey = config.privateKey;
 		this.certificates = config.certChain;
-
+		this.publicKey = certificates != null && certificates.length > 0 ? certificates[0].getPublicKey() : config.publicKey;
+
 		this.clientAuthenticationRequired = config.requireClientAuth;
 
 		this.supportedClientCertificateTypes = new ArrayList<>();
@@ -474,7 +475,11 @@ private DTLSFlight receivedClientHello(ClientHello message) throws HandshakeExce
 			CertificateMessage certificateMessage = null;
 			switch (keyExchange) {
 			case EC_DIFFIE_HELLMAN:
-				certificateMessage = new CertificateMessage(certificates, session.sendRawPublicKey());
+				if (session.sendRawPublicKey()){
+					certificateMessage = new CertificateMessage(publicKey.getEncoded());
+				} else {
+					certificateMessage = new CertificateMessage(certificates);
+				}
 				break;
 
 			default: