Swiftdiff options
| author | Nick Hudson <nick.hudson@isode.com> | 2012-03-08 10:16:55 (GMT) |
|---|---|---|
| committer | Kevin Smith <git@kismith.co.uk> | 2012-03-08 21:51:02 (GMT) |
| commit | c5392b36c368ebdca2e8ab356eb0d1fb0d36a5cb (patch) | |
| tree | 38c40c5661bce2b5655d91e6e7dadcc3b536fac5 /src/com/isode/stroke/client | |
| parent | 0470264fd4f9e7e73d1b655dc680e5ca7c10513c (diff) | |
| download | stroke-c5392b36c368ebdca2e8ab356eb0d1fb0d36a5cb.zip stroke-c5392b36c368ebdca2e8ab356eb0d1fb0d36a5cb.tar.bz2 | |
Implement "CertificateWithKey" and add support for setting client certificates
This change provides the functionality to allow clients to specify a
PKCS#12 file containing client certificate/key for use when starting
TLS sessions.
The PKCS12Certificate class now subclasses "CertificateWithKey"
(matching the Swiften implementation).
Swiften also has "CAPICertificate", which is another subclass of
CertificateWithKey. This has not been provided in this patch.
From a client's point of view, all that's necessary to specify a
certificate to be used for TLS is to do something like
CertificateWithKey myCert = new PKCS12Certificate(
"/home/fred/myp12file.p12",
"secret".toCharArray());
coreClient.setCertificate(myCert);
before calling "CoreClient.connect".
Matching the Swiften functionality, constructing a new
PKCS12Certificate does not actually perform validation of the P12
file/passphrase; that takes place when the p12 file is used.
There is limited scope for returning to the caller errors describing
possible problems, but JSSEContext uses the "emitError" method which
does maintain error information, which is available in a debugger, or
from the JSSEContext.toString() method.
Test-information:
Set up an M-Link server with TLS verified that
- when I specify a client certificate with suitable SAN, the client
sends it and the server reports authentication using the certificate
- when I specify a client certificate without a suitable SAN, the
client sends it but the server rejects it
Diffstat (limited to 'src/com/isode/stroke/client')
| -rw-r--r-- | src/com/isode/stroke/client/CoreClient.java | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/com/isode/stroke/client/CoreClient.java b/src/com/isode/stroke/client/CoreClient.java index c01d57a..49b6df7 100644 --- a/src/com/isode/stroke/client/CoreClient.java +++ b/src/com/isode/stroke/client/CoreClient.java @@ -31,6 +31,7 @@ import com.isode.stroke.signals.Slot; import com.isode.stroke.signals.Slot1; import com.isode.stroke.tls.CertificateTrustChecker; import com.isode.stroke.tls.CertificateVerificationError; +import com.isode.stroke.tls.CertificateWithKey; import com.isode.stroke.tls.PKCS12Certificate; import com.isode.stroke.tls.PlatformTLSFactories; @@ -169,8 +170,8 @@ public class CoreClient { assert (sessionStream_ == null); sessionStream_ = new BasicSessionStream(StreamType.ClientStreamType, connection_, payloadParserFactories_, payloadSerializers_, tlsFactories.getTLSContextFactory(), networkFactories.getTimerFactory(), eventLoop_); - if (certificate_ != null && !certificate_.isEmpty()) { - sessionStream_.setTLSCertificate(new PKCS12Certificate(certificate_, password_)); + if (certificate_ != null && !certificate_.isNull()) { + sessionStream_.setTLSCertificate(certificate_); } sessionStreamDataReadConnection_ = sessionStream_.onDataRead.connect(new Slot1<String>() { @@ -228,7 +229,7 @@ public class CoreClient { } } - public void setCertificate(String certificate) { + public void setCertificate(CertificateWithKey certificate) { certificate_ = certificate; } @@ -454,7 +455,7 @@ public class CoreClient { private Connection connection_; private BasicSessionStream sessionStream_; private ClientSession session_; - private String certificate_; + private CertificateWithKey certificate_; private boolean disconnectRequested_; private ClientOptions options; private CertificateTrustChecker certificateTrustChecker; |