Class TlsServerEndpoint


  • public final class TlsServerEndpoint
    extends java.lang.Object
    Utilitiy for extracting the "tls-server-end-point" channel binding data.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String TLS_SERVER_END_POINT
      The "tls-server-end-point" Channel Binding Type.
    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private TlsServerEndpoint()  
    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static byte @NotNull [] getChannelBindingData​(@NotNull java.security.cert.X509Certificate serverCert)
      The hash of the TLS server's certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message.
      private static java.security.MessageDigest getDigestAlgorithm​(java.lang.String signatureAlgorithm)
      Get the digest algorithm that would be used for a given signature algorithm name.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • TLS_SERVER_END_POINT

        public static final java.lang.String TLS_SERVER_END_POINT
        The "tls-server-end-point" Channel Binding Type.
        See Also:
        Constant Field Values
    • Constructor Detail

      • TlsServerEndpoint

        private TlsServerEndpoint()
    • Method Detail

      • getDigestAlgorithm

        private static java.security.MessageDigest getDigestAlgorithm​(java.lang.String signatureAlgorithm)
        Get the digest algorithm that would be used for a given signature algorithm name.

        The TLS server's certificate bytes need to be hashed with SHA-256 if its signature algorithm is MD5 or SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). If something else is used, the same hash as the signature algorithm is used.

        Parameters:
        signatureAlgorithm - the signature algorithm name for the certificate signature algorithm
        Returns:
        the MessageDigest algorithm, or null if the name is not recognized
        See Also:
        The tls-server-end-point Channel Binding Type
      • getChannelBindingData

        public static byte @NotNull [] getChannelBindingData​(@NotNull
                                                             @NotNull java.security.cert.X509Certificate serverCert)
                                                      throws java.security.cert.CertificateEncodingException
        The hash of the TLS server's certificate [RFC5280] as it appears, octet for octet, in the server's Certificate message. Note that the Certificate message contains a certificate_list, in which the first element is the server's certificate.

        The TLS server's certificate bytes need to be hashed with SHA-256 if its signature algorithm is MD5 or SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). If something else is used, the same hash as the signature algorithm is used.

        Parameters:
        serverCert - the TLS server's peer certificate
        Returns:
        the hash of the TLS server's peer certificate
        Throws:
        java.security.cert.CertificateEncodingException - if an encoding error occurs.