Add support for server certificate authenticity verification #24
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…verifying server certificates Similarly to JDK, I have moved the key exchange algorithm into an enum. This is helpful to verifying client certificates because I can leverage the algorithm name."
…e validating key usage During testing I was running into the following exception : Exception in thread "main" net.jradius.exception.RadiusException: java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.x509.X509Extension. It appears that there is an updated KeyUsage.fromExtensions API that fixes this issue. In order to leverage this I had to update some of the bouncy castle classes to use newer versions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reviewer: @wlanmac
This addresses part of my concern raised in #23
I personally only have use for EAP-TTLS so I have no need to send client certificates.
In short, this performs server certificate verification upon receipt of a certificate during the handshake when a valid
X509TrustManagercan be found. In order to verify the server certificate dynamically I had to pass the key exchange algorithm into the trust manager. I extended theKeyExchangeinterface and created enum values instead of static integers. This allows the enum to hold a name string as well as the integer value. The name string is what is passed to the trust manager dynamically.I also made some changes to how the
KeyUsageobject was constructed in theKeyExchangeimplementations since I was getting an IllegalArgumentException during testing. I updated some of the bouncy castle classes so that I could leverageKeyUsage.fromExtensions. This seemed to alleviate the problem.