--- /dev/null 2017-07-18 10:08:09.829212503 -0300
+++ new/src/java.base/share/classes/javax/net/ssl/CertificateAuthority.java 2017-07-18 14:01:59.907796292 -0300
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package javax.net.ssl;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+/**
+ * {@code CertificateAuthority} class contains information to
+ * identify a single certificate in the context of the Certificate Authorities
+ * TLS Extension (TLS 1.3).
+ *
+ * Client and servers may optionally provide one or multiple indications
+ * regarding its trusted certification authorities (either root or subordinate)
+ * as a hint for the other side to select a certificate. This decreases
+ * the probability of a handshake failure caused by an untrusted certificate
+ * chain.
+ *
+ * This class can be mapped to a single element of the {@code authorities} member
+ * in {@code CertificateAuthoritiesExtension} structure, as specified in
+ * TLS 1.3.
+ *
+ * @see CertificateAuthoritiesExtension
+ *
+ * @author Martin Balao (mbalao@redhat.com)
+ */
+public interface CertificateAuthority {
+
+ /**
+ * Returns a byte array containing a single certificate authority indication,
+ * encoded according to
+ * TLS 1.3.
+ *
+ * @return byte array containing a single certificate authority indication.
+ */
+ public byte[] getEncoded();
+
+ /**
+ * Returns whether or not a X.509 certificate is indicated by a
+ * single certificate authority indication. This decision is based
+ * on the certificate's subject distinguished name. Thus, it is
+ * possible that multiple certificates match a given certificate
+ * authority indication. Further decision on which certificate to
+ * use is based on other TLS session parameters such as supported
+ * ciphersuites.
+ *
+ * @param certificate X.509 certificate to be checked against a single
+ * certificate authority indication.
+ * @return whether or not a X.509 certificate is indicated by a
+ * single certificate authority indication.
+ * @throws CertificateEncodingException X.509 certificate is not correctly
+ * encoded.
+ * @throws Exception an internal error occurred while matching the X.509
+ * certificate against a certificate authority indication.
+ * This generic exception is unlikely to be thrown and may be caused
+ * by errors when encoding DER values.
+ */
+ public boolean implies(X509Certificate certificate)
+ throws CertificateEncodingException, Exception;
+
+}
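Review bot: `implies` declares `throws CertificateEncodingException, Exception`, which in a public `javax.net.ssl` interface forces every caller into `catch (Exception e)` and makes the separately declared `CertificateEncodingException` meaningless because `Exception` already covers it; the Javadoc itself says the generic exception is unlikely and stems from DER encoding errors, so the signature should be narrowed to `public boolean implies(X509Certificate certificate) throws CertificateEncodingException;` with internal DER failures wrapped in that type or an unchecked exception. The `public` modifier on both methods is redundant inside an interface. The `implies` Javadoc says the decision is based on the subject distinguished name but not how names are compared; a sentence stating whether it is byte-equality of the DER-encoded name or X.500 name matching would tell implementers and callers which certificates will and will not be selected, since the two rules diverge on case and whitespace. `getEncoded()` should also state whether the returned array is a fresh copy, since handing out a shared array lets a caller alter the indication after it has been read. `@see CertificateAuthoritiesExtension` and the `{@code CertificateAuthoritiesExtension}` reference name a type that is neither imported nor in this package, so unless it is public API the link will not resolve and the doc should describe the structure instead.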