Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth;
019
020
021import com.nimbusds.oauth2.sdk.ParseException;
022import com.nimbusds.oauth2.sdk.http.HTTPRequest;
023import com.nimbusds.oauth2.sdk.id.ClientID;
024import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
025import com.nimbusds.oauth2.sdk.util.StringUtils;
026import net.jcip.annotations.Immutable;
027
028import javax.net.ssl.SSLSocketFactory;
029import java.security.cert.X509Certificate;
030import java.util.List;
031import java.util.Map;
032import java.util.Objects;
033
034
035/**
036 * Self-signed certificate mutual TLS client authentication at the Token
037 * endpoint. The client certificate is self-signed, as opposed to
038 * {@link PKITLSClientAuthentication tls_client_auth} which relies on PKI
039 * binding. Implements
040 * {@link ClientAuthenticationMethod#SELF_SIGNED_TLS_CLIENT_AUTH}.
041 *
042 * <p>Related specifications:
043 *
044 * <ul>
045 *     <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound
046 *         Access Tokens (RFC 8705)
047 * </ul>
048 */
049@Immutable
050public class SelfSignedTLSClientAuthentication extends TLSClientAuthentication {
051        
052        
053        /**
054         * Creates a new self-signed certificate mutual TLS client
055         * authentication. This constructor is intended for an outgoing token
056         * request.
057         *
058         * @param clientID         The client identifier. Must not be
059         *                         {@code null}.
060         * @param sslSocketFactory The SSL socket factory to use for the
061         *                         outgoing HTTPS request and to present the
062         *                         client certificate(s), {@code null} to use
063         *                         the default one.
064         */
065        public SelfSignedTLSClientAuthentication(final ClientID clientID,
066                                                 final SSLSocketFactory sslSocketFactory) {
067                
068                super(ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH, clientID, sslSocketFactory);
069        }
070        
071        
072        /**
073         * Creates a new self-signed certificate mutual TLS client
074         * authentication. This constructor is intended for a received token
075         * request.
076         *
077         * @param clientID    The client identifier. Must not be {@code null}.
078         * @param certificate The validated client X.509 certificate from the
079         *                    received HTTPS request. Must not be {@code null}.
080         */
081        public SelfSignedTLSClientAuthentication(final ClientID clientID,
082                                                 final X509Certificate certificate) {
083                
084                super(ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH, clientID, Objects.requireNonNull(certificate));
085        }
086        
087        
088        /**
089         * Parses a self-signed certificate mutual TLS client authentication
090         * from the specified HTTP request.
091         *
092         * @param httpRequest The HTTP request to parse. Must not be
093         *                    {@code null} and must include a validated client
094         *                    X.509 certificate.
095         *
096         * @return The self-signed TLS / X.509 certificate client
097         *         authentication.
098         *
099         * @throws ParseException If the {@code client_id} or client X.509
100         *                        certificate is missing.
101         */
102        public static SelfSignedTLSClientAuthentication parse(final HTTPRequest httpRequest)
103                throws ParseException {
104                
105                Map<String,List<String>> params = httpRequest.getBodyAsFormParameters();
106                
107                String clientIDString = MultivaluedMapUtils.getFirstValue(params, "client_id");
108                
109                if (StringUtils.isBlank(clientIDString)) {
110                        throw new ParseException("Missing client_id parameter");
111                }
112                
113                X509Certificate cert = httpRequest.getClientX509Certificate();
114                
115                if (cert == null) {
116                        throw new ParseException("Missing client X.509 certificate");
117                }
118                
119                return new SelfSignedTLSClientAuthentication(new ClientID(clientIDString), cert);
120        }
121}