Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth.verifier;
019
020
021import java.security.cert.X509Certificate;
022
023import com.nimbusds.oauth2.sdk.id.ClientID;
024
025
026/**
027 * Client X.509 certificate binding verifier. Intended for verifying that a
028 * client X.509 certificate submitted during successful PKI mutual TLS
029 * authentication (in
030 * {@link com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod#TLS_CLIENT_AUTH
031 * tls_client_auth}) matches one of the the registered values for the client.
032 * These can be: {@code tls_client_auth_subject_dn}, {@code tls_client_auth_san_dns},
033 * {@code tls_client_auth_san_uri}, {@code tls_client_auth_san_ip} or
034 * {@code tls_client_auth_san_email}.
035 *
036 * <p>Implementations must be tread-safe.
037 */
038public interface PKIClientX509CertificateBindingVerifier<T> {
039        
040        
041        /**
042         * Verifies that the specified X.509 certificate binds to
043         * the claimed client ID.
044         *
045         * @param clientID    The claimed client ID. Not {@code null}.
046         * @param certificate The X.509 certificate. Not {@code null}.
047         * @param context     Additional context. May be {@code null}.
048         *
049         * @throws InvalidClientException If client ID and certificate don't
050         *                                bind or are invalid.
051         */
052        void verifyCertificateBinding(final ClientID clientID,
053                                      final X509Certificate certificate,
054                                      final Context<T> context)
055                throws InvalidClientException;
056}