ResumableX509ExtendedTrustManager Type — netty Architecture
Architecture documentation for the ResumableX509ExtendedTrustManager type/interface in ResumableX509ExtendedTrustManager.java from the netty codebase.
Dependency Diagram
ResumableX509ExtendedTrustManager is defined in ResumableX509ExtendedTrustManager.java.
Source Code
handler/src/main/java/io/netty/handler/ssl/ResumableX509ExtendedTrustManager.java lines 49–110
public interface ResumableX509ExtendedTrustManager extends X509TrustManager {
    /**
     * Given the partial or complete certificate chain recovered from the session ticket,
     * and the {@link SSLEngine} being used, restore the application state of the associated
     * SSL session.
     * <p>
     * This method should obtain the {@link SSLSession} from the {@link SSLEngine#getSession()}
     * method.
     * <p>
     * <strong>Note:</strong> If this method throws {@link CertificateException}, the TLS handshake will not
     * necessarily be rejected. The TLS handshake "Finished" message may have already been sent to the peer
     * by the time this method is called.
     * <p>
     * Implementors should be aware that peers may make multiple connection attempts using the same session
     * ticket. So this method may be called more than once for the same client, even if prior calls have thrown
     * exceptions or invalidated their sessions.
     * <p>
     * The given certificate chain is not guaranteed to be the authenticated chain. Implementations that need the
     * authenticated certificate chain will have to re-authenticate the certificates. It is recommended to do so
     * with a {@link PKIXBuilderParameters#setDate(Date)} set to the session creation date from
     * {@link SSLSession#getCreationTime()}. Otherwise, the authentication may fail due to the certificate expiring
     * before the session ticket.
     * <p>
     * This method is called on the server-side, restoring sessions for clients.
     *
     * @param chain The peer certificate chain.
     * @param engine The engine used for this connection.
     * @throws CertificateException If the session cannot be restored. Locally, the handshake will appear to have
     * failed, but the peer may have observed a finished handshake.
     */
    void resumeClientTrusted(X509Certificate[] chain, SSLEngine engine) throws CertificateException;

    /**
     * Given the partial or complete certificate chain recovered for the peer, and the {@link SSLEngine}
     * being used, restore the application state of the associated SSL session.
     * <p>
     * This method should obtain the {@link SSLSession} from the {@link SSLEngine#getSession()}
     * method.
     * <p>
     * <strong>Note:</strong> If this method throws {@link CertificateException}, the TLS handshake will not
     * necessarily be rejected. The TLS handshake "Finished" message may have already been sent to the peer
     * by the time this method is called.
     * <p>
     * Implementors should be aware that peers may make multiple connection attempts using the same session
     * ticket. So this method may be called more than once for the same client, even if prior calls have thrown
     * exceptions or invalidated their sessions.
     * <p>
     * The given certificate chain is not guaranteed to be the authenticated chain. Implementations that need the
     * authenticated certificate chain will have to re-authenticate the certificates. It is recommended to do so
     * with a {@link PKIXBuilderParameters#setDate(Date)} set to the session creation date from
     * {@link SSLSession#getCreationTime()}. Otherwise, the authentication may fail due to the certificate expiring
     * before the session ticket.
     * <p>
     * This method is called on the client-side, restoring sessions for servers.
     *
     * @param chain The peer certificate chain.
     * @param engine The engine used for this connection.
     * @throws CertificateException If the session cannot be restored. Locally, the handshake will appear to have
     * failed, but the peer may have observed a finished handshake.
     */
    void resumeServerTrusted(X509Certificate[] chain, SSLEngine engine) throws CertificateException;
}
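The Javadoc above recommends re-authenticating the recovered chain with the PKIX validation date set to the session creation time. The following is an added example of that step, not code from netty; the class name ResumedChainReauthenticator, its trustAnchors KeyStore, and the choice to disable revocation checking are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper (not part of netty) for resumeClientTrusted/resumeServerTrusted implementations. */
public final class ResumedChainReauthenticator {
    private final KeyStore trustAnchors; // assumed: contains the trusted CA certificate entries

    public ResumedChainReauthenticator(KeyStore trustAnchors) {
        this.trustAnchors = trustAnchors;
    }

    /** Builds and validates a path from chain[0] to a trust anchor, as of the session creation time. */
    public CertPath reauthenticate(X509Certificate[] chain, SSLEngine engine)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("No certificate chain recovered for resumed session");
        }
        try {
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(chain[0]); // the peer's end-entity certificate
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
            // The recovered chain is not trusted as given: offer it only as candidate certificates.
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Arrays.asList(chain))));
            // Validate as of session creation, so a certificate that expired after the
            // original handshake but before the ticket does not fail the resumption.
            params.setDate(new Date(engine.getSession().getCreationTime()));
            params.setRevocationEnabled(false); // assumption: revocation is handled elsewhere
            return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
        } catch (GeneralSecurityException e) {
            // Surface every path-building or validation failure in the interface's exception type.
            throw new CertificateException("Resumed session chain failed re-authentication", e);
        }
    }
}
```

An implementation would call reauthenticate(chain, engine) before restoring any application state that depends on the peer's certificate identity, and let the CertificateException propagate.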
Frequently Asked Questions
What is the ResumableX509ExtendedTrustManager type?
ResumableX509ExtendedTrustManager is a type/interface in the netty codebase, defined in handler/src/main/java/io/netty/handler/ssl/ResumableX509ExtendedTrustManager.java.
Where is ResumableX509ExtendedTrustManager defined?
ResumableX509ExtendedTrustManager is defined in handler/src/main/java/io/netty/handler/ssl/ResumableX509ExtendedTrustManager.java at line 49.