TLS-Design » History » Version 10
Tobias Wich, 10/15/2012 01:24 PM
| 1 | 5 | Tobias Wich | h1. TLS-Design (iteration from 2012-10-08) |
|---|---|---|---|
| 2 | |||
| 3 | h2. TLS and related Classes |
||
| 4 | |||
| 5 | h3. BouncyCastle Classes |
||
| 6 | |||
| 7 | This diagram shows the TLS classes as available in the BouncyCastle library. |
||
| 8 | 7 | Tobias Wich | |
| 9 | The "TlsCredentials":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsCredentials.html and "TlsSignerCredentials":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsSignerCredentials.html interface are located in the upper left of the diagram. These interfaces are used in a TLS client authentication to get the client certificate and to produce a signature. For the use of software certificates, BouncyCastle comes with the implementation "DefaultTlsSignerCredentials":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/DefaultTlsSignerCredentials.html. |
||
| 10 | |||
| 11 | 9 | Tobias Wich | The common etry point for TLS based communication is the "TlsClient":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsClient.html interface in the lower left. In the current BC version, it has three abstract implementations ("DefaultTlsClient":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/DefaultTlsClient.html "PSKTlsClient":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/PSKTlsClient.html "SRPTlsClient":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/SRPTlsClient.html) which are missing the "getAuthentication()":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsClient.html#getAuthentication() function. |
| 12 | The class returned by this function has two responsibilities. The fist is the validation of the server certificate and the second is the selection of a client credential depending on the supplied CAs. The CAs can be extracted from the "CertificateRequest":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/CertificateRequest.html (see upper right) parameter in "getClientCredentials()":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsAuthentication.html#getClientCredentials(org.bouncycastle.crypto.tls.CertificateRequest). |
||
| 13 | |||
| 14 | The last relevant class in this diagram is the "TlsProtocolHandler":http://www.bouncycastle.org/docs/docs1.5on/org/bouncycastle/crypto/tls/TlsProtocolHandler.html. Given a bidirectional stream (usually based on a socket) and a TlsClient, a new bidirectional stream can be extracted which wraps the original stream in a TLS channel. This handler implements the general TLS protocol and triggers the certificate validation and client authentication. |
||
| 15 | |||
| 16 | 5 | Tobias Wich | !bc-tls-classes.png! |
| 17 | |||
| 18 | h3. Open eCard Classes |
||
| 19 | |||
| 20 | This diagram shows classes that make use of the BouncyCastle classes in order to select and use custom credentials for the TLS authentication. |
||
| 21 | 10 | Tobias Wich | |
| 22 | The TlsClient interface introduced in [[BouncyCastle Classes|TLS-Design#BouncyCastle-Classes]] is extended with a @setAuthentication()@ function and called @ClientCertTlsClient@. Each client implementing this new interface can be configured at runtime to use a different server certificate validation and to support client authentication. The implementations are derived from the ones in BouncyCastle, so no functions other than @getAuthentication@ and @setAuthentication@ must be implemented. |
||
| 23 | |||
| 24 | The @TlsAuthentication@ interface has no implementation in BouncyCastle. With the new capability to compose the @TlsClient@ at runtime, it also makes sense to compose the @TlsAuthentication@ this way. |
||
| 25 | @TlsNoAuthentication@ implements the certificate verification part, but raises an error, when client authentication is requested. Based on this implementation, the @TlsAuthenticationSelector@ creates the appropriate @TlsSignerCredentials@ for the requested CAs and given restrictions (ConnectionHandle) by the activation (see diagram in [[Credential Selection|TLS-Design#Credential-Selection]]. |
||
| 26 | The credential is either selected from a softcert keystore (@SoftKeyStore@) or by inspecting the SALs token. In the latter case, a @SALSignerCredentials@ instance is created and memorized in the selector if further TLS channels must be opened. |
||
| 27 | |||
| 28 | 6 | Tobias Wich | !oec-tls-classes.png! |
| 29 | 5 | Tobias Wich | |
| 30 | h3. Apache http-core Classes |
||
| 31 | |||
| 32 | !http-core-classes.png! |
||
| 33 | |||
| 34 | h2. Client creation |
||
| 35 | |||
| 36 | The two following diagrams show how the a TLS channel is established and reused. |
||
| 37 | |||
| 38 | !tls-client-creation.png! |
||
| 39 | !tls-client-reuse.png! |
||
| 40 | |||
| 41 | h2. Credential Selection |
||
| 42 | |||
| 43 | The following two activity charts show the process how a credential is selected for the authentication. |
||
| 44 | |||
| 45 | !select-certificate.png! |
||
| 46 | !select-certificate-from-handles.png! |
||
| 47 | |||
| 48 | |||
| 49 | h1. TLS Design (old version left here until design is finished) |
||
| 50 | 1 | Tobias Wich | |
| 51 | 2 | Tobias Wich | h2. Bouncy Castle TLS authentication classes |
| 52 | 1 | Tobias Wich | !bc-tls.png! |
| 53 | |||
| 54 | 2 | Tobias Wich | h2. TLS authentication implementation classes |
| 55 | 1 | Tobias Wich | !sal-tls.png! |
| 56 | |||
| 57 | 2 | Tobias Wich | h2. TLS authentication sequence |
| 58 | 1 | Tobias Wich | !sal-tls-sequence.png! |
| 59 | 3 | Simon Potzernheim | |
| 60 | h1. TLS Design by HSCoburg |
||
| 61 | |||
| 62 | h2. Bouncycastle Implementation Design - class diagramm |
||
| 63 | 4 | Simon Potzernheim | |
| 64 | Description: TODO |
||
| 65 | |||
| 66 | 3 | Simon Potzernheim | !uml_bouncycastleimplementation.png! |