coova / jradius

JRadius is a Java RADIUS framework for client and server.

Add support for server certificate authenticity verification #24

Open Sovietaced opened 6 years ago

Sovietaced commented 6 years ago

Reviewer: @wlanmac

This addresses part of my concern raised in https://github.com/coova/jradius/issues/23. I personally only have a use for EAP-TTLS, so I have no need to send client certificates.

In short, this performs server certificate verification upon receipt of a certificate during the handshake when a valid X509TrustManager can be found. In order to verify the server certificate dynamically I had to pass the key exchange algorithm into the trust manager. I extended the KeyExchange interface and created enum values instead of static integers. This allows the enum to hold a name string as well as the integer value. The name string is what is passed to the trust manager dynamically.

I also made some changes to how the KeyUsage object was constructed in the KeyExchange implementations, since I was getting an IllegalArgumentException during testing. I updated some of the Bouncy Castle classes so that I could leverage KeyUsage.fromExtensions. This seemed to alleviate the problem.
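The mechanics the PR describes, shown as a stand-alone added example rather than jradius code: an X509TrustManager is built from a trust store, the server chain received during the handshake is passed to checkServerTrusted together with the negotiated key-exchange name as the authType string, and the leaf's KeyUsage is read with Bouncy Castle's KeyUsage.fromExtensions. The test certificates are generated in-process so the example runs offline; the names verifyServerChain, trustManagerFor and issue, the "EAP-CA" subject and the key-exchange strings "RSA" and "ECDHE_RSA" are assumptions for this example, not identifiers from the project. It assumes bcprov and bcpkix on the classpath.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ServerCertVerificationExample {

    /** Verify the chain presented by the EAP-TTLS server (hypothetical helper, not jradius code).
     *  keyExchangeName is the string a KeyExchange enum would carry, e.g. "RSA" or "ECDHE_RSA";
     *  it is handed to the trust manager as the JSSE authType parameter. */
    static void verifyServerChain(X509TrustManager tm, X509Certificate[] chain, String keyExchangeName)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server sent an empty certificate chain");
        }
        // Path validation against the trust anchors: signature, validity period, basic constraints.
        tm.checkServerTrusted(chain, keyExchangeName);

        // Assumption for this example: the leaf must be usable for the negotiated exchange.
        // Static RSA key exchange encrypts the premaster secret to the server key (keyEncipherment);
        // (EC)DHE signs the ServerKeyExchange (digitalSignature).
        KeyUsage ku;
        try {
            ku = KeyUsage.fromExtensions(new X509CertificateHolder(chain[0].getEncoded()).getExtensions());
        } catch (java.io.IOException e) {
            throw new CertificateException("cannot parse leaf certificate", e);
        }
        if (ku == null) {
            return; // no KeyUsage extension present: nothing further to enforce
        }
        int required = keyExchangeName.startsWith("RSA") ? KeyUsage.keyEncipherment : KeyUsage.digitalSignature;
        if (!ku.hasUsages(required)) {
            throw new CertificateException("leaf KeyUsage does not permit key exchange " + keyExchangeName);
        }
    }

    /** Build a default-provider X509TrustManager that trusts exactly one anchor. */
    static X509TrustManager trustManagerFor(X509Certificate anchor) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("eap-ca", anchor);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    /** Issue a test certificate (constructed input for the example); ca=true yields a CA cert. */
    static X509Certificate issue(String subjectDn, KeyPair subjectKey, String issuerDn, KeyPair issuerKey,
                                 boolean ca, long serial) throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                new X500Principal(issuerDn), BigInteger.valueOf(serial),
                new Date(now - 60_000L), new Date(now + 86_400_000L),
                new X500Principal(subjectDn), subjectKey.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(
                ca ? KeyUsage.keyCertSign : KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey.getPrivate());
        return new JcaX509CertificateConverter().getCertificate(b.build(signer));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair(), serverKey = kpg.generateKeyPair(), rogueCaKey = kpg.generateKeyPair();

        X509Certificate ca = issue("CN=EAP-CA", caKey, "CN=EAP-CA", caKey, true, 1);
        X509Certificate server = issue("CN=radius.example", serverKey, "CN=EAP-CA", caKey, false, 2);
        X509Certificate rogueCa = issue("CN=Rogue-CA", rogueCaKey, "CN=Rogue-CA", rogueCaKey, true, 3);
        X509Certificate rogueServer = issue("CN=radius.example", serverKey, "CN=Rogue-CA", rogueCaKey, false, 4);

        X509TrustManager tm = trustManagerFor(ca);
        verifyServerChain(tm, new X509Certificate[] { server, ca }, "RSA");
        System.out.println("legitimate chain accepted");
        try {
            verifyServerChain(tm, new X509Certificate[] { rogueServer, rogueCa }, "ECDHE_RSA");
            System.out.println("BUG: rogue chain accepted");
        } catch (CertificateException e) {
            System.out.println("rogue chain rejected: " + e.getMessage());
        }
    }
}
```

Without a trust manager the second chain would be accepted, which is the gap the PR closes; note that checkServerTrusted alone does not check that the certificate's subject matches the RADIUS server the supplicant expected, so a deployment that needs name pinning has to add that check on top.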