Class OpenSslCredentialBuilder

java.lang.Object
io.netty.handler.ssl.OpenSslCredentialBuilder

public final class OpenSslCredentialBuilder extends Object
Builder for creating OpenSslCredential instances.

This builder provides a fluent API for configuring SSL credentials with support for:

  • X.509 credentials
  • Certificate chains and private keys
  • Trust anchor identifiers (optional)

Example usage:

// Create credential with trust anchor (optional)
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("1.3.6.1.4.1.11129.9.10"); // Google's taiWE1
byte[] trustAnchorBytes = oid.getEncoded();

OpenSslCredential credential = OpenSslCredentialBuilder.forX509(privateKey, cert1, cert2, cert3)
    .trustAnchorId(trustAnchorBytes)  // optional
    .build();

This is a BoringSSL-specific feature.

  • Method Details

    • forX509

      public static OpenSslCredentialBuilder forX509(PrivateKey privateKey, X509Certificate... certificateChain)
      Creates a new builder for an X.509 credential with a Java PrivateKey.
      Parameters:
      privateKey - the private key (required)
      certificateChain - the certificate chain, starting with the leaf certificate (required)
      Returns:
      a new builder instance
    • trustAnchorId

      public OpenSslCredentialBuilder trustAnchorId(byte[] trustAnchorId)
      Sets the trust anchor identifier for this credential.

      The trust anchor identifier should be ASN.1 DER encoded bytes. To convert from an OID string, use BouncyCastle's ASN1Encodable:

      // Example: Google's taiWE1 OID from https://pki.goog/oids/index.html
      ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier("1.3.6.1.4.1.11129.9.10");
      byte[] encoded = oid.getEncoded();  // DER encoding; declared to throw IOException
      builder.trustAnchorId(encoded);     // builder is an OpenSslCredentialBuilder
      
      Parameters:
      trustAnchorId - the trust anchor identifier as ASN.1 DER encoded bytes
      Returns:
      this builder for chaining
    • mustMatchIssuer

      public OpenSslCredentialBuilder mustMatchIssuer(boolean mustMatchIssuer)
      Sets whether the issuer must match for this credential.
      Parameters:
      mustMatchIssuer - true if issuer must match
      Returns:
      this builder for chaining
    • build

      public OpenSslCredential build()
      Builds the OpenSslCredential instance.
      Returns:
      a new credential instance
      Throws:
      IllegalStateException - if an error occurs during credential creation
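
What the "ASN.1 DER encoded bytes" expected by trustAnchorId look like, shown as an added example that is not Netty or BouncyCastle code: a JDK-only encoder that turns a dotted OID string into the tag-length-value form that ASN1ObjectIdentifier.getEncoded() returns. The class OidDerEncoder and its methods are hypothetical; the example assumes Java 17 (for HexFormat) and handles only OIDs whose encoded content is shorter than 128 bytes.

```java
import java.io.ByteArrayOutputStream;
import java.util.HexFormat;

// Added example (not Netty or BouncyCastle code); class and method names are hypothetical.
public final class OidDerEncoder {
    // Returns the DER tag-length-value bytes (tag 0x06) for a dotted OID string.
    static byte[] encode(String dotted) {
        String[] parts = dotted.split("\\.", -1); // -1 keeps empty arcs so they fail parsing
        if (parts.length < 2) {
            throw new IllegalArgumentException("OID needs at least two arcs: " + dotted);
        }
        long first = Long.parseLong(parts[0]);
        long second = Long.parseLong(parts[1]);
        if (first < 0 || first > 2 || second < 0 || (first < 2 && second > 39)) {
            throw new IllegalArgumentException("invalid leading arcs: " + dotted);
        }
        ByteArrayOutputStream content = new ByteArrayOutputStream();
        writeBase128(content, first * 40 + second); // first two arcs share one subidentifier
        for (int i = 2; i < parts.length; i++) {
            writeBase128(content, Long.parseLong(parts[i]));
        }
        byte[] body = content.toByteArray();
        if (body.length > 127) {
            throw new IllegalArgumentException("long-form DER length not handled here");
        }
        byte[] der = new byte[body.length + 2];
        der[0] = 0x06;               // universal tag: OBJECT IDENTIFIER
        der[1] = (byte) body.length; // short-form length
        System.arraycopy(body, 0, der, 2, body.length);
        return der;
    }

    // Base-128, most significant group first; every byte except the last has the high bit set.
    private static void writeBase128(ByteArrayOutputStream out, long value) {
        if (value < 0) {
            throw new IllegalArgumentException("arc is negative or overflows long");
        }
        int shift = 0;
        while ((value >>> (shift + 7)) != 0) {
            shift += 7;
        }
        for (; shift >= 0; shift -= 7) {
            int group = (int) ((value >>> shift) & 0x7F);
            out.write(shift == 0 ? group : group | 0x80);
        }
    }
    public static void main(String[] args) {
        System.out.println(HexFormat.of().formatHex(encode("1.3.6.1.4.1.11129.9.10")));
    }
}
```

Logging the hex form of the bytes handed to trustAnchorId makes it easy to confirm that the leading 0x06 tag and length byte are present and that the arcs match the intended trust anchor.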