[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[iaik-ssl] Interpretation of the 3 arguments of getCertificate() method for Client Authentication



We have to implement Client Authentication in our project. We therefore
seek clarifications mainly wrt getCertificate() method of
ClientTrustDecider.

1) When coding for Client Authentication, I assume that we have to check
if each of the Client Certificates in the Chain matches with any of the
byte[]  certificateTypes sent by the Server in the getCertificates()
method. (byte [] certificateTypes are defined constants defined in
ClientTrustDecider class.)
(Refer method : public SSLCertificate getCertificate(byte[]
certificateTypes, Principal[] certificateAuthorities, String
strServerKeyExchAlg).

a) Which method in iaik.x509.X509Certificate (or
java.security.cert.X509Certificate or Certificate) will return a byte
which we can use to check for a match with one of the certificateTypes
in byte [] certificateTypes sent by the server ?

b) I would like to know the difference in the KeyEchangeAlgorithm part
of the CipherSuite for certificateTypes =  rsa_sign and dss_sign ( ????
in table below).
c) Pl let me know the difference between :
rsa_sign and rsa_fixed_dh
dss_sign and dss_fixed_dh

The table below is Table 1.3 of iSaSiLk 2.0 Final User Manual
superimposed with ClientTrustDecider constants.

Pl confirm if the foll is true :-

KeyExchange Algorithm
ClientTrustDecider Constant byte

    DH_RSA/DH_RSA_EXPORT
rsa_fixed_dh                 = 3

    DHE_RSA/DHE_RSA_EXPORT
rsa_ephemeral_dh        = 5


    DH_DSS/DH_DSS_EXPORT
dss_fixed_dh                =  4

    DHE_DSS/DHE_DSS_EXPORT
dss_ephemeral_dh        = 6


????
rsa_sign                        = 1


????
dss_sign                       =  2


2) In getCertificate() method above if byte[] certificateTypes is
already indicative of the KeyExchange Algorithm, what is the purpose of
the 3rd argument :
String strServerKeyExchAlg ?
ie, what is the diff betn the 1st and the 3rd arguments of this method
getCertificate() ?

Pl confirm/comment :
"The String strServerKeyExchAlg is not part of a Certificate unlike the
other 2 arguments to this method. This means that before we set the
ClientTrustDecider in the Client pgm (say SSLClient), we have to first
pick the KeyExchangeAlgorithms from the enabled CipherSuites in the
Client and set a variable Stirng [] strArrKeyExAlg in
ClientTrustDecider, the elements of which array, will then be checked
for a match with the strServerKeyExchAlg sent by the Server."

We are trying this code snippet  for checking if the Client side's
strArrKeyExAlg array has a match for the strServerKeyExchAlg sent by the
Server.

    boolean bKeyExchAlg   = false ;
    for ( int i = 0 ; i < strArrKeyExAlg.length ; i++ ) {
        if ( strArrKeyExAlg[i].equals(strServerKeyExchAlg) ) {  // if
any of Client's KEAlg matches with the strServerKeyExchAlg sent by the
Server, break.
            bKeyExchAlg = true ;
            break ;
        }
    }



3) In getCertificate() method above, does the 2nd argument Principal[]
certificateAuthorities refer to IssuerDNs (or SubjectDNs?) of all
certificates in a chain of certificates ? ie, should we check if
getIssuerDN() (or getSubjectDN()?) of each certificate in the client
chain matches with any of the certificateAuthorities sent by the server
? A code eg can be :

    boolean bIssuerDNType   = false ;
    for ( int i = 0 ; i < clientCertChain.length ; i++ ) {
        bIssuerDNType = false ;
        for ( int j = 0 ; j < certificateAuthorities.length ; j++ ) {
            if ( ( clientCertChain[i].getIssuerDN()
).equals(certificateAuthorities[j]) ) {  // EACH Cl Cert's CA with ANY
of the Server CAs
                bIssuerDNType = true ;
                break ;     // NOT continue here!   break out of for - j
loop if we get a match.
            }
        }
    }

Should we check for Server's Principal[] certificateAuthorities with a
Client Certificate's getIssuerDN() or getSubjectDN() method ?

Thanks in advance

Sundar Krishnan



--
Mailinglist-archive at http://jcewww.iaik.tu-graz.ac.at/mailarchive/iaik-ssl/maillist.html

To unsubscribe send an email to listserv@iaik.tu-graz.ac.at with the folowing content: UNSUBSCRIBE iaik-ssl