Thanks for your suggestions on how to create separate DER and PEM files
and for confirmation about PrivateKey vs PrivateKeyInfo.
I had also sent some queries earlier on the interpretation of the arguments
of the getCertificate() method for Client Authentication:
certificateTypes, certificateAuthorities and keyExchangeAlgorithm.
I have made those queries much shorter here.
Most important are 1-a and 1-b. 2 and 3 are just requests for confirmations.
Eagerly waiting for comments/confirmation on these.
We have to implement Client Authentication in our project. We therefore
seek clarifications mainly wrt getCertificate() method of
1) When coding for Client Authentication, I assume that we have to check
if each of the Client Certificates in the Chain matches with any of the
byte certificateTypes sent by the Server in the getCertificate()
1-a) Which method in iaik.x509.X509Certificate
(or java.security.cert.X509Certificate or Certificate) will return a byte
which we can use to check for a match with one of the certificateTypes
in byte certificateTypes sent by the server?
1-b) I would like to know the difference in the KeyExchangeAlgorithm
of the CipherSuite for certificateTypes = rsa_sign and dss_sign (????
in table below).
c) Please let me know the difference between:
rsa_sign and rsa_fixed_dh
dss_sign and dss_fixed_dh
The table below is Table 1.3 of iSaSiLk 2.0 Final User Manual
superimposed with ClientTrustDecider constants.
Please confirm if the following is true:

KeyExchange Algorithm       ClientTrustDecider Constant byte
DH_RSA/DH_RSA_EXPORT        rsa_fixed_dh = 3
DHE_RSA/DHE_RSA_EXPORT      rsa_ephemeral_dh = 5
DH_DSS/DH_DSS_EXPORT        dss_fixed_dh = 4
DHE_DSS/DHE_DSS_EXPORT      dss_ephemeral_dh = 6
RSA_EXPORT ????             rsa_sign = 1

2) I earlier thought (wrongly) that keyExchangeAlgorithm is sent by
Server as part of the CertificateRequest message. But after I went through
the SSL spec, I feel that the only purpose of providing that is to send
to the Server an appropriate Client certificate from a choice of
RSA, or DSA or DH certificates if there are all these types at the Client side.
However, if we have just an RSA type certificate, we do not have to do
anything with this argument, so it seems. Please confirm this analysis,
and that this argument is NOT sent by the server. It is the negotiated
algorithm which the IAIK implementation adds as an argument
in the getCertificate() method. This implies that the Handshake protocol
between the Client and the Server would have already arrived at the
negotiated keyExchangeAlgorithm before the Client (IAIK's implementation)
internally calls getCertificate(). Please confirm/comment if I am wrong.
3) In getCertificate() method above, does the 2nd argument Principal
certificateAuthorities refer to IssuerDNs (or SubjectDNs?) of all
certificates in a chain of certificates? i.e., should we check if
getIssuerDN() (or getSubjectDN()?) of each certificate in the client
chain matches with any of the certificateAuthorities sent by the server?
Thanks in advance
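
The matching raised in questions 1 and 3, as an added example that is not part of the original message and is not IAIK code. It uses only java.security.cert and javax.security.auth.x500; the class and method names are hypothetical, the DNs are constructed, and it assumes (following the SSL 3.0/TLS ClientCertificateType definition, where dss_sign = 2) that the type is judged on the end-entity certificate and that the CA list is compared against issuer DNs in the chain.

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ClientCertMatch { // hypothetical name
    // 1, 3 and 4 appear in the table above; dss_sign = 2 is from the SSL 3.0 spec.
    static final byte RSA_SIGN = 1, DSS_SIGN = 2, RSA_FIXED_DH = 3, DSS_FIXED_DH = 4;

    // Type of the end-entity certificate: its public key algorithm, plus the
    // issuer's signature algorithm for the fixed-DH types. Returns -1 if unknown.
    static byte typeOf(String keyAlg, String sigAlg) {
        String sig = sigAlg.toUpperCase(Locale.ROOT);
        switch (keyAlg.toUpperCase(Locale.ROOT)) {
            case "RSA": return RSA_SIGN;
            case "DSA": return DSS_SIGN;
            case "DH": case "DIFFIEHELLMAN":
                return sig.contains("RSA") ? RSA_FIXED_DH : sig.contains("DSA") ? DSS_FIXED_DH : -1;
            default: return -1;
        }
    }

    // Acceptable when the leaf type was requested and some certificate in the
    // chain was issued by a listed CA. An empty CA list is treated as "any CA".
    static boolean acceptable(byte leafType, List<X500Principal> issuers,
                              byte[] certificateTypes, X500Principal[] certificateAuthorities) {
        boolean typeOk = false;
        for (byte t : certificateTypes) typeOk |= (t == leafType);
        if (!typeOk) return false;
        if (certificateAuthorities.length == 0) return true;
        Set<X500Principal> wanted = new HashSet<>(Arrays.asList(certificateAuthorities));
        for (X500Principal issuer : issuers) if (wanted.contains(issuer)) return true;
        return false;
    }

    // Adapter for a real chain, leaf certificate first.
    static boolean acceptable(X509Certificate[] chain, byte[] types, X500Principal[] cas) {
        List<X500Principal> issuers = new ArrayList<>();
        for (X509Certificate c : chain) issuers.add(c.getIssuerX500Principal());
        byte leaf = typeOf(chain[0].getPublicKey().getAlgorithm(), chain[0].getSigAlgName());
        return acceptable(leaf, issuers, types, cas);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real handshake.
        byte[] requested = { RSA_SIGN, DSS_SIGN };
        X500Principal root = new X500Principal("CN=Example Root CA,O=Example,C=US");
        List<X500Principal> issuers = Arrays.asList(
            new X500Principal("CN=Example Issuing CA,O=Example,C=US"), root);
        System.out.println(acceptable(typeOf("RSA", "SHA1withRSA"), issuers, requested, new X500Principal[] { root }));
        System.out.println(acceptable(typeOf("DH", "SHA1withRSA"), issuers, requested, new X500Principal[] { root }));
    }
}
```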