
[iaik-ssl] Client Authentication - methods to retrieve matching args for args in getCertificate()



Mr Dieter Bratko,

1) The IAIK's ssl page gives this message :
"Invalid URL
The URL http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/DOC/betaJavaDoc/index.html
that you requested is not available on that server."

Is there an alternate URL for seeing documentation of iaik.ssl pkg classes ?
For eg, we need to see ClientTrustDecider and SSLContext and
CipherSuite docs.

2) I have observed one more discrepancy in the docs.
The documentation shows countComponents() method in both ASN1
and ASN1Object. However, it seems that this method is not available
in ASN1Object.
// ..."\n asn1o.countComponents()   = " + asn1o.countComponents() +
// e.getMessage() = ASN1: INTEGER does not support countComponents()!

Pl comment/correct if I am wrong.
 

3) Among the many things I printed out, some are :-
cert.getType()                                         = X.509
cert.getPublicKey().getAlgorithm()          = RSA
cert.getSigAlgName()                             = md5WithRSAEncryption

In the following text version of a typical certificate chain (see at the end),
Signature Algorithm: md5WithRSAEncryption appears twice,
and
Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): ......         appears once.

a) In getCertificate() method, the input arg certificateTypes is rsa_sign.
Which method will return rsa_sign ? [ getType() returns X509.]

b) Which method will return the Subject Public Key Info field,
and which one will return rsaEncryption as the Public Key Algorithm?
[I have experimented with ASN, ASN1 and ASN1Object - that is when
I observed the error in documentation.]

4) At the Server side, (the Server is WebLogic's Tengah Server),
the Client Authentication fails with a
java.lang.ArrayIndexOutOfBoundsException
                at weblogic.security.RSApkcs1.decrypt(Compiled Code)
                at weblogic.security.RSAMDSignature.verify(Compiled Code)
                at weblogic.security.X509.verifySignature(Compiled Code)
                at weblogic.security.X509.verify(Compiled Code)
                at weblogic.security.SSL.SSLCertificate.verify(Compiled Code)
                at weblogic.security.SSL.SSLCertificate.input(Compiled Code)
                at weblogic.security.SSL.Handshake.input(Compiled Code)
                at weblogic.security.SSL.SSLSocket.getHandshake(Compiled Code)
                ..........

To help us resolve this problem, pl let me know if the Handshake implementation
of IAIK takes care of sending the ClientKeyExchange
(EncryptedPremasterSecret) and the CertificateVerify with Signature to
authenticate itself in addition to sending the Certificate(Chain) returned by
the getCertificate() method.
ie, we users do NOT have to do anything other than returning an SSLCertificate
constructed with java.security.cert.X509Certificate [] in the getCertificate() method.
If this is true, can you offer any clues for the failure in Client Authentication ?

Regards

Sundar Krishnan

****************************************************************

(Reference for Point No 3 above)
Typical Certificate :
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=INDIA, ST=Karnataka, O=Hewlett Packard ISO, O=Testing by Sundar Krishnan, OU=ICOM
        Validity
            Not Before: Jun  4 11:53:01 1999 GMT
            Not After : Jun  3 11:53:01 2000 GMT
        Subject: C=INDIA, ST=Karnataka, O=Hewlett Packard ISO, O=Testing by Sundar Krishnan, OU=ICOM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:b5:b4:32:1a:2f:87:9c:7b:56:2a:7f:de:5c:0b:
                    37:98:2c:52:9c:4b:90:78:ed:7b:7c:8d:cf:ef:d2:
                    ae:9b:dd:5e:02:b3:f2:04:8c:38:62:61:94:e8:0f:
                    31:3f:74:a2:5b:97:1b:30:ed:16:26:42:ce:94:09:
                    9c:65:fc:ae:79
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        b9:6b:44:82:f0:53:81:81:cd:45:2a:0b:c5:8e:e9:94:ee:90:
        fa:26:24:35:76:a8:ac:42:2e:e4:bd:1e:4c:1c:90:80:b2:ee:
        48:a0:d9:fa:a4:75:3f:e6:88:53:1b:70:bf:ed:96:71:bd:16:
        8f:46:0e:f0:e7:92:9f:4e:69:b5
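
An added example, not part of the original post and not IAIK or WebLogic code, relating to point 3: the SSL/TLS CertificateRequest type rsa_sign (code 1) is derived from the certificate's key algorithm rather than read from a certificate field, and the DER returned by `getPublicKey().getEncoded()` is the Subject Public Key Info, whose algorithm OID 1.2.840.113549.1.1.1 is rsaEncryption. It uses only standard `java.security` classes; the class and helper names are hypothetical, and the key is a constructed sample generated at run time.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;

public class ClientCertTypeDemo {
    // ClientCertificateType codes carried in the SSL/TLS CertificateRequest message.
    static final int RSA_SIGN = 1, DSS_SIGN = 2;

    // The requested type is matched against the key algorithm, not against getType().
    static int clientCertificateType(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return RSA_SIGN;
            case "DSA": return DSS_SIGN;
            default: throw new IllegalArgumentException("no signing type for " + key.getAlgorithm());
        }
    }

    // Reads a DER tag and length at pos; returns {contentOffset, contentLength}.
    static int[] header(byte[] der, int pos, int expectedTag) {
        if ((der[pos] & 0xff) != expectedTag) throw new IllegalArgumentException("unexpected tag");
        int len = der[pos + 1] & 0xff, off = pos + 2;
        if (len > 0x7f) {                      // long form: low 7 bits count the length bytes
            int n = len & 0x7f;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[off++] & 0xff);
        }
        return new int[] { off, len };
    }

    // SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { OID, params }, BIT STRING }
    static String spkiAlgorithmOid(byte[] spki) {
        int[] outer = header(spki, 0, 0x30);
        int[] algId = header(spki, outer[0], 0x30);
        int[] oid = header(spki, algId[0], 0x06);
        int first = spki[oid[0]] & 0xff;       // first byte packs the first two arcs
        StringBuilder sb = new StringBuilder().append(first / 40).append('.').append(first % 40);
        long arc = 0;
        for (int i = oid[0] + 1; i < oid[0] + oid[1]; i++) {
            arc = (arc << 7) | (spki[i] & 0x7f);   // base-128, high bit marks continuation
            if ((spki[i] & 0x80) == 0) { sb.append('.').append(arc); arc = 0; }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key; with a real certificate use cert.getPublicKey().
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey key = kpg.generateKeyPair().getPublic();
        System.out.println("key format = " + key.getFormat());
        System.out.println("SPKI OID   = " + spkiAlgorithmOid(key.getEncoded()));
        System.out.println("cert type  = " + clientCertificateType(key));
    }
}
```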