
[iaik-ssl] certificateTypes check in getCertificate() with RSAPublicKey i/f



Hi,

My clarification was only with respect to the usage of java.security.interfaces.RSAPublicKey - this is only the latter half of the logic.
The real logic is definitely to check with if ( certificateTypes[j] == ClientTrustDecider.rsa_sign ).
Here goes the full logic as far as certificateTypes is concerned. Again, the check of certificateAuthorities is a different logic.

            -----
            /*
            a-2) Check if EACH of the Client Certificate's type matches with one of those approved by the Server.
                At the end if bCertType is true, we are sure that EACH of the Certificates' types in the Client Chain
                matches with some approved Server type.
            */
            boolean bCertType   = false ;

            /*
            The following logic is based on the difference between a
            X_sign Cert which has a signing capability ie, the Cert contains a Public key,
            and X_fixed_dh Cert which has NO signing capability ie, no Priv/Publ Keys, only DH pars.
            Here, we consider only rsa_sign, dss_sign is not.
            EACH Cl Cert's certificateTypes compared with the Server certificateType ("rsa_sign" only)
            */
            for ( int i = 0 ; i < clientCertChain.length ; i++ ) {
                bCertType = false ; // to ensure that EACH Cert in the chain matches with the Server's (rsa_sign)
                for ( int j = 0 ; j < certificateTypes.length ; j++ ) {  // rsa_sign from WL's Tengah Server
                  if ( certificateTypes[j] == ClientTrustDecider.rsa_sign ) { // Check only for rsa_sign            // this is the main logic

                        // if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") )

                        // The above single criterion should be enough. The reco was to check if :
                        // (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey)
                        // java.security.interfaces.RSAPublicKey is available in jdk11x_update.jar.
                        // [ Note however, that we are NOT referring to javax.crypto.interfaces.RSAPublicKey.
                        // In fact, 2 i/fs : javax.crypto.interfaces.RSAPublicKey & DHPublicKey extend from
                        // javax.security.PublicKey
                        // However, javax.crypto.interfaces.RSAPublicKey is not available in any of these jar files :
                        // iaik_ssl.jar or iaik_jce.jar (it however, contains javax.crypto.interfaces.DHPublicKey)
                        // or rsa_rc4.jar (it however, contains iaik.security.rsa.RSAPublicKey).]

                        debugG
                            ( "\n i = " + i + " ; j = " + j +
                              "\n clientCertChain[i].getPublicKey() = " + clientCertChain[i].getPublicKey() ) ;
                        debugG
                            ( "\n (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) = " +
                              (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) ;

                      // Note that we are using the single "full" |. A double short-ckted || should also be OK.
                      if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") |
                             (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) {        // the portion I sent earlier

                            bCertType = true ;
                            break ;     // NOT continue here!   break out of for - j loop if we get a match.
                        }
                        else {
                            bCertType = false ;
                        }
                    }
                } // for - j loop
                if ( !bCertType ) {
                    break ;     // this Cert matched no accepted type, so the whole chain fails; do not let a later Cert overwrite the result
                }
            } // for - i loop

            // Finally, if bCertType is true
            if (bCertType)
            {
                String strLogOK = "All the Client's certificateTypes match with \"rsa_sign\". " ;
                // "Each of the Client's certificateType matches with the acceptable list of the Server." ;
                System.out.println
                    ("\n\n " + strLogOK +
                     "\n bCertType = " + bCertType );
            }
            else
            {
                String strExc2 = "The certificateTypes do not match with \"rsa_sign\". " ;
                // "NOT ALL the Client's certificateType match with the acceptable list of the Server." ;
                System.out.println
                    ("\n\n " + strExc2 +
                     "\n bCertType = " + bCertType );
            }

                                            /* ************************ */

            -----

Hope this clarifies.

Do drop a line if the same logic is helpful in your application.

Regards

Sundar Krishnan

sangeeta gopalan wrote:

Hi, I am confused about the definition of certificate types. In the SSL
protocol specification, Netscape has defined a valid certificate type
value as "X509certificate", so what is your definition of a certificate
type? If you compare the algorithm to be an RSA algorithm, then what is
the use of the negotiated cipher suite?
Please clarify the correct definition of the certificate type list that
the SSL server sends during the handshake process.

Sundar Krishnan wrote:

> I think I may be wrong in my earlier email.
> The recommendation was to check for an instance of
> java.security.interfaces.RSAPublicKey, not
> javax.crypto.interfaces.RSAPublicKey. I am sorry for any confusion. So
> my logic now is :
>
>     // Note that we are using the single "full" |. A double short-ckted || should also be OK.
>     if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") |
>          (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) {
>              bCertType = true ;
>              break ;     // NOT continue here!   break out of for - j loop if we get a match.
>      }
>      else {
>              bCertType = false ;
>       }
>       ---
> This works !
>
> *********************************
> My earlier (wrong) email :
>
>> Sometime back, I had received a reply in the IAIK Mailing List
>> indicating something to this effect :
>> [During Client Authentication for certificateTypes' check within
>> getCertificate() method, we should preferably check :
>>     if (clientCertChain[i].getPublicKey() instanceof
>> javax.crypto.interfaces.RSAPublicKey)
>> ]
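The certificateTypes check discussed in this thread, written as an added example (not the poster's code and not IAIK's API) against the standard java.security interfaces. It implements the "EACH certificate in the chain must match" rule so that a non-matching certificate fails the whole chain instead of being overwritten by a later one, and it generalizes the thread's rsa_sign-only test to dss_sign as well; RSA_SIGN and DSS_SIGN are the TLS ClientCertificateType values, and the chain is simulated with freshly generated keys because the example does not build X.509 certificates.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;

public class CertTypeCheck {
    // ClientCertificateType values from the TLS CertificateRequest message (RFC 5246, section 7.4.4)
    static final byte RSA_SIGN = 1;
    static final byte DSS_SIGN = 2;

    /** True if this key satisfies at least one of the signing types the server accepts. */
    static boolean keyMatchesAnyType(PublicKey key, byte[] certificateTypes) {
        for (byte type : certificateTypes) {
            if (type == RSA_SIGN && key instanceof RSAPublicKey) return true;
            if (type == DSS_SIGN && key instanceof DSAPublicKey) return true;
            // *_fixed_dh types carry no signing key, so they are never accepted here
        }
        return false;
    }

    /** Every certificate in the chain must match; the first one that does not fails the chain. */
    static boolean chainMatchesTypes(PublicKey[] chainKeys, byte[] certificateTypes) {
        if (chainKeys.length == 0) return false;          // an empty chain proves nothing
        for (PublicKey key : chainKeys) {
            if (!keyMatchesAnyType(key, certificateTypes)) return false;
        }
        return true;
    }

    /** Convenience overload for a real client chain as handed to getCertificate(). */
    static boolean chainMatchesTypes(X509Certificate[] chain, byte[] certificateTypes) {
        PublicKey[] keys = new PublicKey[chain.length];
        for (int i = 0; i < chain.length; i++) keys[i] = chain[i].getPublicKey();
        return chainMatchesTypes(keys, certificateTypes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: generated keys stand in for the public keys of a client chain
        PublicKey rsa = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        PublicKey dsa = KeyPairGenerator.getInstance("DSA").generateKeyPair().getPublic();
        byte[] rsaOnly  = { RSA_SIGN };
        byte[] rsaOrDss = { DSS_SIGN, RSA_SIGN };
        System.out.println("RSA,RSA vs rsa_sign          : " + chainMatchesTypes(new PublicKey[]{ rsa, rsa }, rsaOnly));
        System.out.println("DSA,RSA vs rsa_sign          : " + chainMatchesTypes(new PublicKey[]{ dsa, rsa }, rsaOnly));
        System.out.println("DSA,RSA vs dss_sign,rsa_sign : " + chainMatchesTypes(new PublicKey[]{ dsa, rsa }, rsaOrDss));
    }
}
```

The second case is the one the thread's original loop got wrong: a DSA certificate followed by an RSA certificate must not end up reported as a match.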