
Re: [iaik-ssl] help on SampleClientTrustDecider



Heya,

Conturbia Riccardo wrote:
> 
> Hi, I have two questions about SampleClientTrustDecider:
> 
> 1) If I understand correctly, isTrustedPeer verifies that the server
> certificate chain is consistent. But what if I want to accept
> connections only with servers certified by a particular set of CAs?

You could keep a copy of the CAs that are valid in your client
application (e.g. in a keystore) and compare the last in chain to these
CAs and see that they are valid.

I have the same setup, but what I have is my CAs HARD coded in an
updatable module that contains the CA as a final static private byte[].
You can generate an X509Certificate instance from this, and do an
equals() to the one that comes in. Of course you have to be able to
update the class file containing the hard coded cert.
 
> 2) In SampleClientTrustDecider different kind of certificates are
> supported (rsa, dh, etc...). If I have only one type of certificate, can
> I ignore the parameter certificateTypes in getCertificate method?

This parameter indicates what types of client certificates your server
can expect. If you do not use Client Certificates you can ignore this
call altogether. If you only use one Client Cert type, but the server
expects another type you have a problem.

> Thank you!

You're welcome!

> 
> Riccardo Conturbia
> --
> Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> 
> To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl
> 

-- 
-----------------------------------------
 Gil Peeters
 CANCAS I.T. (bvba)
 Willemsstraat 2
 3000 Leuven
-----------------------------------------
 JAVA and Distributed Object Specialists
-----------------------------------------
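
Added example, not part of the original message and not IAIK code: a sketch of the pinned-CA check described in the reply, written against the standard `java.security.cert` API only. The class name `PinnedCaCheck`, its methods, and the idea of passing the hard-coded DER `byte[]` constants to the constructor are assumptions; it checks the chain against the pinned CAs only, so host name matching remains a separate step.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Hypothetical helper: accept a server chain only if it ends at a pinned CA. */
public final class PinnedCaCheck {
    private final Set<X509Certificate> pinned = new HashSet<>();
    private final Set<TrustAnchor> anchors = new HashSet<>();

    /** @param caDer DER-encoded CA certificates, e.g. the hard-coded byte[] constants */
    public PinnedCaCheck(List<byte[]> caDer) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (byte[] der : caDer) {
            X509Certificate ca =
                (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            pinned.add(ca);
            anchors.add(new TrustAnchor(ca, null));
        }
    }

    /** chain[0] is the server certificate; later entries are its issuers, in order. */
    public boolean isTrusted(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return false;
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // The equals() comparison from the reply: if the server sent the pinned CA
        // itself as the last certificate, drop it (a PKIX path excludes its anchor).
        if (pinned.contains(path.get(path.size() - 1))) path.remove(path.size() - 1);
        // Policy choice in this sketch: a server presenting only the CA certificate
        // as its own identity is rejected.
        if (path.isEmpty()) return false;
        try {
            // Anchoring validation at the pinned set also covers a server that omits
            // the CA certificate, and checks signatures, validity dates, name
            // chaining and basicConstraints on every link, not just the last one.
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // assumption: no CRL/OCSP source here
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // unknown issuer, bad signature, expired, empty anchor set...
        }
    }
}
```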