
Re: [iaik-jce] Client Authentication - methods to retrieve matching args for args in getCertificate()



>>The IAIK's ssl page gives this message :
>>"Invalid URL The URL http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/DOC/betaJavaDoc/index.html
>>that you requested is not available on that server."
 
This was a link to the beta Javadoc when JCE2.0 and JCE2.5beta were simultaneously on the Web. Now this link should not be available.
 
>> I have observed one more discrepancy in the docs.
>> The documentation shows countComponents() method in both ASN1
>> and ASN1Object. However, it seems that this method is not available
>> in ASN1Object.
>> // ..."\n asn1o.countComponents()   = " + asn1o.countComponents() +
>> // e.getMessage() = ASN1: INTEGER does not support countComponents()!
 
The Javadoc for countComponents() in ASN1Object says:
 
"Throws a CodingException. Since querying for the number of components only is reasonable when dealing with a constructed ASN.1 object, ..."
 
>>In getCertificate() method, the input arg certificateTypes is rsa_sign.
>>Which method will return rsa_sign ? [ getType() returns X509.]
 
You do not need this.
 
>>Which method will return the Subject Public Key Info field,
>>and which one will return rsaEncryption as the Public Key Algorithm ?
To get information about the public key, use the getPublic() key and query the obtained public key for information.
 
>>...and the CertificateVerify with Signature to authenticate itself in addition to sending the Certificate(Chain) returned by
>>the getCertificate() method
 
When a certificate has been sent on server request, the client handshaker itself takes care of the CertificateVerify message. It therefore gets the private key from the client trust decider by means of the getPrivateKey() method.
 
Dieter Bratko
 
-----Original Message-----
From: Sundar Krishnan
To: Dieter Bratko ; iaik-ssl@iaik.tu-graz.ac.at ; iaik-jce@iaik.tu-graz.ac.at
Sent: Monday, 07 June 1999 03:58
Subject: [iaik-jce] Client Authentication - methods to retrieve matching args for args in getCertificate()

Mr Dieter Bratko,

1) The IAIK's ssl page gives this message :
"Invalid URL
The URL http://jcewww.iaik.tu-graz.ac.at/iSaSiLk/DOC/betaJavaDoc/index.html
that you requested is not available on that server."

Is there an alternate URL for seeing documentation of iaik.ssl pkg classes ?
For eg, we need to see ClientTrustDecider and SSLContext and
CipherSuite docs.

2) I have observed one more discrepancy in the docs.
The documentation shows countComponents() method in both ASN1
and ASN1Object. However, it seems that this method is not available
in ASN1Object.
// ..."\n asn1o.countComponents()   = " + asn1o.countComponents() +
// e.getMessage() = ASN1: INTEGER does not support countComponents()!

Pl comment/correct if I am wrong.
 

3) Among the many things I printed out, some are :-
cert.getType()                                         = X.509
cert.getPublicKey().getAlgorithm()          = RSA
cert.getSigAlgName()                             = md5WithRSAEncryption

In the following text version of a typical certificate chain (see at the end),
Signature Algorithm: md5WithRSAEncryption appears twice,
and
Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): ......         appears once.

a) In getCertificate() method, the input arg certificateTypes is rsa_sign.
Which method will return rsa_sign ? [ getType() returns X509.]

b) Which method will return the Subject Public Key Info field,
and which one will return rsaEncryption as the Public Key Algorithm ?
[I have experimented with ASN, ASN1 and ASN1Object - that is when
I observed the error in documentation.]

4) At the Server side, (the Server is WebLogic's Tengah Server),
the Client Authentication fails with a
java.lang.ArrayIndexOutOfBoundsException
                at weblogic.security.RSApkcs1.decrypt(Compiled Code)
                at weblogic.security.RSAMDSignature.verify(Compiled Code)
                at weblogic.security.X509.verifySignature(Compiled Code)
                at weblogic.security.X509.verify(Compiled Code)
                at weblogic.security.SSL.SSLCertificate.verify(Compiled Code)
                at weblogic.security.SSL.SSLCertificate.input(Compiled Code)
                at weblogic.security.SSL.Handshake.input(Compiled Code)
                at weblogic.security.SSL.SSLSocket.getHandshake(Compiled Code)
                ..........

To help us resolve this problem, pl let me know if the Handshake implementation
of IAIK takes care of sending the ClientKeyExchange
(EncryptedPremasterSecret) and the CertificateVerify with Signature to
authenticate itself in addition to sending the Certificate(Chain) returned by
the getCertificate() method.
ie, we users do NOT have to do anything other than returning an SSLCertificate
constructed with java.security.cert.X509Certificate [] in the getCertificate() method.
If this is true, can you offer any clues for the failure in Client Authentication ?

Regards

Sundar Krishnan

****************************************************************

(Reference for Point No 3 above)
Typical Certificate :
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=INDIA, ST=Karnataka, O=Hewlett Packard ISO, O=Testing by Sundar Krishnan, OU=ICOM
        Validity
            Not Before: Jun  4 11:53:01 1999 GMT
            Not After : Jun  3 11:53:01 2000 GMT
        Subject: C=INDIA, ST=Karnataka, O=Hewlett Packard ISO, O=Testing by Sundar Krishnan, OU=ICOM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:b5:b4:32:1a:2f:87:9c:7b:56:2a:7f:de:5c:0b:
                    37:98:2c:52:9c:4b:90:78:ed:7b:7c:8d:cf:ef:d2:
                    ae:9b:dd:5e:02:b3:f2:04:8c:38:62:61:94:e8:0f:
                    31:3f:74:a2:5b:97:1b:30:ed:16:26:42:ce:94:09:
                    9c:65:fc:ae:79
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        b9:6b:44:82:f0:53:81:81:cd:45:2a:0b:c5:8e:e9:94:ee:90:
        fa:26:24:35:76:a8:ac:42:2e:e4:bd:1e:4c:1c:90:80:b2:ee:
        48:a0:d9:fa:a4:75:3f:e6:88:53:1b:70:bf:ed:96:71:bd:16:
        8f:46:0e:f0:e7:92:9f:4e:69:b5

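Added example, not part of the original thread and not IAIK code: using only the standard java.security API, it shows how the public key obtained from a certificate yields the values asked about in point 3, namely the key algorithm, the rsaEncryption OID inside the Subject Public Key Info, and the rsa_sign certificate type code. The class and method names are hypothetical, and a freshly generated RSA key stands in for cert.getPublicKey().

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
// Hypothetical helper class (added example); standard JDK only, not the IAIK API.
public class SpkiInfo {
    // SSL 3.0 / TLS 1.0 ClientCertificateType codes listed in a CertificateRequest.
    static int clientCertificateType(PublicKey key) {
        switch (key.getAlgorithm()) {
            case "RSA": return 1;   // rsa_sign
            case "DSA": return 2;   // dss_sign
            default:    return -1;  // not a signing type handled here
        }
    }
    // Checks the tag at pos[0], then reads the DER length; pos[0] ends on the first content byte.
    static int header(byte[] der, int[] pos, int tag) {
        if ((der[pos[0]++] & 0xff) != tag) throw new IllegalArgumentException("unexpected tag");
        int b = der[pos[0]++] & 0xff;
        if (b < 0x80) return b;                       // short form
        int len = 0;
        for (int n = b & 0x7f; n > 0; n--) len = (len << 8) | (der[pos[0]++] & 0xff);
        return len;
    }

    // Algorithm OID of a DER SubjectPublicKeyInfo, which PublicKey.getEncoded() returns (format "X.509").
    static String algorithmOid(byte[] spki) {
        int[] pos = {0};
        header(spki, pos, 0x30);            // SubjectPublicKeyInfo: SEQUENCE (constructed)
        header(spki, pos, 0x30);            // AlgorithmIdentifier: SEQUENCE (constructed)
        int len = header(spki, pos, 0x06);  // OBJECT IDENTIFIER (primitive)
        int first = spki[pos[0]] & 0xff;    // first byte packs the first two arcs
        int arc1 = Math.min(first / 40, 2);
        StringBuilder oid = new StringBuilder().append(arc1).append('.').append(first - 40 * arc1);
        long v = 0;
        for (int i = 1; i < len; i++) {     // remaining arcs: base-128, high bit means more bytes follow
            int b = spki[pos[0] + i] & 0xff;
            v = (v << 7) | (b & 0x7f);
            if ((b & 0x80) == 0) { oid.append('.').append(v); v = 0; }
        }
        return oid.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh RSA key stands in for cert.getPublicKey().
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey pub = gen.generateKeyPair().getPublic();
        System.out.println(pub.getAlgorithm() + " " + pub.getFormat() + " " + algorithmOid(pub.getEncoded())
                + " certificate type " + clientCertificateType(pub));
    }
}
```

The OID 1.2.840.113549.1.1.1 is rsaEncryption, the value shown as "Public Key Algorithm" in the certificate text dump above.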