
Re: [iaik-jce] certificateTypes check in getCertificate() with RSAPublicKey i/f



Hi,

Even I had the same doubt earlier about "certificateType" being "X509certificate". No, we are checking certificateType wrt the constants defined in ClientTrustDecider class like ClientTrustDecider.rsa_sign. Please read the highlighted explanation below regarding X_sign Cert and X_fixed_dh Cert.

I suggest that you also read SSL 3.0 specs + Appendix, and then, IAIK's final docs like me. If you then get to some "feel" of X_sign Cert and X_fixed_dh Cert, things may get simpler. I did this, and only then, the enigma of "certificateType" got somewhat resolved. I am not an expert though still on this "sign-capable/not capable" certs etc.

Sundar Krishnan

sangeeta gopalan wrote:

Hi,
Does this mean that we are not checking for the type of the certificate,
i.e. if the certificate is an X509certificate? Also, is there some
standard logic to decide how to choose the correct client certificate
when the user possesses multiple client certificates issued by different
CAs and different algorithms? I guess this selection should be
implemented in the getCertificate() method of the ClientTrustDecider. Is
this right??

Thanks with regards
Sangeeta

Sundar Krishnan wrote:

> Hi,
>
> My clarification was only wrt the usage of
> java.security.interfaces.RSAPublicKey - this is only the latter half of
> the logic.
> The real logic is definitely to check with if ( certificateTypes[j] == ClientTrustDecider.rsa_sign ).
> Here goes the full logic as far as certificateTypes is concerned. Again,
> check of certificateAuthorities is a different logic.
>
>             -----
>             /*
>             a-2) Check if EACH of the Client Certificate's type matches with one of those approved by the Server.
>                 At the end if bCertType is true, we are sure that EACH of the Certificates' types in the Client Chain
>                 matches with some approved Server type.
>             */
>             boolean bCertType   = false ;
>
>             /*
>             The following logic is based on the difference between a
>             X_sign Cert which has a signing capability ie, the Cert contains a Public key,
>             and X_fixed_dh Cert which has NO signing capability ie, no Priv/Publ Keys, only DH pars.
>             Here, we consider only rsa_sign, dss_sign is not.
>             EACH Cl Cert's certificateTypes compared with the Server certificateType ("rsa_sign" only)
>             */
>             for ( int i = 0 ; i < clientCertChain.length ; i++ ) {
>                 bCertType = false ; // to ensure that EACH Cert in the chain matches with the Server's (rsa_sign)
>                 for ( int j = 0 ; j < certificateTypes.length ; j++ ) {  // rsa_sign from WL's Tengah Server
>                     if ( certificateTypes[j] == ClientTrustDecider.rsa_sign ) { // Check only for rsa_sign
>                         // this is the main logic
>
>                         // if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") )
>
>                         // The above single criterion should be enough. The reco was to check if :
>                         // (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey)
>                         // java.security.interfaces.RSAPublicKey is available in jdk11x_update.jar.
>                         // [ Note however, that we are NOT referring to javax.crypto.interfaces.RSAPublicKey.
>                         // In fact, 2 i/fs : javax.crypto.interfaces.RSAPublicKey & DHPublicKey extend from
>                         // javax.security.PublicKey
>                         // However, javax.crypto.interfaces.RSAPublicKey is not available in any of these jar files :
>                         // iaik_ssl.jar or iaik_jce.jar (it however, contains javax.crypto.interfaces.DHPublicKey)
>                         // or rsa_rc4.jar (it however, contains iaik.security.rsa.RSAPublicKey).]
>
>                         debugG
>                             ( "\n i = " + i + " ; j = " + j +
>                               "\n clientCertChain[i].getPublicKey() = " + clientCertChain[i].getPublicKey() ) ;
>                         debugG
>                             ( "\n (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) = " +
>                               (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) ;
>
>                         // Note that we are using the single "full" |. A double short-ckted || should also be OK.
>                         if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") |
>                              (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) {        // the portion I sent earlier
>
>                             bCertType = true ;
>                             break ;     // NOT continue here!   break out of for - j loop if we get a match.
>                         }
>                         else {
>                             bCertType = false ;
>                         }
>                     }
>                 } // for - j loop
>                 if ( !bCertType ) break ; // stop at the first Cert with no match, so a later Cert cannot set the flag back to true
>             }
>
>             // Finally, if bCertType is true
>             if (bCertType)
>             {
>                 String strLogOK = "All the Client's certificateTypes match with \"rsa_sign\". " ;
>                 // "Each of the Client's certificateType matches with the acceptable list of the Server." ;
>                 System.out.println
>                     ("\n\n " + strLogOK +
>                      "\n bCertType = " + bCertType );
>             }
>             else
>             {
>                 String strExc2 = "The certificateTypes do not match with \"rsa_sign\". " ;
>                 // "NOT ALL the Client's certificateType match with the acceptable list of the Server." ;
>                 System.out.println
>                     ("\n\n " + strExc2 +
>                      "\n bCertType = " + bCertType );
>             }
>
>                                             /* ************************ */
>
>             -----
>
> Hope this clarifies.
>
> Do drop a line if the same logic is helpful in your application.
>
> Regards
>
> Sundar Krishnan
>
>
>
> sangeeta gopalan wrote:
>
>> Hi, I am confused about the definition of certificate types. In the SSL
>> protocol specification, Netscape has defined a valid certificate type
>> value as "X509certificate", so what is your definition of a certificate
>> type? If you compare the algorithm to be an RSA algorithm then what is
>> the use of the negotiated cipher suite??
>> Please clarify the correct definition of the certificate type list that
>> the SSL server sends during the handshake process.
>>
>> Sundar Krishnan wrote:
>>
>> > I think I may be wrong in my earlier email.
>> > The recommendation was to check for an instance of
>> > java.security.interfaces.RSAPublicKey, not
>> > javax.crypto.interfaces.RSAPublicKey. I am sorry for any confusion. So
>> > my logic now is :
>> >
>> >     // Note that we are using the single "full" |. A double short-ckted || should also be OK.
>> >     if ( (clientCertChain[i].getPublicKey().getAlgorithm()).equalsIgnoreCase("RSA") |
>> >          (clientCertChain[i].getPublicKey() instanceof java.security.interfaces.RSAPublicKey) ) {
>> >              bCertType = true ;
>> >              break ;     // NOT continue here!   break out of for - j loop if we get a match.
>> >      }
>> >      else {
>> >              bCertType = false ;
>> >       }
>> >       ---
>> > This works !
>> >
>> > *********************************
>> > My earlier (wrong) email :
>> >
>> >> Sometime back, I had received a reply in the IAIK Mailing List
>> >> indicating something to this effect :
>> >> [During Client Authentication for certificateTypes' check within
>> >> getCertificate() method, we should preferably check :
>> >>     if (clientCertChain[i].getPublicKey() instanceof
>> >> javax.crypto.interfaces.RSAPublicKey)
>> >> ]
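
The "EACH certificate must match a requested type" check discussed in this thread, as an added example that is not part of the original posts and is not IAIK code: it rejects a chain as soon as one key fits none of the requested types, and picks the first passing chain among several candidates. Assumptions: the class and method names are hypothetical, the type values 1 and 2 are the rsa_sign and dss_sign codes from the SSL 3.0 specification, and freshly generated keys stand in for `clientCertChain[i].getPublicKey()`; the certificateAuthorities check is not covered.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;

public class CertTypeCheck {
    // ClientCertificateType values as listed in the SSL 3.0 specification.
    static final byte RSA_SIGN = 1, DSS_SIGN = 2;

    // Does this public key fit the requested certificate type?
    static boolean keyMatchesType(PublicKey key, byte type) {
        switch (type) {
            case RSA_SIGN: return key instanceof RSAPublicKey;
            case DSS_SIGN: return key instanceof DSAPublicKey;
            default:       return false; // fixed-DH types are not handled here
        }
    }

    // True only if EVERY key in the chain fits at least one requested type.
    static boolean chainMatches(PublicKey[] chainKeys, byte[] certificateTypes) {
        if (chainKeys.length == 0) return false;
        for (PublicKey key : chainKeys) {
            boolean matched = false;
            for (byte type : certificateTypes) {
                if (keyMatchesType(key, type)) { matched = true; break; }
            }
            if (!matched) return false; // one mismatch rejects the whole chain
        }
        return true;
    }

    // Index of the first candidate chain that passes the type check, or -1.
    static int firstAcceptableChain(PublicKey[][] candidates, byte[] certificateTypes) {
        for (int c = 0; c < candidates.length; c++) {
            if (chainMatches(candidates[c], certificateTypes)) return c;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys standing in for clientCertChain[i].getPublicKey().
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPairGenerator dsaGen = KeyPairGenerator.getInstance("DSA");
        dsaGen.initialize(2048);
        PublicKey rsa = rsaGen.generateKeyPair().getPublic();
        PublicKey dsa = dsaGen.generateKeyPair().getPublic();
        PublicKey[][] candidates = { { dsa, dsa }, { rsa, dsa }, { rsa, rsa } };
        System.out.println(firstAcceptableChain(candidates, new byte[] { RSA_SIGN }));
    }
}
```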