BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339
February 23rd, 2006, 12:10 PM
Authorized User

I added methods to Utils.java in Ch. 7 & 8 to generate a self-signed V3 endCredential certificate and a single-level chain for the keystores. I tried the single-level chain using V3 certificates to perform client-side authentication and it worked.

However, the scenario doesn't work with a two-level chain V3 client, which was my original intention. Once I turn on client-side authentication, it will fail unless I put the root (or intermediate) certificate in the server's trust store. Ironically, the server-side authentication works if I put the end certificate into the client's trust store.

It appears that SSL/TLS requires CA certificates in the server's trust store when using two-level chained V3 certificates and turning on client-side authentication. I was designing a program to use exchanged public "end" certificates to establish a secure socket between users so that they could send text messages between them, but it appears I'll have to turn off client-side authentication or come up with an alternative way to send the CA certificates with the end certs...

If anyone has an example of using two two-level chained V3 certificates to establish an SSL/TLS socket with client-side authentication and not inserting the CA cert in the server's trust store, I'd be grateful if you would share your code design. Thanks,

Jim
 
February 24th, 2006, 12:19 AM
dgh, Wrox Author

The server end can't authenticate a client if it can't verify the certificates that are sent. To do that it needs the trust anchor for the certificate path being used.

Are you sure you need to use client side authentication? If all you are trying to do is encrypt the traffic between the two users, server side is enough.

Regards,

David

 
March 24th, 2006, 03:29 PM
Authorized User

I came up with a methodology to save the certificate chain and
exchange it with other users of my application so that they could
connect via SSL/TLS socket and exchange text messages securely.

On a side note, I figured out that using a self-authenticated certificate
(V1 or V3) for SSL/TLS, the Subject and Issuer fields must be identical.
For some reason, the client and server authentication will fail with the
"certificate not found" message because the issuer does not match the
subject. Thus, if one decides to use self-authenticated certificates
in SSL/TLS, those fields must contain the same exact information.
 
March 24th, 2006, 07:29 PM
dgh, Wrox Author

Ah. Thanks for the update.

Yes, this does make sense. If the issuer and the subject are different then the certificate is not self-signed; it just means that the certificate has been signed by someone else who coincidentally has the same private key as the certificate does. This is why you get "certificate not found": the different issuer means that the validator goes off looking for a certificate with that subject. It's only when the issuer and subject are the same that it knows to stop.

Regards,

David

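The two points David makes above (the server needs the trust anchor for the client's certificate path, and a self-signed certificate must carry identical issuer and subject) can be reproduced outside the TLS handshake with the JDK's PKIX validator. This is an added example, not code from the book or from Bouncy Castle; the file names client_end.cer, client_inter.cer, server_trust.jks and the password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public class ChainCheck {
    /** True only when issuer and subject are the same name, the rule discussed in the thread. */
    static boolean isSelfSigned(X509Certificate cert) {
        return cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
    }

    /** Runs the same PKIX path validation a JSSE trust manager performs on a peer's chain. */
    static boolean validatesTo(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);              // leaf first, then intermediates
        PKIXParameters params = new PKIXParameters(trustStore);  // anchors = trusted entries in the store
        params.setRevocationEnabled(false);                      // constructed example: no CRL/OCSP lookup
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.out.println("path rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names; use the chain and trust store built by your own Utils.java.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate end = (X509Certificate) cf.generateCertificate(new FileInputStream("client_end.cer"));
        X509Certificate inter = (X509Certificate) cf.generateCertificate(new FileInputStream("client_inter.cer"));
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream("server_trust.jks"), "changeit".toCharArray());

        System.out.println("end cert self-signed: " + isSelfSigned(end));
        // Succeeds only when the root that issued the intermediate is a trusted entry in server_trust.jks;
        // putting the client's end certificate there instead does not make the path validate.
        System.out.println("chain validates: " + validatesTo(Arrays.asList(end, inter), ts));
    }
}
```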
 
April 2nd, 2006, 09:26 PM
Registered User

Here is the problem I have. I use Bouncycastle's X509V3CertificateGenerator to create a self-signed x509v3 certificate. If the storeType is JCEKS, JSSE fails even for server authentication. If the storetype is JKS, server authentication works, but client authentication (setNeedClientAuth(true)) fails with a 'null cert chain' error. If I use keytool to create X.509 v1 self-signed certificates, JSSE mutual authentication works.
I'm not sure whether JSSE actually does not work with v3 certificates or JCEKS, or the problem is actually caused by Bouncycastle's X509V3CertificateGenerator class, but I have to use v3 certificates as a requirement. Can anyone help to explain if I have to use other tools such as openssl to create v3 certificates offline and then import them into a Java key store for JSSE mutual authentication? I also need to make it work with the NCipher key store as well with x509v3 certificates.

James

 
April 3rd, 2006, 06:17 AM
dgh, Wrox Author

The first problem may be due to the unrestricted policy files not being installed.

Both JSSE and Bouncy Castle will work with V3 certificates. Be careful of what extensions you use, though, and make sure your self-signed certificates have the same issuer as subject.

 
April 3rd, 2006, 05:53 PM
Registered User

Thanks, David.
Not sure what you meant by unrestricted policy files. I added BouncyCastle as a provider through Java code.
To make it work first, I tried not to use any extension attributes initially, and the names for issuer and subject share the same string so that they must be the same. What else could be wrong?

 
April 3rd, 2006, 06:37 PM
dgh, Wrox Author

You can find the unrestricted policy files at the same place you downloaded the JDK. They're required to turn on stronger encryption; if you see weird errors using JCE code, the lack of them is often the reason.

It sounds a bit like it's looking in the wrong spot to authenticate the client. Try setting -Djavax.net.debug=all and see what it tells you.

Regards,

David

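A server that requires client authentication, wired the way the thread describes: the server's own key and V3 chain in its key store, the CA that issued the client certificates in its trust store, and JSSE handshake debugging switched on so a 'null cert chain' or "certificate not found" failure can be traced. This is an added example, not code from the book; the file names server.jks and server_trust.jks, the password and port 8443 are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualAuthServer {
    static SSLContext buildContext(String keyStoreFile, String trustStoreFile, char[] password) throws Exception {
        // Key store: the server's private key plus its V3 certificate chain.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(keyStoreFile), password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // Trust store: the CA certificate(s) that issued the clients' certs, not the clients' end certs.
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(new FileInputStream(trustStoreFile), password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same effect as -Djavax.net.debug=ssl,handshake on the command line; set before JSSE initialises.
        System.setProperty("javax.net.debug", "ssl,handshake");
        char[] pw = "changeit".toCharArray();                 // assumed password
        SSLContext ctx = buildContext("server.jks", "server_trust.jks", pw);
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        // The handshake now fails unless the client's chain validates to an anchor in server_trust.jks.
        server.setNeedClientAuth(true);
        SSLSocket client = (SSLSocket) server.accept();
        client.startHandshake();
        System.out.println("client authenticated as " + client.getSession().getPeerPrincipal());
        client.close();
        server.close();
    }
}
```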
 
June 23rd, 2006, 06:57 AM
Authorized User

An example of creating an SSL client socket (Java SSL tutorial)

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

public class SslClientExample {
    public static void main(String[] args) {
        try {
            int port = 225;
            String hostname = "hotdir.biz";
            // The default factory verifies the server against the JVM's trust store
            SocketFactory socketFactory = SSLSocketFactory.getDefault();
            Socket socket = socketFactory.createSocket(hostname, port);
            InputStream in = socket.getInputStream();
            OutputStream out = socket.getOutputStream();
            in.close();
            out.close();
        } catch (IOException e) {
            e.printStackTrace(); // report the failure instead of swallowing it
        }
    }
}

See here

http://www.developerzone.biz/index.p...d=97&Itemid=36


http://www.filig.com/
http://www.hotdir.biz/