BOOK: Beginning Cryptography with Java | This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339

Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning Cryptography with Java section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

February 23rd, 2006, 12:10 PM
Authorized User
Join Date: Feb 2006
Posts: 13
Thanks: 1
Thanked 0 Times in 0 Posts
I added methods to Utils.java in Ch. 7 & 8 to generate a self-signed V3 endCredential certificate and a single-level chain for the keystores. I tried the single-level chain using V3 certificates to perform client-side authentication and it worked.
However, the scenario doesn't work with a two-level chain V3 client, which was my original intention. Once I turn on client-side authentication, it will fail unless I put the root (or intermediate) certificate in the server's trust store. Ironically, the server-side authentication works if I put the end certificate into the client's trust store.
It appears that SSL/TLS requires CA certificates in the server's trust store when using two-level chained V3 certificates and turning on client-side authentication. I was designing a program to use exchanged public "end" certificates to establish a secure socket between users so that they could send text messages between them, but it appears I'll have to turn off client-side authentication or come up with an alternative way to send the CA certificates with the end certs...
If anyone has an example of using two two-level chained V3 certificates to establish an SSL/TLS socket with client-side authentication and not inserting the CA cert in the server's trust store, I'd be grateful if you would share your code design. Thanks,
Jim

February 24th, 2006, 12:19 AM
Wrox Author
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts
The server end can't authenticate a client if it can't verify the certificates that are sent. To do that it needs the trust anchor for the certificate path being used.
Are you sure you need to use client side authentication? If all you are trying to do is encrypt the traffic between the two users, server side is enough.
Regards,
David
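To make the trust-anchor point above concrete, here is an added example (not code from the book or from either poster) of how the two JSSE contexts are assembled for a mutually authenticated connection. The server's key store holds its own key and chain, but its trust store must hold the root or intermediate CA that issued the client's chain; otherwise setNeedClientAuth(true) has nothing to validate against. The file names, the password, the port and the class name are all assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsExample {

    // Assumed: all four keystores are JKS files protected by this password.
    static final char[] PASSWORD = "changeit".toCharArray();

    static KeyStore loadJks(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    // keystorePath:   our own private key plus its full chain (end cert, any intermediate, root).
    // truststorePath: only the CA certificate(s) the PEER's chain must lead to (the trust anchor).
    static SSLContext buildContext(String keystorePath, String truststorePath) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath), PASSWORD);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        int port = 8443; // assumed

        // server-trust.jks must contain the root (or intermediate) CA that issued the CLIENT's chain;
        // with setNeedClientAuth(true) and no such anchor present the handshake is rejected.
        SSLContext serverCtx = buildContext("server.jks", "server-trust.jks");
        SSLServerSocket listener = (SSLServerSocket)
                serverCtx.getServerSocketFactory().createServerSocket(port);
        listener.setNeedClientAuth(true);

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.startHandshake();
                SSLSession session = s.getSession();
                // Only reachable if the client's chain validated against server-trust.jks.
                System.out.println("server: authenticated client " + session.getPeerPrincipal());
                s.getOutputStream().write("hello\n".getBytes("UTF-8"));
                s.getOutputStream().flush();
            } catch (Exception e) {
                System.out.println("server: handshake failed: " + e);
            }
        });
        serverThread.start();

        // client-trust.jks must contain the CA that issued the SERVER's chain.
        SSLContext clientCtx = buildContext("client.jks", "client-trust.jks");
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", port)) {
            c.startHandshake();
            int b = c.getInputStream().read();
            System.out.println("client: got first byte " + b + " from " + c.getSession().getPeerPrincipal());
        }
        serverThread.join();
        listener.close();
    }
}
```

Note that the client's key store entry must carry the whole chain (end certificate plus intermediate), not just the end certificate, since that is what the key manager sends to the server; the server's trust store then only needs the CA at the top of that chain, never the client's end certificate itself.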

March 24th, 2006, 03:29 PM
Authorized User
Join Date: Feb 2006
Posts: 13
Thanks: 1
Thanked 0 Times in 0 Posts
I came up with a methodology to save the certificate chain and exchange it with other users of my application so that they could connect via SSL/TLS socket and exchange text messages securely.
On a side note, I figured out that using a self-authenticated certificate (V1 or V3) for SSL/TLS, the Subject and Issuer fields must be identical. For some reason, the client and server authentication will fail with the "certificate not found" message because the issuer does not match the subject. Thus, if one decides to use self-authenticated certificates in SSL/TLS, those fields must contain the same exact information.

March 24th, 2006, 07:29 PM
Wrox Author
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts
Ah. Thanks for the update.
Yes, this does make sense - if the issuer and the subject are different then the certificate is not self signed, it just means that the certificate has been signed by someone else who coincidentally has the same private key as the certificate does. This is why you get "certificate not found": the different issuer means that the validator goes off looking for a certificate with that subject - it's only when the issuer and subject are the same that it knows to stop.
Regards,
David
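An added example (not from the book or either poster) of what Jim observed and David explained above: a self-signed V3 certificate built with the X509V3CertificateGenerator the thread discusses, with the issuer set to the same principal as the subject, followed by the two checks a path validator relies on to stop at such a certificate. The class name, DN, key size and validity period are assumptions; the generate(PrivateKey, String) call is the form this generator took in Bouncy Castle releases of the book's era, and the whole class has since been deprecated in favour of JcaX509v3CertificateBuilder.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;

public class SelfSignedV3Example {

    /** Builds a self-signed V3 end-entity certificate for TLS use (assumed helper, not from the book). */
    public static X509Certificate generate(KeyPair pair, String dn) throws Exception {
        X500Principal name = new X500Principal(dn);
        long now = System.currentTimeMillis();

        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
        gen.setSerialNumber(BigInteger.valueOf(now));
        gen.setIssuerDN(name);   // issuer and subject are the SAME principal object,
        gen.setSubjectDN(name);  // so they cannot differ by even a whitespace or encoding detail
        gen.setNotBefore(new Date(now - 60_000L));
        gen.setNotAfter(new Date(now + 365L * 24 * 60 * 60 * 1000));
        gen.setPublicKey(pair.getPublic());
        gen.setSignatureAlgorithm("SHA256WithRSAEncryption");

        // Conservative extensions for a TLS end entity: not a CA, key usable for
        // signing and key encipherment. Anything more exotic is what David warns about.
        gen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        gen.addExtension(X509Extensions.KeyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        // Signed with the private key matching the public key inside the certificate.
        return gen.generate(pair.getPrivate(), "BC");
    }

    /**
     * The two properties a validator needs before it will treat a certificate as the
     * end of the path: issuer equals subject, and the signature verifies under the
     * certificate's own public key. A cert that fails the first check sends the
     * validator off looking for another certificate, hence "certificate not found".
     */
    public static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();

        // Assumed DN for illustration only.
        X509Certificate cert = generate(pair, "CN=Example End Entity, O=Example, C=AU");

        System.out.println("issuer  = " + cert.getIssuerX500Principal());
        System.out.println("subject = " + cert.getSubjectX500Principal());
        System.out.println("self-signed and self-verifying: " + isSelfSigned(cert));
    }
}
```

When such a certificate is used as the trust anchor in a peer's trust store, it is the isSelfSigned properties above that let the path builder terminate at it; a certificate with the same subject but a different issuer string would instead make the peer search for the (non-existent) issuer.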

April 2nd, 2006, 09:26 PM
Registered User
Join Date: Apr 2006
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Here is the problem I have. I use Bouncycastle's X509V3CertificateGenerator to create a self-signed x509v3 certificate. If the storeType is JCEKS, JSSE fails even for server authentication. If the storetype is JKS, server authentication works, but client authentication ( setNeedClientAuth(true) ) fails with 'null cert chain' error. If I use keytool to create x509 v1 self-signed certificates, JSSE mutual authentication works.
I'm not sure whether JSSE actually does not work with v3 certificate, JCEKS, or the problem is actually caused by Bouncycastle's X509V3CertificateGenerator class, but I have to use v3 certificate as a requirement. Can anyone help to explain if I have to use other tools such as openssl to create v3 certificate offline and then import to Java key store for JSSE mutual authentication. I also need to make it work with NCipher key store as well with x509v3 certificate.
James

April 3rd, 2006, 06:17 AM
Wrox Author
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts
The first problem may be due to the unrestricted policy files not being installed.
Both JSSE and Bouncy Castle will work with V3 certificates. Be careful of what extensions you use though and make sure your self signed certificates have the same issuer as subject.

April 3rd, 2006, 05:53 PM
Registered User
Join Date: Apr 2006
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Thanks, David.
Not sure what you meant by unrestricted policy files. I added BouncyCastle as provider through Java code.
To make it work first, I tried not to use any extension attributes initially, and the names for issuer and subject share the same string so that they must be the same. What else could be wrong?

April 3rd, 2006, 06:37 PM
Wrox Author
Join Date: Aug 2005
Posts: 206
Thanks: 0
Thanked 20 Times in 20 Posts
You can find the unrestricted policy files at the same place you downloaded the JDK. They're required to turn on stronger encryption; if you see weird errors using JCE code, the lack of them is often the reason.
It sounds a bit like it's looking in the wrong spot to authenticate the client; try setting -Djavax.net.debug=all and see what it tells you.
Regards,
David

June 23rd, 2006, 06:57 AM
Authorized User
Join Date: Dec 2005
Posts: 29
Thanks: 0
Thanked 0 Times in 0 Posts
An example of creating an SSL client socket (Java SSL tutorial)

    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import java.net.Socket;
    import javax.net.SocketFactory;
    import javax.net.ssl.SSLSocketFactory;

    try {
        int port = 225;
        String hostname = "hotdir.biz";
        // The default factory validates the server against the JVM's default trust store
        SocketFactory socketFactory = SSLSocketFactory.getDefault();
        Socket socket = socketFactory.createSocket(hostname, port);
        InputStream in = socket.getInputStream();
        OutputStream out = socket.getOutputStream();
        in.close();
        out.close();
        socket.close();
    } catch (IOException e) {
        // A handshake or connection failure surfaces here; don't swallow it silently
        e.printStackTrace();
    }
See here
http://www.developerzone.biz/index.p...d=97&Itemid=36
http://www.filig.com/
http://www.hotdir.biz/