Wrox Programmer Forums
BOOK: Beginning Cryptography with Java
This is the forum to discuss the Wrox book Beginning Cryptography with Java by David Hook; ISBN: 9780764596339
You are currently viewing the BOOK: Beginning Cryptography with Java section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
February 18th, 2006, 01:06 PM
Authorized User (Join Date: Feb 2006, Posts: 13)

SSL Using Java 1.4.2

I've been designing a program to use SSL to exchange text
messages between two computers and using Bouncy Castle
latest version 1.31 under Java 1.4.2. I've been able to
connect and send messages only using server authentication
but not client authentication (i.e. setNeedClientAuth(true)).

I purchased "Cryptography with Java" book and am trying to
compile the samples using the JVM 1.4.2 instead of the 1.5.
I ran into problems in the Chapter 9 sample with the references
to javax.mail package. Do you have a suggested workaround?

Do you know if there is a problem with client authentication
under the JVM 1.4? I noticed the keystores used are PKCS12
instead of JKS while performing client authentication. Would
that make a difference and cause a null cert chain exception
(which I'm currently experiencing when turning on client auth).

On a side note, when generating the keystores with the keytool.exe
program, I can successfully perform client authentication.
Any help would be appreciated...

Jim Wong
 
February 19th, 2006, 06:00 AM
dgh, Wrox Author (Join Date: Aug 2005, Posts: 206)

With javax.mail you need to download the JavaMail API - make sure you either use version 1.3.2 or the beta of 1.4. You can find JavaMail at http://java.sun.com/products/javamail/

With SSL, you will find that using PKCS12 can cause these exceptions. While ASN.1 does provide the equivalent to a serialized array, PKCS12 stores certificates in a structure that is separate from keys so an array of loosely connected certificates is not enough - extensions such as the AuthorityKeyIdentifier are required to reconstruct the chain. The JSSE with JDK 1.4 does ship with a PKCS12 parser, but certificate chains that are not constructed with the proper extensions will result in the problem.

Having said that, it is worth working out your issues with PKCS12 rather than settling on JKS - it's the most commonly supported file format for keys used in browsers and the like so using it will make it easier to extend your application beyond just JSSE based clients.

The examples not using the session.getPeerPrincipal() method in Chapter 10 have been tested against JDK 1.4. Once you've got everything compiling up to Chapter 10 you should find it works okay.

Regards,

David

 
February 19th, 2006, 01:32 PM
Authorized User (Join Date: Feb 2006, Posts: 13)

David, Thanks for the response on allowing Java 1.4 to
work in Chapter 10. All samples compiled and worked except
for the one you clarified was using a Java 1.5 method.

Regarding the problem with client authentication, I've
been creating KeyStores using the "JKS" spec and "SUN"
provider instead of the "PKCS12" spec. I'm willing to
convert my keystores but I'd like to get my current version
with JKS working. As a side note, I was also using the
org.bouncycastle.jce.X509V3CertificateGenerator but noticed
it was deprecated so I'm converting to org.bouncycastle.X509.

Were you suggesting the null cert chain problem was caused by
the creation of the certificates with improper extensions and
chaining them incorrectly? I looked over the book sample for
certificate generation and added the KeyUsage extension since
I'm already using the other extensions, but experienced no luck.
I don't have an intermediate CA Certificate, only a CA certificate
and end entity certificate. I also created a two element array
of Certificates when calling the setKeyEntry in my keystores
with the end cert at 0 and ca cert at 1. Again thanks for your
help and any suggestions and examples are appreciated...

Jim
 
February 19th, 2006, 05:11 PM
dgh, Wrox Author (Join Date: Aug 2005, Posts: 206)

Most of the details of certificate generation and processing are described in Chapters 6 and 7. I would recommend you having a look at them more closely, but here are a few things to check that can cause problems:

- is your root certificate a version 1 certificate?
- does your end entity certificate include the following extensions?
         AuthorityKeyIdentifier
         SubjectKeyIdentifier
         BasicConstraints

Regards,

David
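The following is an added example, not code from the book or from either poster. It ties together David's two points above: a PKCS12 store keeps keys and certificates in separate bags, so the chain has to be re-linked from the SubjectKeyIdentifier/AuthorityKeyIdentifier extensions when the file is read back, and the checklist of version and extensions to look for. It builds a self-signed version 3 CA and a CA-issued end-entity certificate with SKI, AKI, BasicConstraints and KeyUsage, stores them in an in-memory PKCS12 key store (end entity at index 0, CA at index 1, as in the thread), reloads it, and reports what survived. It is written against the current Bouncy Castle bcprov/bcpkix API (JcaX509v3CertificateBuilder) on Java 8 or later; the X509V3CertificateGenerator API the book uses under Java 1.4 is different. The class name, alias and password are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not the book's code): CA -> end-entity chain with the extensions from the
// post, round-tripped through a PKCS12 key store and then checked.
public class Pkcs12ChainCheck {
    static final char[] PASS = "changeit".toCharArray();   // assumed password for the example

    static KeyPair rsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // issuerCert == null produces a self-signed certificate (the trust anchor).
    static X509Certificate issue(String subject, KeyPair keys, X509Certificate issuerCert,
                                 PrivateKey issuerKey, boolean isCa, long serial) throws Exception {
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + 365L * 24 * 3600 * 1000);
        X500Principal subj = new X500Principal(subject);
        BigInteger sn = BigInteger.valueOf(serial);
        X509v3CertificateBuilder b = issuerCert == null
                ? new JcaX509v3CertificateBuilder(subj, sn, notBefore, notAfter, subj, keys.getPublic())
                : new JcaX509v3CertificateBuilder(issuerCert, sn, notBefore, notAfter, subj, keys.getPublic());
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        // SKI on every certificate and an AKI naming the issuer's key: a PKCS12 reader uses these
        // to re-link the key bag to its certificate and the certificate to its CA.
        b.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(keys.getPublic()));
        b.addExtension(Extension.authorityKeyIdentifier, false, issuerCert == null
                ? utils.createAuthorityKeyIdentifier(keys.getPublic())
                : utils.createAuthorityKeyIdentifier(issuerCert));
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(isCa
                ? KeyUsage.keyCertSign | KeyUsage.cRLSign
                : KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(signer));
    }

    // David's checklist: certificate version, and whether AKI, SKI and BasicConstraints are present.
    static boolean checkChain(Certificate[] chain) {
        String[][] wanted = { { "2.5.29.35", "AuthorityKeyIdentifier" },
                              { "2.5.29.14", "SubjectKeyIdentifier" },
                              { "2.5.29.19", "BasicConstraints" } };
        boolean ok = true;
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("[" + i + "] " + c.getSubjectX500Principal() + ", v" + c.getVersion()
                    + ", CA=" + (c.getBasicConstraints() != -1));
            for (String[] w : wanted) {
                boolean present = c.getExtensionValue(w[0]) != null;   // extension looked up by OID
                ok &= present;
                System.out.println("      " + w[1] + ": " + (present ? "present" : "MISSING"));
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPair caKeys = rsaKeyPair();
        X509Certificate caCert = issue("CN=Test CA", caKeys, null, caKeys.getPrivate(), true, 1);
        KeyPair eeKeys = rsaKeyPair();
        X509Certificate eeCert = issue("CN=Test Client", eeKeys, caCert, caKeys.getPrivate(), false, 2);

        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(null, null);
        ks.setKeyEntry("client", eeKeys.getPrivate(), PASS, new Certificate[] { eeCert, caCert });
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASS);

        // Reload: unlike JKS, the PKCS12 reader has to rebuild the chain from separate bags.
        KeyStore reloaded = KeyStore.getInstance("PKCS12", "BC");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), PASS);
        Certificate[] chain = reloaded.getCertificateChain("client");
        if (chain == null) {
            throw new IllegalStateException("null cert chain after PKCS12 round trip");
        }
        System.out.println("chain length after round trip: " + chain.length);
        System.out.println(checkChain(chain) ? "all listed extensions present" : "extensions missing");
    }
}
```

Run it with bcprov and bcpkix on the class path. To reproduce the failure mode David describes, drop the two addExtension calls for subjectKeyIdentifier and authorityKeyIdentifier and compare the chain length and the MISSING lines after the round trip; the same checkChain method can be pointed at the chain read from any existing .p12 file to audit certificates generated elsewhere.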

 
February 20th, 2006, 01:05 AM
Authorized User (Join Date: Feb 2006, Posts: 13)

I will definitely check out Chapter 6 and 7. My current
certificates in my keystores contain the three extensions
you mentioned but I'm converting them to initialize with
the same classes you have in your chapter 7 examples.

My root certificate is a version 3. Does that matter for
SSL? I tried a new keystore with a self-validated version 1
certificate trying to imitate the keystores generated with
the keytool.exe program but that failed the client authentication
as well. I'm surprised at how difficult it is to get the
client authentication feature of SSL/TLS to work.

Jim
 
February 20th, 2006, 01:29 AM
dgh, Wrox Author (Join Date: Aug 2005, Posts: 206)

Technically I don't think there's anything wrong with having a self-signed version 3 certificate as your trust anchor, it's just some implementations don't expect to find them there.

Don't forget for client side authentication to work the client's CA certificate must be present in the server's store of trusted certificates before the session is established. This is also a common source of difficulty.

Regards,

David

 
February 20th, 2006, 12:07 PM
Authorized User (Join Date: Feb 2006, Posts: 13)

Would you clarify why the server's store for trusted
certificates needs the CA certificate and not the end
certificate when doing client side authentication? In the
samples I downloaded from the Sun Java site, they don't
use a CA certificate but they put the client end certificate
in the server's trust store and it worked for client side
authentication. It seems there are a couple of ways that
client side authentication works depending on whether
CA certificates are used. Is there a definitive definition
of what goes in the trust store for both ends when performing
client side and server side authentication or is it a depends
scenario when using CA Certificates? Thanks again for your
answers and patience.

Jim
 
February 20th, 2006, 05:25 PM
dgh, Wrox Author (Join Date: Aug 2005, Posts: 206)

Either will do. If the client's end certificate is present then the server can recognize it as it already trusts it. If the client's CA certificate is present then the client certificate can be recognized as it is signed by someone the server trusts.

Regards,

David
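The following is an added example, not code from the book or from either poster, showing the two trust-store choices David describes in a working JSSE client-authenticated session. The server is built with setNeedClientAuth(true) and a trust store holding exactly one entry: either the CA certificate from the client's chain or the client's end-entity certificate, selected by a command-line argument; the client trusts the server's CA. It assumes two PKCS12 files in the working directory, server.p12 and client.p12 (password "changeit", such as the book's CreateKeyStores or keytool would produce), each holding one private key under the alias "key" with its full chain, end entity at index 0 and CA last. File names, alias, password and the class name are assumptions for the example; it needs Java 8 or later, and session.getPeerPrincipal() is a Java 5 method, so it will not compile under the 1.4 JVM the thread is about.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example (not the book's code): mutual TLS where the server's trust store holds
// either the client's CA certificate (default) or the client's end-entity certificate
// (argument "end-cert"). Assumes server.p12 and client.p12 as described in the lead-in.
public class MutualTlsDemo {
    static final char[] PASS = "changeit".toCharArray();   // assumed password

    static KeyStore loadP12(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, PASS);
        }
        return ks;
    }

    // A trust store with a single entry taken from the peer's chain: the end entity
    // (chain[0]) or the CA (last element). Pulling the client's certificate out of
    // client.p12 is a demo shortcut; a real server only ever holds the trust store.
    static KeyStore trustStoreFor(KeyStore creds, boolean trustEndEntity) throws Exception {
        Certificate[] chain = creds.getCertificateChain("key");
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);
        ts.setCertificateEntry("trusted", trustEndEntity ? chain[0] : chain[chain.length - 1]);
        return ts;
    }

    static SSLContext context(KeyStore creds, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(creds, PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        boolean trustClientEndCert = args.length > 0 && args[0].equals("end-cert");
        KeyStore serverCreds = loadP12("server.p12");
        KeyStore clientCreds = loadP12("client.p12");

        // Server side: its own key and chain, plus the one-entry trust store for the client.
        SSLContext serverCtx = context(serverCreds, trustStoreFor(clientCreds, trustClientEndCert));
        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        ss.setNeedClientAuth(true);   // handshake fails unless the client presents an acceptable certificate

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                String line = r.readLine();   // readLine drives the handshake on the server side
                System.out.println("server got: " + line + " from " + s.getSession().getPeerPrincipal());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        server.start();

        // Client side: its own key and chain, trusting the server's CA.
        SSLContext clientCtx = context(clientCreds, trustStoreFor(serverCreds, false));
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), ss.getLocalPort())) {
            c.startHandshake();
            Writer w = new OutputStreamWriter(c.getOutputStream(), "UTF-8");
            w.write("Hello World\n");
            w.flush();
        }
        server.join();
        ss.close();
    }
}
```

Run it once with no argument and once with end-cert, ideally with -Djavax.net.debug=ssl:handshake, which prints the CertificateRequest the server sends and the certificate the client answers with. One caveat to keep in mind when reading that output: the client-side key manager picks the certificate to offer by matching the issuer names the server advertises in its CertificateRequest, which JSSE fills from the subjects in the server's trust store. When the only trusted entry is a CA-issued end-entity certificate, the client may find no key entry whose chain was issued by that name, send no certificate at all, and the server with setNeedClientAuth(true) then aborts the handshake. Trusting the end certificate directly works cleanly for a self-signed client certificate, where subject and issuer coincide; for a CA-issued one the CA certificate is the safer trust entry.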

 
February 21st, 2006, 07:23 PM
Authorized User (Join Date: Feb 2006, Posts: 13)

During client authentication testing I changed the server's
key store to use separately generated keys and its own end
certificate instead of the root certificate from the client.
I created a client trust store that contained the server's
end certificate.

Using the server's trust store with the client's root certificate,
the client authentication worked and the Hello World msg was
received.

I changed server's trust store and inserted the client's end
certificate instead of the root certificate. The client
authentication failed under this scenario. I tried substituting
the intermediate certificate into the server's trust store and
client authentication worked again.

Does SSL require the root or intermediate trust certificates
from the client certificate chain in order to perform
authentication? Is there some setting required in order to
use the client's end certificate?

I'd like to use the end certificates instead of having to
distribute root/intermediate certificates in order to use client
authentication under SSL. Do you have any idea why the client's
end certificate fails giving the null cert chain found message?
Thanks,

Jim
 
February 22nd, 2006, 05:57 AM
dgh, Wrox Author (Join Date: Aug 2005, Posts: 206)

I'm not sure! It sounds like there is something wrong with the setup somewhere.

Try modifying the chapter10.CreateKeyStores class so that it only uses the root credentials for the client and the server. This will give you a single level chain. You should find that works with the examples. Have a look at the differences, that should point to the problem.

Regards,

David

Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.