SSL and client certificates

Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
If I was to use a client certificate when connecting to a server over HTTPS, how would the SSL implementation (JSSE) figure out which certificate to send (assuming there are many in the client's keystore)?


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
Alex Black
Greenhorn

Joined: Apr 28, 2001
Posts: 16
Each certificate in a keystore is identified by an "alias" string.
Once you have your keystore object you can retrieve the pertinent certificate by calling a getCertificate(String alias) method.
You could read up on this through this link: http://java.sun.com/j2se/1.4.2/docs/api/java/security/KeyStore.html.
Cheers,
Alex
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
Thanks Alex,
However, I already knew that much. What I'm wondering is what happens under the covers if I don't locate the Certificate myself but instead let the JSSE "https" handler take care of everything -- will it blindly pick the first certificate from the keystore or use some kind of "preference" logic to determine the "best match" to what the server is requesting during the handshake?
Please, just say so if I'm way off here. I'm really new to client certificates...
Alex Black
Greenhorn

Joined: Apr 28, 2001
Posts: 16
Hi Lasse,
I am not sure what you mean by letting the "https" handler take care of everything... Could you provide some code instead?
Alex
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
What I'm after is that instead of doing

we can (with JDK 1.4) do this instead:

And the actual question is whether we can do the latter if a client certificate is required by the server?
Alex Black
Greenhorn

Joined: Apr 28, 2001
Posts: 16
Hi Lasse,
Yes, a client certificate is still required, even though this is not really evident in the second snippet of code.
All the implementation hidden underneath the HttpsURLConnection is literally (almost) identical to the first code snippet.
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on.
Hope that helps.
Cheers,
Alex
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
Originally posted by Alex Black:
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again the trade off is leaving us blind to what is actually going on.
So would it be a fair guess that "under the hood", the code is actually just picking the first certificate from the keystore? The other option, I think, would be that the server indicates some sort of preferences for the client certificate (a bit like the client advertises all the algorithms it knows upon starting the handshake) based on which the "https" protocol handler selects one of the client's certificates to be sent.
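The mechanism the thread is asking about is visible in the JSSE API itself. During the handshake the server's CertificateRequest message carries the key types it accepts and the distinguished names of the CAs it trusts; JSSE hands both to the X509KeyManager's chooseClientAlias(keyTypes, issuers, socket) method, and the default SunX509 key manager answers with the first keystore alias whose private-key entry matches those constraints (or null, meaning "send no certificate", if nothing matches). So the selection is neither blind nor server-dictated: the server narrows the candidates, the key manager picks the first survivor. The example below is added here and is not code from this thread or from JSSE; it wraps the default key manager so you can watch what the server asked for and, if needed, pin a specific alias, covering both the KeyStore-alias lookup Alex describes and the HttpsURLConnection path Lasse describes. The keystore file name, password, alias and target URL are placeholders, and the code assumes Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/**
 * Wraps the default X509KeyManager so we can see what the server asks for
 * (key types and acceptable issuer names from its CertificateRequest) and,
 * optionally, force a particular keystore alias instead of the default pick.
 */
public final class ObservingKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    private final String pinnedAlias;   // null: let the default manager choose

    public ObservingKeyManager(X509KeyManager delegate, String pinnedAlias) {
        this.delegate = delegate;
        this.pinnedAlias = pinnedAlias;
    }

    /** Called by JSSE during the handshake, after the server's CertificateRequest arrives. */
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        System.out.println("server accepts key types: " + Arrays.toString(keyTypes));
        System.out.println("server accepts issuers:   " + Arrays.toString(issuers));
        String chosen = (pinnedAlias != null)
                ? pinnedAlias
                : delegate.chooseClientAlias(keyTypes, issuers, socket);
        System.out.println("client alias sent:        " + chosen);
        return chosen;   // null means "send no client certificate"
    }

    // The remaining methods are passed through to the default manager unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    /** Loads the keystore, lists its aliases, and builds an SSLContext that uses the wrapper. */
    public static SSLContext buildContext(String keystorePath, char[] password, String pinnedAlias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");   // use "JKS" for an old-style keystore
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        // Each entry is addressed by its alias; only key entries can be offered as client certs.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("keystore alias: " + alias
                    + (ks.isKeyEntry(alias) ? " (private key)" : " (certificate only)"));
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new ObservingKeyManager((X509KeyManager) managers[i], pinnedAlias);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null);   // null trust managers: use the JVM's default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore, password, alias and URL; replace with your own values.
        String keystorePath = args.length > 0 ? args[0] : "client.p12";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String pinnedAlias = args.length > 2 ? args[2] : null;
        String target = args.length > 3 ? args[3] : "https://example.com/";

        SSLContext ctx = buildContext(keystorePath, password, pinnedAlias);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(target).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // per-connection, not the process-wide default
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

Run it against a server that requires client authentication and the printed issuer list shows exactly what the server is willing to accept; if the default pick is null or the wrong entry, pass an explicit alias as the third argument. Installing the socket factory on the connection rather than through HttpsURLConnection.setDefaultSSLSocketFactory keeps the pinned identity from leaking into every other HTTPS connection in the JVM.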