Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / Security / December 2003

Tip: Looking for answers? Try searching our database.

javax.net.ssl vs java.security.cert

Thread view: 
Enable EMail AlertsStart New Thread
JK - 12 Dec 2003 13:31 GMT
Hi,

does anybody know if there is some unification work of the packages
javax.net.ssl and java.security.cert in progress?

I am currently having a hard time to make the two cooperate, even though
both deal with certificates. E.g., KeyStore and CertStore work in a
completely different way. KeyStore uses aliases for certificate lookup,
while CertStore uses selectors. TrustManager and CertPathBuilder do not
share the slightest amount of functionality, even though the decision,
if a certificate is trusted should also be based on the fact that it is
verifiable. SSL doesn't accept CertPaths and prefers arrays of
certificates where the certpath API offers lists....

There must be more people with the same problems. If you want to use
SSL, you need certificates, i.e. you need to store them, build and
verify certificate chains etc. I see that the SSL package is written
with  small scale certificate management in mind, but there must be an
easier way to switch to a larger scale.

Does anybody have a solution?
JK.
Reply to this Message
Wolfgang Bauer - 12 Dec 2003 15:54 GMT
> Hi,

> I am currently having a hard time to make the two cooperate, even though
> both deal with certificates. E.g., KeyStore and CertStore work in a
> completely different way.

... and they have a completely different field of application :-)
Usually you use a KeyStore to store secrets (e.g. private keys and its
associated certificate). Therefore the content of a keystore has to be
password protected.
I'm not familiar with the certpath API but I assume the CertStore deals
with certificates only.

> while CertStore uses selectors. TrustManager and CertPathBuilder do not
> share the slightest amount of functionality, even though the decision,
> if a certificate is trusted should also be based on the fact that it is
> verifiable.
> SSL doesn't accept CertPaths and prefers arrays of
> certificates where the certpath API offers lists....

IMHO it makes sense to decouple the 2 APIs. But I aggree with you that
it makes sense to have a X509TrustManager based on the certpath API (but
the implementation effort should not too high).

Wolfgang
Reply to this Message
JK - 16 Dec 2003 10:33 GMT
>> I am currently having a hard time to make the two cooperate, even
>> though both deal with certificates. E.g., KeyStore and CertStore work
[quoted text clipped - 6 lines]
> I'm not familiar with the certpath API but I assume the CertStore deals
> with certificates only.

Certainly true, but the keystore also stores a chain of certificates for
each key entry, that would excellently fit in a
java.security.cert.CertPath object.  ;-)

I am currently trying to implement something like an efficient (fast)
PKI. Within that, I need CertPaths to store verfied certificate paths
immutably. I have not figured out yet how to convert an array of
X509Certificates into a CertPath in an elegant way. Of course it works
somehow like

    X509Certificate[] certChain;
    Vector certVector = new Vector();
    for (int i=0; i< certChain.length; ++i) {
        certVector.add(certChain[i]);
    }
    try {
        CertificateFactory certFactory =
            CertificateFactory.getInstance("X509");
        CertPath certPath =
            certFactory.generateCertPath(certVector);
    } catch a million exceptions...

The array to list conversion is quite annoying. You cannot extend
CertificateFactory to add a method accepting an array of certificates
because it is final and you cannot implement your own
CertificateFactorySpi without a certificate from Sun. The policy is Sun
doesn't want you to add methods to the API. Alright from a security
perspective. But OTOH the API is incomplete. You have the choice: Work
around the design flaws and ruin your clean design or build your own API.

And I didn't even start to tell you about incomaptibilities between
BouncyCastle's and Sun's X509Names, where you have to reverse the list
of attributes in the DNs...

>> while CertStore uses selectors. TrustManager and CertPathBuilder do
>> not share the slightest amount of functionality, even though the
[quoted text clipped - 5 lines]
> it makes sense to have a X509TrustManager based on the certpath API (but
> the implementation effort should not too high).

Decoupling is OK, but it should be easier to plug them together if you
want to. I am just fed up of writing adapter classes.

> Wolfgang

JK.
Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.