complete certificate path validation

Xuelei Fan xuelei.fan at oracle.com
Tue Jul 12 02:32:02 UTC 2011


On 7/12/2011 9:59 AM, David Pomeroy wrote:
> Hi Xuelei,
> 
> The requirement is to keep the client certificate as small as possible. 
> I'd rather not have to store the sub CA certificate on the client.
> 
> I see that the server is sending a "certificate request" as part of the
> TLS handshake protocol.  The DNs of the trusted certificates are
> specified in the request.
> 
> It looks like the Sun JSSE provider does not support this
> configuration.  Can you confirm?
> 
It depends.

If there is no way to build a certification path to the trusted
certificates sent by the server, the Oracle JSSE provider, SunJSSE, cannot
work by default.

JSSE is a flexible framework; you can do a lot of customization. Please
refer to the JSSE reference guide if you want to change the default
behaviors of SunJSSE:
http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html

Xuelei


> Thanks, Dave
> 
> 
> On Mon, Jul 11, 2011 at 6:21 PM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
>     Hi Dave,
> 
>     What are the underlying requirements that the client cannot send a full
>     certification path? That's not the way TLS works.
> 
>     You may also be interested in the post, "Best Practice: to Include the
>     Complete Certificate Chain in the KeyStore",
>     http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html
> 
>     Regards,
>     Xuelei
> 
>     On 7/12/2011 7:13 AM, David Pomeroy wrote:
>     > Hello All,
>     >
>     > I'm trying to figure out if a certain security configuration is
>     > supported in openJDK or not.
>     >
>     > I want to do client authentication at the server with one trusted root
>     > self-signed anchor certificate.  Then I want the client to send up only
>     > a client certificate, that was issued by a subordinate CA.  I want to
>     > use the "PKIX" TrustManagerFactory to accomplish this.
>     >
>     > The client authentication succeeds when the subordinate CA certificate
>     > is added to the truststore used to initialize the PKIXBuilderParameters
>     > that is fed into the TrustManagerFactory.  However, the subordinate CA
>     > is not a root (self-signed) certificate and the PKIXCertPathValidator
>     > doesn't seem to care about that.  This doesn't meet my requirements,
>     > since the client cert path is not built all the way up to a root
>     > certificate.
>     >
>     > If I do not include the subordinate CA certificate in the truststore,
>     > the client cannot connect and it doesn't seem like the validator is
>     > invoked at all.  I know I would have to include the sub CA certificate
>     > somehow but I'm not sure how to do this.
>     >
>     > Is this configuration even supported?  I have tried openJDK 6 and 7,
>     > same results with each.
>     >
>     > I imagine if the client sent up the sub CA certificate as well as the
>     > client certificate, the chain would be validated from the root all the
>     > way down. However, this is not the desired configuration.
>     >
>     > Any help here would be appreciated.
>     >
>     > Thanks!
>     > Dave P
> 
> 
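
An added example, not part of the thread and not code from either poster: one way to do the server-side customization discussed above, keeping the self-signed root as the only trust anchor and handing the sub CA to the "PKIX" TrustManagerFactory as untrusted path-building material through a CertStore. The class name, the PEM file arguments and the disabled revocation check are assumptions made for the sample (Java 7 or later).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class RootOnlyTrust {

    static X509Certificate load(String pemPath) throws Exception {
        try (InputStream in = new FileInputStream(pemPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // Root is the only anchor; intermediates are validated, never trusted.
    static TrustManager[] trustManagers(X509Certificate root,
            Collection<X509Certificate> intermediates)
            throws Exception {
        // Reject an anchor that is not self-signed: verify() throws on mismatch.
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            throw new CertificateException("anchor is not self-issued");
        }
        root.verify(root.getPublicKey());

        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(root, null));
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(anchors, new X509CertSelector());
        // The sub CA goes into a CertStore, not the trust store.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        // Assumption for the sample only; enable with CRL/OCSP sources in production.
        params.setRevocationEnabled(false);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // args[0] = root PEM, args[1] = sub CA PEM (hypothetical file names)
        TrustManager[] tms = trustManagers(load(args[0]),
                Collections.singletonList(load(args[1])));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null); // pass the server's KeyManagers instead of the first null
        System.out.println("anchors: " + ((X509TrustManager) tms[0]).getAcceptedIssuers().length);
    }
}
```

This covers only the server's validation of a leaf-only client chain. Per the reply above, the default SunJSSE client still needs a way to build a path to the DNs in the certificate request, so the client side needs its own customization.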



