Re: Certificate chaining

David Brownell (db@Eng)
Thu, 28 May 1998 17:26:42 -0700

Date: Thu, 28 May 1998 17:26:42 -0700
From: David Brownell <db@Eng>
To: Baber Amin <bamin@novell.com>
Subject: Re: Certificate chaining

Although JDK 1.x doesn't support cert chains, the SSL package
used by HotJava Browser 1.1.2 (the most current version) in fact
does support them! SSL couldn't work without them. Per most of
the implementations I looked at a while back, the X509v1 code just
ignores any V3 extensions that exist.

The problem looks to be support of a particular signature algorithm,
with OID 1.2.840.113549.1.1.5 (some RSA ID). If that's some hash
algorithm like SHA1 (i.e, one without patent issues) encrypted with
RSA, our fix is pretty simple but does call for changes in JDK 1.1.x
as well as the SSL package's security provider. I'm not sure how
that plays out in JDK 1.2, but that "isTrustedFor" method would be
what checks the V3 extensions.

I think you'll just find that for the moment, we don't support that
particular algorithm in certificates. Please let us know what it is.

- Dave

p.s. I'm not sure why you see those exception stacktraces on the
console! But it should be clear what's happening: the
signature in the cert chain can't be verified, hence that
server isn't being trusted and so HotJava is terminating
the authorization check of that SSLTrustUI callback.

Baber Amin wrote:
>
> Hi, I am having problems with a certificate that we generated with our
> PKI product. It is x509V3 with certificate chains. I know that
> JDK1.1.3 does not support cert chains. Is it added in JDK1.1.6 yet?
> I am using Hot Java Browser 1.1.2, which version of JDK is it using?
> I have included the output from the console window, if that helps, your
> help is appreciated.
>
> Could you please reply back instead of posting a reply, or atleast send
> me pointer as to where I can read the posted reply.
>
> Thanks
> Baber
>
> bamin@novell.com
>
> ______________ Output from the console window -___________________
> java.security.SignatureException: Unsupported signature algorithm
> (OID.1.2.840.113549.1.1.5)
> at sun.security.x509.X509V1CertImpl.verify(X509V1CertImpl.java:144)
> at sun.security.x509.X509V1CertImpl.verify(X509V1CertImpl.java:122)
> at sunw.hotjava.security.SSLTrustUI.isTrustedFor(SSLTrustUI.java:156)
> at sun.security.ssl.Handshaker.peerCertificate(Handshaker.java:755)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
>
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:256)
> at sun.security.ssl.SSLSocketImpl.clearPipeline(SSLSocketImpl.java:625)
>
> at sun.security.ssl.SSLSocketImpl.write(SSLSocketImpl.java:437)
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
> at java.io.OutputStream.write(OutputStream.java:71)
> at sun.net.www.https.HttpsClient.doConnect(HttpsClient.java:329)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:268)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:313)
> at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
> at sun.net.www.http.HttpClient.<init>(HttpClient.java:215)
> at sun.net.www.https.HttpsClient.<init>(HttpsClient.java:229)
> at sun.net.www.https.HttpsClient.New(HttpsClient.java:242)
> at
> sun.net.www.protocol.https.HttpsURLConnection.connect(HttpsURLConnection.java:99)
>
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:328)
>
> at sunw.hotjava.doc.DocParser.run(DocParser.java:390)
> at java.lang.Thread.run(Thread.java:474)
>
> javax.net.ssl.SSLException: untrusted server cert chain
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1071)
> at sun.security.ssl.Handshaker.peerCertificate(Handshaker.java:758)
> at
> sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:128)
>
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:256)
> at sun.security.ssl.SSLSocketImpl.clearPipeline(SSLSocketImpl.java:625)
>
> at sun.security.ssl.SSLSocketImpl.write(SSLSocketImpl.java:437)
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:71)
> at java.io.OutputStream.write(OutputStream.java:71)
> at sun.net.www.https.HttpsClient.doConnect(HttpsClient.java:329)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:268)
> at sun.net.www.http.HttpClient.openServer(HttpClient.java:313)
> at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
> at sun.net.www.http.HttpClient.<init>(HttpClient.java:215)
> at sun.net.www.https.HttpsClient.<init>(HttpsClient.java:229)
> at sun.net.www.https.HttpsClient.New(HttpsClient.java:242)
> at
> sun.net.www.protocol.https.HttpsURLConnection.connect(HttpsURLConnection.java:99)
>
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:328)
>
> at sunw.hotjava.doc.DocParser.run(DocParser.java:390)
> at java.lang.Thread.run(Thread.java:474)