0

Refer http://java-buddy.blogspot.com/2016/07/java-example-of-ssl-server-and-client.html

So I have tried the same procedure of running the client and server code by passing the keystore to server and truststore for client as suggested in the above blog link.

Question 1> So i have used the same keystore at server as a truststore at client, which was generated by command 'keytool -genkey -alias signFiles -keystore examplestore'. Whats going on here ?. How does the client pick the Trusted CA from that examplestore(which is keystore for server but truststore for client) file or more appropriately how does the keystore act as truststore and what does that file exactly consist of ?.

So what i know is, the keystore has public and private key pair along with the cert. for cuurent scenario its not yet a signed cert by a CA.

Question 2> So we need to create that .crt file and get it signed by the CA and then again embed it within the keyStore. Embedding the crt file means importing .Is this correct understanding? What does it mean by self signing the cert ? Does the command 'keytool -genkey -alias signFiles -keystore examplestore' create a self signed cert ?

I also tried appending keystore for client and truststore for server which refers the same file generated by command 'keytool -genkey -alias signFiles1 -keystore examplestore1', in the arguments while running respective code. And the code ran successfully.

I also tried playing with the arguments like changing the truststore of server to something that doesn't verify the keystore of client. But still the code worked.

But the code threw following exception "javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown" when i tried changing the truststore of client that doesn't verify the server keystore.

PRIME QUESTION:

Question 3> Does this mean that its not triggering mutual authentication and if so, how to make it trigger ? And does it SUPPORT mutual authentication in first place ?

Mandar Autade
  • 336
  • 2
  • 12
  • Asking multiple questions at once is a bad idea. See: [Why isn't t good to ask multiple questions](https://meta.stackoverflow.com/questions/371614/why-isnt-it-good-to-ask-multiple-questions-and-answers-in-one-question) and [Questions to avoid asking](https://stackoverflow.com/help/dont-ask) – Nevus Aug 18 '19 at 12:09

1 Answers1

0

First of all, let's clarify a few points:

  • A JKS file consists of entries where each entry is either a PrivateKeyEntry or trustedCertEntry. (There are other types for symmetric keys, yes, but let's forget about them while talking about public key cryptography.)
  • When you run genkey, you are generating a private key entry. It contains both private & public key, as you guess.
  • You can export only public key from a private key entry, and then import it into another JKS, which turns out to be a trusted cert entry this time, since it only contains public key.
  • Every generated certificate is initially self-signed. It's not self-signed only if another private key entry (of a CA) is used to sign it. A trusted cert entry may be either self-signed or CA-signed. Root CA certificates are always self-signed though.
  • Using a JKS as truststore means you are trusting the entries in it, whether they are self-signed or CA signed. You can create your own CA, import its public key to a JKS file and use it as your truststore. This means that you trust only the certificates that are signed (directly or indirectly) by your CA. (Indirectly means there are intermediate certificates that are signed by your CA and used again for signing other certificates.)

Now for your questions,

Q1

As stated above, using keystore as truststore means "trust the entries in it", so it works. No need to be signed by another party (i.e. CA).

Q2

"Embedding the crt file means importing .Is this correct understanding?"

Yes.

"Does the command 'keytool -genkey -alias signFiles -keystore examplestore' create a self signed cert ?"

Yes.

Regarding your trials with different keystore & truststore configurations: In a typical SSL setup, only the server has a private key and presents its certificate. Only the client verifies the server, not vice versa. If the servers were configured to ask for certificates (it's possible to do that), then you would have to select your private key while browsing https sites. It is quite uncommon to verify clients. That's why, both providing a keystore to the client and a truststore to the server has no effect. It fails only if you give an invalid truststore to the client.

Q3 SSL supports mutual authentication, yes. Check here for a good answer.

ram
  • 1,099
  • 1
  • 7
  • 22
  • Also does the handshake actually happen when server or client, anybody writes to the stream. – Mandar Autade Aug 27 '19 at 08:08
  • HTTPS encapsulates HTTP, as you know, and always the client requests something. Server responds according to the request. So this handshake takes place before the client attempts to connect & write something. – ram Aug 27 '19 at 18:58