RE: Certificate chaining w/javakey generated DSA certificates

David Brownell (David.Brownell@Eng)
Wed, 17 Sep 1997 11:28:35 -0700

Date: Wed, 17 Sep 1997 11:28:35 -0700
From: David.Brownell@Eng (David Brownell)
Message-Id: <199709171828.LAA08991@argon.eng.sun.com>
To: gchung@openhorizon.com
Subject: RE: Certificate chaining w/javakey generated DSA certificates

> Are there plans for future java interfaces to support certificate chaining
> that a PKI service provider could/should provide an implementation for?

When you say "PKI service provider" what do you mean? Is this a network
service (e.g. SSL-LDAP server, CA, etc) or is it someone who provides PKI
libraries for folk to code against? Or is it vague, "both"? The answer
varies depending on exactly what your question means!

The SSL extension just talks in terms of arrays of X509 certs, with the
root CA last. That array is returned as representing the peer identity.
There's also an API, currently internal:

import java.util.Date;

// X509Cert is the SSL extension's own certificate class (its package is not
// shown in the message); the interface itself is internal as of JDK 1.1.
public interface TrustDecider
{
    // Is the entity, presented as a cert chain with the root CA last,
    // trusted for the given purpose at the given point in time?
    boolean isTrustedFor (
        X509Cert entity [],
        String purpose,
        Date when
    );

    // The CAs accepted as trust anchors for the given purpose.
    X509Cert [] getAcceptedCAs (String purpose);
}

We provide one implementation of isTrustedFor() which validates the chain
using X.509v1 rules, and will in the future support PKIX style validation
using the upcoming X.509v3 APIs. Since it's a pluggable component, other
rules could be supported, accessing other (secured!) lists of trusted CAs
for use in validating. The getAcceptedCAs() method provides the list of
CAs supported for the specified purpose, e.g. SSL client authentication;
that list is clearly required by any implementation of isTrustedFor.

Similarly, the SSL extension also provides basic CA support for generating
PKCS #10 cert requests (that code moved from the SSL package into the JDK)
and importing responses, constructing cert chains, and storing them securely
along with their (passphrase encrypted) private keys. Also, adding new
CAs to the list of "trusted" CAs. All the PKI support started out with the
SSL extension; some of it has moved into JDK 1.1, other parts have been
incorporated (in various ways :-) into upcoming JDK releases.

As of JDK1.1 all of the PKI support is internal, subject to change, etc.

I can't speak to what upcoming JDK releases are providing for enhanced code
signing support, where analogous cert chain support is likewise essential!

- Dave
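The TrustDecider contract Dave describes (chain ordered with the root CA last, X.509v1-style validation, trust anchored only in CAs accepted for a purpose) written out as an added example; this is not code from the message or from the SSL extension. It is built on the public java.security.cert.X509Certificate API rather than the internal X509Cert class, and the class name SimpleTrustDecider and the purpose-to-CA map are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Map;

// Hypothetical TrustDecider implementation (example code, not the SSL extension's).
public final class SimpleTrustDecider {
    // Purpose (e.g. "SSL client authentication") -> CAs trusted for that purpose.
    private final Map<String, List<X509Certificate>> acceptedCAs;

    public SimpleTrustDecider(Map<String, List<X509Certificate>> acceptedCAs) {
        this.acceptedCAs = acceptedCAs;
    }

    public X509Certificate[] getAcceptedCAs(String purpose) {
        List<X509Certificate> cas = acceptedCAs.getOrDefault(purpose, List.of());
        return cas.toArray(new X509Certificate[0]);
    }

    // Chain is leaf first, root CA last, as the SSL extension returns it.
    public boolean isTrustedFor(X509Certificate[] entity, String purpose, Date when) {
        if (entity == null || entity.length == 0) return false;
        try {
            for (int i = 0; i < entity.length; i++) {
                X509Certificate cert = entity[i];
                cert.checkValidity(when);   // must be valid at the time asked about
                // X.509v1-style rule: each cert is signed by the next one in the
                // chain; the last (root) cert is self-signed.
                X509Certificate issuer = (i + 1 < entity.length) ? entity[i + 1] : cert;
                if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                    return false;           // issuer/subject names do not link up
                }
                cert.verify(issuer.getPublicKey());
            }
        } catch (GeneralSecurityException e) {
            return false;  // expired, not yet valid, bad signature, unsupported algorithm
        }
        // A chain that verifies is still untrusted unless its root is a CA
        // accepted for this purpose; the accepted list is the real trust anchor.
        X509Certificate root = entity[entity.length - 1];
        for (X509Certificate ca : getAcceptedCAs(purpose)) {
            if (ca.equals(root)) return true;
        }
        return false;
    }
}
```

The `Date when` parameter matters for the forensic case: a signature made while the chain was valid can be re-checked later against the time it was made, rather than against the current clock.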