The KeyStore for a server can have many entries. The JavaDocs say:
Each entry in a keystore is identified by an "alias" string. In the case of private keys and their associated certificate chains, these strings distinguish among the different ways in which the entity may authenticate itself. For example, the entity may authenticate itself using different certificate authorities, or using different public key algorithms.
But which entry is passed back to the client? By stepping through the OpenJDK code, I came to this point:
Thread [main] (Suspended)
SunX509KeyManagerImpl.chooseServerAlias(String, Principal[], Socket) line: 271
ServerHandshaker.setupPrivateKeyAndChain(String) line: 1011
ServerHandshaker.trySetCipherSuite(CipherSuite) line: 879
SSLServerSocketImpl.checkEnabledSuites() line: 313
SSLServerSocketImpl.accept() line: 272
.
.
Where I saw this:
if ((aliases != null) && (aliases.length > 0)) {
return aliases[0];
}
The first alias is handed to the client no matter what, and that entry's private key is then set on the ServerHandshaker object.
So beware if you have other keys in your KeyStore: you might not be giving your client the one you intend.
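One way to avoid depending on aliases[0] is to wrap the default key manager and pin the server alias yourself. This is an added example, not code from the post or from OpenJDK; the class name, the pinnedIfType helper and the serverContext helper are my own, and it assumes the pinned alias holds a private key entry.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example (not from the post): pin the server alias instead of accepting aliases[0].
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String serverAlias;
    public PinnedAliasKeyManager(X509KeyManager delegate, String serverAlias) {
        if (delegate.getPrivateKey(serverAlias) == null) {
            throw new IllegalArgumentException("no private key under alias " + serverAlias);
        }
        this.delegate = delegate;
        this.serverAlias = serverAlias;
    }

    // Answer with the pinned alias only when its key matches the requested type
    // ("RSA", "EC", ...); otherwise decline so JSSE skips that cipher suite cleanly.
    private String pinnedIfType(String keyType) {
        PrivateKey key = delegate.getPrivateKey(serverAlias);
        return (key != null && key.getAlgorithm().equals(keyType)) ? serverAlias : null;
    }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return pinnedIfType(keyType); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) { return pinnedIfType(keyType); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        String a = pinnedIfType(keyType);
        return a == null ? null : new String[] { a };
    }
    // Client-side selection and key material lookups stay with the default manager.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return delegate.chooseClientAlias(keyType, issuers, s); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Builds an SSLContext whose server handshakes can only use the pinned entry.
    public static SSLContext serverContext(KeyStore ks, char[] keyPassword, String alias) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassword);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) throw new KeyManagementException("SunX509 returned no X509KeyManager");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PinnedAliasKeyManager(base, alias) }, null, null);
        return ctx;
    }
}
```

Create the server socket from serverContext(...).getServerSocketFactory() and the handshake can no longer pick a different entry from the KeyStore.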