Date: Thu, 13 Aug 1998 14:22:42 -0700 (PDT)
From: Roni Korenshtein <ronikoren@yahoo.com>
Subject: Relationship between Certificate & other classes
To: java-security@java.sun.com
Hi,
I am still a little confused by the subtle and undocumented (yet)
relationship between
Certificate, CertificateFactory and KeyStore
Perhaps someone can clarify these for me:
Is this true:
1. When KeyStore saves a certificate instance
it simply calls cert.getType() and cert.getEncoded()
and writes the String and byte array.
2. When KeyStore loads a certificate instance
it simply reads a string representing the type
then it gets an instance of a certificate factory
which corresponds to this type and calls its
generateCertificate method passing it the stream
containing the byte array
3. there are only 2 ways directly supported by the JCA
classes to instantiate a certificate:
1. by calling a constructor which calls super(type)
2. by pointing a certificate factory instance of a
specific type at an input stream containing
bytes which represent the content of the
resultant instance
4. there is only one way to save a certificate instance
in secondary storage: call getEncoded and
save it as is or parse it (if you know the structure), extract
the info from it and save it
in any other way you want, as long as you have
a factory that knows how to read this saved format.
5. getType returns a string representing the type
of certificate this is. this type has 2 meanings:
1. it indicates what logical information
is stored in this certificate
2. it indicates what getEncoded returns which is
its externalized format.
the current implementation therefore dictates
that for a given type of "logical" certificate
there is 1 and no more than 1 standard for writing
this type out to a file.
Questions:
1. why is Certificate so unique and different from
the rest of the JCA? why aren't there a
CertificateGenerator, CertificateSpec,
AlgorithmParameterSpec, etc. in a manner consistent
with other JCA components?
2. assuming 5 above is correct... why is that?
as in model-view pattern
shouldn't there be a separation between
abstract logical content of the certificate (model)
and its many possible externalized formats (views)?
3. KeyStore allows accessing the certChain
but replacing the certificate chain requires
the password. why is that?
and is the answer consistent with
the fact that setCertificateEntry does not require
a password
4. it would be nice if KeyStore allowed an object
of type Object to be stored in the keystore
in association with the alias.
it would be even nicer if there could be 2 objects
one of which was password protected.
if these objects were serializable KeyStore
would be more user friendly. currently if one wants
to save "other info" associated with the alias
one has to either create some higher level association which
wraps KeyStore
or implement one's own KeyStoreSpi.
(5. How does RMI handle Certificates if they're not
serializable?)
Thanks in advance, I appreciate the help.
I've read what's out there... perhaps you can
make it clearer.
Roni
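Added example, not part of the message above or of the JDK: a small Java program that round-trips the JDK's own trusted certificates through exactly the two values points 1 and 2 say KeyStore keeps (the getType() string and the getEncoded() bytes, read back through a CertificateFactory of that type), then stores the results with setCertificateEntry, which takes no password. It assumes a stock JDK with the trust store at $JAVA_HOME/lib/security/cacerts; the class name CertRoundTrip is the author's choice.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Enumeration;

public class CertRoundTrip {

    /** Rebuild a certificate from the only two things a KeyStore needs to
     *  persist for it: the type string and the encoded bytes. */
    static Certificate reconstruct(Certificate cert) throws Exception {
        String type = cert.getType();          // e.g. "X.509"
        byte[] encoded = cert.getEncoded();    // DER for X.509
        CertificateFactory cf = CertificateFactory.getInstance(type);
        return cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: stock JDK layout for the default trust store.
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            cacerts.load(in, null);   // null password: no integrity check, read-only use
        }

        // Fresh in-memory store; trusted-certificate entries need no password.
        KeyStore copy = KeyStore.getInstance(KeyStore.getDefaultType());
        copy.load(null, null);

        int checked = 0;
        Enumeration<String> aliases = cacerts.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!cacerts.isCertificateEntry(alias)) continue;
            Certificate original = cacerts.getCertificate(alias);
            Certificate rebuilt = reconstruct(original);
            // The factory must give back a byte-identical certificate.
            if (!rebuilt.equals(original)
                    || !Arrays.equals(rebuilt.getEncoded(), original.getEncoded())) {
                throw new IllegalStateException("round trip changed " + alias);
            }
            copy.setCertificateEntry(alias, rebuilt);   // no password parameter on this call
            checked++;
        }
        System.out.println("round-tripped " + checked + " certificates; copy holds " + copy.size());
    }
}
```

Contrast this with setKeyEntry, which is the KeyStore call that does take a password, because it protects a private key rather than a public certificate.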