Re: X.509 Certificate Testing...

2016-09-16 Thread Sean Mullan 
The NIST PKITS test suite is a good one and contains a whole bunch of 
certificates/CRLs for testing compliance with RFC 3280: 
http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html


--Sean

On 09/15/2016 07:19 PM, Milton Smith wrote:

Hi All,

I'm looking for a set of certificates, self-signed certs, cross-signed
certs, small chains, large chains, different critical and non-critical
sections, revoked certs, blacklisted certs, invalid, not yet valid, time
stamped, etc.  I realize it's difficult to be comprehensive but is there
anything anyone can recommend for unit tests or CD/CI builds?  Trying to
avoid creating all this if it exists already.  Thanks!

Regards,
Milton

Re: Intended behavior of the -providerName option of keytool

2016-09-16 Thread Wang Weijun 

> On Sep 15, 2016, at 11:53 PM, Michael Wang  wrote:
> 
> Hi,
> 
> I'm trying to understand what the -providerName option of keytool does. The 
> documentation for -providerName just says:
> 
> "Used to identify a cryptographic service provider's name when listed in the 
> security properties file."
> 
> Which doesn't really say anything about how it should be used and the 
> resulting behavior.
> 
> I looked at the latest Java 9 source code for keytool, the only 2 places that 
> I see that uses providerName are
> 
> a. Getting an instance of the keystore, with:
> KeyStore.getInstance(storetype, providerName);
> 
> b. Getting an instance of key pair generator, with:
> new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
> 
> It looks like all other calls in keytool that requires the services of a 
> provider does not use providerName, so it defaults to looking up the matching 
> provider from the providers list.
> 
> This behavior doesn't seem very clear cut to me.
> I think -providerName should used to either:
> 
> 1. Specify the provider of the keystore only. All other services used by 
> keytool that requires a provider will look up the provider using the default 
> providers list.
> 
> 2. Specify the provider of all services used by keytool that requires a 
> provider, including keystore.

This is the intended behavior. However, we only use providerName when it's 
necessary:

The reason why you see it is not used everywhere can be due to several reasons:

1. storetype is already different for different providers so it's not necessary.

2. some object is smart enough to switch provider even after getInstance. For 
example, if you call sig = Signature.getInstance("SHA1withRSA") to get a 
signature object it is not actually fully initialized. Next when you call 
sig.initSign(key), it will use the provider of key as its provider if necessary.

Thanks
Max


> 
> I just want to understand what the intended behavior should be.
> 
> Thanks,
> Michael Wang