SSL and client certificates

 
author
If I were to use a client certificate when connecting to a server over HTTPS, how would the SSL implementation (JSSE) figure out which certificate to send (assuming there are many in the client's keystore)?
 
Greenhorn
Each certificate in a keystore is identified by an "alias" string.
Once you have your keystore object you can retrieve the pertinent certificate by calling a getCertificate(String alias) method.
You could read up on this through this link: http://java.sun.com/j2se/1.4.2/docs/api/java/security/KeyStore.html.
Cheers,
Alex
 
Lasse Koskela
author
Thanks Alex,
However, I already knew that much. What I'm wondering is what happens under the covers if I don't locate the Certificate myself but instead let the JSSE "https" handler take care of everything -- will it blindly pick the first certificate from the keystore or use some kind of "preference" logic to determine the "best match" to what the server is requesting during the handshake?
Please, just say so if I'm way off here. I'm really new to client certificates...
 
Alex Black
Greenhorn
Hi Lasse,
I am not sure what you mean by letting the "https" handler take care of everything... Could you provide some code instead?
Alex
 
Lasse Koskela
author
What I'm after is that instead of doing

we can (with JDK 1.4) do this instead:

And the actual question is whether we can do the latter if a client certificate is required by the server?
 
Alex Black
Greenhorn
Hi Lasse,
Yes, a client certificate is still required, in spite of this not really being evident in the second snippet of code.
All the implementation hidden underneath the HttpsURLConnection is literally (almost) identical to the first code snippet.
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again, the trade-off is leaving us blind to what is actually going on.
Hope that helps.
Cheers,
Alex
 
Lasse Koskela
author

Originally posted by Alex Black:
It makes sense because it makes the whole ordeal of setting up SSL convenient for developers. Yet again the trade off is leaving us blind to what is actually going on.

So would it be a fair guess that "under the hood", the code is actually just picking the first certificate from the keystore? The other option, I think, would be that the server indicates some sort of preferences for the client certificate (a bit like the client advertises all the algorithms it knows upon starting the handshake) based on which the "https" protocol handler selects one of the client's certificates to be sent.
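As an added example, not code from this thread: under the hood, JSSE passes the key types and accepted CA names from the server's CertificateRequest to X509KeyManager.chooseClientAlias, and the default SunX509 key manager returns the first keystore alias that satisfies them, so which of several matching certificates is sent depends on keystore order. Wrapping that key manager pins the choice explicitly and makes the pinned alias the one HttpsURLConnection presents. The keystore path, password and alias are placeholders, and the code assumes a current JDK rather than 1.4.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Wraps JSSE's default X509KeyManager and pins the keystore alias offered as the client certificate. */
public class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    public PinnedAliasKeyManager(X509KeyManager delegate, String alias) { this.delegate = delegate; this.alias = alias; }

    // JSSE calls this during the handshake with the key types and CA names from the server's
    // CertificateRequest; the default manager returns the first alias that fits. We return the
    // pinned alias only if the delegate also accepts it, else null so the mismatch is visible.
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String keyType : keyTypes) {
            String[] acceptable = delegate.getClientAliases(keyType, issuers);
            if (acceptable == null) continue;
            for (String a : acceptable) if (a.equals(alias)) return alias;
        }
        return null;
    }
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return chooseClientAlias(keyTypes, issuers, null);
    }
    // The remaining X509KeyManager methods delegate unchanged.
    public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return delegate.chooseServerAlias(kt, iss, s); }
    public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
    public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Installs the pinned manager for all HttpsURLConnection instances; path, password and alias are placeholders.
    public static void install(String keystorePath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumes the key entry uses the keystore password
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++)
            if (kms[i] instanceof X509KeyManager) kms[i] = new PinnedAliasKeyManager((X509KeyManager) kms[i], alias);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null); // null trust managers: keep the platform default trust store
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Call install("/path/to/client.jks", "changeit".toCharArray(), "my-client-cert") once at startup; a later HttpsURLConnection handshake that requests a client certificate then either sends that alias or, if the server's constraints exclude it, sends none and fails visibly.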
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic