Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Obtaining the certificate chain

Tags:

java

certificate

x509certificate

cryptography

digital-certificate

I am working with X509 certificates in Java. Given a certificate is it possible to find all other certificates in the signing hierarchy until you reach the root certificate?

I have a certificate file (with a .cer extension) and I want to extract the parent signing certificate. I want to keep finding the parent of that certificate untill I get the final root certificate, which is self signed.

I have checked the X509Certificate certificate APIs and relevant APIs in java.security.cert but could not find anything useful.

like image 639
user496934 Avatar asked Jun 19 '12 08:06

user496934

People also ask

How do you find the certificate chain?

You can check for your SSL certificate chain using your browser. For my case, I used Google Chrome. With Chrome, click the padlock icon on the address bar, click certificate, a window will pop-up.

What is the certificate chain of trust?

The chain of trust of a certificate chain is an ordered list of certificates, containing an end-user subscriber certificate and intermediate certificates (that represents the intermediate CA), that enables the receiver to verify that the sender and all intermediate certificates are trustworthy.

1 Answers

That is not hard - assuming you've somehow/out of band got all the intermediate certificates and the root cert in one or more keychains.

Have a look at 

http://codeautomate.org/blog/2012/02/certificate-validation-using-java/

for a code snipped which does just that. The key bit is in validateKeyChain() and basically consists of

   cert = cert-to-validate
   while(not self signed) {
       extract issuer from cert
       scan keychain(s) to find cert with a subject equal to the issuer
       if none found - error
       check if the signature is correct.
       cert = issuers_cert
   }
   if not at the top/root - error

As to how you get the intermediate/root certificates - that is a different issue. Note that this code is a little bit naive - and does not quite understand cross-signing. The java pkix calls though though - BouncyCastle has an example.

You can generally build the root certs into a key chain; but the intermediate certificates often need to be 'gathered' or discovered more dynamically. This generally requires querying the SSL stack during TLS or similar.

like image 136
Dirk-Willem van Gulik Avatar answered Sep 20 '22 10:09

Dirk-Willem van Gulik
Sign in to Comment

Related questions

How does remote debugging work? Does code need to be compiled on the local box?
Java ssl/https client using a self-signed certificate
How to preserve XML nodes that are not bound to an object when using SAX for parsing
Tokenization, and indexing with Lucene, how to handle external tokenize and part-of-speech?
Hibernate UnUniqueify a column in table
Autowiring beans from a different module
How to obtain instance of Instrumentation in Java
Socket issues in simple Scala TCP server
PowerMockito: got InvalidUseOfMatchersException when use matchers mocking static method
How to deploy a web service to amazon EC2?
Unit tests for printing in Java Swing
How to auto connect a WiFi with specified SSID?
JMock - several invocations with different arguments
How do I prevent implicit Java compilation when the class exists in the classpath?
Maven Release Plugin not updating SNAPSHOTs in dependencyManagement
Using FragmentManager and FragmentTransaction in a DialogFragment
Cipher / 3DES / CFB / Java and PHP
Java Runtime exec throws no such file or permission denied
Decrypt the encrypted file content?
How to read the second column in a large file

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!