I am working with X509 certificates in Java. Given a certificate is it possible to find all other certificates in the signing hierarchy until you reach the root certificate?
I have a certificate file (with a .cer extension) and I want to extract the parent signing certificate. I want to keep finding the parent of that certificate until I get the final root certificate, which is self-signed.
I have checked the X509Certificate certificate APIs and relevant APIs in java.security.cert but could not find anything useful.
You can check your SSL certificate chain using your browser. For my case, I used Google Chrome. With Chrome, click the padlock icon on the address bar, then click Certificate; a window will pop up.
The chain of trust of a certificate chain is an ordered list of certificates, containing an end-user subscriber certificate and intermediate certificates (that represent the intermediate CAs), that enables the receiver to verify that the sender and all intermediate certificates are trustworthy.
That is not hard - assuming you've somehow/out of band got all the intermediate certificates and the root cert in one or more keychains.
Have a look at http://codeautomate.org/blog/2012/02/certificate-validation-using-java/ for a code snippet which does just that. The key bit is in validateKeyChain() and basically consists of
    // keychain: the intermediate/root certs you gathered; trustedRoots: the roots you actually trust
    X509Certificate cert = certToValidate;
    while (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) { // not self-signed
        X500Principal issuer = cert.getIssuerX500Principal();                        // extract issuer from cert
        X509Certificate issuerCert = null;
        for (X509Certificate c : keychain)                                           // scan keychain(s) for subject == issuer
            if (c.getSubjectX500Principal().equals(issuer)) { issuerCert = c; break; }
        if (issuerCert == null) throw new CertificateException("issuer not found: " + issuer); // none found - error
        cert.verify(issuerCert.getPublicKey());                                      // check that the signature is correct
        cert = issuerCert;
    }
    cert.verify(cert.getPublicKey());                                                // self-signed root must verify with its own key
    if (!trustedRoots.contains(cert)) throw new CertificateException("chain does not end at a trusted root");
As to how you get the intermediate/root certificates - that is a different issue. Note that this code is a little bit naive - and does not quite understand cross-signing. The Java PKIX calls do, though - BouncyCastle has an example.
You can generally build the root certs into a key chain; but the intermediate certificates often need to be 'gathered' or discovered more dynamically. This generally requires querying the SSL stack during TLS or similar.
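A complete program showing both approaches the answer above describes, as an added example that is not from the original answer or from the linked blog: the naive issuer-name walk over a pool of gathered certificates, and the JDK's own PKIX path builder (java.security.cert.CertPathBuilder), which also copes with cross-signed and re-keyed CAs because it tries every candidate issuer rather than the first name match. The file names leaf.cer, the intermediates/ directory and the use of the JDK's cacerts file as the trust store are assumptions for the example; revocation checking is switched off so it runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not the original answer's code.
 * Usage (assumed file names): java ChainBuilder leaf.cer intermediates/
 * leaf.cer is the end-entity certificate (DER or PEM); intermediates/ holds
 * candidate issuer certificates as *.cer; trust anchors come from the JDK cacerts.
 */
public class ChainBuilder {

    static X509Certificate readCert(Path p) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509"); // accepts DER and PEM
        try (InputStream in = Files.newInputStream(p)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Default JDK trust store; password "changeit" is the JDK default (assumption: it was not changed). */
    static KeyStore loadDefaultTrustStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        try (InputStream in = new FileInputStream(cacerts.toFile())) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks;
    }

    static Set<X509Certificate> trustedCerts(KeyStore ks) throws Exception {
        Set<X509Certificate> out = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            Certificate c = ks.getCertificate(e.nextElement());
            if (c instanceof X509Certificate) out.add((X509Certificate) c);
        }
        return out;
    }

    /** Naive walk: issuer name -> subject name, verify signature, stop at a trusted self-signed root. */
    static List<X509Certificate> walkIssuers(X509Certificate leaf, Collection<X509Certificate> pool,
                                             Set<X509Certificate> trusted) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cert = leaf;
        while (true) {
            chain.add(cert);
            if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                cert.verify(cert.getPublicKey()); // self-signed: signature must verify with its own key
                if (!trusted.contains(cert)) throw new CertificateException("root is not a trust anchor");
                return chain;
            }
            X509Certificate issuer = null;
            for (X509Certificate c : pool) {
                if (!chain.contains(c) && c.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                    try { cert.verify(c.getPublicKey()); issuer = c; break; }
                    catch (Exception sameNameWrongKey) { /* cross-signed or re-keyed CA: keep looking */ }
                }
            }
            if (issuer == null) throw new CertificateException("no issuer found for " + cert.getSubjectX500Principal());
            cert = issuer;
        }
    }

    /** PKIX path building: the JDK searches the pool for a valid path to any trust anchor in the key store. */
    static PKIXCertPathBuilderResult buildPkixPath(X509Certificate leaf, Collection<X509Certificate> pool,
                                                   KeyStore trust) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        List<X509Certificate> all = new ArrayList<>(pool);
        all.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(all)));
        params.setRevocationEnabled(false); // offline example; enable CRL/OCSP checking in production
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate leaf = readCert(Paths.get(args[0]));
        List<X509Certificate> pool = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(Paths.get(args[1]), "*.cer")) {
            for (Path p : ds) pool.add(readCert(p));
        }
        KeyStore trust = loadDefaultTrustStore();
        pool.addAll(trustedCerts(trust)); // roots can serve as issuers in the naive walk too

        System.out.println("Naive walk:");
        for (X509Certificate c : walkIssuers(leaf, pool, trustedCerts(trust)))
            System.out.println("  " + c.getSubjectX500Principal());

        PKIXCertPathBuilderResult r = buildPkixPath(leaf, pool, trust);
        CertPath path = r.getCertPath(); // leaf through last intermediate; the anchor is reported separately
        System.out.println("PKIX path:");
        for (Certificate c : path.getCertificates())
            System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
        System.out.println("  anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
    }
}
```

The naive walk answers the literal question (find the parent, then the parent's parent) but only checks names and signatures; the PKIX builder additionally enforces validity periods, basic constraints, key usage and name constraints, and will try several same-named issuers, so prefer it whenever you need a trust decision rather than a listing. Neither method fetches missing intermediates: as the answer says, you still have to gather them, for example from the TLS handshake or from the caIssuers URL in the leaf's Authority Information Access extension.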