Java/Android - X509 certificate verification against a CA certificate (issuer certificate)

This may be a recurring question, but I did not get full clarity from the previous question, so I am posting a new one. Please take a look at this. I put the CA certificate in my resources folder for CA certificate authentication, and the same CA certificate will also be on the server.

  • I am creating a .crt file that is not signed by any certificate and sending it to the server.
  • The server will sign the .crt file using the CA certificate and send the file back to me.
  • After receiving the signed .crt file, I need to check it against my CA certificate, which I already have in the resources folder.

I can create a TrustManager with my CA certificate using the following code:

    // Imports needed by the snippet
    import android.content.res.AssetManager;
    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManagerFactory;

    AssetManager assetManager = getResources().getAssets();
    InputStream inputStream;
    try {
        inputStream = assetManager.open("Issuer certificate");
    } catch (IOException e) {
        // Do not carry on with a null stream if the asset is missing
        throw new IllegalStateException("CA certificate asset not found", e);
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    InputStream caInput = new BufferedInputStream(inputStream);
    Certificate ca;
    try {
        ca = cf.generateCertificate(caInput);
        System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
    } finally {
        caInput.close();
    }
    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", ca);
    // Create a TrustManager that trusts the CAs in our KeyStore
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(keyStore);

After creating this trust manager, how do I compare the .crt certificate that I received from the server ... My doubt is: do I need to create another trust manager, and then compare the names of the providers of these two trust managers? Please provide any information on this process if I am mistaken.

+6
2 answers

Finally, I was able to verify the certificate with the following process. Hope this helps others ...

    import android.content.res.AssetManager;
    import java.io.BufferedInputStream;
    import java.io.InputStream;
    import java.security.cert.CertPath;
    import java.security.cert.CertPathValidator;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.PKIXCertPathValidatorResult;
    import java.security.cert.PKIXParameters;
    import java.security.cert.TrustAnchor;
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.List;
    import java.util.Set;

    public void validateCertificate() throws Exception {
        try {
            String issuerCertPath = "Issuer Certificate";
            String certPath = "Issued Certificate";
            X509Certificate issuerCert = getCertFromFile(issuerCertPath);
            X509Certificate c1 = getCertFromFile(certPath);

            // The CA certificate from the assets folder is the only trust anchor
            TrustAnchor anchor = new TrustAnchor(issuerCert, null);
            Set<TrustAnchor> anchors = Collections.singleton(anchor);

            // The path to validate contains just the issued certificate
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            List<Certificate> list = Arrays.asList(new Certificate[] { c1 });
            CertPath path = cf.generateCertPath(list);

            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // no CRL/OCSP for the private CA
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            // validate() throws CertPathValidatorException if the path is not valid
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("VALID");
        } catch (Exception e) {
            System.out.println("EXCEPTION " + e.getMessage());
            e.printStackTrace();
        }
    }

    private X509Certificate getCertFromFile(String path) throws Exception {
        AssetManager assetManager = MyActivity.this.getResources().getAssets();
        // Let a missing asset propagate as an exception instead of continuing with a null stream
        try (InputStream caInput = new BufferedInputStream(assetManager.open(path))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(caInput);
        }
    }
+4
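Pulling the question's three steps and the answer above together, here is an added example in plain JDK Java; it is not the asker's or the answerer's code. It reads the bundled CA certificate and the certificate the server signed from the hypothetical files ca.pem and issued.pem (on Android the bytes would come from assetManager.open(...) instead) and checks the chain in three equivalent ways: by hand, with the PKIX validator the answer uses, and by asking the TrustManager built in the question directly, which is what the question's doubt about a second trust manager comes down to.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not from the question or the answers): three ways to check
 * that the certificate the server issued chains to the CA certificate the app
 * ships. Plain JDK; on Android replace Files.readAllBytes(...) with the bytes
 * from assetManager.open(...). The file names are hypothetical.
 */
public class IssuedCertCheck {

    /** Parses one PEM- or DER-encoded X.509 certificate. */
    static X509Certificate parse(byte[] encoded) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new ByteArrayInputStream(encoded)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** 1. What the chain check boils down to, done by hand. */
    static void checkByHand(X509Certificate ca, X509Certificate issued) throws Exception {
        if (!issued.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            throw new CertificateException("issuer name does not match the CA subject");
        }
        issued.verify(ca.getPublicKey()); // SignatureException unless signed by this CA's key
        issued.checkValidity();           // CertificateExpiredException / CertificateNotYetValidException
    }

    /** 2. PKIX path validation with the bundled CA as the only trust anchor. */
    static void checkWithPkix(X509Certificate ca, X509Certificate issued) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(issued));
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
        params.setRevocationEnabled(false); // private CA: no CRL or OCSP responder to consult
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws CertPathValidatorException
    }

    /** 3. The TrustManager from the question, asked directly; no second TrustManager is needed. */
    static void checkWithTrustManager(X509Certificate ca, X509Certificate issued) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // authType is the TLS key-exchange name the trust manager expects, not the bare
        // key algorithm ("EC" would be rejected); RSA and EC end-entity keys are covered here.
        String authType = "RSA".equals(issued.getPublicKey().getAlgorithm()) ? "RSA" : "ECDHE_ECDSA";
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // Chains to the CA in the KeyStore and, in addition, applies the platform's
                // TLS-server rules (keyUsage / extendedKeyUsage, when those extensions exist).
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { issued }, authType);
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file names: ca.pem is the CA bundled with the app,
        // issued.pem is what the server returned after signing the request.
        String caFile = args.length > 0 ? args[0] : "ca.pem";
        String issuedFile = args.length > 1 ? args[1] : "issued.pem";
        X509Certificate ca = parse(Files.readAllBytes(Paths.get(caFile)));
        X509Certificate issued = parse(Files.readAllBytes(Paths.get(issuedFile)));
        checkByHand(ca, issued);
        checkWithPkix(ca, issued);
        checkWithTrustManager(ca, issued);
        System.out.println("issued certificate chains to " + ca.getSubjectX500Principal());
    }
}
```

Run as `java IssuedCertCheck ca.pem issued.pem`; any of the three checks throws on a certificate that was not signed by that CA, is outside its validity period, or names a different issuer. Way 3 is the strictest: the platform's X509TrustManager also enforces TLS-server rules, so if the issued certificate carries keyUsage or extendedKeyUsage extensions they must permit TLS server use. Revocation is switched off in way 2 because a private CA usually publishes no CRL or OCSP responder, which means a compromised issued certificate can only be distrusted by rotating the CA or by an out-of-band check of its serial number.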

Referring to the comment made by @Flow on the answer to the question, I was able to add the host name check using the following code fragment:

    X509Certificate cert; // the certificate received from the server
    DefaultHostnameVerifier hv = new DefaultHostnameVerifier();
    hv.verify("dummyhostname.com", cert); // throws SSLException on mismatch

The host name verifier is available as org.apache.http.conn.ssl.DefaultHostnameVerifier and is used in SSLConnectionSocketFactory. If someone thinks this is wrong, I would like to know; this was the result of a short Google search.

0
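As an added example, not part of the answer above, the following plain-JDK code spells out the name-matching rules such a verifier applies, so they can be read and exercised without an HTTP client library: dNSName and iPAddress entries are taken from the subjectAltName extension, comparison is case-insensitive, a wildcard is accepted only as the whole left-most label of an identifier with at least three labels, and the subject CN is not consulted (the older CN fallback is deliberately left out). The host names and SAN lists in main() are constructed for the demonstration; DefaultHostnameVerifier can additionally be given a public-suffix matcher, which is omitted here.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLException;

/*
 * Added example (not from the answer): host name matching against the
 * subjectAltName extension, with the same shape as DefaultHostnameVerifier.verify(host, cert).
 * The SAN contents and host names used in main() are constructed for the demonstration.
 */
public class HostnameMatch {

    /** Collects SAN entries of one GeneralName type: 2 = dNSName, 7 = iPAddress (returned as text). */
    static List<String> subjectAltNames(X509Certificate cert, int type) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return names; // no SAN extension at all
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == type && san.get(1) instanceof String) {
                names.add((String) san.get(1));
            }
        }
        return names;
    }

    /**
     * One dNSName identifier against one host: case-insensitive; a wildcard only as the whole
     * left-most label of an identifier with at least three labels, and it spans exactly one label.
     * So "*.example.com" matches "www.example.com" but not "example.com", "a.b.example.com" or "*.com".
     */
    static boolean matchesDnsName(String host, String identifier) {
        String h = host.toLowerCase(Locale.ROOT);
        String id = identifier.toLowerCase(Locale.ROOT);
        if (!id.startsWith("*.")) {
            return h.equals(id);
        }
        String[] idLabels = id.split("\\.", -1);
        String[] hostLabels = h.split("\\.", -1);
        if (idLabels.length < 3 || hostLabels.length != idLabels.length || hostLabels[0].isEmpty()) {
            return false;
        }
        for (int i = 1; i < idLabels.length; i++) {
            if (!hostLabels[i].equals(idLabels[i])) {
                return false;
            }
        }
        return true;
    }

    static boolean looksLikeIpv4(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    /** Accepts the host if any SAN entry of the right kind matches; the CN is never consulted. */
    static boolean hostMatches(String host, List<String> dnsNames, List<String> ipAddresses) {
        if (looksLikeIpv4(host)) {
            return ipAddresses.contains(host); // an IP must match an iPAddress entry exactly
        }
        for (String name : dnsNames) {
            if (matchesDnsName(host, name)) {
                return true;
            }
        }
        return false;
    }

    /** Same contract as DefaultHostnameVerifier.verify(host, cert): throws on mismatch. */
    static void verify(String host, X509Certificate cert) throws SSLException, CertificateParsingException {
        List<String> dns = subjectAltNames(cert, 2);
        if (!hostMatches(host, dns, subjectAltNames(cert, 7))) {
            throw new SSLException("certificate does not match host " + host + "; subjectAltNames=" + dns);
        }
    }

    public static void main(String[] args) {
        // Constructed SAN contents, as they would come out of the issued certificate
        List<String> dns = Arrays.asList("api.example.com", "*.example.com");
        List<String> ips = Arrays.asList("192.0.2.10");
        String[] hosts = { "api.example.com", "API.EXAMPLE.COM", "www.example.com",
                           "example.com", "a.b.example.com", "192.0.2.10", "192.0.2.11" };
        for (String host : hosts) {
            System.out.printf("%-18s -> %s%n", host, hostMatches(host, dns, ips) ? "match" : "NO MATCH");
        }
    }
}
```

With the constructed lists, api.example.com, API.EXAMPLE.COM, www.example.com and 192.0.2.10 match, while example.com, a.b.example.com and 192.0.2.11 do not. Note that this check only says the certificate names the host you intended to reach; it is meaningful only after the chain check above has confirmed that the certificate was issued by your CA.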

Source: https://habr.com/ru/post/953895/

