Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
267 views
in Technique[技术] by (71.8m points)

java - Issue in checking server certificate in checkServerTrusted

I am referring Validate X.509 certificate against CA in Java this post.

My implementation of checkServerTrusted look like:

@Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) throws  CertificateException{
                 InputStream inStream;
                try {
                        inStream = new FileInputStream("E:\Desktop\cert\domain.crt");
                        CertificateFactory cf = CertificateFactory.getInstance("X.509");
                        X509Certificate Mycert = (X509Certificate)cf.generateCertificate(inStream);
                        inStream.close();      

                        if (certs == null || certs.length == 0 || authType == null
                                || authType.length() == 0) {
                            throw new IllegalArgumentException("null or zero-length parameter");
                        }

                         for (X509Certificate cert : certs) {
                             cert.verify(Mycert.getPublicKey());
                         }


                } catch (Exception e) {
                    // TODO Auto-generated catch block
                    throw new CertificateException("error in validating certificate" , e);
                }

            }

file domain.crt is exported from browser after opening website. certificate path look like enter image description here.

If i open this file in notepad only one BEGIN CERTIFICATE and END CERTIFICATE is their so its not chain of certificate.

If I debug code then, in for loop @ LOC cert.verify(Mycert.getPublicKey()); at the very first cert[0] certificate I got exception as java.security.SignatureException: Signature does not match.

Where I am doing wrong?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

It doesn't make sense to try to verify all the certificates in the chain against a single public key. Most of them won't have been signed by it, so the procedure is bound to fail, and throw an exception to the caller.

You need to review what it is you're supposed to do in this method. See the Javadoc. You're trying to establish a certificate path from this chain to a trusted root certificate.

In this case the trusted root certificate is presumably the one you loaded from the file.

What you should be doing therefore is:

  1. Look for that certificate in the chain, and if not found
  2. Verify the last certificate in the chain against this public key, as that is the topmost signer, and that's the only one you need to trust. The rest of them are trusted by their respective sucessors in the chain, and none of their successors are this trusted root certificate, by (1).
  3. If the certificate is found in the chain, verify the previous certificate. i.e. the one signed by this certificate, with this public key.

It isn't clear to me whether you need to also verify each certificate in the chain, except the last, with the next one's public key, but it can't hurt.

EDIT You should also implement the suggestion in this answer.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...