Reputation: 36432
I am trying to load a certificate file into a certificate object, but I am getting the below exception.
java.security.cert.CertificateParsingException: invalid DER-encoded certificate data
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1701)
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:303)
    at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:532)
    at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:417)
    at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:427)
Below is the code I am using to read the certificate file,
final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
final Collection<? extends Certificate> certs =
    (Collection<? extends Certificate>) certFactory.generateCertificates(
        new ByteArrayInputStream(FileUtils.readFileToByteArray(serverCertFile)));
Below are the contents of the certificate file,
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c1:cb:80:07:27:ce:4b:62
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=qw, ST=ewe, L=rew, O=rwerwe, OU=rwer, CN=rew/emailAddress=rewrew
Validity
Not Before: Jan 28 06:17:34 2013 GMT
Not After : Feb 27 06:17:34 2013 GMT
Subject: C=qw, ST=ewe, L=rew, O=rwerwe, OU=rwer, CN=rew/emailAddress=rewrew
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b6:d5:fd:01:2b:6d:ab:e2:da:a9:b4:a9:67:48:
ce:72:d9:15:de:66:22:8e:68:a8:7b:7e:55:06:97:
56:d2:bd:6a:2e:04:89:df:6a:36:9e:3d:ba:fc:32:
b2:8b:f0:69:5d:54:54:b6:3e:b5:55:38:89:1f:1c:
d0:4b:21:de:76:b3:be:fc:41:b5:62:b8:b8:3b:dc:
ad:6d:e1:fc:1c:56:6d:90:1a:b3:6c:57:7e:66:a0:
07:b9:16:99:cc:d4:c9:ee:05:7c:9d:1c:fb:6b:8f:
a3:4b:d6:1c:a9:aa:51:e1:41:0d:10:a9:fe:b6:1b:
f0:33:0c:ea:52:b9:9b:8e:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
FF:24:75:B1:32:C2:74:6D:B4:CB:22:A9:92:CF:F4:B6:4A:5F:0B:56
X509v3 Authority Key Identifier:
keyid:FF:24:75:B1:32:C2:74:6D:B4:CB:22:A9:92:CF:F4:B6:4A:5F:0B:56
DirName:/C=qw/ST=ewe/L=rew/O=rwerwe/OU=rwer/CN=rew/emailAddress=rewrew
serial:C1:CB:80:07:27:CE:4B:62
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
46:14:65:27:c2:cd:55:ba:b4:0f:92:ac:8c:e4:bd:e5:e5:8d:
e3:3b:59:52:9b:40:6a:dc:e3:cf:2c:03:49:e4:56:33:88:f6:
94:10:de:64:00:2e:c6:2a:13:98:d0:16:71:25:8a:ea:04:3f:
14:af:bf:8d:e1:7f:aa:54:78:68:32:86:67:9d:1d:42:fc:cb:
1d:f2:7c:0b:1d:24:2f:e5:3f:bd:01:bd:d7:2d:74:4a:e9:7b:
2f:25:97:64:7e:10:ba:bf:dd:49:6d:8a:91:e4:50:d8:a3:04:
cc:37:8c:45:bd:13:b7:88:72:ef:24:20:b1:aa:05:6c:37:36:
05:c6
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
If I use the same code after removing the contents of the certificate file from the top down to BEGIN CERTIFICATE, it works fine. But my requirement is that the certificate file will have those contents. Has anyone faced this error? Any help will be really appreciated.
Upvotes: 3
Views: 24638
Reputation: 30088
It looks to me like your certificate file may not be in the correct format.
The documentation for CertificateFactory.generateCertificates says,
In the case of a certificate factory for X.509 certificates, the certificate provided in inStream must be DER-encoded and may be supplied in binary or printable (Base64) encoding. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
I don't believe that the problem is as simple as adding the boundary markers to your existing certificate.
I've only ever used PEM format, which is base-64 encoded DER, so I don't know for sure that yours is the wrong format, but I'm guessing that a binary DER-encoded certificate is not human-readable text.
So, I'd suggest that you go back to the source certificate, and make sure that you get a copy with the correct format. If you have a different format for the original cert, you can convert it to PEM format with openssl.
Upvotes: 1
Reputation: 122719
The problem is that the CertificateFactory only reads a certificate in PEM format if it starts with -----BEGIN CERTIFICATE----- straight away. Some tools add extra information (here, the result of openssl x509 -text) first, but the certificate factory doesn't ignore it and treats it as a badly formed certificate.
Instead, use a BufferedReader and readLine() to read your file, ignoring any line until you get to -----BEGIN CERTIFICATE-----. Then, add all the lines until -----END CERTIFICATE----- to a temporary string variable (or similar, e.g. StringBuilder). Pass this to the CertificateFactory.
Upvotes: 2
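The approach from the last answer, written out as an added example that is not part of the original posts. The class name PemBlockLoader and its method names are assumptions; it goes slightly beyond the answer by keeping every BEGIN/END block (a file may hold a chain) and by rejecting a file with no block or an unterminated one.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

// Hypothetical helper class (name is an assumption, not from the page).
public class PemBlockLoader {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Keeps only BEGIN..END blocks; text outside them (e.g. openssl x509 -text output) is dropped. */
    static String extractPemBlocks(BufferedReader reader) throws IOException {
        StringBuilder pem = new StringBuilder();
        boolean inside = false;
        String line;
        while ((line = reader.readLine()) != null) {
            String trimmed = line.trim();              // tolerate trailing spaces and CRLF files
            if (trimmed.equals(BEGIN)) { inside = true; }
            if (inside) { pem.append(trimmed).append('\n'); }
            if (trimmed.equals(END)) { inside = false; }
        }
        if (inside) { throw new IOException("BEGIN CERTIFICATE without matching END CERTIFICATE"); }
        if (pem.length() == 0) { throw new IOException("no PEM certificate block found"); }
        return pem.toString();
    }

    static Collection<? extends Certificate> load(Path file) throws IOException, CertificateException {
        // ISO-8859-1 maps every byte, so non-ASCII names in the text prelude cannot abort the read.
        try (BufferedReader reader = Files.newBufferedReader(file, StandardCharsets.ISO_8859_1)) {
            byte[] pem = extractPemBlocks(reader).getBytes(StandardCharsets.US_ASCII);
            return CertificateFactory.getInstance("X.509")
                    .generateCertificates(new ByteArrayInputStream(pem));
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a file like the one in the question (Path.of needs Java 11+).
        for (Certificate cert : load(Path.of(args[0]))) {
            System.out.println(cert.getType() + " certificate loaded");
        }
    }
}
```

The text dump in front of the block is not covered by the certificate's signature, so read fields such as subject and validity from the parsed certificate, not from that text.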