user2739823

Reputation: 407

Validate certificate chain with Java Bouncy Castle

I would like to validate a certificate chain which will be imported into my app. I do not know how.

My colleagues told me that I have to use Bouncy Castle for validation. I saw several examples and still do not have any progress.

I have a List<X509Certificate> which contains all certificates which are imported from the UI, and also the PrivateKey.

Could you please show me how to validate the certificate chain with Bouncy Castle.

Upvotes: 3

Views: 7140

Answers (2)

Markus Kreusch

Reputation: 2121

It is vital that the cert path is actually validated. As mentioned in Uwe Plonus' answer you can create a CertPath object by using CertificateFactory. The answer is missing the actual validation logic as mentioned by Juha Palomäki. To validate the CertPath additional steps must be performed:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;

// Assumed to be supplied by the caller: an InputStream over the encoded chain,
// an InputStream over the trust store file, and the trust store password.
// InputStream certificateInput, trustStoreInput; char[] trustStorePassword;

// Load the CertPath
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
CertPath certPath = certificateFactory.generateCertPath(certificateInput);

// Load a KeyStore initialized with the root CA certificates to trust
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(trustStoreInput, trustStorePassword);

// Initialize a CertPathValidator
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");

// Do the validation (throws CertPathValidatorException if the path is rejected)
certPathValidator.validate(certPath, new PKIXParameters(trustStore));

The validate method will throw a CertPathValidatorException if the path does not validate. Otherwise it returns an instance of PKIXCertPathValidatorResult that contains details about the used trust anchor and subject public key. CertPathValidator in the default configuration will check that the certificates in the chain are linked, not expired and not revoked.

Upvotes: 1
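Pulling the two answers together for the asker's List<X509Certificate>, as an added example (not code from either answer or from Bouncy Castle): it builds the CertPath leaf-first from the list, validates it against a trust-store KeyStore with the platform PKIX validator, and makes the revocation decision explicit instead of relying on the default. The class name ChainValidator and the checkRevocation flag are names chosen here.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Validates a leaf-first chain against the trusted roots held in trustStore (hypothetical helper). */
public final class ChainValidator {

    public static PKIXCertPathValidatorResult validate(List<X509Certificate> chain,
                                                       KeyStore trustStore,
                                                       boolean checkRevocation) throws Exception {
        if (chain == null || chain.isEmpty()) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        // An RFC 5280 path does not include the trust anchor itself, so drop a
        // trailing certificate that is already one of the trusted roots.
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && trustStore.getCertificateAlias(last) != null) {
            path.remove(path.size() - 1);
        }

        // generateCertPath(List) expects the end-entity certificate first
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore); // roots = trusted entries

        if (checkRevocation) {
            // Java 8+: attach the built-in checker so OCSP/CRL lookups actually run
            PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
            params.addCertPathChecker(rc);
        } else {
            // With revocation enabled (the default) but no CRL/OCSP data available,
            // validate() fails; disable only for offline tests, not for real trust decisions.
            params.setRevocationEnabled(false);
        }

        try {
            return (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        } catch (CertPathValidatorException e) {
            // getIndex() names the offending certificate, getReason() why it was rejected
            throw new SecurityException("chain rejected at index " + e.getIndex()
                    + ": " + e.getReason(), e);
        }
    }
}
```

The returned PKIXCertPathValidatorResult exposes getTrustAnchor() and getPublicKey(), which is what to log or compare against the expected root when the import is accepted.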

Uwe Plonus

Reputation: 9954

You can use the java.security.cert.CertificateFactory to validate your certificate chain.

import java.io.*;
import java.security.cert.*;
import java.util.List;

InputStream inStream = new ByteArrayInputStream(<data>);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPath cp = cf.generateCertPath(inStream);
List<? extends Certificate> certs = cp.getCertificates(); // the API returns List<? extends Certificate>

The certs now contains the certificate chain. The first entry in certs (certs[0]) contains the certificate and the following certificates are the chain.

The last entry in certs is the root certificate which should be compared to an already existing certificate in your application.

In the case that the certification path could not be built up the above code will throw a CertificateException.

Upvotes: 0
