Cryptography in Java. Certificate Class

Original author: Jakob Jenkov

Hello, Habr! I present to you the translation of the final article, "Java Certificate", by Jakob Jenkov, from a series of articles for beginners who want to learn the basics of cryptography in Java.


Table of contents:


  1. Java cryptography
  2. Java Cipher
  3. MessageDigest
  4. Mac
  5. Signature
  6. KeyPair
  7. KeyGenerator
  8. KeyPairGenerator
  9. KeyStore
  10. Keytool
  11. Certificate
  12. CertificateFactory
  13. CertPath

Java Certificate


The Certificate class (java.security.cert.Certificate) represents a certificate that certifies the identity of an entity, for example a user. An instance of the Certificate class contains the name and other information about the entity it identifies, and possibly a digital signature from a certification authority (CA). Certificate is an abstract class, so a variable of type Certificate will always point to an instance of a subclass. This class has one subclass, X509Certificate, which represents an X.509 certificate, the kind of certificate used in the HTTPS and TLS protocols.


Obtaining a Certificate Instance


You can get a certificate instance in the following ways:



See these two guides for more information on obtaining a certificate instance.


getEncoded()


The getEncoded() method of Certificate returns the encoded form of the certificate as a byte array. For example, if the certificate is an X.509 certificate, the returned byte array contains the X.509 encoding of the certificate instance (ASN.1 DER). Here is an example using getEncoded():


byte[] encodedCertificate = certificate.getEncoded();

getPublicKey()


The getPublicKey() method returns the public key of this certificate instance. Here is an example of getPublicKey():


PublicKey certificatePublicKey = certificate.getPublicKey();

getType()


The getType() method returns the type of the certificate instance. An example of getType():


String certificateType = certificate.getType();

verify()


The Certificate class contains three verify() methods. They can be used to verify that the certificate was indeed signed with the private key corresponding to the expected public key. Here is an example of certificate verification:


// obtain the expected public key (not from the certificate itself!)
PublicKey expectedPublicKey = ... ;
try {
    certificate.verify(expectedPublicKey);
} catch (InvalidKeyException e) {
    // the certificate was not signed with this public key
} catch (NoSuchAlgorithmException |
         NoSuchProviderException |
         SignatureException |
         CertificateException e) {
    // something else went wrong
}

The verify() method does not return a value. If verification fails, an InvalidKeyException is thrown. If no exception is thrown, the certificate instance can be considered verified.


Java CertificateFactory (Certificate Factory)


The CertificateFactory class (java.security.cert.CertificateFactory) can create Certificate instances from binary certificate data encoded in X.509 (ASN.1 DER). CertificateFactory can also create CertPath instances. A CertPath is a chain of certificates in which each certificate is signed by the next certificate in the chain.


Creating an instance of CertificateFactory


Before you can create Certificate instances, you must create a CertificateFactory instance. Example:


CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

This example creates a CertificateFactory instance that can create X.509 certificates (X509Certificate, a subclass of Certificate).


Create Certificate Instance


Once you have created a CertificateFactory instance, you can start creating Certificate instances. This is done by calling the generateCertificate() method. Example call of generateCertificate():


InputStream certificateInputStream = new FileInputStream("my-x509-certificate.crt");
Certificate certificate = certificateFactory.generateCertificate(certificateInputStream);

Creating an instance of CertPath


CertificateFactory can also create a CertPath instance. A CertPath instance is created by calling the generateCertPath() method:


InputStream certificateInputStream = new FileInputStream("my-x509-certificate-chain.crt");
CertPath certPath = certificateFactory.generateCertPath(certificateInputStream);

Java CertPath (Certificate Chain)


The CertPath class (java.security.cert.CertPath) represents a chain of certificates (Certificate objects), where each certificate is the digital signer of the next certificate in the chain. The CertPath class is typically used to verify an identity certificate together with the certificates of the certification authorities (CAs) that signed it.


Getting an instance of CertPath


Typically, a CertPath instance is obtained from a certificate factory (CertificateFactory or CertPathBuilder).


getCertificates()


Having obtained a CertPath instance, you can get the Certificate instances it consists of by calling the getCertificates() method. Here is an example of obtaining the certificates from a CertPath instance:


List<? extends Certificate> certificates = certPath.getCertificates();

getType()


The getType() method returns a string indicating what type of certificates (for example, X.509) this CertPath instance contains. Here is an example of getting the CertPath type via getType():


String type = certPath.getType();
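As an added example (not code from Jenkov's article), the following program ties together CertificateFactory, CertPath.getCertificates() and Certificate.verify() from the sections above: it loads a chain from a PEM bundle, walks it leaf first, verifies each certificate with the public key of the next one, and verifies the last one with the key of a separately loaded root CA, so the trust anchor never comes from the path being checked. The two file names and the leaf-first order of the bundle are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class CertPathWalk {

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Assumed input (not from the article): a PEM bundle holding the chain, leaf first.
        // generateCertificates() reads a concatenated PEM or DER bundle and generateCertPath(List)
        // keeps that order; generateCertPath(InputStream) instead expects the PkiPath encoding.
        CertPath certPath;
        try (InputStream in = new FileInputStream("my-x509-certificate-chain.crt")) {
            certPath = cf.generateCertPath(new ArrayList<Certificate>(cf.generateCertificates(in)));
        }
        // The trust anchor comes from a separately stored root CA file, not from the path.
        PublicKey trustAnchorKey;
        try (InputStream in = new FileInputStream("trusted-root-ca.crt")) {
            trustAnchorKey = cf.generateCertificate(in).getPublicKey();
        }
        verifyChain(certPath, trustAnchorKey);
        System.out.println("chain verifies up to the trusted root");
    }

    // Walks the path leaf first: certificate i must verify under the public key of
    // certificate i+1, and the last certificate under the caller-supplied anchor key.
    static void verifyChain(CertPath certPath, PublicKey trustAnchorKey)
            throws GeneralSecurityException {
        List<? extends Certificate> certs = certPath.getCertificates();
        if (certs.isEmpty()) {
            throw new CertificateException("empty certificate path");
        }
        for (int i = 0; i < certs.size(); i++) {
            X509Certificate cert = (X509Certificate) certs.get(i); // safe: X.509 factory
            cert.checkValidity(); // rejects expired or not-yet-valid certificates
            PublicKey signerKey = (i + 1 < certs.size())
                    ? certs.get(i + 1).getPublicKey() : trustAnchorKey;
            cert.verify(signerKey); // InvalidKeyException/SignatureException if not signed by it
        }
    }
}
```

This walk covers only signatures and validity dates; full PKIX path validation (key usage, name constraints, revocation) is the job of CertPathValidator.getInstance("PKIX").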
