
I'm trying to implement X509TrustManager to check the server certificate against a certificate that I have in my application (say, in the classes folder).

I am hitting an HTTPS web site, so when the checkServerTrusted() method gets called it is passed an X.509 certificate array.

Can I safely assume that the certificate of the server that is called is the first in the array?

Just to clarify, in the checkServerTrusted() method, I have to validate the server's certificate.

Here is what the code looks like:

// Requires java.io.FileInputStream, java.io.InputStream, java.security.cert.CertificateException,
// java.security.cert.CertificateFactory and java.security.cert.X509Certificate to be imported.
@Override
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
    // try-with-resources closes the stream even when parsing or verification throws
    try (InputStream inStream = new FileInputStream("E:\\Desktop\\cert\\domain.crt")) {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate myCert = (X509Certificate) cf.generateCertificate(inStream);

        if (certs == null || certs.length == 0 || authType == null
                || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }

        // Only checks that certs[0] was signed with myCert's public key;
        // this is the check the question is asking about
        certs[0].verify(myCert.getPublicKey());

    } catch (Exception e) {
        // Any parse, I/O or signature failure surfaces as a CertificateException
        throw new CertificateException("error in validating certificate", e);
    }
}

So is it safe to verify with first certificate only?

Amogh

2 Answers

in the checkServerTrusted() method, I have to validate the server's certificate.

That's not what it says in the Javadoc. You have to establish a certificate path from the chain supplied to a trusted root.

So is it safe to verify with first certificate only?

No.

user207421
  • Ohh okay, I have tried some code in `checkServerTrusted()` but I am facing an issue; I have posted it as a separate question and would be highly obliged for your kind help with it: http://stackoverflow.com/questions/28195159/issue-in-checking-server-certificate-in-checkservertrusted – Amogh Jan 29 '15 at 06:19
  • Why I said "first" is because the code that I have posted in http://stackoverflow.com/questions/28195159/issue-in-checking-server-certificate-in-checkservertrusted is not throwing an exception for the first certificate in the array passed to `checkServerTrusted()`; after that, an exception occurs for the next one, certs[1] – Amogh Jan 29 '15 at 06:20
  1. Not necessarily. I have seen the end entity certificate and the intermediate CA certificate configured on web servers in no particular order, and the Java docs do not mention that there would be any order in what is provided to you. You could test by configuring a test web server with a jumbled-up order of certificates and looking at the order in the argument of this method. That is one way.
  2. You can verify the certificates that are provided to you in terms of validity, host name matching etc., but another critical thing is to verify the certificate chain from the end entity certificate, through the intermediate CA(s) (if any), to the CA that is trusted by you, i.e. the one in your trust store.
Khanna111
  • The TLS 1.2 specification explicitly states "The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it." While I don't doubt your experience that there are many misconfigured servers, if you're able to, it seems acceptable to only verify the first certificate. https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2 – Orion Edwards Sep 15 '21 at 05:05
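A worked example, added here and not taken from the question or either answer, of the approach both answers describe: validate the presented chain as a PKIX path to a pinned trust anchor instead of calling certs[0].verify() on its own. The class name, the KeyStore alias and the assumption that the pinned certificate is a DER or PEM encoded CA certificate read from the application's resources are my own.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Validates the server's whole chain with PKIX against one pinned CA certificate
// bundled with the application, instead of calling certs[0].verify() by hand.
public final class PinnedRootTrustManager implements X509TrustManager {
    private final X509TrustManager pkix;

    public PinnedRootTrustManager(InputStream pinnedCertStream) throws Exception {
        X509Certificate anchor = (X509Certificate) CertificateFactory
                .getInstance("X.509").generateCertificate(pinnedCertStream);
        // Empty in-memory KeyStore holding only our trust anchor: nothing from the
        // JRE's cacerts file is trusted by this manager.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-root", anchor);   // alias is an arbitrary choice
        // The PKIX factory builds the path from the end-entity certificate through any
        // intermediates the server sent up to the anchor, checking each signature,
        // validity period and CA/key-usage extension along the way.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        pkix = found;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0 || authType == null || authType.isEmpty()) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }
        // chain[0] is taken as the server's certificate (RFC 5246 section 7.4.2); the other
        // entries serve only as candidate intermediates while building the path to the anchor.
        pkix.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("client authentication not supported");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
}
```

Install it with SSLContext.init(null, new TrustManager[] { new PinnedRootTrustManager(in) }, null); host name matching is a separate step that HttpsURLConnection's HostnameVerifier performs, not this trust manager.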