I must write a Java implementation of an X.509 openssl certificate parser, but I have a problem: I do not know how to get the sha1 for the validation of certificates.
Can anyone help me to understand what I should do? I know that there is a method getTBSCertificate() in Java, but I have to rewrite it for my purpose.
3
2 Have a look here: http://stackoverflow.com/questions/143523/x509-certificate-parsing-libraries-for-java – Francis Upton IV Dec 31 '11 at 10:54
1 Answer
7
Assuming you mean the sha1 which is commonly shown as the 'fingerprint' in the browsers and OS tools -- you need 1) the raw cert as DER; and then 2) sha1 it and 3) translate that to the usual double-digit-hex/colon separated string.
As to 1: getEncoded() from java.security.cert.Certificate gets you that.
As to 2: MessageDigest has that function.
As to 3: I'll leave that to you :)
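    import java.security.MessageDigest;
    import java.security.cert.X509Certificate;

    // Prints the subject, issuer and SHA-1 fingerprint of a certificate.
    static void someFoo(X509Certificate cert) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        System.out.println(" Subject " + cert.getSubjectDN());
        System.out.println(" Issuer " + cert.getIssuerDN());
        // The fingerprint is the digest over the full DER encoding of the certificate.
        sha1.update(cert.getEncoded());
        // toHexString is step 3 (bytes to colon-separated hex) and is not defined here.
        System.out.println(" sha1 " + toHexString(sha1.digest()));
        System.out.println();
    }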
should do the trick. This output matches that of the java keytool.
Dw.

Dirk-Willem van Gulik
That's correct for the fingerprint indeed. My guess is that the question may also be about verifying the signature... Here are a couple of recent related questions: [about fingerprints](http://security.stackexchange.com/q/14330/2435) and [about signatures (and CAs)](http://stackoverflow.com/q/10411433/372643). – Bruno May 08 '12 at 16:34
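
The distinction between the answer and the comment above, as an added example that is not code from either post: the fingerprint is SHA-1 over the whole DER encoding, while the issuer's signature covers only the tbsCertificate element, which a hand-written parser can cut out by reading two DER headers. The class name `CertDigests`, the helpers `header` and `tbsBytes`, and the 12-byte toy input are constructed for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class CertDigests {
    // Step 3 of the answer: digest bytes to the colon-separated hex that keytool prints.
    static String toHexString(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b & 0xff));
        return sb.toString();
    }
    // Reads the DER tag-length header at off; returns {contentStart, contentLength}.
    static int[] header(byte[] der, int off) {
        int len = der[off + 1] & 0xff, pos = off + 2;
        if (len >= 0x80) {                 // long form: low 7 bits count the length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 3) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (der[pos++] & 0xff);
        }
        if (len > der.length - pos) throw new IllegalArgumentException("truncated DER");
        return new int[] { pos, len };
    }
    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    // Returns the whole TLV of the first element: the bytes the issuer's signature covers.
    static byte[] tbsBytes(byte[] certDer) {
        if (certDer[0] != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int tbsStart = header(certDer, 0)[0];
        int[] tbs = header(certDer, tbsStart);
        return Arrays.copyOfRange(certDer, tbsStart, tbs[0] + tbs[1]);
    }
    public static void main(String[] args) throws Exception {
        // Constructed toy input with the Certificate shape (not a real certificate).
        byte[] der = { 0x30, 0x0A, 0x30, 0x03, 0x02, 0x01, 0x02, 0x30, 0x00, 0x03, 0x01, 0x00 };
        X509Certificate cert = null;
        if (args.length > 0) {             // optional: path to a real DER or PEM certificate
            try (InputStream in = new FileInputStream(args[0])) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                der = cert.getEncoded();
            }
        }
        byte[] tbs = tbsBytes(der);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        System.out.println("SHA-1 of whole DER (fingerprint): " + toHexString(sha1.digest(der)));
        System.out.println("SHA-1 of tbsCertificate only:     " + toHexString(sha1.digest(tbs)));
        if (cert != null) System.out.println("matches JDK: " + Arrays.equals(tbs, cert.getTBSCertificate()));
    }
}
```

Run with a certificate path as the first argument to compare the hand-parsed bytes against `getTBSCertificate()`; with no argument it runs on the toy input only.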