
Cryptography in Java. Certificate class

Hi, Habr! I present to you the translation of the final article "Java Certificate" by Jakob Jenkov from a series of articles for beginners who want to learn the basics of cryptography in Java.


Table of contents:


  1. Java cryptography
  2. Java cipher
  3. MessageDigest
  4. Mac
  5. Signature
  6. KeyPair
  7. KeyGenerator
  8. KeyPairGenerator
  9. KeyStore
  10. Keytool
  11. Certificate
  12. CertificateFactory
  13. Certpath

Java Certificate (Certificate)


The Certificate class ( java.security.cert.Certificate ) represents a certificate that binds an identity (the subject, for example a user or a server) to a public key. A Certificate instance carries the subject's name and other information about the entity it identifies, the subject's public key, and a digital signature over that data, produced either by a certification authority (CA) or, for a self-signed certificate, by the subject's own private key. Certificate is an abstract class: you declare variables of type Certificate, but at run time they always refer to an instance of a concrete subclass. The JDK provides one public subclass, X509Certificate , which represents the X.509 certificate format used by TLS, and therefore by HTTPS.


Retrieving Certificate Instance


You can obtain a Certificate instance in two ways:


  1. From a CertificateFactory, by parsing the encoded (DER or PEM) certificate data; see the CertificateFactory section below.
  2. From a KeyStore, by looking up the certificate stored under an alias; see the KeyStore article in this series.


See those two guides for more information on obtaining a Certificate instance.


getEncoded ()


The getEncoded() method returns the encoded form of the certificate as a byte array. For an X.509 certificate this is the DER (ASN.1) encoding of the whole certificate, regardless of whether it was originally loaded from a DER or a PEM file; it is the byte sequence that certificate fingerprints (and certificate pins) are computed over. Here is an example of using the getEncoded() method:


    byte[] encodedCertificate = certificate.getEncoded();

getPublicKey ()


The getPublicKey() method returns the public key contained in this certificate instance, that is, the subject's key, not the key of whoever signed the certificate. Here is an example of the getPublicKey() method:


    PublicKey certificatePublicKey = certificate.getPublicKey();

getType ()


The getType() method returns the type of this certificate instance as a string; for an X509Certificate it returns "X.509". Example of getType() :


    String certificateType = certificate.getType();

verify ()


The Certificate class has three verify() overloads: verify(PublicKey) , verify(PublicKey, String sigProvider) and verify(PublicKey, Provider) . They check that the signature on the certificate was produced by the private key corresponding to the given public key. Here is an example of certificate verification:


    PublicKey expectedPublicKey = ... ;   // typically the public key of the issuing CA
    try {
        certificate.verify(expectedPublicKey);
    } catch (SignatureException e) {
        // the certificate was not signed with the private key matching expectedPublicKey
    } catch (InvalidKeyException e) {
        // expectedPublicKey cannot be used with this certificate's signature algorithm
        // (wrong key type, for example an EC key for an RSA-signed certificate)
    } catch (NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
        // something else went wrong: unsupported algorithm, unknown provider, encoding error
    }

The verify() method does not return a value. If the signature does not match the key, a SignatureException is thrown; an InvalidKeyException means the key itself could not be used for this certificate's signature algorithm. If no exception is thrown, the signature is valid for that key. Note what this does not establish: verify() does not check the validity period (call checkValidity() for that), revocation, the subject name, or any chain of trust, and a self-signed certificate always verifies against its own public key. Whether the key you verified against belongs to a CA you actually trust is a separate decision, made with CertPathValidator or a trust store, not with verify() alone.


Java CertificateFactory (Certificate Factory)


The CertificateFactory class ( java.security.cert.CertificateFactory ) creates Certificate instances from encoded certificate data; for X.509 that is either binary DER (ASN.1) or Base64 PEM ("-----BEGIN CERTIFICATE-----" blocks). CertificateFactory can also create instances of CertPath . A CertPath is a chain of certificates in which, by the X.509 convention, each certificate is signed by the next one in the list: the path starts with the end-entity certificate and ends with the certificate issued by the trust anchor; the trust anchor itself is normally not part of the path.


Creating an instance of CertificateFactory


Before you can create Certificate instances, you must create a CertificateFactory instance. Example:


 CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); 

This example creates a CertificateFactory instance that can create instances of an X.509 certificate ( X509Certificate is a subclass of Certificate ).


Creating an instance of Certificate


Once you have a CertificateFactory , you can start creating Certificate instances by calling the generateCertificate() method, which reads one certificate from an InputStream . For X.509 the input may be DER or PEM, and the object returned is really an X509Certificate , so cast it when you need the X.509-specific methods (subject, issuer, validity period, extensions). The factory does not close the stream, so close it yourself. An example of calling the generateCertificate() method:


    try (InputStream certificateInputStream = new FileInputStream("my-x509-certificate.crt")) {
        Certificate certificate = certificateFactory.generateCertificate(certificateInputStream);
    }
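The getEncoded(), verify() and generateCertificate() sections above fit together in one program. The following is an added example, not code from Jenkov's article or from the JDK documentation: it loads a certificate file with CertificateFactory, prints the SHA-256 fingerprint of the bytes returned by getEncoded(), then calls verify() with three different keys to show which exception each failure mode produces, and finishes with the validity-period check that verify() leaves to you. The file name demo.crt, the keytool commands in the comment, and the assumption that the file holds a self-signed certificate are this example's own choices.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

/**
 * Added example. Assumes a self-signed certificate in demo.crt, for instance created with keytool
 * (file name, alias and password are assumptions of this example):
 *   keytool -genkeypair -alias demo -keyalg RSA -keysize 3072 -dname CN=demo -validity 30 \
 *           -keystore demo.p12 -storetype PKCS12 -storepass changeit
 *   keytool -exportcert -alias demo -rfc -keystore demo.p12 -storepass changeit -file demo.crt
 */
public class CertificateVerifyDemo {

    /** Reads one certificate (DER or PEM) and returns it as an X509Certificate. */
    public static X509Certificate load(Path file) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) factory.generateCertificate(in);
        }
    }

    /** SHA-256 over the DER bytes from getEncoded(); the same value "openssl x509 -fingerprint -sha256" prints. */
    public static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** Calls cert.verify(key) and maps the outcome to a one-line description. */
    public static String describeVerify(X509Certificate cert, PublicKey key) {
        try {
            cert.verify(key);
            return "signature OK";
        } catch (SignatureException e) {
            // right kind of key, but not the key whose private half signed this certificate
            return "signature does NOT match this key (" + e.getMessage() + ")";
        } catch (InvalidKeyException e) {
            // the key cannot be used with this certificate's signature algorithm at all
            return "key unusable for " + cert.getSigAlgName() + " (" + e.getMessage() + ")";
        } catch (Exception e) {
            // NoSuchAlgorithmException, NoSuchProviderException, CertificateException
            return "verification could not be performed (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = load(Path.of(args.length > 0 ? args[0] : "demo.crt"));
        System.out.println("subject    : " + cert.getSubjectX500Principal());
        System.out.println("issuer     : " + cert.getIssuerX500Principal());
        System.out.println("sig alg    : " + cert.getSigAlgName());
        System.out.println("sha256     : " + sha256Fingerprint(cert));

        // 1. The certificate's own public key. For a self-signed certificate this succeeds, which only
        //    proves the certificate is internally consistent, not that it is trustworthy. For a
        //    CA-issued certificate this reports a mismatch; the CA's public key is needed instead.
        System.out.println("own key    : " + describeVerify(cert, cert.getPublicKey()));

        // 2. A fresh key of the same algorithm: right kind of key, wrong value -> SignatureException.
        String alg = cert.getPublicKey().getAlgorithm();
        PublicKey otherKey = KeyPairGenerator.getInstance(alg).generateKeyPair().getPublic();
        System.out.println("other key  : " + describeVerify(cert, otherKey));

        // 3. A key of a different type than the signature algorithm expects -> InvalidKeyException.
        String otherAlg = alg.equals("EC") ? "RSA" : "EC";
        PublicKey wrongTypeKey = KeyPairGenerator.getInstance(otherAlg).generateKeyPair().getPublic();
        System.out.println("wrong type : " + describeVerify(cert, wrongTypeKey));

        // verify() says nothing about the validity period; that is a separate check.
        try {
            cert.checkValidity();
            System.out.println("validity   : OK, " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            System.out.println("validity   : FAILED, " + e.getMessage());
        }
    }
}
```

Run it as `java CertificateVerifyDemo.java demo.crt` (Java 11 or later). The three verify() calls are the point: the same method reports a wrong key of the right type as SignatureException and a key of the wrong type as InvalidKeyException, so catching only one of them, as the fragment above does, silently misclassifies the other.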

Creating a CertPath Instance


CertificateFactory can also create an instance of CertPath , by calling the generateCertPath() method. Pay attention to the encoding: generateCertPath(InputStream) expects the factory's default CertPath encoding, which for the X.509 factory is "PkiPath" (an ASN.1 SEQUENCE of certificates); a PKCS#7 (.p7b) bundle needs generateCertPath(InputStream, "PKCS7") ; and a file of several concatenated PEM certificates, the most common form of a chain, is not a CertPath encoding at all. For such a file, read the certificates with generateCertificates() and pass the resulting list to generateCertPath(List) , in end-entity-to-issuer order. Example, for a file in PkiPath encoding:


    try (InputStream certificateInputStream = new FileInputStream("my-x509-certificate-chain.crt")) {
        CertPath certPath = certificateFactory.generateCertPath(certificateInputStream);
    }

Java CertPath (Certificate Chain)


The CertPath class ( java.security.cert.CertPath ) represents a chain of certificates ( Certificate objects) in which each certificate is signed by the next one in the chain: the issuer of one certificate is the subject of the following one. CertPath is typically used to validate an end-entity certificate together with the certificates of the certification authorities (CAs) that signed it, up to a trusted root. The CertPath object only carries the chain; the validation itself (signatures, name chaining, validity periods, constraints, optionally revocation) is done by CertPathValidator .


Getting a CertPath instance


Typically, a CertPath instance is obtained from a certificate factory ( CertificateFactory ), or built from a set of candidate certificates by a CertPathBuilder .


getCertificates ()


Once you have a CertPath instance, you can get the Certificate instances it consists of by calling the getCertificates() method. It returns an unmodifiable List<? extends Certificate> (not List<Certificate> , so declare the variable accordingly), in the order described above. Here is an example of getting certificates from a CertPath instance:


    List<? extends Certificate> certificates = certPath.getCertificates();

getType ()


The getType() method returns a string naming the certificate type (for example, "X.509") of the certificates contained in this CertPath instance. Here is an example of getting the type of a CertPath through the getType() method:


 String type = certPath.getType(); 
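The generateCertPath() section and the CertPath description above both turn on the order of the chain and on how a chain is actually validated. The following is an added example, not code from Jenkov's article: it turns a concatenated PEM bundle into a CertPath the usual way (generateCertificates() followed by generateCertPath(List)), checks each link by hand with verify() in the order getCertificates() uses, and then runs the real PKIX validation with CertPathValidator. Assumptions of this example: the file chain.pem lists the end-entity certificate first, each certificate is followed by its issuer, the last certificate in the file is the one you choose to trust (the trust anchor), and revocation checking is switched off so the program runs offline.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/**
 * Added example. Assumes chain.pem holds concatenated PEM certificates, end-entity first, each
 * followed by its issuer, the last one being the certificate to trust. Such a file can be assembled
 * from the "-----BEGIN CERTIFICATE-----" blocks printed by
 *   openssl s_client -connect example.com:443 -showcerts
 * (host name is an assumption; servers usually omit the root, so append it from your trust store).
 */
public class CertPathDemo {

    /** Reads every certificate in the bundle, in file order. */
    public static List<X509Certificate> readBundle(Path file) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : factory.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Checks each link by hand: certificate i must be issued by, and signed with the key of, certificate i+1. */
    public static boolean linksVerify(List<X509Certificate> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = chain.get(i + 1);
            if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                System.out.println("link " + i + ": issuer name does not match the next certificate's subject");
                return false;
            }
            try {
                cert.verify(issuer.getPublicKey());
            } catch (Exception e) { // SignatureException, InvalidKeyException, ...
                System.out.println("link " + i + ": " + e);
                return false;
            }
        }
        return true;
    }

    /**
     * PKIX validation: builds a CertPath from every certificate except the last and validates it against
     * the last one as trust anchor. This covers what verify() alone does not: name chaining, validity
     * periods, basic constraints, key usage, path length and, if enabled, revocation.
     */
    public static PKIXCertPathValidatorResult validate(List<X509Certificate> bundle) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate anchorCert = bundle.get(bundle.size() - 1);
        CertPath path = factory.generateCertPath(bundle.subList(0, bundle.size() - 1));
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(anchorCert, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this offline example
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> bundle = readBundle(Path.of(args.length > 0 ? args[0] : "chain.pem"));
        if (bundle.size() < 2) {
            System.out.println("need at least an end-entity certificate and one issuer");
            return;
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        // The encodings generateCertPath(InputStream) understands; the first one is the default.
        for (Iterator<String> it = factory.getCertPathEncodings(); it.hasNext(); ) {
            System.out.println("CertPath encoding: " + it.next());
        }
        for (int i = 0; i < bundle.size(); i++) {
            System.out.println(i + ": " + bundle.get(i).getSubjectX500Principal()
                    + "  issued by  " + bundle.get(i).getIssuerX500Principal());
        }
        System.out.println("all links verify: " + linksVerify(bundle));
        try {
            PKIXCertPathValidatorResult result = validate(bundle);
            System.out.println("PKIX validation OK, anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the CertPath of the certificate that failed, or -1
            System.out.println("PKIX validation FAILED at index " + e.getIndex()
                    + ": " + e.getReason() + ", " + e.getMessage());
        }
    }
}
```

Run it as `java CertPathDemo.java chain.pem` (Java 11 or later). Two points worth noticing: the hand-rolled linksVerify() passes for any chain whose signatures line up, including one built from an expired intermediate or a leaf with no serverAuth key usage, while CertPathValidator rejects those; and choosing the last certificate of a file as the trust anchor is a decision you make explicitly here, exactly the decision verify() never makes for you.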


Source: https://habr.com/ru/post/446888/
