BAEL-6700 - Check if Certificate is Self-Signed or CA Signed with Java (#14628)
* BAEL-6700 - Check if Certificate is Self-Signed or CA Signed with Java * Added new module to parent pom * Updated test method names
This commit is contained in:
parent
add56cced9
commit
259de2ed39
|
@ -0,0 +1,7 @@
|
|||
## Core Java Security
|
||||
|
||||
This module contains articles about core Java Security
|
||||
|
||||
### Relevant Articles:
|
||||
|
||||
- More articles: [[<-- prev]](/core-java-modules/core-java-security-3)
|
|
@ -0,0 +1,16 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<artifactId>core-java-security-4</artifactId>
|
||||
<name>core-java-security-4</name>
|
||||
<packaging>jar</packaging>
|
||||
|
||||
<parent>
|
||||
<groupId>com.baeldung.core-java-modules</groupId>
|
||||
<artifactId>core-java-modules</artifactId>
|
||||
<version>0.0.1-SNAPSHOT</version>
|
||||
</parent>
|
||||
|
||||
</project>
|
|
@ -0,0 +1,51 @@
|
|||
package com.baeldung.certificate;
|
||||
|
||||
import java.security.KeyStore;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Enumeration;
|
||||
|
||||
public class RootCertificateUtil {
|
||||
|
||||
private RootCertificateUtil() {
|
||||
}
|
||||
|
||||
public static X509Certificate getRootCertificate(X509Certificate endEntityCertificate, KeyStore trustStore)
|
||||
throws Exception {
|
||||
X509Certificate issuerCertificate = findIssuerCertificate(endEntityCertificate, trustStore);
|
||||
if (issuerCertificate != null) {
|
||||
if (isRoot(issuerCertificate)) {
|
||||
return issuerCertificate;
|
||||
} else {
|
||||
return getRootCertificate(issuerCertificate, trustStore);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private static X509Certificate findIssuerCertificate(X509Certificate certificate, KeyStore trustStore)
|
||||
throws KeyStoreException {
|
||||
Enumeration<String> aliases = trustStore.aliases();
|
||||
while (aliases.hasMoreElements()) {
|
||||
String alias = aliases.nextElement();
|
||||
Certificate cert = trustStore.getCertificate(alias);
|
||||
if (cert instanceof X509Certificate) {
|
||||
X509Certificate x509Cert = (X509Certificate) cert;
|
||||
if (x509Cert.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) {
|
||||
return x509Cert;
|
||||
}
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private static boolean isRoot(X509Certificate certificate) {
|
||||
try {
|
||||
certificate.verify(certificate.getPublicKey());
|
||||
return certificate.getKeyUsage() != null && certificate.getKeyUsage()[5];
|
||||
} catch (Exception e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
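Review bot: getRootCertificate recurses with no termination guard, so a self-signed certificate that sits in the truststore but carries no KeyUsage extension (isRoot then returns false because getKeyUsage() is null, a case the unit test for the `selfsigned` alias shows is real) is returned by findIssuerCertificate as its own issuer, since its subject equals its issuer, and the call at `return getRootCertificate(issuerCertificate, trustStore);` repeats until StackOverflowError. findIssuerCertificate also accepts a subject/issuer name match as proof of issuance without checking that the certificate's signature verifies under the candidate's public key, so any truststore entry with a colliding name is treated as the issuer and the chain walked from it is meaningless. The rewrite below verifies the signature before accepting a candidate (it needs `import java.security.GeneralSecurityException;`), stops when the issuer found is the certificate itself, and narrows isRoot's `catch (Exception e)` to `GeneralSecurityException` so that programming errors are no longer reported as "not a root".
```java
public static X509Certificate getRootCertificate(X509Certificate endEntityCertificate, KeyStore trustStore)
        throws Exception {
    X509Certificate issuerCertificate = findIssuerCertificate(endEntityCertificate, trustStore);
    if (issuerCertificate == null) {
        return null;
    }
    if (isRoot(issuerCertificate)) {
        return issuerCertificate;
    }
    // A self-signed issuer that is not a CA would otherwise be looked up again forever.
    if (issuerCertificate.equals(endEntityCertificate)) {
        return null;
    }
    return getRootCertificate(issuerCertificate, trustStore);
}

private static X509Certificate findIssuerCertificate(X509Certificate certificate, KeyStore trustStore)
        throws KeyStoreException {
    Enumeration<String> aliases = trustStore.aliases();
    while (aliases.hasMoreElements()) {
        Certificate cert = trustStore.getCertificate(aliases.nextElement());
        if (!(cert instanceof X509Certificate)) {
            continue;
        }
        X509Certificate candidate = (X509Certificate) cert;
        // A matching name is not proof of issuance; the signature must verify under the candidate's key.
        if (candidate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())
                && isSignedBy(certificate, candidate)) {
            return candidate;
        }
    }
    return null;
}

private static boolean isSignedBy(X509Certificate certificate, X509Certificate issuer) {
    try {
        certificate.verify(issuer.getPublicKey());
        return true;
    } catch (GeneralSecurityException e) {
        return false;
    }
}

private static boolean isRoot(X509Certificate certificate) {
    try {
        certificate.verify(certificate.getPublicKey());
        // KeyUsage bit 5 is keyCertSign (RFC 5280 section 4.2.1.3).
        boolean[] keyUsage = certificate.getKeyUsage();
        return keyUsage != null && keyUsage[5];
    } catch (GeneralSecurityException e) {
        return false;
    }
}
```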
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,76 @@
|
|||
package com.baeldung.certificate;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import java.security.KeyStore;
|
||||
import java.security.SignatureException;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import static com.baeldung.certificate.RootCertificateUtil.getRootCertificate;
|
||||
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
|
||||
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertNotEquals;
|
||||
import static org.junit.jupiter.api.Assertions.assertNotNull;
|
||||
import static org.junit.jupiter.api.Assertions.assertNull;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
|
||||
class SignedCertificateUnitTest {
|
||||
|
||||
private KeyStore keyStore;
|
||||
|
||||
private KeyStore trustStore;
|
||||
|
||||
@BeforeEach
|
||||
public void setUp() throws Exception {
|
||||
char[] passwd = "changeit".toCharArray();
|
||||
keyStore = KeyStore.getInstance("JKS");
|
||||
keyStore.load(this.getClass().getClassLoader().getResourceAsStream("keystore.jks"), passwd);
|
||||
trustStore = KeyStore.getInstance("JKS");
|
||||
trustStore.load(this.getClass().getClassLoader().getResourceAsStream("truststore.jks"), passwd);
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsSelfSigned_thenSubjectIsEqualToIssuer() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
|
||||
assertEquals(certificate.getSubjectDN(), certificate.getIssuerDN());
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsSelfSigned_thenItCanBeVerifiedWithItsOwnPublicKey() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
|
||||
assertDoesNotThrow(() -> certificate.verify(certificate.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsCASigned_thenItCantBeVerifiedWithItsOwnPublicKey() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("baeldung");
|
||||
assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsCASigned_thenRootCanBeFoundInTruststore() throws Exception {
|
||||
X509Certificate endEntityCertificate = (X509Certificate) keyStore.getCertificate("baeldung");
|
||||
X509Certificate rootCertificate = getRootCertificate(endEntityCertificate, trustStore);
|
||||
assertNotNull(rootCertificate);
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsCA_thenItCanBeUsedToSignOtherCertificates() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("cloudflare");
|
||||
assertTrue(certificate.getKeyUsage()[5]);
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsCA_thenBasicConstrainsReturnsZeroOrGreaterThanZero() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("cloudflare");
|
||||
assertNotEquals(-1, certificate.getBasicConstraints());
|
||||
}
|
||||
|
||||
@Test
|
||||
void whenCertificateIsSelfSigned_thenItCantBeUsedToSignOtherCertificates() throws Exception {
|
||||
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
|
||||
assertNull(certificate.getKeyUsage());
|
||||
}
|
||||
}
|
|
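Review bot: The two `getResourceAsStream(...)` streams opened in setUp are never closed; KeyStore.load does not close the stream it is given, so each test leaks a file handle, and a missing resource makes `load(null, passwd)` silently create an empty store so the failure surfaces later as an NPE on `getCertificate` rather than as a clear message. A small helper that opens the resource in try-with-resources and rejects a null stream fixes both, and is shown below. Separately, `getSubjectDN()`/`getIssuerDN()` in whenCertificateIsSelfSigned_thenSubjectIsEqualToIssuer are the denigrated API; the assertion should read `assertEquals(certificate.getSubjectX500Principal(), certificate.getIssuerX500Principal());`, which is also what the utility under test compares. The bare index in `certificate.getKeyUsage()[5]` deserves a comment such as `// bit 5 of KeyUsage is keyCertSign`, and the SignatureException expected in whenCertificateIsCASigned_thenItCantBeVerifiedWithItsOwnPublicKey presumably depends on the CA and end-entity keys sharing an algorithm, since a mismatched key type would surface as InvalidKeyException instead; worth confirming against the fixture.
```java
@BeforeEach
public void setUp() throws Exception {
    char[] passwd = "changeit".toCharArray();
    keyStore = loadStore("keystore.jks", passwd);
    trustStore = loadStore("truststore.jks", passwd);
}

// Opens the classpath resource, loads it into a JKS store and closes the stream; fails fast when the resource is absent.
private static KeyStore loadStore(String resource, char[] passwd) throws Exception {
    KeyStore store = KeyStore.getInstance("JKS");
    try (InputStream in = SignedCertificateUnitTest.class.getClassLoader().getResourceAsStream(resource)) {
        if (in == null) {
            throw new IllegalStateException("test resource not found: " + resource);
        }
        store.load(in, passwd);
    }
    return store;
}
// … unchanged: test methods …
```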
@ -127,6 +127,7 @@
|
|||
<module>core-java-scanner</module>
|
||||
<module>core-java-security-2</module>
|
||||
<module>core-java-security-3</module>
|
||||
<module>core-java-security-4</module>
|
||||
<module>core-java-security-algorithms</module>
|
||||
<module>core-java-streams</module>
|
||||
<module>core-java-streams-3</module>
|
||||
|
|