BAEL-6700 - Check if Certificate is Self-Signed or CA Signed with Java (#14628)

* BAEL-6700 - Check if Certificate is Self-Signed or CA Signed with Java

* Added new module to parent pom

* Update test method names
Ana Peterlić 2023-08-29 08:32:19 +02:00 committed by GitHub
parent add56cced9
commit 259de2ed39
7 changed files with 151 additions and 0 deletions


@ -0,0 +1,7 @@
## Core Java Security
This module contains articles about core Java Security
### Relevant Articles:
- More articles: [[<-- prev]](/core-java-modules/core-java-security-3)


@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>core-java-security-4</artifactId>
<name>core-java-security-4</name>
<packaging>jar</packaging>
<parent>
<groupId>com.baeldung.core-java-modules</groupId>
<artifactId>core-java-modules</artifactId>
<version>0.0.1-SNAPSHOT</version>
</parent>
</project>


@ -0,0 +1,51 @@
package com.baeldung.certificate;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
public class RootCertificateUtil {
private RootCertificateUtil() {
}
public static X509Certificate getRootCertificate(X509Certificate endEntityCertificate, KeyStore trustStore)
throws Exception {
X509Certificate issuerCertificate = findIssuerCertificate(endEntityCertificate, trustStore);
if (issuerCertificate != null) {
if (isRoot(issuerCertificate)) {
return issuerCertificate;
} else {
return getRootCertificate(issuerCertificate, trustStore);
}
}
return null;
}
private static X509Certificate findIssuerCertificate(X509Certificate certificate, KeyStore trustStore)
throws KeyStoreException {
Enumeration<String> aliases = trustStore.aliases();
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
Certificate cert = trustStore.getCertificate(alias);
if (cert instanceof X509Certificate) {
X509Certificate x509Cert = (X509Certificate) cert;
if (x509Cert.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) {
return x509Cert;
}
}
}
return null;
}
private static boolean isRoot(X509Certificate certificate) {
try {
certificate.verify(certificate.getPublicKey());
return certificate.getKeyUsage() != null && certificate.getKeyUsage()[5];
} catch (Exception e) {
return false;
}
}
}
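Review bot: findIssuerCertificate picks the issuer by subject-name equality alone, and getRootCertificate never checks that the certificate it is walking from was actually signed by the candidate's key, so any trust-store entry whose subject happens to equal the issuer name is accepted as the issuer and the returned "root" says nothing about the chain being valid. The candidate should be confirmed with `certificate.verify(candidate.getPublicKey())` inside the loop, continuing on a failed verification (this also disambiguates several trust-store entries sharing one subject name, e.g. after a key rollover); the rewrite below needs `java.security.GeneralSecurityException` imported. Separately, getRootCertificate recurses with no visited set or depth bound, so a trust store holding cross-signed certificates (A issued by B, B issued by A) where neither passes isRoot would presumably recurse until StackOverflowError. The public `throws Exception` on getRootCertificate could be narrowed to `throws KeyStoreException`, since isRoot swallows its own exceptions and that is all the remaining calls can throw.
```java
private static X509Certificate findIssuerCertificate(X509Certificate certificate, KeyStore trustStore)
        throws KeyStoreException {
    Enumeration<String> aliases = trustStore.aliases();
    while (aliases.hasMoreElements()) {
        Certificate cert = trustStore.getCertificate(aliases.nextElement());
        if (!(cert instanceof X509Certificate)) {
            continue;
        }
        X509Certificate candidate = (X509Certificate) cert;
        if (!candidate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) {
            continue;
        }
        try {
            // a matching subject name is not proof of issuance; the signature must verify
            certificate.verify(candidate.getPublicKey());
            return candidate;
        } catch (GeneralSecurityException e) {
            // wrong key for this subject name (e.g. key rollover) — keep looking
        }
    }
    return null;
}
```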


@ -0,0 +1,76 @@
package com.baeldung.certificate;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import java.security.KeyStore;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import static com.baeldung.certificate.RootCertificateUtil.getRootCertificate;
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
class SignedCertificateUnitTest {
private KeyStore keyStore;
private KeyStore trustStore;
@BeforeEach
public void setUp() throws Exception {
char[] passwd = "changeit".toCharArray();
keyStore = KeyStore.getInstance("JKS");
keyStore.load(this.getClass().getClassLoader().getResourceAsStream("keystore.jks"), passwd);
trustStore = KeyStore.getInstance("JKS");
trustStore.load(this.getClass().getClassLoader().getResourceAsStream("truststore.jks"), passwd);
}
@Test
void whenCertificateIsSelfSigned_thenSubjectIsEqualToIssuer() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
assertEquals(certificate.getSubjectDN(), certificate.getIssuerDN());
}
@Test
void whenCertificateIsSelfSigned_thenItCanBeVerifiedWithItsOwnPublicKey() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
assertDoesNotThrow(() -> certificate.verify(certificate.getPublicKey()));
}
@Test
void whenCertificateIsCASigned_thenItCantBeVerifiedWithItsOwnPublicKey() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("baeldung");
assertThrows(SignatureException.class, () -> certificate.verify(certificate.getPublicKey()));
}
@Test
void whenCertificateIsCASigned_thenRootCanBeFoundInTruststore() throws Exception {
X509Certificate endEntityCertificate = (X509Certificate) keyStore.getCertificate("baeldung");
X509Certificate rootCertificate = getRootCertificate(endEntityCertificate, trustStore);
assertNotNull(rootCertificate);
}
@Test
void whenCertificateIsCA_thenItCanBeUsedToSignOtherCertificates() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("cloudflare");
assertTrue(certificate.getKeyUsage()[5]);
}
@Test
void whenCertificateIsCA_thenBasicConstrainsReturnsZeroOrGreaterThanZero() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("cloudflare");
assertNotEquals(-1, certificate.getBasicConstraints());
}
@Test
void whenCertificateIsSelfSigned_thenItCantBeUsedToSignOtherCertificates() throws Exception {
X509Certificate certificate = (X509Certificate) keyStore.getCertificate("selfsigned");
assertNull(certificate.getKeyUsage());
}
}
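Review bot: whenCertificateIsSelfSigned_thenSubjectIsEqualToIssuer compares `getSubjectDN()` with `getIssuerDN()`, both denigrated in the X509Certificate Javadoc in favour of the X500Principal accessors that RootCertificateUtil already uses; `assertEquals(certificate.getSubjectX500Principal(), certificate.getIssuerX500Principal());` keeps the test consistent with the code under test and off the legacy API. In setUp the two `getResourceAsStream` results go straight into `KeyStore.load`, which neither closes the stream nor rejects a null one — `load(null, passwd)` silently initialises an empty store, so a missing `keystore.jks` or `truststore.jks` (neither is visible on this page; presumably they are the remaining two of the seven changed files) would surface later as a NullPointerException on the alias lookup rather than as a clear resource error. Wrapping each stream in try-with-resources and passing it through `Objects.requireNonNull(in, "keystore.jks not on classpath")` gives a direct failure and releases the handle. The method name whenCertificateIsCA_thenBasicConstrainsReturnsZeroOrGreaterThanZero misspells "Constraints".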


@ -127,6 +127,7 @@
<module>core-java-scanner</module>
<module>core-java-security-2</module>
<module>core-java-security-3</module>
<module>core-java-security-4</module>
<module>core-java-security-algorithms</module>
<module>core-java-streams</module>
<module>core-java-streams-3</module>