    import java.security.GeneralSecurityException;
    import java.security.Principal;
    import java.security.PublicKey;
    import java.security.cert.X509Certificate;
    import java.util.Collection;
    import java.util.Date;

    // The chain is expected in issuing order: element 0 was issued by the
    // trusted root, and the last element belongs to the target server.
    public static boolean verify(X509Certificate x509certificateRoot,
                                 Collection collectionX509CertificateChain,
                                 String stringTarget)
    {
        int nSize = collectionX509CertificateChain.size();
        if (nSize == 0)
        {
            System.out.println("empty certificate chain");
            return false;
        }
        X509Certificate [] arx509certificate = new X509Certificate [nSize];
        collectionX509CertificateChain.toArray(arx509certificate);

        // Working down the chain, for every certificate in the chain,
        // verify that the subject of the certificate is the issuer of the
        // next certificate in the chain.
        Principal principalLast = null;
        for (int i = 0; i < nSize; i++)
        {
            X509Certificate x509certificate = arx509certificate[i];
            Principal principalIssuer = x509certificate.getIssuerDN();
            Principal principalSubject = x509certificate.getSubjectDN();
            if (principalLast != null)
            {
                if (principalIssuer.equals(principalLast))
                {
                    try
                    {
                        PublicKey publickey = arx509certificate[i - 1].getPublicKey();
                        arx509certificate[i].verify(publickey);
                    }
                    catch (GeneralSecurityException generalsecurityexception)
                    {
                        System.out.println("signature verification failed");
                        return false;
                    }
                }
                else
                {
                    System.out.println("subject/issuer verification failed");
                    return false;
                }
            }
            principalLast = principalSubject;
        }

        // Verify that the first certificate in the chain was issued
        // by a third party that the client trusts.
        try
        {
            PublicKey publickey = x509certificateRoot.getPublicKey();
            arx509certificate[0].verify(publickey);
        }
        catch (GeneralSecurityException generalsecurityexception)
        {
            System.out.println("signature verification failed");
            return false;
        }

        // Verify that the last certificate in the chain corresponds to
        // the server we desire to authenticate.
        Principal principalSubject = arx509certificate[nSize - 1].getSubjectDN();
        if (!stringTarget.equals(principalSubject.getName()))
        {
            System.out.println("target verification failed");
            return false;
        }

        // For every certificate in the chain, verify that the certificate
        // is valid at the current time.
        Date date = new Date();
        for (int i = 0; i < nSize; i++)
        {
            try
            {
                arx509certificate[i].checkValidity(date);
            }
            catch (GeneralSecurityException generalsecurityexception)
            {
                System.out.println("invalid date");
                return false;
            }
        }
        return true;
    }
In Resources I've included a client that performs these operations on a chain of certificates. Assuming you've added the appropriate jar files to your CLASSPATH -- the example uses RSA (Rivest-Shamir-Adleman) certificates, so you'll also need to download and install JCE (Java Cryptography Extension) and JSSE -- you run the client as follows:

    java Client <> <>
The client will attempt to verify the certificate chain using the techniques I've presented in this article. It will print the result of this authentication step to the console.
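The Java method above needs real certificates before it can be exercised, so here is the same set of checks as an added example (not from the article or its Resources client) in Go, whose standard library can mint a throwaway root, intermediate and leaf in memory. verifyChain hands the leaf, an intermediate pool and the trusted root to x509.Certificate.Verify, which walks issuer to subject, checks each signature, anchors at the root, tests validity at the supplied time and matches the target name; the CA names and www.example.com are constructed test values.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; acceptable here because all material is minted in memory.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// buildChain mints a constructed root -> intermediate -> leaf chain on throwaway P-256
// keys, each valid for one year from notBefore; the leaf names www.example.com.
func buildChain(notBefore time.Time) (root, inter, leaf *x509.Certificate) {
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	}
	// mint keys the subject and has signer (the issuer's key) sign subj; a nil signer means self-signed.
	mint := func(subj, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		if signer == nil {
			parent, signer = subj, key
		}
		der := must(x509.CreateCertificate(rand.Reader, subj, parent, &key.PublicKey, signer))
		return must(x509.ParseCertificate(der)), key
	}
	root, rootKey := mint(tmpl(1, "Example Root CA", true), nil, nil)
	inter, interKey := mint(tmpl(2, "Example Intermediate CA", true), root, rootKey)
	leafTmpl := tmpl(3, "www.example.com", false)
	leafTmpl.DNSNames, leafTmpl.ExtKeyUsage = []string{"www.example.com"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _ = mint(leafTmpl, inter, interKey)
	return root, inter, leaf
}

// verifyChain runs the article's checks in one call: issuer/subject linkage with signature
// verification, anchoring in root, validity at now, and a DNS name match against host.
func verifyChain(leaf, inter, root *x509.Certificate, host string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now})
	return err
}
```

Two differences from the Java code are worth noting: the target check is against the leaf's DNS subject alternative names rather than a distinguished-name string, and the order of the supplied certificates does not matter because the verifier looks up each issuer in the intermediate pool.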
Earlier I mentioned that certificate verification is a lengthy process, and that implementers are prone to making mistakes. Luckily, help is on the way. Java Specification Request #55, Certification Path API, led by Sean Mullan of Sun, will provide a general-purpose API for completing X.509 certification path (or chain) verification according to the emerging PKIX standards. If carried out correctly, it will greatly simplify the process of certificate verification.