Certificates

Demystifying digital certificates

Three things:

  • Certificate generator - It holds the key pair: the public key and the private key.

  • Self-signed certificate - It holds a copy of the public key and a signature generated with its own private key. Its issuer equals its subject. All certificates start life as self-signed.

  • Signed certificate - It holds a copy of the public key and a signature generated by another certificate's private key. Its issuer is not equal to its subject.

A signer certificate must possess the CA extension, and this is set during construction. The last certificate in a chain, known as the leaf certificate, does not have the CA extension and thus cannot be used to sign another certificate.

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import sun.security.tools.keytool.CertAndKeyGen; // sun.security.x509.CertAndKeyGen on Java 7 and earlier
import sun.security.x509.X500Name;

// The generator owns the key pair; the certificate later receives only a copy of the public key.
CertAndKeyGen generator
  = new CertAndKeyGen("RSA", "SHA1WithRSA", null);
generator.generate(1024); // demo values: SHA-1 and 1024-bit RSA are too weak for real deployments
PrivateKey privkey = generator.getPrivateKey();
byte[] buf = privkey.getEncoded();           // private key: lives only in the generator
buf = generator.getPublicKey().getEncoded(); // public key: also in the generator

// Self-signed certificate: issuer == subject, validity given in seconds (one year here)
X509Certificate cert = generator.getSelfCertificate(
  new X500Name("CN=ROOT"), (long)365 * 24 * 60 * 60);

buf = cert.getSignature();                  // signature: in the certificate
buf = cert.getPublicKey().getEncoded();     // public key: copied into the certificate
System.out.println(cert.getIssuerDN().toString());  // CN=ROOT
System.out.println(cert.getSubjectDN().toString()); // CN=ROOT

Observe where the private key, the public key and the signature each come from. Both the private key and the public key are found in the generator. The generator creates the certificate, and only the public key is copied into it; the private key never leaves the generator.

When one certificate signs another, it looks like this:

userCertificate = createSignedCertificate(
      userCertificate,
      signerCertificate,
      signerPrivateKey);

Notice that the first parameter is also the output. In essence, createSignedCertificate( ) in the snippet above transforms userCertificate. After the transformation, the signature in the certificate is the value produced on behalf of signerCertificate. Most important is the private key, which is needed to compute the signature. The signerCertificate is passed in only so that the signer's name can be extracted and embedded as the issuer of the signed certificate.

In an X.509 trust chain A -> B -> C:

A is the root CA and B is an intermediate CA. In this scenario, the C certificate can only be verified with the public key of B, not with the public key of A.
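The transformation described above, carried through for the chain A -> B -> C, as an added example that is not part of the original notes. It uses the Bouncy Castle builder API (bcprov and bcpkix on the classpath) instead of the page's CertAndKeyGen; the function name issue, the class name ChainDemo and the subject names are assumptions chosen for this example.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class ChainDemo { // hypothetical demo class, not from the notes
    // Issue a certificate for subjectKey. The signature comes from issuerKey; the issuer name is
    // copied from issuerCert's subject (issuerCert == null means self-signed: issuer == subject).
    static X509Certificate issue(String subject, PublicKey subjectKey, X509Certificate issuerCert,
                                 PrivateKey issuerKey, boolean ca) throws Exception {
        X500Principal subjectDn = new X500Principal(subject);
        X500Principal issuerDn = issuerCert == null ? subjectDn : issuerCert.getSubjectX500Principal();
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerDn,
                BigInteger.valueOf(now), new Date(now), new Date(now + 365L * 24 * 60 * 60 * 1000),
                subjectDn, subjectKey);
        // The CA extension decides whether this certificate may sign others; the leaf gets cA=false.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    static KeyPair keyPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        KeyPair a = keyPair(), b = keyPair(), c = keyPair();
        X509Certificate certA = issue("CN=A", a.getPublic(), null, a.getPrivate(), true);   // root, self-signed
        X509Certificate certB = issue("CN=B", b.getPublic(), certA, a.getPrivate(), true);  // intermediate CA
        X509Certificate certC = issue("CN=C", c.getPublic(), certB, b.getPrivate(), false); // leaf
        System.out.println(certC.getIssuerX500Principal() + " signed " + certC.getSubjectX500Principal());
        certC.verify(certB.getPublicKey()); // C verifies with B's public key ...
        try {
            certC.verify(certA.getPublicKey()); // ... but not with A's: the signature does not match
        } catch (SignatureException e) {
            System.out.println("A's key does not verify C: " + e.getMessage());
        }
        System.out.println("C has the CA extension? " + (certC.getBasicConstraints() != -1)); // false
    }
}
```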

Keystore

Store private keys in a keystore. Each private key has an associated certificate chain. A private key alone, without a certificate chain, has no value because it cannot prove anything about itself. The private key is the link to an identity, and the associated chain is the proof of that identity. Sure, a bare public key could also prove identity, but the X.509 roots of trust are shipped in every browser and phone and form a hierarchy. Imagine a world where every user publishes his own public key: everyone would then have to find where to download each of these public keys.

Last updated 4 years ago