java - Issue in checking server certificate in checkServerTrusted

Question

I am referring Validate X.509 certificate against CA in Java this post.

My implementation of checkServerTrusted look like:

@Override
            public void checkServerTrusted(X509Certificate[] certs, String authType) throws  CertificateException{
                 InputStream inStream;
                try {
                        inStream = new FileInputStream("E:\Desktop\cert\domain.crt");
                        CertificateFactory cf = CertificateFactory.getInstance("X.509");
                        X509Certificate Mycert = (X509Certificate)cf.generateCertificate(inStream);
                        inStream.close();      

                        if (certs == null || certs.length == 0 || authType == null
                                || authType.length() == 0) {
                            throw new IllegalArgumentException("null or zero-length parameter");
                        }

                         for (X509Certificate cert : certs) {
                             cert.verify(Mycert.getPublicKey());
                         }


                } catch (Exception e) {
                    // TODO Auto-generated catch block
                    throw new CertificateException("error in validating certificate" , e);
                }

            }

file domain.crt is exported from browser after opening website. certificate path look like .

If i open this file in notepad only one BEGIN CERTIFICATE and END CERTIFICATE is their so its not chain of certificate.

If I debug code then, in for loop @ LOC cert.verify(Mycert.getPublicKey()); at the very first cert[0] certificate I got exception as java.security.SignatureException: Signature does not match.

Where I am doing wrong?

Answer 1

It doesn't make sense to try to verify all the certificates in the chain against a single public key. Most of them won't have been signed by it, so the procedure is bound to fail, and throw an exception to the caller.

You need to review what it is you're supposed to do in this method. See the Javadoc. You're trying to establish a certificate path from this chain to a trusted root certificate.

In this case the trusted root certificate is presumably the one you loaded from the file.

What you should be doing therefore is:

1. Look for that certificate in the chain, and if not found
2. Verify the last certificate in the chain against this public key, as that is the topmost signer, and that's the only one you need to trust. The rest of them are trusted by their respective sucessors in the chain, and none of their successors are this trusted root certificate, by (1).
3. If the certificate is found in the chain, verify the previous certificate. i.e. the one signed by this certificate, with this public key.

It isn't clear to me whether you need to also verify each certificate in the chain, except the last, with the next one's public key, but it can't hurt.

EDIT You should also implement the suggestion in this answer.