java.security.cert

1. Certificate Factory

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new FileInputStream("cert.der"));

2. Certificate Encodings

byte[] encoded = cert.getEncoded();
cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(encoded));

3. Key Usage

boolean[] keyUsage = cert.getKeyUsage();
if (keyUsage != null) {
    System.out.println("Key usage: " + Arrays.toString(keyUsage));
}

4. Extended Key Usage

List<String> extendedKeyUsage = cert.getExtendedKeyUsage();
if (extendedKeyUsage != null) {
    System.out.println("Extended key usage: " + extendedKeyUsage);
}

5. Subject Alternative Names

List<GeneralName> subjectAltNames = cert.getSubjectAlternativeNames();
if (subjectAltNames != null) {
    System.out.println("Subject alternative names: " + subjectAltNames);
}

6. Issuer and Serial Number

X500Principal issuer = cert.getIssuerX500Principal();
BigInteger serialNumber = cert.getSerialNumber();
System.out.println("Issuer: " + issuer + ", Serial number: " + serialNumber);

7. Validity Period

Date notBefore = cert.getNotBefore();
Date notAfter = cert.getNotAfter();
System.out.println("Validity period: " + notBefore + " to " + notAfter);

8. Signature

byte[] signature = cert.getSignature();
String algorithm = cert.getSigAlgName();
System.out.println("Signature algorithm: " + algorithm + ", Signature: " + Arrays.toString(signature));

9. Public Key

PublicKey publicKey = cert.getPublicKey();

10. CRL Distribution Points

List<CRLDistributionPoint> crlDistributionPoints = cert.getCRLDistributionPoints();
if (crlDistributionPoints != null) {
    System.out.println("CRL distribution points: " + crlDistributionPoints);
}

11. Authority Information Access

List<AuthorityInformationAccess> authorityInfoAccess = cert.getAuthorityInfoAccess();
if (authorityInfoAccess != null) {
    System.out.println("Authority information access: " + authorityInfoAccess);
}

12. Basic Constraints

boolean ca = cert.getBasicConstraints() != -1;
System.out.println("Certificate authority: " + ca);

13. Trust Anchor

TrustAnchor trustAnchor = new TrustAnchor(cert, null);

14. Certificate Chain Verification

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate rootCert = (X509Certificate) cf.generateCertificate(new FileInputStream("root.crt"));
X509Certificate intermediateCert = (X509Certificate) cf.generateCertificate(new FileInputStream("intermediate.crt"));
X509Certificate leafCert = (X509Certificate) cf.generateCertificate(new FileInputStream("leaf.crt"));
CertPath certPath = CertPath.getInstance("X.509");
certPath.addCertificate(leafCert);
certPath.addCertificate(intermediateCert);
certPath.addCertificate(rootCert);
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
params.setRevocationEnabled(false);
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);

15. Certificate Revocation

CRL crl = CRLFactory.getInstance("PKIX").generateCRL(new FileInputStream("crl.der"));
if (crl.isRevoked(cert)) {
    System.out.println("Certificate has been revoked");
}

16. OCSP Validation

OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));
if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}

17. HTTPS Client

URL url = new URL("https://www.example.com");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
X509Certificate[] certs = connection.getServerCertificates();

18. HTTPS Server

SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = { new KeyManagerImpl() };
TrustManager[] trustManagers = { new TrustManagerImpl() };
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();

19. LDAP Certificate Retrieval

LDAPContext ctx = new InitialLdapContext(new Properties(), null);
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
byte[] certBytes = results.next().getAttributes().get("userCertificate").get();

20. DNSSEC Validation

DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);

21. Certificate Chain Builder

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate intermediateCert = (X509Certificate) cf.generateCertificate(new FileInputStream("intermediate.crt"));
X509Certificate rootCert = (X509Certificate) cf.generateCertificate(new FileInputStream("root.crt"));
CertChainBuilder builder = CertChainBuilder.getInstance("PKIX");
CertPathBuilderResult result = builder.build(new CertPathParameters.Builder(leafCert).addCertPathChecker(new PKIXCertPathChecker()).build());

22. KeyStore

KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore.jks"), "password");

23. Certificate Encoding

byte[] encoded = cert.getEncoded();

24. Certificate Decoding

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));

25. Certificate Fingerprint

MessageDigest md = MessageDigest.getInstance("SHA-1");
byte[] fingerprint = md.digest(cert.getEncoded());

26. Certificate Validity Checking

if (cert.getNotBefore().after(new Date()) || cert.getNotAfter().before(new Date())) {
    System.out.println("Certificate is not valid");
}

27. Certificate Expiration Checking

Date expirationDate = cert.getNotAfter();
if (expirationDate.before(new Date())) {
    System.out.println("Certificate has expired");
}

28. Certificate Chain Validation

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
CertPathValidationResult result = validator.validate(certPath, params);

29. CRL Retrieval

CRL crl = CRLFactory.getInstance("PKIX").generateCRL(new URL("http://crl.example.com"));

30. CRL Validation

if (crl.isRevoked(cert)) {
    System.out.println("Certificate has been revoked");
}

31. OCSP Retrieval

OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));

32. OCSP Validation

if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}

33. HTTPS Client with Certificate Validation

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return session.getPeerCertificates()[0].getSubjectDN().getName().equals("CN=www.example.com");
    }
});

34. HTTPS Server with Certificate Authentication

SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = { new KeyManagerImpl() };
TrustManager[] trustManagers = { new TrustManagerImpl() };
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();

35. LDAP Certificate Retrieval

LDAPContext ctx = new InitialLdapContext(new Properties(), null);
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
byte[] certBytes = results.next().getAttributes().get("userCertificate").get();

36. DNSSEC Validation

DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);

37. Certificate Encoding

byte[] encoded = cert.getEncoded();

38. Certificate Decoding

CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));

39. Certificate Fingerprint

MessageDigest md = MessageDigest.getInstance("SHA-1");
byte[] fingerprint = md.digest(cert.getEncoded());

40. Certificate Validity Checking

if (cert.getNotBefore().after(new Date()) || cert.getNotAfter().before(new Date())) {
    System.out.println("Certificate is not valid");
}

41. Certificate Expiration Checking

Date expirationDate = cert.getNotAfter();
if (expirationDate.before(new Date())) {
    System.out.println("Certificate has expired");
}

42. Certificate Chain Validation

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
CertPathValidationResult result = validator.validate(certPath, params);

43. CRL Retrieval

CRL crl = CRLFactory.getInstance("PKIX").generateCRL(new URL("http://crl.example.com"));

44. CRL Validation

if (crl.isRevoked(cert)) {
    System.out.println("Certificate has been revoked");
}

45. OCSP Retrieval

OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));

46. OCSP Validation

if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}

47. HTTPS Client with Certificate Validation

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
        return session.getPeerCertificates()[0].getSubjectDN().getName().equals("CN=www.example.com");
    }
});

48. HTTPS Server with Certificate Authentication

SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = { new KeyManagerImpl() };
TrustManager[] trustManagers = { new TrustManagerImpl() };
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();

49. LDAP Certificate Retrieval

LDAPContext ctx = new InitialLdapContext(new Properties(), null);
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
byte[] certBytes = results.next().getAttributes().get("userCertificate").get();

50. DNSSEC Validation

DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);

Previousjava.security.acl Nextjava.security.interfaces