# java.security.cert

***

**1. Certificate Factory**

```java
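// Parse an X.509 certificate from a file.
// Parsing establishes no trust: the result is unverified data until its chain has
// been validated against a trust anchor (see CertPathValidator).
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert;
// try-with-resources closes the file even when generateCertificate throws.
try (FileInputStream in = new FileInputStream("cert.der")) {
    cert = (X509Certificate) cf.generateCertificate(in);
}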
```

**2. Certificate Encodings**

```java
// Round trip: serialize the certificate (ASN.1 DER for X.509), then parse the bytes back.
byte[] encoded = cert.getEncoded();
CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
ByteArrayInputStream encodedStream = new ByteArrayInputStream(encoded);
cert = (X509Certificate) x509Factory.generateCertificate(encodedStream);
```

**3. Key Usage**

```java
// getKeyUsage() returns null when the certificate carries no KeyUsage extension.
// Index meaning: [0] digitalSignature, [1] nonRepudiation, [2] keyEncipherment,
// [3] dataEncipherment, [4] keyAgreement, [5] keyCertSign, [6] cRLSign,
// [7] encipherOnly, [8] decipherOnly.
boolean[] keyUsage = cert.getKeyUsage();
if (keyUsage != null) {
    String rendered = Arrays.toString(keyUsage);
    System.out.println("Key usage: " + rendered);
}
```

**4. Extended Key Usage**

```java
// getExtendedKeyUsage() yields the permitted purposes as dotted OID strings
// (for example 1.3.6.1.5.5.7.3.1 is TLS server authentication), or null when the
// extension is absent.
List<String> extendedKeyUsage = cert.getExtendedKeyUsage();
if (extendedKeyUsage != null) {
    String line = "Extended key usage: " + extendedKeyUsage;
    System.out.println(line);
}
```

**5. Subject Alternative Names**

```java
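// getSubjectAlternativeNames() returns Collection<List<?>> (java.util), not a list
// of typed names. Each entry is a two-element list [Integer nameType, value]; the
// value is a String for types such as dNSName (2) and iPAddress (7).
// null means the certificate has no SubjectAltName extension.
// These are the names that TLS hostname verification matches against.
Collection<List<?>> subjectAltNames = cert.getSubjectAlternativeNames();
if (subjectAltNames != null) {
    System.out.println("Subject alternative names: " + subjectAltNames);
}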
```

**6. Issuer and Serial Number**

```java
// A serial number is unique only within one issuer, so the issuer/serial pair
// (not the serial alone) identifies a certificate, e.g. when matching a CRL entry.
BigInteger serialNumber = cert.getSerialNumber();
X500Principal issuer = cert.getIssuerX500Principal();
String summary = "Issuer: " + issuer + ", Serial number: " + serialNumber;
System.out.println(summary);
```

**7. Validity Period**

```java
// Reads the validity window only; cert.checkValidity() is the call that compares
// it with the current time.
Date notBefore = cert.getNotBefore();
Date notAfter = cert.getNotAfter();
StringBuilder line = new StringBuilder("Validity period: ");
line.append(notBefore).append(" to ").append(notAfter);
System.out.println(line);
```

**8. Signature**

```java
// Reads the signature bytes and the algorithm name; nothing here verifies them.
// Verification is cert.verify(issuerPublicKey), or full certification path validation.
String algorithm = cert.getSigAlgName();
byte[] signature = cert.getSignature();
String renderedSignature = Arrays.toString(signature);
System.out.println("Signature algorithm: " + algorithm + ", Signature: " + renderedSignature);
```

**9. Public Key**

```java
// The key is taken straight from the certificate, so it is only as trustworthy as
// the certificate itself; validate the chain before relying on it.
PublicKey publicKey = cert.getPublicKey();
```

**10. CRL Distribution Points**

```java
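// java.security.cert.X509Certificate has no typed accessor for this extension; it is
// read by OID. 2.5.29.31 is id-ce-cRLDistributionPoints. The result is the
// DER-encoded OCTET STRING holding the extension value (null when absent) and still
// needs an ASN.1 parser to extract the URLs.
// URLs taken from a certificate that has not been validated are untrusted input.
byte[] crlDistributionPoints = cert.getExtensionValue("2.5.29.31");
if (crlDistributionPoints != null) {
    System.out.println("CRL distribution points: " + Arrays.toString(crlDistributionPoints));
}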
```

**11. Authority Information Access**

```java
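// java.security.cert.X509Certificate has no typed accessor for this extension; it is
// read by OID. 1.3.6.1.5.5.7.1.1 is id-pe-authorityInfoAccess (OCSP responder and
// CA issuer locations). The result is the DER-encoded OCTET STRING holding the
// extension value (null when absent) and still needs an ASN.1 parser.
// URLs taken from a certificate that has not been validated are untrusted input.
byte[] authorityInfoAccess = cert.getExtensionValue("1.3.6.1.5.5.7.1.1");
if (authorityInfoAccess != null) {
    System.out.println("Authority information access: " + Arrays.toString(authorityInfoAccess));
}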
```

**12. Basic Constraints**

```java
// getBasicConstraints() returns -1 for a non-CA certificate; for a CA it returns the
// path length constraint, or Integer.MAX_VALUE when no limit is set.
int pathLength = cert.getBasicConstraints();
boolean ca = pathLength != -1;
System.out.println("Certificate authority: " + ca);
```

**13. Trust Anchor**

```java
// Wraps cert as a PKIX trust anchor. The second argument is the name constraints;
// null means none are applied.
// NOTE(review): path validation trusts this certificate unconditionally, so it should
// come from a local, vetted store - confirm where cert was loaded from.
TrustAnchor trustAnchor = new TrustAnchor(cert, null);
```

**14. Certificate Chain Verification**

```java
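// Validate leaf -> intermediate against a locally trusted root.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate rootCert;
X509Certificate intermediateCert;
X509Certificate leafCert;
// try-with-resources closes all three files even when parsing throws.
try (FileInputStream rootIn = new FileInputStream("root.crt");
     FileInputStream intermediateIn = new FileInputStream("intermediate.crt");
     FileInputStream leafIn = new FileInputStream("leaf.crt")) {
    rootCert = (X509Certificate) cf.generateCertificate(rootIn);
    intermediateCert = (X509Certificate) cf.generateCertificate(intermediateIn);
    leafCert = (X509Certificate) cf.generateCertificate(leafIn);
}
// CertPath has no getInstance()/addCertificate(); a path is built by the factory.
// It is ordered from the target certificate upwards and, by convention, does not
// include the trust anchor's own certificate.
CertPath certPath = cf.generateCertPath(Arrays.asList(leafCert, intermediateCert));
// The root is the trust anchor. root.crt must come from a local, vetted store:
// whatever is placed here is trusted unconditionally.
PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(rootCert, null)));
// Revocation checking is switched off here, so a revoked certificate still validates.
// Leave it enabled (the default) once CRLs or OCSP are available to the validator.
params.setRevocationEnabled(false);
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
// validate() throws CertPathValidatorException when the path does not validate.
PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(certPath, params);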
```

**15. Certificate Revocation**

```java
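// There is no CRLFactory in java.security.cert; CRLs are parsed by CertificateFactory.
CRL crl;
try (FileInputStream in = new FileInputStream("crl.der")) {
    crl = CertificateFactory.getInstance("X.509").generateCRL(in);
}
// isRevoked() only looks the certificate up in the list. It does not check that the
// CRL was signed by the certificate's issuer or that it is still current, so verify
// the CRL (X509CRL.verify with the issuer's public key, and its nextUpdate) first.
if (crl.isRevoked(cert)) {
    System.out.println("Certificate has been revoked");
}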
```

**16. OCSP Validation**

```java
// NOTE(review): OCSPClient, OCSPResp and CertificateStatus are not java.security.cert
// types; confirm which library provides them and that it verifies the responder's
// signature on the response.
// Only the GOOD outcome is handled: a revoked, unknown or unreachable result prints
// nothing here, so every other outcome has to be treated as a failure by the caller.
OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));
if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}
```

**17. HTTPS Client**

```java
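URL url = new URL("https://www.example.com");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
// getServerCertificates() throws IllegalStateException until the connection is
// established, so complete the TLS handshake first.
connection.connect();
// The method returns Certificate[] (peer's own certificate first, then its CAs);
// cast individual entries to X509Certificate where X.509 accessors are needed.
// The chain has already passed the default trust manager and hostname check.
Certificate[] certs = connection.getServerCertificates();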
```

**18. HTTPS Server**

```java
// KeyManagerImpl and TrustManagerImpl are application classes not shown on this page.
// NOTE(review): the TrustManager decides which peers are accepted; an implementation
// whose check methods never throw accepts every certificate - confirm what it does.
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = new KeyManager[] { new KeyManagerImpl() };
TrustManager[] trustManagers = new TrustManager[] { new TrustManagerImpl() };
// A null SecureRandom selects the default implementation.
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
```

**19. LDAP Certificate Retrieval**

```java
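// The JNDI interface is javax.naming.ldap.LdapContext (not LDAPContext).
// NOTE(review): an empty Properties carries no provider URL or credentials - confirm
// how the directory connection is configured.
LdapContext ctx = new InitialLdapContext(new Properties(), null);
byte[] certBytes = null;
try {
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // The filter is a constant here. If the cn ever comes from user input it must be
    // escaped for LDAP filters before being concatenated in.
    NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
    // Guard against an empty result set and a missing attribute instead of failing
    // with NoSuchElementException / NullPointerException.
    if (results.hasMore()) {
        Attribute certAttribute = results.next().getAttributes().get("userCertificate");
        if (certAttribute != null) {
            // Attribute.get() returns Object; the certificate value is a byte[].
            certBytes = (byte[]) certAttribute.get();
        }
    }
} finally {
    ctx.close();
}
// certBytes is unvalidated data from the directory: parse it and validate the chain
// before trusting it.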
```

**20. DNSSEC Validation**

```java
// NOTE(review): DNSNameResolver, DNSRecord, DClass and DType are not JDK types;
// confirm which library provides them.
// As written this is a TXT lookup against one configured server. No DNSSEC signature
// (RRSIG/DNSKEY) validation is visible in this fragment, so the records should be
// treated as unauthenticated unless the resolver is known to validate internally.
DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);
```

**21. Certificate Chain Builder**

```java
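// Build and validate a path from leafCert up to a locally trusted root.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate intermediateCert;
X509Certificate rootCert;
try (FileInputStream intermediateIn = new FileInputStream("intermediate.crt");
     FileInputStream rootIn = new FileInputStream("root.crt")) {
    intermediateCert = (X509Certificate) cf.generateCertificate(intermediateIn);
    rootCert = (X509Certificate) cf.generateCertificate(rootIn);
}
// The JDK class is CertPathBuilder, configured through PKIXBuilderParameters;
// PKIXCertPathChecker is abstract and cannot be instantiated directly.
X509CertSelector target = new X509CertSelector();
target.setCertificate(leafCert);
// root.crt must come from a local, vetted store: the anchor is trusted unconditionally.
PKIXBuilderParameters params =
        new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(rootCert, null)), target);
// Candidate certificates the builder may use to link the target to the anchor.
params.addCertStore(CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(Arrays.asList(leafCert, intermediateCert))));
// Revocation checking is enabled by default: supply CRLs through a CertStore or
// configure OCSP, otherwise build() fails with CertPathBuilderException.
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
CertPathBuilderResult result = builder.build(params);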
```

**22. KeyStore**

```java
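KeyStore ks = KeyStore.getInstance("JKS");
// KeyStore.load takes the password as char[], not String. The literal is a
// placeholder: read the real password from protected configuration, never from source.
char[] storePassword = "password".toCharArray();
try (FileInputStream in = new FileInputStream("keystore.jks")) {
    // load() also uses the password to check the keystore's integrity.
    ks.load(in, storePassword);
} finally {
    // Clear the copy so the password does not linger on the heap.
    Arrays.fill(storePassword, '\0');
}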
```

**23. Certificate Encoding**

```java
// getEncoded() returns the certificate's encoded form (ASN.1 DER for X.509).
byte[] encoded = cert.getEncoded();
```

**24. Certificate Decoding**

```java
// Parse encoded bytes back into a certificate object. Decoding checks structure
// only; it does not establish that the certificate is trusted.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream encodedStream = new ByteArrayInputStream(encoded);
X509Certificate cert = (X509Certificate) cf.generateCertificate(encodedStream);
```

**25. Certificate Fingerprint**

```java
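// SHA-256 rather than SHA-1: SHA-1 is no longer collision resistant, so a SHA-1
// fingerprint should not be used to pin or identify a certificate.
// The fingerprint is the digest of the full encoded certificate.
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] fingerprint = md.digest(cert.getEncoded());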
```

**26. Certificate Validity Checking**

```java
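// checkValidity() compares the validity window with the current time in one call,
// instead of sampling the clock twice with separate Date instances.
// Being inside the window says nothing about trust or revocation.
try {
    cert.checkValidity();
} catch (CertificateExpiredException | CertificateNotYetValidException e) {
    System.out.println("Certificate is not valid");
}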
```

**27. Certificate Expiration Checking**

```java
// Expiry check only: a certificate that is not yet valid (notBefore in the future)
// passes this test.
Date expirationDate = cert.getNotAfter();
Date now = new Date();
boolean expired = now.after(expirationDate);
if (expired) {
    System.out.println("Certificate has expired");
}
```

**28. Certificate Chain Validation**

```java
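// Validate an existing certPath against trustAnchor (both defined by the caller).
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
// Revocation checking stays at its default (enabled), so the validator needs CRLs
// or OCSP to be available; validate() throws CertPathValidatorException on failure.
// The JDK result type is CertPathValidatorResult.
CertPathValidatorResult result = validator.validate(certPath, params);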
```

**29. CRL Retrieval**

```java
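// There is no CRLFactory in java.security.cert, and generateCRL() reads from an
// InputStream rather than a URL.
CRL crl;
try (InputStream in = new URL("http://crl.example.com").openStream()) {
    crl = CertificateFactory.getInstance("X.509").generateCRL(in);
}
// The download is plain HTTP, so the only integrity protection is the CRL's own
// signature: verify it (X509CRL.verify with the issuer's public key) and check
// nextUpdate before acting on the list.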
```

**30. CRL Validation**

```java
// isRevoked() is a lookup only; it does not verify the CRL's signature or freshness.
boolean revoked = crl.isRevoked(cert);
if (revoked) {
    System.out.println("Certificate has been revoked");
}
```

**31. OCSP Retrieval**

```java
// NOTE(review): OCSPClient and OCSPResp are not java.security.cert types; confirm
// which library provides them.
// The request goes over plain HTTP, so the response is authenticated only by the
// responder's signature - confirm that the client verifies it.
OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));
```

**32. OCSP Validation**

```java
// Only the GOOD outcome is handled: a revoked, unknown or missing response prints
// nothing here, so every other outcome has to be treated as a failure by the caller.
// NOTE(review): CertificateStatus is not a JDK type - confirm what GOOD compares against.
if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}
```

**33. HTTPS Client with Certificate Validation**

```java
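HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
// HttpsURLConnection already matches the requested host against the server
// certificate. This callback runs only after that built-in check has failed, so
// returning true from it accepts a certificate issued for a different host.
// Comparing the subject DN with a fixed string ignored the hostname argument and
// the subjectAltName entries; rejecting the mismatch keeps the default guarantee.
connection.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return false;
    }
});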
```

**34. HTTPS Server with Certificate Authentication**

```java
// KeyManagerImpl and TrustManagerImpl are application classes not shown on this page.
// NOTE(review): nothing in this fragment requests a client certificate; that is done
// with setNeedClientAuth(true) on the SSLServerSocket the factory creates, and the
// TrustManager must actually reject untrusted client chains - confirm both.
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = new KeyManager[] { new KeyManagerImpl() };
TrustManager[] trustManagers = new TrustManager[] { new TrustManagerImpl() };
// A null SecureRandom selects the default implementation.
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
```

**35. LDAP Certificate Retrieval**

```java
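// The JNDI interface is javax.naming.ldap.LdapContext (not LDAPContext).
// NOTE(review): an empty Properties carries no provider URL or credentials - confirm
// how the directory connection is configured.
LdapContext ctx = new InitialLdapContext(new Properties(), null);
byte[] certBytes = null;
try {
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // The filter is a constant here. If the cn ever comes from user input it must be
    // escaped for LDAP filters before being concatenated in.
    NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
    // Guard against an empty result set and a missing attribute instead of failing
    // with NoSuchElementException / NullPointerException.
    if (results.hasMore()) {
        Attribute certAttribute = results.next().getAttributes().get("userCertificate");
        if (certAttribute != null) {
            // Attribute.get() returns Object; the certificate value is a byte[].
            certBytes = (byte[]) certAttribute.get();
        }
    }
} finally {
    ctx.close();
}
// certBytes is unvalidated data from the directory: parse it and validate the chain
// before trusting it.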
```

**36. DNSSEC Validation**

```java
// NOTE(review): DNSNameResolver, DNSRecord, DClass and DType are not JDK types;
// confirm which library provides them.
// As written this is a TXT lookup against one configured server. No DNSSEC signature
// (RRSIG/DNSKEY) validation is visible in this fragment, so the records should be
// treated as unauthenticated unless the resolver is known to validate internally.
DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);
```

**37. Certificate Encoding**

```java
// getEncoded() returns the certificate's encoded form (ASN.1 DER for X.509).
byte[] encoded = cert.getEncoded();
```

**38. Certificate Decoding**

```java
// Parse encoded bytes back into a certificate object. Decoding checks structure
// only; it does not establish that the certificate is trusted.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream encodedStream = new ByteArrayInputStream(encoded);
X509Certificate cert = (X509Certificate) cf.generateCertificate(encodedStream);
```

**39. Certificate Fingerprint**

```java
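// SHA-256 rather than SHA-1: SHA-1 is no longer collision resistant, so a SHA-1
// fingerprint should not be used to pin or identify a certificate.
// The fingerprint is the digest of the full encoded certificate.
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] fingerprint = md.digest(cert.getEncoded());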
```

**40. Certificate Validity Checking**

```java
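// checkValidity() compares the validity window with the current time in one call,
// instead of sampling the clock twice with separate Date instances.
// Being inside the window says nothing about trust or revocation.
try {
    cert.checkValidity();
} catch (CertificateExpiredException | CertificateNotYetValidException e) {
    System.out.println("Certificate is not valid");
}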
```

**41. Certificate Expiration Checking**

```java
// Expiry check only: a certificate that is not yet valid (notBefore in the future)
// passes this test.
Date expirationDate = cert.getNotAfter();
Date now = new Date();
boolean expired = now.after(expirationDate);
if (expired) {
    System.out.println("Certificate has expired");
}
```

**42. Certificate Chain Validation**

```java
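// Validate an existing certPath against trustAnchor (both defined by the caller).
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
PKIXParameters params = new PKIXParameters(Collections.singleton(trustAnchor));
// Revocation checking stays at its default (enabled), so the validator needs CRLs
// or OCSP to be available; validate() throws CertPathValidatorException on failure.
// The JDK result type is CertPathValidatorResult.
CertPathValidatorResult result = validator.validate(certPath, params);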
```

**43. CRL Retrieval**

```java
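// There is no CRLFactory in java.security.cert, and generateCRL() reads from an
// InputStream rather than a URL.
CRL crl;
try (InputStream in = new URL("http://crl.example.com").openStream()) {
    crl = CertificateFactory.getInstance("X.509").generateCRL(in);
}
// The download is plain HTTP, so the only integrity protection is the CRL's own
// signature: verify it (X509CRL.verify with the issuer's public key) and check
// nextUpdate before acting on the list.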
```

**44. CRL Validation**

```java
// isRevoked() is a lookup only; it does not verify the CRL's signature or freshness.
boolean revoked = crl.isRevoked(cert);
if (revoked) {
    System.out.println("Certificate has been revoked");
}
```

**45. OCSP Retrieval**

```java
// NOTE(review): OCSPClient and OCSPResp are not java.security.cert types; confirm
// which library provides them.
// The request goes over plain HTTP, so the response is authenticated only by the
// responder's signature - confirm that the client verifies it.
OCSPClient client = new OCSPClient();
OCSPResp response = client.checkCertStatus(cert, new URL("http://ocsp.example.com"));
```

**46. OCSP Validation**

```java
// Only the GOOD outcome is handled: a revoked, unknown or missing response prints
// nothing here, so every other outcome has to be treated as a failure by the caller.
// NOTE(review): CertificateStatus is not a JDK type - confirm what GOOD compares against.
if (response.getStatus() == CertificateStatus.GOOD) {
    System.out.println("Certificate is valid");
}
```

**47. HTTPS Client with Certificate Validation**

```java
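HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
// HttpsURLConnection already matches the requested host against the server
// certificate. This callback runs only after that built-in check has failed, so
// returning true from it accepts a certificate issued for a different host.
// Comparing the subject DN with a fixed string ignored the hostname argument and
// the subjectAltName entries; rejecting the mismatch keeps the default guarantee.
connection.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return false;
    }
});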
```

**48. HTTPS Server with Certificate Authentication**

```java
// KeyManagerImpl and TrustManagerImpl are application classes not shown on this page.
// NOTE(review): nothing in this fragment requests a client certificate; that is done
// with setNeedClientAuth(true) on the SSLServerSocket the factory creates, and the
// TrustManager must actually reject untrusted client chains - confirm both.
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManager[] keyManagers = new KeyManager[] { new KeyManagerImpl() };
TrustManager[] trustManagers = new TrustManager[] { new TrustManagerImpl() };
// A null SecureRandom selects the default implementation.
sslContext.init(keyManagers, trustManagers, null);
SSLServerSocketFactory factory = sslContext.getServerSocketFactory();
```

**49. LDAP Certificate Retrieval**

```java
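// The JNDI interface is javax.naming.ldap.LdapContext (not LDAPContext).
// NOTE(review): an empty Properties carries no provider URL or credentials - confirm
// how the directory connection is configured.
LdapContext ctx = new InitialLdapContext(new Properties(), null);
byte[] certBytes = null;
try {
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // The filter is a constant here. If the cn ever comes from user input it must be
    // escaped for LDAP filters before being concatenated in.
    NamingEnumeration<SearchResult> results = ctx.search(dn, "(&(objectClass=user)(cn=john))", controls);
    // Guard against an empty result set and a missing attribute instead of failing
    // with NoSuchElementException / NullPointerException.
    if (results.hasMore()) {
        Attribute certAttribute = results.next().getAttributes().get("userCertificate");
        if (certAttribute != null) {
            // Attribute.get() returns Object; the certificate value is a byte[].
            certBytes = (byte[]) certAttribute.get();
        }
    }
} finally {
    ctx.close();
}
// certBytes is unvalidated data from the directory: parse it and validate the chain
// before trusting it.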
```

**50. DNSSEC Validation**

```java
// NOTE(review): DNSNameResolver, DNSRecord, DClass and DType are not JDK types;
// confirm which library provides them.
// As written this is a TXT lookup against one configured server. No DNSSEC signature
// (RRSIG/DNSKEY) validation is visible in this fragment, so the records should be
// treated as unauthenticated unless the resolver is known to validate internally.
DNSNameResolver resolver = new DNSNameResolver();
resolver.setServerAddress(InetAddress.getByName("dns.example.com"));
List<DNSRecord> records = resolver.lookupRecords(name, DClass.IN, DType.TXT);
```
