Maybe this is a duplicate question, but I didn't get complete clarity from the previous question; that is why I am posting a new question. Please have a look into this. I will place the CA certificate in my resource folder to authenticate CA-certified certificates, and the same CA certificate will be there on the server also.

  • I am creating the .crt file, which is not signed by any certificate, and sending it to the server.
  • The server will sign the .crt file using the CA certificate and send that file back to me again.
  • After receiving that signed .crt file I need to verify it with my CA certificate, which I already have in the resource folder.
  • I am able to create a TrustManager with my CA certificate using the following code:

    import android.content.res.AssetManager;
    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManagerFactory;

    // Load the CA certificate from the app's assets (asset name as in the original post)
    AssetManager assetManager = getResources().getAssets();
    InputStream inputStream = null;
    try {
        inputStream = assetManager.open("Issuer certificate");
    } catch (IOException e) {
        e.printStackTrace();
    }
    if (inputStream == null) {
        throw new IOException("CA certificate asset not found");
    }
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    InputStream caInput = new BufferedInputStream(inputStream);
    Certificate ca;
    try {
        ca = cf.generateCertificate(caInput);
        System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
    } finally {
        caInput.close();
    }
    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", ca);
    // Create a TrustManager that trusts the CAs in our KeyStore
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(keyStore);

    After getting this trust manager, how should I compare the .crt certificate which I got from the server? My doubt: do I need to create another trust manager and, after getting those two trust managers, compare any provider names or something like that? Please provide any information about this process if I am wrong.

    Please explain your workflow in more detail. Do you really send a certificate to a server/CA to let it sign? Shouldn't that be a certificate request, because a certificate is already signed per definition? – flx Sep 16, 2013 at 7:34

    Finally able to validate the certificate with the following process. I hope this helps others...

    import android.content.res.AssetManager;
    import java.io.BufferedInputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.cert.*;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.List;
    import java.util.Set;

    public void validateCertificate() throws Exception {
        try {
            // Asset names as given in the original post
            String issuerCertPath = "Issuer Certificate";
            String certPath = "Issued Certificate";
            X509Certificate issuerCert = getCertFromFile(issuerCertPath);
            X509Certificate c1 = getCertFromFile(certPath);
            // The CA certificate from the assets folder is the only trust anchor
            TrustAnchor anchor = new TrustAnchor(issuerCert, null);
            Set<TrustAnchor> anchors = Collections.singleton(anchor);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // The path to validate holds only the certificate returned by the server
            List<Certificate> list = Arrays.asList(new Certificate[] { c1 });
            CertPath path = cf.generateCertPath(list);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            // validate() throws CertPathValidatorException if the path is not valid
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator
                    .validate(path, params);
            System.out.println("VALID");
        } catch (Exception e) {
            System.out.println("EXCEPTION " + e.getMessage());
            e.printStackTrace();
        }
    }

    private X509Certificate getCertFromFile(String path) throws Exception {
        AssetManager assetManager = MyActivity.this.getResources().getAssets();
        InputStream inputStream = null;
        try {
            inputStream = assetManager.open(path);
        } catch (IOException e) {
            e.printStackTrace();
        }
        if (inputStream == null) {
            throw new IOException("Certificate asset not found: " + path);
        }
        InputStream caInput = new BufferedInputStream(inputStream);
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(caInput);
        } finally {
            caInput.close();
        }
    }
    This does not validate the hostname and is therefore prone to MitM attacks. You should add a hostname verification step. – Flow Aug 15, 2014 at 7:50

    How do I add the host name check? Is it there in the certificate file, or do I have to get it as a function parameter? – nsp May 15, 2015 at 13:47

    Addressing the comment made by @Flow on the answer above, I was able to add a hostname verification step using the following piece of code:

    // org.apache.http.conn.ssl.DefaultHostnameVerifier (Apache HttpClient 4.4+)
    void checkHostname(X509Certificate cert) throws javax.net.ssl.SSLException {
        DefaultHostnameVerifier hv = new DefaultHostnameVerifier();
        hv.verify("dummyhostname.com", cert); // throws SSLException if the name does not match
    }

    The hostname verifier is available in org.apache.http.conn.ssl.DefaultHostnameVerifier and is used in SSLConnectionSocketFactory. If anyone thinks this is wrong, I would love to know; this was the result of somewhat short googling.
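As an added, self-contained example (not code from either answer), here are the two steps combined with JDK classes only: PKIX path validation against the CA from the assets folder, followed by a hostname check against the certificate's subjectAltName dNSName entries, so no Apache HttpClient dependency is needed. It assumes the certificates are already loaded as X509Certificate objects (as in the accepted answer's getCertFromFile) and that `hostname` is the name the client intended to connect to; without step 2 any certificate the CA ever issued would be accepted for any host, which is the MitM risk raised in the comment.

```java
import java.security.cert.*;
import java.util.*;

public final class ServerCertCheck {

    /** Validates leaf (plus any intermediates) up to the trusted CA, then checks the hostname. */
    public static void check(X509Certificate leaf, List<X509Certificate> intermediates,
                             X509Certificate trustedCa, String hostname) throws Exception {
        // 1. Chain validation: the CA from the assets folder is the only trust anchor
        List<Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        chain.addAll(intermediates);
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(trustedCa, null)));
        params.setRevocationEnabled(false); // no CRL/OCSP source in this setup (same as the answer)
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if not valid

        // 2. Hostname check: the leaf must carry the expected name as a dNSName SAN
        if (!matchesHostname(leaf, hostname)) {
            throw new CertificateException("certificate is not issued for " + hostname);
        }
    }

    /** True if any subjectAltName dNSName entry matches hostname (wildcard only in the leftmost label). */
    static boolean matchesHostname(X509Certificate cert, String hostname)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String host = hostname.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != 2) continue; // 2 = dNSName, per the X509Certificate javadoc
            if (matchesPattern(host, ((String) san.get(1)).toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }

    static boolean matchesPattern(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        // "*.example.com" matches exactly one extra label: "a.example.com" but not "a.b.example.com"
        String suffix = pattern.substring(1); // ".example.com"
        if (!host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");
    }
}
```

Names found only in the certificate's subject CN are deliberately ignored here; if the server-issued certificates in this setup carry no SAN extension, they need to be issued with one for this check to pass.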
