I wanted to know if there is a way to sign CSR with the Java security library. We are trying to avoid to use Bouncy Castle library. We don't wont any additional dependency in our project.
Our CSR, CA private and pulic key are in PEM format.
Regards,
There is no standard Java API to do that. However, you can use the -certreq option of the keytool utility to create CSRs using private keys stored in a keystore.
Related
We have a .pfx and use the windows signtool to sign a DLL with it. I want to programmatically verify that the DLL is signed with our certificate when I load it. I use WinVerifyTrust, but that just verifies that is signed by a trusted publisher (I think). To verify that it is signed with our certificate, I think I should use CryptVerifyCertificateSignature. How do I create the "BLOB" of "CERT_SIGNED_CONTENT_INFO" from my DLL to pass to this function?
Or... is there a better or easier way to verify that the DLL is signed with our cert?
Have a look at this answer: C# implementation to get SignedCms from signed file
If you would provide some more details - for instance programming language - the community would be able to help you further and answer more accurate :-)
During installation of Eclipse (using Eclipse Installer) I get asked "Do you trust these certificates?", listing two certificates for Bouncy Castle (one signed by Sun, one by Oracle) and one certificate for Eclipse (signed by Sun). How can I validate these certificates?
I understand that this are code signing certificates for JCE (Java Cryptography Extension), i.e. certificates signed by Oracle for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. I also know that Bouncy Castle is in common use for providing algorithms related to encryption.
Two questions:
All certificates are signed by the same two CAs, but I cannot find a (public) list of "official" CA certificate fingerprints. How can I validate these?
JCE Code Signing CA, issued by and to Sun Microsystems Inc, valid to 2020-04-25, fingerprint 57:37:D1:E1:16:2F:F6:FE:26:B9:87:88:D2:86:DA:66:7F:98:54:3C
JCE Code Signing CA, issued by and to Oracle Corporation, valid to 2030-12-31, fingerprint F4:B9:C6:4A:52:AD:22:3C:E4:BF:BA:52:52:87:9C:9F:71:1D:4B:33
Why are those CAs not trusted by default, i.e. included in some trust store supplied with the JDK/JRE? The CAs are operated by Oracle (at least the CA certificates say so 😉), the JRE I'm using is provided by Oracle (openjdk 11.0.2), I see no reason the CAs should not be trusted (given they are indeed legit).
I have some difficulties to understand the difference between code signing and PKI.
Is it possible to use a PKI (with a hierarchy of CA) to issue certificate used to sign code source, and then use the revocation to invalid some software (for instance an old version that should not be used) ? Or are X.509 certificate incompatible with code signing and i'm missing something ?
Thanks your very much.
The PKI is an infrastructure that allows you to issue certificates with which you sign your binaries (among other things). You don't sign the source code.
You can create a separate certificate for every software release you have, however, I didn't see anybody use it this way and for that purpose.
Usually you enroll a few certificates and use them to sign all releases until they expire.
Even if a certificate does expire, it won't prevent from the customer keep using your software.
i am working on an iphone application which should decrypt a string encrypted by a public key generated by a JAVA program hosted in a remote server.
i was wondering if Iphone SDK Support RSA Encryption. If So how should i proceed to accomplish this task
Look in Docs. You can also try to use openssl for decrypting stuff: http://www.x2on.de/2010/07/13/tutorial-iphone-app-with-compiled-openssl-1-0-0a-library/
The security API's on iOS only seem to cover extracting certain parts of the certificate.
Has anyone used openSSL or asn1c to allow the retrieval of Extensions, Policies etc from the certificate bytes?
Yes, you can use openSSL to parse a certificate, but it is not a easy job, since the lack of openSSL iOS docs.
First, you need the openSSL lib for iOS, and use openSSL to generate x509 cert. Then use the method in the openSSL to try to parse it.
Here is an example of how to extract UPN from a certificate extension (I answered myself). It works fine by now. Other element is similar to fetch.