Java Forum / General / August 2006

fingerprint of a x.509 certificate

emrefan - 26 Aug 2006 02:22 GMT
While I realize that comp.lang.java.security is perhaps a more appropriate
newsgroup for my question, I think it isn't entirely inappropriate for
this one, so here I go. (I have posted on this in
comp.lang.java.security, but it appeared that it wasn't so popular a
newsgroup as I thought it was after all.)

My question is this: how to calculate the fingerprint of an X.509
certificate, programmatically in Java, that is. I have already tried
this below, but the result didn't look like what I
obtained otherwise (running "openssl x509 -noout -fingerprint -sha1 -in
<the cert file>"), so...

import java.io.FileInputStream;
import java.security.MessageDigest;
import javax.security.cert.X509Certificate; // deprecated class, but it is the one with getInstance(InputStream)

MessageDigest md = MessageDigest.getInstance( "SHA1" );   // "SHA-1" is the standard JCA name; "SHA1" is a Sun alias
X509Certificate cert = X509Certificate.getInstance( new FileInputStream( "somecert.crt" ) );
md.update( cert.getEncoded() );   // hash the DER encoding, the same bytes openssl hashes
byte[] fp = md.digest();

Please don't worry about not having the correct X509Certificate object
to do that digest operation on, because in the product code the same
object is obtained another way, and other operations on the cert
object have been successful.
Babu Kalakrishnan - 27 Aug 2006 09:14 GMT
> My question is this: how to calculate the fingerprint of an X.509
> certificate, programmatically in Java, that is. I have already tried
> this below, but the result didn't look like what I
> obtained otherwise (running "openssl x509 -noout -fingerprint -sha1 -in
> <the cert file>"), so...

> MessageDigest md = MessageDigest.getInstance( "SHA1" );
> X509Certificate cert = X509Certificate.getInstance( new
> FileInputStream( "somecert.crt" ) );
> md.update( cert.getEncoded() );
> byte[] fp = md.digest();

In my experience the above method of obtaining the fingerprint works
fine, and does give results that match openssl's output. How are
you comparing the two? Here's a utility routine that I use to dump the
fingerprint in a format that matches the output of openssl. Try using
this to dump the byte array "fp" and see if it matches.

public static char[] HEX_CHARS =
{'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
// Renders a digest as colon-separated upper-case hex, the way openssl prints fingerprints.
public static String dumpHex(byte[] data)
{
   int n = data.length;
   // n*3-1 is the exact output length; guard it so an empty array does not
   // ask StringBuffer for a negative capacity.
   StringBuffer sb = new StringBuffer(Math.max(0, n*3-1));
   for (int i=0; i < n; i++)
   {
       if (i > 0) sb.append(':');
       // mask after the shift: a Java byte is signed, so >> 4 sign-extends
       sb.append(HEX_CHARS[(data[i] >> 4) & 0x0F]);
       sb.append(HEX_CHARS[data[i] & 0x0F]);
   }
   return sb.toString();
}

BK
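A complete version of the approach Babu describes, added here as an example and not code from the thread. It uses java.security.cert.CertificateFactory instead of the deprecated javax.security.cert.X509Certificate the question used, hashes the DER encoding returned by getEncoded() (the same bytes openssl hashes for -fingerprint), prints the digest as openssl does (upper-case hex octets separated by colons), and adds a constant-time comparison against an expected fingerprint for pinning. The certificate path and the optional expected fingerprint are command-line arguments you supply; no sample certificate is embedded.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * X.509 fingerprints computed the way "openssl x509 -noout -fingerprint" does:
 * digest the certificate's DER encoding (never the PEM text), then render the
 * digest as colon-separated upper-case hex.
 */
public final class CertFingerprint {

    private static final char[] HEX_CHARS = "0123456789ABCDEF".toCharArray();

    private CertFingerprint() {}

    /** Loads a certificate from a PEM or DER file; CertificateFactory accepts both encodings. */
    public static X509Certificate load(String path) throws IOException, CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Raw fingerprint: the digest of the DER encoding. Use the standard JCA
     * names "SHA-1" / "SHA-256"; "SHA1" only works as a provider alias.
     */
    public static byte[] fingerprint(X509Certificate cert, String algorithm)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return md.digest(cert.getEncoded());
    }

    /**
     * Formats a digest as "AB:CD:...". Masking with 0x0F after the shift is
     * what stops the sign extension of Java's signed byte from corrupting the
     * high nibble; getting this rendering wrong is the bug in the question.
     */
    public static String toColonHex(byte[] data) {
        StringBuilder sb = new StringBuilder(Math.max(0, data.length * 3 - 1));
        for (int i = 0; i < data.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(HEX_CHARS[(data[i] >> 4) & 0x0F]);
            sb.append(HEX_CHARS[data[i] & 0x0F]);
        }
        return sb.toString();
    }

    /** Parses "AB:CD:..." (colons optional, either case) back into bytes. */
    public static byte[] fromHex(String text) {
        String hex = text.replace(":", "").trim();
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd number of hex digits");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /**
     * Pin check: MessageDigest.isEqual compares every byte instead of stopping
     * at the first mismatch, so the comparison time does not leak how much of
     * the expected value the caller got right.
     */
    public static boolean matchesPin(X509Certificate cert, String algorithm, String expectedHex)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        return MessageDigest.isEqual(fingerprint(cert, algorithm), fromHex(expectedHex));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CertFingerprint <cert.pem|cert.der> [expected SHA-256 fingerprint]");
            System.exit(2);
        }
        X509Certificate cert = load(args[0]);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-1 fingerprint:   " + toColonHex(fingerprint(cert, "SHA-1")));
        System.out.println("SHA-256 fingerprint: " + toColonHex(fingerprint(cert, "SHA-256")));
        if (args.length > 1) {
            boolean ok = matchesPin(cert, "SHA-256", args[1]);
            System.out.println("pin " + (ok ? "matches" : "DOES NOT MATCH"));
            System.exit(ok ? 0 : 1);
        }
    }
}
```

Cross-check the output against `openssl x509 -noout -fingerprint -sha1 -in cert.pem` and the same command with `-sha256`; the hex must match byte for byte, because both sides hash the identical DER bytes. SHA-1 fingerprints are still what many tools display for identification, but when the fingerprint is used as a pin, compare the SHA-256 one.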
Alex Artemiev - 27 Aug 2006 12:06 GMT
Try the KeyStore object. I think this is how "keytool" from Sun does it.

emrefan - 28 Aug 2006 10:40 GMT
Thanks to Babu for the answer! Yes indeed, I had the correct
fingerprint but was misprinting it. How silly! I was using a
left-pad-string function (lPad()) written by a colleague without close
examination. <blush>

public static String bytesToHexString( byte[] paBytes ) {

     StringBuffer sbRsltStr = new StringBuffer( paBytes.length * 3 );

     for (int aryNdx=0; aryNdx < paBytes.length; aryNdx++) {
         sbRsltStr.append(
            Integer.toHexString( lPad( paBytes[ aryNdx ] & 0xFF, 2, '0' ) ) );
     }

     return sbRsltStr.toString();
}

I think the way I called lPad() caused this definition of lPad() to be
matched:

    public static String lPad( String str, int length, char padChr )

And the automatic conversion from int to String was quite beyond my
expectation.
emrefan - 28 Aug 2006 11:00 GMT
Oops! Another mistake! It must be this below that I wrote (I corrected
the code and lost the bad version and I reconstructed it wrongly).

public static String bytesToHexString( byte[] paBytes ) {

     StringBuffer sbRsltStr = new StringBuffer( paBytes.length * 3 );

     for (int aryNdx=0; aryNdx < paBytes.length; aryNdx++) {
         sbRsltStr.append(
            lPad( Integer.toHexString( paBytes[ aryNdx ] & 0xFF ),
                  2, '0' ) );
     }

     return sbRsltStr.toString();
}

Anyway, I will have to restudy this thing carefully. Thanks for the
patience.
Babu Kalakrishnan - 28 Aug 2006 11:44 GMT
> Anyway, I will have to restudy this thing carefully. Thanks for the
> patience.

Well, it could also be that you used a "-sha" argument instead of
"-sha1" when running openssl (and could therefore have been comparing
two different hash values, SHA-0 vs. SHA-1). I got bitten by that one
once, before I realized that typical openssl implementations
found on Linux machines have SHA-0 compiled in, and the -sha option
gives the hash value using SHA-0 instead of the more common SHA-1. :-)

BK
emrefan - 29 Aug 2006 01:58 GMT
> Well, it could also be that you used a "-sha" argument instead of
> "-sha1" while running openssl. (and could therefore have been comparing
> two different Hash values - SHA-0 vs. SHA-1), I got bitten by that one
> once before (before I realized that typical openssl implementations
> found on linux machines have SHA-0 compiled in, and the -sha option
> gives the hash value using SHA-0 instead of the more common SHA-1 ) :-)

Nope, that was not the mistake. I had it correct and the fingerprint
was the same as what IE told me. All down to how I presented the
fingerprint in human readable form (well, sort of).

