Java Forum / Security / August 2006

how to calculate the fingerprint of an x.509 certificate?

emrefan - 23 Aug 2006 05:50 GMT
I wonder if anybody here can enlighten me as to how to calculate the
fingerprint of an x.509 certificate, programmatically in java, that is.
I have already tried this below but the result didn't look like what I
obtained otherwise (running "openssl x509 -noout -fingerprint -sha1 -in
<the cert file>"), so...

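MessageDigest md = MessageDigest.getInstance( "SHA1" );
// parse the certificate from the file
X509Certificate cert = X509Certificate.getInstance( new FileInputStream( "somecert.crt" ) );
// the fingerprint is the digest of the certificate's encoded form
md.update( cert.getEncoded() );
byte[] fp = md.digest();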
Karl Scheibelhofer - 25 Aug 2006 14:17 GMT
your java-code is correct for calculating the SHA-1 fingerprint. (note if
you use toolkits like IAIK-JCE, the X.509 certificate class contains a
getFingerprint(String algorithm) method where the application can specify
the digest algorithm)
assuming that your certificate is in binary DER format, you have to use the
additional option "-inform DER" for openssl. then you should get the same
fingerprint.

regards

 Karl Scheibelhofer

--

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.tugraz.at>
Institute for Applied Information Processing and Communications (IAIK)
at Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria
http://www.iaik.tugraz.at and http://jce.iaik.tugraz.at/

>I wonder if anybody here can enlighten me as to how to calculate the
> fingerprint of an x.509 certificate, programmatically in java, that is.
[quoted text clipped - 7 lines]
> md.update( cert.getEncoded() );
> byte[] fp = md.digest();
emrefan - 26 Aug 2006 02:14 GMT
> your java-code is correct for calculating the SHA-1 fingerprint. (note if
> you use toolkits like IAIK-JCE, the X.509 certificate class contains a
[quoted text clipped - 3 lines]
> additional option "-inform DER" for openssl. then you should get the same
> fingerprint.

Thanks Karl for answering. Unfortunately the code (well, it's similar to
what I posted) did NOT give the same result as what I obtained by that
openssl command or by viewing it in IE after I've imported the cert.
And there needn't be worries about the cert being of wrong format or
can't be loaded into memory (and indeed made into a java object)
because in the production code, the cert object is a client cert
obtained by a servlet after the client has obtained access to the
servlet (and it requires a client cert) and a myriad of other
operations have been done with that cert (all with success, of course).
Karl Scheibelhofer - 28 Aug 2006 07:36 GMT
is that the only certificate that causes such problems or do other
certificates also cause the same problem?

you may try a different JCA/JCE provider in Java for parsing the certificate
and getting the fingerprint, e.g. the IAIK-JCE provider.

X509Certificate cert = X509Certificate.getInstance(new FileInputStream("somecert.crt"), "IAIK");

you may also simply try a different Java version. you may also send me the
certificate. then i can have a look at it. maybe it is encoded incorrectly.

regards

 Karl Scheibelhofer

--

Karl Scheibelhofer, <mailto:Karl.Scheibelhofer@iaik.tugraz.at>
Institute for Applied Information Processing and Communications (IAIK)
at Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria
http://www.iaik.tugraz.at and http://jce.iaik.tugraz.at/

>> your java-code is correct for calculating the SHA-1 fingerprint. (note if
>> you use toolkits like IAIK-JCE, the X.509 certificate class contains a
[quoted text clipped - 14 lines]
> servlet (and it requires a client cert) and a myriad of other
> operations have been done with that cert (all with success, of course).
emrefan - 31 Aug 2006 06:53 GMT
Thanks Karl for your kind offer. But after posting to
comp.lang.java.programmer and getting help from there, it's now
determined that I did have the correct fingerprint but was printing it
out incorrectly - a string padding function written by a colleague that
I used was causing the trouble - it would just eat one char on the
right if the string handed to it was actually of the right length. :)

> is that the only certificate that causes such problems or do other
> certificates also cause the same problem?
[quoted text clipped - 37 lines]
> > servlet (and it requires a client cert) and a myriad of other
> > operations have been done with that cert (all with success, of course).
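
The thread's conclusion, as an added example that is not code from any poster: the digest over the DER encoding was right and the hex printing was at fault, so this sketch formats each byte as two zero-padded hex digits and checks the output length. It uses java.security.cert.CertificateFactory rather than the javax.security.cert class in the original post; the class name CertFingerprint and the helper names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CertFingerprint {

    // Digest the certificate's DER encoding; this is the value openssl -fingerprint reports.
    static byte[] fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
    }

    // Uppercase hex, exactly two digits per byte, colon separated.
    static String toColonHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            // Mask to 0..255 (Java bytes are signed) and keep the leading zero.
            sb.append(String.format("%02X", digest[i] & 0xFF));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bytes (not a real digest): leading-zero and high-bit values.
        byte[] sample = {0x00, 0x0A, (byte) 0x80, (byte) 0xFF, 0x7F};
        String s = toColonHex(sample);
        if (!s.equals("00:0A:80:FF:7F")) throw new AssertionError(s);

        if (args.length == 1) { // args[0]: path to a PEM or DER certificate (caller-supplied)
            X509Certificate cert;
            try (InputStream in = new FileInputStream(args[0])) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(in);
            }
            String fp = toColonHex(fingerprint(cert, "SHA-1"));
            // SHA-1 is 20 bytes: 40 hex digits + 19 colons. A shorter string means
            // the formatting step dropped characters, not that the digest is wrong.
            if (fp.length() != 59) throw new AssertionError("truncated: " + fp);
            System.out.println(fp);
        }
    }
}
```

Passing "SHA-256" as the algorithm gives the fingerprint that corresponds to openssl's -sha256 option; the length check then expects 95 characters.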

