How to check if X509Certificate is CA certificate?

Submitted by 北慕城南 on 2019-11-29 02:34:15

Question


I have a X509Certificate instance in Java and I need to identify if it is a CA certificate or user certificate.

Can anyone provide any help?

Thanks in advance!


Answer 1:


According to research I have performed, it can be checked by checking the basic constraints! Check the API documentation for the return values of the getBasicConstraints() method.

So if the method returns a result != -1, the certificate can be considered a CA certificate.

I have checked this with several CA certificates (root and intermediate), and it works as described. I have also checked this method with several user certificates, and the method returns -1 as result.




Answer 2:


X509Certificate.getKeyUsage() javadoc:

gets a boolean array representing bits of the KeyUsage extension, (OID = 2.5.29.15). The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. The ASN.1 definition for this is:

          KeyUsage ::= BIT STRING {
              digitalSignature        (0),
              nonRepudiation          (1),
              keyEncipherment         (2),
              dataEncipherment        (3),
              keyAgreement            (4),
              keyCertSign             (5),  --> true ONLY for CAs
              cRLSign                 (6),
              encipherOnly            (7),
              decipherOnly            (8) }

A certificate can be checked as follows:

import java.security.cert.X509Certificate;

X509Certificate cert = ...;
boolean[] keyUsage = cert.getKeyUsage();
// getKeyUsage() returns null when the certificate carries no KeyUsage extension,
// so the array must be checked before bit 5 (keyCertSign) is read.
if (keyUsage != null && keyUsage.length > 5 && keyUsage[5]) {
    // CA certificate (keyCertSign asserted)
}
else {
    // User certificate
}



Answer 3:


A Root CA will be a self-signed certificate with the keyCertSign flag enabled. In most scenarios the common name may include the word CA for convenience. An intermediate CA certificate may be signed by a Root CA (or another Intermediate!). Your browser key store will have examples of commonly trusted CA certificates.

From The Internet Engineering Task Force

    The keyCertSign bit is asserted when the subject public key is used for verifying a signature on certificates. This bit may only be asserted in CA certificates.

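As an added worked example (not code from the question or from any of the answers above), the checks from Answers 1 to 3 combined into one Java utility: Basic Constraints decides CA versus end-entity, Key Usage must agree when it is present, and a verifiable self-signature separates a root CA from an intermediate. The class name CaCheck and the command-line argument holding a certificate file path are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class CaCheck {

    /** Index of the keyCertSign bit in the array returned by getKeyUsage(). */
    private static final int KEY_CERT_SIGN = 5;

    /**
     * Treat a certificate as a CA certificate only if Basic Constraints says cA=TRUE
     * (getBasicConstraints() != -1) and, when a Key Usage extension is present, the
     * keyCertSign bit is set (RFC 5280 sections 4.2.1.3 and 4.2.1.9). Either extension
     * may be absent, so the -1 and null cases are handled instead of indexing blindly.
     */
    static boolean isCaCertificate(X509Certificate cert) {
        int pathLen = cert.getBasicConstraints();   // -1: not a CA, or extension absent
        if (pathLen == -1) {
            return false;
        }
        boolean[] keyUsage = cert.getKeyUsage();    // null: no KeyUsage extension
        if (keyUsage == null) {
            return true;                            // cA=TRUE alone is sufficient
        }
        return keyUsage.length > KEY_CERT_SIGN && keyUsage[KEY_CERT_SIGN];
    }

    /** A root CA is self-signed: its own public key verifies its signature. */
    static boolean isSelfSigned(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {                     // bad signature or key mismatch
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: args[0] is the path to a DER- or PEM-encoded certificate file.
        try (InputStream in = new FileInputStream(args[0])) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            String kind = !isCaCertificate(cert) ? "end-entity certificate"
                    : isSelfSigned(cert) ? "root CA certificate (self-signed)"
                    : "intermediate CA certificate";
            System.out.println(cert.getSubjectX500Principal() + ": " + kind);
            // Integer.MAX_VALUE means cA=TRUE with no pathLenConstraint.
            if (isCaCertificate(cert) && cert.getBasicConstraints() != Integer.MAX_VALUE) {
                System.out.println("  pathLenConstraint = " + cert.getBasicConstraints());
            }
        }
    }
}
```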

Source: https://stackoverflow.com/questions/12092457/how-to-check-if-x509certificate-is-ca-certificate
