manual certificate use or verification
843811 Mar 21 2007 — edited Mar 23 2007

Hi,
My company has C code that connects to a server over HTTPS using the OpenSSL libraries. In this code, I can specify the filename of a root CA certificate that lives on the client, and if the web server responds with a certificate signed by that root CA, the connection succeeds. I'm trying to do the same thing in Java but having a lot of trouble. I dug through the Apache HttpClient docs and didn't really see a way to do this. I thought maybe I could get the cert back from the server after handshaking and verify it against the root CA cert I had on the file system. To try this I wrote code that lets the connection establish using the EasySSLProtocolSocketFactory class discussed in the HttpClient SSL guide at http://jakarta.apache.org/commons/httpclient/sslguide.html.
Doing this, I can see the details of the returned certificate by getting the SSLSession from the socket, but I can't figure out a way to verify that this certificate was signed with the X509Certificate instance I load from the file that contains the root CA certificate. I thought that there would be a certificate chain returned when I called SSLSession.getPeerCertificateChain() that I could use to walk up to the root CA cert, which would be the same as the cert I load from the file system, but there is only one cert in the array, which is the one that was signed with the root CA cert, not the root CA cert itself. How can I get to the root CA cert so I can compare its public key to the cert I load from the file system?
Thanks,
Scott
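The following is an added example, not code from the original post or from Apache HttpClient, showing the two standard JSSE ways of doing what the OpenSSL root CA file option does: loading a root CA certificate from disk into an in-memory trust store so the TLS handshake itself only accepts chains leading to that CA, and separately running PKIX validation on a chain already received from the peer. A chain containing only the server's leaf certificate is not an obstacle for either approach, because the leaf's issuer is the root held in the trust store. The file name `root-ca.pem`, the host `example.com` and the class and method names are assumptions for illustration. Plain `HttpsURLConnection` is used because it is in the JDK; the same `SSLContext` can be handed to any socket factory.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedRootCaClient {

    // Hypothetical values: replace with your own root CA file and server.
    private static final String ROOT_CA_FILE = "root-ca.pem";
    private static final String SERVER_URL = "https://example.com/";

    /** Load a single PEM or DER encoded X.509 certificate from disk. */
    static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Build an SSLContext whose only trust anchor is the given root CA.
     * The handshake then fails for any server whose chain does not lead to
     * this CA, which is what the OpenSSL root CA file option achieves.
     */
    static SSLContext contextTrustingOnly(X509Certificate rootCa) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                  // empty, in-memory store
        trustStore.setCertificateEntry("root-ca", rootCa);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no client cert, default RNG
        return ctx;
    }

    /**
     * Manual check of a chain already received from a peer (for example from
     * SSLSession.getPeerCertificates()) against the root CA. PKIX validation
     * checks the signature, validity period, issuer/subject chaining and CA
     * constraints, which is stronger than comparing public keys by hand.
     */
    static void validateAgainstRoot(Certificate[] peerChain, X509Certificate rootCa)
            throws Exception {
        // Leaf first, as the peer presented it; drop the root itself if the
        // server happened to include it, since it is supplied as the anchor.
        List<Certificate> path = new ArrayList<>();
        for (Certificate c : peerChain) {
            if (!c.equals(rootCa)) {
                path.add(c);
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(path);

        TrustAnchor anchor = new TrustAnchor(rootCa, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(false);   // no CRL/OCSP source configured here

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, params); // throws CertPathValidatorException on failure
    }

    public static void main(String[] args) throws Exception {
        X509Certificate rootCa = loadCertificate(ROOT_CA_FILE);

        HttpsURLConnection conn =
            (HttpsURLConnection) new URL(SERVER_URL).openConnection();
        conn.setSSLSocketFactory(contextTrustingOnly(rootCa).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());   // handshake happens here

        // Re-run the check on the chain the server actually presented.
        validateAgainstRoot(conn.getServerCertificates(), rootCa);
        System.out.println("Chain validates against "
            + rootCa.getSubjectX500Principal());
    }
}
```

Two points worth keeping in mind. `HttpsURLConnection` verifies that the certificate's name matches the host by default; a raw `SSLSocket` does not, so code that opens sockets directly must also enable endpoint identification (on Java 7 and later, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")`), otherwise any certificate issued by the trusted CA would be accepted for any host. And comparing only the root's public key, as the question proposes, would skip the validity period and the CA constraints that PKIX validation checks, so letting the trust manager or `CertPathValidator` do the work is the safer route.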