Introduction
This week we had a really nice challenge. Like most companies, we use certificates; they help us keep our connections secure. The downside of certificates is that they need to be renewed now and then. It is easy to notice an expired certificate by the undesirable behaviour of the connection, but if that happens you are already too late. To stay ahead of this, we decided to do a check-up on this particular certificate.
The solution
To start off, you need an object of the type Certificate. In this case I start with a certificate that needs to be read from disk:
// imports needed by the fragment below
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

// creating the date object outside the scope of the try so we can return it later.
Date notAfter = null;
try {
    // Take the file from disk as an InputStream, using the classloader for this.
    // (getResourceAsStream returns null when the resource is missing; the
    // factory then rejects the missing stream with a CertificateException.)
    InputStream inputStream = this.getClass().getClassLoader()
            .getResourceAsStream("testCertificate/testCertificate.pem");
    // getting the CertificateFactory of the type X.509
    // (X509Certificate is the only subclass of Certificate in the JDK)
    CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    Certificate certificate = certFactory.generateCertificate(inputStream);
    // setting up the keystore with the default type. You can also use
    // getInstance(String type, Provider provider) or getInstance(String type, String provider).
    // Type could be pkcs12 or jks; these are archive file formats for storing many
    // cryptography objects in a single file. Provider could be SUN or BC (Bouncy Castle).
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    // initializing the keystore with null (an empty keystore). This must happen before
    // setCertificateEntry: an uninitialized keystore throws a KeyStoreException.
    keyStore.load(null);
    // adding the certificate to the keystore with an alias
    keyStore.setCertificateEntry("alias", certificate);
    // checking if the keystore has an alias and retrieving the first one
    // (we only have one). If you know the alias you can lose this piece of code.
    Enumeration<String> aliases = keyStore.aliases();
    if (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        // cast it to X509Certificate, which has the getNotAfter method;
        // Certificate doesn't have that.
        X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(alias);
        // assigning the date to the end date of the certificate.
        notAfter = x509Certificate.getNotAfter();
    }
} catch (KeyStoreException ke) {
    log.error("could not read keystore or certificate", ke);
} catch (CertificateException ce) {
    log.error("no certificate in keystore", ce);
} catch (NoSuchAlgorithmException nse) {
    log.error("wrong algorithm for certificate.", nse);
} catch (IOException ioe) {
    log.error("could not read certificate.", ioe);
}
// returning the end date.
return notAfter;
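As an added example (not code from this post), here is the same expiry check without the keystore detour: CertificateFactory already hands back X509Certificate objects, so getNotAfter can be read directly. It goes a little beyond the single-certificate case above by reading a whole PEM bundle from a path given on the command line; the 30-day warning threshold, the class name and the exit codes are assumptions for a monitoring job.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collection;

/** Reports how many days each certificate in a PEM file has left and fails
 *  the run when one is within WARN_DAYS of expiry (hypothetical check). */
public class CertExpiryCheck {
    // Assumed warning threshold; tune it to your renewal lead time.
    static final long WARN_DAYS = 30;

    /** Returns whole days until notAfter; negative when already expired. */
    static long daysLeft(X509Certificate cert, Instant now) {
        return Duration.between(now, cert.getNotAfter().toInstant()).toDays();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertExpiryCheck <certificate-or-bundle.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = new FileInputStream(args[0])) {
            // generateCertificates parses a bundle (leaf plus chain) as well as a single cert
            certs = cf.generateCertificates(in);
        }
        Instant now = Instant.now();
        int worst = 0; // 0 ok, 1 expiring within WARN_DAYS, 2 already expired
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            long days = daysLeft(x, now);
            String status = days < 0 ? "EXPIRED" : days <= WARN_DAYS ? "EXPIRING" : "ok";
            System.out.printf("%-8s %5d days  %s%n", status, days, x.getSubjectX500Principal());
            if (days < 0) {
                worst = Math.max(worst, 2);
            } else if (days <= WARN_DAYS) {
                worst = Math.max(worst, 1);
            }
        }
        // a non-zero exit code lets a cron job or monitoring agent raise the alert
        System.exit(worst);
    }
}
```

Note that parsing does not validate the certificate: an expired one is still returned, which is exactly what makes this check possible.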
Conclusion
Understanding what is happening in this particular piece of code requires some time and dedication. The fun part starts when you understand it. I still enjoy the moments where I crack a case like this and understand why it needs to be done this way. I hope you enjoy it too.
Have fun!