Re: JDK1.2 keytool

Hemma Prafullchandra (Hemma.Prafullchandra@Eng)
Thu, 13 Nov 1997 14:11:25 -0800 (PST)

To: java-security@web2.javasoft.com, todd@innovision.com

Hello Todd,

--> The second certificate (PEM below) fails. It is signed by
--> Open Financial Exchange CA, which is signed by a Verisign
--> root CA. This is not a PKCS #7 certificate, but a Subscriber
--> format.
-->
--> I am going to try to write an application using the X.509
--> classes to display certificate info. What are my chances
--> of working with these certificates signed with the OFX CA?
-->
I just managed to parse the certificate:

*** Certificate ***
[
[
Version: V3
Subject: CN=ofxjsdc.innovision.com, OU=OFX Products, O=Innovision Corporation,
L=Lenexa, S=Kansas, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

Key: algorithm = RSA, unparsed keybits =
0000: 30 81 89 02 81 81 00 C4 DE 3C BD D4 B3 45 90 21 0........<...E.!
0010: D4 F8 FA F2 6C 7B 29 2E 69 B7 7E 46 7E 0B E3 2B ....l.).i..F...+
0020: C5 0A 97 7C D5 9D 03 9A 29 87 23 1F B1 77 C0 79 ........).#..w.y
0030: 97 29 CA DF 8D D2 6A 4B 7A E2 D3 EC DC FE 6F CA .)....jKz.....o.
0040: D9 3A 0E FB 2B E6 88 DB 27 93 A7 2E A8 FD 37 B5 .:..+...'.....7.
0050: 58 39 8A 2F 51 1C DD F4 70 CA 3F D7 B0 AD 1F DC X9./Q...p.?.....
0060: 9E 45 5B 1F 25 5D BB 44 28 3A 69 53 BF B8 9B F5 .E[.%].D(:iS....
0070: 2B 5C 3D 2F 83 8E C1 E1 D9 A5 98 02 EF C6 CE 69 +\=/...........i
0080: EC 45 AC 8E 3E 94 AB 02 03 01 00 01 .E..>.......

Validity: [From: Wed Sep 24 17:00:00 PDT 1997,
To: Fri Sep 25 16:59:59 PDT 1998]
Issuer: OU="www.verisign.com/CPS Incorp. By Ref.,LIAB. LTD. (c) 97 VeriSign",
OU=Open Financial Exchange CA - Class 3, O=VeriSign Trust Network
SerialNumber: [ 7ff57a95 479f00c8 f2781b18 1d275483 ]
Extension[0] = ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
Extension[1] = ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
Extension[2] = ObjectId: 2.5.29.32 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 A7 30 80 30 80 06 0B 60 86 48 01 86 F8 45 ...0.0...`.H...E
0010: 01 07 01 01 30 80 30 28 06 08 2B 06 01 05 05 07 ....0.0(..+.....
0020: 02 01 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E ....https://www.
0030: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53 verisign.com/CPS
0040: 30 62 06 08 2B 06 01 05 05 07 02 02 30 56 30 15 0b..+.......0V0.
0050: 16 0E 56 65 72 69 53 69 67 6E 2C 20 49 6E 63 2E ..VeriSign, Inc.
0060: 30 03 02 01 01 1A 3D 56 65 72 69 53 69 67 6E 27 0.....=VeriSign'
0070: 73 20 43 50 53 20 69 6E 63 6F 72 70 2E 20 62 79 s CPS incorp. by
0080: 20 72 65 66 65 72 65 6E 63 65 20 6C 69 61 62 2E reference liab.
0090: 20 6C 74 64 2E 20 28 63 29 39 37 20 56 65 72 69 ltd. (c)97 Veri
00A0: 53 69 67 6E 00 00 00 00 00 00 Sign......

]
Algorithm: [MD5withRSA]
Signature:
0000: 54 F8 DE 37 32 54 7E 54 5A 3C 4E F8 10 F3 DD 14 T..72T.TZ<N.....
0010: D9 F4 94 E2 42 AA EA B8 14 C4 DF F5 FE 22 8F 4E ....B........".N
0020: EC 58 D8 FB 80 3D 9E 1A 0D 4F 06 D3 38 EE 9C 77 .X...=...O..8..w
0030: 45 32 92 C2 5A 29 D0 07 1F 91 13 84 FF E9 A9 16 E2..Z)..........
0040: EB 9A 52 8B A0 CB 1A 26 3B 05 C2 9F 6D CE 33 C6 ..R....&;...m.3.
0050: 94 49 D4 85 77 2E 4A 38 A9 AE 09 E2 8B 84 AE 66 .I..w.J8.......f
0060: F9 68 87 64 7B AF 58 1C CE 07 F0 75 1D 83 1D BA .h.d..X....u....
0070: C2 3C 8E 6E A7 9A D0 4D EA E5 5C 19 0A 1B 01 96 .<.n...M..\.....

]
*** End Certificate ***

What release are you working with?
A number of changes have been made recently, one may be significant
to you - in the past we always threw an exception on unrecognized/
unsupported extensions (e.g. 2.5.29.32 == certificatePolicies).
Now, we only throw an exception if the extension is also marked critical
(i.e., it is important to the validation process).
Also, I assume you have access to an RSA provider to be able to verify
the md5/rsa signatures.

Hope this helps,
Hemma
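
The extension-handling rule described in the message above (reject an unrecognized extension only when it is marked critical), as an added example that is not part of the original message or of the JDK. It walks a DER-encoded Extensions value; the function names, the SUPPORTED set and the sample bytes are all constructed for illustration, and reject_all_unknown=True models the older always-throw behaviour.

```python
SUPPORTED = {"2.5.29.19", "2.5.29.15"}  # assumed: basicConstraints, keyUsage

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def check_extensions(der, supported=SUPPORTED, reject_all_unknown=False):
    """Return the unrecognized OIDs that were ignored; raise on a fatal one."""
    _, seq, _ = read_tlv(der, 0)           # outer SEQUENCE OF Extension
    ignored, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        tag, val, _ = read_tlv(ext, p)     # BOOLEAN if present, else the OCTET STRING
        critical = tag == 0x01 and val != b"\x00"   # absent BOOLEAN means FALSE
        oid = decode_oid(oid_body)
        if oid not in supported:
            if critical or reject_all_unknown:
                raise ValueError(f"unsupported extension {oid} (critical={critical})")
            ignored.append(oid)
    return ignored

def make_ext(arc, value, critical=False):
    """Build a constructed Extension for OID 2.5.29.<arc> (short lengths only)."""
    body = (b"\x06\x03\x55\x1d" + bytes([arc]) + (b"\x01\x01\xff" if critical else b"")
            + b"\x04" + bytes([len(value)]) + value)
    return b"\x30" + bytes([len(body)]) + body

def sample(policies_critical):
    """Constructed input: the three OIDs from the dump above, placeholder values."""
    exts = (make_ext(0x13, b"\x30\x00") + make_ext(0x0F, b"\x03\x02\x05\xa0")
            + make_ext(0x20, b"\x30\x00", policies_critical))
    return b"\x30" + bytes([len(exts)]) + exts
```

With the non-critical certificatePolicies extension, check_extensions(sample(False)) returns the ignored OID; the same extension marked critical, or reject_all_unknown=True, raises ValueError.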