
I have an X509Certificate (version 1) instance in Java and I need to identify whether it is a CA certificate or a user certificate.

I tried this: How to check if X509Certificate is CA certificate?, but with the solutions provided there I could differentiate the certificates which have a certificateExtension (by utilising the getBasicConstraints() method and checking the keyCertSign flag in keyUsage, i.e. V3 certificates will have an extension field which V1 or V2 won't have):

boolean isCA = false;
if (x509Cert != null) {
    // getBasicConstraints() returns -1 when the certificate is not a CA,
    // which is also what it returns when the extension is absent (V1/V2 certs)
    isCA = x509Cert.getBasicConstraints() != -1;
}

But I have a few certificates that don't have the certificateExtension field in the X509Certificate instance (as they are V1 certificates), so I'm getting the isCA flag as false. Also, I tried decoding the certificate in online SSL decoders like https://certlogik.com/decoder/, where I am able to differentiate the certificate type!

Is there any other approach to programmatically find the type of a certificate that doesn't have a certificateExtension?

Sample CA cert:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

It's X509
[
[
  Version: V1
  Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 1024 bits
  modulus: 104674226241368487598835828377585222181792546532354327780214427055917513664449991602803276678454577364904540367827644455215731003386468752240014232146814457308076052176227490263634768927290191763858631579785604655038492469791381988347440106477066514204303723029602991655085187937840556671697442212352844587673
  public exponent: 65537
  Validity: [From: Thu Aug 13 05:59:00 IST 1998,
           To: Tue Aug 14 05:29:00 IST 2018]
  Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
  SerialNumber: [    01a5]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 6D EB 1B 09 E9 5E D9 51   DB 67 22 61 A4 2A 3C 48  m....^.Q.g"a.*<H
0010: 77 E3 A0 7C A6 DE 73 A2   14 03 85 3D FB AB 0E 30  w.....s....=...0
0020: C5 83 16 33 81 13 08 9E   7B 34 4E DF 40 C8 74 D7  ...3.....4N.@.t.
0030: B9 7D DC F4 76 55 7D 9B   63 54 18 E9 F0 EA F3 5C  ....vU..cT.....\
0040: B1 D9 8B 42 1E B9 C0 95   4E BA FA D5 E2 7C F5 68  ...B....N......h
0050: 61 BF 8E EC 05 97 5F 5B   B0 D7 A3 85 34 C4 24 A7  a....._[....4.$.
0060: 0D 0F 95 93 EF CB 94 D8   9E 1F 9D 5C 85 6D C7 AA  ...........\.m..
0070: AE 4F 1F 22 B5 CD 95 AD   BA A7 CC F9 AB 0B 7A 7F  .O."..........z.

]

When decoding the certificate file content, it is shown as a CA cert.

Thanks in advance!

asked by technaren
  • You're ignoring the other answers in the duplicate. – user207421 Mar 19 '15 at 10:11
  • @EJP All other answers are based on the certificateExtension field only, but my question is about checking a certificate that does not have a certificateExtension field. – technaren Mar 19 '15 at 10:25
  • For X.509 V1 certificates you cannot safely determine whether the certificate is an end-entity or a CA certificate. Depending on requirements, you can check the certificate version and explicitly assume it is a CA or not. Otherwise, rely on the Basic Constraints extension. – Crypt32 Mar 19 '15 at 11:18
  • @technaren As I read those answers, and the RFC cited there, a certificate without that extension can't be a CA certificate. Do you have some evidence to the contrary? – user207421 Mar 19 '15 at 11:41
  • @CryptoGuy Thanks. Is there any other way to find it out rather than by assumption? Online SSL decoders were able to differentiate the category? – technaren Mar 19 '15 at 11:45
  • No, it is one of the fundamental limitations of X.509 V1 certificates and no workaround exists for V1 certs. "online ssl decoders were able to differentiate the category?" -- no, they weren't. – Crypt32 Mar 19 '15 at 11:49
  • "As I read those answers, and the RFC cited there, a certificate without that extension can't be a CA certificate." That is related to X.509 V3 certificates. Absence of the Basic Constraints extension in an X.509 V3 cert means an end-entity certificate. – Crypt32 Mar 19 '15 at 11:52
  • @CryptoGuy I've just posted a sample certificate and the online SSL decoder result. – technaren Mar 19 '15 at 12:04
  • I can't read the image. It is too small. – Crypt32 Mar 19 '15 at 13:13
  • As I said, with V1 certificates it is impossible to determine whether the certificate is a CA cert or end-entity. Some applications may assume it is a CA cert, others may assume end-entity, and it depends on each particular application. Of course, you can use some sort of complex heuristics, a known CA database, etc., but it doesn't guarantee anything. – Crypt32 Mar 19 '15 at 13:22
  • @CryptoGuy But I badly need to differentiate it for our application; anyway, thanks for your efforts. – technaren Mar 20 '15 at 05:37
  • @EJP Like CryptoGuy, that deals with the V3 type of certificates, and my question was all about V1. – technaren Mar 20 '15 at 05:37
  • The code is `((X509CertImpl) x509).getBasicConstraintsExtension().get("is_ca")` but uses an internal API which is removed in newer Java versions. BouncyCastle may be required. – tresf Jan 25 '19 at 02:20
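The following is an added example, not code from the question, the comments, or the JDK documentation. It does with public `java.security.cert` APIs what the question's snippet and the last comment's internal `X509CertImpl` call attempt: for V3 certificates it combines Basic Constraints with the keyCertSign bit of Key Usage, and for V1/V2 certificates it reports that the CA/end-entity distinction is not encoded at all, exposing only a self-signed check as an explicitly labelled heuristic (which is roughly what an online decoder shows as "root CA"). The class name `CaCheck`, the enum `CertKind`, the methods `classify()` and `looksSelfSigned()`, and the command-line usage are this example's own assumptions; it reads the PEM or DER file passed as its single argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (not from the question or any answer). Uses only public JDK
// APIs; class, enum and method names here are this example's own choices.
public final class CaCheck {

    /** Outcome of the check. For V1/V2 certificates the honest answer is "unknown". */
    public enum CertKind { CA, END_ENTITY, UNKNOWN_NO_EXTENSIONS }

    /**
     * V3 certificates can carry Basic Constraints; getBasicConstraints() returns -1
     * when the certificate is not a CA, and also when the extension is absent
     * (for V3 that means end-entity). V1/V2 certificates cannot carry extensions,
     * so CA-ness is simply not encoded in them and we refuse to guess.
     */
    public static CertKind classify(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            return CertKind.UNKNOWN_NO_EXTENSIONS;
        }
        boolean caFlag = cert.getBasicConstraints() != -1;
        boolean[] keyUsage = cert.getKeyUsage();          // null when the extension is absent
        boolean keyCertSign = keyUsage != null && keyUsage.length > 5 && keyUsage[5];
        // RFC 5280: a CA cert must assert cA in Basic Constraints, and if Key Usage
        // is present it must also assert keyCertSign. Treat any mismatch as not-CA.
        if (caFlag && (keyUsage == null || keyCertSign)) {
            return CertKind.CA;
        }
        return CertKind.END_ENTITY;
    }

    /**
     * Heuristic only: a certificate whose issuer equals its subject and whose
     * signature verifies under its own public key is self-signed, which is what
     * decoders typically label a "root CA". It says nothing about how the key was
     * actually used, so it must not be the sole basis for a trust decision.
     */
    public static boolean looksSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            // Bad signature, or an algorithm the runtime refuses (e.g. MD5withRSA
            // on a hardened JDK): either way we cannot confirm self-signature.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CaCheck <cert.pem|cert.der>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            CertKind kind = classify(cert);
            System.out.println("version        : V" + cert.getVersion());
            System.out.println("subject        : " + cert.getSubjectX500Principal());
            System.out.println("classification : " + kind);
            if (kind == CertKind.UNKNOWN_NO_EXTENSIONS) {
                System.out.println("self-signed    : " + looksSelfSigned(cert)
                        + " (heuristic; V1/V2 certs do not encode CA-ness)");
            }
        }
    }
}
```

Run it against the V1 root from the question and it prints `UNKNOWN_NO_EXTENSIONS` with `self-signed : true`; the separation of the two outputs is deliberate, so that a caller can decide per application (as Crypt32's comment describes) whether a self-signed V1 certificate should be treated as a CA, rather than having that policy hidden inside a boolean that looks authoritative.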
