I have a Root CA certificate and a User certificate that has been signed by the CA. Under Windows using Certutil or OpenSSL I can verify that the CA's signature on the User certificate signature is OK. Now I am trying to verify the same signature under Android.
I use Spongy Castle, though I am not sure that it is totally necessary for this step. I use ECDH 384-bit key pairs. The signature is "SHA384WITHECDSA". I can generate a self-signed certificate and verify its signature either by the certificate.verify method or by calculating the signature:
public static byte[] GenerateMyClientCertificate()
throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException
{
// Create the keys
KeyPairGenerator ClientkeyPair = KeyPairGenerator.getInstance("ECDH", "SC");
ECGenParameterSpec ecParamSpec2 = new ECGenParameterSpec("P-384");
ClientkeyPair.initialize(ecParamSpec2);
KeyPair clientKeyPair = ClientkeyPair.generateKeyPair();
PublicKey publicKey = clientKeyPair.getPublic();
PrivateKey privateKey = clientKeyPair.getPrivate();
X509Certificate x509cert = null;
byte[] derCert = null;
// generate the certificate
try {
x509cert = generateV3Certificate(clientKeyPair);
derCert = x509cert.getEncoded();
//Certificate test using verify:
x509cert.checkValidity(new Date());
x509cert.verify(x509cert.getPublicKey(), "SC"); //This cert is self-signed...
System.out.println("valid certificate generated");
//Another test: (verify not using cert.verify but rather calculating the signature)
Signature verifier = Signature.getInstance("SHA384WITHECDSA", "SC");
boolean result=false;
verifier.initVerify(x509cert.getPublicKey()); // This cert is self-signed
verifier.update(x509cert.getTBSCertificate()); //TBS is to get the "To Be Signed" part of the certificate - .getEncoded() gets the whole cert, which includes the signature
result = verifier.verify(x509cert.getSignature());
if (result == false)
{
System.out.println("signature validation failed");
}
//end of another verification
}
catch (Exception e)
{
//
}
return derCert;
} //GenerateMyClientCertificate
In the same way, I can check the CA certificate, which is also a self-signed certificate:
//Certificate validity test using verify: -- This seems to work well for self-signed certificates...
RootCaX509Cert.checkValidity(new Date());
RootCaX509Cert.verify(RootCaX509Cert.getPublicKey(), "SC"); //This cert is self-signed...
System.out.println("valid certificate generated");
//Another test: (verify not using cert.verify but rather calculating the signature)
Signature verifier = Signature.getInstance("SHA384WITHECDSA", "SC");
boolean result=false;
verifier.initVerify(RootCaX509Cert.getPublicKey()); // This cert is self-signed
verifier.update(RootCaX509Cert.getTBSCertificate()); //TBS is to get the "To Be Signed" part of the certificate - .getEncoded() gets the whole cert, which includes the signature
result = verifier.verify(RootCaX509Cert.getSignature());
if (result == false)
{
System.out.println("signature validation failed");
}
Now I want to check the User certificate, using the public key of the CA certificate. But neither of the above verify methods work:
//Certificate validity test using verify: -- This seems to work well for self-signed certificates...
ServerX509Cert.checkValidity(new Date());
ServerX509Cert.verify(RootCaX509Cert.getPublicKey(), "SC"); //This cert was signed by CA
System.out.println("valid certificate generated");
//Another test: (verify not using cert.verify but rather calculating the signature)
Signature verifier = Signature.getInstance("SHA384WITHECDSA", "SC");
boolean result=false;
verifier.initVerify(RootCaX509Cert.getPublicKey()); // This cert is signed by CA
verifier.update(ServerX509Cert.getTBSCertificate()); //TBS is to get the "To Be Signed" part of the certificate - .getEncoded() gets the whole cert, which includes the signature
result = verifier.verify(ServerX509Cert.getSignature());
if (result == false)
{
System.out.println("signature validation failed");
}
So currently I can only check self-signed certificates :( I would have thought that using RootCaX509Cert.getPublicKey() as the key here would have worked, but it does not. Maybe I misunderstand how this CA signature verification should be done?
