
How does my Java application get a public key, for example for the Google or Facebook domains, WITHOUT THE NEED to add their .cer files to the cacerts keystore?

I suspect that the reason is that such domains use a well-known Certification Authority, CA, that may already be in the Java cacerts keystore file (depending on the Java version? I tried to see if there are certificates with validity up to 2030-2040, or I'm wrong in my theory). But if I guess correctly, then where are the public keys from these domains stored? I would like an expert opinion on this matter.

  • It gets the certificate from the server when requesting an HTTPS website. – tkausl Jan 23 '23 at 05:52
  • @tkausl: that's technically correct, but it **trusts** the certificates it gets from the server, because they are signed by the well-known CAs. – Joachim Sauer Jan 23 '23 at 15:01

1 Answer


You are correct: if a cert provided by a server is not signed by a recognised CA, then the cert that signed the provided cert needs to be added to CACERTS. By recognised CA I mean one that is in the CACERTS of the default Java install.

Strictly speaking it's a bit more complicated. A cert will be trusted if its signing path (signed-by, signed-by, ...) can be traced back, through the cert chain provided by the server, to one in CACERTS.

The public keys are part of the certs. If you want to see all the public keys in CACERTS, run the following from your JAVA_HOME with bin on the path:

keytool -list -rfc -keystore jre/lib/security/cacerts

The password is changeit.

This will give you lots of output that will include the actual certs, e.g.:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then use a site like this to inspect the public key; it is under 'RAW OUTPUT':

    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (1024 bit)
            Modulus:
                00:d6:2b:58:78:61:45:86:53:ea:34:7b:51:9c:ed:
                b0:e6:2e:18:0e:fe:e0:5f:a8:27:d3:b4:c9:e0:7c:
                59:4e:16:0e:73:54:60:c1:7f:f6:9f:2e:e9:3a:85:
                24:15:3c:db:47:04:63:c3:9e:c4:94:1a:5a:df:4c:
                7a:f3:d9:43:1d:3c:10:7a:79:25:db:90:fe:f0:51:
                e7:30:d6:41:00:fd:9f:28:df:79:be:94:bb:9d:b6:
                14:e3:23:85:d7:a9:41:e0:4c:a4:79:b0:2b:1a:8b:
                f2:f8:3b:8a:3e:45:ac:71:92:00:b4:90:41:98:fb:
                5f:ed:fa:b7:2e:8a:f8:88:37
            Exponent: 65537 (0x10001)
– John Williams
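The following Java program is an added illustration of the mechanism the answer describes; it is not code from the question or the answer. It shows the two halves of the story from inside a Java application: the trust anchors that JSSE loads from the default trust store without any .cer import (that is where the CA certificates, and hence the CA public keys, live), and the certificate chain a server sends during the TLS handshake (that is where the domain's own public key comes from; it is never stored in cacerts). The class name TrustChainDemo, the use of port 443 and the hostname taken from the command line are the example's own choices. With no argument it only lists the anchors and needs no network; with a hostname it also performs a handshake against that host.

```java
import java.io.IOException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the original answer): where Java's trust anchors come from
 * and where a server's public key comes from.
 *
 *   java TrustChainDemo                  lists the roots the default trust store supplies (offline)
 *   java TrustChainDemo www.example.com  also handshakes with that host on 443 and prints the
 *                                        chain it presented, the leaf public key and the anchor
 *
 * The hostname is whatever is passed on the command line; nothing here is tied to one site.
 */
public class TrustChainDemo {

    /** The JDK's default X509TrustManager, backed by cacerts (or javax.net.ssl.trustStore if set). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JDK default trust store; no .cer import needed
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager in the default factory");
    }

    static String describe(X509Certificate cert) {
        PublicKey pk = cert.getPublicKey();
        return cert.getSubjectX500Principal().getName()
                + " [" + pk.getAlgorithm() + ", notAfter=" + cert.getNotAfter() + "]";
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = defaultTrustManager();
        X509Certificate[] roots = tm.getAcceptedIssuers();
        System.out.println(roots.length + " trust anchors loaded from the default trust store:");
        for (X509Certificate root : roots) {
            System.out.println("  " + describe(root));
        }
        if (args.length == 0) {
            return;
        }

        String host = args[0];
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
            // A raw SSLSocket does not verify the hostname unless asked; HttpsURLConnection does.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // JSSE runs checkServerTrusted against the default trust store inside startHandshake().
            socket.startHandshake();

            // The server sent its certificate (and usually the intermediates) in the handshake.
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate[] x509Chain = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
            System.out.println("\nChain presented by " + host + " (leaf first):");
            for (X509Certificate c : x509Chain) {
                System.out.println("  " + describe(c));
                System.out.println("    issued by " + c.getIssuerX500Principal().getName());
            }

            // The leaf's public key is what the connection actually uses; it was never in cacerts.
            PublicKey leafKey = x509Chain[0].getPublicKey();
            System.out.println("\nLeaf public key (" + leafKey.getAlgorithm() + ", "
                    + leafKey.getFormat() + "):");
            System.out.println("  " + Base64.getEncoder().encodeToString(leafKey.getEncoded()));

            // Repeat the trust decision explicitly so its outcome is visible. "UNKNOWN" is the
            // authType SunJSSE itself passes for TLS 1.3, where the key exchange carries no hint.
            tm.checkServerTrusted(x509Chain, "UNKNOWN");
            X509Certificate top = x509Chain[x509Chain.length - 1];
            for (X509Certificate root : roots) {
                if (root.equals(top)
                        || root.getSubjectX500Principal().equals(top.getIssuerX500Principal())) {
                    System.out.println("\nAnchored by trust-store entry: " + describe(root));
                }
            }
        } catch (CertificateException e) {
            System.out.println("Chain rejected by the default trust store: " + e.getMessage());
        } catch (IOException e) {
            // An untrusted chain surfaces here as an SSLHandshakeException wrapping the PKIX error.
            System.out.println("Handshake with " + host + " failed: " + e);
        }
    }
}
```

Two practical notes on the keytool command above. The jre/lib/security/cacerts path applies to JDK 8 and earlier; from JDK 9 on there is no jre directory, the file is at $JAVA_HOME/lib/security/cacerts, and keytool accepts `-cacerts` in place of `-keystore <path>`. Also, if the application is started with -Djavax.net.ssl.trustStore=..., the TrustManagerFactory in the example (and every JSSE connection) uses that keystore instead of cacerts, which is the usual way to trust a private CA without editing the JDK's own file.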