Question

Am I able to extract certificate chain information from a CA-signed X509 client certificate using Android or BouncyCastle libs?

I have an Android client that receives a CA-signed X509 certificate from a trusted server. I want to save the signed client certificate and my private key to a PKCS12 (.p12) file. I am currently doing this by creating a KeyStore object and adding the certificate and private key. When I add the client PrivateKey with the KeyStore.setKeyEntry() method, a Certificate[] chain is the last argument, which currently only contains the client certificate. Will this prevent my certificate from being verifiable because I don't have the CA certificate in the Certificate[] chain? And if yes, is it possible to populate a certificate chain with information extracted from the signed X509Certificate?

Most examples seem to load the CA chain from a PEM file, BKS trust store, or already have access to a list of certificates.

Here is what I have:

    import android.content.Context;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;

    // Runs inside an Activity (or other Context subclass): openFileOutput() comes from Context.
    void saveCredentials(X509Certificate cert,   // signed client cert
                         PrivateKey pkey,        // client private key
                         String password) throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("PKCS12", "BC");
        store.load(null, null);

        // adding the signed cert
        store.setCertificateEntry("Client certificate", cert);

        // creating the cert chain
        X509Certificate[] chain = new X509Certificate[1];
        chain[0] = cert;
        // add rest of the certs in the chain here

        // adding the private key
        store.setKeyEntry("Client private key", pkey, password.toCharArray(), chain);

        FileOutputStream fos = openFileOutput("clientCredentials.p12", Context.MODE_PRIVATE);
        try {
            store.store(fos, password.toCharArray());
            fos.flush();
        } finally {
            fos.close();
        }
    }

Thanks in advance!


Solution

The CA certificate(s) are not included in your signed certificate. You have to get them from somewhere (pre-install, download from trusted server, etc.). As for not installing the full chain, if the verifier already has access to necessary CA certificates, they can always verify your end entity certificate. How do you intend to use your key and certificate?

BTW, your call to setCertificateEntry() creates a trusted certificate entry which is probably not what you want with an end entity certificate.
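As an added illustration of the answer's two points (this is example code, not part of the original question or answer), the helper below assumes the CA certificates have already been obtained from somewhere else, as the answer says they must be, and then assembles the chain by walking issuer links and checking each candidate's key actually verifies the signature on the certificate below it. It stores the key with that full chain in a single key entry and creates no trusted-certificate entry for the end-entity certificate. The class and method names are made up for the example, and it uses the platform's default "PKCS12" KeyStore provider rather than the "BC" provider named in the question.

```java
import java.io.ByteArrayOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Example helper: builds a full chain for an end-entity cert from separately obtained CA certs. */
public final class ChainBuilder {

    /** Upper bound on chain depth; guards against a malformed candidate set that loops. */
    private static final int MAX_CHAIN_LENGTH = 10;

    /**
     * Walks from the end-entity certificate up to a self-signed root. At each step the chosen
     * issuer must have a subject equal to the current issuer name AND a public key that verifies
     * the current certificate's signature; a name match alone is not enough, because cross-signed
     * CAs can share a subject name with different keys. Returns the chain leaf-first, which is the
     * order KeyStore.setKeyEntry() expects.
     */
    public static X509Certificate[] buildChain(X509Certificate leaf,
                                               Collection<X509Certificate> candidates)
            throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        while (!isSelfSigned(current)) {
            if (chain.size() >= MAX_CHAIN_LENGTH) {
                throw new GeneralSecurityException("chain longer than " + MAX_CHAIN_LENGTH);
            }
            X509Certificate issuer = null;
            for (X509Certificate c : candidates) {
                if (!c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    continue;
                }
                try {
                    current.verify(c.getPublicKey());   // throws if this key did not sign 'current'
                    issuer = c;
                    break;
                } catch (GeneralSecurityException sameNameWrongKey) {
                    // keep looking: another candidate may carry the right key
                }
            }
            if (issuer == null) {
                throw new GeneralSecurityException(
                        "no issuer found for " + current.getSubjectX500Principal());
            }
            chain.add(issuer);
            current = issuer;
        }
        return chain.toArray(new X509Certificate[0]);
    }

    /** A root is self-issued and carries a signature its own key verifies. */
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
            return false;
        }
        try {
            c.verify(c.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /**
     * Serialises a PKCS12 keystore holding one key entry with the full chain. The end-entity
     * certificate is NOT added via setCertificateEntry(), which would mark it as a trust anchor.
     */
    public static byte[] toPkcs12(PrivateKey key, X509Certificate[] chain, char[] password)
            throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);
        store.setKeyEntry("client", key, password, chain);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        store.store(out, password);
        return out.toByteArray();
    }
}
```

Building the chain this way only establishes that each certificate was signed by the next one; it says nothing about whether a relying party trusts the root. As the answer notes, a verifier with the CA certificates in its own trust store can validate the end-entity certificate even if the .p12 contains only the leaf, so shipping the intermediates is a convenience for verifiers that lack them, not a substitute for a trust anchor on the verifying side.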

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow