Validate Certificate Using X509 Thumprint

Question

I have successfully read the ThumbPrint of X509 Certificate. Is it possible to validate certificate using thumbprint value ? I just want a safe server certificate verification.

public class certificate {    

    public static void main(String[] args) {
        FileInputStream is;
        try {
            is = new FileInputStream("certificate.crt");
            CertificateFactory x509CertFact = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate)x509CertFact.generateCertificate(is);

            String thumbprint = getThumbPrint(cert);
            System.out.println("Thumb Print : " + thumbprint);

        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }    

    public static String getThumbPrint(X509Certificate cert) 
        throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] der = cert.getEncoded();
        md.update(der);
        byte[] digest = md.digest();
        return hexify(digest);
    }

    public static String hexify (byte bytes[]) {
        char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', 
                '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        StringBuffer buf = new StringBuffer(bytes.length * 2);

        for (int i = 0; i < bytes.length; ++i) {
            buf.append(hexDigits[(bytes[i] & 0xf0) >> 4]);
            buf.append(hexDigits[bytes[i] & 0x0f]);
        }

        return buf.toString();
    }      

}

Answer 1

Is it possible to validate certificate using thumbprint value?

Yes.

---

I just want a safe server certificate verification.

Keep in mind if you are verifying Google (and other sites), then the thumbprint will change about every 30 days. That's because Google uses short-lived certificates (30 day expiration) to keep the revocation lists (CRLs) manageable. However, Google recertifies the same public key, so you could pin the public key rather then the certificate.

For more reading on pinning, see OWASP's Certificate and Public Key Pinning.

Also, the IETF has an initiative Public Key Pinning Extension for HTTP.

Finally, you can take all of this to the next level with a security diversification strategy. See Peter Gutmann's Engineering Security.

Answer 2

The digest of a certificate has no meaning on its own. I am not aware of any certificate-based scheme that uses SHA-1 or any other kind of digest of the certificate body as the sole means to verify the certificate.

The java.security.cert.Certificate API has a well-defined methods to verify the certificate using the public key which is supposed to belong to the authority that issued the certificate (which leads to the notion of certificate chain).

The proper certificate verification should use the java.security.cert.CertPathValidator API and supply the certificate or certificate chain whose validity should be checked AND a trust store that contains the trusted CA roots. The core idea of verification is to check that each certificate in the chain is signed with public key from the next item in the chain and that the last certificate is among the trusted roots.