Code example for Certificate

Methods: getEncoded

  static IssuerInformation issuerInformationFromPreCertificateSigningCert( 
      Certificate certificate, byte[] keyHash) {
    try { 
      ASN1InputStream aIssuerIn = new ASN1InputStream(certificate.getEncoded());
      org.bouncycastle.asn1.x509.Certificate parsedIssuerCert =
      Extensions issuerExtensions = parsedIssuerCert.getTBSCertificate().getExtensions();
      Extension x509authorityKeyIdentifier = null;
      if (issuerExtensions != null) {
        x509authorityKeyIdentifier =
            issuerExtensions.getExtension(new ASN1ObjectIdentifier(X509_AUTHORITY_KEY_IDENTIFIER));
      return new IssuerInformation( 
          parsedIssuerCert.getIssuer(), keyHash, x509authorityKeyIdentifier, true);
    } catch (CertificateEncodingException e) {
      throw new CertificateTransparencyException( 
          "Certificate could not be encoded: " + e.getMessage(), e);
    } catch (IOException e) {
      throw new CertificateTransparencyException( 
          "Error during ASN.1 parsing of certificate: " + e.getMessage(), e);
  // Produces issuer information in case the PreCertificate is signed by a regular CA cert, 
  // not PreCertificate Signing Cert. In this case, the only thing that's needed is the 
  // issuer key hash - the Precertificate will already have the right value for the issuer 
  // name and K509 Authority Key Identifier extension. 
  static IssuerInformation issuerInformationFromCertificateIssuer(Certificate certificate) {
    return new IssuerInformation(null, getKeyHash(certificate), null, false);
   * Verifies the CT Log's signature over the SCT and certificate. 
   * Works for the following cases: 
   * * Ordinary X509 certificate sent to the log. 
   * * PreCertificate signed by an ordinary CA certificate. 
   * * PreCertificate signed by a PreCertificate Signing Cert. In this case the PreCertificate 
   *   signing certificate must be 2nd on the chain, the CA cert itself 3rd. 
   * It does not work for verifying a final certificate with the CT extension. 
   * TODO(eranm): Add the ability to remove the CT extension and verify a final certificate. 
   * @param sct SignedCertificateTimestamp received from the log. 
   * @param chain The certificates chain as sent to the log. 
   * @return true if the log's signature over this SCT can be verified, false otherwise. 
  public boolean verifySignature(Ct.SignedCertificateTimestamp sct, List<Certificate> chain) {
    if (!logInfo.isSameLogId(sct.getId().getKeyId().toByteArray())) {
      throw new CertificateTransparencyException(String.format(
          "Log ID of SCT (%s) does not match this log's ID.", sct.getId().getKeyId()));
    X509Certificate leafCert = (X509Certificate) chain.get(0);
    if (!CertificateInfo.isPreCertificate(leafCert)) {
      byte[] toVerify = serializeSignedSCTData(leafCert, sct);
      return verifySCTSignatureOverBytes(sct, toVerify);
    } else { 
      Preconditions.checkArgument(chain.size() >= 2,
          "Chain with PreCertificate must contain issuer."); 
      // PreCertificate 
      Certificate issuerCert = chain.get(1);
      IssuerInformation issuerInformation;
      if (!CertificateInfo.isPreCertificateSigningCert(issuerCert)) {
        issuerInformation = issuerInformationFromCertificateIssuer(issuerCert);
      } else { 
        Preconditions.checkArgument(chain.size() >= 3,
            "Chain with PreCertificate signed by PreCertificate Signing Cert must contain issuer."); 
        issuerInformation = issuerInformationFromPreCertificateSigningCert(