Alameyo's GSoC 2017 Blog, June 2017

Hey there,

This week I finally extracted extensions from certificates. The X509Certificate class doesn't contain a method that would just say which extensions are included in a certificate. Instead there are two methods, getCriticalExtensionOIDs() and getNonCriticalExtensionOIDs(), where OID stands for Object Identifier. Such an OID may look like this: "2.5.29.31". As I have worked a bit with this I may remember by heart that it stands for "CRL Distribution Points", but normal people won't know that. To make it human readable I mapped around 100 OID descriptions in the language files. The whole problem is that there are many more OIDs for certificates and I cannot map all of them, especially as some are only used by certain companies. I had to add a field in the GUI for listing extensions/OIDs that are unknown. I also created a new class, OIDTranslator, as an additional level of abstraction to translate OID values. That wasn't necessary, but in the future additional methods such as getOIDBrothers/Children/Father() could be added there, which might be helpful.

Having prepared the translation of OIDs I could start working on getting the extensions and their values. Thanks to the Bouncy Castle library, for most of the extensions I could use a similar piece of code:

// getExtensionValue(oid) returns the DER-encoded OCTET STRING; unwrap it into an ASN.1 object
ASN1Primitive primitive = JcaX509ExtensionUtils.parseExtensionValue(cert.getExtensionValue(oid));
// Then map the decoded object onto the Bouncy Castle class for that extension (here CRL Distribution Points)
CRLDistPoint point = CRLDistPoint.getInstance(primitive);

Unfortunately this way didn't work in all cases, but when it worked then, depending on the extension, I could use its methods to get values from its different fields, or sometimes just use the toString() method. At this point the structure of the extensions varied a lot. Sometimes it could be arrays of bytes; then, before saving it into a displayable String, I changed the format into more readable hex digits. Some values could be null, which I also had to handle. Basically every certificate extension required some research about its structure, and some of them I still had to leave unsupported as I was unable to read them well.
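The OID labelling and extension decoding described in the two paragraphs above, as an added example that is not Spark's code (ExtensionDecoder and its methods are hypothetical names; only the Bouncy Castle and JDK calls are real). It lists critical and non-critical extensions, labels known OIDs and flags unknown ones, decodes CRL Distribution Points into their URIs, and falls back to hex when a value cannot be parsed:

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Hex;

// Hypothetical helper (not Spark's OIDTranslator): labels a known OID, decodes the
// extensions whose structure is handled, and shows raw hex for everything else.
public class ExtensionDecoder {
    // Only one mapping here; Spark's language files carry around 100 of these.
    private static final Map<String, String> OID_NAMES =
        Collections.singletonMap(Extension.cRLDistributionPoints.getId(), "CRL Distribution Points");

    // Human-readable label, or the bare OID flagged as unknown so the GUI can list it separately.
    public static String label(String oid) {
        return OID_NAMES.getOrDefault(oid, oid + " (unknown OID)");
    }

    /** Decoded value of one extension; falls back to hex when the structure cannot be read. */
    public static String decode(X509Certificate cert, String oid) {
        byte[] raw = cert.getExtensionValue(oid);          // DER OCTET STRING, or null if absent
        if (raw == null) return "(absent)";
        try {
            ASN1Primitive prim = JcaX509ExtensionUtils.parseExtensionValue(raw);
            if (Extension.cRLDistributionPoints.getId().equals(oid)) {
                StringBuilder sb = new StringBuilder();
                for (DistributionPoint dp : CRLDistPoint.getInstance(prim).getDistributionPoints()) {
                    DistributionPointName dpn = dp.getDistributionPoint();   // optional field, may be null
                    if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME) continue;
                    for (GeneralName gn : GeneralNames.getInstance(dpn.getName()).getNames())
                        if (gn.getTagNo() == GeneralName.uniformResourceIdentifier)
                            sb.append(gn.getName().toString()).append(' ');
                }
                return sb.toString().trim();
            }
            return prim.toString();                          // generic ASN.1 dump for other extensions
        } catch (IOException | IllegalArgumentException e) {
            return "0x" + Hex.toHexString(raw);             // unreadable structure: show the raw bytes
        }
    }

    /** Every extension with its criticality, in the order the GUI would list them. */
    public static List<String> listAll(X509Certificate cert) {
        List<String> rows = new ArrayList<>();
        // Both getters return null (not an empty set) when no such extensions exist.
        for (String oid : Optional.ofNullable(cert.getCriticalExtensionOIDs()).orElse(Collections.emptySet()))
            rows.add("[critical] " + label(oid) + ": " + decode(cert, oid));
        for (String oid : Optional.ofNullable(cert.getNonCriticalExtensionOIDs()).orElse(Collections.emptySet()))
            rows.add(label(oid) + ": " + decode(cert, oid));
        return rows;
    }
}
```

Feed it any X509Certificate loaded through CertificateFactory; an unrecognised critical extension still appears in the output, flagged as unknown, instead of being silently dropped.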

One thing that I still want to do now is an option for deleting certificates from the Truststore, and then I will move on to creating lists of exceptions/valid_but_distrusted_certificates/etc... For now the idea is to create a separate Keystore for each such list to store it properly.

See you next week,

Paweł

Hello,

This week's GitHub pull request included options for adding certificates to the Truststore. Over the week I have come a long way updating it, as initially it asked the user for an alias for the certificate they want to store. Currently it takes the common name (CN) from the subject field of the certificate and uses it as the alias. I also added a check that the certificate doesn't already exist in the Keystore, to prevent having many copies of the same certificate (though a user can still add copies of certificates with third-party tools such as Java Keytool or OpenVPN).
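The alias and duplicate handling described above, as an added example that is not Spark's code (TruststoreAdder and its methods are hypothetical names; the KeyStore and LdapName calls are standard JDK). It derives the alias from the subject CN, uses KeyStore.getCertificateAlias() to detect an already stored copy of the same certificate, and avoids overwriting a different certificate that happens to share the CN:

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper, not Spark's code: stores a certificate under its subject CN,
// refusing exact duplicates and never overwriting a different cert with the same CN.
public class TruststoreAdder {

    /** Subject CN, or the whole subject DN when the subject has no CN attribute. */
    public static String commonName(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();   // RFC 2253 form
        try {
            for (Rdn rdn : new LdapName(dn).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        } catch (InvalidNameException e) {
            // unparseable DN: fall through and use the full string as the alias
        }
        return dn;
    }

    /** Returns the alias used, or null when this exact certificate is already in the store. */
    public static String add(KeyStore trustStore, X509Certificate cert) throws KeyStoreException {
        // getCertificateAlias() compares the encoded certificate, so a re-upload of the
        // same cert is caught even if the alias the user would have chosen differs.
        if (trustStore.getCertificateAlias(cert) != null) return null;

        String base = commonName(cert).toLowerCase();   // KeyStore aliases are case-insensitive
        String alias = base;
        int n = 1;
        // A different certificate with the same CN (e.g. a renewed one) must keep its
        // own entry, so probe alias, alias-1, alias-2, ... until a free name is found.
        while (trustStore.containsAlias(alias)) alias = base + "-" + (n++);
        trustStore.setCertificateEntry(alias, cert);
        return alias;
    }
}
```

The caller still has to KeyStore.store() the truststore afterwards; only the in-memory entry is changed here.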

Overall, creating a GUI can be time consuming if someone wants to make it nice looking and easy to use for the end user. The biggest issue with the graphic interface that I have met is that it sometimes looks different on different computers. While I submitted a PR with something that looked like this to me:

[Screenshot: spark_my_gui.png]

Maybe not totally perfect, and some work will still be done here (such as adding a delete button and fields saying whether the certificate is valid). But it looks far better than the thing that my mentor saw:

[Screenshot: spark_guus_screen.png]

That spacing at the top looks odd and also makes the scroll pane with the certificate fields smaller. Earlier there were also issues with missing labels. That means there will be a need for extensive testing of that GUI on different OS/computers. That's also a nice surprise for me, as I thought Java should work fairly independently of the platform. Well, it was even Java's slogan.

For next week I plan to add an option to delete certificates, as well as take the final steps to display certificate extensions.

See you next week,

Paweł

#5 Certificate extensions

Posted by Alameyo Jun 16, 2017

Hello,

How did this week go? Well, it took a bit longer to merge the code from the last PR into Spark's base code, but now there are also buttons for showing certificates (earlier they were shown only after a double click on the table) and a button to upload a certificate. Another thing that turned out more complicated than I initially thought is extracting certificate extensions. Java's X509Certificate class provides methods that return the extension OIDs (object identifiers) for critical and non-critical extensions. It also provides the method getExtensionValue(OID), which returns the extension, but encoded. Using some of the Bouncy Castle classes I am able to decode some of these values, but they have different structures to which I have to adjust the extracted values and map the names of the elements in the structure. Unfortunately some of the values are still enigmatic to me, or I can't decode them well yet. On the other hand, when I solve these problems similar work can be done for Openfire to show certificate extensions there as well.

See you next week,

Paweł

Hello,

This week I have made another panel for certificates. The one that I did last week lists all certificates in the truststore, and the new one shows details about the selected certificate. These details include all the basic fields of the certificate, such as issuer, signature, or public key value, among others. The one thing I still have to add is the certificate's extensions. Their number can vary, so the number of text fields and labels that have to be added can also vary. Even some standard certificate attributes, such as the value of the public key, can take up a lot of space on the screen, and this has to be accommodated somehow. That means the new single-certificate panel has to be scrollable to allow seeing all the cert's basic attributes and extensions.

The effect is visible in these screenshots:

[Screenshots: certTable.jpg, singleCertificate.jpg]

It's not perfect yet; for example the "Valid" column shows false for each row because validity checking isn't implemented yet. The second panel also might need some additional indicators of certificate validity/expiration. That goes for next week, along with other issues such as adding certificate extensions. One of my bigger concerns for now is the way of storing the list of exemptions, but I have a nice suggestion from my mentor which I might try.

See you next week,

Paweł

Ahoy,

Part of GSoC is time management, and this week I had 2 days of laboratories outside of the city, on a lake with the Department of Marine Electronics Systems. Just at the start of the first week of coding. As I was unaware of my programming capabilities there, I started a bit earlier, delivering the first chunk of code on Tuesday evening.

It includes part of the graphic interface listing certificates in a table and some of the classes supporting that. Such "support" classes are a model class for certificates, which will contain all certificate fields, and a controller class which helps in fitting certificates into the table and in the future will serve for extracting the contents of the truststores. Generally that wasn't hard, but once I stupidly got stuck sitting until about 2:00 AM wondering how to display a checkbox in the table. In my defense, the next morning I figured it out in less than 5 minutes, so maybe I just hadn't slept enough.

As I mentioned in the beginning, I had laboratories on the lake where I and my student group were driving the boat across the lake and working with different echolocation equipment such as radars, sonars, ultrasonic wave speed meters, an echo-sounding sonar and radar guns. Some of the experiments and measurements were conducted on the boat while others were in the laboratory building on the pier. To summarize, that was pretty cool, not a standard lab. I will throw in a picture of the boat here as I don't think I will have an opportunity to add any picture soon (but you can see the code on Spark's GitHub).

[Photo: C538OgT.jpg, the boat]

So what are the tasks for next week?

I have a half-finished panel listing certificates, but I still need to extract the data of the certificates into that panel. I also want to add an additional dialog that would show all the fields of a particular certificate.

See you next week,
Paweł