I am developing authentication through the PKI. I am new to authenticate the user through the PKI so after reading on internet i came up with this solution. A user will create a public and private key. To validate the public key the user will apply for the Digital Certificate. The Digital certificate will have the public key, the meta data of the user and the Digital Signature of the Certificate Authority. To prove no data tampering the user will use the Digital Signature which will be the hash of the certificate with the private key of the user. The user will send both the Digital Certificate, Digital Signature and the data to the server.
The server in response verify the Digital Certificate and grab the public key to validate the Digital Signature and after verification the Server will encrypt the data using Public key and send to the user. I am also using https for the secure transfer of the information.
Now I am confuse how this will be done pragmatically.
Sorry I am newbie in the Digital Certificate and Digital Signature.
To prove no data tampering the user will use the Digital Signature which will be the hash of the certificate with the private key of the user.
No, the digital signature is generated over the message data using the private key. The certificate is used to verify it
The server in response verify the Digital Certificate and grab the public key to validate the Digital Signature and after verification the Server will encrypt the data using Public key and send to the user. I am also using https for the secure transfer of the information.
you should associate the public key to the user account during registration process
with https, additional encryption is redundant and useless
encryption with public key (assuming RSA) is limited to key size.
From where I can get the Digital Certificate, majorly which are the trustful CA ?
Each browser has its own trusted list. Additionally in EU exists a list of qualified certificate providers. The lists are different.
You can also build your own CA
Is there any REST API by the Certificate Authority where I send the certificate to validate a certificate?
the message format to request a certificate is standardized (pkcs # 10), but the connection protocol with the CA is not. It is possible that a CA has REST services, but in any case, a certificate will never be issued by the CA without validating the user data that is included in the certificate
Is there any library to parse the certificate to extract the information?
Of course, search for your programming language