I've spent the last few days trying to learn x509 certificates (issued by CAs) and I think I have a solid understanding of the principle of how they work. My understanding is that a digital certificate has an associated signature, and that signature should only be able to be decrypted with the public key of the CA that issued/signed it.
What I'm failing to understand is how to actually implement that verification logic in Java. Where do I retrieve that public key from to decrypt the signature and verify the digest? Is there a lookup table somewhere where you can provide a DN and get a public key back?
I've tried to use the javax.security.cert.X509Certificate class to load a certificate, and I notice the verify function that requires a public key. I just don't know where to get the public key.
You can grab the public key from the certificate itself. After all, a certificate is a public key, some metadata and a signature.
Now you still need a trusted source of certificates or public keys. And that is the application's truststore. This one is filled with certificates the application is allowed to trust (blindly). So any certificate contained in the truststore is trusted, but also any certificate that was signed by one of the trusted ones. With that, you can build a hierarchy and validate an enormous amount of certificates.
On top of just checking the signatures and trust chains, you will also want to contact the CAs for their certificate revocation list - just to ensure the certificate in question is not contained there.
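The checks described in this answer (signatures, trust chain, revocation), as an added example that is not part of the original answer. It uses the JDK's `java.security.cert` PKIX validator; the class name `ChainCheck`, the command-line arguments and the file layout (leaf certificate first, then intermediates, root left out) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class ChainCheck {   // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumed arguments: chain PEM (leaf first, then intermediates),
        // truststore file, truststore password.
        String chainPem = args[0], trustStorePath = args[1];
        char[] trustStorePass = args[2].toCharArray();

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(chainPem)) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }

        // The truststore supplies the trust anchors, i.e. the CA public keys
        // that the question asks about.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        PKIXParameters params = new PKIXParameters(trustStore);

        // Revocation checking: let the JDK's default provider fetch CRLs from
        // the CRL distribution points named in the certificates.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        params.setRevocationEnabled(true);

        // Validation verifies each certificate's signature with the public key
        // of the next one up, ending at a trust anchor, and checks validity dates.
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.println("Trusted, anchored at: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the path that failed, or -1 if unknown.
            System.out.println("Rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

A failure to retrieve a CRL is reported as a rejection as well, so a certificate whose revocation status cannot be determined is not treated as trusted.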