feature request: compare certificates #360

Closed
thx1138-9 opened this issue Feb 23, 2022 · 35 comments

@thx1138-9

There are situations where one needs to compare a renewed certificate with the older version, or when you want to double check if a certificate for a new domain has exactly the same properties, also in the whole certificate chain.
It can happen that changes are introduced in the newly requested certificate, for whatever reason, or that your CA has made changes that one is not aware of.

At this moment it is to my knowledge not possible to inspect 2 certificate files at the same time in the keystore explorer, so that one can inspect them side by side. Making print screens of the 2 certificates and comparing these is not an easy way.

I have also tried to export both certificates as detailed as possible to a txt format, and compared these i.e. with the compare plugin in notepad++, but this is also not easy, and risks of leaving traces on the filesystem.

A better way would be to do this compare inside the keystore explorer, where all details of the certificates are available, and where this compare can be done within a secure context.

@jpstotz
Contributor

jpstotz commented Feb 23, 2022

I have also tried to export both certificates as detailed as possible to a txt format, and compared these i.e. with the compare plugin in notepad++, but this is also not easy, and risks of leaving traces on the filesystem.

Certificates are public, so if the text file only contains the certificate details (not details of the private key) it doesn't matter who can access the created files.

For comparing I would use the text representation shown in View Details -> Certificate Chain Details -> ASN.1

@kaikramer
Owner

Just to emphasize what @jpstotz wrote: You can actually keep the ASN.1 dump windows open and compare two or more certificates with them.

@jgrateron
Contributor

A component could be added to show the difference of two certificates in ansi format.

image

image

image

@kaikramer
Owner

@jgrateron Not bad! Is this a mockup or do you already have something like this?

We could use this component also for other text comparisons. Like for example, via "Tools -> KeyStore Properties -> Copy" you can get the certificates of a keystore in a text format like this:

ou__globalsign_ecc_root_ca__r5,_o__globalsign,_cn__globalsign [jdk]
    Last Modified: 11/13/2012, 1:00:00 AM CET
    Version: 3
    Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
    Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
    Serial Number: 605949E0262EBB55F90A778A71F94AD86C
    Valid From: 11/13/2012, 1:00:00 AM CET
    Valid Until: 1/19/2038, 4:14:07 AM CET
    Public Key
        Algorithm: EC
        Key Size: 384 bits
        Format: X.509
        Encoded: 0x3076301006072A8648CE3D020106052B810400220362000447450E96FB7D5DBFE939D121F89F0BB6D57B1E923A48591CF062312DC07A28FE1AA75CB3B6CC97E745D458FAD1776D43A2C08765340A1F7ADDEB3C33A1C59D4DA46F4195387FC91E84EBD19E49928794870C3A854A669F9D59934D976106864A
    Signature Algorithm: SHA-384 with ECDSA
    MD5 Fingerprint: 9F:AD:3B:1C:02:1E:8A:BA:17:74:38:81:0C:A2:BC:08
    SHA-1 Fingerprint: 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA

We could use the code that generates this summary and provide an item in the right-click menu when 2 certificates are selected "compare certificates". Maybe similar for ASN.1.

@jgrateron
Contributor

Hi

I have a project that compares text and displays the differences in two JEditorPane

https://github.com/jgrateron/CompareTexto, it is necessary to add a new dependency

		<dependency>
			<groupId>io.github.java-diff-utils</groupId>
			<artifactId>java-diff-utils</artifactId>
			<version>4.12</version>
		</dependency>

The component compares texts, so it can work with any text format that is sent.

If you select two certificates I will add to the right-click menu the compare option.

@jgrateron
Contributor

The format ASN.1 is more complete than this output, e.g. the extensions keyUsage, AIA, etc. are not visible.

ou__globalsign_ecc_root_ca__r5,_o__globalsign,_cn__globalsign [jdk]
    Last Modified: 11/13/2012, 1:00:00 AM CET
    Version: 3
    Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
    Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
    Serial Number: 605949E0262EBB55F90A778A71F94AD86C
    Valid From: 11/13/2012, 1:00:00 AM CET
    Valid Until: 1/19/2038, 4:14:07 AM CET
    Public Key
        Algorithm: EC
        Key Size: 384 bits
        Format: X.509
        Encoded: 0x3076301006072A8648CE3D020106052B810400220362000447450E96FB7D5DBFE939D121F89F0BB6D57B1E923A48591CF062312DC07A28FE1AA75CB3B6CC97E745D458FAD1776D43A2C08765340A1F7ADDEB3C33A1C59D4DA46F4195387FC91E84EBD19E49928794870C3A854A669F9D59934D976106864A
    Signature Algorithm: SHA-384 with ECDSA
    MD5 Fingerprint: 9F:AD:3B:1C:02:1E:8A:BA:17:74:38:81:0C:A2:BC:08
    SHA-1 Fingerprint: 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA

@jgrateron
Contributor

Will it be possible to add more information from KeyUsage?

            SEQUENCE
            {
                OBJECT IDENTIFIER=KeyUsage (2.5.29.15)
                BOOLEAN=true
                OCTET STRING, encapsulates:
                    BIT STRING=10100000

            }

It should appear

Digital Signature
Key Encipherment

I will look into it
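
The mapping requested above, from the dumped KeyUsage BIT STRING to named usages, as an added example (not KSE's own code). Bit positions follow RFC 5280; the class name, method names and every display label other than the two named in the comment are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

public class KeyUsageNames {
    // KeyUsage named bits in RFC 5280 order (bit 0 first). Display labels are
    // illustrative; only "Digital Signature" and "Key Encipherment" appear in the thread.
    private static final String[] LABELS = {
        "Digital Signature", "Non Repudiation", "Key Encipherment",
        "Data Encipherment", "Key Agreement", "Certificate Signing",
        "CRL Signing", "Encipher Only", "Decipher Only"
    };

    /** Decodes a bit string as printed in the ASN.1 dump; the leftmost character is bit 0. */
    static List<String> fromDumpBits(String bits) {
        boolean[] flags = new boolean[bits.length()];
        for (int i = 0; i < bits.length(); i++) {
            char c = bits.charAt(i);
            if (c != '0' && c != '1') {
                throw new IllegalArgumentException("not a bit string: " + bits);
            }
            flags[i] = (c == '1');
        }
        return fromFlags(flags);
    }

    /** Same mapping for the boolean[] returned by X509Certificate.getKeyUsage(). */
    static List<String> fromFlags(boolean[] flags) {
        List<String> names = new ArrayList<>();
        if (flags == null) {
            return names; // getKeyUsage() returns null when the extension is absent
        }
        for (int i = 0; i < flags.length; i++) {
            if (flags[i]) {
                // Bits beyond the nine defined ones are reported rather than dropped.
                names.add(i < LABELS.length ? LABELS[i] : "Unknown bit " + i);
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Value from the dump quoted in the thread.
        System.out.println(fromDumpBits("10100000"));
        // Constructed value: nine bits, so decipherOnly (bit 8, second octet) is reachable.
        System.out.println(fromDumpBits("000010001"));
    }
}
```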

@jgrateron
Contributor

first review, I welcome comments and feedback.

https://github.com/jgrateron/keystore-explorer/tree/compare

image
image

@jgrateron
Contributor

jgrateron commented Feb 26, 2023

Fixed some errors and added more information for comparison.

image

@jgrateron
Contributor

Hi
Add KeyUsage and one color is enough.

image

@jgrateron
Contributor

For a conclusion message can we calculate the percentage of equal lines? I made several tests and these were the results.
The first value is the number of lines to compare, the second is the number of equal lines and the third is the percentage.

184 184 100.0
233 164 70.0
262 126 48.0
261 127 48.0
233 103 44.0

In the first test I compared the same certificate; in the second I made two almost identical certificates, except for the public key and signature; the rest were random certificates.

Can we add a label that says XX percentage of similarity?

@kaikramer
Owner

Good work, I really like it!

About the question regarding the percentage of equal lines: Sounds useful, but I did not understand where you want to put that label.

@jgrateron
Contributor

jgrateron commented Mar 3, 2023

the comparison label

image

image

@The-Lum
Contributor

The-Lum commented Mar 4, 2023

[Just for traceability,] here is the corresponding PR:

Thanks @jgrateron.

@jgrateron
Contributor

Hi @kaikramer
image

We can increase the hexadecimal dump from 8 to 10, which means fewer lines to compare; for example, the SKI and AKI extensions are 20 bytes (160 bits), so 10 would be enough to reduce lines.

@The-Lum
Contributor

The-Lum commented Mar 8, 2023

Hi @jgrateron, @kaikramer, and all,

  • We could even double the current value (8) and go to 16.
    Would it be possible?

Regards.

@kaikramer
Owner

@jgrateron and @The-Lum: If 16 does not look insanely broad (we have 2x16 in the comparison view plus the additional ASCII columns), then it is fine for me. Modern monitors are quite wide anyway.

@The-Lum
Contributor

The-Lum commented Mar 9, 2023

Good news. 👍

Then I have a lot of open questions, minor issues, wanted features on @jgrateron's Compare certificates PR (#420).
I will perhaps open a new Discussion about that to share those elements, or here?
(@kaikramer: what is the best solution? continue here (#360) or create a new issue?)

Regards.

@jgrateron
Contributor

Hi
@The-Lum the attachment of CompareCertificateAction.onlytwo.message is pending, could you generate a new PR, thanks.

@kaikramer
Owner

@The-Lum There has been no release yet and we are still talking about the compare feature, so I think it is fitting to continue the discussion here.

@The-Lum
Contributor

The-Lum commented Mar 10, 2023

Hi @kaikramer, @jgrateron, and all,

The attachment of CompareCertificateAction.onlytwo.message is pending, could you generate a new PR, thanks.

@jgrateron: Yes, but before I will exchange with you all my questions...

And as:

we are still talking about the compare feature, so I think it is fitting to continue the discussion here.

@kaikramer: Then here are all my open questions, minor issues, wanted features.... and open to debate...


1. Size of the Compare Cert. dialog windows

jspAsn1Dump.setPreferredSize(new Dimension(1350, 600));

The size is not managed so well.
For example, sometimes the Compare Cert. window is bigger than our screen and we need to make the window full screen for better management.

Then perhaps change the size of this dialog window:

  • keep this size, but if the size is near or bigger than the real screen size: enlarge to full screen
  • or always put on full screen...

2. Test of the dependencies

  • Could you add a test to confirm that the dependency is installed properly?
    For example, if we don't have the java-diff-utils-4.12.jar lib, we observe no error either...

3. Minor improvement on the word or letter diff.

Here are some screenshots:
2023-03-09 10_36_27-Compare Certificates
2023-03-09 11_25_34-Compare Certificates
2023-03-09 14_45_01-Compare Certificates

Perhaps change inlineDiffByWord(true) to inlineDiffByWord(false) on:

DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(true)
        .oldTag(f -> f ? "<font color='red'><b>" : "</b></font>")
        .newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();

See:

4. Adding Compare Cert. command on top menu

It will be perhaps good to have the command on a top menu: Not only on right click context but add also a command on... Edit (or Tools) menu.
Perhaps Edit menu is the better choice...

5. Adding different colours for diff. between the two sides

DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(true)
        .oldTag(f -> f ? "<font color='red'><b>" : "</b></font>")
        .newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();

It will be good to have different colours between the two sides, in order to distinguish explicitly the 2 certificates.
Not Green/Red (#00FF00/#FF0000) as the beginning of the proposal PR, but why not Blue/Red (#0000FF/#FF0000),
But this wanted feature asks some questions about accessibility...
Ref.:

6. Adding names of compared cert. on dialog window title

Here are some proposals, using subject CN:

  • Compare Certificates: 'CertShortName1' with 'CertShortName2'
  • Compare Certificates: 'CertShortName1' vs 'CertShortName2'

I prefer the second proposal with vs, more compact...
To conform or be similar to:

KeyDetailsAction.PrivateKeyDetailsEntry.Title = Private Key Details for Entry ''{0}''
KeyDetailsAction.PublicKeyDetailsEntry.Title = Public Key Details for Entry ''{0}''
KeyDetailsAction.SecretKeyDetailsEntry.Title = Secret Key Details for Entry ''{0}''
KeyDetailsAction.statusbar = Display details of the Key entry
KeyDetailsAction.text = Key Details
KeyDetailsAction.tooltip = Details of Key entry
KeyPairCertificateChainDetailsAction.CertDetailsEntry.Title = Certificate Details for Entry ''{0}''

7. Fix icon issues

Fix by putting KSE Icon for those windows (and not the JRE icon!)
See similar issue here:

Screenshot for point 6 & 7:
2023-03-09 11_58_35-DialogTitle


Furthermore: Thanks a lot @jgrateron for your proposal and #420. That is a good beginning 👍
Now, we are open to debate, in order to make some minor enhancements, and have a super Compare Cert. feature. 🚀

Regards,
Th.
[And live from Bonn again]

@jgrateron
Contributor

Hi @The-Lum

Thank you for your comments, I will evaluate them as soon as I can.

@The-Lum
Contributor

The-Lum commented Mar 17, 2023

Hi @jgrateron, @kaikramer, and all,

Here are some first attempts here:

But I am not too satisfied with all the result... 👎
I will post my new remarks here (shortly)...

Open to discussion...
Regards.

@The-Lum
Contributor

The-Lum commented Mar 17, 2023

Hi @jgrateron, @kaikramer, and all,

From my test:

		DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(false)
				.oldTag(f -> f ? "<font color='blue'><b>" : "</b></font>")
				.newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();

Here is a corresponding screenshot:
2023-03-17 22_11_09-Compare Certificates

Pt 3 - Minor improvement on the word or letter diff.

Changing inlineDiffByWord(true) to inlineDiffByWord(false) corrects some things (see green #00FF00 rect.) but makes some other bugs on other things (see orange #FFA500 rect.)...

  • I don't know if there is a byte-by-byte mode for the java-diff-utils library?

Pt 5 - Adding different colours for diff. between the two sides

The blue #0000FF colour is not so good! Even worse!
See accessibility consideration...

  • What would be the best colours?

If that can help,
Regards.

@kaikramer
Owner

Pt 5 - Adding different colours for diff. between the two sides

The blue #0000FF colour is not so good! Even worse!

Yes, the blue text on dark background stings my eyes. :-) There are websites with color tables that we should use and we also need different colors depending whether the current color scheme is light or dark.

Also most diff tools that I know do not color the text (foreground) differently but the background. Like this (colors used are #CD853F and #CD5C5C):

grafik

Regarding the accessibility topic, I have found this web page, but of course I don't know if this test is good enough.

Pt 3 - Minor improvement on the word or letter diff.

Regarding inlineDiffByWord(false), I agree, that this heavily depends on the actual text. In the following example it is not very helpful that "E", "c" and "y" are common letters in "EcPublicKey" and "RsaEncryption", same with "N" in "IDENTIFIER" and "NULL":

grafik

With inlineDiffByWord(true) it is coarser but less confusing (for this example):

grafik

Not so easy to find a "right" setting here, but I think setting it to true is the safer option.

Pt ??? - Width of hex dump

The width of the dialog is now around 1400 pixels minimum to see both sides fully. I am used to big and wide screens, where this is no problem, but this is certainly not the case for every user of KSE.

The resolution of 1366x768 pixels for example seems to be pretty popular: https://gs.statcounter.com/screen-resolution-stats

There are 1-2 letters not visible anymore when I change the width of the comparison dialog to 1366. That should still be fine I guess, but it's close...
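
An added example (not KSE's code) that runs java-diff-utils 4.12, the dependency named earlier in the thread, over two constructed ASN.1 dump fragments: it prints the changed rows under inlineDiffByWord(true) and inlineDiffByWord(false), plus the equal-line percentage proposed earlier in the thread. The class name, the sample dumps, the bracket markers used in place of the HTML font tags, and counting DiffRow entries as the "lines to compare" are assumptions.

```java
import com.github.difflib.text.DiffRow;
import com.github.difflib.text.DiffRowGenerator;
import java.util.Arrays;
import java.util.List;

public class CertDumpDiffDemo {
    // Constructed ASN.1 dump fragments for illustration (not from real certificates).
    static final List<String> OLD_DUMP = Arrays.asList(
        "SEQUENCE",
        "{",
        "    OBJECT IDENTIFIER=EcPublicKey (1.2.840.10045.2.1)",
        "    OBJECT IDENTIFIER=Secp384r1 (1.3.132.0.34)",
        "}",
        "OBJECT IDENTIFIER=KeyUsage (2.5.29.15)",
        "BIT STRING=10000000");
    static final List<String> NEW_DUMP = Arrays.asList(
        "SEQUENCE",
        "{",
        "    OBJECT IDENTIFIER=RsaEncryption (1.2.840.113549.1.1.1)",
        "    NULL",
        "}",
        "OBJECT IDENTIFIER=KeyUsage (2.5.29.15)",
        "BIT STRING=10100000");

    // Same builder chain as in the thread; plain-text markers replace the font tags
    // so the inline segments are readable on a console.
    static DiffRowGenerator generator(boolean byWord) {
        return DiffRowGenerator.create()
            .showInlineDiffs(true)
            .inlineDiffByWord(byWord)
            .oldTag(f -> f ? "[-" : "-]")
            .newTag(f -> f ? "[+" : "+]")
            .build();
    }

    // Share of rows tagged EQUAL. Integer division truncates, which is consistent
    // with the figures posted in the thread (127 of 261 shown as 48.0).
    static int equalPercent(List<DiffRow> rows) {
        if (rows.isEmpty()) {
            return 100;
        }
        long equal = rows.stream().filter(r -> r.getTag() == DiffRow.Tag.EQUAL).count();
        return (int) (equal * 100 / rows.size());
    }

    public static void main(String[] args) throws Exception {
        for (boolean byWord : new boolean[] {true, false}) {
            List<DiffRow> rows = generator(byWord).generateDiffRows(OLD_DUMP, NEW_DUMP);
            System.out.println("inlineDiffByWord(" + byWord + "): " + equalPercent(rows)
                + "% of " + rows.size() + " rows equal");
            for (DiffRow row : rows) {
                if (row.getTag() != DiffRow.Tag.EQUAL) {
                    System.out.println("  " + row.getTag() + " | " + row.getOldLine()
                        + " | " + row.getNewLine());
                }
            }
        }
    }
}
```

The percentage is a summary only; the changed rows, here the public key algorithm and the KeyUsage bits, are what a reviewer of a renewed certificate needs to read.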

@jgrateron
Contributor

jgrateron commented Mar 18, 2023

Hi

image

I made some suggestions to improve the certificate comparison.

  • Fix icons
  • Dialog window title
  • Change of background color instead of font color.
  • French translations are added
  • Size dialog

I agree to only use inlineDiffByWord(true), missing adding Compare Cert. command on top menu.

There is no need to check the dependencies as they are automatically included when building the project.

https://github.com/jgrateron/keystore-explorer/tree/compare_v2

@The-Lum
Contributor

The-Lum commented Mar 19, 2023

Hi @kaikramer, @jgrateron, and all,

@jgrateron: I couldn't have managed to correct all these points so quickly... Thanks a lot. 👍

Then I will plan to test your version.
But I don't know how? I'm not fluent on this...
(clone your repo., and test...)
[Perhaps it will be relevant to add kse.jar as artifacts on CI GitHub Action? Does it make sense?]
@kaikramer: I can make a PR, if you want? (if it makes sense...)

Here are first remarks:

Pt 1. Size of the compare windows:

It is mandatory not to have a fixed-size window:

  • Wouldn't it be better to do it directly in full screen?
    Especially for laptop screens, which are smaller...

Pt 2. Test of the dependencies

There is no need to check the dependencies as they are automatically included when building the project.

Unfortunately, sometimes I deliver the kse.jar without the lib!

Other new pt.

And a minor request on the code:

  • Change jspAsn1Dump to jspCompareCert (for more readability).

Regards.

@jgrateron
Contributor

Hi

add in the main menu the option to compare certificates.

I'm not good with layouts, they don't do what I want and I've spent enough time on that part, maybe you know how to adjust the dialog box to make it look nice when maximizing.

I don't know how to test dependencies.

thanks @The-Lum for your comments, and about Improve (enlarge) HexUtil and ASN.1 dump, we had agreed that I was going to keep the current measurements.

@kaikramer pull request submitted

Greetings

@kaikramer
Owner

@jgrateron Thanks for the PR! I can take care of the resizing issue later.

@The-Lum

Then I will plan to test your version.
But I don't know how? I'm not fluent on this...
(clone your repo., and test...)
[Perhaps it will be relevant to add kse.jar as artifacts on CI GitHub Action? Does it make sense?]
@kaikramer: I can make a PR, if you want? (if it makes sense...)

I don't think so, but I am also not sure what exactly does not work for you. It should be no problem to compile and run the application after cloning the repo with ./gradlew run (in the kse folder).

Unfortunately, sometimes I deliver the kse.jar without the lib!

You deliver the kse.jar? Well, that is a problem. The kse.jar is only a part of the application. There is the concept of "fat jars" that contain all dependencies, but this is not the case here and would make no sense for KSE anyway.

./gradlew build generates a zip file in the build/distributions folder that contains all dependencies.

@The-Lum
Contributor

The-Lum commented Mar 26, 2023

Hi all,

Thanks @jgrateron for your PR (#426), I will plan to test them.

thanks @The-Lum for your comments, and about Improve (enlarge) HexUtil and ASN.1 dump, we had agreed that I was going to keep the current measurements.

@kaikramer: Is it (#425) OK for you?

Then for my java questions:

Perhaps it will be relevant to add kse.jar as artifacts on CI GitHub Action? Does it make sense?
@kaikramer: I can make a PR, if you want? (if it makes sense...)

I don't think so, but I am also not sure what exactly does not work for you. It should be no problem to compile and run the application after cloning the repo with ./gradlew run (in the kse folder).

Unfortunately, sometimes I deliver the kse.jar without the lib!

You deliver the kse.jar? Well, that is a problem. The kse.jar is only a part of the application. There is the concept of "fat jars" that contain all dependencies, but this is not the case here and would make no sense for KSE anyway.
./gradlew build generates a zip file in the build/distributions folder that contains all dependencies.

Forget my java considerations (coming from the fact that I don't have a local git repository and that I do everything online on the GitHub site).
The only consideration would be to have kse.jar as artifacts (in order to avoid recompiling the code all the time) but to see if it's ecologically good... (gain between recompilation and storage)...

Regards.

@The-Lum
Contributor

The-Lum commented Mar 26, 2023

Hi all,

I will plan to test them.

I don't know (by java code) how to enlarge to full screen...
Only manually, and then there is attention also of the margin:

2023-03-26 14_22_24-Window

And for a next enhancement:

  • Why not add a shortcut for this command?
    Hint: why not Ctrl+Alt+C?

Regards.

@kaikramer
Owner

Forget my java considerations (coming from the fact that I don't have a local git repository and that I do everything online on the GitHub site).

Oh, wow, sounds cumbersome, I couldn't work like that.

The only consideration would be to have kse.jar as artifacts (in order to avoid recompiling the code all the time) but to see if it's ecologically good... (gain between recompilation and storage)...

Ok, if it helps you, then it's fine for me. The kse.jar is only 2 MB in size, adding it as an artifact should be no big problem. But how do you compile kse currently?

I don't know (by java code) how to enlarge to full screen...
Only manually, and then there is attention also of the margin:

I can take care of these issues.

Why not add a shortcut for this command?
Hint: why not Ctrl+Alt+C?

Good idea, and using Ctrl-Alt-C seems also like a good idea.

@jgrateron
Contributor

Do not forget to add this feature to the new 5.5.3 version.

Regards

@kaikramer kaikramer added this to the v5.5.3 milestone Oct 13, 2023
@kaikramer
Owner

@jgrateron Thanks for the hint!

kaikramer added a commit that referenced this issue Oct 21, 2023
- better window handling
- different colors for light/dark background
- added shortcut+mnemonic
@kaikramer
Owner

Closing issues in preparation for release 5.5.3
