feature request: compare certificates #360
Comments
Certificates are public, so if the text file only contains the certificate details (not details of the private key) it doesn't matter who can access the created files. For comparing I would open use the text representation shown in View Details -> Certificate Chain Details -> ASN.1 |
Just to emphasize what @jpstotz wrote: You can actually keep the ASN.1 dump windows open and compare two or more certificates with them. |
@jgrateron Not bad! Is this a mockup or do you already have something like this? We could use this component also for other text comparisons. Like for example, via "Tools -> KeyStore Properties -> Copy" you can get the certificates of a keystore in a text format like this:
We could use the code that generates this summary and provide an item in the right-click menu when 2 certificates are selected "compare certificates". Maybe similar for ASN.1. |
Hi I have a project that compares text and displays the differences in two JEditorPane https://github.com/jgrateron/CompareTexto, it is necessary to add a new dependency
The component compares texts, so it can work with any text format that is sent. If you select two certificates I will add to the right-click menu the compare option. |
The format ASN.1 is more complete than this output, e.g. the extensions keyUsage, AIA, etc. are not visible. ou__globalsign_ecc_root_ca__r5,_o__globalsign,_cn__globalsign [jdk] |
Will it be possible to add more information from KeyUsage?
It should appear Digital Signature I will look into it |
first review, I welcome comments and feedback. |
For a conclusion message can we calculate the percentage of equal lines? I made several tests and these were the results. 184 184 100.0 The first test I compared the same certificate, the second I made two almost identical certificates except for the public key and signature and the rest random certificates. Can we add a label that says XX percentage of similarity? |
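The equal-line percentage proposed in the comment above, as an added example that is not part of the thread or of the KSE code base. It uses the `DiffRowGenerator` of java-diff-utils (the library discussed in this issue) on two constructed text dumps; the class name, the `[-`/`+]` markers and the sample lines are assumptions.

```java
import com.github.difflib.text.DiffRow;
import com.github.difflib.text.DiffRowGenerator;
import java.util.List;

// Hypothetical class, not part of KSE: equal-line percentage of two text dumps.
public class CertDumpSimilarity {

    // Share of diff rows tagged EQUAL, in percent; two empty dumps count as identical.
    static double similarity(List<DiffRow> rows) {
        if (rows.isEmpty()) {
            return 100.0;
        }
        long equal = rows.stream().filter(r -> r.getTag() == DiffRow.Tag.EQUAL).count();
        return 100.0 * equal / rows.size();
    }

    public static void main(String[] args) {
        // Constructed sample dumps (not real certificates): a certificate and its
        // renewal with a new serial number, new validity and a changed key usage.
        List<String> oldDump = List.of(
                "Version: 3",
                "Subject: CN=www.example.test",
                "Issuer: CN=Example Test CA",
                "Serial Number: 0x01A4",
                "Valid Until: 2024-01-01",
                "Signature Algorithm: SHA256WITHRSA",
                "Key Usage: Digital Signature, Key Encipherment");
        List<String> newDump = List.of(
                "Version: 3",
                "Subject: CN=www.example.test",
                "Issuer: CN=Example Test CA",
                "Serial Number: 0x02B7",
                "Valid Until: 2025-01-01",
                "Signature Algorithm: SHA256WITHRSA",
                "Key Usage: Digital Signature");

        // Plain-text markers instead of the HTML font tags used in the dialog.
        DiffRowGenerator generator = DiffRowGenerator.create()
                .showInlineDiffs(true).inlineDiffByWord(true)
                .oldTag(f -> f ? "[-" : "-]")
                .newTag(f -> f ? "[+" : "+]").build();

        List<DiffRow> rows = generator.generateDiffRows(oldDump, newDump);
        // Print only the rows that differ, old side and new side.
        rows.stream().filter(r -> r.getTag() != DiffRow.Tag.EQUAL)
                .forEach(r -> System.out.println(r.getOldLine() + "  |  " + r.getNewLine()));
        System.out.printf("%.1f%% of %d lines are equal%n", similarity(rows), rows.size());
    }
}
```

A high percentage does not mean the certificates are equivalent: a single changed line such as Key Usage can be the one that matters, so the changed rows still need to be read.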
Good work, I really like it! About the question regarding the percentage of equal lines: Sounds useful, but I did not understand where you want to put that label. |
[Just for traceability,] here is the corresponding PR: Thanks @jgrateron. |
Hi @kaikramer We can increase from 8 to 10 the hexadecimal dump, it is less lines to compare, for example the SKI, AKI extensions are 20 bytes (160 bits) so 10 would be enough to reduce lines. |
Hi @jgrateron, @kaikramer, and all,
Regards. |
@jgrateron and @The-Lum: If 16 does not look insanely broad (we have 2x16 in the comparison view plus the additional ASCII columns), then it is fine for me. Modern monitors are quite wide anyway. |
Good news. 👍 Then I have a lot of open questions, minor issues, wanted features on @jgrateron's Compare certificates PR (#420). Regards. |
Hi |
@The-Lum There has been no release yet and we are still talking about the compare feature, so I think it is fitting to continue the discussion here. |
Hi @kaikramer, @jgrateron, and all,
@jgrateron: Yes, but before I will exchange with you all my questions... And as:
@kaikramer: Then here are all my open questions, minor issues, wanted features.... and open to debate... 1. Size of the
jspAsn1Dump.setPreferredSize(new Dimension(1350, 600));
The size is not so well managed.
For example, sometimes the Compare Cert. window is bigger than our screen and we need to make the window full screen for better management.
Then perhaps changing the size of this dialog windows:
- kept this size, but if the size is near or bigger than the real screen size: change to enlarge to full screen
- or always put on full screen...
2. Test of the dependencies
- Could you add a test to confirm that the dependency is correctly installed?
For example, if we don't have the java-diff-utils-4.12.jar lib, we observe no error either...
3. Minor improvement on the word or letter diff.
Perhaps change inlineDiffByWord(true) to inlineDiffByWord(false) on:
DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(true)
.oldTag(f -> f ? "<font color='red'><b>" : "</b></font>")
.newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();
See:
4. Adding Compare Cert. command on top menu
It will be perhaps good to have the command on a top menu: Not only on right click context but add also a command on... Edit (or Tools) menu.
Perhaps Edit menu is the better choice...
5. Adding different colours for diff. between the two sides
DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(true)
.oldTag(f -> f ? "<font color='red'><b>" : "</b></font>")
.newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();
It will be good to have different colours between the two sides, in order to distinguish explicitly the 2 certificates.
Not Green/Red (#00FF00/#FF0000) as the beginning of the proposal PR, but why not Blue/Red (#0000FF/#FF0000),
But this wanted feature asks some questions about accessibility...
Ref.:
- Improve certificate expiry status icons #350
- https://www.w3.org/WAI/WCAG21/Understanding/use-of-color
- https://www.w3.org/WAI/WCAG21/Understanding/contrast-minimum
- https://www.w3.org/WAI/WCAG21/Understanding/contrast-enhanced
6. Adding names of compared cert. on dialog window title
Here are some proposals, using subject CN:
Compare Certificates: 'CertShortName1' with 'CertShortName2'
Compare Certificates: 'CertShortName1' vs 'CertShortName2'
I prefer the second proposal with vs, more compact...
To be conform or similar to:
keystore-explorer/kse/src/org/kse/gui/actions/resources.properties
Lines 369 to 376 in 789b744
KeyDetailsAction.PrivateKeyDetailsEntry.Title = Private Key Details for Entry ''{0}''
KeyDetailsAction.PublicKeyDetailsEntry.Title = Public Key Details for Entry ''{0}''
KeyDetailsAction.SecretKeyDetailsEntry.Title = Secret Key Details for Entry ''{0}''
KeyDetailsAction.statusbar = Display details of the Key entry
KeyDetailsAction.text = Key Details
KeyDetailsAction.tooltip = Details of Key entry
KeyPairCertificateChainDetailsAction.CertDetailsEntry.Title = Certificate Details for Entry ''{0}''
7. Fix icon issues
Fix by putting KSE Icon for those windows (and not the JRE icon!)
See similar issue here:
Furthermore: Thanks a lot @jgrateron for your proposal and #420. That is a good beginning 👍
Now, we are open to debate, in order to make some minor enhancements, and have a super Compare Cert. feature. 🚀
Regards,
Th.
[And live from Bonn again]
Hi @The-Lum Thank you for your comments, I will evaluate them as soon as I can. |
Hi @jgrateron, @kaikramer, and all, Here are some first attempts here: But I am not too satisfied with all the result... 👎 Open to discussion... |
Hi @jgrateron, @kaikramer, and all, From my test:
DiffRowGenerator generator = DiffRowGenerator.create().showInlineDiffs(true).inlineDiffByWord(false)
.oldTag(f -> f ? "<font color='blue'><b>" : "</b></font>")
.newTag(f -> f ? "<font color='red'><b>" : "</b></font>").build();
Here is a corresponding screenshot:
Pt 3 - Minor improvement on the word or letter diff.
Changing
Pt 5 - Adding different colours for diff. between the two sides
The blue
If that can help, |
Pt 5 - Adding different colours for diff. between the two sides
Yes, the blue text on dark background stings my eyes. :-) There are websites with color tables that we should use and we also need different colors depending on whether the current color scheme is light or dark. Also most diff tools that I know do not color the text (foreground) differently but the background. Like this (colors used are #CD853F and #CD5C5C): Regarding the accessibility topic, I have found this web page, but of course I don't know, if this test is good enough.
Pt 3 - Minor improvement on the word or letter diff.
Regarding With Not so easy to find a "right" setting here, but I think setting it to true is the safer option.
Pt ??? - Width of hex dump
The width of the dialog is now around 1400 pixels minimum to see both sides fully. I am used to big and wide screens, where this is no problem, but this is certainly not the case for every user of KSE. The resolution of 1366x768 pixels for example seems to be pretty popular: https://gs.statcounter.com/screen-resolution-stats There are 1-2 letters not visible anymore when I change the width of the comparison dialog to 1366. That should still be fine I guess, but it's close... |
Hi I made some suggestions to improve the certificate comparison.
I agree to only use inlineDiffByWord(true), missing adding Compare Cert. command on top menu. There is no need to check the dependencies as they are automatically included when building the project. https://github.com/jgrateron/keystore-explorer/tree/compare_v2 |
Hi @kaikramer, @jgrateron, and all, @jgrateron: I couldn't have managed to correct all these points so quickly... Thanks a lot. 👍 Then I will plan to test your version. Here are first remarks:
Pt 1. Size of the compare windows:
It is mandatory to not fixed size window:
Pt 2. Test of the dependencies
Unfortunately, sometimes I deliver the
Other new pt.
And a minor request on the code:
Regards. |
Hi add in the main menu the option to compare certificates. I'm not good with layouts, they don't do what I want and I've spent enough time on that part, maybe you know how to adjust the dialog box to make it look nice when maximizing. I don't know how to test dependencies. thanks @The-Lum for your comments, and about Improve (enlarge) HexUtil and ASN.1 dump, we had agreed that I was going to keep the current measurements. @kaikramer pull request submitted Greetings |
@jgrateron Thanks for the PR! I can take care of the resizing issue later.
I don't think so, but I am also not sure what exactly does not work for you. It should be no problem to compile and run the application after cloning the repo with
You deliver the kse.jar? Well, that is a problem. The kse.jar is only a part of the application. There is the concept of "fat jars" that contain all dependencies, but this is not the case here and would make no sense for KSE anyway.
|
Hi all, Thanks @jgrateron for your PR (#426), I will plan to test them.
@kaikramer: It (#425) is OK for you? Then for my java questions:
Forget my java considerations (coming from the fact that I don't have a local git repository and that I do everything online on the GitHub site). Regards. |
Oh, wow, sounds cumbersome, I couldn't work like that.
Ok, if it helps you, then it's fine for me. The kse.jar is only 2 MB in size, adding it as an artifact should be no big problem. But how do you compile kse currently?
I can take care of these issues.
Good idea, and using Ctrl-Alt-C seems also like a good idea. |
Do not forget to add this feature to the new 5.5.3 version. Regards |
@jgrateron Thanks for the hint! |
- better window handling - different colors for light/dark background - added shortcut+mnemonic
Closing issues in preparation for release 5.5.3 |
There are situations where one needs to compare a renewed certificate with the older version, or when you want to double check if a certificate for a new domain has exactly the same properties, also in the whole certificate chain.
It can happen that changes are introduced in the newly requested certificate, for whatever reason, or that your CA has made changes that one is not aware of.
At this moment it is to my knowledge not possible to inspect 2 certificate files at the same time in the keystore explorer, so that one can inspect them side by side. Making print screens of the 2 certificates and comparing these is not an easy way.
I have also tried to export both certificates as detailed as possible to a txt format, and compared these i.e. with the compare plugin in notepad++, but this is also not easy, and risks of leaving traces on the filesystem.
A better way would be to do this compare inside the keystore explorer, where all details of the certificates are available, and where this compare can be done within a secure context.