Basically I am doing the W3C's XML signature verification process for a web service on the server side. For this I extract the certificate from the signature and compare it between requests. Say if I get the request for the first time, then I'll extract the certificate as bytes, compute the message digest and put it in a Java HashMap as a key (the key being the certificate's SubjectDN) / value object. Next time when the same request comes, I'll repeat the above process and compare the digest with the HashMap values, and if a match is found then I would avoid the signature verification process. Using all this I want to save the time consumed by the XML signature verification process.
Now my question is, how to uniquely identify a certificate. If I open an X.509 version 3 certificate using tools like Java keytool or KeyStore Explorer then I can see an MD5 fingerprint and a SHA-1 fingerprint, and I guess these are unique to a certificate. Are these fingerprints unique for a certificate? If my understanding is correct, are there any Java APIs available to extract these fingerprints and help me uniquely identify the certificates?
Look for the section 22.214.171.124 (Serial number).
There it says that you should use the issuer (CA) name and the serial number of the subject's digital certificate to uniquely identify a digital certificate.
But if you just want to validate uniqueness for certificates issued by only one CA, the certificate serial number is guaranteed to be unique.
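The two identifiers discussed in this thread, the keytool-style fingerprint and the issuer-name-plus-serial pair, can both be derived from a `java.security.cert.X509Certificate` with standard JDK APIs. The following is an added example written for this thread, not code posted by either participant. It assumes the certificate is supplied as a PEM or DER file whose path is passed as the first command-line argument (the JDK has no public API for minting a certificate, so none is embedded here); `CertIdentity`, `fingerprint`, `issuerAndSerial` and `load` are names chosen for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Example class (not from the thread): derives identifiers for an X.509 certificate.
public final class CertIdentity {

    // SHA-256 over the certificate's DER encoding. This is exactly what keytool and
    // KeyStore Explorer print as the "SHA256 fingerprint": hash the DER bytes returned
    // by getEncoded(). Two certificates with identical fingerprints are byte-identical.
    static String fingerprint(X509Certificate cert) throws Exception {
        byte[] der = cert.getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Issuer distinguished name plus serial number: the pair the answer above
    // recommends. A CA must not reuse a serial number, so the pair is unique across
    // all certificates issued by that CA; the issuer name scopes it across CAs.
    static String issuerAndSerial(X509Certificate cert) {
        String issuer = cert.getIssuerX500Principal().getName(); // RFC 2253 string form
        BigInteger serial = cert.getSerialNumber();
        return issuer + " / serial=" + serial.toString(16);
    }

    // Loads a single certificate from a PEM ("-----BEGIN CERTIFICATE-----") or DER file.
    // CertificateFactory accepts both encodings.
    static X509Certificate load(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertIdentity <certificate.pem|certificate.der>");
            System.exit(2);
        }
        X509Certificate cert = load(args[0]);
        System.out.println("Subject:        " + cert.getSubjectX500Principal().getName());
        System.out.println("Issuer+serial:  " + issuerAndSerial(cert));
        System.out.println("SHA-256 fp:     " + fingerprint(cert));
    }
}
```

Two points worth keeping in mind when using either value as a cache key. First, key the cache on the fingerprint or on issuer+serial rather than on the subject DN alone: a renewed or re-issued certificate keeps the same subject but has a different serial number and different bytes, so a subject-keyed map would treat two distinct certificates as one. Second, recognising a previously seen certificate only lets you skip re-validating that certificate (chain building, expiry, revocation); it says nothing about whether the current request was actually signed with the matching private key, so the XML signature over each incoming message still has to be verified.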