Package google.registry.flows.certs

Class CertificateChecker

java.lang.Object

google.registry.flows.certs.CertificateChecker

public class CertificateChecker
extends Object

A utility to check that a given certificate meets our requirements

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	CertificateChecker.CertificateViolation	The type of violation a certificate has based on the certificate requirements (go/registry-proxy-security).
static class	CertificateChecker.InsecureCertificateException	Exception to throw when a certificate has security violations.

Constructor Summary

Constructors

Constructor	Description
CertificateChecker(com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,Integer> maxValidityDaysSchedule, int expirationWarningDays, int expirationWarningIntervalDays, int minimumRsaKeyLength, com.google.common.collect.ImmutableSet<String> allowedEcdsaCurves, Clock clock)	Constructs a CertificateChecker instance with the specified configuration parameters.

Method Summary

Modifier and Type	Method	Description
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation>	checkCertificate(String certificateString)	Converts a given string to a certificate and checks it for violations, returning a list of all the violations the certificate has.
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation>	checkCertificate(X509Certificate certificate)	Checks a given certificate for violations and returns a list of all the violations the certificate has.
X509Certificate	getCertificate(String certificateStr)	Converts the given string to a certificate object.
String	serializeCertificate(X509Certificate certificate)	Serializes the certificate object to a certificate string.
boolean	shouldReceiveExpiringNotification(org.joda.time.DateTime lastExpiringNotificationSentDate, String certificateStr)	Returns whether the client should receive a notification email.
void	validateCertificate(String certificateString)	Checks the given certificate string for violations and throws an exception if any violations exist.
void	validateCertificate(X509Certificate certificate)	Checks the given certificate string for violations and throws an exception if any violations exist.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

CertificateChecker

@Inject
public CertificateChecker(@Config("maxValidityDaysSchedule")
 com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,Integer> maxValidityDaysSchedule,
 @Config("expirationWarningDays")
 int expirationWarningDays,
 @Config("expirationWarningIntervalDays")
 int expirationWarningIntervalDays,
 @Config("minimumRsaKeyLength")
 int minimumRsaKeyLength,
 @Config("allowedEcdsaCurves")
 com.google.common.collect.ImmutableSet<String> allowedEcdsaCurves,
 Clock clock)

Constructs a CertificateChecker instance with the specified configuration parameters.

The max validity length schedule is a sorted map of DateTime to Integer entries representing a maximum validity period for certificates issued on or after that date. The first entry must have a key of DateTimeUtils.START_OF_TIME, such that every possible date has an applicable max validity period. Since security requirements tighten over time, the max validity periods will be decreasing as the date increases.

The validity length schedule used by all major Web browsers as of 2020Q4 would be represented as:

   ImmutableSortedMap.of(
     START_OF_TIME, 825,
     DateTime.parse("2020-09-01T00:00:00Z"), 398
   );
 

Method Details

validateCertificate

public void validateCertificate(String certificateString)
                         throws CertificateChecker.InsecureCertificateException

Checks the given certificate string for violations and throws an exception if any violations exist.

Throws:

CertificateChecker.InsecureCertificateException

validateCertificate

public void validateCertificate(X509Certificate certificate)
                         throws CertificateChecker.InsecureCertificateException

Checks the given certificate string for violations and throws an exception if any violations exist.

Throws:

CertificateChecker.InsecureCertificateException

checkCertificate

public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(X509Certificate certificate)

Checks a given certificate for violations and returns a list of all the violations the certificate has.

checkCertificate

public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(String certificateString)

Converts a given string to a certificate and checks it for violations, returning a list of all the violations the certificate has.

getCertificate

public X509Certificate getCertificate(String certificateStr)

Converts the given string to a certificate object.

serializeCertificate

public String serializeCertificate(X509Certificate certificate)
                            throws Exception

Serializes the certificate object to a certificate string.

Throws:

Exception

shouldReceiveExpiringNotification

public boolean shouldReceiveExpiringNotification(org.joda.time.DateTime lastExpiringNotificationSentDate,
 String certificateStr)

Returns whether the client should receive a notification email.