Class CertificateChecker


  • public class CertificateChecker
    extends java.lang.Object
A utility to check that a given certificate meets our requirements
    • Constructor Summary

      Constructors 
      Constructor Description
      CertificateChecker​(com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,​java.lang.Integer> maxValidityDaysSchedule, int expirationWarningDays, int expirationWarningIntervalDays, int minimumRsaKeyLength, com.google.common.collect.ImmutableSet<java.lang.String> allowedEcdsaCurves, Clock clock)
      Constructs a CertificateChecker instance with the specified configuration parameters.
    • Method Summary

      Modifier and Type Method Description
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate​(java.lang.String certificateString)
Converts a given string to a certificate and checks it for violations, returning the set of all violations the certificate has.
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate​(java.security.cert.X509Certificate certificate)
Checks a given certificate for violations and returns the set of all violations the certificate has.
      java.security.cert.X509Certificate getCertificate​(java.lang.String certificateStr)
      Converts the given string to a certificate object.
      java.lang.String serializeCertificate​(java.security.cert.X509Certificate certificate)
      Serializes the certificate object to a certificate string.
      boolean shouldReceiveExpiringNotification​(org.joda.time.DateTime lastExpiringNotificationSentDate, java.lang.String certificateStr)
Returns whether the client should receive an expiring-certificate notification email, given when the last such notification was sent.
      void validateCertificate​(java.lang.String certificateString)
      Checks the given certificate string for violations and throws an exception if any violations exist.
      void validateCertificate​(java.security.cert.X509Certificate certificate)
Checks the given certificate for violations and throws an exception if any violations exist.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • CertificateChecker

        @Inject
        public CertificateChecker​(@Config("maxValidityDaysSchedule")
                                  com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,​java.lang.Integer> maxValidityDaysSchedule,
                                  @Config("expirationWarningDays")
                                  int expirationWarningDays,
                                  @Config("expirationWarningIntervalDays")
                                  int expirationWarningIntervalDays,
                                  @Config("minimumRsaKeyLength")
                                  int minimumRsaKeyLength,
                                  @Config("allowedEcdsaCurves")
                                  com.google.common.collect.ImmutableSet<java.lang.String> allowedEcdsaCurves,
                                  Clock clock)
        Constructs a CertificateChecker instance with the specified configuration parameters.

The max validity length schedule is a sorted map of DateTime to Integer entries, each representing the maximum validity period (in days) for certificates issued on or after that date; the entry that applies to a certificate is the one with the latest key not after the certificate's issuance date. The first entry must have a key of DateTimeUtils.START_OF_TIME, so that every possible issuance date has an applicable max validity period. Since security requirements tighten over time, the max validity periods decrease as the date increases.

The validity length schedule used by all major web browsers as of 2020Q4 (825 days, dropping to 398 days for certificates issued on or after 2020-09-01) would be represented as:

           ImmutableSortedMap.of(
             START_OF_TIME, 825,
             DateTime.parse("2020-09-01T00:00:00Z"), 398
           );
         
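        The following is an added, self-contained example (not code from this class or project) showing how the schedule above is applied: the rule in force is the floor entry for the certificate's notBefore date, so an 825-day certificate issued after the 2020-09-01 cutover is a violation while the same length issued before it is not. It also shows the kind of key checks the constructor parameters imply. It uses java.time instead of Joda-Time, a plain TreeMap instead of ImmutableSortedMap, and checks EC keys by field size rather than by curve name; the policy constants, the violation labels, and the notification semantics (notify only inside the warning window, and no more often than the interval) are assumptions. With a real java.security.cert.X509Certificate, notBefore and notAfter come from getNotBefore().toInstant() and getNotAfter().toInstant(), and the key from getPublicKey().

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/** Added example; mirrors the checks described in the Javadoc, not the class's own code. */
public class CertificatePolicyExample {

  // Stands in for DateTimeUtils.START_OF_TIME (assumption: the epoch is early enough here).
  static final Instant START_OF_TIME = Instant.EPOCH;

  // Same schedule as the Javadoc example: 825 days, then 398 days from 2020-09-01.
  static final TreeMap<Instant, Integer> MAX_VALIDITY_DAYS_SCHEDULE = new TreeMap<>(Map.of(
      START_OF_TIME, 825,
      Instant.parse("2020-09-01T00:00:00Z"), 398));

  static final int MINIMUM_RSA_KEY_LENGTH = 2048;                   // assumed policy value
  static final Set<Integer> ALLOWED_EC_FIELD_SIZES = Set.of(256, 384); // proxy for allowedEcdsaCurves

  /** The floor entry is the rule in force on the issuance date (notBefore). */
  static int maxValidityDaysFor(Instant notBefore) {
    Map.Entry<Instant, Integer> rule = MAX_VALIDITY_DAYS_SCHEDULE.floorEntry(notBefore);
    if (rule == null) {
      throw new IllegalStateException("schedule must begin at START_OF_TIME");
    }
    return rule.getValue();
  }

  static List<String> checkValidityPeriod(Instant notBefore, Instant notAfter, Instant now) {
    List<String> violations = new ArrayList<>();
    if (now.isAfter(notAfter)) {
      violations.add("EXPIRED");
    }
    if (now.isBefore(notBefore)) {
      violations.add("NOT_YET_VALID");
    }
    long days = Duration.between(notBefore, notAfter).toDays();
    int max = maxValidityDaysFor(notBefore);
    if (days > max) {
      violations.add("VALIDITY_LENGTH_TOO_LONG (" + days + " > " + max + " days)");
    }
    return violations;
  }

  static List<String> checkKey(PublicKey key) {
    List<String> violations = new ArrayList<>();
    if (key instanceof RSAPublicKey) {
      int bits = ((RSAPublicKey) key).getModulus().bitLength();
      if (bits < MINIMUM_RSA_KEY_LENGTH) {
        violations.add("RSA_KEY_LENGTH_TOO_SHORT (" + bits + " bits)");
      }
    } else if (key instanceof ECPublicKey) {
      // Simplification: compare the curve's field size instead of its name.
      int fieldSize = ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
      if (!ALLOWED_EC_FIELD_SIZES.contains(fieldSize)) {
        violations.add("EC_CURVE_NOT_ALLOWED (" + fieldSize + "-bit field)");
      }
    } else {
      violations.add("ALGORITHM_NOT_ALLOWED (" + key.getAlgorithm() + ")");
    }
    return violations;
  }

  /** Assumed semantics: notify inside the warning window, at most once per interval. */
  static boolean shouldNotify(
      Instant notAfter, Instant lastSent, Instant now, int warningDays, int intervalDays) {
    if (now.plus(Duration.ofDays(warningDays)).isBefore(notAfter)) {
      return false; // expiry is still beyond the warning window
    }
    if (lastSent == null) {
      return true; // never notified
    }
    return !now.isBefore(lastSent.plus(Duration.ofDays(intervalDays)));
  }

  public static void main(String[] args) throws Exception {
    Instant now = Instant.parse("2021-03-01T00:00:00Z");
    // Issued after the cutover: 825 days exceeds the 398-day rule.
    Instant issued = Instant.parse("2020-10-01T00:00:00Z");
    System.out.println(checkValidityPeriod(issued, issued.plus(Duration.ofDays(825)), now));
    // Issued before the cutover: 825 days is still within the 825-day rule.
    Instant older = Instant.parse("2020-08-01T00:00:00Z");
    System.out.println(checkValidityPeriod(older, older.plus(Duration.ofDays(825)), now));

    KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
    rsa.initialize(1024); // deliberately short, to trigger the RSA length violation
    System.out.println(checkKey(rsa.generateKeyPair().getPublic()));
    KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
    ec.initialize(new ECGenParameterSpec("secp256r1")); // P-256, allowed
    System.out.println(checkKey(ec.generateKeyPair().getPublic()));

    Instant expires = now.plus(Duration.ofDays(10));
    System.out.println(shouldNotify(expires, null, now, 30, 15));                        // true
    System.out.println(shouldNotify(expires, now.minus(Duration.ofDays(5)), now, 30, 15)); // false
  }
}
```

        Note that the lookup key is the issuance date, not the date of the check: a certificate issued under the older 825-day rule stays valid after the cutover, and only certificates issued on or after 2020-09-01 are held to 398 days.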
    • Method Detail

      • checkCertificate

        public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate​(java.security.cert.X509Certificate certificate)
Checks a given certificate for violations and returns the set of all violations the certificate has.
      • checkCertificate

        public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate​(java.lang.String certificateString)
Converts a given string to a certificate and checks it for violations, returning the set of all violations the certificate has.
      • getCertificate

        public java.security.cert.X509Certificate getCertificate​(java.lang.String certificateStr)
        Converts the given string to a certificate object.
      • serializeCertificate

        public java.lang.String serializeCertificate​(java.security.cert.X509Certificate certificate)
                                              throws java.lang.Exception
        Serializes the certificate object to a certificate string.
        Throws:
        java.lang.Exception
      • shouldReceiveExpiringNotification

        public boolean shouldReceiveExpiringNotification​(org.joda.time.DateTime lastExpiringNotificationSentDate,
                                                         java.lang.String certificateStr)
Returns whether the client should receive an expiring-certificate notification email, given when the last such notification was sent.