Package google.registry.flows.certs
Class CertificateChecker
- java.lang.Object
- google.registry.flows.certs.CertificateChecker

public class CertificateChecker extends java.lang.Object
A utility to check that a given certificate meets our requirements.
-
-
Nested Class Summary
static class CertificateChecker.CertificateViolation
    The type of violation a certificate has based on the certificate requirements (go/registry-proxy-security).
static class CertificateChecker.InsecureCertificateException
    Exception to throw when a certificate has security violations.
-
Constructor Summary
CertificateChecker(com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,java.lang.Integer> maxValidityDaysSchedule, int expirationWarningDays, int expirationWarningIntervalDays, int minimumRsaKeyLength, com.google.common.collect.ImmutableSet<java.lang.String> allowedEcdsaCurves, Clock clock)
    Constructs a CertificateChecker instance with the specified configuration parameters.
-
Method Summary
All Methods  Instance Methods  Concrete Methods
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(java.lang.String certificateString)
    Converts a given string to a certificate and checks it for violations, returning the set of all violations the certificate has.
com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(java.security.cert.X509Certificate certificate)
    Checks a given certificate for violations and returns the set of all violations the certificate has.
java.security.cert.X509Certificate getCertificate(java.lang.String certificateStr)
    Converts the given string to a certificate object.
java.lang.String serializeCertificate(java.security.cert.X509Certificate certificate)
    Serializes the certificate object to a certificate string.
boolean shouldReceiveExpiringNotification(org.joda.time.DateTime lastExpiringNotificationSentDate, java.lang.String certificateStr)
    Returns whether the client should receive an expiring-certificate notification email.
void validateCertificate(java.lang.String certificateString)
    Checks the given certificate string for violations and throws an exception if any violations exist.
void validateCertificate(java.security.cert.X509Certificate certificate)
    Checks the given certificate for violations and throws an exception if any violations exist.
-
-
-
Constructor Detail
-
CertificateChecker
@Inject public CertificateChecker(@Config("maxValidityDaysSchedule") com.google.common.collect.ImmutableSortedMap<org.joda.time.DateTime,java.lang.Integer> maxValidityDaysSchedule, @Config("expirationWarningDays") int expirationWarningDays, @Config("expirationWarningIntervalDays") int expirationWarningIntervalDays, @Config("minimumRsaKeyLength") int minimumRsaKeyLength, @Config("allowedEcdsaCurves") com.google.common.collect.ImmutableSet<java.lang.String> allowedEcdsaCurves, Clock clock)
Constructs a CertificateChecker instance with the specified configuration parameters.

The max validity length schedule is a sorted map of DateTime to Integer entries, each representing the maximum validity period (in days) for certificates issued on or after that date. The first entry must have a key of DateTimeUtils.START_OF_TIME, so that every possible issuance date has an applicable max validity period. Since security requirements tighten over time, the max validity periods decrease as the date increases. Because the lookup is keyed on the issuance date rather than the check date, tightening the schedule does not retroactively invalidate certificates issued under the earlier, longer limit. The validity length schedule used by all major Web browsers as of 2020Q4 would be represented as:

ImmutableSortedMap.of(
    START_OF_TIME, 825,
    DateTime.parse("2020-09-01T00:00:00Z"), 398);
-
-
Method Detail
-
validateCertificate
public void validateCertificate(java.lang.String certificateString) throws CertificateChecker.InsecureCertificateException
Parses the given certificate string, checks the certificate for violations, and throws an exception if any violations exist.
- Throws:
CertificateChecker.InsecureCertificateException - if the certificate has one or more violations
-
validateCertificate
public void validateCertificate(java.security.cert.X509Certificate certificate) throws CertificateChecker.InsecureCertificateException
Checks the given certificate for violations and throws an exception if any violations exist.
- Throws:
CertificateChecker.InsecureCertificateException - if the certificate has one or more violations
-
checkCertificate
public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(java.security.cert.X509Certificate certificate)
Checks a given certificate for violations and returns the set of all violations the certificate has (empty if the certificate meets every requirement).
-
checkCertificate
public com.google.common.collect.ImmutableSet<CertificateChecker.CertificateViolation> checkCertificate(java.lang.String certificateString)
Converts a given string to a certificate and checks it for violations, returning the set of all violations the certificate has (empty if the certificate meets every requirement).
-
getCertificate
public java.security.cert.X509Certificate getCertificate(java.lang.String certificateStr)
Converts the given string to a certificate object.
-
serializeCertificate
public java.lang.String serializeCertificate(java.security.cert.X509Certificate certificate) throws java.lang.Exception
Serializes the certificate object to a certificate string.
- Throws:
java.lang.Exception
-
shouldReceiveExpiringNotification
public boolean shouldReceiveExpiringNotification(org.joda.time.DateTime lastExpiringNotificationSentDate, java.lang.String certificateStr)
Returns whether the client should receive an expiring-certificate notification email, given the date the last such notification was sent and the client's current certificate string; the decision is governed by the expirationWarningDays and expirationWarningIntervalDays values passed to the constructor.
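The following is an added example and is not code from this page or from the Nomulus project. It shows how a caller would wire the constructor parameters described above (the 2020Q4 browser schedule, a 2048-bit RSA floor and an ECDSA curve allow-list) and then use checkCertificate, validateCertificate and shouldReceiveExpiringNotification on a PEM file supplied on the command line. The class name CheckClientCert, the package names for Clock, SystemClock and DateTimeUtils, the curve-name spelling "secp256r1"/"secp384r1", the use of START_OF_TIME as a "never notified" sentinel, and the maxValidityDaysFor helper (which consults the schedule the way the constructor doc describes, via a floor lookup on the issuance date) are all assumptions made for this example.

```java
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSortedMap;
import google.registry.flows.certs.CertificateChecker;
import google.registry.flows.certs.CertificateChecker.CertificateViolation;
import google.registry.flows.certs.CertificateChecker.InsecureCertificateException;
import google.registry.util.Clock;          // assumed package for the Clock type on this page
import google.registry.util.DateTimeUtils;  // assumed package; START_OF_TIME is referenced on this page
import google.registry.util.SystemClock;    // assumed: a Clock backed by the wall clock
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import org.joda.time.DateTime;

/** Added example (not Nomulus code): vets a registrar's PEM certificate with CertificateChecker. */
public final class CheckClientCert {

  /** Browser-aligned schedule from the constructor doc: 825 days, then 398 days from 2020-09-01. */
  static final ImmutableSortedMap<DateTime, Integer> SCHEDULE =
      ImmutableSortedMap.of(
          DateTimeUtils.START_OF_TIME, 825,
          DateTime.parse("2020-09-01T00:00:00Z"), 398);

  /** Builds a checker with an example policy: 2048-bit RSA minimum, P-256/P-384 ECDSA only. */
  static CertificateChecker newChecker(Clock clock) {
    return new CertificateChecker(
        SCHEDULE,
        /* expirationWarningDays= */ 30,
        /* expirationWarningIntervalDays= */ 15,
        /* minimumRsaKeyLength= */ 2048,
        /* allowedEcdsaCurves= */ ImmutableSet.of("secp256r1", "secp384r1"), // assumed naming
        clock);
  }

  /** Longest validity (days) the schedule allows for a certificate issued at notBefore (assumed lookup). */
  static int maxValidityDaysFor(DateTime notBefore) {
    // START_OF_TIME is the first key, so floorEntry never returns null.
    return SCHEDULE.floorEntry(notBefore).getValue();
  }

  public static void main(String[] args) throws Exception {
    String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
    CertificateChecker checker = newChecker(new SystemClock());

    // 1. Enumerate every violation without throwing, e.g. for an admin UI or an audit log.
    ImmutableSet<CertificateViolation> violations = checker.checkCertificate(pem);
    X509Certificate cert = checker.getCertificate(pem);
    DateTime notBefore = new DateTime(cert.getNotBefore());
    System.out.printf("issued %s; policy allows at most %d days%n",
        notBefore, maxValidityDaysFor(notBefore));
    for (CertificateViolation v : violations) {
      System.out.println("violation: " + v);
    }

    // 2. Fail closed at an enforcement point, e.g. before persisting the certificate on a registrar.
    try {
      checker.validateCertificate(cert);
      System.out.println("certificate accepted");
    } catch (InsecureCertificateException e) {
      System.out.println("certificate rejected: " + e.getMessage());
      System.exit(1);
    }

    // 3. Decide whether an expiry reminder is due. START_OF_TIME stands in for "never sent" (assumed).
    DateTime lastSent = DateTimeUtils.START_OF_TIME;
    if (checker.shouldReceiveExpiringNotification(lastSent, pem)) {
      System.out.println("send expiring-certificate notification");
    }
  }
}
```

Two points worth noting from this usage. checkCertificate and validateCertificate enforce the same rules; the set-returning form is for reporting all problems at once, while the throwing form is the one to call on the enforcement path so that a certificate with any violation is rejected rather than partially accepted. The Clock is injected rather than read from the system so that the expiry and validity checks can be exercised at fixed dates in tests.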
-
-