Class TmchCertificateAuthority


  • @Immutable
    @ThreadSafe
    public final class TmchCertificateAuthority
    extends java.lang.Object
    Helper methods for accessing ICANN's TMCH root certificate and revocation list.

    There are two CRLs, a real one for the production environment and a pilot one for non-production environments. The Datastore singleton TmchCrl entity is used to cache this CRL once loaded and will always contain the proper one corresponding to the environment.

    The CRTs do not change and are included as files in the codebase that are not refreshed. They were downloaded from https://ca.icann.org/tmch.crt and https://ca.icann.org/tmch_pilot.crt.

    • Method Summary

      Modifier and Type                    Method                                                      Description
      java.security.cert.X509Certificate   getAndValidateRoot()
      java.security.cert.X509CRL           getCrl()
      void                                 updateCrl(java.lang.String asciiCrl, java.lang.String url)  Update to the latest TMCH X.509 certificate revocation list and save it to Datastore.
      void                                 verify(java.security.cert.X509Certificate cert)             Check that cert is signed by the ICANN TMCH CA root and not revoked.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • updateCrl

        public void updateCrl(java.lang.String asciiCrl, java.lang.String url)
            throws java.security.GeneralSecurityException
        Update to the latest TMCH X.509 certificate revocation list and save it to Datastore.

        Your ASCII-armored CRL must be signed by the current ICANN root certificate.

        This will not take effect (either on this instance or on others) until the CRL_CACHE next refreshes itself.

        Throws:
        java.security.GeneralSecurityException - for unsupported protocols, certs not signed by the TMCH, incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.
        See Also:
        X509Utils.verifyCrl(java.security.cert.X509Certificate, java.security.cert.X509CRL, java.security.cert.X509CRL, java.util.Date)
      • getAndValidateRoot

        public java.security.cert.X509Certificate getAndValidateRoot()
            throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • getCrl

        public java.security.cert.X509CRL getCrl()
            throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
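The checks that the verify() and updateCrl() contracts above describe, as an added stand-alone example (not Nomulus code): the class name TmchVerifyExample and its helpers are hypothetical, it uses only java.security APIs, and it takes the pinned root and the CRL as in-memory arguments instead of reading the bundled tmch.crt file or the Datastore-cached TmchCrl entity.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

/** Hypothetical helper, not part of Nomulus; mirrors the verify()/updateCrl() contract. */
public final class TmchVerifyExample {
  /** Parses an ASCII-armored (PEM) certificate, e.g. the pinned tmch.crt contents. */
  static X509Certificate parseCert(String pem) throws GeneralSecurityException {
    return (X509Certificate) CertificateFactory.getInstance("X.509")
        .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
  }

  /** Parses an ASCII-armored CRL, the same input form updateCrl() takes. */
  static X509CRL parseCrl(String pem) throws GeneralSecurityException {
    return (X509CRL) CertificateFactory.getInstance("X.509")
        .generateCRL(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
  }

  /** updateCrl()'s acceptance test: the CRL must be signed by the root and current at {@code now}. */
  static void checkCrl(X509CRL crl, X509Certificate root, Date now)
      throws GeneralSecurityException {
    crl.verify(root.getPublicKey()); // SignatureException if not issued by this root
    if (now.before(crl.getThisUpdate())) {
      throw new GeneralSecurityException("CRL not yet valid: thisUpdate=" + crl.getThisUpdate());
    }
    if (crl.getNextUpdate() != null && now.after(crl.getNextUpdate())) {
      throw new GeneralSecurityException("CRL is stale: nextUpdate=" + crl.getNextUpdate());
    }
  }

  /** verify()'s contract: root-signed, inside its validity window, and absent from the CRL. */
  static void verify(X509Certificate cert, X509Certificate root, X509CRL crl, Date now)
      throws GeneralSecurityException {
    root.checkValidity(now);          // an expired pinned root fails closed
    checkCrl(crl, root, now);         // never consult revocation data the root did not sign
    cert.checkValidity(now);          // CertificateExpiredException / CertificateNotYetValidException
    cert.verify(root.getPublicKey()); // chain check directly against the pinned TMCH root
    X509CRLEntry entry = crl.getRevokedCertificate(cert);
    if (entry != null) {
      throw new GeneralSecurityException(
          "Certificate " + cert.getSerialNumber() + " revoked on " + entry.getRevocationDate());
    }
  }
}
```

Every failure surfaces as a GeneralSecurityException, matching the throws clause documented for updateCrl(); a caller that catches more narrowly would miss the stale-CRL and revoked cases.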