Package google.registry.tmch

Class TmchCertificateAuthority

java.lang.Object

google.registry.tmch.TmchCertificateAuthority

@Immutable
@ThreadSafe
public final class TmchCertificateAuthority
extends Object

Helper methods for accessing ICANN's TMCH root certificate and revocation list.

There are two CRLs, a real one for the production environment and a pilot one for non-production environments. The singleton TmchCrl entity is used to cache this CRL once loaded and will always contain the proper one corresponding to the environment.

The CRTs do not change and are included as files in the codebase that are not refreshed. They were downloaded from https://ca.icann.org/tmch.crt and https://ca.icann.org/tmch_pilot.crt

Constructor Summary

Constructors

Constructor	Description
TmchCertificateAuthority(RegistryConfig.ConfigModule.TmchCaMode tmchCaMode, Clock clock)

Method Summary

Modifier and Type	Method	Description
X509Certificate	getAndValidateRoot()
X509CRL	getCrl()
void	updateCrl(String asciiCrl, String url)	Update to the latest TMCH X.509 certificate revocation list and save it to the database.
void	verify(X509Certificate cert)	Check that cert is signed by the ICANN TMCH CA root and not revoked.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

TmchCertificateAuthority

@Inject
public TmchCertificateAuthority(@Config("tmchCaMode")
 RegistryConfig.ConfigModule.TmchCaMode tmchCaMode,
 Clock clock)

Method Details

verify

public void verify(X509Certificate cert)
            throws GeneralSecurityException

Check that cert is signed by the ICANN TMCH CA root and not revoked.

Support for certificate chains has not been implemented.

Throws:

GeneralSecurityException - for unsupported protocols, certs not signed by the TMCH, incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.

See Also:

• X509Utils.verifyCertificate(java.security.cert.X509Certificate, java.security.cert.X509CRL, java.security.cert.X509Certificate, org.joda.time.DateTime)

updateCrl

public void updateCrl(String asciiCrl,
 String url)
               throws GeneralSecurityException

Update to the latest TMCH X.509 certificate revocation list and save it to the database.

Your ASCII-armored CRL must be signed by the current ICANN root certificate.

This will not take effect (either on this instance or on others) until the CRL_CACHE next refreshes itself.

Throws:

GeneralSecurityException - for unsupported protocols, certs not signed by the TMCH, incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.

See Also:

• X509Utils.verifyCrl(java.security.cert.X509Certificate, java.security.cert.X509CRL, java.security.cert.X509CRL, org.joda.time.DateTime)

getAndValidateRoot

public X509Certificate getAndValidateRoot()
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

getCrl

public X509CRL getCrl()
               throws GeneralSecurityException

Throws:

GeneralSecurityException