Package google.registry.util
Class X509Utils
java.lang.Object
google.registry.util.X509Utils
X.509 Public Key Infrastructure (PKI) helper functions.

Method Summary

static String encodeX509Certificate(X509Certificate certificate)
    Encodes an X.509 certificate in the same form that the proxy encodes a certificate before passing it via an HTTP header.

static String encodeX509CertificateFromPemString(String certificateString)
    Constructs an X.509 certificate from a PEM string and encodes it.

static String getCertificateHash
    Parses the encoded certificate and returns a base64 encoded string (without padding) of the SHA-256 digest of the certificate.

static X509Certificate loadCertificate(InputStream input)
    Loads an ASCII-armored public X.509 certificate.

static X509Certificate loadCertificate(String asciiCrt)
    Loads an ASCII-armored public X.509 certificate.

static X509Certificate loadCertificate(Path certPath)
    Loads an ASCII-armored public X.509 certificate.

static X509CRL loadCrl
    Loads an ASCII-armored X.509 certificate revocation list (CRL).

static void verifyCertificate(X509Certificate rootCert, X509CRL crl, X509Certificate cert, org.joda.time.DateTime now)
    Checks that cert is signed by the CA (rootCert) and is not revoked.

static void verifyCrl(X509Certificate rootCert, X509CRL oldCrl, X509CRL newCrl, org.joda.time.DateTime now)
    Checks whether an X.509 CRL you downloaded can safely replace your current CRL.

Method Details

getCertificateHash

Parses the encoded certificate and returns a base64 encoded string (without padding) of the SHA-256 digest of the certificate.

Note that this must match the method used by the GFE to generate the client certificate hash so that the two will match when we check against the allow list.

loadCertificate

loadCertificate(InputStream input)

Loads an ASCII-armored public X.509 certificate.

Throws:
    CertificateParsingException - on parsing errors.

loadCertificate

loadCertificate(String asciiCrt)

Loads an ASCII-armored public X.509 certificate.

Throws:
    CertificateParsingException - on parsing errors.

loadCertificate

public static X509Certificate loadCertificate(Path certPath) throws CertificateParsingException, IOException

Loads an ASCII-armored public X.509 certificate.

Throws:
    CertificateParsingException - on parsing errors.
    IOException - on file system errors.

loadCrl

Loads an ASCII-armored X.509 certificate revocation list (CRL).

Throws:
    CRLException - on parsing errors.
    GeneralSecurityException

verifyCertificate

public static void verifyCertificate(X509Certificate rootCert, X509CRL crl, @Tainted X509Certificate cert, org.joda.time.DateTime now) throws GeneralSecurityException

Checks that cert is signed by the CA (rootCert) and is not revoked.

Support for certificate chains has not been implemented.

Throws:
    GeneralSecurityException - for unsupported protocols, certs not signed by the TMCH, parsing errors, encoding errors, if the CRL is expired, or if the CRL is older than the one currently in memory.

verifyCrl

public static void verifyCrl(X509Certificate rootCert, @Nullable X509CRL oldCrl, @Tainted X509CRL newCrl, org.joda.time.DateTime now) throws GeneralSecurityException

Checks whether an X.509 CRL you downloaded can safely replace your current CRL.

This routine makes sure newCrl is signed by rootCert and that its timestamps are correct with respect to now.

Throws:
    GeneralSecurityException - for unsupported protocols, certs not signed by the TMCH, incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.

encodeX509CertificateFromPemString

public static String encodeX509CertificateFromPemString(String certificateString) throws CertificateException

Constructs an X.509 certificate from a PEM string and encodes it.

Throws:
    CertificateException

encodeX509Certificate

public static String encodeX509Certificate(X509Certificate certificate) throws CertificateEncodingException

Encodes an X.509 certificate in the same form that the proxy encodes a certificate before passing it via an HTTP header.

Throws:
    CertificateEncodingException
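The CRL refresh, certificate verification and allow-list hash check described above, combined into one caller. This is an added example, not code from Nomulus or from this class; ClientCertGate and its allow list are hypothetical, and the parameter types of loadCrl (a String holding the ASCII-armored CRL) and getCertificateHash (an X509Certificate) are assumed, since this page does not show those signatures.

```java
import google.registry.util.X509Utils;
import java.security.GeneralSecurityException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Set;
import org.joda.time.DateTime;

/** Hypothetical gate that admits a client certificate only after every X509Utils check passes. */
public final class ClientCertGate {

  private final X509Certificate rootCert;
  private final Set<String> allowedHashes; // unpadded base64 SHA-256 hashes, as the GFE sends them
  private X509CRL currentCrl;              // the CRL currently in memory (already verified)

  ClientCertGate(X509Certificate rootCert, X509CRL initialCrl, Set<String> allowedHashes) {
    this.rootCert = rootCert;
    this.currentCrl = initialCrl;
    this.allowedHashes = allowedHashes;
  }

  /** Swaps in a downloaded CRL only if verifyCrl says it can safely replace the current one. */
  void refreshCrl(String asciiCrl, DateTime now) throws GeneralSecurityException {
    X509CRL candidate = X509Utils.loadCrl(asciiCrl); // assumed signature: loadCrl(String)
    // Throws if the candidate is not signed by rootCert, has bad timestamps relative to now,
    // or is older than currentCrl; on failure the old CRL stays in place.
    X509Utils.verifyCrl(rootCert, currentCrl, candidate, now);
    currentCrl = candidate;
  }

  /**
   * Returns true only if the certificate is signed directly by rootCert (chains are not
   * supported), is not revoked by the current CRL, and its hash is on the allow list.
   * Every failure is reported as a rejection rather than surfaced as an exception.
   */
  boolean isAllowed(String asciiClientCert, DateTime now) {
    try {
      X509Certificate cert = X509Utils.loadCertificate(asciiClientCert);
      X509Utils.verifyCertificate(rootCert, currentCrl, cert, now);
      // getCertificateHash yields the same unpadded base64 SHA-256 string the GFE computes,
      // so a plain string comparison against the allow list is sufficient.
      String hash = X509Utils.getCertificateHash(cert); // assumed signature
      return allowedHashes.contains(hash);
    } catch (GeneralSecurityException e) {
      return false; // parse error, bad signature, expiry or revocation all fail closed
    }
  }
}
```

Because verifyCertificate does not walk chains, rootCert must be the issuer that directly signed the client certificate; the hash comparison is what ties the GFE-supplied header value to the certificate actually presented.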