google.registry.util.X509Utils.java Source code

Java tutorial

  1. HOME
  2. Java
  3. google.registry.util.X509Utils.java

Introduction

Here is the source code for google.registry.util.X509Utils.java

Source

// Copyright 2016 The Nomulus Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package google.registry.util;

import static com.google.common.base.MoreObjects.firstNonNull;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Throwables.propagateIfInstanceOf;
import static com.google.common.io.BaseEncoding.base64;
import static java.nio.charset.StandardCharsets.US_ASCII;

import com.google.common.collect.FluentIterable;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.Extension;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.NoSuchElementException;
import javax.annotation.Tainted;

/** X.509 Public Key Infrastructure (PKI) helper functions. */
public final class X509Utils {

    /**
     * Parse the encoded certificate and return a base64 encoded string (without padding) of the
     * SHA-256 digest of the certificate.
     *
     * <p>Note that this must match the method used by the GFE to generate the client certificate hash
     * so that the two will match when we check against the whitelist.
     */
    public static String getCertificateHash(X509Certificate cert) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(cert.getEncoded());
            return base64().omitPadding().encode(messageDigest.digest());
        } catch (CertificateException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Loads an ASCII-armored public X.509 certificate.
     *
     * @throws CertificateParsingException on parsing errors.
     */
    public static X509Certificate loadCertificate(InputStream input) throws CertificateParsingException {
        try {
            return Iterables.getOnlyElement(
                    FluentIterable.from(CertificateFactory.getInstance("X.509").generateCertificates(input))
                            .filter(X509Certificate.class));
        } catch (CertificateException e) { // CertificateParsingException by specification.
            propagateIfInstanceOf(e, CertificateParsingException.class);
            throw new CertificateParsingException(e);
        } catch (NoSuchElementException e) {
            throw new CertificateParsingException("No X509Certificate found.");
        } catch (IllegalArgumentException e) {
            throw new CertificateParsingException("Multiple X509Certificate found.");
        }
    }

    /**
     * Loads an ASCII-armored public X.509 certificate.
     *
     * @throws CertificateParsingException on parsing errors
     */
    public static X509Certificate loadCertificate(String asciiCrt) throws CertificateParsingException {
        return loadCertificate(new ByteArrayInputStream(asciiCrt.getBytes(US_ASCII)));
    }

    /**
     * Loads an ASCII-armored public X.509 certificate.
     *
     * @throws CertificateParsingException on parsing errors
     * @throws IOException on file system errors
     */
    public static X509Certificate loadCertificate(Path certPath) throws CertificateParsingException, IOException {
        return loadCertificate(Files.newInputStream(certPath));
    }

    /**
     * Loads an ASCII-armored X.509 certificate revocation list (CRL).
     *
     * @throws CRLException on parsing errors.
     */
    public static X509CRL loadCrl(String asciiCrl) throws GeneralSecurityException {
        ByteArrayInputStream input = new ByteArrayInputStream(asciiCrl.getBytes(US_ASCII));
        try {
            return Iterables.getOnlyElement(FluentIterable
                    .from(CertificateFactory.getInstance("X.509").generateCRLs(input)).filter(X509CRL.class));
        } catch (NoSuchElementException e) {
            throw new CRLException("No X509CRL found.");
        } catch (IllegalArgumentException e) {
            throw new CRLException("Multiple X509CRL found.");
        }
    }

    /**
     * Check that {@code cert} is signed by the {@code ca} and not revoked.
     *
     * <p>Support for certificate chains has not been implemented.
     *
     * @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
     *         parsing errors, encoding errors, if the CRL is expired, or if the CRL is older than the
     *         one currently in memory.
     */
    public static void verifyCertificate(X509Certificate rootCert, X509CRL crl, @Tainted X509Certificate cert,
            Date now) throws GeneralSecurityException {
        cert.checkValidity(checkNotNull(now, "now"));
        cert.verify(rootCert.getPublicKey());
        if (crl.isRevoked(cert)) {
            X509CRLEntry entry = crl.getRevokedCertificate(cert);
            throw new CertificateRevokedException(checkNotNull(entry.getRevocationDate(), "revocationDate"),
                    checkNotNull(entry.getRevocationReason(), "revocationReason"),
                    firstNonNull(entry.getCertificateIssuer(), crl.getIssuerX500Principal()),
                    ImmutableMap.<String, Extension>of());
        }
    }

    /**
     * Checks if an X.509 CRL you downloaded can safely replace your current CRL.
     *
     * <p>This routine makes sure {@code newCrl} is signed by {@code rootCert} and that its timestamps
     * are correct with respect to {@code now}.
     *
     * @throws GeneralSecurityException for unsupported protocols, certs not signed by the TMCH,
     *         incorrect keys, and for invalid, old, not-yet-valid or revoked certificates.
     */
    public static void verifyCrl(X509Certificate rootCert, X509CRL oldCrl, @Tainted X509CRL newCrl, Date now)
            throws GeneralSecurityException {
        if (newCrl.getThisUpdate().before(oldCrl.getThisUpdate())) {
            throw new CRLException(String.format("New CRL is more out of date than our current CRL. %s < %s\n%s",
                    newCrl.getThisUpdate(), oldCrl.getThisUpdate(), newCrl));
        }
        if (newCrl.getNextUpdate().before(now)) {
            throw new CRLException("CRL has expired.\n" + newCrl);
        }
        newCrl.verify(rootCert.getPublicKey());
    }

    private X509Utils() {
    }
}