Add a CertificateChecker class (#793)

* CertificateChecker with checks for expiration and key length * Add validity length check * Get rid of hard-coded constants and DSA checks * add files that for some reason weren't included in last commit * Rename violations and other fixes * Add displayMessage to CertificateViolation enum * Switch violations from an enum to a class * small changes * Get rid of ECDSA checks * add checks for old validity length * Change error message for validity length
2025-07-22 02:36:03 +02:00 · 2020-10-06 15:47:42 -04:00 · 2020-10-06 15:47:42 -04:00 · 35ebe371ba
commit 35ebe371ba
parent 31caff9010
77 changed files with 421 additions and 9 deletions
--- a/util/src/main/java/google/registry/util/CertificateChecker.java
+++ b/util/src/main/java/google/registry/util/CertificateChecker.java
@ -0,0 +1,141 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import com.google.auto.value.AutoValue;
+import com.google.common.collect.ImmutableSet;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Date;
+import org.joda.time.DateTime;
+import org.joda.time.Days;
+
+/** An utility to check that a given certificate meets our requirements */
+public class CertificateChecker {
+
+  private final int maxValidityDays;
+  private final int daysToExpiration;
+  private final int minimumRsaKeyLength;
+  public final CertificateViolation certificateExpiredViolation;
+  public final CertificateViolation certificateNotYetValidViolation;
+  public final CertificateViolation certificateValidityLengthViolation;
+  public final CertificateViolation certificateOldValidityLengthValidViolation;
+  public final CertificateViolation certificateRsaKeyLengthViolation;
+  public final CertificateViolation certificateAlgorithmViolation;
+
+  public CertificateChecker(int maxValidityDays, int daysToExpiration, int minimumRsaKeyLength) {
+    this.maxValidityDays = maxValidityDays;
+    this.daysToExpiration = daysToExpiration;
+    this.minimumRsaKeyLength = minimumRsaKeyLength;
+    this.certificateExpiredViolation =
+        CertificateViolation.create("Expired Certificate", "This certificate is expired.");
+    this.certificateNotYetValidViolation =
+        CertificateViolation.create(
+            "Not Yet Valid", "This certificate's start date has not yet passed.");
+    this.certificateOldValidityLengthValidViolation =
+        CertificateViolation.create(
+            "Validity Period Too Long",
+            String.format(
+                "The certificate's validity length must be less than or equal to %d days, or %d"
+                    + " days if issued prior to 2020-09-01.",
+                maxValidityDays, 825));
+    this.certificateValidityLengthViolation =
+        CertificateViolation.create(
+            "Validity Period Too Long",
+            String.format(
+                "The certificate must have a validity length of less than %d days.",
+                maxValidityDays));
+    this.certificateRsaKeyLengthViolation =
+        CertificateViolation.create(
+            "RSA Key Length Too Long",
+            String.format("The minimum RSA key length is %d.", minimumRsaKeyLength));
+    this.certificateAlgorithmViolation =
+        CertificateViolation.create(
+            "Certificate Algorithm Not Allowed", "Only RSA and ECDSA keys are accepted.");
+  }
+
+  /**
+   * Checks a certificate for violations and returns a list of all the violations the certificate
+   * has.
+   */
+  public ImmutableSet<CertificateViolation> checkCertificate(
+      X509Certificate certificate, Date now) {
+    ImmutableSet.Builder<CertificateViolation> violations = new ImmutableSet.Builder<>();
+
+    // Check Expiration
+    if (certificate.getNotAfter().before(now)) {
+      violations.add(certificateExpiredViolation);
+    } else if (certificate.getNotBefore().after(now)) {
+      violations.add(certificateNotYetValidViolation);
+    }
+    int validityLength = getValidityLengthInDays(certificate);
+    if (validityLength > maxValidityDays) {
+      if (new DateTime(certificate.getNotBefore())
+          .isBefore(DateTime.parse("2020-09-01T00:00:00Z"))) {
+        if (validityLength > 825) {
+          violations.add(certificateOldValidityLengthValidViolation);
+        }
+      } else {
+        violations.add(certificateValidityLengthViolation);
+      }
+    }
+
+    // Check Key Strengths
+    PublicKey key = certificate.getPublicKey();
+    if (key.getAlgorithm().equals("RSA")) {
+      RSAPublicKey rsaPublicKey = (RSAPublicKey) key;
+      if (rsaPublicKey.getModulus().bitLength() < minimumRsaKeyLength) {
+        violations.add(certificateRsaKeyLengthViolation);
+      }
+    } else if (key.getAlgorithm().equals("EC")) {
+      // TODO(sarahbot): Add verification of ECDSA curves
+    } else {
+      violations.add(certificateAlgorithmViolation);
+    }
+    return violations.build();
+  }
+
+  /** Returns true if the certificate is nearing expiration. */
+  public boolean isNearingExpiration(X509Certificate certificate, Date now) {
+    Date nearingExpirationDate =
+        DateTime.parse(certificate.getNotAfter().toInstant().toString())
+            .minusDays(daysToExpiration)
+            .toDate();
+    return now.after(nearingExpirationDate);
+  }
+
+  private static int getValidityLengthInDays(X509Certificate certificate) {
+    DateTime start = DateTime.parse(certificate.getNotBefore().toInstant().toString());
+    DateTime end = DateTime.parse(certificate.getNotAfter().toInstant().toString());
+    return Days.daysBetween(start.withTimeAtStartOfDay(), end.withTimeAtStartOfDay()).getDays();
+  }
+}
+
+/**
+ * The type of violation a certificate has based on the certificate requirements
+ * (go/registry-proxy-security).
+ */
+@AutoValue
+abstract class CertificateViolation {
+
+  public abstract String name();
+
+  public abstract String displayMessage();
+
+  public static CertificateViolation create(String name, String displayMessage) {
+    return new AutoValue_CertificateViolation(name, displayMessage);
+  }
+}
--- a/util/src/main/java/google/registry/util/SelfSignedCaCertificate.java
+++ b/util/src/main/java/google/registry/util/SelfSignedCaCertificate.java
@ -0,0 +1,121 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.base.Preconditions.checkArgument;
+
+import com.google.common.collect.ImmutableMap;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Date;
+import java.util.Random;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+/** A self-signed certificate authority (CA) cert for use in tests. */
+// TODO(weiminyu): make this class test-only. Requires refactor in proxy and prober.
+public class SelfSignedCaCertificate {
+
+  private static final String DEFAULT_ISSUER_FQDN = "registry-test";
+  private static final Date DEFAULT_NOT_BEFORE =
+      Date.from(Instant.now().minus(Duration.ofHours(1)));
+  private static final Date DEFAULT_NOT_AFTER = Date.from(Instant.now().plus(Duration.ofDays(1)));
+
+  private static final Random RANDOM = new Random();
+  private static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider();
+  private static final KeyPairGenerator keyGen = createKeyPairGenerator();
+  private static final ImmutableMap<String, String> KEY_SIGNATURE_ALGS =
+      ImmutableMap.of(
+          "EC", "SHA256WithECDSA", "DSA", "SHA256WithDSA", "RSA", "SHA256WithRSAEncryption");
+
+  private final PrivateKey privateKey;
+  private final X509Certificate cert;
+
+  public SelfSignedCaCertificate(PrivateKey privateKey, X509Certificate cert) {
+    this.privateKey = privateKey;
+    this.cert = cert;
+  }
+
+  public PrivateKey key() {
+    return privateKey;
+  }
+
+  public X509Certificate cert() {
+    return cert;
+  }
+
+  public static SelfSignedCaCertificate create() throws Exception {
+    return create(
+        keyGen.generateKeyPair(), DEFAULT_ISSUER_FQDN, DEFAULT_NOT_BEFORE, DEFAULT_NOT_AFTER);
+  }
+
+  public static SelfSignedCaCertificate create(String fqdn) throws Exception {
+    return create(fqdn, DEFAULT_NOT_BEFORE, DEFAULT_NOT_AFTER);
+  }
+
+  public static SelfSignedCaCertificate create(String fqdn, Date from, Date to) throws Exception {
+    return create(keyGen.generateKeyPair(), fqdn, from, to);
+  }
+
+  public static SelfSignedCaCertificate create(KeyPair keyPair, String fqdn, Date from, Date to)
+      throws Exception {
+    return new SelfSignedCaCertificate(keyPair.getPrivate(), createCaCert(keyPair, fqdn, from, to));
+  }
+
+  static KeyPairGenerator createKeyPairGenerator() {
+    try {
+      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", PROVIDER);
+      keyGen.initialize(2048, new SecureRandom());
+      return keyGen;
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  /** Returns a self-signed Certificate Authority (CA) certificate. */
+  static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to)
+      throws Exception {
+    X500Name owner = new X500Name("CN=" + fqdn);
+    String publicKeyAlg = keyPair.getPublic().getAlgorithm();
+    checkArgument(KEY_SIGNATURE_ALGS.containsKey(publicKeyAlg), "Unexpected public key algorithm");
+    String signatureAlgorithm = KEY_SIGNATURE_ALGS.get(publicKeyAlg);
+    ContentSigner signer =
+        new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
+    X509v3CertificateBuilder builder =
+        new JcaX509v3CertificateBuilder(
+            owner, new BigInteger(64, RANDOM), from, to, owner, keyPair.getPublic());
+
+    // Mark cert as CA by adding basicConstraint with cA=true to the builder
+    BasicConstraints basicConstraints = new BasicConstraints(true);
+    builder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints);
+
+    X509CertificateHolder certHolder = builder.build(signer);
+    return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder);
+  }
+}
--- a/util/src/test/java/google/registry/util/CertificateCheckerTest.java
+++ b/util/src/test/java/google/registry/util/CertificateCheckerTest.java
@ -0,0 +1,184 @@
+// Copyright 2020 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.util;
+
+import static com.google.common.truth.Truth.assertThat;
+import static org.joda.time.DateTimeZone.UTC;
+
+import com.google.common.collect.ImmutableSet;
+import java.security.KeyPairGenerator;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.joda.time.DateTime;
+import org.junit.jupiter.api.Test;
+
+/** Unit tests for {@link CertificateChecker} */
+public class CertificateCheckerTest {
+
+  private static final String SSL_HOST = "www.example.tld";
+
+  private static CertificateChecker certificateChecker = new CertificateChecker(398, 30, 2048);
+
+  @Test
+  void test_compliantCertificate() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(80).toDate())
+            .cert();
+    assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
+        .isEqualTo(ImmutableSet.of());
+  }
+
+  @Test
+  void test_certificateWithSeveralIssues() throws Exception {
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(1024, new SecureRandom());
+
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).plusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(1000).toDate())
+            .cert();
+
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).hasSize(3);
+    assertThat(violations)
+        .isEqualTo(
+            ImmutableSet.of(
+                certificateChecker.certificateNotYetValidViolation,
+                certificateChecker.certificateValidityLengthViolation,
+                certificateChecker.certificateRsaKeyLengthViolation));
+    ;
+  }
+
+  @Test
+  void test_expiredCertificate() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).minusDays(10).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateExpiredViolation);
+  }
+
+  @Test
+  void test_notYetValid() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).plusDays(10).toDate(),
+                DateTime.now(UTC).plusDays(50).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateNotYetValidViolation);
+  }
+
+  @Test
+  void test_checkValidityLength() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(10).toDate(),
+                DateTime.now(UTC).plusDays(1000).toDate())
+            .cert();
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateValidityLengthViolation);
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.parse("2020-08-01T00:00:00Z").toDate(),
+                DateTime.parse("2023-11-01T00:00:00Z").toDate())
+            .cert();
+    violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations)
+        .containsExactly(certificateChecker.certificateOldValidityLengthValidViolation);
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.parse("2020-08-01T00:00:00Z").toDate(),
+                DateTime.parse("2021-11-01T00:00:00Z").toDate())
+            .cert();
+    violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).isEmpty();
+  }
+
+  @Test
+  void test_nearingExpiration() throws Exception {
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).plusDays(10).toDate())
+            .cert();
+    assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
+        .isTrue();
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(50).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+    assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
+        .isFalse();
+  }
+
+  @Test
+  void test_checkRsaKeyLength() throws Exception {
+    // Key length too low
+    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(1024, new SecureRandom());
+
+    X509Certificate certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+
+    ImmutableSet<CertificateViolation> violations =
+        certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
+    assertThat(violations).containsExactly(certificateChecker.certificateRsaKeyLengthViolation);
+
+    // Key length higher than required
+    keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
+    keyGen.initialize(4096, new SecureRandom());
+
+    certificate =
+        SelfSignedCaCertificate.create(
+                keyGen.generateKeyPair(),
+                SSL_HOST,
+                DateTime.now(UTC).minusDays(5).toDate(),
+                DateTime.now(UTC).plusDays(100).toDate())
+            .cert();
+
+    assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
+        .isEqualTo(ImmutableSet.of());
+  }
+}