mirror of
https://github.com/google/nomulus.git
synced 2025-04-30 03:57:51 +02:00
Add a CertificateChecker class (#793)
* CertificateChecker with checks for expiration and key length * Add validity length check * Get rid of hard-coded constants and DSA checks * add files that for some reason weren't included in last commit * Rename violations and other fixes * Add displayMessage to CertificateViolation enum * Switch violations from an enum to a class * small changes * Get rid of ECDSA checks * add checks for old validity length * Change error message for validity length
This commit is contained in:
sarahcaseybot
GitHub
parent
31caff9010
commit
35ebe371ba
77 changed files with 421 additions and 9 deletions
|
|
@ -202,6 +202,7 @@ org.apache.httpcomponents:httpclient:4.5.11
|
|||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apache.logging.log4j:log4j-api:2.6.2
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -200,6 +200,7 @@ org.apache.httpcomponents:httpclient:4.5.11
|
|||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apache.logging.log4j:log4j-api:2.6.2
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -202,6 +202,7 @@ org.apache.httpcomponents:httpclient:4.5.11
|
|||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apache.logging.log4j:log4j-api:2.6.2
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -201,6 +201,7 @@ org.apache.httpcomponents:httpclient:4.5.11
|
|||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apache.logging.log4j:log4j-api:2.6.2
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -202,6 +202,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -204,6 +204,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
|
|||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -207,6 +207,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
|
|||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
|
|||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -208,6 +208,7 @@ org.apache.logging.log4j:log4j-api:2.13.3
|
|||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ import com.google.common.collect.ImmutableList;
|
|||
import dagger.Lazy;
|
||||
import dagger.Module;
|
||||
import dagger.Provides;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ import static google.registry.networking.handler.SslInitializerTestUtils.signKey
|
|||
import static google.registry.networking.handler.SslInitializerTestUtils.verifySslException;
|
||||
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.channel.ChannelHandler;
|
||||
import io.netty.channel.ChannelPipeline;
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ import static com.google.common.truth.Truth.assertThat;
|
|||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
|
||||
import com.google.common.base.Throwables;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import io.netty.channel.Channel;
|
||||
import io.netty.channel.ChannelFuture;
|
||||
import io.netty.handler.ssl.SslHandler;
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ import static google.registry.networking.handler.SslServerInitializer.CLIENT_CER
|
|||
|
||||
import com.google.common.base.Suppliers;
|
||||
import com.google.common.collect.ImmutableList;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import io.netty.channel.ChannelHandler;
|
||||
import io.netty.channel.ChannelInitializer;
|
||||
import io.netty.channel.ChannelPipeline;
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ import dagger.Component;
|
|||
import dagger.Module;
|
||||
import dagger.Provides;
|
||||
import google.registry.networking.module.CertificateSupplierModule.Mode;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.OutputStreamWriter;
|
||||
import java.security.KeyPair;
|
||||
|
|
|
|||
|
|
@ -23,9 +23,9 @@ import static java.nio.charset.StandardCharsets.UTF_8;
|
|||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
|
||||
import com.google.common.base.Throwables;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException;
|
||||
import google.registry.testing.FakeClock;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import io.netty.buffer.ByteBuf;
|
||||
import io.netty.buffer.Unpooled;
|
||||
import io.netty.channel.embedded.EmbeddedChannel;
|
||||
|
|
|
|||
|
|
@ -27,10 +27,10 @@ import static org.mockito.Mockito.verify;
|
|||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
import com.google.common.base.Throwables;
|
||||
import google.registry.networking.util.SelfSignedCaCertificate;
|
||||
import google.registry.proxy.TestUtils;
|
||||
import google.registry.proxy.handler.HttpsRelayServiceHandler.NonOkHttpResponseException;
|
||||
import google.registry.proxy.metric.FrontendMetrics;
|
||||
import google.registry.util.SelfSignedCaCertificate;
|
||||
import io.netty.buffer.ByteBuf;
|
||||
import io.netty.buffer.Unpooled;
|
||||
import io.netty.channel.ChannelInitializer;
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -203,6 +203,7 @@ org.apache.httpcomponents:httpcore:4.4.13
|
|||
org.apache.logging.log4j:log4j-api:2.13.3
|
||||
org.apache.logging.log4j:log4j-core:2.13.3
|
||||
org.bouncycastle:bcpg-jdk15on:1.61
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
|
|
|
|||
|
|
@ -32,6 +32,8 @@ dependencies {
|
|||
compile deps['javax.xml.bind:jaxb-api']
|
||||
compile deps['joda-time:joda-time']
|
||||
compile deps['org.yaml:snakeyaml']
|
||||
compile deps['org.bouncycastle:bcpkix-jdk15on']
|
||||
compile deps['org.bouncycastle:bcprov-jdk15on']
|
||||
compile project(':common')
|
||||
runtime deps['com.google.auto.value:auto-value']
|
||||
testCompile deps['com.google.appengine:appengine-api-stubs']
|
||||
|
|
|
|||
|
|
@ -34,5 +34,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -34,5 +34,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -35,5 +35,7 @@ javax.xml.bind:jaxb-api:2.3.0
|
|||
joda-time:joda-time:2.9.2
|
||||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.yaml:snakeyaml:1.17
|
||||
|
|
|
|||
|
|
@ -42,6 +42,8 @@ net.bytebuddy:byte-buddy:1.10.5
|
|||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.hamcrest:hamcrest-all:1.3
|
||||
|
|
|
|||
|
|
@ -42,6 +42,8 @@ net.bytebuddy:byte-buddy:1.10.5
|
|||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.hamcrest:hamcrest-all:1.3
|
||||
|
|
|
|||
|
|
@ -44,6 +44,8 @@ net.bytebuddy:byte-buddy:1.10.5
|
|||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.hamcrest:hamcrest-all:1.3
|
||||
|
|
|
|||
|
|
@ -44,6 +44,8 @@ net.bytebuddy:byte-buddy:1.10.5
|
|||
org.apache.httpcomponents:httpclient:4.5.11
|
||||
org.apache.httpcomponents:httpcore:4.4.13
|
||||
org.apiguardian:apiguardian-api:1.1.0
|
||||
org.bouncycastle:bcpkix-jdk15on:1.61
|
||||
org.bouncycastle:bcprov-jdk15on:1.61
|
||||
org.checkerframework:checker-compat-qual:2.5.5
|
||||
org.checkerframework:checker-qual:2.11.1
|
||||
org.hamcrest:hamcrest-all:1.3
|
||||
|
|
|
|||
141
util/src/main/java/google/registry/util/CertificateChecker.java
Normal file
141
util/src/main/java/google/registry/util/CertificateChecker.java
Normal file
|
|
@ -0,0 +1,141 @@
|
|||
// Copyright 2020 The Nomulus Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.util;
|
||||
|
||||
import com.google.auto.value.AutoValue;
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
import java.security.PublicKey;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.security.interfaces.RSAPublicKey;
|
||||
import java.util.Date;
|
||||
import org.joda.time.DateTime;
|
||||
import org.joda.time.Days;
|
||||
|
||||
/** An utility to check that a given certificate meets our requirements */
|
||||
public class CertificateChecker {
|
||||
|
||||
private final int maxValidityDays;
|
||||
private final int daysToExpiration;
|
||||
private final int minimumRsaKeyLength;
|
||||
public final CertificateViolation certificateExpiredViolation;
|
||||
public final CertificateViolation certificateNotYetValidViolation;
|
||||
public final CertificateViolation certificateValidityLengthViolation;
|
||||
public final CertificateViolation certificateOldValidityLengthValidViolation;
|
||||
public final CertificateViolation certificateRsaKeyLengthViolation;
|
||||
public final CertificateViolation certificateAlgorithmViolation;
|
||||
|
||||
public CertificateChecker(int maxValidityDays, int daysToExpiration, int minimumRsaKeyLength) {
|
||||
this.maxValidityDays = maxValidityDays;
|
||||
this.daysToExpiration = daysToExpiration;
|
||||
this.minimumRsaKeyLength = minimumRsaKeyLength;
|
||||
this.certificateExpiredViolation =
|
||||
CertificateViolation.create("Expired Certificate", "This certificate is expired.");
|
||||
this.certificateNotYetValidViolation =
|
||||
CertificateViolation.create(
|
||||
"Not Yet Valid", "This certificate's start date has not yet passed.");
|
||||
this.certificateOldValidityLengthValidViolation =
|
||||
CertificateViolation.create(
|
||||
"Validity Period Too Long",
|
||||
String.format(
|
||||
"The certificate's validity length must be less than or equal to %d days, or %d"
|
||||
+ " days if issued prior to 2020-09-01.",
|
||||
maxValidityDays, 825));
|
||||
this.certificateValidityLengthViolation =
|
||||
CertificateViolation.create(
|
||||
"Validity Period Too Long",
|
||||
String.format(
|
||||
"The certificate must have a validity length of less than %d days.",
|
||||
maxValidityDays));
|
||||
this.certificateRsaKeyLengthViolation =
|
||||
CertificateViolation.create(
|
||||
"RSA Key Length Too Long",
|
||||
String.format("The minimum RSA key length is %d.", minimumRsaKeyLength));
|
||||
this.certificateAlgorithmViolation =
|
||||
CertificateViolation.create(
|
||||
"Certificate Algorithm Not Allowed", "Only RSA and ECDSA keys are accepted.");
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks a certificate for violations and returns a list of all the violations the certificate
|
||||
* has.
|
||||
*/
|
||||
public ImmutableSet<CertificateViolation> checkCertificate(
|
||||
X509Certificate certificate, Date now) {
|
||||
ImmutableSet.Builder<CertificateViolation> violations = new ImmutableSet.Builder<>();
|
||||
|
||||
// Check Expiration
|
||||
if (certificate.getNotAfter().before(now)) {
|
||||
violations.add(certificateExpiredViolation);
|
||||
} else if (certificate.getNotBefore().after(now)) {
|
||||
violations.add(certificateNotYetValidViolation);
|
||||
}
|
||||
int validityLength = getValidityLengthInDays(certificate);
|
||||
if (validityLength > maxValidityDays) {
|
||||
if (new DateTime(certificate.getNotBefore())
|
||||
.isBefore(DateTime.parse("2020-09-01T00:00:00Z"))) {
|
||||
if (validityLength > 825) {
|
||||
violations.add(certificateOldValidityLengthValidViolation);
|
||||
}
|
||||
} else {
|
||||
violations.add(certificateValidityLengthViolation);
|
||||
}
|
||||
}
|
||||
|
||||
// Check Key Strengths
|
||||
PublicKey key = certificate.getPublicKey();
|
||||
if (key.getAlgorithm().equals("RSA")) {
|
||||
RSAPublicKey rsaPublicKey = (RSAPublicKey) key;
|
||||
if (rsaPublicKey.getModulus().bitLength() < minimumRsaKeyLength) {
|
||||
violations.add(certificateRsaKeyLengthViolation);
|
||||
}
|
||||
} else if (key.getAlgorithm().equals("EC")) {
|
||||
// TODO(sarahbot): Add verification of ECDSA curves
|
||||
} else {
|
||||
violations.add(certificateAlgorithmViolation);
|
||||
}
|
||||
return violations.build();
|
||||
}
|
||||
|
||||
/** Returns true if the certificate is nearing expiration. */
|
||||
public boolean isNearingExpiration(X509Certificate certificate, Date now) {
|
||||
Date nearingExpirationDate =
|
||||
DateTime.parse(certificate.getNotAfter().toInstant().toString())
|
||||
.minusDays(daysToExpiration)
|
||||
.toDate();
|
||||
return now.after(nearingExpirationDate);
|
||||
}
|
||||
|
||||
private static int getValidityLengthInDays(X509Certificate certificate) {
|
||||
DateTime start = DateTime.parse(certificate.getNotBefore().toInstant().toString());
|
||||
DateTime end = DateTime.parse(certificate.getNotAfter().toInstant().toString());
|
||||
return Days.daysBetween(start.withTimeAtStartOfDay(), end.withTimeAtStartOfDay()).getDays();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The type of violation a certificate has based on the certificate requirements
|
||||
* (go/registry-proxy-security).
|
||||
*/
|
||||
@AutoValue
|
||||
abstract class CertificateViolation {
|
||||
|
||||
public abstract String name();
|
||||
|
||||
public abstract String displayMessage();
|
||||
|
||||
public static CertificateViolation create(String name, String displayMessage) {
|
||||
return new AutoValue_CertificateViolation(name, displayMessage);
|
||||
}
|
||||
}
|
||||
|
|
@ -12,8 +12,11 @@
|
|||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.networking.util;
|
||||
package google.registry.util;
|
||||
|
||||
import static com.google.common.base.Preconditions.checkArgument;
|
||||
|
||||
import com.google.common.collect.ImmutableMap;
|
||||
import java.math.BigInteger;
|
||||
import java.security.KeyPair;
|
||||
import java.security.KeyPairGenerator;
|
||||
|
|
@ -47,6 +50,9 @@ public class SelfSignedCaCertificate {
|
|||
private static final Random RANDOM = new Random();
|
||||
private static final BouncyCastleProvider PROVIDER = new BouncyCastleProvider();
|
||||
private static final KeyPairGenerator keyGen = createKeyPairGenerator();
|
||||
private static final ImmutableMap<String, String> KEY_SIGNATURE_ALGS =
|
||||
ImmutableMap.of(
|
||||
"EC", "SHA256WithECDSA", "DSA", "SHA256WithDSA", "RSA", "SHA256WithRSAEncryption");
|
||||
|
||||
private final PrivateKey privateKey;
|
||||
private final X509Certificate cert;
|
||||
|
|
@ -96,8 +102,11 @@ public class SelfSignedCaCertificate {
|
|||
static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to)
|
||||
throws Exception {
|
||||
X500Name owner = new X500Name("CN=" + fqdn);
|
||||
String publicKeyAlg = keyPair.getPublic().getAlgorithm();
|
||||
checkArgument(KEY_SIGNATURE_ALGS.containsKey(publicKeyAlg), "Unexpected public key algorithm");
|
||||
String signatureAlgorithm = KEY_SIGNATURE_ALGS.get(publicKeyAlg);
|
||||
ContentSigner signer =
|
||||
new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
|
||||
new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
|
||||
X509v3CertificateBuilder builder =
|
||||
new JcaX509v3CertificateBuilder(
|
||||
owner, new BigInteger(64, RANDOM), from, to, owner, keyPair.getPublic());
|
||||
|
|
@ -0,0 +1,184 @@
|
|||
// Copyright 2020 The Nomulus Authors. All Rights Reserved.
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package google.registry.util;
|
||||
|
||||
import static com.google.common.truth.Truth.assertThat;
|
||||
import static org.joda.time.DateTimeZone.UTC;
|
||||
|
||||
import com.google.common.collect.ImmutableSet;
|
||||
import java.security.KeyPairGenerator;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.cert.X509Certificate;
|
||||
import org.bouncycastle.jce.provider.BouncyCastleProvider;
|
||||
import org.joda.time.DateTime;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
/** Unit tests for {@link CertificateChecker} */
|
||||
public class CertificateCheckerTest {
|
||||
|
||||
private static final String SSL_HOST = "www.example.tld";
|
||||
|
||||
private static CertificateChecker certificateChecker = new CertificateChecker(398, 30, 2048);
|
||||
|
||||
@Test
|
||||
void test_compliantCertificate() throws Exception {
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(5).toDate(),
|
||||
DateTime.now(UTC).plusDays(80).toDate())
|
||||
.cert();
|
||||
assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
|
||||
.isEqualTo(ImmutableSet.of());
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_certificateWithSeveralIssues() throws Exception {
|
||||
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
|
||||
keyGen.initialize(1024, new SecureRandom());
|
||||
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
keyGen.generateKeyPair(),
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).plusDays(5).toDate(),
|
||||
DateTime.now(UTC).plusDays(1000).toDate())
|
||||
.cert();
|
||||
|
||||
ImmutableSet<CertificateViolation> violations =
|
||||
certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).hasSize(3);
|
||||
assertThat(violations)
|
||||
.isEqualTo(
|
||||
ImmutableSet.of(
|
||||
certificateChecker.certificateNotYetValidViolation,
|
||||
certificateChecker.certificateValidityLengthViolation,
|
||||
certificateChecker.certificateRsaKeyLengthViolation));
|
||||
;
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_expiredCertificate() throws Exception {
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(50).toDate(),
|
||||
DateTime.now(UTC).minusDays(10).toDate())
|
||||
.cert();
|
||||
ImmutableSet<CertificateViolation> violations =
|
||||
certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).containsExactly(certificateChecker.certificateExpiredViolation);
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_notYetValid() throws Exception {
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).plusDays(10).toDate(),
|
||||
DateTime.now(UTC).plusDays(50).toDate())
|
||||
.cert();
|
||||
ImmutableSet<CertificateViolation> violations =
|
||||
certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).containsExactly(certificateChecker.certificateNotYetValidViolation);
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_checkValidityLength() throws Exception {
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(10).toDate(),
|
||||
DateTime.now(UTC).plusDays(1000).toDate())
|
||||
.cert();
|
||||
ImmutableSet<CertificateViolation> violations =
|
||||
certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).containsExactly(certificateChecker.certificateValidityLengthViolation);
|
||||
|
||||
certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.parse("2020-08-01T00:00:00Z").toDate(),
|
||||
DateTime.parse("2023-11-01T00:00:00Z").toDate())
|
||||
.cert();
|
||||
violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations)
|
||||
.containsExactly(certificateChecker.certificateOldValidityLengthValidViolation);
|
||||
|
||||
certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.parse("2020-08-01T00:00:00Z").toDate(),
|
||||
DateTime.parse("2021-11-01T00:00:00Z").toDate())
|
||||
.cert();
|
||||
violations = certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_nearingExpiration() throws Exception {
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(50).toDate(),
|
||||
DateTime.now(UTC).plusDays(10).toDate())
|
||||
.cert();
|
||||
assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
|
||||
.isTrue();
|
||||
|
||||
certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(50).toDate(),
|
||||
DateTime.now(UTC).plusDays(100).toDate())
|
||||
.cert();
|
||||
assertThat(certificateChecker.isNearingExpiration(certificate, DateTime.now(UTC).toDate()))
|
||||
.isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void test_checkRsaKeyLength() throws Exception {
|
||||
// Key length too low
|
||||
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
|
||||
keyGen.initialize(1024, new SecureRandom());
|
||||
|
||||
X509Certificate certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
keyGen.generateKeyPair(),
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(5).toDate(),
|
||||
DateTime.now(UTC).plusDays(100).toDate())
|
||||
.cert();
|
||||
|
||||
ImmutableSet<CertificateViolation> violations =
|
||||
certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate());
|
||||
assertThat(violations).containsExactly(certificateChecker.certificateRsaKeyLengthViolation);
|
||||
|
||||
// Key length higher than required
|
||||
keyGen = KeyPairGenerator.getInstance("RSA", new BouncyCastleProvider());
|
||||
keyGen.initialize(4096, new SecureRandom());
|
||||
|
||||
certificate =
|
||||
SelfSignedCaCertificate.create(
|
||||
keyGen.generateKeyPair(),
|
||||
SSL_HOST,
|
||||
DateTime.now(UTC).minusDays(5).toDate(),
|
||||
DateTime.now(UTC).plusDays(100).toDate())
|
||||
.cert();
|
||||
|
||||
assertThat(certificateChecker.checkCertificate(certificate, DateTime.now(UTC).toDate()))
|
||||
.isEqualTo(ImmutableSet.of());
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Reference in a new issue