Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Gracefully handle certificate renewals #396

Merged
merged 3 commits into from Dec 21, 2018

Conversation

Projects
None yet
2 participants
@lukas-w
Copy link
Contributor

lukas-w commented Dec 19, 2018

This is like #391 but the renewal info is stored in the certificate itself as was decided in #391 (comment). The format of digital-certificate.txt is not changed, so certificates will remain backwards compatible. I still included eb96fc4 which ensures that changes to the certificate file will be possible in the future.

Closes #43

lukas-w added some commits Dec 4, 2018

Certificate: Don't decode Base64 certificate for forward compatibility
In the future, certificates may contain additional data after the end of
the intermediate certificate (see #43). By using the Base64 string directly
instead of decoding it ourselves, CertificateFactory can detect the
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" boundaries,
ignoring anything outside.
Certificate: Add support for reading renewal information
Reads renewal information from the certificate as generated on the website.
This is used to automatically whitelist a renewed certificate if the
previous certificate was already whitelisted.

Closes #43

X509Certificate theIntermediateCertificate;
if (split.length == 2) {
byte[] intermediateCertificate = Base64.decode(split[1].replaceAll(X509Constants.BEGIN_CERT, "").replaceAll(X509Constants.END_CERT, ""));
theIntermediateCertificate = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(intermediateCertificate));
theIntermediateCertificate = (X509Certificate)cf.generateCertificate(new StringBufferInputStream(split[1]));

This comment has been minimized.

@tresf

tresf Dec 21, 2018

Contributor

According to Oracle, this should be completely valid and return either a casted X509Certifcate or raise a CertificateException. In reality, the library fails to parse the cert without \r and/or \n per http://www.doublecloud.org/2014/03/reading-x-509-certificate-in-java-how-to-handle-format-issue/. I will be reverting to the Base64 code to avoid any backwards compatibility issues.

@tresf

This comment has been minimized.

Copy link
Contributor

tresf commented Dec 21, 2018

Had to revert to the base64 parsing due to some undesired behavior with Java's DER encoder. Quite coincidentally I just so happened to be missing the newlines between -----BEGIN CERTIFICATE----- and the base64 data and was able to catch this during testing. 😅

I'm having some issues with the portal setting up the new id-at-description (2.5.4.13) renewal field. Once those issues are resolved, we should be good to merge.

@tresf tresf merged commit d86a2c1 into qzind:2.0 Dec 21, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

@lukas-w lukas-w deleted the lukas-w:cert-renewal branch Dec 23, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.