[util-security] add deserializeAndFilterOutInvalidCertificates
Problem/Solution:

Add `deserializeAndFilterOutInvalidCertificates` which wraps the `deserializeX509`
call in a `Try` (as `certificate.checkValidity()` can return
`CertificateExpiredException`, `CertificateNotYetValidException`) and
separates out any expired or not yet valid certificates detected.

JIRA Issues: PSEC-16977

Differential Revision: https://phabricator.twitter.biz/D1107551
mattdickinson5 authored and jenkins committed Oct 31, 2023
1 parent 0571f97 commit 053248d
Showing 2 changed files with 27 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -14,6 +14,9 @@ Runtime Behavior Changes

* util: Bump version of Jackson to 2.14.3. ``PHAB_ID=D1069160``

* util-securty: Add `deserializeAndFilterOutInvalidCertificates` Which wraps
the `deserializeX509` call in a Try. ``PHAB_ID=D1107551``

22.12.0
-------
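
Review bot: The added CHANGELOG entry misspells the module as `util-securty`; it should read `util-security` so it matches the commit title and stays searchable. In the same entry, "Which" is capitalized mid-sentence, and the method name and `deserializeX509` are wrapped in single backticks, which reStructuredText treats as interpreted text rather than an inline literal; the neighbouring PHAB_ID markers use double backticks, so use those here too. The hunk header places the entry under "Runtime Behavior Changes", while the text describes an added method, so check that it is filed under the right heading.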

Expand Up @@ -52,4 +52,28 @@ object X509CertificateDeserializer {

messages.map(_.map(deserializeX509))
}

/**
* Deserializes an [[InputStream]] that contains PEM-encoded X.509
* Certificates. Wraps the `deserializeX509` call in a Try
* (as `certificate.checkValidity()` can return CertificateExpiredException, CertificateNotYetValidException)
* and separates out any expired or not yet valid certificates detected.
*
* Closes the InputStream once it has finished reading.
*/
def deserializeAndFilterOutInvalidCertificates(
rawPem: String,
name: String
): (Seq[Try[X509Certificate]], Seq[Try[X509Certificate]]) = {
val pemBytes = new PemBytes(rawPem, name)
val messages: Try[Seq[Array[Byte]]] = pemBytes
.readMessages(MessageType)
messages
.map(certs => {
certs
.map(cert => {
Try(deserializeX509(cert))
}).partition(_.isReturn)
}).get()
}
}
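
Review bot: The trailing `.get()` on `messages` rethrows whatever `readMessages` failed with, so malformed PEM input escapes this method as an exception even though the method exists to wrap failures in a `Try`, and unlike the function above it, which returns the outer `Try` via `messages.map(_.map(deserializeX509))`. Consider keeping the outer `Try` in the return type, and since `partition(_.isReturn)` guarantees the first sequence holds only successes and the second only failures, a type such as `Try[(Seq[X509Certificate], Seq[Throwable])]` would say so and spare callers from unwrapping again. The partition also sends every failure from `deserializeX509` to the second sequence, not only `CertificateExpiredException` and `CertificateNotYetValidException`, so either match on those two types or document that the second sequence holds all failures, parse errors included. The Scaladoc does not match the signature: it speaks of deserializing an `[[InputStream]]` and closing it, while the parameters are `rawPem: String, name: String`; it also says the exceptions are "returned" where they are thrown, and it does not state which tuple element is which. The commit touches 2 files and neither is a test; add cases for expired, not-yet-valid and malformed input.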
