All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.sshd.common.config.keys.OpenSshCertificate Maven / Gradle / Ivy

The newest version!
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.apache.sshd.common.config.keys;

import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;

import org.apache.sshd.common.util.ValidateUtils;

/**
 * An OpenSSH certificate key as specified by OpenSSH.
 *
 * @author Apache MINA SSHD Project
 * @see    PROTOCOL.certkeys
 */
public interface OpenSshCertificate extends PublicKey, PrivateKey {

    /**
     * {@link OpenSshCertificate}s have a type indicating whether the certificate if for a host key (certifying a host
     * identity) or for a user key (certifying a user identity). Note: values order is significant
     */
    enum Type {
        /** User key certificate. */
        USER,
        /** Host key certificate. */
        HOST,
        ;

        public static final List VALUES = Collections.unmodifiableList(Arrays.asList(values()));

        public int getCode() {
            return ordinal() + 1;
        }

        public static Type fromCode(int code) {
            ValidateUtils.checkTrue((code > 0) && (code <= VALUES.size()),
                    "Invalid type code: %d", code);
            return VALUES.get(code - 1);
        }
    }

    /**
     * The minimal {@link #getValidAfter()} or {@link #getValidBefore()} value, corresponding to {@code Instant#EPOCH}.
     */
    long MIN_EPOCH = 0L;

    /**
     * The maximum {@link #getValidAfter()} or {@link #getValidBefore()} value.
     * 

* Note that timestamps in OpenSSH certificates are unsigned 64-bit values. *

* * @see #isValidNow(OpenSshCertificate) */ long INFINITY = 0xffff_ffff_ffff_ffffL; /** * Retrieves the raw SSH key type of this certificate. * * @return the key type, for instance "ssh-rsa" for a "[email protected]" certificate */ String getRawKeyType(); /** * Retrieves the nonce of this certificate. * * @return the nonce. */ byte[] getNonce(); /** * Retrieves the SSH key type of this certificate. * * @return the key type, for instance "[email protected]" */ String getKeyType(); /** * Retrieves the certified public key. * * @return the {@link PublicKey} */ PublicKey getCertPubKey(); /** * Retrieves the serial number of this certificate. * * @return the serial number */ long getSerial(); /** * Retrieves the type of certificate. * * @return the {@link Type} */ Type getType(); /** * Retrieves a free-form text set by the CA when the certificate was generated; intended to identify the identity * principal in log message. * * @return the id; never {@code null} but may be empty. */ String getId(); /** * Retrieves the principals mentioned in the certificate. * * @return the collection of principals, never {@code null} but possibly empty */ Collection getPrincipals(); /** * Retrieves the time in number of seconds since the {@link java.time.Instant#EPOCH} at which this certificate * becomes or became valid. * * @return the number of seconds since the {@link java.time.Instant#EPOCH} as an unsigned 64bit value * @see #isValidNow(OpenSshCertificate) */ long getValidAfter(); /** * Retrieves the time in number of seconds since the {@link java.time.Instant#EPOCH} at which this certificate * becomes or became invalid. * * @return the number of seconds since the {@link java.time.Instant#EPOCH} as an unsigned 64bit value * @see #isValidNow(OpenSshCertificate) */ long getValidBefore(); /** * Retrieves the critical options set in the certificate. * * @return the critical options as a list, never {@code null} but possibly empty */ List getCriticalOptions(); /** * Retrieves the extensions set in the certificate. * * @return the extensions as a list, never {@code null} but possibly empty */ List getExtensions(); /** * Retrieves the "reserved" field of the certificate. OpenSSH currently doesn't use it and ignores it. * * @return the "reserved" field. */ String getReserved(); /** * Retrieves the CA public key of this certificate. * * @return the {@link PublicKey} */ PublicKey getCaPubKey(); /** * Retrieves the raw byte content of the certificate, minus the signature. This is the data that was signed. * * @return the part of the certificate raw data that was signed */ byte[] getMessage(); /** * Retrieves the signature of the certificate, including the signature algorithm. * * @return the signature bytes * @see #getRawSignature() */ byte[] getSignature(); /** * Retrieves the signature algorithm used for the signature. * * @return the signature algorithm as recorded in the certificate */ String getSignatureAlgorithm(); /** * Retrieves the raw signature bytes, without the signature algorithm. * * @return the signature bytes * @see #getSignature() */ byte[] getRawSignature(); /** * Determines whether the given {@link OpenSshCertificate} is valid at the current local system time. * * @param cert to check * @return {@code true} if the certificate is valid according to its timestamps, {@code false} otherwise */ static boolean isValidNow(OpenSshCertificate cert) { long now = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()); return Long.compareUnsigned(cert.getValidAfter(), now) <= 0 && Long.compareUnsigned(now, cert.getValidBefore()) < 0; } /** * Certificate Options are a set of bytes that is * *
     * [overall length][name(string)][[length of buffer][[length of string][data(string)]]]...
     * 
*

* Where each Certificate Option is encoded as a name (string) and data (string packed in a buffer). The entire name * (string) + data (buffer) are added as bytes (which will get a length prefix). *

* * @see PROTOCOL.certkeys */ class CertificateOption { private final String name; private final String data; /** * Creates a new {@link CertificateOption} with the given name and data. * * @param name of the option; must be neither {@code null} nor empty * @param data for the option; may be {@code null} or empty */ public CertificateOption(String name, String data) { this.name = ValidateUtils.checkNotNullAndNotEmpty(name, "CertificateOption name must be set"); this.data = data; } /** * Creates a new {@link CertificateOption} with a name without data. * * @param name of the option; must be neither {@code null} nor empty */ public CertificateOption(String name) { this(name, null); } /** * Retrieves the name. * * @return the name, never {@code null} */ public final String getName() { return name; } /** * Retrieves the data. * * @return the data, may be{@code null} or empty */ public final String getData() { return data; } @Override public String toString() { return "CertificateOption{name='" + name + "', data='" + data + "'}"; } @Override public boolean equals(Object obj) { if (obj == null) { return false; } if (obj == this) { return true; } if (getClass() != obj.getClass()) { return false; } CertificateOption other = (CertificateOption) obj; return Objects.equals(name, other.name) && Objects.equals(data, other.data); } @Override public int hashCode() { return Objects.hash(name, data); } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy