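/**
 * Decodes a Base64 / PEM encoded X.509 certificate.
 *
 * <p>The input is trimmed. If it does not start with a {@code -----BEGIN} line, the standard
 * {@code CERTIFICATE} PEM armour is wrapped around it before the text is handed to the
 * byte-array overload of this method.
 *
 * @param certificate Base64 encoded certificate, with or without PEM armour; may be {@code null}
 * @return the decoded certificate, or {@code null} when {@code certificate} is null or blank
 * @throws CertificateException propagated from the byte-array overload when the text cannot be
 *     parsed as a certificate
 */
public static X509Certificate decodeCertificate(String certificate) throws CertificateException {
    if (certificate == null) {
        return null;
    }
    String pem = certificate.trim();
    if (pem.isEmpty()) {
        return null;
    }
    if (!pem.startsWith("-----BEGIN")) {
        // Bare Base64 body: add the PEM armour the byte-array decoder expects.
        pem = "-----BEGIN CERTIFICATE-----\n" + pem + "\n-----END CERTIFICATE-----";
    }
    // Name the charset explicitly; a bare getBytes() depends on the platform default.
    return decodeCertificate(pem.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}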
/**
 * Converts {@code key} to PEM text, choosing the encoder by the host's auth configuration.
 *
 * <p>PSC 6.5 SAML requirement due to Bouncycastle library conflicts: when
 * {@link #useAuthConfig} is true the local {@code keyToPEMFormat} is used, otherwise the
 * conversion is delegated to {@code KeyUtil}.
 *
 * @param key key to encode
 * @param host service host whose auth configuration selects the encoder
 * @return the PEM representation of {@code key}
 */
public static String toPEMFormat(Key key, ServiceHost host) {
    return useAuthConfig(host) ? keyToPEMFormat(key) : KeyUtil.toPEMFormat(key);
}
// Fresh RSA key pair from the project's KeyUtil helper (key size and randomness source are
// decided inside KeyUtil — not visible here).
KeyPair pair = KeyUtil.generateRSAKeyPair();
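/**
 * Validates that the certificate supplied for the registry matches the hostname the user
 * specified. Docker daemon will later be instructed to find and trust this certificate only if
 * these two match. See: https://docs.docker.com/docker-trusted-registry/userguide/
 *
 * @param state registry state whose {@code address} carries the user-specified host
 * @param sslTrust trust entry holding the encoded certificate and its common name
 * @throws LocalizableValidationException if the certificate cannot be decoded or is absent, or
 *     if the hostname verifier rejects the hostname for this certificate
 */
private void validateHostAddress(RegistryState state, SslTrustCertificateState sslTrust) {
    String hostname = UriUtilsExtended.extractHost(state.address);

    X509Certificate certificate;
    try {
        certificate = KeyUtil.decodeCertificate(sslTrust.certificate);
    } catch (CertificateException e) {
        // The cause is not attached: the constructor used here takes (message, code, args).
        throw invalidCertificate(hostname);
    }
    // A null/blank input is expected to decode to null; handing null to the verifier would
    // surface as a NullPointerException rather than a validation error.
    if (certificate == null) {
        throw invalidCertificate(hostname);
    }

    try {
        // NOTE(review): the message below reports the CN, but the verifier may also consult
        // subject alternative names — confirm against the verifier's contract.
        new DefaultHostnameVerifier().verify(hostname, certificate);
    } catch (SSLException e) {
        String errorMessage = String.format(
                "Registry hostname (%s) does not match certificates CN (%s).",
                hostname, sslTrust.commonName);
        throw new LocalizableValidationException(errorMessage,
                "compute.registry.host.name.mismatch", hostname, sslTrust.commonName);
    }
}

/** Builds the "invalid certificate" validation error for {@code hostname}. */
private static LocalizableValidationException invalidCertificate(String hostname) {
    return new LocalizableValidationException(
            String.format("Invalid certificate provided from host: %s", hostname),
            "compute.registry.host.address.invalid.certificate", hostname);
}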