Class SpiffeUtil


  • public final class SpiffeUtil
    extends java.lang.Object
    Provides utilities to manage SPIFFE bundles, extract SPIFFE IDs from X.509 certificate chains, and parse SPIFFE IDs.
    See Also:
    Standard
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  SpiffeUtil.SpiffeBundle
      Represents a SPIFFE trust bundle; that is, a map from trust domain to set of trusted certificates.
      static class  SpiffeUtil.SpiffeId
      Represents a SPIFFE ID as defined in the SPIFFE standard.
    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private SpiffeUtil()  
    • Method Summary

      Modifier and Type Method Description
      private static void checkJwkEntry(java.util.Map<java.lang.String,?> jwkNode, java.lang.String trustDomainName)
      private static void doInitialUriValidation(java.lang.String uri)
      private static java.util.List<java.security.cert.X509Certificate> extractCert(java.util.List<java.util.Map<java.lang.String,?>> keysNode, java.lang.String trustDomainName)
      static com.google.common.base.Optional<SpiffeUtil.SpiffeId> extractSpiffeId(java.security.cert.X509Certificate[] certChain)
      Returns the SPIFFE ID from the leaf certificate, if present.
      static SpiffeUtil.SpiffeBundle loadTrustBundleFromFile(java.lang.String trustBundleFile)
      Loads a SPIFFE trust bundle from a file, parsing it from the JSON format.
      static SpiffeUtil.SpiffeId parse(java.lang.String uri)
      Parses a URI string, applies the validation rules described in the SPIFFE standard, and, in case of success, returns the parsed TrustDomain and Path.
      private static java.util.Map<java.lang.String,?> readTrustDomainsFromFile(java.lang.String filePath)
      private static void validatePath(java.lang.String path)
      private static void validatePathSegment(java.lang.String pathSegment)
      private static void validateTrustDomain(java.lang.String trustDomain)
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • URI_SAN_TYPE

        private static final java.lang.Integer URI_SAN_TYPE
      • USE_PARAMETER_VALUE

        private static final java.lang.String USE_PARAMETER_VALUE
        See Also:
        Constant Field Values
      • KTY_PARAMETER_VALUE

        private static final java.lang.String KTY_PARAMETER_VALUE
        See Also:
        Constant Field Values
      • CERTIFICATE_PREFIX

        private static final java.lang.String CERTIFICATE_PREFIX
        See Also:
        Constant Field Values
      • CERTIFICATE_SUFFIX

        private static final java.lang.String CERTIFICATE_SUFFIX
        See Also:
        Constant Field Values
    • Constructor Detail

      • SpiffeUtil

        private SpiffeUtil()
    • Method Detail

      • parse

        public static SpiffeUtil.SpiffeId parse(java.lang.String uri)
        Parses a URI string, applies the validation rules described in the SPIFFE standard, and, in case of success, returns the parsed TrustDomain and Path.
        Parameters:
        uri - a String representing a SPIFFE ID
      • doInitialUriValidation

        private static void doInitialUriValidation(java.lang.String uri)
      • validateTrustDomain

        private static void validateTrustDomain(java.lang.String trustDomain)
      • validatePath

        private static void validatePath(java.lang.String path)
      • validatePathSegment

        private static void validatePathSegment(java.lang.String pathSegment)
      • extractSpiffeId

        public static com.google.common.base.Optional<SpiffeUtil.SpiffeId> extractSpiffeId(java.security.cert.X509Certificate[] certChain)
            throws java.security.cert.CertificateParsingException
        Returns the SPIFFE ID from the leaf certificate, if present.
        Parameters:
        certChain - certificate chain to extract SPIFFE ID from
        Throws:
        java.security.cert.CertificateParsingException
      • loadTrustBundleFromFile

        public static SpiffeUtil.SpiffeBundle loadTrustBundleFromFile(java.lang.String trustBundleFile)
            throws java.io.IOException
        Loads a SPIFFE trust bundle from a file, parsing it from the JSON format. In case of success, returns a SpiffeUtil.SpiffeBundle. If any element of the JSON content is invalid or unsupported, an IllegalArgumentException is thrown and the entire bundle is considered invalid.
        Parameters:
        trustBundleFile - the file path to the JSON file containing the trust bundle
        Throws:
        java.io.IOException
        See Also:
        JSON format, JWK entry format, x5c (certificate) parameter
      • readTrustDomainsFromFile

        private static java.util.Map<java.lang.String,?> readTrustDomainsFromFile(java.lang.String filePath)
            throws java.io.IOException
        Throws:
        java.io.IOException
      • checkJwkEntry

        private static void checkJwkEntry(java.util.Map<java.lang.String,?> jwkNode,
                                          java.lang.String trustDomainName)
      • extractCert

        private static java.util.List<java.security.cert.X509Certificate> extractCert(java.util.List<java.util.Map<java.lang.String,?>> keysNode,
                                                                                      java.lang.String trustDomainName)