authorEndi S. Dewata <edewata@redhat.com>2017-06-12 17:12:12 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-06-13 06:45:53 +0200
commite481a42fd64864a7b1ce8061b4d74d6331125729 (patch)
treeb3976fc156492659c9d45521fe792433d233b3f3
parent53564487e46040a9115fba51c8403ecacb50187e (diff)
Refactored AuditVerify (part 1).
The code that retrieves and verifies the signing certificate in AuditVerify has been moved into a new setSigningCert() method. https://pagure.io/dogtagpki/issue/2634 Change-Id: I37b9d73a2ff162735359d2eed222296bbb1fcd60
-rw-r--r--base/java-tools/src/com/netscape/cmstools/AuditVerify.java85
1 files changed, 49 insertions, 36 deletions
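--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -30,14 +30,14 @@ import java.security.interfaces.RSAPublicKey;
 import java.util.StringTokenizer;
 import java.util.Vector;
-import netscape.security.x509.X509CertImpl;
-
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.X509Certificate;
 import com.netscape.cmsutil.util.Utils;
+import netscape.security.x509.X509CertImpl;
+
 /**
 * Tool for verifying signed audit logs
 *
@@ -45,23 +45,60 @@ import com.netscape.cmsutil.util.Utils;
 */
 public class AuditVerify {
+ public static final String CRYPTO_PROVIDER = "Mozilla-JSS";
+
+ // We always sign 0x0a as the line separator, regardless of what
+ // line separator characters are used in the log file. This helps
+ // signature verification be platform-independent.
+ private static final byte LINE_SEP_BYTE = 0x0a;
+
+ boolean verbose;
+ X509Certificate signingCert;
+
+ public AuditVerify() {
+ }
+
+ public void setVerbose(boolean verbose) {
+ this.verbose = verbose;
+ }
+
+ public void setSigningCert(X509Certificate signingCert) throws Exception {
+
+ // verify audit signing certificate
+ // not checking validity because we want to allow verifying old logs
+
+ if (signingCert == null) {
+ throw new Exception("Missing signing certificate");
+ }
+
+ byte[] bytes = signingCert.getEncoded();
+ X509CertImpl cert = new X509CertImpl(bytes);
+
+ boolean[] keyUsage = cert.getKeyUsage();
+
+ if (keyUsage == null || keyUsage.length < 1) {
+ throw new Exception("Missing signing certificate key usage");
+ }
+
+ boolean valid = keyUsage[0];
+
+ if (!valid) {
+ throw new Exception("Invalid signing certificate key usage");
+ }
+
+ this.signingCert = signingCert;
+ }
+
 private static void usage() {
 System.out
 .println("Usage: AuditVerify -d <dbdir> -n <signing certificate nickname> -a <log list file> [-P <cert/key db prefix>] [-v]");
 System.exit(1);
 }
- public static final String CRYPTO_PROVIDER = "Mozilla-JSS";
-
 public static byte[] base64decode(String input) throws Exception {
 return Utils.base64decode(input);
 }
- // We always sign 0x0a as the line separator, regardless of what
- // line separator characters are used in the log file. This helps
- // signature verification be platform-independent.
- private static final byte LINE_SEP_BYTE = 0x0a;
-
 private static void output(int linenum, String mesg) throws IOException {
 System.out.println("Line " + linenum + ": " + mesg);
 }
@@ -104,17 +141,6 @@ public class AuditVerify {
 return (matchingFiles.length > 0);
 }
- public static boolean isSigningCert(X509CertImpl cert) {
- boolean[] keyUsage = null;
-
- try {
- keyUsage = cert.getKeyUsage();
- } catch (Exception e) {
- e.printStackTrace();
- }
- return (keyUsage == null) ? false : keyUsage[0];
- }
-
 public static void main(String args[]) {
 try {
@@ -192,22 +218,9 @@ public class AuditVerify {
 CryptoManager cm = CryptoManager.getInstance();
 X509Certificate signerCert = cm.findCertByNickname(signerNick);
- X509CertImpl cert_i = null;
- if (signerCert != null) {
- byte[] signerCert_b = signerCert.getEncoded();
- cert_i = new X509CertImpl(signerCert_b);
- } else {
- System.out.println("ERROR: signing certificate not found");
- System.exit(1);
- }
-
- // verify signer's certificate
- // not checking validity because we want to allow verifying old logs
- //
- if (!isSigningCert(cert_i)) {
- System.out.println("info: signing certificate is not a signing certificate");
- System.exit(1);
- }
+ AuditVerify verifier = new AuditVerify();
+ verifier.setVerbose(verbose);
+ verifier.setSigningCert(signerCert);
 PublicKey pubk = signerCert.getPublicKey();
 String sigAlgorithm = null;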
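Review bot: In setSigningCert (second hunk), `boolean valid = keyUsage[0];` tests a bare array index with nothing at the check saying which key-usage bit it is; if X509CertImpl follows the java.security.cert.X509Certificate contract, index 0 is digitalSignature, and that should be visible in the code, e.g. `private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;` and `boolean valid = keyUsage[KEY_USAGE_DIGITAL_SIGNATURE];`. The method also throws raw `Exception` for three distinct argument problems; `IllegalArgumentException` (or a project exception type) would let main handle them without a catch-all. The inline remark "not checking validity because we want to allow verifying old logs" is the one thing a caller needs to know and belongs in a Javadoc on the public method: that the certificate's validity period is deliberately not checked (and, as far as this hunk shows, nothing checks revocation status), and that only the digitalSignature key-usage bit is verified, not the extended key usage or trust chain. Please also document `@throws` for the null, missing-key-usage and wrong-key-usage cases so the messages in main stay meaningful to an operator.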