author | Endi S. Dewata <edewata@redhat.com> | 2017-06-12 17:16:45 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-06-13 06:46:00 +0200 |
commit | fbcbc909481cf2e3a3046f5f2adfbb4293febb5c (patch) | |
tree | c602fd69db9a4bf342b8bff4cb88c1e64fae6880 /base/java-tools/src/com/netscape/cmstools/AuditVerify.java | |
parent | e481a42fd64864a7b1ce8061b4d74d6331125729 (diff) | |
Refactored AuditVerify (part 2).
The code that performs the audit log verification in AuditVerify
has been moved into a new verify() method.
https://pagure.io/dogtagpki/issue/2634
Change-Id: Ic6d0f08b754feaac8779d7051e591ea03726df65
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools/AuditVerify.java')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 240 |
1 files changed, 142 insertions, 98 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 9363c7fcd..b294ad17b 100644
--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -27,6 +27,7 @@
 import java.security.PublicKey;
 import java.security.Signature;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.List;
 import java.util.StringTokenizer;
 import java.util.Vector;
@@ -141,6 +142,139 @@ public class AuditVerify {
 return (matchingFiles.length > 0);
 }
+ public class Result {
+ public int goodSigCount;
+ public int badSigCount;
+ public int sigStartLine;
+ public int sigStopLine;
+ public String sigStartFile;
+ public String sigStopFile;
+ public int signedLines;
+ }
+
+ public Result verify(List<String> logFiles) throws Exception {
+
+ PublicKey pubk = signingCert.getPublicKey();
+
+ String sigAlgorithm = null;
+ if (pubk instanceof RSAPublicKey) {
+ sigAlgorithm = "SHA-256/RSA";
+ } else if (pubk instanceof DSAPublicKey) {
+ sigAlgorithm = "SHA-256/DSA";
+ } else {
+ throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
+ }
+
+ Signature sig = Signature.getInstance(sigAlgorithm, CRYPTO_PROVIDER);
+ sig.initVerify(pubk);
+
+ int goodSigCount = 0;
+ int badSigCount = 0;
+
+ int lastFileWritten = -1;
+
+ int sigStartLine = 1;
+ int sigStopLine = 1;
+ String sigStartFile = logFiles.get(0);
+ String sigStopFile = null;
+ int signedLines = 1;
+
+ for (int curfile = 0; curfile < logFiles.size(); ++curfile) {
+
+ String curfileName = logFiles.get(curfile);
+ BufferedReader br = new BufferedReader(new FileReader(curfileName));
+
+ if (verbose) {
+ writeFile(curfileName);
+ lastFileWritten = curfile;
+ }
+
+ String curLine;
+ int linenum = 0;
+
+ while ((curLine = br.readLine()) != null) {
+
+ ++linenum;
+
+ if (curLine.indexOf("AUDIT_LOG_SIGNING") != -1) {
+
+ if (curfile == 0 && linenum == 1) {
+
+ // Ignore the first signature of the first file,
+ // since it signs data we don't have access to.
+ if (verbose) {
+ output(linenum, "Ignoring first signature of log series");
+ }
+
+ } else {
+
+ int sigStart = curLine.indexOf("sig: ") + 5;
+
+ if (sigStart < 5) {
+ output(linenum, "INVALID SIGNATURE");
+ ++badSigCount;
+
+ } else {
+
+ byte[] logSig = base64decode(curLine.substring(sigStart));
+
+ // verify the signature
+ if (sig.verify(logSig)) {
+
+ // signature verifies correctly
+ if (verbose) {
+ writeSigStatus(linenum, sigStartFile,
+ sigStartLine, sigStopFile, sigStopLine,
+ "verification succeeded");
+ }
+
+ ++goodSigCount;
+
+ } else {
+
+ if (lastFileWritten < curfile) {
+ writeFile(curfileName);
+ lastFileWritten = curfile;
+ }
+
+ writeSigStatus(linenum, sigStartFile,
+ sigStartLine, sigStopFile, sigStopLine,
+ "VERIFICATION FAILED");
+
+ ++badSigCount;
+ }
+ }
+
+ sig.initVerify(pubk);
+ signedLines = 0;
+ sigStartLine = linenum;
+ sigStartFile = curfileName;
+ }
+ }
+
+ byte[] lineBytes = curLine.getBytes("UTF-8");
+ sig.update(lineBytes);
+ sig.update(LINE_SEP_BYTE);
+ ++signedLines;
+ sigStopLine = linenum;
+ sigStopFile = curfileName;
+ }
+
+ br.close();
+ }
+
+ Result result = new Result();
+ result.goodSigCount = goodSigCount;
+ result.badSigCount = badSigCount;
+ result.sigStartLine = sigStartLine;
+ result.sigStopLine = sigStopLine;
+ result.sigStartFile = sigStartFile;
+ result.sigStopFile = sigStopFile;
+ result.signedLines = signedLines;
+
+ return result;
+ }
+
 public static void main(String args[]) {
 try {
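Review bot: verify() reads each log through `new FileReader(curfileName)`, which decodes with the platform default charset, yet feeds `curLine.getBytes("UTF-8")` to the Signature; on a host whose default charset is not UTF-8, a log entry containing non-ASCII bytes round-trips to different bytes than the signer hashed and a genuine signature is reported as VERIFICATION FAILED, so the verifier and signer should agree on the byte sequence by reading with an explicit decoder such as `new BufferedReader(new InputStreamReader(new FileInputStream(curfileName), "UTF-8"))` (adding those two java.io imports if the file lacks them). The reader is also closed only on the success path: `br.close()` at the end of the loop body is skipped whenever `readLine()`, `base64decode()` or `sig.verify()` throws, so open it in try-with-resources instead. Depending on the provider, `sig.verify(logSig)` can throw `SignatureException` for a malformed or wrongly sized signature value rather than return false, which aborts the whole run instead of counting that entry as bad; catching it around the verify call and treating it as a failed verification keeps a single corrupted line from hiding the result for the rest of the series. Separately, `Result` is a non-static inner class with public mutable fields; `public static class Result` avoids the hidden reference to the enclosing AuditVerify instance.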
@@ -222,113 +356,23 @@ public class AuditVerify {
 verifier.setVerbose(verbose);
 verifier.setSigningCert(signerCert);
- PublicKey pubk = signerCert.getPublicKey();
- String sigAlgorithm = null;
- if (pubk instanceof RSAPublicKey) {
- sigAlgorithm = "SHA-256/RSA";
- } else if (pubk instanceof DSAPublicKey) {
- sigAlgorithm = "SHA-256/DSA";
- } else {
- System.out.println("Error: unknown key type: " +
- pubk.getAlgorithm());
- System.exit(1);
- }
- Signature sig = Signature.getInstance(sigAlgorithm, CRYPTO_PROVIDER);
- sig.initVerify(pubk);
-
- int goodSigCount = 0;
- int badSigCount = 0;
-
- int lastFileWritten = -1;
-
- int sigStartLine = 1;
- int sigStopLine = 1;
- String sigStartFile = logFiles.elementAt(0);
- String sigStopFile = null;
- int signedLines = 1;
-
- for (int curfile = 0; curfile < logFiles.size(); ++curfile) {
- String curfileName = logFiles.elementAt(curfile);
- BufferedReader br = new BufferedReader(new FileReader(curfileName));
-
- if (verbose) {
- writeFile(curfileName);
- lastFileWritten = curfile;
- }
-
- String curLine;
- int linenum = 0;
- while ((curLine = br.readLine()) != null) {
- ++linenum;
- if (curLine.indexOf("AUDIT_LOG_SIGNING") != -1) {
- if (curfile == 0 && linenum == 1) {
- // Ignore the first signature of the first file,
- // since it signs data we don't have access to.
- if (verbose) {
- output(linenum,
- "Ignoring first signature of log series");
- }
- } else {
- int sigStart = curLine.indexOf("sig: ") + 5;
- if (sigStart < 5) {
- output(linenum, "INVALID SIGNATURE");
- ++badSigCount;
- } else {
- byte[] logSig =
- base64decode(curLine.substring(sigStart));
-
- // verify the signature
- if (sig.verify(logSig)) {
- // signature verifies correctly
- if (verbose) {
- writeSigStatus(linenum, sigStartFile,
- sigStartLine, sigStopFile, sigStopLine,
- "verification succeeded");
- }
- ++goodSigCount;
- } else {
- if (lastFileWritten < curfile) {
- writeFile(curfileName);
- lastFileWritten = curfile;
- }
- writeSigStatus(linenum, sigStartFile,
- sigStartLine, sigStopFile, sigStopLine,
- "VERIFICATION FAILED");
- ++badSigCount;
- }
- }
- sig.initVerify(pubk);
- signedLines = 0;
- sigStartLine = linenum;
- sigStartFile = curfileName;
- }
- }
-
- byte[] lineBytes = curLine.getBytes("UTF-8");
- sig.update(lineBytes);
- sig.update(LINE_SEP_BYTE);
- ++signedLines;
- sigStopLine = linenum;
- sigStopFile = curfileName;
- }
- br.close();
- }
+ Result result = verifier.verify(logFiles);
 // Make sure there were no unsigned log entries at the end.
 // The first signed line is the previous signature, but anything
 // more than that is data.
- if (signedLines > 1) {
+ if (result.signedLines > 1) {
 System.out.println(
- "ERROR: log entries after " + sigStartFile
- + ":" + sigStartLine + " are UNSIGNED");
- badSigCount++;
+ "ERROR: log entries after " + result.sigStartFile
+ + ":" + result.sigStartLine + " are UNSIGNED");
+ result.badSigCount++;
 }
 System.out.println("\nVerification process complete.");
- System.out.println("Valid signatures: " + goodSigCount);
- System.out.println("Invalid signatures: " + badSigCount);
+ System.out.println("Valid signatures: " + result.goodSigCount);
+ System.out.println("Invalid signatures: " + result.badSigCount);
- if (badSigCount > 0) {
+ if (result.badSigCount > 0) {
 System.exit(2);
 } else {
 System.exit(0); |
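Review bot: The trailing-unsigned-entries check (`if (result.signedLines > 1)`) and its `result.badSigCount++` remain in main(), so the Result returned by the new verify() — the reusable entry point this commit introduces — reports zero bad signatures for a log series whose last entries carry no signature; any other caller of verify() would miss the case the check exists for, namely entries appended or truncated after the last signature. Either move the check into verify() so it increments badSigCount there and exposes the finding (for example a `boolean unsignedTail` field on Result), leaving main() to print the message, or document on Result that `badSigCount` excludes unsigned trailing entries and that callers must test `signedLines > 1` themselves. The replaced `System.exit(1)` for an unknown key type is now an exception thrown from verify(); I assume the catch in main() maps it to a non-zero exit, but that code is outside this hunk, as is the start of main() itself.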