authorEndi S. Dewata <edewata@redhat.com>2015-12-01 23:34:41 +0100
committerEndi S. Dewata <edewata@redhat.com>2015-12-01 21:10:43 +0100
commit6a9990784b3a5ff18a800a288e8d1af173c7ae6e (patch)
treeff43c432f868edb0765180d41c09e6f358d666c0 /base/server/cmscore/src
parentc44d643c8f1f1b34004e8a1c5eedbcb75e46860d (diff)
Fixed selftest error handling.
The selftest has been modified to throw an exception and provide a more specific error message if a test fails, in order to help troubleshoot the problem. https://fedorahosted.org/pki/ticket/1328
Diffstat (limited to 'base/server/cmscore/src')
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java57
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java120
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java30
3 files changed, 104 insertions, 103 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 77f913636..1e1f844cd 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -24,7 +24,6 @@ import java.io.FileReader;
import java.io.IOException;
import java.math.BigInteger;
import java.security.NoSuchAlgorithmException;
-import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
@@ -44,32 +43,15 @@ import java.util.Vector;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPSSLSocketFactoryExt;
-import netscape.security.extensions.CertInfo;
-import netscape.security.pkcs.ContentInfo;
-import netscape.security.pkcs.PKCS7;
-import netscape.security.pkcs.SignerInfo;
-import netscape.security.util.ObjectIdentifier;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.Extension;
-import netscape.security.x509.GeneralName;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
import org.apache.commons.lang.StringUtils;
import org.apache.xerces.parsers.DOMParser;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.CryptoManager.CertificateUsage;
-import org.mozilla.jss.util.PasswordCallback;
+import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.Signature;
import org.mozilla.jss.crypto.SignatureAlgorithm;
-import org.mozilla.jss.crypto.CryptoToken;
-
+import org.mozilla.jss.util.PasswordCallback;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
@@ -184,8 +166,24 @@ import com.netscape.cmscore.util.Debug;
import com.netscape.cmsutil.net.ISocketFactory;
import com.netscape.cmsutil.password.IPasswordStore;
import com.netscape.cmsutil.password.NuxwdogPasswordStore;
-import com.netscape.cmsutil.util.Utils;
import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.util.Utils;
+
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSSLSocketFactoryExt;
+import netscape.security.extensions.CertInfo;
+import netscape.security.pkcs.ContentInfo;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.pkcs.SignerInfo;
+import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.Extension;
+import netscape.security.x509.GeneralName;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
public class CMSEngine implements ICMSEngine {
private static final String ID = "MAIN";
@@ -1259,7 +1257,7 @@ public class CMSEngine implements ICMSEngine {
return;
}
CMS.debug(method + "autoShutdown allowed");
- CryptoToken token =
+ CryptoToken token =
((org.mozilla.jss.pkcs11.PK11PrivKey) mSigningKey).getOwningToken();
SignatureAlgorithm signAlg = Cert.mapAlgorithmToJss("SHA256withRSA");
Signature signer = token.getSignatureContext(signAlg);
@@ -1731,17 +1729,16 @@ public class CMSEngine implements ICMSEngine {
}
}
- public boolean verifySystemCerts() {
- return CertUtils.verifySystemCerts();
+ public void verifySystemCerts() throws Exception {
+ CertUtils.verifySystemCerts();
}
- public boolean verifySystemCertByTag(String tag) {
- return CertUtils.verifySystemCertByTag(tag);
+ public void verifySystemCertByTag(String tag) throws Exception {
+ CertUtils.verifySystemCertByTag(tag);
}
- public boolean verifySystemCertByNickname(String nickname, String certificateUsage) {
- CMS.debug("CMSEngine: verifySystemCertByNickname(" + nickname + ", " + certificateUsage + ")");
- return CertUtils.verifySystemCertByNickname(nickname, certificateUsage);
+ public void verifySystemCertByNickname(String nickname, String certificateUsage) throws Exception {
+ CertUtils.verifySystemCertByNickname(nickname, certificateUsage);
}
public CertificateUsage getCertificateUsage(String certusage) {
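Review bot: The three delegating methods now declare `throws Exception`, which forces every caller that used to test the boolean result to catch `Exception` and thereby lumps unrelated runtime failures into the same handler as a failed certificate check. A narrower checked type, or at least a Javadoc making the new contract explicit, would help, e.g. above verifySystemCerts: `/** Verifies all system certificates; a failed check is reported by the thrown exception, not by a return value. */`. The `ICMSEngine` interface this class implements (line 90) is outside this directory's diffstat, so its declarations were presumably changed in the same commit; worth confirming.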
@@ -1995,7 +1992,7 @@ public class CMSEngine implements ICMSEngine {
crumb.createNewFile();
} catch (IOException e) {
CMS.debug(method + " create autoShutdown crumb file failed on " +
- mAutoSD_CrumbFile + "; nothing to do...keep shutting down:" + e.toString());
+ mAutoSD_CrumbFile + "; nothing to do...keep shutting down:" + e);
e.printStackTrace();
}
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 244c36dc7..8c5c2ccc1 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -35,6 +35,15 @@ import java.util.Arrays;
import java.util.Date;
import java.util.StringTokenizer;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.CryptoManager.CertificateUsage;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmsutil.util.Utils;
+
import netscape.security.extensions.NSCertTypeExtension;
import netscape.security.pkcs.PKCS10;
import netscape.security.pkcs.PKCS7;
@@ -54,15 +63,6 @@ import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
import netscape.security.x509.X509Key;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.CryptoManager.CertificateUsage;
-
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.logging.ILogger;
-import com.netscape.cmsutil.util.Utils;
-
/**
* Utility class with assorted methods to check for
* smime pairs, determining the type of cert - signature
@@ -828,43 +828,42 @@ public class CertUtils {
/*
* verify a certificate by its nickname
- * returns true if it verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCertByNickname(String nickname, String certusage) {
- CMS.debug("CertUtils: verifySystemCertByNickname(" + nickname + "," + certusage + ")");
- boolean r = true;
- CertificateUsage cu = null;
- cu = getCertificateUsage(certusage);
+ public static void verifySystemCertByNickname(String nickname, String certusage) throws Exception {
+ CMS.debug("CertUtils: verifySystemCertByNickname(" + nickname + ", " + certusage + ")");
+ CertificateUsage cu = getCertificateUsage(certusage);
int ccu = 0;
if (cu == null) {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: " +
nickname + " with unsupported certusage =" + certusage);
- return false;
+ throw new Exception("Unsupported certificate usage " + certusage + " in certificate " + nickname);
}
if (certusage == null || certusage.equals(""))
CMS.debug("CertUtils: verifySystemCertByNickname(): required certusage not defined, getting current certusage");
+
CMS.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid()");
try {
CryptoManager cm = CryptoManager.getInstance();
if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
if (cm.isCertValid(nickname, true, cu)) {
- r = true;
CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
} else {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: " + nickname);
- r = false;
+ throw new Exception("Invalid certificate " + nickname);
}
+
} else {
// find out about current cert usage
ccu = cm.isCertValid(nickname, true);
if (ccu == CertificateUsage.basicCertificateUsages) {
/* cert is good for nothing */
- r = false;
CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" + nickname);
+ throw new Exception("Unusable certificate " + nickname);
+
} else {
- r = true;
CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
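Review bot: The new `throw new Exception("Invalid certificate " + nickname)` after the failed `isCertValid` check, and the `throw new Exception("Unusable certificate " + nickname)` in the else branch, are raised inside the `try` whose `catch (Exception e)` (in the next hunk) logs `verifySystemCertByNickname() failed: ` + e and rethrows, so every verification failure is now debug-logged twice, once with the nickname and once with the exception text. Either drop the `CMS.debug(... failed ...)` line that precedes each throw, or let the catch log only the exceptions that originate from the JSS calls. Separately, the header comment is a `/*` block, so the added `@throws Exception if something is wrong` is not processed as a Javadoc tag; changing the opener to `/**` here, and in the same comment blocks above verifySystemCertByTag and verifySystemCerts in the later hunks, would make it one. The catch block and the rest of the usage checks of this method lie outside the hunk.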
@@ -893,31 +892,31 @@ public class CertUtils {
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
}
}
+
} catch (Exception e) {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed: " +
- e.toString());
- r = false;
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: " + e);
+ throw e;
}
- return r;
}
/*
* verify a certificate by its tag name
- * returns true if it verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCertByTag(String tag) {
+ public static void verifySystemCertByTag(String tag) throws Exception {
CMS.debug("CertUtils: verifySystemCertByTag(" + tag + ")");
String auditMessage = null;
IConfigStore config = CMS.getConfigStore();
- boolean r = true;
+
try {
String subsysType = config.getString("cs.type", "");
if (subsysType.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() cs.type not defined in CS.cfg. System certificates verification not done");
- r = false;
+ throw new Exception("Missing cs.type in CS.cfg");
}
+
subsysType = toLowerCaseSubsystemType(subsysType);
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
@@ -928,39 +927,32 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
- return r;
+ throw new Exception("Invalid cs.type in CS.cfg");
}
+
String nickname = config.getString(subsysType + ".cert." + tag + ".nickname", "");
if (nickname.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag " + tag + " undefined in CS.cfg");
- r = false;
+ throw new Exception("Missing nickname for " + tag + " certificate");
}
+
String certusage = config.getString(subsysType + ".cert." + tag + ".certusage", "");
if (certusage.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag "
+ tag + " undefined in CS.cfg, getting current certificate usage");
+ // throw new Exception("Missing certificate usage for " + tag + " certificate"); ?
}
- r = verifySystemCertByNickname(nickname, certusage);
- if (r == true) {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.SUCCESS,
- nickname);
- audit(auditMessage);
- } else {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- nickname);
+ verifySystemCertByNickname(nickname, certusage);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID,
+ ILogger.SUCCESS,
+ nickname);
+
+ audit(auditMessage);
- audit(auditMessage);
- }
} catch (Exception e) {
CMS.debug("CertUtils: verifySystemCertsByTag() failed: " +
e.toString());
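Review bot: The commented-out `// throw new Exception("Missing certificate usage for " + tag + " certificate"); ?` leaves an undecided question in the code. As the debug message on the preceding lines says, an empty `certusage` presumably falls through to verifySystemCertByNickname's "getting current certusage" path, so a tag whose usage is missing from CS.cfg is checked against whatever usages the certificate currently has rather than the usage the subsystem needs for it; that weaker check deserves an explicit decision. Either enable the throw or replace the commented code with a comment recording the choice, e.g. `// An empty certusage is accepted here: the cert is then validated for its current usages only, not for the usage this tag requires.`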
@@ -971,10 +963,8 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
+ throw e;
}
-
- return r;
}
/*
@@ -1015,13 +1005,13 @@ public class CertUtils {
/*
* goes through all system certs and check to see if they are good
* and audit the result
- * returns true if all verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCerts() {
+ public static void verifySystemCerts() throws Exception {
+
String auditMessage = null;
IConfigStore config = CMS.getConfigStore();
- boolean verifyResult = true;
- boolean r = true; /* the final return value */
+
try {
String subsysType = config.getString("cs.type", "");
if (subsysType.equals("")) {
@@ -1033,8 +1023,9 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Missing cs.type in CS.cfg");
}
+
subsysType = toLowerCaseSubsystemType(subsysType);
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
@@ -1045,8 +1036,9 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Invalid cs.type in CS.cfg");
}
+
String certlist = config.getString(subsysType + ".cert.list", "");
if (certlist.equals("")) {
CMS.debug("CertUtils: verifySystemCerts() "
@@ -1058,17 +1050,17 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Missing " + subsysType + ".cert.list in CS.cfg");
}
+
StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
while (tokenizer.hasMoreTokens()) {
String tag = tokenizer.nextToken();
tag = tag.trim();
CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
- verifyResult = verifySystemCertByTag(tag);
- if (verifyResult == false)
- r = false; //r captures the value for final return
+ verifySystemCertByTag(tag);
}
+
} catch (Exception e) {
// audit here
auditMessage = CMS.getLogMessage(
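Review bot: The loop now stops at the first tag whose `verifySystemCertByTag(tag)` throws, whereas the replaced code recorded the failure in `r` and kept going, so the remaining certificates are neither checked nor audited and the outer catch in the next hunk reports only the first failure. If the previous check-everything semantics are still wanted, catch per tag, continue, and throw one summary exception after the loop as sketched below; if fail-fast is intended, a comment saying so would help. The enclosing try/catch continues past this hunk.
```java
StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
StringBuilder failures = new StringBuilder();
while (tokenizer.hasMoreTokens()) {
    String tag = tokenizer.nextToken().trim();
    CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
    try {
        verifySystemCertByTag(tag);
    } catch (Exception e) {
        // verifySystemCertByTag has already audited this tag; keep checking the others
        if (failures.length() > 0) {
            failures.append("; ");
        }
        failures.append(tag).append(": ").append(e.getMessage());
    }
}
if (failures.length() > 0) {
    // caught by the enclosing catch, which audits the overall failure and rethrows
    throw new Exception("System certificate verification failed: " + failures);
}
// … unchanged: outer catch audits the failure and rethrows …
```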
@@ -1078,10 +1070,8 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
- CMS.debug("CertUtils: verifySystemCerts():" + e.toString());
+ throw e;
}
- return r;
}
public static String toLowerCaseSubsystemType(String s) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index d060f8180..14fab26e4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -1328,13 +1328,24 @@ public class SelfTestSubsystem
loggerFullName,
loggerValue));
- throw new EInvalidSelfTestException(loggerFullName,
- loggerValue);
+ throw new EInvalidSelfTestException(
+ "The self test plugin named " +
+ loggerFullName + " contains a value " +
+ loggerValue + " which is not an instance of ILogEventListener.");
}
// initialize the self tests logger
mLogger = (ILogEventListener) o;
mLogger.init(this, loggerConfig);
+
+ } catch (EMissingSelfTestException e) {
+ // already logged
+ throw e;
+
+ } catch (EInvalidSelfTestException e) {
+ // already logged
+ throw e;
+
} catch (EBaseException e) {
// self test property name EBaseException
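Review bot: The two new catch clauses for `EMissingSelfTestException` and `EInvalidSelfTestException` exist only to rethrow those types before the `catch (EBaseException e)` below can reach them (both presumably extend EBaseException), and they carry the same `// already logged` comment. If the project compiles for Java 7 or later they collapse into one clause: `catch (EMissingSelfTestException | EInvalidSelfTestException e) { throw e; // already logged }`. The try block they belong to begins above this hunk.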
@@ -1351,8 +1362,8 @@ public class SelfTestSubsystem
loggerFullName,
loggerValue));
- throw new EInvalidSelfTestException(loggerFullName,
- loggerValue);
+ throw e;
+
} catch (Exception e) {
// NOTE: These messages can only be logged to the
// "transactions" log, since the "selftests.log"
@@ -1369,8 +1380,7 @@ public class SelfTestSubsystem
CMS.debugStackTrace();
- throw new EInvalidSelfTestException(loggerFullName,
- loggerValue);
+ throw new EBaseException(e);
}
}
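Review bot: `throw new EBaseException(e)` replaces an `EInvalidSelfTestException` built from `loggerFullName` and `loggerValue`, so the exception that reaches the caller no longer names the self test plugin that failed to initialize, and its type changes for any caller that catches `EInvalidSelfTestException` specifically. If `EBaseException` has a constructor taking a message and a cause, passing `"Unable to initialize self test logger " + loggerFullName` together with `e` would keep that context; otherwise a comment such as `// detail is in the cause; loggerFullName/loggerValue were logged above` would at least point the reader to it. The enclosing method extends beyond this hunk.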
@@ -1481,6 +1491,11 @@ public class SelfTestSubsystem
throw new EMissingSelfTestException(instanceFullName,
instanceValue);
}
+
+ } catch (EMissingSelfTestException e) {
+ // already logged
+ throw e;
+
} catch (EBaseException e) {
// self test property name EBaseException
log(mLogger,
@@ -1489,8 +1504,7 @@ public class SelfTestSubsystem
instanceFullName,
instanceValue));
- throw new EInvalidSelfTestException(instanceFullName,
- instanceValue);
+ throw e;
}
// verify that the associated class is a valid instance of ISelfTest