authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-01-11 18:57:21 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-01-11 18:57:21 +0000
commit3a0e4d837fdd82c87a460d436033eb76efef7fd2 (patch)
tree1af28a01afb2a7a3d748a295040e13f98ee84653 /pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
parentba3183c6a53f3bbfc96b11668f650af40389ae8a (diff)
Bug 661142 - Verification should fail when a revoked certificate is added
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1722 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java')
-rw-r--r--pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java53
1 files changed, 46 insertions, 7 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
index 6e38a4b4f..6731ae35d 100644
--- a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
@@ -789,6 +789,7 @@ public class CertUtils {
boolean r = true;
CertificateUsage cu = null;
cu = getCertificateUsage(certusage);
+ int ccu = 0;
if (cu == null) {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+
@@ -797,16 +798,54 @@ public class CertUtils {
}
if (certusage == "")
- CMS.debug("CertUtils: verifySystemCertByNickname(): certusage not defined, bypassing certusage check");
+ CMS.debug("CertUtils: verifySystemCertByNickname(): required certusage not defined, getting current certusage");
CMS.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid()");
try {
CryptoManager cm = CryptoManager.getInstance();
- if (cm.isCertValid(nickname, true, cu)) {
- r = true;
- CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+ if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
+ if (cm.isCertValid(nickname, true, cu)) {
+ r = true;
+ CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+ } else {
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed:" + nickname);
+ r = false;
+ }
} else {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed:" + nickname);
- r = false;
+ // find out about current cert usage
+ ccu = cm.isCertValid(nickname, true);
+ if (ccu == CertificateUsage.basicCertificateUsages) {
+ /* cert is good for nothing */
+ r = false;
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:"+ nickname);
+ } else {
+ r = true;
+ CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+
+ if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer");
+ if ((ccu & CryptoManager.CertificateUsage.SSLClient.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLClient");
+ if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServerWithStepUp");
+ if ((ccu & CryptoManager.CertificateUsage.SSLCA.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLCA");
+ if ((ccu & CryptoManager.CertificateUsage.EmailSigner.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailSigner");
+ if ((ccu & CryptoManager.CertificateUsage.EmailRecipient.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailRecipient");
+ if ((ccu & CryptoManager.CertificateUsage.ObjectSigner.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is ObjectSigner");
+ if ((ccu & CryptoManager.CertificateUsage.UserCertImport.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is UserCertImport");
+ if ((ccu & CryptoManager.CertificateUsage.VerifyCA.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is VerifyCA");
+ if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is ProtectedObjectSigner");
+ if ((ccu & CryptoManager.CertificateUsage.StatusResponder.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is StatusResponder");
+ if ((ccu & CryptoManager.CertificateUsage.AnyCA.getUsage()) != 0)
+ CMS.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
+ }
}
} catch (Exception e) {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+
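Review bot: The all-usages branch fails the certificate only when `ccu == CertificateUsage.basicCertificateUsages` holds exactly, so every other return from `cm.isCertValid(nickname, true)` is logged as passed, including a value with no usage bit set outside the basic mask (0, for instance, if the call can return that). For a check meant to reject revoked or otherwise invalid system certificates, testing the bits is the fail-closed form: `if ((ccu & ~CertificateUsage.basicCertificateUsages) == 0) {`. This branch also accepts a certificate that is valid for any single usage, which is weaker than the configured-usage path above it, so a comment saying that an undefined certusage only proves "valid for something" would help whoever maintains CS.cfg. The context line `if (certusage == "")` compares references rather than content; `certusage.isEmpty()` would agree with the `certusage.equals("")` used in verifySystemCertByTag(). The method body starts before this hunk and its catch block continues past it.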
@@ -850,7 +889,7 @@ public class CertUtils {
}
String certusage = config.getString(subsysType+".cert."+tag+".certusage", "");
if (certusage.equals("")) {
- CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " + tag + " undefined in CS.cfg, not checking certificate usage");
+ CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " + tag + " undefined in CS.cfg, getting current certificate usage");
}
r = verifySystemCertByNickname(nickname, certusage);
if (r == true) {