authorAde Lee <alee@redhat.com>2011-12-07 16:58:12 -0500
committerAde Lee <alee@redhat.com>2011-12-07 16:58:12 -0500
commit32150d3ee32f8ac27118af7c792794b538c78a2f (patch)
tree52dd96f664a6fa51be25b28b6f10adc5f2c9f660 /pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
parentf05d58a46795553beb8881039cc922974b40db34 (diff)
Formatting
Formatted the project according to the Eclipse project settings.
Diffstat (limited to 'pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java')
-rw-r--r--pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java390
1 files changed, 198 insertions, 192 deletions
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index aa8ffe9a4..7679c9f23 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmstools;
-
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
@@ -45,7 +44,8 @@ import org.mozilla.jss.crypto.X509Certificate;
public class AuditVerify {
private static void usage() {
- System.out.println("Usage: AuditVerify -d <dbdir> -n <signing certificate nickname> -a <log list file> [-P <cert/key db prefix>] [-v]");
+ System.out
+ .println("Usage: AuditVerify -d <dbdir> -n <signing certificate nickname> -a <log list file> [-P <cert/key db prefix>] [-v]");
System.exit(1);
}
@@ -69,34 +69,34 @@ public class AuditVerify {
}
private static void writeSigStatus(int linenum, String sigStartFile,
- int sigStartLine, String sigStopFile, int sigStopLine, String mesg)
- throws IOException
- {
- output(linenum, mesg + ": signature of " + sigStartFile + ":" +
- sigStartLine + " to " + sigStopFile + ":" + sigStopLine);
+ int sigStartLine, String sigStopFile, int sigStopLine, String mesg)
+ throws IOException {
+ output(linenum, mesg + ": signature of " + sigStartFile + ":"
+ + sigStartLine + " to " + sigStopFile + ":" + sigStopLine);
}
private static class PrefixFilter implements FilenameFilter {
private String prefix;
+
public PrefixFilter(String prefix) {
this.prefix = prefix;
}
+
public boolean accept(File dir, String name) {
// look for <prefix>cert* in this directory
- return( name.indexOf(prefix + "cert") != -1 );
+ return (name.indexOf(prefix + "cert") != -1);
}
}
public static boolean validPrefix(String configDir, String prefix)
- throws IOException
- {
+ throws IOException {
File dir = new File(configDir);
- if( ! dir.isDirectory() ) {
+ if (!dir.isDirectory()) {
System.out.println("ERROR: \"" + dir + "\" is not a directory");
usage();
}
- String matchingFiles[] = dir.list( new PrefixFilter(prefix) );
+ String matchingFiles[] = dir.list(new PrefixFilter(prefix));
// prefix may be valid if at least one file matched the pattern
return (matchingFiles.length > 0);
@@ -113,218 +113,224 @@ public class AuditVerify {
return (keyUsage == null) ? false : keyUsage[0];
}
-
public static void main(String args[]) {
- try {
-
- String dbdir = null;
- String logListFile = null;
- String signerNick = null;
- String prefix = null;
- boolean verbose = false;
-
- for(int i = 0; i < args.length; ++i) {
- if( args[i].equals("-d") ) {
- if( ++i >= args.length ) usage();
- dbdir = args[i];
- } else if( args[i].equals("-a") ) {
- if( ++i >= args.length ) usage();
- logListFile = args[i];
- } else if( args[i].equals("-n") ) {
- if( ++i >= args.length ) usage();
- signerNick = args[i];
- } else if( args[i].equals("-P") ) {
- if( ++i >= args.length ) usage();
- prefix = args[i];
- } else if( args[i].equals("-v") ) {
- verbose = true;
- } else {
- System.out.println("Unrecognized argument(" + i + "): "
- + args[i]);
+ try {
+
+ String dbdir = null;
+ String logListFile = null;
+ String signerNick = null;
+ String prefix = null;
+ boolean verbose = false;
+
+ for (int i = 0; i < args.length; ++i) {
+ if (args[i].equals("-d")) {
+ if (++i >= args.length)
+ usage();
+ dbdir = args[i];
+ } else if (args[i].equals("-a")) {
+ if (++i >= args.length)
+ usage();
+ logListFile = args[i];
+ } else if (args[i].equals("-n")) {
+ if (++i >= args.length)
+ usage();
+ signerNick = args[i];
+ } else if (args[i].equals("-P")) {
+ if (++i >= args.length)
+ usage();
+ prefix = args[i];
+ } else if (args[i].equals("-v")) {
+ verbose = true;
+ } else {
+ System.out.println("Unrecognized argument(" + i + "): "
+ + args[i]);
+ usage();
+ }
+ }
+ if (dbdir == null || logListFile == null || signerNick == null) {
+ System.out.println("Argument omitted");
usage();
}
- }
- if( dbdir == null || logListFile == null || signerNick == null) {
- System.out.println("Argument omitted");
- usage();
- }
- // get list of log files
- Vector logFiles = new Vector();
- BufferedReader r = new BufferedReader(new FileReader(logListFile));
- String listLine;
- while( (listLine = r.readLine()) != null ) {
- StringTokenizer tok = new StringTokenizer(listLine, ",");
- while( tok.hasMoreElements() ) {
- logFiles.addElement( ((String)tok.nextElement()).trim());
+ // get list of log files
+ Vector logFiles = new Vector();
+ BufferedReader r = new BufferedReader(new FileReader(logListFile));
+ String listLine;
+ while ((listLine = r.readLine()) != null) {
+ StringTokenizer tok = new StringTokenizer(listLine, ",");
+ while (tok.hasMoreElements()) {
+ logFiles.addElement(((String) tok.nextElement()).trim());
+ }
+ }
+ if (logFiles.size() == 0) {
+ System.out.println("Error: no log files listed in "
+ + logListFile);
+ System.exit(1);
}
- }
- if( logFiles.size() == 0 ) {
- System.out.println("Error: no log files listed in " + logListFile);
- System.exit(1);
- }
- // initialize crypto stuff
- if( prefix == null ) {
- if( ! validPrefix(dbdir, "")) {
- System.out.println("ERROR: \"" + dbdir +
- "\" does not contain any security databases");
- usage();
+ // initialize crypto stuff
+ if (prefix == null) {
+ if (!validPrefix(dbdir, "")) {
+ System.out.println("ERROR: \"" + dbdir
+ + "\" does not contain any security databases");
+ usage();
+ }
+ CryptoManager.initialize(dbdir);
+ } else {
+ if (!validPrefix(dbdir, prefix)) {
+ System.out.println("ERROR: \"" + prefix
+ + "\" is not a valid prefix");
+ usage();
+ }
+ CryptoManager
+ .initialize(new CryptoManager.InitializationValues(
+ dbdir, prefix, prefix, "secmod.db"));
}
- CryptoManager.initialize(dbdir);
- } else {
- if( ! validPrefix(dbdir, prefix) ) {
- System.out.println("ERROR: \"" + prefix +
- "\" is not a valid prefix");
- usage();
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate signerCert = cm.findCertByNickname(signerNick);
+
+ X509CertImpl cert_i = null;
+ if (signerCert != null) {
+ byte[] signerCert_b = signerCert.getEncoded();
+ cert_i = new X509CertImpl(signerCert_b);
+ } else {
+ System.out.println("ERROR: signing certificate not found");
+ System.exit(1);
}
- CryptoManager.initialize(
- new CryptoManager.InitializationValues(dbdir, prefix, prefix,
- "secmod.db")
- );
- }
- CryptoManager cm = CryptoManager.getInstance();
- X509Certificate signerCert = cm.findCertByNickname(signerNick);
-
- X509CertImpl cert_i = null;
- if (signerCert != null) {
- byte[] signerCert_b = signerCert.getEncoded();
- cert_i = new X509CertImpl(signerCert_b);
- } else {
- System.out.println("ERROR: signing certificate not found");
- System.exit(1);
- }
- // verify signer's certificate
- // not checking validity because we want to allow verifying old logs
- //
- if (!isSigningCert(cert_i)) {
- System.out.println("info: signing certificate is not a signing certificate");
- System.exit(1);
- }
+ // verify signer's certificate
+ // not checking validity because we want to allow verifying old logs
+ //
+ if (!isSigningCert(cert_i)) {
+ System.out
+ .println("info: signing certificate is not a signing certificate");
+ System.exit(1);
+ }
- PublicKey pubk = signerCert.getPublicKey();
- String sigAlgorithm=null;
- if( pubk instanceof RSAPublicKey ) {
- sigAlgorithm = "SHA-256/RSA";
- } else if( pubk instanceof DSAPublicKey ) {
- sigAlgorithm = "SHA-256/DSA";
- } else {
- System.out.println("Error: unknown key type: " +
- pubk.getAlgorithm());
- System.exit(1);
- }
- Signature sig = Signature.getInstance(sigAlgorithm, CRYPTO_PROVIDER);
- sig.initVerify(pubk);
+ PublicKey pubk = signerCert.getPublicKey();
+ String sigAlgorithm = null;
+ if (pubk instanceof RSAPublicKey) {
+ sigAlgorithm = "SHA-256/RSA";
+ } else if (pubk instanceof DSAPublicKey) {
+ sigAlgorithm = "SHA-256/DSA";
+ } else {
+ System.out.println("Error: unknown key type: "
+ + pubk.getAlgorithm());
+ System.exit(1);
+ }
+ Signature sig = Signature
+ .getInstance(sigAlgorithm, CRYPTO_PROVIDER);
+ sig.initVerify(pubk);
- int goodSigCount = 0;
- int badSigCount = 0;
+ int goodSigCount = 0;
+ int badSigCount = 0;
- int lastFileWritten = -1;
+ int lastFileWritten = -1;
- int sigStartLine = 1;
- int sigStopLine = 1;
- String sigStartFile = (String) logFiles.elementAt(0);
- String sigStopFile = null;
- int signedLines = 1;
+ int sigStartLine = 1;
+ int sigStopLine = 1;
+ String sigStartFile = (String) logFiles.elementAt(0);
+ String sigStopFile = null;
+ int signedLines = 1;
- boolean lastLineWasSig = false;
+ boolean lastLineWasSig = false;
- for( int curfile = 0; curfile < logFiles.size(); ++curfile) {
- String curfileName = (String) logFiles.elementAt(curfile);
- BufferedReader br = new BufferedReader(new FileReader(curfileName));
+ for (int curfile = 0; curfile < logFiles.size(); ++curfile) {
+ String curfileName = (String) logFiles.elementAt(curfile);
+ BufferedReader br = new BufferedReader(new FileReader(
+ curfileName));
- if( verbose ) {
- writeFile(curfileName);
- lastFileWritten = curfile;
- }
+ if (verbose) {
+ writeFile(curfileName);
+ lastFileWritten = curfile;
+ }
- String curLine;
- int linenum = 0;
- while( (curLine = br.readLine()) != null ) {
- ++linenum;
- if( curLine.indexOf("AUDIT_LOG_SIGNING") != -1 ) {
- if( curfile == 0 && linenum == 1 ) {
- // Ignore the first signature of the first file,
- // since it signs data we don't have access to.
- if( verbose ) {
- output(linenum,
- "Ignoring first signature of log series");
- }
- } else {
- int sigStart = curLine.indexOf("sig: ") + 5;
- if( sigStart < 5 ) {
- output(linenum, "INVALID SIGNATURE");
- ++badSigCount;
+ String curLine;
+ int linenum = 0;
+ while ((curLine = br.readLine()) != null) {
+ ++linenum;
+ if (curLine.indexOf("AUDIT_LOG_SIGNING") != -1) {
+ if (curfile == 0 && linenum == 1) {
+ // Ignore the first signature of the first file,
+ // since it signs data we don't have access to.
+ if (verbose) {
+ output(linenum,
+ "Ignoring first signature of log series");
+ }
} else {
- byte[] logSig =
- base64decode(curLine.substring(sigStart));
-
- // verify the signature
- if( sig.verify(logSig) ) {
- // signature verifies correctly
- if( verbose ) {
- writeSigStatus(linenum, sigStartFile,
- sigStartLine, sigStopFile, sigStopLine,
- "verification succeeded");
- }
- ++goodSigCount;
+ int sigStart = curLine.indexOf("sig: ") + 5;
+ if (sigStart < 5) {
+ output(linenum, "INVALID SIGNATURE");
+ ++badSigCount;
} else {
- if( lastFileWritten < curfile ) {
- writeFile(curfileName);
- lastFileWritten = curfile;
+ byte[] logSig = base64decode(curLine
+ .substring(sigStart));
+
+ // verify the signature
+ if (sig.verify(logSig)) {
+ // signature verifies correctly
+ if (verbose) {
+ writeSigStatus(linenum, sigStartFile,
+ sigStartLine, sigStopFile,
+ sigStopLine,
+ "verification succeeded");
+ }
+ ++goodSigCount;
+ } else {
+ if (lastFileWritten < curfile) {
+ writeFile(curfileName);
+ lastFileWritten = curfile;
+ }
+ writeSigStatus(linenum, sigStartFile,
+ sigStartLine, sigStopFile,
+ sigStopLine, "VERIFICATION FAILED");
+ ++badSigCount;
}
- writeSigStatus(linenum, sigStartFile,
- sigStartLine, sigStopFile, sigStopLine,
- "VERIFICATION FAILED");
- ++badSigCount;
}
+ sig.initVerify(pubk);
+ signedLines = 0;
+ sigStartLine = linenum;
+ sigStartFile = curfileName;
}
- sig.initVerify(pubk);
- signedLines = 0;
- sigStartLine = linenum;
- sigStartFile = curfileName;
}
+
+ byte[] lineBytes = curLine.getBytes("UTF-8");
+ sig.update(lineBytes);
+ sig.update(LINE_SEP_BYTE);
+ ++signedLines;
+ sigStopLine = linenum;
+ sigStopFile = curfileName;
}
- byte[] lineBytes = curLine.getBytes("UTF-8");
- sig.update(lineBytes);
- sig.update(LINE_SEP_BYTE);
- ++signedLines;
- sigStopLine = linenum;
- sigStopFile = curfileName;
}
- }
+ // Make sure there were no unsigned log entries at the end.
+ // The first signed line is the previous signature, but anything
+ // more than that is data.
+ if (signedLines > 1) {
+ System.out.println("ERROR: log entries after " + sigStartFile
+ + ":" + sigStartLine + " are UNSIGNED");
+ badSigCount++;
+ }
- // Make sure there were no unsigned log entries at the end.
- // The first signed line is the previous signature, but anything
- // more than that is data.
- if( signedLines > 1 ) {
- System.out.println(
- "ERROR: log entries after " + sigStartFile
- + ":" + sigStartLine + " are UNSIGNED");
- badSigCount++;
- }
+ System.out.println("\nVerification process complete.");
+ System.out.println("Valid signatures: " + goodSigCount);
+ System.out.println("Invalid signatures: " + badSigCount);
- System.out.println("\nVerification process complete.");
- System.out.println("Valid signatures: " + goodSigCount);
- System.out.println("Invalid signatures: " + badSigCount);
+ if (badSigCount > 0) {
+ System.exit(2);
+ } else {
+ System.exit(0);
+ }
- if( badSigCount > 0 ) {
- System.exit(2);
- } else {
- System.exit(0);
+ } catch (FileNotFoundException fnfe) {
+ System.out.println(fnfe);
+ } catch (ObjectNotFoundException onfe) {
+ System.out.println("ERROR: certificate not found");
+ } catch (Exception e) {
+ e.printStackTrace();
}
- } catch(FileNotFoundException fnfe) {
- System.out.println(fnfe);
- } catch(ObjectNotFoundException onfe) {
- System.out.println("ERROR: certificate not found");
- } catch(Exception e) {
- e.printStackTrace();
- }
-
System.out.println("Verification process FAILED.");
System.exit(1);
}
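Review bot: In the signature-line branch of the verification loop (`byte[] logSig = base64decode(curLine.substring(sigStart));` followed by `sig.verify(logSig)`), a signature that is present but undecodable is not counted as a bad signature; it escapes the loop. Nothing in the loop catches, so if `base64decode` (defined outside this hunk) throws on malformed input, or `sig.verify` throws `SignatureException` on a malformed signature value, control lands in the outer `catch (Exception e)`, which prints a stack trace and exits 1 — every file after the corrupted line is left unverified and no per-line "VERIFICATION FAILED" is reported, which is a weaker result than the existing "INVALID SIGNATURE" path taken when the `sig: ` token is missing. I would treat a decode or verify exception as a failed signature for that line and continue, so that a single corrupted record cannot hide tampering later in the series; `main` begins and ends inside this hunk. Separately, `r` and `br` are never closed, which is harmless for a one-shot tool but would be a one-line `try`-with-resources fix if the file moves past Java 6.

```java
                        } else {
                            boolean verified = false;
                            try {
                                byte[] logSig = base64decode(curLine
                                        .substring(sigStart));
                                verified = sig.verify(logSig);
                            } catch (Exception e) {
                                // An undecodable or malformed signature is a bad
                                // signature for this line, not a reason to stop
                                // verifying the rest of the log series.
                                output(linenum, "MALFORMED SIGNATURE: " + e);
                            }
                            if (verified) {
                                // … unchanged: "verification succeeded" reporting …
                            } else {
                                // … unchanged: writeFile / "VERIFICATION FAILED" reporting …
```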