authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-23 03:56:06 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-23 03:56:06 +0000
commit2f397c05020e7d85886a1146c963d5a7900e09f3 (patch)
treeaf6fa68d7c9d6d8b531e06ae9a7a3576a921eb4e /pki/base/java-tools/src
parent281568c660e81ca4b8943bd358ceb57fffa492d4 (diff)
481237 - signed audit
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@183 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/java-tools/src')
-rw-r--r--pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java31
1 files changed, 26 insertions, 5 deletions
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 3207c2f76..955004c25 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.util.Base64InputStream;
import java.security.*;
import java.security.interfaces.*;
+import netscape.security.x509.X509CertImpl;
/**
* Tool for verifying signed audit logs
@@ -92,6 +93,17 @@ public class AuditVerify {
return (matchingFiles.length > 0);
}
+ public static boolean isSigningCert(X509CertImpl cert) {
+ boolean[] keyUsage = null;
+
+ try {
+ keyUsage = cert.getKeyUsage();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ return (keyUsage == null) ? false : keyUsage[0];
+ }
+
public static void main(String args[]) {
try {
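Review bot: `isSigningCert` returns false for two distinct conditions — a certificate with no KeyUsage extension and one whose extension could not be read because `cert.getKeyUsage()` threw — and the catch block only prints the stack trace, so a caller that reports "not a signing certificate" is misleading in the second case. The return also indexes `keyUsage[0]` without checking the array length; whether `X509CertImpl.getKeyUsage()` guarantees a non-empty array is not visible here, so `return keyUsage != null && keyUsage.length > 0 && keyUsage[0];` is cheap insurance. The method tests only the digitalSignature bit, and in the next hunk it stands in for the removed `cm.isCertValid(...)` call, so no trust-chain, expiry or revocation check is performed on the signer certificate; the comment there says this is deliberate, but the method itself should state its contract so nobody reuses it as a validity check: `/** Returns true if the KeyUsage extension of {@code cert} asserts digitalSignature (bit 0); false if the extension is absent or unreadable. Performs no validity, trust-chain or revocation checking. */`.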
@@ -165,12 +177,21 @@ public class AuditVerify {
CryptoManager cm = CryptoManager.getInstance();
X509Certificate signerCert = cm.findCertByNickname(signerNick);
+ X509CertImpl cert_i = null;
+ if (signerCert != null) {
+ byte[] signerCert_b = signerCert.getEncoded();
+ cert_i = new X509CertImpl(signerCert_b);
+ } else {
+ System.out.println("ERROR: signing certificate not found");
+ System.exit(1);
+ }
+
// verify signer's certificate
- if( ! cm.isCertValid(signerNick, true,
- CryptoManager.CertUsage.EmailSigner) )
- {
- System.out.println("Error: signing certificate is not valid");
- System.exit(1);
+ // not checking validity because we want to allow verifying old logs
+ //
+ if (!isSigningCert(cert_i)) {
+ System.out.println("info: signing certificate is not a signing certificate");
+ System.exit(1);
}
PublicKey pubk = signerCert.getPublicKey();