author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-01-23 03:56:06 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-01-23 03:56:06 +0000 |
commit | 2f397c05020e7d85886a1146c963d5a7900e09f3 (patch) | |
tree | af6fa68d7c9d6d8b531e06ae9a7a3576a921eb4e /pki/base/java-tools/src | |
parent | 281568c660e81ca4b8943bd358ceb57fffa492d4 (diff) | |
481237 - signed audit
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@183 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/java-tools/src')
-rw-r--r-- | pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 3207c2f76..955004c25 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.util.Base64InputStream;
 import java.security.*;
 import java.security.interfaces.*;
+import netscape.security.x509.X509CertImpl;
 
 /**
  * Tool for verifying signed audit logs
@@ -92,6 +93,17 @@ public class AuditVerify {
         return (matchingFiles.length > 0);
     }
 
+    public static boolean isSigningCert(X509CertImpl cert) {
+        boolean[] keyUsage = null;
+
+        try {
+            keyUsage = cert.getKeyUsage();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return (keyUsage == null) ? false : keyUsage[0];
+    }
+
     public static void main(String args[]) {
         try {
 
@@ -165,12 +177,21 @@ public class AuditVerify {
             CryptoManager cm = CryptoManager.getInstance();
             X509Certificate signerCert = cm.findCertByNickname(signerNick);
 
+            X509CertImpl cert_i = null;
+            if (signerCert != null) {
+                byte[] signerCert_b = signerCert.getEncoded();
+                cert_i = new X509CertImpl(signerCert_b);
+            } else {
+                System.out.println("ERROR: signing certificate not found");
+                System.exit(1);
+            }
+
             // verify signer's certificate
-            if( ! cm.isCertValid(signerNick, true,
-                                 CryptoManager.CertUsage.EmailSigner) )
-            {
-                System.out.println("Error: signing certificate is not valid");
-                System.exit(1);
+            // not checking validity because we want to allow verifying old logs
+            //
+            if (!isSigningCert(cert_i)) {
+                System.out.println("info: signing certificate is not a signing certificate");
+                System.exit(1);
             }
 
             PublicKey pubk = signerCert.getPublicKey(); |
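Review bot: Replacing `cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)` with `isSigningCert(cert_i)` in the third hunk drops the chain and trust validation that the JSS call performs, not only the expiry check the new comment says it wants to relax, so any certificate stored under `signerNick` in the NSS database with key-usage bit 0 set is now accepted, and the verifier can no longer distinguish a log signed by the deployed signing certificate from one signed with an unrelated key imported under the same nickname. If old logs must stay verifiable past certificate expiry, keep the `isCertValid` call and demote its failure to a warning the operator sees, e.g. `if (!cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)) { System.out.println("WARNING: signing certificate is expired, untrusted, or not chained to a trusted CA"); }` ahead of the key-usage check, rather than removing it. The `isSigningCert` helper in the second hunk swallows every exception from `getKeyUsage()` into a stack trace and then reports "not a signing cert", and `keyUsage[0]` is the digitalSignature bit only if `X509CertImpl` follows the `java.security.cert.X509Certificate` array layout; a Javadoc stating both (`/** Returns true only if the KeyUsage extension is present and its digitalSignature bit is set; any error reading the extension is treated as false. */`) would make the intent checkable. The surviving `// verify signer's certificate` comment no longer describes the code below it; `// check the key-usage extension only; validity and trust are intentionally not enforced so old logs remain verifiable` would match. The body of `main` starts and ends outside this hunk, so it is not visible whether the checked exceptions from `getEncoded()` and the `X509CertImpl` constructor are caught with a message or surface as a bare stack trace.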