summaryrefslogtreecommitdiffstats
path: root/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
diff options
context:
space:
mode:
Diffstat (limited to 'base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java')
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java120
1 files changed, 55 insertions, 65 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 244c36dc7..8c5c2ccc1 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -35,6 +35,15 @@ import java.util.Arrays;
import java.util.Date;
import java.util.StringTokenizer;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.CryptoManager.CertificateUsage;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmsutil.util.Utils;
+
import netscape.security.extensions.NSCertTypeExtension;
import netscape.security.pkcs.PKCS10;
import netscape.security.pkcs.PKCS7;
@@ -54,15 +63,6 @@ import netscape.security.x509.X509CertImpl;
import netscape.security.x509.X509CertInfo;
import netscape.security.x509.X509Key;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.CryptoManager.CertificateUsage;
-
-import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.IConfigStore;
-import com.netscape.certsrv.logging.ILogger;
-import com.netscape.cmsutil.util.Utils;
-
/**
* Utility class with assorted methods to check for
* smime pairs, determining the type of cert - signature
@@ -828,43 +828,42 @@ public class CertUtils {
/*
* verify a certificate by its nickname
- * returns true if it verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCertByNickname(String nickname, String certusage) {
- CMS.debug("CertUtils: verifySystemCertByNickname(" + nickname + "," + certusage + ")");
- boolean r = true;
- CertificateUsage cu = null;
- cu = getCertificateUsage(certusage);
+ public static void verifySystemCertByNickname(String nickname, String certusage) throws Exception {
+ CMS.debug("CertUtils: verifySystemCertByNickname(" + nickname + ", " + certusage + ")");
+ CertificateUsage cu = getCertificateUsage(certusage);
int ccu = 0;
if (cu == null) {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: " +
nickname + " with unsupported certusage =" + certusage);
- return false;
+ throw new Exception("Unsupported certificate usage " + certusage + " in certificate " + nickname);
}
if (certusage == null || certusage.equals(""))
CMS.debug("CertUtils: verifySystemCertByNickname(): required certusage not defined, getting current certusage");
+
CMS.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid()");
try {
CryptoManager cm = CryptoManager.getInstance();
if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
if (cm.isCertValid(nickname, true, cu)) {
- r = true;
CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
} else {
CMS.debug("CertUtils: verifySystemCertByNickname() failed: " + nickname);
- r = false;
+ throw new Exception("Invalid certificate " + nickname);
}
+
} else {
// find out about current cert usage
ccu = cm.isCertValid(nickname, true);
if (ccu == CertificateUsage.basicCertificateUsages) {
/* cert is good for nothing */
- r = false;
CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" + nickname);
+ throw new Exception("Unusable certificate " + nickname);
+
} else {
- r = true;
CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
@@ -893,31 +892,31 @@ public class CertUtils {
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
}
}
+
} catch (Exception e) {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed: " +
- e.toString());
- r = false;
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: " + e);
+ throw e;
}
- return r;
}
/*
* verify a certificate by its tag name
- * returns true if it verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCertByTag(String tag) {
+ public static void verifySystemCertByTag(String tag) throws Exception {
CMS.debug("CertUtils: verifySystemCertByTag(" + tag + ")");
String auditMessage = null;
IConfigStore config = CMS.getConfigStore();
- boolean r = true;
+
try {
String subsysType = config.getString("cs.type", "");
if (subsysType.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() cs.type not defined in CS.cfg. System certificates verification not done");
- r = false;
+ throw new Exception("Missing cs.type in CS.cfg");
}
+
subsysType = toLowerCaseSubsystemType(subsysType);
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
@@ -928,39 +927,32 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
- return r;
+ throw new Exception("Invalid cs.type in CS.cfg");
}
+
String nickname = config.getString(subsysType + ".cert." + tag + ".nickname", "");
if (nickname.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag " + tag + " undefined in CS.cfg");
- r = false;
+ throw new Exception("Missing nickname for " + tag + " certificate");
}
+
String certusage = config.getString(subsysType + ".cert." + tag + ".certusage", "");
if (certusage.equals("")) {
CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag "
+ tag + " undefined in CS.cfg, getting current certificate usage");
+ // throw new Exception("Missing certificate usage for " + tag + " certificate"); ?
}
- r = verifySystemCertByNickname(nickname, certusage);
- if (r == true) {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.SUCCESS,
- nickname);
- audit(auditMessage);
- } else {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- nickname);
+ verifySystemCertByNickname(nickname, certusage);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID,
+ ILogger.SUCCESS,
+ nickname);
+
+ audit(auditMessage);
- audit(auditMessage);
- }
} catch (Exception e) {
CMS.debug("CertUtils: verifySystemCertsByTag() failed: " +
e.toString());
@@ -971,10 +963,8 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
+ throw e;
}
-
- return r;
}
/*
@@ -1015,13 +1005,13 @@ public class CertUtils {
/*
* goes through all system certs and check to see if they are good
* and audit the result
- * returns true if all verifies; false if any not
+ * @throws Exception if something is wrong
*/
- public static boolean verifySystemCerts() {
+ public static void verifySystemCerts() throws Exception {
+
String auditMessage = null;
IConfigStore config = CMS.getConfigStore();
- boolean verifyResult = true;
- boolean r = true; /* the final return value */
+
try {
String subsysType = config.getString("cs.type", "");
if (subsysType.equals("")) {
@@ -1033,8 +1023,9 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Missing cs.type in CS.cfg");
}
+
subsysType = toLowerCaseSubsystemType(subsysType);
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
@@ -1045,8 +1036,9 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Invalid cs.type in CS.cfg");
}
+
String certlist = config.getString(subsysType + ".cert.list", "");
if (certlist.equals("")) {
CMS.debug("CertUtils: verifySystemCerts() "
@@ -1058,17 +1050,17 @@ public class CertUtils {
"");
audit(auditMessage);
- return false;
+ throw new Exception("Missing " + subsysType + ".cert.list in CS.cfg");
}
+
StringTokenizer tokenizer = new StringTokenizer(certlist, ",");
while (tokenizer.hasMoreTokens()) {
String tag = tokenizer.nextToken();
tag = tag.trim();
CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
- verifyResult = verifySystemCertByTag(tag);
- if (verifyResult == false)
- r = false; //r captures the value for final return
+ verifySystemCertByTag(tag);
}
+
} catch (Exception e) {
// audit here
auditMessage = CMS.getLogMessage(
@@ -1078,10 +1070,8 @@ public class CertUtils {
"");
audit(auditMessage);
- r = false;
- CMS.debug("CertUtils: verifySystemCerts():" + e.toString());
+ throw e;
}
- return r;
}
public static String toLowerCaseSubsystemType(String s) {
generated by cgit (git 2.34.1) at 2024-06-27 23:56:39 +0000