Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java | 473 |
1 files changed, 231 insertions, 242 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java index 4b45c48cd..5a49d06e8 100644 --- a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java +++ b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmscore.cert; + import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; @@ -63,9 +64,10 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.osutil.OSUtil; /** - * Utility class with assorted methods to check for smime pairs, determining the - * type of cert - signature or encryption ..etc. - * + * Utility class with assorted methods to check for + * smime pairs, determining the type of cert - signature + * or encryption ..etc. + * * @author kanda * @version $Revision$, $Date$ */ 
@@ -76,17 +78,20 @@ public class CertUtils { public static final String CERT_REQUEST_TRAILER = "-----END CERTIFICATE REQUEST-----"; public static final String CERT_RENEWAL_HEADER = "-----BEGIN RENEWAL CERTIFICATE REQUEST-----"; public static final String CERT_RENEWAL_TRAILER = "-----END RENEWAL CERTIFICATE REQUEST-----"; - public static final String BEGIN_CRL_HEADER = "-----BEGIN CERTIFICATE REVOCATION LIST-----"; - public static final String END_CRL_HEADER = "-----END CERTIFICATE REVOCATION LIST-----"; + public static final String BEGIN_CRL_HEADER = + "-----BEGIN CERTIFICATE REVOCATION LIST-----"; + public static final String END_CRL_HEADER = + "-----END CERTIFICATE REVOCATION LIST-----"; protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; + private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = + "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3"; /** * Remove the header and footer in the PKCS10 request. */ public static String unwrapPKCS10(String request, boolean checkHeader) - throws EBaseException { + throws EBaseException { String unwrapped; String header = null; int head = -1; @@ -107,8 +112,7 @@ public class CertUtils { head = request.indexOf(CERT_REQUEST_HEADER); trail = request.indexOf(CERT_REQUEST_TRAILER); - // If this is not a request header, check if this is a renewal - // header. + // If this is not a request header, check if this is a renewal header. if (!(head == -1 && trail == -1)) { header = CERT_REQUEST_HEADER; 
@@ -126,12 +130,10 @@ public class CertUtils { // Now validate if any headers or trailers are in place if (head == -1 && checkHeader) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_HEADER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_HEADER")); } if (trail == -1 && checkHeader) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_TRAILER")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_TRAILER")); } if (header != null) { 
@@ -160,44 +162,41 @@ public class CertUtils { pkcs10 = new PKCS10(decodedBytes); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); } return pkcs10; } - public static void setRSAKeyToCertInfo(X509CertInfo info, byte encoded[]) - throws EBaseException { + public static void setRSAKeyToCertInfo(X509CertInfo info, + byte encoded[]) throws EBaseException { try { if (info == null) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); } - X509Key key = new X509Key( - AlgorithmId.getAlgorithmId("RSAEncryption"), encoded); + X509Key key = new X509Key(AlgorithmId.getAlgorithmId( + "RSAEncryption"), encoded); info.set(X509CertInfo.KEY, key); } catch (Exception e) { - throw new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); } } - public static X509CertInfo createCertInfo(int ver, BigInteger serialno, - String alg, String issuerName, Date notBefore, Date notAfter) - throws EBaseException { + public static X509CertInfo createCertInfo(int ver, + BigInteger serialno, String alg, String issuerName, + Date notBefore, Date notAfter) throws EBaseException { try { X509CertInfo info = new X509CertInfo(); info.set(X509CertInfo.VERSION, new CertificateVersion(ver)); - info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber( - serialno)); - info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId( - AlgorithmId.getAlgorithmId(alg))); - info.set(X509CertInfo.ISSUER, new CertificateIssuerName( - new X500Name(issuerName))); - info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, - notAfter)); + info.set(X509CertInfo.SERIAL_NUMBER, new + CertificateSerialNumber(serialno)); + info.set(X509CertInfo.ALGORITHM_ID, 
new + CertificateAlgorithmId(AlgorithmId.getAlgorithmId(alg))); + info.set(X509CertInfo.ISSUER, new + CertificateIssuerName(new X500Name(issuerName))); + info.set(X509CertInfo.VALIDITY, new + CertificateValidity(notBefore, notAfter)); return info; } catch (Exception e) { System.out.println(e.toString()); @@ -234,20 +233,19 @@ public class CertUtils { return false; else if (keyUsage.length == 3) return keyUsage[2]; - else - return keyUsage[2] || keyUsage[3]; + else return keyUsage[2] || keyUsage[3]; } public static boolean haveSameValidityPeriod(X509CertImpl cert1, - X509CertImpl cert2) { + X509CertImpl cert2) { long notBefDiff = 0; long notAfterDiff = 0; try { - notBefDiff = Math.abs(cert1.getNotBefore().getTime() - - cert2.getNotBefore().getTime()); - notAfterDiff = Math.abs(cert1.getNotAfter().getTime() - - cert2.getNotAfter().getTime()); + notBefDiff = Math.abs(cert1.getNotBefore().getTime() - + cert2.getNotBefore().getTime()); + notAfterDiff = Math.abs(cert1.getNotAfter().getTime() - + cert2.getNotAfter().getTime()); } catch (Exception e) { e.printStackTrace(); } @@ -257,8 +255,7 @@ public class CertUtils { return true; } - public static boolean isSmimePair(X509CertImpl cert1, X509CertImpl cert2, - boolean matchSubjectDN) { + public static boolean isSmimePair(X509CertImpl cert1, X509CertImpl cert2, boolean matchSubjectDN) { // Check for subjectDN equality. if (matchSubjectDN) { String dn1 = cert1.getSubjectDN().toString(); 
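Review bot: In setRSAKeyToCertInfo the catch-all `catch (Exception e)` rethrows `CMS_BASE_INVALID_OPERATION` without recording `e`, so a malformed key encoding and a null `info` are indistinguishable to the caller and nothing reaches the log; add `CMS.debug("CertUtils: setRSAKeyToCertInfo() failed: " + e.toString());` before the throw, matching the pattern verifySystemCertByNickname uses later in the file. createCertInfo in the same hunk reports its failure with `System.out.println(e.toString())`, which bypasses the CMS.debug log entirely and should use the same `CMS.debug(...)` call; createCertInfo's body continues past the hunk.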
@@ -267,27 +264,27 @@ public class CertUtils { if (!sameSubjectDN(dn1, dn2)) return false; } - + // Check for the presence of signing and encryption certs. boolean hasSigningCert = isSigningCert(cert1) || isSigningCert(cert2); if (!hasSigningCert) return false; - boolean hasEncryptionCert = isEncryptionCert(cert1) - || isEncryptionCert(cert2); + boolean hasEncryptionCert = isEncryptionCert(cert1) || isEncryptionCert(cert2); if (!hasEncryptionCert) return false; - // If both certs have signing & encryption usage set, they are - // not really pairs. - if ((isSigningCert(cert1) && isEncryptionCert(cert1)) - || (isSigningCert(cert2) && isEncryptionCert(cert2))) + // If both certs have signing & encryption usage set, they are + // not really pairs. + if ((isSigningCert(cert1) && isEncryptionCert(cert1)) || + (isSigningCert(cert2) && isEncryptionCert(cert2))) return false; - // See if the certs have the same validity. - boolean haveSameValidity = haveSameValidityPeriod(cert1, cert2); + // See if the certs have the same validity. + boolean haveSameValidity = + haveSameValidityPeriod(cert1, cert2); return haveSameValidity; } @@ -344,8 +341,7 @@ public class CertUtils { return ret; } - public static String getValidCertsDisplayInfo(String cn, - X509CertImpl[] validCerts) { + public static String getValidCertsDisplayInfo(String cn, X509CertImpl[] validCerts) { StringBuffer sb = new StringBuffer(1024); sb.append(cn + "'s Currently Valid Certificates\n\n"); @@ -353,8 +349,7 @@ public class CertUtils { return new String(sb); } - public static String getExpiredCertsDisplayInfo(String cn, - X509CertImpl[] expiredCerts) { + public static String getExpiredCertsDisplayInfo(String cn, X509CertImpl[] expiredCerts) { StringBuffer sb = new StringBuffer(1024); sb.append(cn + "'s Expired Certificates\n\n"); 
@@ -363,7 +358,7 @@ public class CertUtils { } public static String getRenewedCertsDisplayInfo(String cn, - X509CertImpl[] validCerts, X509CertImpl[] renewedCerts) { + X509CertImpl[] validCerts, X509CertImpl[] renewedCerts) { StringBuffer sb = new StringBuffer(1024); if (validCerts != null) { @@ -391,29 +386,25 @@ public class CertUtils { signingCert = validCerts[1]; encryptionCert = validCerts[0]; } - sb.append("Signing Certificate Serial No: " - + signingCert.getSerialNumber().toString(16).toUpperCase()); + sb.append("Signing Certificate Serial No: " + signingCert.getSerialNumber().toString(16).toUpperCase()); sb.append("\n"); - sb.append("Encryption Certificate Serial No: " - + encryptionCert.getSerialNumber().toString(16).toUpperCase()); + sb.append("Encryption Certificate Serial No: " + encryptionCert.getSerialNumber().toString(16).toUpperCase()); sb.append("\n"); - sb.append("Validity: From: " + signingCert.getNotBefore().toString() - + " To: " + signingCert.getNotAfter().toString()); + sb.append("Validity: From: " + signingCert.getNotBefore().toString() + " To: " + signingCert.getNotAfter().toString()); sb.append("\n"); return new String(sb); } /** * Returns the index of the given cert in an array of certs. - * - * Assumptions: The certs are issued by the same CA - * - * @param certArray The array of certs. - * @param givenCert The certificate we are lokking for in the array. + * + * Assumptions: The certs are issued by the same CA + * + * @param certArray The array of certs. + * @param givenCert The certificate we are lokking for in the array. * @return -1 if not found or the index of the given cert in the array. */ - public static int getCertIndex(X509CertImpl[] certArray, - X509CertImpl givenCert) { + public static int getCertIndex(X509CertImpl[] certArray, X509CertImpl givenCert) { int i = 0; for (; i < certArray.length; i++) { 
@@ -427,21 +418,21 @@ public class CertUtils { } /** - * Returns the most recently issued signing certificate from an an array of - * certs. - * - * Assumptions: The certs are issued by the same CA - * - * @param certArray The array of certs. - * @param givenCert The certificate we are lokking for in the array. + * Returns the most recently issued signing certificate from an + * an array of certs. + * + * Assumptions: The certs are issued by the same CA + * + * @param certArray The array of certs. + * @param givenCert The certificate we are lokking for in the array. * @return null if there is no recent cert or the most recent cert. */ public static X509CertImpl getRecentSigningCert(X509CertImpl[] certArray, - X509CertImpl currentCert) { + X509CertImpl currentCert) { if (certArray == null || currentCert == null) return null; - // Sort the certificate array. + // Sort the certificate array. Arrays.sort(certArray, new CertDateCompare()); // Get the index of the current cert in the array. @@ -455,9 +446,8 @@ public class CertUtils { for (; i < certArray.length; i++) { // Check if it is a signing cert and has its // NotAfter later than the current cert. - if (isSigningCert(certArray[i]) - && certArray[i].getNotAfter().after( - recentCert.getNotAfter())) + if (isSigningCert(certArray[i]) && + certArray[i].getNotAfter().after(recentCert.getNotAfter())) recentCert = certArray[i]; } return ((recentCert == currentCert) ? null : recentCert); 
@@ -476,13 +466,14 @@ public class CertUtils { // Is is object signing cert? try { - CertificateExtensions extns = (CertificateExtensions) cert - .get(X509CertImpl.NAME + "." + X509CertImpl.INFO + "." - + X509CertInfo.EXTENSIONS); + CertificateExtensions extns = (CertificateExtensions) + cert.get(X509CertImpl.NAME + "." + + X509CertImpl.INFO + "." + + X509CertInfo.EXTENSIONS); if (extns != null) { - NSCertTypeExtension nsExtn = (NSCertTypeExtension) extns - .get(NSCertTypeExtension.NAME); + NSCertTypeExtension nsExtn = (NSCertTypeExtension) + extns.get(NSCertTypeExtension.NAME); if (nsExtn != null) { String nsType = getNSExtensionInfo(nsExtn); @@ -494,7 +485,7 @@ public class CertUtils { } } } - } catch (Exception e) { + }catch (Exception e) { } return (sb.length() > 0) ? sb.toString() : null; } @@ -526,13 +517,14 @@ public class CertUtils { res = (Boolean) nsExtn.get(NSCertTypeExtension.OBJECT_SIGNING_CA); if (res.equals(Boolean.TRUE)) sb.append(" object_signing_CA"); - } catch (Exception e) { + }catch (Exception e) { } return (sb.length() > 0) ? sb.toString() : null; } - public static byte[] readFromFile(String fileName) throws IOException { + public static byte[] readFromFile(String fileName) + throws IOException { FileInputStream fin = new FileInputStream(fileName); int available = fin.available(); byte[] ba = new byte[available]; @@ -545,7 +537,7 @@ public class CertUtils { } public static void storeInFile(String fileName, byte[] ba) - throws IOException { + throws IOException { FileOutputStream fout = new FileOutputStream(fileName); fout.write(ba); 
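Review bot: The `}catch (Exception e) { }` closing the NS-cert-type extension parsing in this hunk discards any failure while reading the extensions, so a malformed extension produces the same null result as an absent one with no trace in the log; the hunks at `@@ -494,7 +485,7 @@` and `@@ -526,13 +517,14 @@` keep the same empty catch. Log before falling through, e.g. `} catch (Exception e) { CMS.debug("CertUtils: failed to read NSCertType extension: " + e.toString()); }`, and keep the space before `catch` that the old side had. The enclosing method starts before the hunk.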
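Review bot: readFromFile sizes its buffer with `fin.available()`, which is an estimate of the bytes readable without blocking rather than the file length, so a large or non-regular file can be read truncated without any error. `return Files.readAllBytes(Paths.get(fileName));` (java.nio.file, needs an import) reads the whole file and closes it; if the FileInputStream is kept, it should be closed in a `finally` or try-with-resources. readFromFile's body continues outside the hunk, so I cannot see whether the stream is closed on the error path; the same question applies to storeInFile in the hunk at `@@ -545,7 +537,7 @@`.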
@@ -554,15 +546,17 @@ public class CertUtils { public static String toMIME64(X509CertImpl cert) { try { - return "-----BEGIN CERTIFICATE-----\n" - + com.netscape.osutil.OSUtil.BtoA(cert.getEncoded()) - + "-----END CERTIFICATE-----\n"; + return + "-----BEGIN CERTIFICATE-----\n" + + com.netscape.osutil.OSUtil.BtoA(cert.getEncoded()) + + "-----END CERTIFICATE-----\n"; } catch (CertificateException e) { } return null; } - public static X509Certificate mapCert(String mime64) throws IOException { + public static X509Certificate mapCert(String mime64) + throws IOException { mime64 = stripCertBrackets(mime64.trim()); String newval = normalizeCertStr(mime64); byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval); @@ -575,8 +569,8 @@ public class CertUtils { return cert; } - public static X509Certificate[] mapCertFromPKCS7(String mime64) - throws IOException { + public static X509Certificate[] mapCertFromPKCS7(String mime64) + throws IOException { mime64 = stripCertBrackets(mime64.trim()); String newval = normalizeCertStr(mime64); byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval); @@ -590,7 +584,8 @@ public class CertUtils { } } - public static X509CRL mapCRL(String mime64) throws IOException { + public static X509CRL mapCRL(String mime64) + throws IOException { mime64 = stripCRLBrackets(mime64.trim()); String newval = normalizeCertStr(mime64); byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval); @@ -603,7 +598,8 @@ public class CertUtils { return crl; } - public static X509CRL mapCRL1(String mime64) throws IOException { + public static X509CRL mapCRL1(String mime64) + throws IOException { mime64 = stripCRLBrackets(mime64.trim()); byte rawPub[] = OSUtil.AtoB(mime64); X509CRL crl = null; 
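Review bot: toMIME64 swallows `CertificateException` with an empty catch and falls through to `return null`, so an encoding failure reaches the caller as a null with nothing logged; log it before returning, `} catch (CertificateException e) { CMS.debug("CertUtils: toMIME64() failed: " + e.toString()); }`. mapCert in this hunk, and mapCertFromPKCS7, mapCRL and mapCRL1 in the following hunks, call `mime64.trim()` before handing the value to the null-tolerant strip helpers, so a null argument fails with a NullPointerException rather than the declared IOException; presumably a null check before `trim()` is wanted. The bodies of the map methods continue past their hunks.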
@@ -638,8 +634,8 @@ public class CertUtils { if (s == null) { return s; } - if ((s.startsWith("-----BEGIN CERTIFICATE REVOCATION LIST-----")) - && (s.endsWith("-----END CERTIFICATE REVOCATION LIST-----"))) { + if ((s.startsWith("-----BEGIN CERTIFICATE REVOCATION LIST-----")) && + (s.endsWith("-----END CERTIFICATE REVOCATION LIST-----"))) { return (s.substring(43, (s.length() - 41))); } return s; @@ -647,9 +643,8 @@ public class CertUtils { /** * strips out the begin and end certificate brackets - * * @param s the string potentially bracketed with - * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" + * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" * @return string without the brackets */ public static String stripCertBrackets(String s) { @@ -657,14 +652,14 @@ public class CertUtils { return s; } - if ((s.startsWith("-----BEGIN CERTIFICATE-----")) - && (s.endsWith("-----END CERTIFICATE-----"))) { + if ((s.startsWith("-----BEGIN CERTIFICATE-----")) && + (s.endsWith("-----END CERTIFICATE-----"))) { return (s.substring(27, (s.length() - 25))); } // To support Thawte's header and footer - if ((s.startsWith("-----BEGIN PKCS #7 SIGNED DATA-----")) - && (s.endsWith("-----END PKCS #7 SIGNED DATA-----"))) { + if ((s.startsWith("-----BEGIN PKCS #7 SIGNED DATA-----")) && + (s.endsWith("-----END PKCS #7 SIGNED DATA-----"))) { return (s.substring(35, (s.length() - 33))); } 
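Review bot: stripCRLBrackets repeats the CRL header and footer strings and hard-codes their lengths (43 and 41) in `substring`, while the class already defines BEGIN_CRL_HEADER and END_CRL_HEADER for exactly that text, so an edit to either place can silently desynchronise them. Use the constants: `if (s.startsWith(BEGIN_CRL_HEADER) && s.endsWith(END_CRL_HEADER)) { return s.substring(BEGIN_CRL_HEADER.length(), s.length() - END_CRL_HEADER.length()); }`. The 27/25 and 35/33 offsets in stripCertBrackets (hunk `@@ -657,14 +652,14 @@`) follow the same pattern, though that method has no constants to use yet.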
@@ -672,14 +667,13 @@ public class CertUtils { } /** - * Returns a string that represents a cert's fingerprint. The fingerprint is - * a MD5 digest of the DER encoded certificate. - * - * @param cert Certificate to get the fingerprint of. + * Returns a string that represents a cert's fingerprint. + * The fingerprint is a MD5 digest of the DER encoded certificate. + * @param cert Certificate to get the fingerprint of. * @return a String that represents the cert's fingerprint. */ - public static String getFingerPrint(Certificate cert) - throws CertificateEncodingException, NoSuchAlgorithmException { + public static String getFingerPrint(Certificate cert) + throws CertificateEncodingException, NoSuchAlgorithmException { byte certDer[] = cert.getEncoded(); MessageDigest md = MessageDigest.getInstance("MD5"); @@ -691,17 +685,16 @@ public class CertUtils { sb.append(pp.toHexString(digestedCert, 4, 20)); return sb.toString(); } - + /** - * Returns a string that has the certificate's fingerprint using MD5, MD2 - * and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER - * encoded certificate. - * + * Returns a string that has the certificate's fingerprint using + * MD5, MD2 and SHA1 hashes. + * A certificate's fingerprint is a hash digest of the DER encoded + * certificate. * @param cert Certificate to get the fingerprints of. * @return a String with fingerprints using the MD5, MD2 and SHA1 hashes. - * For example, - * - * <pre> + * For example, + * <pre> * MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71 * * MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75 
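Review bot: getFingerPrint derives the fingerprint with `MessageDigest.getInstance("MD5")` and its Javadoc fixes that as the contract, yet MD5 is no longer collision resistant, so the value is unsuitable for any identity or matching decision; the method body continues past the hunk. Either state the limitation in the Javadoc, e.g. `Intended for display only; MD5 is not collision resistant, callers needing a verifiable identifier should use the SHA-256/SHA-512 output of getFingerPrints`, or add a SHA-256 variant and point callers to it. getFingerPrints(byte[]) in a later hunk already computes SHA256 and SHA512, so the stronger digests are available in this file.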
@@ -710,33 +703,34 @@ public class CertUtils { * </pre> */ public static String getFingerPrints(Certificate cert) - throws NoSuchAlgorithmException, CertificateEncodingException { + throws NoSuchAlgorithmException, CertificateEncodingException { byte certDer[] = cert.getEncoded(); - /* - * String[] hashes = new String[] {"MD2", "MD5", "SHA1"}; String - * certFingerprints = ""; PrettyPrintFormat pp = new - * PrettyPrintFormat(":"); - * - * for (int i = 0; i < hashes.length; i++) { MessageDigest md = - * MessageDigest.getInstance(hashes[i]); - * - * md.update(certDer); certFingerprints += " " + hashes[i] + ":" + - * pp.toHexString(md.digest(), 6 - hashes[i].length()); } return - * certFingerprints; - */ - return getFingerPrints(certDer); - } + /* + String[] hashes = new String[] {"MD2", "MD5", "SHA1"}; + String certFingerprints = ""; + PrettyPrintFormat pp = new PrettyPrintFormat(":"); + for (int i = 0; i < hashes.length; i++) { + MessageDigest md = MessageDigest.getInstance(hashes[i]); + + md.update(certDer); + certFingerprints += " " + hashes[i] + ":" + + pp.toHexString(md.digest(), 6 - hashes[i].length()); + } + return certFingerprints; + */ + return getFingerPrints(certDer); + } + /** - * Returns a string that has the certificate's fingerprint using MD5, MD2 - * and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER - * encoded certificate. - * + * Returns a string that has the certificate's fingerprint using + * MD5, MD2 and SHA1 hashes. + * A certificate's fingerprint is a hash digest of the DER encoded + * certificate. * @param cert Certificate to get the fingerprints of. * @return a String with fingerprints using the MD5, MD2 and SHA1 hashes. - * For example, - * - * <pre> + * For example, + * <pre> * MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71 * * MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75 
@@ -745,10 +739,9 @@ public class CertUtils { * </pre> */ public static String getFingerPrints(byte[] certDer) - throws NoSuchAlgorithmException/* , CertificateEncodingException */{ - // byte certDer[] = cert.getEncoded(); - String[] hashes = new String[] { "MD2", "MD5", "SHA1", "SHA256", - "SHA512" }; + throws NoSuchAlgorithmException/*, CertificateEncodingException*/ { + // byte certDer[] = cert.getEncoded(); + String[] hashes = new String[] {"MD2", "MD5", "SHA1", "SHA256", "SHA512"}; String certFingerprints = ""; PrettyPrintFormat pp = new PrettyPrintFormat(":"); 
@@ -756,42 +749,41 @@ public class CertUtils { MessageDigest md = MessageDigest.getInstance(hashes[i]); md.update(certDer); - certFingerprints += hashes[i] + ":\n" - + pp.toHexString(md.digest(), 8, 16); + certFingerprints += hashes[i] + ":\n" + + pp.toHexString(md.digest(), 8, 16); } return certFingerprints; } /** - * Check if a object identifier in string form is valid, that is a string in - * the form n.n.n.n and der encode and decode-able. - * + * Check if a object identifier in string form is valid, + * that is a string in the form n.n.n.n and der encode and decode-able. * @param attrName attribute name (from the configuration file) * @param value object identifier string. - */ + */ public static ObjectIdentifier checkOID(String attrName, String value) - throws EBaseException { + throws EBaseException { String msg = "value must be a object identifier in the form n.n.n.n"; String msg1 = "not a valid object identifier."; ObjectIdentifier oid; - try { - oid = ObjectIdentifier.getObjectIdentifier(value); + try { + oid = ObjectIdentifier.getObjectIdentifier(value); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", attrName, msg)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + attrName, msg)); } // if the OID isn't valid (ex. n.n) the error isn't caught til // encoding time leaving a bad request in the request queue. - try { + try { DerOutputStream derOut = new DerOutputStream(); derOut.putOID(oid); new ObjectIdentifier(new DerInputStream(derOut.toByteArray())); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage( - "CMS_BASE_INVALID_ATTR_VALUE", attrName, msg1)); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE", + attrName, msg1)); } return oid; } 
@@ -811,21 +803,20 @@ public class CertUtils { return tmp.toString(); } - + /* - * verify a certificate by its nickname returns true if it verifies; false - * if any not + * verify a certificate by its nickname + * returns true if it verifies; false if any not */ - public static boolean verifySystemCertByNickname(String nickname, - String certusage) { + public static boolean verifySystemCertByNickname(String nickname, String certusage) { boolean r = true; - CertificateUsage cu = null; + CertificateUsage cu = null; cu = getCertificateUsage(certusage); int ccu = 0; if (cu == null) { - CMS.debug("CertUtils: verifySystemCertByNickname() failed: " - + nickname + " with unsupported certusage =" + certusage); + CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+ + nickname + " with unsupported certusage ="+ certusage); return false; } @@ -834,15 +825,12 @@ public class CertUtils { CMS.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid()"); try { CryptoManager cm = CryptoManager.getInstance(); - if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages - .getUsage()) { + if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) { if (cm.isCertValid(nickname, true, cu)) { r = true; - CMS.debug("CertUtils: verifySystemCertByNickname() passed:" - + nickname); + CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname); } else { - CMS.debug("CertUtils: verifySystemCertByNickname() failed:" - + nickname); + CMS.debug("CertUtils: verifySystemCertByNickname() failed:" + nickname); r = false; } } else { 
@@ -851,60 +839,48 @@ public class CertUtils { if (ccu == CertificateUsage.basicCertificateUsages) { /* cert is good for nothing */ r = false; - CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" - + nickname); + CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:"+ nickname); } else { r = true; - CMS.debug("CertUtils: verifySystemCertByNickname() passed:" - + nickname); + CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname); - if ((ccu & CryptoManager.CertificateUsage.SSLServer - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer"); - if ((ccu & CryptoManager.CertificateUsage.SSLClient - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.SSLClient.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLClient"); - if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServerWithStepUp"); if ((ccu & CryptoManager.CertificateUsage.SSLCA.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLCA"); - if ((ccu & CryptoManager.CertificateUsage.EmailSigner - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.EmailSigner.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailSigner"); - if ((ccu & CryptoManager.CertificateUsage.EmailRecipient - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.EmailRecipient.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailRecipient"); - if ((ccu & CryptoManager.CertificateUsage.ObjectSigner - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.ObjectSigner.getUsage()) != 0) CMS.debug("CertUtils: 
verifySystemCertByNickname(): cert is ObjectSigner"); - if ((ccu & CryptoManager.CertificateUsage.UserCertImport - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.UserCertImport.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is UserCertImport"); - if ((ccu & CryptoManager.CertificateUsage.VerifyCA - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.VerifyCA.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is VerifyCA"); - if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is ProtectedObjectSigner"); - if ((ccu & CryptoManager.CertificateUsage.StatusResponder - .getUsage()) != 0) + if ((ccu & CryptoManager.CertificateUsage.StatusResponder.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is StatusResponder"); if ((ccu & CryptoManager.CertificateUsage.AnyCA.getUsage()) != 0) CMS.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA"); } } } catch (Exception e) { - CMS.debug("CertUtils: verifySystemCertByNickname() failed: " - + e.toString()); + CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+ + e.toString()); r = false; } return r; } /* - * verify a certificate by its tag name returns true if it verifies; false - * if any not + * verify a certificate by its tag name + * returns true if it verifies; false if any not */ public static boolean verifySystemCertByTag(String tag) { String auditMessage = null; 
@@ -920,49 +896,52 @@ public class CertUtils { if (subsysType == null) { CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done"); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); audit(auditMessage); r = false; return r; } - String nickname = config.getString(subsysType + ".cert." + tag - + ".nickname", ""); + String nickname = config.getString(subsysType+".cert."+tag+".nickname", ""); if (nickname.equals("")) { - CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag " - + tag + " undefined in CS.cfg"); + CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag " + tag + " undefined in CS.cfg"); r = false; } - String certusage = config.getString(subsysType + ".cert." + tag - + ".certusage", ""); + String certusage = config.getString(subsysType+".cert."+tag+".certusage", ""); if (certusage.equals("")) { - CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " - + tag - + " undefined in CS.cfg, getting current certificate usage"); + CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " + tag + " undefined in CS.cfg, getting current certificate usage"); } r = verifySystemCertByNickname(nickname, certusage); if (r == true) { // audit here auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.SUCCESS, nickname); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.SUCCESS, + nickname); audit(auditMessage); } else { // audit here auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, nickname); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + nickname); audit(auditMessage); } } catch (Exception e) { - 
CMS.debug("CertUtils: verifySystemCertsByTag() failed: " - + e.toString()); + CMS.debug("CertUtils: verifySystemCertsByTag() failed: "+ + e.toString()); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); audit(auditMessage); r = false; @@ -1007,8 +986,9 @@ public class CertUtils { } /* - * goes through all system certs and check to see if they are good and audit - * the result returns true if all verifies; false if any not + * goes through all system certs and check to see if they are good + * and audit the result + * returns true if all verifies; false if any not */ public static boolean verifySystemCerts() { String auditMessage = null; @@ -1020,8 +1000,10 @@ public class CertUtils { if (subsysType.equals("")) { CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done"); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); audit(auditMessage); r = false; 
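Review bot: The `r = false` set when `nickname` is empty is overwritten a few lines later by `r = verifySystemCertByNickname(nickname, certusage)`, so the undefined-nickname branch only logs, and whether the check fails depends on how an empty nickname fares inside verifySystemCertByNickname; presumably the intent was to fail and audit immediately. Return after the debug line with the same failure audit the hunk already emits in its `else` branch: `r = false; audit(CMS.getLogMessage(LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, ILogger.SYSTEM_UID, ILogger.FAILURE, nickname)); return r;`. The enclosing try block and the method itself start before the hunk.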
@@ -1031,21 +1013,23 @@ public class CertUtils { if (subsysType == null) { CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done"); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); audit(auditMessage); r = false; return r; } - String certlist = config.getString(subsysType + ".cert.list", ""); + String certlist = config.getString(subsysType+".cert.list", ""); if (certlist.equals("")) { - CMS.debug("CertUtils: verifySystemCerts() " - + subsysType - + ".cert.list not defined in CS.cfg. System certificates verification not done"); + CMS.debug("CertUtils: verifySystemCerts() "+subsysType+ ".cert.list not defined in CS.cfg. System certificates verification not done"); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); audit(auditMessage); r = false; @@ -1061,10 +1045,12 @@ public class CertUtils { } catch (Exception e) { // audit here auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, - ILogger.SYSTEM_UID, ILogger.FAILURE, ""); + LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION, + ILogger.SYSTEM_UID, + ILogger.FAILURE, + ""); - audit(auditMessage); + audit(auditMessage); r = false; CMS.debug("CertUtils: verifySystemCerts():" + e.toString()); } @@ -1087,9 +1073,8 @@ public class CertUtils { } /** - * Signed Audit Log This method is called to store messages to the signed - * audit log. - * + * Signed Audit Log + * This method is called to store messages to the signed audit log. * @param msg signed audit log message */ private static void audit(String msg) { 
@@ -1099,8 +1084,12 @@ public class CertUtils { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, - ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); } + } |