Diffstat (limited to 'pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java')
-rw-r--r-- | pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 382 |
1 files changed, 192 insertions, 190 deletions
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java index aa8ffe9a4..022fcfe00 100644 --- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java +++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.cmstools; - import java.io.BufferedReader; import java.io.File; import java.io.FileNotFoundException; @@ -69,34 +68,34 @@ public class AuditVerify { } private static void writeSigStatus(int linenum, String sigStartFile, - int sigStartLine, String sigStopFile, int sigStopLine, String mesg) - throws IOException - { + int sigStartLine, String sigStopFile, int sigStopLine, String mesg) + throws IOException { output(linenum, mesg + ": signature of " + sigStartFile + ":" + - sigStartLine + " to " + sigStopFile + ":" + sigStopLine); + sigStartLine + " to " + sigStopFile + ":" + sigStopLine); } private static class PrefixFilter implements FilenameFilter { private String prefix; + public PrefixFilter(String prefix) { this.prefix = prefix; } + public boolean accept(File dir, String name) { // look for <prefix>cert* in this directory - return( name.indexOf(prefix + "cert") != -1 ); + return (name.indexOf(prefix + "cert") != -1); } } public static boolean validPrefix(String configDir, String prefix) - throws IOException - { + throws IOException { File dir = new File(configDir); - if( ! dir.isDirectory() ) { + if (!dir.isDirectory()) { System.out.println("ERROR: \"" + dir + "\" is not a directory"); usage(); } - String matchingFiles[] = dir.list( new PrefixFilter(prefix) ); + String matchingFiles[] = dir.list(new PrefixFilter(prefix)); // prefix may be valid if at least one file matched the pattern return (matchingFiles.length > 0); 
@@ -113,218 +112,221 @@ public class AuditVerify { return (keyUsage == null) ? false : keyUsage[0]; } - public static void main(String args[]) { - try { - - String dbdir = null; - String logListFile = null; - String signerNick = null; - String prefix = null; - boolean verbose = false; - - for(int i = 0; i < args.length; ++i) { - if( args[i].equals("-d") ) { - if( ++i >= args.length ) usage(); - dbdir = args[i]; - } else if( args[i].equals("-a") ) { - if( ++i >= args.length ) usage(); - logListFile = args[i]; - } else if( args[i].equals("-n") ) { - if( ++i >= args.length ) usage(); - signerNick = args[i]; - } else if( args[i].equals("-P") ) { - if( ++i >= args.length ) usage(); - prefix = args[i]; - } else if( args[i].equals("-v") ) { - verbose = true; - } else { - System.out.println("Unrecognized argument(" + i + "): " - + args[i]); + try { + + String dbdir = null; + String logListFile = null; + String signerNick = null; + String prefix = null; + boolean verbose = false; + + for (int i = 0; i < args.length; ++i) { + if (args[i].equals("-d")) { + if (++i >= args.length) + usage(); + dbdir = args[i]; + } else if (args[i].equals("-a")) { + if (++i >= args.length) + usage(); + logListFile = args[i]; + } else if (args[i].equals("-n")) { + if (++i >= args.length) + usage(); + signerNick = args[i]; + } else if (args[i].equals("-P")) { + if (++i >= args.length) + usage(); + prefix = args[i]; + } else if (args[i].equals("-v")) { + verbose = true; + } else { + System.out.println("Unrecognized argument(" + i + "): " + + args[i]); + usage(); + } + } + if (dbdir == null || logListFile == null || signerNick == null) { + System.out.println("Argument omitted"); usage(); } - } - if( dbdir == null || logListFile == null || signerNick == null) { - System.out.println("Argument omitted"); - usage(); - } - // get list of log files - Vector logFiles = new Vector(); - BufferedReader r = new BufferedReader(new FileReader(logListFile)); - String listLine; - while( (listLine = r.readLine()) 
!= null ) { - StringTokenizer tok = new StringTokenizer(listLine, ","); - while( tok.hasMoreElements() ) { - logFiles.addElement( ((String)tok.nextElement()).trim()); + // get list of log files + Vector logFiles = new Vector(); + BufferedReader r = new BufferedReader(new FileReader(logListFile)); + String listLine; + while ((listLine = r.readLine()) != null) { + StringTokenizer tok = new StringTokenizer(listLine, ","); + while (tok.hasMoreElements()) { + logFiles.addElement(((String) tok.nextElement()).trim()); + } + } + if (logFiles.size() == 0) { + System.out.println("Error: no log files listed in " + logListFile); + System.exit(1); } - } - if( logFiles.size() == 0 ) { - System.out.println("Error: no log files listed in " + logListFile); - System.exit(1); - } - // initialize crypto stuff - if( prefix == null ) { - if( ! validPrefix(dbdir, "")) { - System.out.println("ERROR: \"" + dbdir + - "\" does not contain any security databases"); - usage(); + // initialize crypto stuff + if (prefix == null) { + if (!validPrefix(dbdir, "")) { + System.out.println("ERROR: \"" + dbdir + + "\" does not contain any security databases"); + usage(); + } + CryptoManager.initialize(dbdir); + } else { + if (!validPrefix(dbdir, prefix)) { + System.out.println("ERROR: \"" + prefix + + "\" is not a valid prefix"); + usage(); + } + CryptoManager.initialize( + new CryptoManager.InitializationValues(dbdir, prefix, prefix, + "secmod.db") + ); } - CryptoManager.initialize(dbdir); - } else { - if( ! 
validPrefix(dbdir, prefix) ) { - System.out.println("ERROR: \"" + prefix + - "\" is not a valid prefix"); - usage(); + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate signerCert = cm.findCertByNickname(signerNick); + + X509CertImpl cert_i = null; + if (signerCert != null) { + byte[] signerCert_b = signerCert.getEncoded(); + cert_i = new X509CertImpl(signerCert_b); + } else { + System.out.println("ERROR: signing certificate not found"); + System.exit(1); } - CryptoManager.initialize( - new CryptoManager.InitializationValues(dbdir, prefix, prefix, - "secmod.db") - ); - } - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate signerCert = cm.findCertByNickname(signerNick); - - X509CertImpl cert_i = null; - if (signerCert != null) { - byte[] signerCert_b = signerCert.getEncoded(); - cert_i = new X509CertImpl(signerCert_b); - } else { - System.out.println("ERROR: signing certificate not found"); - System.exit(1); - } - // verify signer's certificate - // not checking validity because we want to allow verifying old logs - // - if (!isSigningCert(cert_i)) { - System.out.println("info: signing certificate is not a signing certificate"); - System.exit(1); - } + // verify signer's certificate + // not checking validity because we want to allow verifying old logs + // + if (!isSigningCert(cert_i)) { + System.out.println("info: signing certificate is not a signing certificate"); + System.exit(1); + } - PublicKey pubk = signerCert.getPublicKey(); - String sigAlgorithm=null; - if( pubk instanceof RSAPublicKey ) { - sigAlgorithm = "SHA-256/RSA"; - } else if( pubk instanceof DSAPublicKey ) { - sigAlgorithm = "SHA-256/DSA"; - } else { - System.out.println("Error: unknown key type: " + - pubk.getAlgorithm()); - System.exit(1); - } - Signature sig = Signature.getInstance(sigAlgorithm, CRYPTO_PROVIDER); - sig.initVerify(pubk); + PublicKey pubk = signerCert.getPublicKey(); + String sigAlgorithm = null; + if (pubk instanceof RSAPublicKey) { + sigAlgorithm 
= "SHA-256/RSA"; + } else if (pubk instanceof DSAPublicKey) { + sigAlgorithm = "SHA-256/DSA"; + } else { + System.out.println("Error: unknown key type: " + + pubk.getAlgorithm()); + System.exit(1); + } + Signature sig = Signature.getInstance(sigAlgorithm, CRYPTO_PROVIDER); + sig.initVerify(pubk); - int goodSigCount = 0; - int badSigCount = 0; + int goodSigCount = 0; + int badSigCount = 0; - int lastFileWritten = -1; + int lastFileWritten = -1; - int sigStartLine = 1; - int sigStopLine = 1; - String sigStartFile = (String) logFiles.elementAt(0); - String sigStopFile = null; - int signedLines = 1; + int sigStartLine = 1; + int sigStopLine = 1; + String sigStartFile = (String) logFiles.elementAt(0); + String sigStopFile = null; + int signedLines = 1; - boolean lastLineWasSig = false; + boolean lastLineWasSig = false; - for( int curfile = 0; curfile < logFiles.size(); ++curfile) { - String curfileName = (String) logFiles.elementAt(curfile); - BufferedReader br = new BufferedReader(new FileReader(curfileName)); + for (int curfile = 0; curfile < logFiles.size(); ++curfile) { + String curfileName = (String) logFiles.elementAt(curfile); + BufferedReader br = new BufferedReader(new FileReader(curfileName)); - if( verbose ) { - writeFile(curfileName); - lastFileWritten = curfile; - } + if (verbose) { + writeFile(curfileName); + lastFileWritten = curfile; + } - String curLine; - int linenum = 0; - while( (curLine = br.readLine()) != null ) { - ++linenum; - if( curLine.indexOf("AUDIT_LOG_SIGNING") != -1 ) { - if( curfile == 0 && linenum == 1 ) { - // Ignore the first signature of the first file, - // since it signs data we don't have access to. 
- if( verbose ) { - output(linenum, - "Ignoring first signature of log series"); - } - } else { - int sigStart = curLine.indexOf("sig: ") + 5; - if( sigStart < 5 ) { - output(linenum, "INVALID SIGNATURE"); - ++badSigCount; + String curLine; + int linenum = 0; + while ((curLine = br.readLine()) != null) { + ++linenum; + if (curLine.indexOf("AUDIT_LOG_SIGNING") != -1) { + if (curfile == 0 && linenum == 1) { + // Ignore the first signature of the first file, + // since it signs data we don't have access to. + if (verbose) { + output(linenum, + "Ignoring first signature of log series"); + } } else { - byte[] logSig = - base64decode(curLine.substring(sigStart)); - - // verify the signature - if( sig.verify(logSig) ) { - // signature verifies correctly - if( verbose ) { - writeSigStatus(linenum, sigStartFile, - sigStartLine, sigStopFile, sigStopLine, - "verification succeeded"); - } - ++goodSigCount; + int sigStart = curLine.indexOf("sig: ") + 5; + if (sigStart < 5) { + output(linenum, "INVALID SIGNATURE"); + ++badSigCount; } else { - if( lastFileWritten < curfile ) { - writeFile(curfileName); - lastFileWritten = curfile; + byte[] logSig = + base64decode(curLine.substring(sigStart)); + + // verify the signature + if (sig.verify(logSig)) { + // signature verifies correctly + if (verbose) { + writeSigStatus(linenum, sigStartFile, + sigStartLine, sigStopFile, sigStopLine, + "verification succeeded"); + } + ++goodSigCount; + } else { + if (lastFileWritten < curfile) { + writeFile(curfileName); + lastFileWritten = curfile; + } + writeSigStatus(linenum, sigStartFile, + sigStartLine, sigStopFile, sigStopLine, + "VERIFICATION FAILED"); + ++badSigCount; } - writeSigStatus(linenum, sigStartFile, - sigStartLine, sigStopFile, sigStopLine, - "VERIFICATION FAILED"); - ++badSigCount; } + sig.initVerify(pubk); + signedLines = 0; + sigStartLine = linenum; + sigStartFile = curfileName; } - sig.initVerify(pubk); - signedLines = 0; - sigStartLine = linenum; - sigStartFile = curfileName; } + 
+ byte[] lineBytes = curLine.getBytes("UTF-8"); + sig.update(lineBytes); + sig.update(LINE_SEP_BYTE); + ++signedLines; + sigStopLine = linenum; + sigStopFile = curfileName; } - byte[] lineBytes = curLine.getBytes("UTF-8"); - sig.update(lineBytes); - sig.update(LINE_SEP_BYTE); - ++signedLines; - sigStopLine = linenum; - sigStopFile = curfileName; } - } + // Make sure there were no unsigned log entries at the end. + // The first signed line is the previous signature, but anything + // more than that is data. + if (signedLines > 1) { + System.out.println( + "ERROR: log entries after " + sigStartFile + + ":" + sigStartLine + " are UNSIGNED"); + badSigCount++; + } - // Make sure there were no unsigned log entries at the end. - // The first signed line is the previous signature, but anything - // more than that is data. - if( signedLines > 1 ) { - System.out.println( - "ERROR: log entries after " + sigStartFile - + ":" + sigStartLine + " are UNSIGNED"); - badSigCount++; - } + System.out.println("\nVerification process complete."); + System.out.println("Valid signatures: " + goodSigCount); + System.out.println("Invalid signatures: " + badSigCount); - System.out.println("\nVerification process complete."); - System.out.println("Valid signatures: " + goodSigCount); - System.out.println("Invalid signatures: " + badSigCount); + if (badSigCount > 0) { + System.exit(2); + } else { + System.exit(0); + } - if( badSigCount > 0 ) { - System.exit(2); - } else { - System.exit(0); + } catch (FileNotFoundException fnfe) { + System.out.println(fnfe); + } catch (ObjectNotFoundException onfe) { + System.out.println("ERROR: certificate not found"); + } catch (Exception e) { + e.printStackTrace(); } - } catch(FileNotFoundException fnfe) { - System.out.println(fnfe); - } catch(ObjectNotFoundException onfe) { - System.out.println("ERROR: certificate not found"); - } catch(Exception e) { - e.printStackTrace(); - } - System.out.println("Verification process FAILED."); System.exit(1); } |
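Review bot: Neither `r` (the reader over the log-list file) nor the per-log-file `br` is ever closed on the new side, so each file in the series leaks a descriptor until the process exits, and nothing closes them when `sig.verify` or `base64decode` throws into the outer `catch (Exception e)`. Wrap each reader in try-with-resources if the build targets Java 7+, e.g. `try (BufferedReader br = new BufferedReader(new FileReader(curfileName))) { … }`, otherwise close it in a `finally` block. The comment `// not checking validity because we want to allow verifying old logs` would be more useful if it also stated the consequence: the signer certificate is trusted solely because the `-n` nickname resolves to it in the NSS database, with no chain, expiry or revocation check, so the verification result is only as strong as control over that database. The rendered hunk also shows `public static void main(String args[]) {` only on the removed side with no replacement; if that line is really gone the `try` sits at class scope and the file will not compile, so this is presumably a rendering artifact but worth confirming against the actual commit.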