Diffstat (limited to 'pki/base/java-tools/src/com')
| -rw-r--r-- | pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 3207c2f76..955004c25 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.util.Base64InputStream;
 import java.security.*;
 import java.security.interfaces.*;
+import netscape.security.x509.X509CertImpl;
 
 /**
  * Tool for verifying signed audit logs
@@ -92,6 +93,17 @@ public class AuditVerify {
         return (matchingFiles.length > 0);
     }
 
+    public static boolean isSigningCert(X509CertImpl cert) {
+        boolean[] keyUsage = null;
+
+        try {
+            keyUsage = cert.getKeyUsage();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+        return (keyUsage == null) ? false : keyUsage[0];
+    }
+
     public static void main(String args[]) {
 
         try {
@@ -165,12 +177,21 @@ public class AuditVerify {
             CryptoManager cm = CryptoManager.getInstance();
             X509Certificate signerCert = cm.findCertByNickname(signerNick);
 
+            X509CertImpl cert_i = null;
+            if (signerCert != null) {
+                byte[] signerCert_b = signerCert.getEncoded();
+                cert_i = new X509CertImpl(signerCert_b);
+            } else {
+                System.out.println("ERROR: signing certificate not found");
+                System.exit(1);
+            }
+
             // verify signer's certificate
-            if( ! cm.isCertValid(signerNick, true,
-                                CryptoManager.CertUsage.EmailSigner) )
-            {
-                System.out.println("Error: signing certificate is not valid");
-                System.exit(1);
+            // not checking validity because we want to allow verifying old logs
+            //
+            if (!isSigningCert(cert_i)) {
+                System.out.println("info: signing certificate is not a signing certificate");
+                System.exit(1);
             }
 
             PublicKey pubk = signerCert.getPublicKey(); |
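Review bot: In `isSigningCert`, `keyUsage[0]` is read without a length check and the index is unexplained; the JDK contract for `getKeyUsage()` guarantees one entry per KeyUsage bit, but `netscape.security.x509.X509CertImpl` is a project class whose contract is not visible here, so a guard is cheap insurance: `if (keyUsage == null || keyUsage.length == 0) return false;` followed by `return keyUsage[0]; // KeyUsage bit 0 = digitalSignature`. The `catch (Exception e)` block prints the stack trace and then silently maps any parsing failure to "not a signing certificate", which the caller cannot distinguish from a genuinely wrong key usage; at least narrow the catch or log why the extension could not be read. The method also lacks Javadoc; I would add a summary such as "Returns true when the certificate's KeyUsage extension asserts digitalSignature; false when the extension is absent or cannot be read."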
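Review bot: Replacing `cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)` with `isSigningCert(cert_i)` drops the trust-chain check together with the expiry check, so any certificate under the given nickname whose KeyUsage has digitalSignature set is now accepted as the audit signer, whether or not it chains to a trusted CA; the comment only mentions expired logs, so this wider effect should be stated explicitly, e.g. `// Validity is deliberately not checked so logs signed by an expired cert can still be verified;` / `// NOTE: this also skips the trust-chain check, so the nickname must name a trusted cert.` If the intent is only to tolerate expiry, consider keeping a chain check that ignores the validity period, assuming JSS offers one. The failure message `"info: signing certificate is not a signing certificate"` is printed before `System.exit(1)` and should use the same `ERROR:` prefix as the not-found branch a few lines above. `cert_i` and `signerCert_b` do not follow Java's lowerCamelCase convention (`signerCertImpl`, `signerCertDer`). The enclosing `main` starts and ends outside this hunk, so where `getEncoded()`'s checked exception is handled is not visible here.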
