From 2f397c05020e7d85886a1146c963d5a7900e09f3 Mon Sep 17 00:00:00 2001
From: cfu
Date: Fri, 23 Jan 2009 03:56:06 +0000
Subject: 481237 - signed audit

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@183 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
---
 .../src/com/netscape/cmstools/AuditVerify.java | 31 ++++++++++++++++++----
 1 file changed, 26 insertions(+), 5 deletions(-)

(limited to 'pki/base/java-tools/src/com')

diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 3207c2f76..955004c25 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.util.Base64InputStream;
 import java.security.*;
 import java.security.interfaces.*;
+import netscape.security.x509.X509CertImpl;
 
 /**
  * Tool for verifying signed audit logs
@@ -92,6 +93,17 @@ public class AuditVerify {
 return (matchingFiles.length > 0);
 }
 
+ public static boolean isSigningCert(X509CertImpl cert) {
+ boolean[] keyUsage = null;
+
+ try {
+ keyUsage = cert.getKeyUsage();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ return (keyUsage == null) ? false : keyUsage[0];
+ }
+
 public static void main(String args[]) {
 try {
 
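Review bot: `isSigningCert` indexes `keyUsage[0]` without checking the array length, so if `getKeyUsage()` ever returns a bit array decoded shorter than expected the method throws ArrayIndexOutOfBoundsException instead of returning false; `return keyUsage != null && keyUsage.length > 0 && keyUsage[0];` keeps the fail-closed result in every case. The method name is broader than what it tests, so a comment should pin the contract: `// true only when the KeyUsage extension is present and its digitalSignature bit (index 0) is set; no extension or a decode error yields false`. The broad `catch (Exception e)` with `e.printStackTrace()` sends the only diagnostic to stderr while every other message in this tool goes to System.out; `System.out.println("ERROR: cannot read KeyUsage extension: " + e);` before the return would keep the operator-facing output consistent with main().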
@@ -165,12 +177,21 @@ public class AuditVerify {
 CryptoManager cm = CryptoManager.getInstance();
 X509Certificate signerCert = cm.findCertByNickname(signerNick);
 
+ X509CertImpl cert_i = null;
+ if (signerCert != null) {
+ byte[] signerCert_b = signerCert.getEncoded();
+ cert_i = new X509CertImpl(signerCert_b);
+ } else {
+ System.out.println("ERROR: signing certificate not found");
+ System.exit(1);
+ }
+
 // verify signer's certificate
- if( ! cm.isCertValid(signerNick, true,
- CryptoManager.CertUsage.EmailSigner) )
- {
- System.out.println("Error: signing certificate is not valid");
- System.exit(1);
+ // not checking validity because we want to allow verifying old logs
+ //
+ if (!isSigningCert(cert_i)) {
+ System.out.println("info: signing certificate is not a signing certificate");
+ System.exit(1);
 }
 
 PublicKey pubk = signerCert.getPublicKey();
-- cgit
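Review bot: The new `if (!isSigningCert(cert_i))` check tests only the digitalSignature key-usage bit, so dropping `cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)` removes not just the expiry check the comment mentions but also the trust-chain and EmailSigner usage verification JSS performed; a certificate that merely exists in the NSS database under that nickname, with no trusted issuer, now passes as the log signer. The comment should state that scope so a later reader does not assume the chain is still validated: `// not checking validity (expiry, trust chain, usage) because we want to allow verifying old logs; only the KeyUsage digitalSignature bit is tested`. The failure message uses an `info:` prefix yet exits with status 1; `System.out.println("ERROR: signing certificate is not a signing certificate");` matches the `ERROR:` branch added a few lines above. main() starts and ends outside the hunk.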