path: root/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java')
-rw-r--r--pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java473
1 files changed, 242 insertions, 231 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
index 5a49d06e..4b45c48c 100644
--- a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmscore.cert;
-
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
@@ -64,10 +63,9 @@ import com.netscape.certsrv.logging.ILogger;
import com.netscape.osutil.OSUtil;
/**
- * Utility class with assorted methods to check for
- * smime pairs, determining the type of cert - signature
- * or encryption ..etc.
- *
+ * Utility class with assorted methods to check for smime pairs, determining the
+ * type of cert - signature or encryption ..etc.
+ *
* @author kanda
* @version $Revision$, $Date$
*/
@@ -78,20 +76,17 @@ public class CertUtils {
public static final String CERT_REQUEST_TRAILER = "-----END CERTIFICATE REQUEST-----";
public static final String CERT_RENEWAL_HEADER = "-----BEGIN RENEWAL CERTIFICATE REQUEST-----";
public static final String CERT_RENEWAL_TRAILER = "-----END RENEWAL CERTIFICATE REQUEST-----";
- public static final String BEGIN_CRL_HEADER =
- "-----BEGIN CERTIFICATE REVOCATION LIST-----";
- public static final String END_CRL_HEADER =
- "-----END CERTIFICATE REVOCATION LIST-----";
+ public static final String BEGIN_CRL_HEADER = "-----BEGIN CERTIFICATE REVOCATION LIST-----";
+ public static final String END_CRL_HEADER = "-----END CERTIFICATE REVOCATION LIST-----";
protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
- private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
- "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+ private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION = "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
/**
* Remove the header and footer in the PKCS10 request.
*/
public static String unwrapPKCS10(String request, boolean checkHeader)
- throws EBaseException {
+ throws EBaseException {
String unwrapped;
String header = null;
int head = -1;
@@ -112,7 +107,8 @@ public class CertUtils {
head = request.indexOf(CERT_REQUEST_HEADER);
trail = request.indexOf(CERT_REQUEST_TRAILER);
- // If this is not a request header, check if this is a renewal header.
+ // If this is not a request header, check if this is a renewal
+ // header.
if (!(head == -1 && trail == -1)) {
header = CERT_REQUEST_HEADER;
@@ -130,10 +126,12 @@ public class CertUtils {
// Now validate if any headers or trailers are in place
if (head == -1 && checkHeader) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_HEADER"));
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_HEADER"));
}
if (trail == -1 && checkHeader) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_TRAILER"));
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_MISSING_PKCS10_TRAILER"));
}
if (header != null) {
@@ -162,41 +160,44 @@ public class CertUtils {
pkcs10 = new PKCS10(decodedBytes);
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INTERNAL_ERROR", e.toString()));
}
return pkcs10;
}
- public static void setRSAKeyToCertInfo(X509CertInfo info,
- byte encoded[]) throws EBaseException {
+ public static void setRSAKeyToCertInfo(X509CertInfo info, byte encoded[])
+ throws EBaseException {
try {
if (info == null) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
}
- X509Key key = new X509Key(AlgorithmId.getAlgorithmId(
- "RSAEncryption"), encoded);
+ X509Key key = new X509Key(
+ AlgorithmId.getAlgorithmId("RSAEncryption"), encoded);
info.set(X509CertInfo.KEY, key);
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
}
}
- public static X509CertInfo createCertInfo(int ver,
- BigInteger serialno, String alg, String issuerName,
- Date notBefore, Date notAfter) throws EBaseException {
+ public static X509CertInfo createCertInfo(int ver, BigInteger serialno,
+ String alg, String issuerName, Date notBefore, Date notAfter)
+ throws EBaseException {
try {
X509CertInfo info = new X509CertInfo();
info.set(X509CertInfo.VERSION, new CertificateVersion(ver));
- info.set(X509CertInfo.SERIAL_NUMBER, new
- CertificateSerialNumber(serialno));
- info.set(X509CertInfo.ALGORITHM_ID, new
- CertificateAlgorithmId(AlgorithmId.getAlgorithmId(alg)));
- info.set(X509CertInfo.ISSUER, new
- CertificateIssuerName(new X500Name(issuerName)));
- info.set(X509CertInfo.VALIDITY, new
- CertificateValidity(notBefore, notAfter));
+ info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
+ serialno));
+ info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(
+ AlgorithmId.getAlgorithmId(alg)));
+ info.set(X509CertInfo.ISSUER, new CertificateIssuerName(
+ new X500Name(issuerName)));
+ info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore,
+ notAfter));
return info;
} catch (Exception e) {
System.out.println(e.toString());
@@ -233,19 +234,20 @@ public class CertUtils {
return false;
else if (keyUsage.length == 3)
return keyUsage[2];
- else return keyUsage[2] || keyUsage[3];
+ else
+ return keyUsage[2] || keyUsage[3];
}
public static boolean haveSameValidityPeriod(X509CertImpl cert1,
- X509CertImpl cert2) {
+ X509CertImpl cert2) {
long notBefDiff = 0;
long notAfterDiff = 0;
try {
- notBefDiff = Math.abs(cert1.getNotBefore().getTime() -
- cert2.getNotBefore().getTime());
- notAfterDiff = Math.abs(cert1.getNotAfter().getTime() -
- cert2.getNotAfter().getTime());
+ notBefDiff = Math.abs(cert1.getNotBefore().getTime()
+ - cert2.getNotBefore().getTime());
+ notAfterDiff = Math.abs(cert1.getNotAfter().getTime()
+ - cert2.getNotAfter().getTime());
} catch (Exception e) {
e.printStackTrace();
}
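Review bot: In haveSameValidityPeriod the `catch (Exception e)` at the end of the hunk only calls `e.printStackTrace()` and leaves `notBefDiff` and `notAfterDiff` at their initial 0, so a failure to read either validity date becomes indistinguishable from two certificates with identical validity. The comparison that consumes the diffs is below the hunk, but judging from the `return true;` shown in the next hunk the pair would presumably be accepted, and isSmimePair builds on this result. Failing closed is the safer behavior and keeps the file's own logging style: `} catch (Exception e) { CMS.debug("CertUtils: haveSameValidityPeriod() failed: " + e.toString()); return false; }`. haveSameValidityPeriod's body continues past the hunk.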
@@ -255,7 +257,8 @@ public class CertUtils {
return true;
}
- public static boolean isSmimePair(X509CertImpl cert1, X509CertImpl cert2, boolean matchSubjectDN) {
+ public static boolean isSmimePair(X509CertImpl cert1, X509CertImpl cert2,
+ boolean matchSubjectDN) {
// Check for subjectDN equality.
if (matchSubjectDN) {
String dn1 = cert1.getSubjectDN().toString();
@@ -264,27 +267,27 @@ public class CertUtils {
if (!sameSubjectDN(dn1, dn2))
return false;
}
-
+
// Check for the presence of signing and encryption certs.
boolean hasSigningCert = isSigningCert(cert1) || isSigningCert(cert2);
if (!hasSigningCert)
return false;
- boolean hasEncryptionCert = isEncryptionCert(cert1) || isEncryptionCert(cert2);
+ boolean hasEncryptionCert = isEncryptionCert(cert1)
+ || isEncryptionCert(cert2);
if (!hasEncryptionCert)
return false;
- // If both certs have signing & encryption usage set, they are
- // not really pairs.
- if ((isSigningCert(cert1) && isEncryptionCert(cert1)) ||
- (isSigningCert(cert2) && isEncryptionCert(cert2)))
+ // If both certs have signing & encryption usage set, they are
+ // not really pairs.
+ if ((isSigningCert(cert1) && isEncryptionCert(cert1))
+ || (isSigningCert(cert2) && isEncryptionCert(cert2)))
return false;
- // See if the certs have the same validity.
- boolean haveSameValidity =
- haveSameValidityPeriod(cert1, cert2);
+ // See if the certs have the same validity.
+ boolean haveSameValidity = haveSameValidityPeriod(cert1, cert2);
return haveSameValidity;
}
@@ -341,7 +344,8 @@ public class CertUtils {
return ret;
}
- public static String getValidCertsDisplayInfo(String cn, X509CertImpl[] validCerts) {
+ public static String getValidCertsDisplayInfo(String cn,
+ X509CertImpl[] validCerts) {
StringBuffer sb = new StringBuffer(1024);
sb.append(cn + "'s Currently Valid Certificates\n\n");
@@ -349,7 +353,8 @@ public class CertUtils {
return new String(sb);
}
- public static String getExpiredCertsDisplayInfo(String cn, X509CertImpl[] expiredCerts) {
+ public static String getExpiredCertsDisplayInfo(String cn,
+ X509CertImpl[] expiredCerts) {
StringBuffer sb = new StringBuffer(1024);
sb.append(cn + "'s Expired Certificates\n\n");
@@ -358,7 +363,7 @@ public class CertUtils {
}
public static String getRenewedCertsDisplayInfo(String cn,
- X509CertImpl[] validCerts, X509CertImpl[] renewedCerts) {
+ X509CertImpl[] validCerts, X509CertImpl[] renewedCerts) {
StringBuffer sb = new StringBuffer(1024);
if (validCerts != null) {
@@ -386,25 +391,29 @@ public class CertUtils {
signingCert = validCerts[1];
encryptionCert = validCerts[0];
}
- sb.append("Signing Certificate Serial No: " + signingCert.getSerialNumber().toString(16).toUpperCase());
+ sb.append("Signing Certificate Serial No: "
+ + signingCert.getSerialNumber().toString(16).toUpperCase());
sb.append("\n");
- sb.append("Encryption Certificate Serial No: " + encryptionCert.getSerialNumber().toString(16).toUpperCase());
+ sb.append("Encryption Certificate Serial No: "
+ + encryptionCert.getSerialNumber().toString(16).toUpperCase());
sb.append("\n");
- sb.append("Validity: From: " + signingCert.getNotBefore().toString() + " To: " + signingCert.getNotAfter().toString());
+ sb.append("Validity: From: " + signingCert.getNotBefore().toString()
+ + " To: " + signingCert.getNotAfter().toString());
sb.append("\n");
return new String(sb);
}
/**
* Returns the index of the given cert in an array of certs.
- *
- * Assumptions: The certs are issued by the same CA
- *
- * @param certArray The array of certs.
- * @param givenCert The certificate we are lokking for in the array.
+ *
+ * Assumptions: The certs are issued by the same CA
+ *
+ * @param certArray The array of certs.
+ * @param givenCert The certificate we are lokking for in the array.
* @return -1 if not found or the index of the given cert in the array.
*/
- public static int getCertIndex(X509CertImpl[] certArray, X509CertImpl givenCert) {
+ public static int getCertIndex(X509CertImpl[] certArray,
+ X509CertImpl givenCert) {
int i = 0;
for (; i < certArray.length; i++) {
@@ -418,21 +427,21 @@ public class CertUtils {
}
/**
- * Returns the most recently issued signing certificate from an
- * an array of certs.
- *
- * Assumptions: The certs are issued by the same CA
- *
- * @param certArray The array of certs.
- * @param givenCert The certificate we are lokking for in the array.
+ * Returns the most recently issued signing certificate from an an array of
+ * certs.
+ *
+ * Assumptions: The certs are issued by the same CA
+ *
+ * @param certArray The array of certs.
+ * @param givenCert The certificate we are lokking for in the array.
* @return null if there is no recent cert or the most recent cert.
*/
public static X509CertImpl getRecentSigningCert(X509CertImpl[] certArray,
- X509CertImpl currentCert) {
+ X509CertImpl currentCert) {
if (certArray == null || currentCert == null)
return null;
- // Sort the certificate array.
+ // Sort the certificate array.
Arrays.sort(certArray, new CertDateCompare());
// Get the index of the current cert in the array.
@@ -446,8 +455,9 @@ public class CertUtils {
for (; i < certArray.length; i++) {
// Check if it is a signing cert and has its
// NotAfter later than the current cert.
- if (isSigningCert(certArray[i]) &&
- certArray[i].getNotAfter().after(recentCert.getNotAfter()))
+ if (isSigningCert(certArray[i])
+ && certArray[i].getNotAfter().after(
+ recentCert.getNotAfter()))
recentCert = certArray[i];
}
return ((recentCert == currentCert) ? null : recentCert);
@@ -466,14 +476,13 @@ public class CertUtils {
// Is is object signing cert?
try {
- CertificateExtensions extns = (CertificateExtensions)
- cert.get(X509CertImpl.NAME + "." +
- X509CertImpl.INFO + "." +
- X509CertInfo.EXTENSIONS);
+ CertificateExtensions extns = (CertificateExtensions) cert
+ .get(X509CertImpl.NAME + "." + X509CertImpl.INFO + "."
+ + X509CertInfo.EXTENSIONS);
if (extns != null) {
- NSCertTypeExtension nsExtn = (NSCertTypeExtension)
- extns.get(NSCertTypeExtension.NAME);
+ NSCertTypeExtension nsExtn = (NSCertTypeExtension) extns
+ .get(NSCertTypeExtension.NAME);
if (nsExtn != null) {
String nsType = getNSExtensionInfo(nsExtn);
@@ -485,7 +494,7 @@ public class CertUtils {
}
}
}
- }catch (Exception e) {
+ } catch (Exception e) {
}
return (sb.length() > 0) ? sb.toString() : null;
}
@@ -517,14 +526,13 @@ public class CertUtils {
res = (Boolean) nsExtn.get(NSCertTypeExtension.OBJECT_SIGNING_CA);
if (res.equals(Boolean.TRUE))
sb.append(" object_signing_CA");
- }catch (Exception e) {
+ } catch (Exception e) {
}
return (sb.length() > 0) ? sb.toString() : null;
}
- public static byte[] readFromFile(String fileName)
- throws IOException {
+ public static byte[] readFromFile(String fileName) throws IOException {
FileInputStream fin = new FileInputStream(fileName);
int available = fin.available();
byte[] ba = new byte[available];
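Review bot: `fin.available()` on the next-to-last line of the hunk is only an estimate of the bytes readable without blocking, not the file length, so `ba` can be undersized and the caller receives a truncated DER blob that fails to parse (or parses as something shorter than intended). readFromFile's body continues past the hunk, so whether `fin` is closed on every path is not visible here. If the build targets Java 7 or later, `byte[] ba = Files.readAllBytes(Paths.get(fileName));` (with `java.nio.file.Files` and `java.nio.file.Paths` imported) replaces the stream, the size guess and the close; otherwise read in a loop until `read()` returns -1 inside a try/finally that closes `fin`.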
@@ -537,7 +545,7 @@ public class CertUtils {
}
public static void storeInFile(String fileName, byte[] ba)
- throws IOException {
+ throws IOException {
FileOutputStream fout = new FileOutputStream(fileName);
fout.write(ba);
@@ -546,17 +554,15 @@ public class CertUtils {
public static String toMIME64(X509CertImpl cert) {
try {
- return
- "-----BEGIN CERTIFICATE-----\n" +
- com.netscape.osutil.OSUtil.BtoA(cert.getEncoded()) +
- "-----END CERTIFICATE-----\n";
+ return "-----BEGIN CERTIFICATE-----\n"
+ + com.netscape.osutil.OSUtil.BtoA(cert.getEncoded())
+ + "-----END CERTIFICATE-----\n";
} catch (CertificateException e) {
}
return null;
}
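Review bot: The `catch (CertificateException e) {}` three lines above the end of the hunk still swallows the encoding failure, so toMIME64 returns null with no trace of why, and the same empty `catch (Exception e) {}` survives the reformat in the two hunks above that end in `return (sb.length() > 0) ? sb.toString() : null;`. Callers that treat null as "no certificate" cannot tell it apart from a certificate that could not be encoded. Log before falling through, as the rest of the file does: `CMS.debug("CertUtils: toMIME64() failed: " + e.toString());`.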
- public static X509Certificate mapCert(String mime64)
- throws IOException {
+ public static X509Certificate mapCert(String mime64) throws IOException {
mime64 = stripCertBrackets(mime64.trim());
String newval = normalizeCertStr(mime64);
byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval);
@@ -569,8 +575,8 @@ public class CertUtils {
return cert;
}
- public static X509Certificate[] mapCertFromPKCS7(String mime64)
- throws IOException {
+ public static X509Certificate[] mapCertFromPKCS7(String mime64)
+ throws IOException {
mime64 = stripCertBrackets(mime64.trim());
String newval = normalizeCertStr(mime64);
byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval);
@@ -584,8 +590,7 @@ public class CertUtils {
}
}
- public static X509CRL mapCRL(String mime64)
- throws IOException {
+ public static X509CRL mapCRL(String mime64) throws IOException {
mime64 = stripCRLBrackets(mime64.trim());
String newval = normalizeCertStr(mime64);
byte rawPub[] = com.netscape.osutil.OSUtil.AtoB(newval);
@@ -598,8 +603,7 @@ public class CertUtils {
return crl;
}
- public static X509CRL mapCRL1(String mime64)
- throws IOException {
+ public static X509CRL mapCRL1(String mime64) throws IOException {
mime64 = stripCRLBrackets(mime64.trim());
byte rawPub[] = OSUtil.AtoB(mime64);
X509CRL crl = null;
@@ -634,8 +638,8 @@ public class CertUtils {
if (s == null) {
return s;
}
- if ((s.startsWith("-----BEGIN CERTIFICATE REVOCATION LIST-----")) &&
- (s.endsWith("-----END CERTIFICATE REVOCATION LIST-----"))) {
+ if ((s.startsWith("-----BEGIN CERTIFICATE REVOCATION LIST-----"))
+ && (s.endsWith("-----END CERTIFICATE REVOCATION LIST-----"))) {
return (s.substring(43, (s.length() - 41)));
}
return s;
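Review bot: The hard-coded offsets in `s.substring(43, (s.length() - 41))` duplicate the lengths of `BEGIN_CRL_HEADER` and `END_CRL_HEADER`, which this class declares in the hunk near the top of the file, so the literals in the startsWith/endsWith test, the constants and the slice can drift apart silently. Use the constants for both the test and the slice: `if (s.startsWith(BEGIN_CRL_HEADER) && s.endsWith(END_CRL_HEADER)) {` / `return s.substring(BEGIN_CRL_HEADER.length(), s.length() - END_CRL_HEADER.length());`. The `27`/`25` and `35`/`33` offsets in the stripCertBrackets hunk below have the same shape and would benefit from the same treatment (with `CERT_REQUEST_HEADER`-style constants for those markers). stripCRLBrackets's signature is above this hunk.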
@@ -643,8 +647,9 @@ public class CertUtils {
/**
* strips out the begin and end certificate brackets
+ *
* @param s the string potentially bracketed with
- * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
+ * "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
* @return string without the brackets
*/
public static String stripCertBrackets(String s) {
@@ -652,14 +657,14 @@ public class CertUtils {
return s;
}
- if ((s.startsWith("-----BEGIN CERTIFICATE-----")) &&
- (s.endsWith("-----END CERTIFICATE-----"))) {
+ if ((s.startsWith("-----BEGIN CERTIFICATE-----"))
+ && (s.endsWith("-----END CERTIFICATE-----"))) {
return (s.substring(27, (s.length() - 25)));
}
// To support Thawte's header and footer
- if ((s.startsWith("-----BEGIN PKCS #7 SIGNED DATA-----")) &&
- (s.endsWith("-----END PKCS #7 SIGNED DATA-----"))) {
+ if ((s.startsWith("-----BEGIN PKCS #7 SIGNED DATA-----"))
+ && (s.endsWith("-----END PKCS #7 SIGNED DATA-----"))) {
return (s.substring(35, (s.length() - 33)));
}
@@ -667,13 +672,14 @@ public class CertUtils {
}
/**
- * Returns a string that represents a cert's fingerprint.
- * The fingerprint is a MD5 digest of the DER encoded certificate.
- * @param cert Certificate to get the fingerprint of.
+ * Returns a string that represents a cert's fingerprint. The fingerprint is
+ * a MD5 digest of the DER encoded certificate.
+ *
+ * @param cert Certificate to get the fingerprint of.
* @return a String that represents the cert's fingerprint.
*/
- public static String getFingerPrint(Certificate cert)
- throws CertificateEncodingException, NoSuchAlgorithmException {
+ public static String getFingerPrint(Certificate cert)
+ throws CertificateEncodingException, NoSuchAlgorithmException {
byte certDer[] = cert.getEncoded();
MessageDigest md = MessageDigest.getInstance("MD5");
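Review bot: The single-digest fingerprint on the last line of the hunk still uses `MessageDigest.getInstance("MD5")`, and the Javadoc above advertises it without saying what the value is fit for; MD5 collisions are practical, so a value computed here should only identify a certificate for display and never stand in for a comparison of the DER bytes or a trust decision. Add to the Javadoc: `Note: MD5 is collision-prone; use this value for display only and prefer getFingerPrints(byte[]) (which includes SHA-256 and SHA-512) for any identity comparison.` The stronger digests are already computed in the getFingerPrints(byte[]) hunk further down. getFingerPrint's body continues past the hunk.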
@@ -685,16 +691,17 @@ public class CertUtils {
sb.append(pp.toHexString(digestedCert, 4, 20));
return sb.toString();
}
-
+
/**
- * Returns a string that has the certificate's fingerprint using
- * MD5, MD2 and SHA1 hashes.
- * A certificate's fingerprint is a hash digest of the DER encoded
- * certificate.
+ * Returns a string that has the certificate's fingerprint using MD5, MD2
+ * and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER
+ * encoded certificate.
+ *
* @param cert Certificate to get the fingerprints of.
* @return a String with fingerprints using the MD5, MD2 and SHA1 hashes.
- * For example,
- * <pre>
+ * For example,
+ *
+ * <pre>
* MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
*
* MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
@@ -703,34 +710,33 @@ public class CertUtils {
* </pre>
*/
public static String getFingerPrints(Certificate cert)
- throws NoSuchAlgorithmException, CertificateEncodingException {
+ throws NoSuchAlgorithmException, CertificateEncodingException {
byte certDer[] = cert.getEncoded();
- /*
- String[] hashes = new String[] {"MD2", "MD5", "SHA1"};
- String certFingerprints = "";
- PrettyPrintFormat pp = new PrettyPrintFormat(":");
-
- for (int i = 0; i < hashes.length; i++) {
- MessageDigest md = MessageDigest.getInstance(hashes[i]);
-
- md.update(certDer);
- certFingerprints += " " + hashes[i] + ":" +
- pp.toHexString(md.digest(), 6 - hashes[i].length());
- }
- return certFingerprints;
- */
- return getFingerPrints(certDer);
+ /*
+ * String[] hashes = new String[] {"MD2", "MD5", "SHA1"}; String
+ * certFingerprints = ""; PrettyPrintFormat pp = new
+ * PrettyPrintFormat(":");
+ *
+ * for (int i = 0; i < hashes.length; i++) { MessageDigest md =
+ * MessageDigest.getInstance(hashes[i]);
+ *
+ * md.update(certDer); certFingerprints += " " + hashes[i] + ":" +
+ * pp.toHexString(md.digest(), 6 - hashes[i].length()); } return
+ * certFingerprints;
+ */
+ return getFingerPrints(certDer);
}
-
+
/**
- * Returns a string that has the certificate's fingerprint using
- * MD5, MD2 and SHA1 hashes.
- * A certificate's fingerprint is a hash digest of the DER encoded
- * certificate.
+ * Returns a string that has the certificate's fingerprint using MD5, MD2
+ * and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER
+ * encoded certificate.
+ *
* @param cert Certificate to get the fingerprints of.
* @return a String with fingerprints using the MD5, MD2 and SHA1 hashes.
- * For example,
- * <pre>
+ * For example,
+ *
+ * <pre>
* MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
*
* MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
@@ -739,9 +745,10 @@ public class CertUtils {
* </pre>
*/
public static String getFingerPrints(byte[] certDer)
- throws NoSuchAlgorithmException/*, CertificateEncodingException*/ {
- // byte certDer[] = cert.getEncoded();
- String[] hashes = new String[] {"MD2", "MD5", "SHA1", "SHA256", "SHA512"};
+ throws NoSuchAlgorithmException/* , CertificateEncodingException */{
+ // byte certDer[] = cert.getEncoded();
+ String[] hashes = new String[] { "MD2", "MD5", "SHA1", "SHA256",
+ "SHA512" };
String certFingerprints = "";
PrettyPrintFormat pp = new PrettyPrintFormat(":");
@@ -749,41 +756,42 @@ public class CertUtils {
MessageDigest md = MessageDigest.getInstance(hashes[i]);
md.update(certDer);
- certFingerprints += hashes[i] + ":\n" +
- pp.toHexString(md.digest(), 8, 16);
+ certFingerprints += hashes[i] + ":\n"
+ + pp.toHexString(md.digest(), 8, 16);
}
return certFingerprints;
}
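Review bot: The `hashes` array in this hunk lists `"SHA256"` and `"SHA512"`, but the Javadoc of getFingerPrints(byte[]) (which starts in the previous hunk) still says the result covers "MD5, MD2 and SHA1 hashes", so the documentation understates what the method returns and which digests a caller can rely on. Update the summary sentence to name all five algorithms, for example `Returns a string with the certificate's MD2, MD5, SHA1, SHA256 and SHA512 fingerprints, each as a hash digest of the DER encoded certificate.` The reformatted comment block inside getFingerPrints(Certificate) in the previous hunk is commented-out code that the method has already replaced with a delegation; it can be deleted rather than re-wrapped.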
/**
- * Check if a object identifier in string form is valid,
- * that is a string in the form n.n.n.n and der encode and decode-able.
+ * Check if a object identifier in string form is valid, that is a string in
+ * the form n.n.n.n and der encode and decode-able.
+ *
* @param attrName attribute name (from the configuration file)
* @param value object identifier string.
- */
+ */
public static ObjectIdentifier checkOID(String attrName, String value)
- throws EBaseException {
+ throws EBaseException {
String msg = "value must be a object identifier in the form n.n.n.n";
String msg1 = "not a valid object identifier.";
ObjectIdentifier oid;
- try {
- oid = ObjectIdentifier.getObjectIdentifier(value);
+ try {
+ oid = ObjectIdentifier.getObjectIdentifier(value);
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE",
- attrName, msg));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTR_VALUE", attrName, msg));
}
// if the OID isn't valid (ex. n.n) the error isn't caught til
// encoding time leaving a bad request in the request queue.
- try {
+ try {
DerOutputStream derOut = new DerOutputStream();
derOut.putOID(oid);
new ObjectIdentifier(new DerInputStream(derOut.toByteArray()));
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTR_VALUE",
- attrName, msg1));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTR_VALUE", attrName, msg1));
}
return oid;
}
@@ -803,20 +811,21 @@ public class CertUtils {
return tmp.toString();
}
-
+
/*
- * verify a certificate by its nickname
- * returns true if it verifies; false if any not
+ * verify a certificate by its nickname returns true if it verifies; false
+ * if any not
*/
- public static boolean verifySystemCertByNickname(String nickname, String certusage) {
+ public static boolean verifySystemCertByNickname(String nickname,
+ String certusage) {
boolean r = true;
- CertificateUsage cu = null;
+ CertificateUsage cu = null;
cu = getCertificateUsage(certusage);
int ccu = 0;
if (cu == null) {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+
- nickname + " with unsupported certusage ="+ certusage);
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: "
+ + nickname + " with unsupported certusage =" + certusage);
return false;
}
@@ -825,12 +834,15 @@ public class CertUtils {
CMS.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid()");
try {
CryptoManager cm = CryptoManager.getInstance();
- if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
+ if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages
+ .getUsage()) {
if (cm.isCertValid(nickname, true, cu)) {
r = true;
- CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+ CMS.debug("CertUtils: verifySystemCertByNickname() passed:"
+ + nickname);
} else {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed:" + nickname);
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed:"
+ + nickname);
r = false;
}
} else {
@@ -839,48 +851,60 @@ public class CertUtils {
if (ccu == CertificateUsage.basicCertificateUsages) {
/* cert is good for nothing */
r = false;
- CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:"+ nickname);
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:"
+ + nickname);
} else {
r = true;
- CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+ CMS.debug("CertUtils: verifySystemCertByNickname() passed:"
+ + nickname);
- if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.SSLServer
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer");
- if ((ccu & CryptoManager.CertificateUsage.SSLClient.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.SSLClient
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLClient");
- if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.SSLServerWithStepUp
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServerWithStepUp");
if ((ccu & CryptoManager.CertificateUsage.SSLCA.getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLCA");
- if ((ccu & CryptoManager.CertificateUsage.EmailSigner.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.EmailSigner
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailSigner");
- if ((ccu & CryptoManager.CertificateUsage.EmailRecipient.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.EmailRecipient
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is EmailRecipient");
- if ((ccu & CryptoManager.CertificateUsage.ObjectSigner.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.ObjectSigner
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is ObjectSigner");
- if ((ccu & CryptoManager.CertificateUsage.UserCertImport.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.UserCertImport
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is UserCertImport");
- if ((ccu & CryptoManager.CertificateUsage.VerifyCA.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.VerifyCA
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is VerifyCA");
- if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.ProtectedObjectSigner
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is ProtectedObjectSigner");
- if ((ccu & CryptoManager.CertificateUsage.StatusResponder.getUsage()) != 0)
+ if ((ccu & CryptoManager.CertificateUsage.StatusResponder
+ .getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is StatusResponder");
if ((ccu & CryptoManager.CertificateUsage.AnyCA.getUsage()) != 0)
CMS.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
}
}
} catch (Exception e) {
- CMS.debug("CertUtils: verifySystemCertByNickname() failed: "+
- e.toString());
+ CMS.debug("CertUtils: verifySystemCertByNickname() failed: "
+ + e.toString());
r = false;
}
return r;
}
/*
- * verify a certificate by its tag name
- * returns true if it verifies; false if any not
+ * verify a certificate by its tag name returns true if it verifies; false
+ * if any not
*/
public static boolean verifySystemCertByTag(String tag) {
String auditMessage = null;
@@ -896,52 +920,49 @@ public class CertUtils {
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
audit(auditMessage);
r = false;
return r;
}
- String nickname = config.getString(subsysType+".cert."+tag+".nickname", "");
+ String nickname = config.getString(subsysType + ".cert." + tag
+ + ".nickname", "");
if (nickname.equals("")) {
- CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag " + tag + " undefined in CS.cfg");
+ CMS.debug("CertUtils: verifySystemCertByTag() nickname for cert tag "
+ + tag + " undefined in CS.cfg");
r = false;
}
- String certusage = config.getString(subsysType+".cert."+tag+".certusage", "");
+ String certusage = config.getString(subsysType + ".cert." + tag
+ + ".certusage", "");
if (certusage.equals("")) {
- CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " + tag + " undefined in CS.cfg, getting current certificate usage");
+ CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag "
+ + tag
+ + " undefined in CS.cfg, getting current certificate usage");
}
r = verifySystemCertByNickname(nickname, certusage);
if (r == true) {
// audit here
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.SUCCESS,
- nickname);
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.SUCCESS, nickname);
audit(auditMessage);
} else {
// audit here
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- nickname);
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, nickname);
audit(auditMessage);
}
} catch (Exception e) {
- CMS.debug("CertUtils: verifySystemCertsByTag() failed: "+
- e.toString());
+ CMS.debug("CertUtils: verifySystemCertsByTag() failed: "
+ + e.toString());
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
audit(auditMessage);
r = false;
@@ -986,9 +1007,8 @@ public class CertUtils {
}
/*
- * goes through all system certs and check to see if they are good
- * and audit the result
- * returns true if all verifies; false if any not
+ * goes through all system certs and check to see if they are good and audit
+ * the result returns true if all verifies; false if any not
*/
public static boolean verifySystemCerts() {
String auditMessage = null;
@@ -1000,10 +1020,8 @@ public class CertUtils {
if (subsysType.equals("")) {
CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done");
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
audit(auditMessage);
r = false;
@@ -1013,23 +1031,21 @@ public class CertUtils {
if (subsysType == null) {
CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
audit(auditMessage);
r = false;
return r;
}
- String certlist = config.getString(subsysType+".cert.list", "");
+ String certlist = config.getString(subsysType + ".cert.list", "");
if (certlist.equals("")) {
- CMS.debug("CertUtils: verifySystemCerts() "+subsysType+ ".cert.list not defined in CS.cfg. System certificates verification not done");
+ CMS.debug("CertUtils: verifySystemCerts() "
+ + subsysType
+ + ".cert.list not defined in CS.cfg. System certificates verification not done");
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
audit(auditMessage);
r = false;
@@ -1045,12 +1061,10 @@ public class CertUtils {
} catch (Exception e) {
// audit here
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- "");
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID, ILogger.FAILURE, "");
- audit(auditMessage);
+ audit(auditMessage);
r = false;
CMS.debug("CertUtils: verifySystemCerts():" + e.toString());
}
@@ -1073,8 +1087,9 @@ public class CertUtils {
}
/**
- * Signed Audit Log
- * This method is called to store messages to the signed audit log.
+ * Signed Audit Log This method is called to store messages to the signed
+ * audit log.
+ *
* @param msg signed audit log message
*/
private static void audit(String msg) {
@@ -1084,12 +1099,8 @@ public class CertUtils {
return;
}
- mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null,
+ ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg);
}
-
}