Replace CertUtils.verifySystemCertByNickname() with CertUtil.verifyCe…

…rtificateUsage()
dogtagpki · May 8, 2023 · 62c685d · 62c685d
1 parent 3c4b8d5
commit 62c685d
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 76 deletions.
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -37,6 +37,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.dogtag.util.cert.CertUtil;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.NoSuchTokenException;
 import org.mozilla.jss.NotInitializedException;
@@ -66,7 +67,6 @@
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.base.ConfigStore;
-import com.netscape.cmscore.cert.CertUtils;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.logging.Auditor;
 import com.netscape.cmscore.security.JssSubsystem;
@@ -1452,7 +1452,7 @@ else if (index > 0 && (index < (nickname.length() - 1))) {
             boolean verified = false;
             try {
                 logger.debug("CMSAdminServlet: verifying system certificate " + nickname);
-                CertUtils.verifySystemCertByNickname(nickname, null);
+                CertUtil.verifyCertificateUsage(nickname, null);
                 verified = true;
 
                 auditMessage = CMS.getLogMessage(

diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
@@ -39,6 +39,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.dogtag.util.cert.CertUtil;
 import org.dogtagpki.server.PKIClientSocketListener;
 import org.dogtagpki.server.PKIServerSocketListener;
 import org.dogtagpki.server.authentication.AuthenticationConfig;
@@ -1869,7 +1870,7 @@ public void verifySystemCertByTag(String tag, boolean checkValidityOnly) throws
             }
 
             if (!checkValidityOnly) {
-                CertUtils.verifySystemCertByNickname(nickname, certusage);
+                CertUtil.verifyCertificateUsage(nickname, certusage);
             } else {
                 CertUtils.verifySystemCertValidityByNickname(nickname);
             }

diff --git a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
@@ -37,7 +37,6 @@
 import java.util.StringTokenizer;
 
 import org.dogtag.util.cert.CertUtil;
-import org.mozilla.jss.CertificateUsage;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.SEQUENCE;
 import org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension;
@@ -849,78 +848,6 @@ public static void verifySystemCertValidityByNickname(String nickname) throws Ex
         }
     }
 
-    /*
-     * verify a certificate by its nickname
-     * @throws Exception if something is wrong
-     */
-    public static void verifySystemCertByNickname(String nickname, String certusage) throws Exception {
-        logger.debug("CertUtils: verifySystemCertByNickname(" + nickname + ", " + certusage + ")");
-        CertificateUsage cu = CertUtil.toCertificateUsage(certusage);
-        int ccu = 0;
-
-        if (cu == null) {
-            logger.debug("CertUtils: verifySystemCertByNickname() failed: " +
-                    nickname + " with unsupported certusage =" + certusage);
-            throw new Exception("Unsupported certificate usage " + certusage + " in certificate " + nickname);
-        }
-
-        if (certusage == null || certusage.equals(""))
-            logger.debug("CertUtils: verifySystemCertByNickname(): required certusage not defined, getting current certusage");
-
-        try {
-            CryptoManager cm = CryptoManager.getInstance();
-            if (cu.getUsage() != CertificateUsage.CheckAllUsages.getUsage()) {
-                logger.debug("CertUtils: verifySystemCertByNickname(): calling verifyCertificate(" + nickname + ", true, " + cu + ")");
-                try {
-                    cm.verifyCertificate(nickname, true, cu);
-                } catch (CertificateException e) {
-                    throw new Exception("Certificate " + nickname + " is invalid: " + e.getMessage(), e);
-                }
-
-            } else {
-                logger.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid(" + nickname + ", true)");
-                // find out about current cert usage
-                ccu = cm.isCertValid(nickname, true);
-                if (ccu == CertificateUsage.basicCertificateUsages) {
-                    /* cert is good for nothing */
-                    logger.error("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" + nickname);
-                    throw new Exception("Unusable certificate " + nickname);
-
-                }
-                logger.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
-
-                if ((ccu & CertificateUsage.SSLServer.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer");
-                if ((ccu & CertificateUsage.SSLClient.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLClient");
-                if ((ccu & CertificateUsage.SSLServerWithStepUp.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServerWithStepUp");
-                if ((ccu & CertificateUsage.SSLCA.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLCA");
-                if ((ccu & CertificateUsage.EmailSigner.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is EmailSigner");
-                if ((ccu & CertificateUsage.EmailRecipient.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is EmailRecipient");
-                if ((ccu & CertificateUsage.ObjectSigner.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is ObjectSigner");
-                if ((ccu & CertificateUsage.UserCertImport.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is UserCertImport");
-                if ((ccu & CertificateUsage.VerifyCA.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is VerifyCA");
-                if ((ccu & CertificateUsage.ProtectedObjectSigner.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is ProtectedObjectSigner");
-                if ((ccu & CertificateUsage.StatusResponder.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is StatusResponder");
-                if ((ccu & CertificateUsage.AnyCA.getUsage()) != 0)
-                    logger.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
-            }
-
-        } catch (Exception e) {
-            logger.error("CertUtils: verifySystemCertByNickname() failed: " + e.getMessage(), e);
-            throw e;
-        }
-    }
-
     /*
      * addCTpoisonExt adds the Certificate Transparency V1 poison extension
      * to the Ceritificate Info