From 62c685d157e6debee253b04a13b6616c8a0cdb32 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 8 May 2023 09:35:30 -0500
Subject: [PATCH] Replace CertUtils.verifySystemCertByNickname() with CertUtil.verifyCertificateUsage()
---
 .../cms/servlet/admin/CMSAdminServlet.java | 4 +-
 .../com/netscape/cmscore/apps/CMSEngine.java | 3 +-
 .../com/netscape/cmscore/cert/CertUtils.java | 73 ------------------
 3 files changed, 4 insertions(+), 76 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index eebd1c9f6ab..8e0ec15f94d 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -37,6 +37,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.dogtag.util.cert.CertUtil;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.NoSuchTokenException;
 import org.mozilla.jss.NotInitializedException;
@@ -66,7 +67,6 @@
 import com.netscape.cmscore.apps.DatabaseConfig;
 import com.netscape.cmscore.apps.EngineConfig;
 import com.netscape.cmscore.base.ConfigStore;
-import com.netscape.cmscore.cert.CertUtils;
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.logging.Auditor;
 import com.netscape.cmscore.security.JssSubsystem;
@@ -1452,7 +1452,7 @@ else if (index > 0 && (index < (nickname.length() - 1))) {
 boolean verified = false;
 try {
 logger.debug("CMSAdminServlet: verifying system certificate " + nickname);
- CertUtils.verifySystemCertByNickname(nickname, null);
+ CertUtil.verifyCertificateUsage(nickname, null);
 verified = true;
 auditMessage = CMS.getLogMessage(
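Review bot: The replacement call `CertUtil.verifyCertificateUsage(nickname, null)` in the @@ -1452 hunk hands a null usage to a method whose null handling is not visible in this patch, whereas the code it replaces (see the CertUtils.java deletion further down) mapped a null or empty usage to CheckAllUsages, queried isCertValid, and threw for a certificate whose usage bits came back as basicCertificateUsages. If the new helper treats a null usage as "nothing to check", the `verified = true` and the success audit message that follow would be recorded for a certificate the old path rejected, so this is worth confirming against CertUtil before merge. A one-line comment at the call site would pin the expectation: `// null usage: CertUtil must still check all usages and reject an unusable cert (was CertUtils.verifySystemCertByNickname)`. The same substitution appears in the CMSEngine.java hunk inside verifySystemCertByTag, where `certusage` may likewise be null. The enclosing servlet method starts and ends outside this hunk.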
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
index b04d4d38396..754fd26ccf5 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
@@ -39,6 +39,7 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.dogtag.util.cert.CertUtil;
 import org.dogtagpki.server.PKIClientSocketListener;
 import org.dogtagpki.server.PKIServerSocketListener;
 import org.dogtagpki.server.authentication.AuthenticationConfig;
@@ -1869,7 +1870,7 @@ public void verifySystemCertByTag(String tag, boolean checkValidityOnly) throws
 }
 if (!checkValidityOnly) {
- CertUtils.verifySystemCertByNickname(nickname, certusage);
+ CertUtil.verifyCertificateUsage(nickname, certusage);
 } else {
 CertUtils.verifySystemCertValidityByNickname(nickname);
 }
diff --git a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
index 62d1d49163b..acb48ac5e3c 100644
--- a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
@@ -37,7 +37,6 @@
 import java.util.StringTokenizer;
 import org.dogtag.util.cert.CertUtil;
-import org.mozilla.jss.CertificateUsage;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.SEQUENCE;
 import org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension;
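Review bot: The @@ -1869 hunk leaves verifySystemCertByTag calling two near-identically named helpers in adjacent branches, `CertUtil.verifyCertificateUsage` in the `if` and `CertUtils.verifySystemCertValidityByNickname` in the `else`, which is easy to misread as a typo on the next edit. A short comment above the `if` would mark the split as deliberate, e.g. `// usage check now in org.dogtag.util.cert.CertUtil; validity-only check still lives in cmscore CertUtils`. The enclosing method starts before this hunk, and how its caller handles the exception from either branch is not visible here.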
@@ -849,78 +848,6 @@ public static void verifySystemCertValidityByNickname(String nickname) throws Ex
 }
 }
- /*
- * verify a certificate by its nickname
- * @throws Exception if something is wrong
- */
- public static void verifySystemCertByNickname(String nickname, String certusage) throws Exception {
- logger.debug("CertUtils: verifySystemCertByNickname(" + nickname + ", " + certusage + ")");
- CertificateUsage cu = CertUtil.toCertificateUsage(certusage);
- int ccu = 0;
-
- if (cu == null) {
- logger.debug("CertUtils: verifySystemCertByNickname() failed: " +
- nickname + " with unsupported certusage =" + certusage);
- throw new Exception("Unsupported certificate usage " + certusage + " in certificate " + nickname);
- }
-
- if (certusage == null || certusage.equals(""))
- logger.debug("CertUtils: verifySystemCertByNickname(): required certusage not defined, getting current certusage");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- if (cu.getUsage() != CertificateUsage.CheckAllUsages.getUsage()) {
- logger.debug("CertUtils: verifySystemCertByNickname(): calling verifyCertificate(" + nickname + ", true, " + cu + ")");
- try {
- cm.verifyCertificate(nickname, true, cu);
- } catch (CertificateException e) {
- throw new Exception("Certificate " + nickname + " is invalid: " + e.getMessage(), e);
- }
-
- } else {
- logger.debug("CertUtils: verifySystemCertByNickname(): calling isCertValid(" + nickname + ", true)");
- // find out about current cert usage
- ccu = cm.isCertValid(nickname, true);
- if (ccu == CertificateUsage.basicCertificateUsages) {
- /* cert is good for nothing */
- logger.error("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" + nickname);
- throw new Exception("Unusable certificate " + nickname);
-
- }
- logger.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
-
- if ((ccu & CertificateUsage.SSLServer.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer");
- if ((ccu & CertificateUsage.SSLClient.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLClient");
- if ((ccu & CertificateUsage.SSLServerWithStepUp.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServerWithStepUp");
- if ((ccu & CertificateUsage.SSLCA.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is SSLCA");
- if ((ccu & CertificateUsage.EmailSigner.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is EmailSigner");
- if ((ccu & CertificateUsage.EmailRecipient.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is EmailRecipient");
- if ((ccu & CertificateUsage.ObjectSigner.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is ObjectSigner");
- if ((ccu & CertificateUsage.UserCertImport.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is UserCertImport");
- if ((ccu & CertificateUsage.VerifyCA.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is VerifyCA");
- if ((ccu & CertificateUsage.ProtectedObjectSigner.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is ProtectedObjectSigner");
- if ((ccu & CertificateUsage.StatusResponder.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is StatusResponder");
- if ((ccu & CertificateUsage.AnyCA.getUsage()) != 0)
- logger.debug("CertUtils: verifySystemCertByNickname(): cert is AnyCA");
- }
-
- } catch (Exception e) {
- logger.error("CertUtils: verifySystemCertByNickname() failed: " + e.getMessage(), e);
- throw e;
- }
- }
- /*
- * addCTpoisonExt adds the Certificate Transparency V1 poison extension
- * to the Ceritificate Info