Move CertUtils.verifySystemCertValidityByNickname() to CertUtil

dogtagpki · May 9, 2023 · e0500c5 · e0500c5
1 parent 1aae652
commit e0500c5
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 26 deletions.
diff --git a/base/common/src/main/java/org/dogtag/util/cert/CertUtil.java b/base/common/src/main/java/org/dogtag/util/cert/CertUtil.java
@@ -19,6 +19,8 @@
 
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.Enumeration;
 import java.util.HashSet;
@@ -48,6 +50,7 @@
 import org.mozilla.jss.netscape.security.x509.GeneralNames;
 import org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension;
 import org.mozilla.jss.netscape.security.x509.X500Name;
+import org.mozilla.jss.netscape.security.x509.X509CertImpl;
 import org.mozilla.jss.pkcs11.PK11Store;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -409,4 +412,30 @@ public static void verifyCertificateUsage(String nickname, String certUsage) thr
         // check the specified usage
         cm.verifyCertificate(nickname, true, cu);
     }
+
+    /**
+     * Verify that the cert is currently valid (notBefore <= now <= notAfter).
+     */
+    public static void verifyCertValidity(String nickname) throws Exception {
+
+        logger.info("CertUtil: Checking cert validity for " + nickname);
+
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname);
+
+            X509CertImpl impl = new X509CertImpl(cert.getEncoded());
+            impl.checkValidity();
+
+        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
+            String message = "Invalid certificate " + nickname + ": " + e.getMessage();
+            logger.error(message, e);
+            throw new Exception(message, e);
+
+        } catch (Exception e) {
+            String message = "Unable to validate certificate " + nickname + ": " + e.getMessage();
+            logger.error(message, e);
+            throw new Exception(message, e);
+        }
+    }
 }
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java b/base/server/src/main/java/com/netscape/cmscore/apps/CMSEngine.java
@@ -69,7 +69,6 @@
 import com.netscape.cmscore.base.ConfigStorage;
 import com.netscape.cmscore.base.ConfigStore;
 import com.netscape.cmscore.base.FileConfigStorage;
-import com.netscape.cmscore.cert.CertUtils;
 import com.netscape.cmscore.cert.OidLoaderSubsystem;
 import com.netscape.cmscore.cert.X500NameSubsystem;
 import com.netscape.cmscore.dbs.DBSubsystem;
@@ -1872,7 +1871,7 @@ public void verifySystemCertByTag(String tag, boolean checkValidityOnly) throws
             if (!checkValidityOnly) {
                 CertUtil.verifyCertificateUsage(nickname, certusage);
             } else {
-                CertUtils.verifySystemCertValidityByNickname(nickname);
+                CertUtil.verifyCertValidity(nickname);
             }
 
             auditMessage = CMS.getLogMessage(

diff --git a/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java b/base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java
@@ -37,7 +37,6 @@
 import java.util.StringTokenizer;
 
 import org.dogtag.util.cert.CertUtil;
-import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.SEQUENCE;
 import org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension;
 import org.mozilla.jss.netscape.security.pkcs.PKCS10;
@@ -825,29 +824,6 @@ public static String trimB64E(String b64e) {
         return tmp.toString();
     }
 
-    public static void verifySystemCertValidityByNickname(String nickname) throws Exception {
-
-        logger.info("CertUtils: Validating certificate " + nickname);
-
-        try {
-            CryptoManager cm = CryptoManager.getInstance();
-            org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname);
-
-            X509CertImpl impl = new X509CertImpl(cert.getEncoded());
-            impl.checkValidity();
-
-        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
-            String message = "Invalid certificate " + nickname + ": " + e.getMessage();
-            logger.error(message, e);
-            throw new Exception(message, e);
-
-        } catch (Exception e) {
-            String message = "Unable to validate certificate " + nickname + ": " + e.getMessage();
-            logger.error(message, e);
-            throw new Exception(message, e);
-        }
-    }
-
     /*
      * addCTpoisonExt adds the Certificate Transparency V1 poison extension
      * to the Ceritificate Info