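/**
 * Verifies that {@code hostname} is acceptable for the peer presented in {@code session}.
 *
 * <p>The default verifier is consulted first. If it rejects the name, the peer's leaf
 * certificate is compared with the certificate stored in the application keystore under the
 * lower-cased hostname alias (a previously accepted certificate). Anything else is either
 * handed to the user ({@code interactive}) or rejected.
 *
 * @param hostname the host name the connection was made to
 * @param session the established TLS session whose peer certificate is checked
 * @param interactive whether the user may be asked to accept an unknown certificate
 * @return {@code true} if the hostname is accepted for this session
 */
protected boolean verify(String hostname, SSLSession session, boolean interactive) {
  LOGGER.log(
      Level.FINE, "hostname verifier for " + hostname + ", trying default verifier first");
  // If the default verifier accepts the hostname, we are done.
  if (defaultVerifier.verify(hostname, session)) {
    LOGGER.log(Level.FINE, "default verifier accepted " + hostname);
    return true;
  }
  // Otherwise accept only if the peer's leaf certificate is the one stored in the app keystore
  // under the (lower-cased) hostname alias; anything else is left to the user.
  try {
    X509Certificate cert = (X509Certificate) session.getPeerCertificates()[0];
    if (cert.equals(appKeyStore.getCertificate(hostname.toLowerCase(Locale.US)))) {
      LOGGER.log(Level.FINE, "certificate for " + hostname + " is in our keystore. accepting.");
      return true;
    }
    LOGGER.log(
        Level.FINE, "server " + hostname + " provided wrong certificate, asking user.");
    // Non-interactive callers get a plain rejection instead of a prompt.
    return interactive && interactHostname(cert, hostname);
  } catch (Exception e) {
    // Deliberately broad: an unverified peer (SSLPeerUnverifiedException), a keystore error
    // (KeyStoreException) or a non-X.509 peer certificate (ClassCastException) all mean the
    // hostname cannot be confirmed, so fail closed and record the cause in the log instead of
    // dumping it to stderr.
    LOGGER.log(Level.WARNING, "hostname verification for " + hostname + " failed", e);
    return false;
  }
}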
 /**
  * Orders two X.509 certificates deterministically: nulls first, then by expiry (notAfter), the
  * subject and issuer name strings produced by {@code JavaImpl}, the serial number and finally
  * the DER encoding (lexicographically, shorter encoding first).
  *
  * <p>If an encoding cannot be obtained the two certificates are treated as equal.
  *
  * @param o1 first certificate (an {@code X509Certificate} or {@code null})
  * @param o2 second certificate (an {@code X509Certificate} or {@code null})
  * @return a negative number, zero or a positive number per the {@code Comparator} contract
  */
 public int compare(Object o1, Object o2) {
   X509Certificate left = (X509Certificate) o1;
   X509Certificate right = (X509Certificate) o2;
   // Same reference (including both null) is equal.
   if (left == right) {
     return 0;
   }
   // A null certificate sorts before any non-null one.
   if (left == null) {
     return -1;
   }
   if (right == null) {
     return 1;
   }
   if (left.equals(right)) {
     return 0;
   }
   int result = left.getNotAfter().compareTo(right.getNotAfter());
   if (result != 0) {
     return result;
   }
   result = JavaImpl.getSubjectX500(left).compareTo(JavaImpl.getSubjectX500(right));
   if (result != 0) {
     return result;
   }
   result = JavaImpl.getIssuerX500(left).compareTo(JavaImpl.getIssuerX500(right));
   if (result != 0) {
     return result;
   }
   result = left.getSerialNumber().compareTo(right.getSerialNumber());
   if (result != 0) {
     return result;
   }
   // Last resort: compare the raw encodings byte by byte, then by length.
   try {
     byte[] leftBytes = left.getEncoded();
     byte[] rightBytes = right.getEncoded();
     int common = Math.min(leftBytes.length, rightBytes.length);
     for (int idx = 0; idx < common; idx++) {
       int diff = leftBytes[idx] - rightBytes[idx];
       if (diff != 0) {
         return diff;
       }
     }
     return leftBytes.length - rightBytes.length;
   } catch (CertificateEncodingException cee) {
     // Cannot encode: give up and call them equal rather than fail the sort.
     return 0;
   }
 }
 /**
  * Decides whether {@code certificate} is acceptable for {@code hostname}.
  *
  * <p>The certificate is accepted if it equals the one stored in the application keystore under
  * the lower-cased hostname alias; otherwise the decision is delegated to the user.
  *
  * @param certificate the certificate presented for the host
  * @param hostname the host name, used (lower-cased) as the keystore alias
  * @return {@code true} if the certificate is pinned for the host or the user accepted it;
  *     {@code false} on refusal or on a keystore error
  */
 public boolean checkCertificate(X509Certificate certificate, String hostname) {
   // Alias lookup uses a fixed locale so the result does not depend on the JVM default locale.
   String alias = hostname.toLowerCase(Locale.US);
   try {
     if (certificate.equals(appKeyStore.getCertificate(alias))) {
       return true;
     }
     // Not the pinned certificate: let the user decide.
     return interactHostname(certificate, hostname);
   } catch (KeyStoreException e) {
     LOGGER.error("error while checking certificate", e);
     return false;
   }
 }
  /**
   * Find the index of the token corresponding to either the X509Certificate or PublicKey used to
   * sign the "signatureResult" argument.
   */
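  private int findCorrespondingTokenIndex(
      WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // What was used to sign this result: a certificate, a bare public key, or both may be set.
    X509Certificate cert =
        (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

    // Returns the index of the first result that carries the same certificate / public key, or
    // -1 if no token in "results" matches.
    for (int i = 0; i < results.size(); i++) {
      WSSecurityEngineResult token = results.get(i);
      Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
      // A signature result is never the token that produced it; a result without an action
      // cannot be classified below, so it is skipped instead of dereferencing null.
      if (actInt == null || actInt.intValue() == WSConstants.SIGN) {
        continue;
      }

      BinarySecurity binarySecurity =
          (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
      PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
      if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
        // X.509 / PKIPath token: match on the certificate (either side may be absent).
        X509Certificate foundCert =
            (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        if (cert != null && cert.equals(foundCert)) {
          return i;
        }
      } else if (actInt.intValue() == WSConstants.ST_SIGNED
          || actInt.intValue() == WSConstants.ST_UNSIGNED) {
        // SAML token: match on the assertion's subject certificate or subject public key.
        SamlAssertionWrapper assertionWrapper =
            (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        SAMLKeyInfo samlKeyInfo =
            assertionWrapper == null ? null : assertionWrapper.getSubjectKeyInfo();
        if (samlKeyInfo != null) {
          X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
          PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
          // Only the first subject certificate is compared; guard against an empty array.
          boolean certMatches =
              cert != null
                  && subjectCerts != null
                  && subjectCerts.length > 0
                  && cert.equals(subjectCerts[0]);
          boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
          if (certMatches || keyMatches) {
            return i;
          }
        }
      } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
        // Any other token type: match on the raw public key.
        return i;
      }
    }
    return -1;
  }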
 /**
  * Checks that the issuer of an attribute certificate is one of the directly trusted AC issuers
  * configured in {@code pkixParams}.
  *
  * <p>An anchor matches either by its CA name (compared with the issuer certificate's RFC 2253
  * subject name) or by holding the issuer certificate itself. Note that a name-only anchor is
  * matched on the subject name alone; the anchor's public key is not compared here.
  *
  * @param acIssuerCert the certificate of the attribute certificate issuer
  * @param pkixParams parameters holding the trusted AC issuers
  * @throws CertPathValidatorException if no trusted AC issuer matches
  */
 protected static void processAttrCert4(
     X509Certificate acIssuerCert, ExtendedPKIXParameters pkixParams)
     throws CertPathValidatorException {
   String issuerName = acIssuerCert.getSubjectX500Principal().getName("RFC2253");
   boolean trusted = false;
   for (Object candidate : pkixParams.getTrustedACIssuers()) {
     TrustAnchor anchor = (TrustAnchor) candidate;
     if (issuerName.equals(anchor.getCAName()) || acIssuerCert.equals(anchor.getTrustedCert())) {
       trusted = true;
     }
   }
   if (!trusted) {
     throw new CertPathValidatorException("Attribute certificate issuer is not directly trusted.");
   }
 }
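 /**
  * Reports whether {@code cert} has been stored as an accepted certificate for {@code hostname}.
  *
  * <p>Accepted certificates live in the keystore under aliases of the form
  * {@code "<lower-cased hostname>:..."}; every alias with that prefix is compared with the given
  * certificate.
  *
  * @param hostname the host name the certificate was presented for
  * @param cert the certificate to look up
  * @return {@code true} if an accepted certificate for the host equals {@code cert};
  *     {@code false} otherwise, including when the keystore cannot be read
  */
 public synchronized boolean isCertificateAcceptedForHostname(
     String hostname, X509Certificate cert) {
   // Lower-case with a fixed locale so the prefix does not depend on the JVM default locale
   // (e.g. the Turkish dotless i). NOTE(review): the code that stores these aliases must
   // lower-case the same way — confirm against the writer.
   String prefix = hostname.toLowerCase(java.util.Locale.ROOT) + ":";
   try {
     for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
       String alias = aliases.nextElement();
       if (!alias.startsWith(prefix)) {
         continue;
       }
       X509Certificate stored = (X509Certificate) keyStore.getCertificate(alias);
       if (stored != null && stored.equals(cert)) {
         return true;
       }
     }
   } catch (KeyStoreException x) {
     // Unreadable keystore: fail closed (not accepted) but leave a trace.
     ZimbraLog.security.warn(x);
   }
   return false;
 }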
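  /**
   * With auto-renewal switched off, an expired stored credential must make
   * {@code getIdPCertificate()} fail with {@code DorianInternalFault} instead of issuing a new one.
   */
  public void testAutoCredentialCreationNoRenewal() {

    AssertionCredentialsManager cm = null;
    try {
      IdentityProviderProperties props = Utils.getIdentityProviderProperties();
      props.setAutoRenewAssertingCredentials(false);
      cm = new AssertionCredentialsManager(props, ca, db);
      X509Certificate cert = cm.getIdPCertificate();
      assertNotNull(cert);
      assertNotNull(cm.getIdPKey());
      String expectedSub = Utils.CA_SUBJECT_PREFIX + ",CN=" + AssertionCredentialsManager.CERT_DN;
      assertEquals(expectedSub, cert.getSubjectDN().toString());

      // Replace the auto-created credential with one that expires in two seconds.
      String subject = cert.getSubjectDN().toString();
      KeyPair pair = KeyUtil.generateRSAKeyPair1024();
      GregorianCalendar cal = new GregorianCalendar();
      Date start = cal.getTime();
      cal.add(Calendar.SECOND, 2);
      Date end = cal.getTime();
      cm.deleteAssertingCredentials();
      X509Certificate shortCert = ca.signCertificate(subject, pair.getPublic(), start, end);
      cm.storeCredentials(shortCert, pair.getPrivate());
      assertTrue(!cert.equals(shortCert));

      // Let the short-lived certificate expire before asking for it again.
      Thread.sleep(2500);
      assertTrue(CertUtil.isExpired(shortCert));

      try {
        cm.getIdPCertificate();
        assertTrue(false);
      } catch (DorianInternalFault expected) {
        // expected: renewal is disabled, so an expired credential is reported as an error
      }

    } catch (Exception e) {
      FaultUtil.printFault(e);
      assertTrue(false);
    } finally {
      // cm stays null if construction failed; skip cleanup rather than NPE inside finally.
      if (cm != null) {
        try {
          cm.clearDatabase();
        } catch (Exception e) {
          e.printStackTrace();
        }
      }
    }
  }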
  /**
   * Liefert alle Schluessel, die von diesem signiert wurden.
   *
   * @return Liste aller Schluessel, die von diesem signiert wurden. Die Funktion liefert nie NULL
   *     sondern hoechstens eine leere Liste.
   * @throws Exception
   */
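  public List<Entry> getClients() throws Exception {
    // Computed once and cached; never null, at most an empty list.
    if (this.clients != null) return this.clients;

    this.clients = new ArrayList<Entry>();

    // Only a CA certificate can have signed other keys.
    if (CHECK_CA && !this.isCA()) return this.clients;

    X509Certificate x = this.getCertificate();

    byte[] sig = x.getPublicKey().getEncoded();
    X500Principal self = x.getSubjectX500Principal();

    // We are a CA certificate; collect every stored certificate that names us as its issuer.
    List<Entry> all = this.store.getEntries();
    for (Entry e : all) {
      X509Certificate c = e.getCertificate();

      // Skip ourselves.
      if (c.equals(x)) continue;

      // Read the authority key identifier of the candidate c (not of our own certificate) to
      // see whether it names our key.
      byte[] issuerSig = c.getExtensionValue(Extension.authorityKeyIdentifier.getId());
      if (issuerSig != null && issuerSig.length > 0) {
        // NOTE(review): getExtensionValue() yields the DER-encoded extension value, while sig is
        // our SubjectPublicKeyInfo encoding, so this byte comparison is not expected to match in
        // practice; the issuer-DN check below is what actually identifies our clients.
        if (Arrays.equals(issuerSig, sig)) {
          this.clients.add(e);
          continue;
        }
      }

      // Fall back to the issuer DN: accept if it equals our subject DN.
      X500Principal p = c.getIssuerX500Principal();
      if (p != null && p.equals(self)) {
        this.clients.add(e);
        continue;
      }
    }

    Collections.sort(this.clients);
    return this.clients;
  }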
  /*
   * Initializes the signerInfo and the VerifierInfo from the Certificate Pair
   */
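  private void initializeCertificates() {
    // Prefer the certificate pair found during verification; otherwise fall back to the first
    // configured root pair. Nothing to describe if neither exists.
    CertificatePair trustedCertificate = getFoundCertificate();
    if (trustedCertificate == null) {
      CertificatePair[] certs = getRootCertificates();
      if (certs.length == 0) return;
      trustedCertificate = certs[0];
    }
    X509Certificate certRoot = (X509Certificate) trustedCertificate.getRoot();
    X509Certificate certIssuer = (X509Certificate) trustedCertificate.getIssuer();

    // Signer block: the issuer certificate's subject, its validity window and validity status.
    // certIssuer is dereferenced unconditionally here, so no later null check is meaningful.
    StringBuilder strb = new StringBuilder();
    strb.append(issuerString(certIssuer.getSubjectDN()));
    strb.append("\r\n"); // $NON-NLS-1$
    strb.append(
        NLS.bind(
            Messages.JarVerificationResult_ValidBetween,
            new String[] {
              dateString(certIssuer.getNotBefore()), dateString(certIssuer.getNotAfter())
            }));
    strb.append(checkValidity(certIssuer));
    signerInfo = strb.toString();

    // Verifier block: only when the chain has a root distinct from the issuer certificate.
    if (!certIssuer.equals(certRoot)) {
      strb = new StringBuilder();
      strb.append(issuerString(certIssuer.getIssuerDN()));
      strb.append("\r\n"); // $NON-NLS-1$
      strb.append(
          NLS.bind(
              Messages.JarVerificationResult_ValidBetween,
              new String[] {
                dateString(certRoot.getNotBefore()), dateString(certRoot.getNotAfter())
              }));
      strb.append(checkValidity(certRoot));
      verifierInfo = strb.toString();
    }
  }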
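  /**
   * After the stored short-lived credential expires, {@code getIdPCertificate()} must return a
   * new, unexpired certificate with a new key, and assertions issued with it must verify.
   */
  public void testAutoCredentialCreationRenew() {
    AssertionCredentialsManager cm = null;
    try {
      cm = Utils.getAssertionCredentialsManager();
      X509Certificate cert = cm.getIdPCertificate();
      assertNotNull(cert);
      assertNotNull(cm.getIdPKey());
      String expectedSub = Utils.CA_SUBJECT_PREFIX + ",CN=" + AssertionCredentialsManager.CERT_DN;
      assertEquals(expectedSub, cert.getSubjectDN().toString());

      // Replace the auto-created credential with one that expires in six seconds.
      String subject = cert.getSubjectDN().toString();
      KeyPair pair = KeyUtil.generateRSAKeyPair1024();
      GregorianCalendar cal = new GregorianCalendar();
      Date start = cal.getTime();
      cal.add(Calendar.SECOND, 6);
      Date end = cal.getTime();
      cm.deleteAssertingCredentials();
      X509Certificate shortCert = ca.signCertificate(subject, pair.getPublic(), start, end);

      cm.storeCredentials(shortCert, pair.getPrivate());

      X509Certificate idpShortCert = cm.getIdPCertificate();

      assertEquals(shortCert, idpShortCert);
      assertTrue(!cert.equals(idpShortCert));

      // Let it expire, then expect a renewed certificate and key that differ from the old ones.
      Thread.sleep(6500);
      assertTrue(CertUtil.isExpired(idpShortCert));
      X509Certificate renewedCert = cm.getIdPCertificate();
      assertNotNull(renewedCert);

      PrivateKey renewedKey = cm.getIdPKey();
      assertNotNull(renewedKey);

      assertTrue(!CertUtil.isExpired(renewedCert));
      assertTrue(!renewedCert.equals(idpShortCert));
      assertTrue(!renewedKey.equals(pair.getPrivate()));

      // The renewed credential must produce assertions that verify, also after a round trip
      // through the XML representation.
      SAMLAssertion saml =
          cm.getAuthenticationAssertion(TEST_UID, TEST_FIRST_NAME, TEST_LAST_NAME, TEST_EMAIL);
      verifySAMLAssertion(saml, cm);
      String xml = SAMLUtils.samlAssertionToString(saml);
      SAMLAssertion saml2 = SAMLUtils.stringToSAMLAssertion(xml);
      verifySAMLAssertion(saml2, cm);

    } catch (Exception e) {
      FaultUtil.printFault(e);
      assertTrue(false);
    } finally {
      // cm stays null if the manager could not be obtained; skip cleanup rather than NPE.
      if (cm != null) {
        try {
          cm.clearDatabase();
        } catch (Exception e) {
          e.printStackTrace();
        }
      }
    }
  }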
  /**
   * Verifies a matching certificate.
   *
   * <p>This method executes any of the validation steps in the PKIX path validation algorithm which
   * were not satisfied via filtering out non-compliant certificates with certificate matching
   * rules.
   *
   * <p>If the last certificate is being verified (the one whose subject matches the target
   * subject), then the steps in Section 6.1.4 of the Certification Path Validation algorithm are
   * NOT executed, regardless of whether or not the last cert is an end-entity cert. This allows
   * callers to certify CA certs as well as EE certs.
   *
   * @param cert the certificate to be verified
   * @param currState the current state against which the cert is verified
   * @param certPathList the certPathList generated thus far
   */
  void verifyCert(X509Certificate cert, State currState, List certPathList)
      throws GeneralSecurityException {
    if (debug != null)
      debug.println(
          "ReverseBuilder.verifyCert(SN: "
              + Debug.toHexString(cert.getSerialNumber())
              + "\n  Subject: "
              + cert.getSubjectX500Principal()
              + ")");

    // The builder threads a ReverseState through; any other State implementation fails here
    // with a ClassCastException.
    ReverseState currentState = (ReverseState) currState;

    /* we don't perform any validation of the trusted cert */
    if (currentState.isInitial()) {
      return;
    }

    /*
     * check for looping - abort a loop if
     * ((we encounter the same certificate twice) AND
     * ((policyMappingInhibited = true) OR (no policy mapping
     * extensions can be found between the occurences of the same
     * certificate)))
     * in order to facilitate the check to see if there are
     * any policy mapping extensions found between the occurences
     * of the same certificate, we reverse the certpathlist first
     */
    if ((certPathList != null) && (!certPathList.isEmpty())) {
      // Build a reversed copy of certPathList by prepending each element.
      List reverseCertList = new ArrayList();
      Iterator iter = certPathList.iterator();
      while (iter.hasNext()) {
        reverseCertList.add(0, iter.next());
      }

      // policyMappingFound becomes true once any cert seen so far in the reversed list carries a
      // policy-mappings extension; a repeat of 'cert' is tolerated only if mappings were found
      // and policy mapping is not inhibited.
      Iterator cpListIter = reverseCertList.iterator();
      boolean policyMappingFound = false;
      while (cpListIter.hasNext()) {
        X509Certificate cpListCert = (X509Certificate) cpListIter.next();
        X509CertImpl cpListCertImpl = X509CertImpl.toImpl(cpListCert);
        PolicyMappingsExtension policyMappingsExt = cpListCertImpl.getPolicyMappingsExtension();
        if (policyMappingsExt != null) {
          policyMappingFound = true;
        }
        if (debug != null) debug.println("policyMappingFound = " + policyMappingFound);
        if (cert.equals(cpListCert)) {
          if ((buildParams.isPolicyMappingInhibited()) || (!policyMappingFound)) {
            if (debug != null) debug.println("loop detected!!");
            throw new CertPathValidatorException("loop detected");
          }
        }
      }
    }

    /* check if target cert - the target is identified by its subject name only */
    boolean finalCert = cert.getSubjectX500Principal().equals(targetSubjectDN);

    /* check if CA cert - getBasicConstraints() returns -1 for a non-CA certificate */
    boolean caCert = (cert.getBasicConstraints() != -1 ? true : false);

    /* if there are more certs to follow, verify certain constraints */
    if (!finalCert) {

      /* check if CA cert */
      if (!caCert) throw new CertPathValidatorException("cert is NOT a CA cert");

      /* If the certificate was not self-issued, verify that
       * remainingCerts is greater than zero
       */
      if ((currentState.remainingCACerts <= 0) && !X509CertImpl.isSelfIssued(cert)) {
        throw new CertPathValidatorException("pathLenConstraint violated, path too long");
      }

      /*
       * Check keyUsage extension (only if CA cert and not final cert)
       */
      KeyChecker.verifyCAKeyUsage(cert);

    } else {

      /*
       * If final cert, check that it satisfies specified target
       * constraints
       */
      if (targetCertSelector.match(cert) == false) {
        throw new CertPathValidatorException("target certificate " + "constraints check failed");
      }
    }

    /*
     * Check revocation.
     */
    if (buildParams.isRevocationEnabled()) {

      // crlSign reports whether this cert may sign the CRL for the next cert in the chain.
      boolean crlSign = currentState.crlChecker.check(cert, currentState.pubKey, true);

      // if this cert can't vouch for the CRL on the next cert, and
      // if this wasn't the last cert in the chain, then we can't
      // keep going from here!
      // NOTE: if we ever add indirect/idp support, this will have
      // to change...
      if ((!crlSign) && (!finalCert))
        throw new CertPathValidatorException("cert can't vouch for crl");
    }

    /* Check name constraints if this is not a self-issued cert.
     * Self-issued intermediate certs are exempt; the final cert is always checked. */
    if (finalCert || !X509CertImpl.isSelfIssued(cert)) {
      if (currentState.nc != null) {
        try {
          if (!currentState.nc.verify(cert)) {
            throw new CertPathValidatorException("name constraints check failed");
          }
        } catch (IOException ioe) {
          throw new CertPathValidatorException(ioe);
        }
      }
    }

    /*
     * Check policy - the policy tree in currentState.rootNode is advanced by this cert.
     */
    X509CertImpl certImpl = X509CertImpl.toImpl(cert);
    currentState.rootNode =
        PolicyChecker.processPolicies(
            currentState.certIndex,
            initPolicies,
            currentState.explicitPolicy,
            currentState.policyMapping,
            currentState.inhibitAnyPolicy,
            buildParams.getPolicyQualifiersRejected(),
            currentState.rootNode,
            certImpl,
            finalCert);

    /*
     * Check CRITICAL private extensions
     */
    // getCriticalExtensionOIDs() returns null when the cert has no critical extensions. The
    // immutable EMPTY_SET substitute is safe because the remove() calls below are only reached
    // when the set is non-empty.
    Set unresolvedCritExts = cert.getCriticalExtensionOIDs();
    if (unresolvedCritExts == null) {
      unresolvedCritExts = Collections.EMPTY_SET;
    }
    // Each user-supplied checker is handed the same set and is expected to remove the OIDs of
    // the critical extensions it handles (PKIXCertPathChecker.check contract).
    Iterator i = currentState.userCheckers.iterator();
    while (i.hasNext()) {
      PKIXCertPathChecker checker = (PKIXCertPathChecker) i.next();
      checker.check(cert, unresolvedCritExts);
    }
    /*
     * Look at the remaining extensions and remove any ones we have
     * already checked. If there are any left, throw an exception!
     */
    if (!unresolvedCritExts.isEmpty()) {
      unresolvedCritExts.remove(PKIXExtensions.BasicConstraints_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.NameConstraints_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.CertificatePolicies_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.PolicyMappings_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.PolicyConstraints_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.InhibitAnyPolicy_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.SubjectAlternativeName_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.KeyUsage_Id.toString());
      unresolvedCritExts.remove(PKIXExtensions.ExtendedKeyUsage_Id.toString());

      if (!unresolvedCritExts.isEmpty())
        throw new CertificateException("Unrecognized critical extension(s)");
    }

    /*
     * Check signature - done last, with the issuer public key carried in currentState.pubKey;
     * all checks above therefore ran on a certificate whose signature was not yet confirmed,
     * which is acceptable only because every failure above rejects the path anyway.
     */
    if (buildParams.getSigProvider() != null) {
      cert.verify(currentState.pubKey, buildParams.getSigProvider());
    } else {
      cert.verify(currentState.pubKey);
    }
  }
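  /**
   * Compares every attribute set on the change entry against the CA as currently stored by the
   * CA manager, failing the command on the first mismatch.
   *
   * @return always {@code null}; the outcome is reported via {@code out(...)} or an exception
   * @throws UnexpectedException if no CA of that name exists or it is not an X.509 CA
   * @throws CmdFailure if an attribute of the stored CA differs from the expected value
   */
  @Override
  protected Object _doExecute() throws Exception {
    X509ChangeCAEntry ey = getChangeCAEntry();
    String caName = ey.getName();
    out("checking CA" + caName);

    CAEntry entry = caManager.getCA(caName);
    if (entry == null) {
      throw new UnexpectedException("could not find CA '" + caName + "'");
    }

    if (!(entry instanceof X509CAEntry)) {
      throw new UnexpectedException("CA '" + caName + "' is not an X509-CA");
    }

    X509CAEntry ca = (X509CAEntry) entry;

    // Only attributes present on the change entry are checked; null means "not part of the
    // change". The order below is the order in which mismatches are reported.

    // CA cert uris
    if (ey.getCaCertUris() != null) {
      MgmtQAShellUtil.assertEquals("CA cert uris", ey.getCaCertUris(), ca.getCacertUris());
    }

    // CA certificate
    if (ey.getCert() != null && !ey.getCert().equals(ca.getCertificate())) {
      throw new CmdFailure("CA cert is not as expected");
    }

    // CMP control name
    if (ey.getCmpControlName() != null) {
      MgmtQAShellUtil.assertEquals(
          "CMP control name", ey.getCmpControlName(), ca.getCmpControlName());
    }

    // CRL signer name
    if (ey.getCrlSignerName() != null) {
      MgmtQAShellUtil.assertEquals("CRL signer name", ey.getCrlSignerName(), ca.getCrlSignerName());
    }

    // CRL uris
    if (ey.getCrlUris() != null) {
      MgmtQAShellUtil.assertEquals("CRL uris", ey.getCrlUris(), ca.getCrlUris());
    }

    // DeltaCRL uris
    if (ey.getDeltaCrlUris() != null) {
      MgmtQAShellUtil.assertEquals("Delta CRL uris", ey.getDeltaCrlUris(), ca.getDeltaCrlUris());
    }

    // Modes, periods and validity are plain value objects compared with equals().
    checkAttribute("Duplicate key mode", ey.getDuplicateKeyMode(), ca.getDuplicateKeyMode());
    checkAttribute(
        "Duplicate subject mode", ey.getDuplicateSubjectMode(), ca.getDuplicateSubjectMode());
    checkAttribute("Expiration period", ey.getExpirationPeriod(), ca.getExpirationPeriod());
    checkAttribute("Extra control", ey.getExtraControl(), ca.getExtraControl());
    checkAttribute("Max validity", ey.getMaxValidity(), ca.getMaxValidity());
    checkAttribute("num CRLs", ey.getNumCrls(), ca.getNumCrls());

    // OCSP uris
    if (ey.getOcspUris() != null) {
      MgmtQAShellUtil.assertEquals("OCSP uris", ey.getOcspUris(), ca.getOcspUris());
    }

    // Permissions
    if (ey.getPermissions() != null) {
      MgmtQAShellUtil.assertEquals("permissions", ey.getPermissions(), ca.getPermissions());
    }

    // Responder name
    if (ey.getResponderName() != null) {
      MgmtQAShellUtil.assertEquals("responder name", ey.getResponderName(), ca.getResponderName());
    }

    // Signer Type
    if (ey.getSignerType() != null) {
      MgmtQAShellUtil.assertEquals("signer type", ey.getSignerType(), ca.getSignerType());
    }

    // Signer conf: the "keystore" pair is excluded from the comparison on both sides.
    if (ey.getSignerConf() != null) {
      CmpUtf8Pairs ex = new CmpUtf8Pairs(ey.getSignerConf());
      ex.removeUtf8Pair("keystore");
      CmpUtf8Pairs is = new CmpUtf8Pairs(ca.getSignerConf());
      is.removeUtf8Pair("keystore");
      checkAttribute("signer conf", ex, is);
    }

    checkAttribute("status", ey.getStatus(), ca.getStatus());
    checkAttribute("validity mode", ey.getValidityMode(), ca.getValidityMode());

    out(" checked CA" + caName);
    return null;
  }

  /**
   * Fails the command when {@code expected} is set and differs from {@code actual}.
   *
   * @param label attribute name used as the message prefix
   * @param expected value from the change entry; {@code null} means the attribute is not checked
   * @param actual value currently stored for the CA
   * @throws CmdFailure if the two values are not equal
   */
  private static void checkAttribute(String label, Object expected, Object actual)
      throws CmdFailure {
    if (expected != null && !expected.equals(actual)) {
      throw new CmdFailure(label + ": is '" + actual + "', but expected '" + expected + "'");
    }
  }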