summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2016-03-03 14:36:52 -0500
committerEndi S. Dewata <edewata@redhat.com>2016-04-05 22:45:43 +0200
commit72a71cf51e1486532e8dc4f646c51eda0479734d (patch)
treed54867e9412d2378827eb3cc5ee1e453f10722db
parentdcf005b9d03e53d19a8829b3e616ed304490b66d (diff)
downloadpki-72a71cf51e1486532e8dc4f646c51eda0479734d.tar.gz
pki-72a71cf51e1486532e8dc4f646c51eda0479734d.tar.xz
pki-72a71cf51e1486532e8dc4f646c51eda0479734d.zip
Fix pkcs12 export
The utility for exporting certs and keys to a PKCS12 file did not handle the signing certificate correctly. This is because the signing certificate was imported multiple times during the export process - either with its key (and key id set) or as part of the cert chain for the other system certs (with no key set). Each import would override the previous import - so whether or not the key_id was set would depend on the order in which the certificates were imported. This becomes an issue for import into a clone certdb, because in the new mechanism, we rely on the cert attributes (ie. key_id) to determine if a key is to be imported or not. We fix this by specifying whether the entry in the export should be overwritten or not.
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12.java8
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java10
2 files changed, 11 insertions, 7 deletions
diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
index 19e9fd039..4f2f1600b 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
@@ -166,8 +166,12 @@ public class PKCS12 {
return certInfosByNickname.values();
}
- public void addCertInfo(PKCS12CertInfo certInfo) {
- certInfosByNickname.put(certInfo.nickname, certInfo);
+ public void addCertInfo(PKCS12CertInfo certInfo, boolean replace) {
+ String nickname = certInfo.nickname;
+ if (!replace && certInfosByNickname.containsKey(nickname))
+ return;
+
+ certInfosByNickname.put(nickname, certInfo);
}
public PKCS12CertInfo getCertInfoByNickname(String nickname) {
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index b2c8f8667..35b9ed598 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -254,7 +254,7 @@ public class PKCS12Util {
loadCertChainFromNSS(pkcs12, cert);
}
- public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger keyID) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger keyID, boolean replace) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading certificate \"" + nickname + "\" from NSS database");
@@ -264,7 +264,7 @@ public class PKCS12Util {
certInfo.nickname = nickname;
certInfo.cert = new X509CertImpl(cert.getEncoded());
certInfo.trustFlags = getTrustFlags(cert);
- pkcs12.addCertInfo(certInfo);
+ pkcs12.addCertInfo(certInfo, replace);
}
public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger keyID) throws Exception {
@@ -300,14 +300,14 @@ public class PKCS12Util {
BigInteger keyID = createLocalKeyID(cert);
// load cert with key
- loadCertFromNSS(pkcs12, cert, keyID);
+ loadCertFromNSS(pkcs12, cert, keyID, true);
loadCertKeyFromNSS(pkcs12, cert, keyID);
// load parent certs without key
X509Certificate[] certChain = cm.buildCertificateChain(cert);
for (int i = 1; i < certChain.length; i++) {
X509Certificate c = certChain[i];
- loadCertFromNSS(pkcs12, c, null);
+ loadCertFromNSS(pkcs12, c, null, false);
}
}
@@ -488,7 +488,7 @@ public class PKCS12Util {
if (!oid.equals(SafeBag.CERT_BAG)) continue;
PKCS12CertInfo certInfo = getCertInfo(bag);
- pkcs12.addCertInfo(certInfo);
+ pkcs12.addCertInfo(certInfo, true);
}
}
}