Updated PKCS12Util.

The PKCSUtil has been updated to match the functionality provided
by JSS.

In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then remove the leaf certificate while keeping
the chain.

The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.

The pki pkcs12-export has been modified to always overwrite
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.

https://fedorahosted.org/pki/ticket/1742

4 files changed, 59 insertions, 46 deletions

diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index 6c9d8032e..ce7b3dd79 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -63,10 +63,8 @@ public class PKCS12CertAddCLI extends CLI {
         option.setArgName("path");
         options.addOption(option);
 
+        options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
         options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
-        options.addOption(null, "no-cert", false, "Do not include certificate itself");
-        options.addOption(null, "no-key", false, "Do not include certificate key");
-        options.addOption(null, "no-chain", false, "Do not include certificate chain");
 
         options.addOption("v", "verbose", false, "Run in verbose mode.");
         options.addOption(null, "debug", false, "Run in debug mode.");
@@ -139,10 +137,8 @@ public class PKCS12CertAddCLI extends CLI {
 
         Password password = new Password(passwordString.toCharArray());
 
+        boolean newFile = cmd.hasOption("new-file");
         boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
-        boolean includeCert = !cmd.hasOption("no-cert");
-        boolean includeKey = !cmd.hasOption("no-key");
-        boolean includeChain = !cmd.hasOption("no-chain");
 
         try {
             PKCS12Util util = new PKCS12Util();
@@ -150,13 +146,16 @@ public class PKCS12CertAddCLI extends CLI {
 
             PKCS12 pkcs12;
 
-            if (new File(filename).exists()) {
-                pkcs12 = util.loadFromFile(filename, password);
-            } else {
+            if (newFile || !new File(filename).exists()) {
+                // if new file requested or file does not exist, create a new file
                 pkcs12 = new PKCS12();
+
+            } else {
+                // otherwise, add into the same file
+                pkcs12 = util.loadFromFile(filename, password);
             }
 
-            util.loadFromNSS(pkcs12, nickname, includeCert, includeKey, includeChain);
+            util.loadCertFromNSS(pkcs12, nickname);
             util.storeIntoFile(pkcs12, filename, password);
 
         } finally {
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index a5c9e2823..f17251284 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -18,7 +18,6 @@
 package com.netscape.cmstools.pkcs12;
 
 import java.io.BufferedReader;
-import java.io.File;
 import java.io.FileReader;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -45,7 +44,7 @@ public class PKCS12ExportCLI extends CLI {
     }
 
     public void printHelp() {
-        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+        formatter.printHelp(getFullName() + " [OPTIONS...] [nicknames...]", options);
     }
 
     public void createOptions() {
@@ -96,6 +95,7 @@ public class PKCS12ExportCLI extends CLI {
             Logger.getLogger("netscape").setLevel(Level.FINE);
         }
 
+        String[] nicknames = cmd.getArgs();
         String filename = cmd.getOptionValue("pkcs12");
 
         if (filename == null) {
@@ -130,15 +130,20 @@ public class PKCS12ExportCLI extends CLI {
             PKCS12Util util = new PKCS12Util();
             util.setTrustFlagsEnabled(trustFlagsEnabled);
 
-            PKCS12 pkcs12;
+            // overwrite existing file
+            PKCS12 pkcs12 = new PKCS12();
+
+            if (nicknames.length == 0) {
+                // load all certificates
+                util.loadFromNSS(pkcs12);
 
-            if (new File(filename).exists()) {
-                pkcs12 = util.loadFromFile(filename, password);
             } else {
-                pkcs12 = new PKCS12();
+                // load specified certificates
+                for (String nickname : nicknames) {
+                    util.loadCertFromNSS(pkcs12, nickname);
+                }
             }
 
-            util.loadFromNSS(pkcs12);
             util.storeIntoFile(pkcs12, filename, password);
 
         } finally {
diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
index da4023f12..19e9fd039 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
@@ -175,6 +175,12 @@ public class PKCS12 {
     }
 
     public PKCS12CertInfo removeCertInfoByNickname(String nickname) {
-        return certInfosByNickname.remove(nickname);
+        // remove cert
+        PKCS12CertInfo certInfo = certInfosByNickname.remove(nickname);
+        if (certInfo == null) return null;
+
+        // remove private key
+        keyInfosByID.remove(certInfo.getKeyID());
+        return certInfo;
     }
 }
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 8d189a9d7..665998e2f 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -240,34 +240,23 @@ public class PKCS12Util {
         CryptoToken token = cm.getInternalKeyStorageToken();
         CryptoStore store = token.getCryptoStore();
 
-        // load all certs
         for (X509Certificate cert : store.getCertificates()) {
-            loadCertFromNSS(pkcs12, cert, true); // load cert with private key
+            loadCertChainFromNSS(pkcs12, cert);
         }
     }
 
-    public void loadFromNSS(PKCS12 pkcs12, String nickname, boolean includeCert, boolean includeKey, boolean includeChain) throws Exception {
+    public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception {
 
         CryptoManager cm = CryptoManager.getInstance();
-
         X509Certificate cert = cm.findCertByNickname(nickname);
-
-        if (includeCert) {
-            loadCertFromNSS(pkcs12, cert, includeKey);
-        }
-
-        if (includeChain) {
-            loadCertChainFromNSS(pkcs12, cert);
-        }
+        loadCertChainFromNSS(pkcs12, cert);
     }
 
-    public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey) throws Exception {
+    public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
 
         String nickname = cert.getNickname();
         logger.info("Loading certificate \"" + nickname + "\" from NSS database");
 
-        CryptoManager cm = CryptoManager.getInstance();
-
         BigInteger keyID = createLocalKeyID(cert);
 
         PKCS12CertInfo certInfo = new PKCS12CertInfo();
@@ -276,17 +265,23 @@ public class PKCS12Util {
         certInfo.cert = new X509CertImpl(cert.getEncoded());
         certInfo.trustFlags = getTrustFlags(cert);
         pkcs12.addCertInfo(certInfo);
+    }
 
-        if (!includeKey) return;
+    public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
 
+        String nickname = cert.getNickname();
         logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database");
 
+        CryptoManager cm = CryptoManager.getInstance();
+
         try {
             PrivateKey privateKey = cm.findPrivKeyByCert(cert);
             logger.fine("Certificate \"" + nickname + "\" has private key");
 
+            PKCS12CertInfo certInfo = pkcs12.getCertInfoByNickname(nickname);
+
             PKCS12KeyInfo keyInfo = new PKCS12KeyInfo();
-            keyInfo.id = keyID;
+            keyInfo.id = certInfo.getKeyID();
             keyInfo.subjectDN = cert.getSubjectDN().toString();
 
             byte[] privateData = getEncodedKey(privateKey);
@@ -302,15 +297,17 @@ public class PKCS12Util {
 
     public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
 
-        logger.info("Loading certificate chain for \"" + cert.getNickname() + "\"");
-
         CryptoManager cm = CryptoManager.getInstance();
-        X509Certificate[] certChain = cm.buildCertificateChain(cert);
 
-        // load parent certificates only
+        // load cert with key
+        loadCertFromNSS(pkcs12, cert);
+        loadCertKeyFromNSS(pkcs12, cert);
+
+        // load parent certs without key
+        X509Certificate[] certChain = cm.buildCertificateChain(cert);
         for (int i = 1; i < certChain.length; i++) {
             X509Certificate c = certChain[i];
-            loadCertFromNSS(pkcs12, c, false); // do not include private key
+            loadCertFromNSS(pkcs12, c);
         }
     }
 
@@ -601,14 +598,20 @@ public class PKCS12Util {
         }
     }
 
-    public void importCert(PKCS12CertInfo certInfo) throws Exception {
-
-        logger.fine("Importing certificate " + certInfo.nickname);
+    public void importCert(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception {
 
         CryptoManager cm = CryptoManager.getInstance();
 
-        X509Certificate cert = cm.importUserCACertPackage(
-                certInfo.cert.getEncoded(), certInfo.nickname);
+        X509Certificate cert;
+
+        if (pkcs12.getKeyInfoByID(certInfo.getKeyID()) != null) { // cert has key
+            logger.fine("Importing user CA certificate " + certInfo.nickname);
+            cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname);
+
+        } else { // cert has no key
+            logger.fine("Importing CA certificate " + certInfo.nickname);
+            cert = cm.importCACertPackage(certInfo.cert.getEncoded());
+        }
 
         if (certInfo.trustFlags != null && trustFlagsEnabled)
             setTrustFlags(cert, certInfo.trustFlags);
@@ -617,7 +620,7 @@ public class PKCS12Util {
     public void importCerts(PKCS12 pkcs12) throws Exception {
 
         for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) {
-            importCert(certInfo);
+            importCert(pkcs12, certInfo);
         }
     }