Additional clean-ups for PKCS #12 utilities.

The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.

A default pki_server_external_certs_path has been added to
default.cfg.

The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.

The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.

https://fedorahosted.org/pki/ticket/1742

7 files changed, 38 insertions, 24 deletions

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 9bb917fa1..e6aa0a6c2 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -549,8 +549,10 @@ class NSSDatabase(object):
         finally:
             shutil.rmtree(tmpdir)
 
-    def export_pkcs12(self, pkcs12_file, nicknames=None, pkcs12_password=None,
-                      pkcs12_password_file=None):
+    def export_pkcs12(self, pkcs12_file,
+                      pkcs12_password=None,
+                      pkcs12_password_file=None,
+                      nicknames=None):
 
         tmpdir = tempfile.mkdtemp()
 
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index c3c5ef489..48e4907cf 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -151,7 +151,7 @@ public class PKCS12CertAddCLI extends CLI {
                 pkcs12 = new PKCS12();
 
             } else {
-                // otherwise, add into the same file
+                // otherwise, add into the existing file
                 pkcs12 = util.loadFromFile(filename, password);
             }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index 52a993125..d42c449b4 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -18,6 +18,7 @@
 package com.netscape.cmstools.pkcs12;
 
 import java.io.BufferedReader;
+import java.io.File;
 import java.io.FileReader;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -60,6 +61,7 @@ public class PKCS12ExportCLI extends CLI {
         option.setArgName("path");
         options.addOption(option);
 
+        options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
         options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
 
         options.addOption("v", "verbose", false, "Run in verbose mode.");
@@ -124,14 +126,23 @@ public class PKCS12ExportCLI extends CLI {
 
         Password password = new Password(passwordString.toCharArray());
 
+        boolean newFile = cmd.hasOption("new-file");
         boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags");
 
         try {
             PKCS12Util util = new PKCS12Util();
             util.setTrustFlagsEnabled(trustFlagsEnabled);
 
-            // overwrite existing file
-            PKCS12 pkcs12 = new PKCS12();
+            PKCS12 pkcs12;
+
+            if (newFile || !new File(filename).exists()) {
+                // if new file requested or file does not exist, create a new file
+                pkcs12 = new PKCS12();
+
+            } else {
+                // otherwise, export into the existing file
+                pkcs12 = util.loadFromFile(filename, password);
+            }
 
             if (nicknames.length == 0) {
                 // load all certificates
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index c503e6345..3e4b38f54 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -109,8 +109,6 @@ pki_security_domain_https_port=8443
 pki_security_domain_name=%(pki_dns_domainname)s Security Domain
 pki_security_domain_password=
 pki_security_domain_user=caadmin
-pki_server_pkcs12_path=
-pki_server_pkcs12_password=
 #for supporting server cert SAN injection
 pki_san_inject=False
 pki_san_for_server_cert=
@@ -190,6 +188,9 @@ pki_subsystem_registry_link=%(pki_subsystem_path)s/registry
 ###############################################################################
 [Tomcat]
 pki_ajp_port=8009
+pki_server_pkcs12_path=
+pki_server_pkcs12_password=
+pki_server_external_certs_path=
 pki_clone=False
 pki_clone_pkcs12_password=
 pki_clone_pkcs12_path=
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 3119629e1..212a411cd 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -67,10 +67,10 @@ class InstanceCertExportCLI(pki.cli.CLI):
 
     def __init__(self):
         super(InstanceCertExportCLI, self).__init__(
-            'export', 'Export subsystem certificate')
+            'export', 'Export system certificates')
 
     def print_help(self):  # flake8: noqa
-        print('Usage: pki-server instance-cert-export [OPTIONS]')
+        print('Usage: pki-server instance-cert-export [OPTIONS] [nicknames...]')
         print()
         print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
         print('      --pkcs12-file <path>           Output file to store the exported certificate and key in PKCS #12 format.')
@@ -83,7 +83,7 @@ class InstanceCertExportCLI(pki.cli.CLI):
     def execute(self, argv):
 
         try:
-            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+            opts, args = getopt.gnu_getopt(argv, 'i:v', [
                 'instance=',
                 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
                 'verbose', 'help'])
@@ -93,6 +93,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
             self.print_help()
             sys.exit(1)
 
+        nicknames = args
+
         instance_name = 'pki-tomcat'
         pkcs12_file = None
         pkcs12_password = None
@@ -139,7 +141,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
             nssdb.export_pkcs12(
                 pkcs12_file=pkcs12_file,
                 pkcs12_password=pkcs12_password,
-                pkcs12_password_file=pkcs12_password_file)
+                pkcs12_password_file=pkcs12_password_file,
+                nicknames=nicknames)
         finally:
             nssdb.close()
 
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 92d4c3deb..b6c694f88 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -576,9 +576,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
             try:
                 nssdb.export_pkcs12(
                     pkcs12_file=pkcs12_file,
-                    nicknames=nicknames,
                     pkcs12_password=pkcs12_password,
-                    pkcs12_password_file=pkcs12_password_file)
+                    pkcs12_password_file=pkcs12_password_file,
+                    nicknames=nicknames)
 
             finally:
                 nssdb.close()
diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
index a2ba8f436..0c3d606de 100644
--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py
+++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py
@@ -86,12 +86,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_secmod_database'],
             perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 
-        pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
+        # import system certificates before starting the server
 
+        pki_server_pkcs12_path = deployer.mdict['pki_server_pkcs12_path']
         if pki_server_pkcs12_path:
 
-            # importing system certificates
-
             pki_server_pkcs12_password = deployer.mdict[
                 'pki_server_pkcs12_password']
             if not pki_server_pkcs12_password:
@@ -106,9 +105,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 pkcs12_password=pki_server_pkcs12_password)
 
             # update external CA file (if needed)
-            external_cert_path = deployer.mdict['pki_server_external_cert_path']
-            if external_cert_path is not None:
-                self.update_external_cert_conf(external_cert_path, deployer)
+            external_certs_path = deployer.mdict['pki_server_external_certs_path']
+            if external_certs_path is not None:
+                self.update_external_certs_conf(external_certs_path, deployer)
 
         if len(deployer.instance.tomcat_instance_subsystems()) < 2:
             # only create a self signed cert for a new instance
@@ -183,20 +182,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         deployer.file.delete(deployer.mdict['pki_shared_pfile'])
         return self.rv
 
-    def update_external_cert_conf(self, external_path, deployer):
+    def update_external_certs_conf(self, external_path, deployer):
         external_certs = pki.server.PKIInstance.read_external_certs(
             external_path)
 
         if len(external_certs) > 0:
-            instance = pki.server.PKIInstance(
-                deployer.mdict['pki_instance_name'])
-            instance.load_external_certs(
+            deployer.instance.load_external_certs(
                 os.path.join(deployer.mdict['pki_instance_configuration_path'],
                              'external_certs.conf')
             )
 
             for cert in external_certs:
-                instance.add_external_cert(cert.nickname, cert.token)
+                deployer.instance.add_external_cert(cert.nickname, cert.token)
 
     def destroy(self, deployer):