diff options
| author | Endi S. Dewata <edewata@redhat.com> | 2016-03-31 21:59:25 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-04-04 19:33:05 +0200 |
| commit | 6448bfea3282f2f3a81520b3381d2a833babd491 (patch) | |
| tree | d24371d40dc4eecf705ac1f4cd73886b8ceec82a | |
| parent | 5fc6095c21a01de7c1386759a10b3303a0861cfe (diff) | |
| download | pki-6448bfea3282f2f3a81520b3381d2a833babd491.tar.gz pki-6448bfea3282f2f3a81520b3381d2a833babd491.tar.xz pki-6448bfea3282f2f3a81520b3381d2a833babd491.zip | |
Fixed missing trust flags in certificate backup.
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
5 files changed, 98 insertions, 72 deletions
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki index e476cfcfe..88490f7da 100644 --- a/base/java-tools/bin/pki +++ b/base/java-tools/bin/pki @@ -138,6 +138,9 @@ class PKICLI(pki.cli.CLI): if self.token and self.token != 'internal': cmd.extend(['--token', self.token]) + if self.verbose: + cmd.extend(['--verbose']) + cmd.extend(args) if self.verbose: diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java index 48e4907cf..a422b200d 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java @@ -65,6 +65,8 @@ public class PKCS12CertAddCLI extends CLI { options.addOption(null, "new-file", false, "Create a new PKCS #12 file"); options.addOption(null, "no-trust-flags", false, "Do not include trust flags"); + options.addOption(null, "no-key", false, "Do not include private key"); + options.addOption(null, "no-chain", false, "Do not include certificate chain"); options.addOption("v", "verbose", false, "Run in verbose mode."); options.addOption(null, "debug", false, "Run in debug mode."); @@ -139,6 +141,8 @@ public class PKCS12CertAddCLI extends CLI { boolean newFile = cmd.hasOption("new-file"); boolean includeTrustFlags = !cmd.hasOption("no-trust-flags"); + boolean includeKey = !cmd.hasOption("no-key"); + boolean includeChain = !cmd.hasOption("no-chain"); try { PKCS12Util util = new PKCS12Util(); @@ -155,7 +159,8 @@ public class PKCS12CertAddCLI extends CLI { pkcs12 = util.loadFromFile(filename, password); } - util.loadCertFromNSS(pkcs12, nickname); + // load the specified certificate + util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain); util.storeIntoFile(pkcs12, filename, password); } finally { diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java index d42c449b4..fab5ecdda 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java @@ -63,6 +63,8 @@ public class PKCS12ExportCLI extends CLI { options.addOption(null, "new-file", false, "Create a new PKCS #12 file"); options.addOption(null, "no-trust-flags", false, "Do not include trust flags"); + options.addOption(null, "no-key", false, "Do not include private key"); + options.addOption(null, "no-chain", false, "Do not include certificate chain"); options.addOption("v", "verbose", false, "Run in verbose mode."); options.addOption(null, "debug", false, "Run in debug mode."); @@ -127,11 +129,13 @@ public class PKCS12ExportCLI extends CLI { Password password = new Password(passwordString.toCharArray()); boolean newFile = cmd.hasOption("new-file"); - boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags"); + boolean includeTrustFlags = !cmd.hasOption("no-trust-flags"); + boolean includeKey = !cmd.hasOption("no-key"); + boolean includeChain = !cmd.hasOption("no-chain"); try { PKCS12Util util = new PKCS12Util(); - util.setTrustFlagsEnabled(trustFlagsEnabled); + util.setTrustFlagsEnabled(includeTrustFlags); PKCS12 pkcs12; @@ -149,9 +153,9 @@ public class PKCS12ExportCLI extends CLI { util.loadFromNSS(pkcs12); } else { - // load specified certificates + // load the specified certificates for (String nickname : nicknames) { - util.loadCertFromNSS(pkcs12, nickname); + util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain); } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 51e5f0824..25838f1f3 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -30,7 +30,6 @@ import java.io.PrintStream; import java.math.BigInteger; import java.net.URI; import java.net.URISyntaxException; -import java.security.DigestException; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.KeyPair; @@ -165,6 +164,8 @@ import netscape.ldap.LDAPSearchResults; import netscape.ldap.LDAPv3; import netscape.security.pkcs.ContentInfo; import netscape.security.pkcs.PKCS10; +import netscape.security.pkcs.PKCS12; +import netscape.security.pkcs.PKCS12Util; import netscape.security.pkcs.PKCS7; import netscape.security.pkcs.SignerInfo; import netscape.security.util.DerOutputStream; @@ -3331,11 +3332,8 @@ public class ConfigurationUtils { } } - public static void backupKeys(String pwd, String fname) throws EPropertyNotFound, EBaseException, - NotInitializedException, ObjectNotFoundException, TokenException, DigestException, - InvalidKeyException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidBERException, - CertificateEncodingException, IllegalStateException, IllegalBlockSizeException, BadPaddingException, - IOException { + public static void backupKeys(String pwd, String fname) throws Exception { + CMS.debug("backupKeys(): start"); IConfigStore cs = CMS.getConfigStore(); String certlist = cs.getString("preop.cert.list"); @@ -3344,39 +3342,37 @@ public class ConfigurationUtils { CryptoManager cm = CryptoManager.getInstance(); Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray()); - SEQUENCE encSafeContents = new SEQUENCE(); - SEQUENCE safeContents = new SEQUENCE(); + + PKCS12Util util = new PKCS12Util(); + PKCS12 pkcs12 = new PKCS12(); + + // load system certificate (with key but without chain) while (st.hasMoreTokens()) { + String t = st.nextToken(); if (t.equals("sslserver")) continue; + String nickname = cs.getString("preop.cert." + t + ".nickname"); String modname = cs.getString("preop.module.token"); if (!modname.equals("Internal Key Storage Token")) nickname = modname + ":" + nickname; - X509Certificate x509cert = cm.findCertByNickname(nickname); - byte localKeyId[] = addCertBag(x509cert, nickname, safeContents); - PrivateKey pkey = cm.findPrivKeyByCert(x509cert); - addKeyBag(pkey, x509cert, pass, localKeyId, encSafeContents); + util.loadCertFromNSS(pkcs12, nickname, true, false); } - X509Certificate[] cacerts = cm.getCACerts(); - - for (int i = 0; i < cacerts.length; i++) { - String nickname = null; - addCertBag(cacerts[i], nickname, safeContents); + // load CA certificates (without keys or chains) + for (X509Certificate caCert : cm.getCACerts()) { + util.loadCertFromNSS(pkcs12, caCert, false, false); } - AuthenticatedSafes authSafes = new AuthenticatedSafes(); - authSafes.addSafeContents(safeContents); - authSafes.addSafeContents(encSafeContents); - PFX pfx = new PFX(authSafes); - pfx.computeMacData(pass, null, 5); + PFX pfx = util.generatePFX(pkcs12, pass); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); pfx.encode(bos); byte[] output = bos.toByteArray(); + cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); pass.clear(); cs.commit(false); diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java index 7c9ab2fb4..967479b69 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12Util.java +++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java @@ -162,13 +162,14 @@ public class PKCS12Util { } BigInteger createLocalID(X509Certificate cert) throws Exception { - // SHA1 hash of the X509Cert DER encoding - byte[] certDer = cert.getEncoded(); + return createLocalID(cert.getEncoded()); + } - MessageDigest md = MessageDigest.getInstance("SHA"); + BigInteger createLocalID(byte[] bytes) throws Exception { - md.update(certDer); + MessageDigest md = MessageDigest.getInstance("SHA"); + md.update(bytes); return new BigInteger(1, md.digest()); } @@ -244,21 +245,46 @@ public class PKCS12Util { CryptoStore store = token.getCryptoStore(); for (X509Certificate cert : store.getCertificates()) { - loadCertChainFromNSS(pkcs12, cert); + loadCertFromNSS(pkcs12, cert, true, true); } } - public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception { + public void loadCertFromNSS(PKCS12 pkcs12, String nickname, boolean includeKey, boolean includeChain) throws Exception { CryptoManager cm = CryptoManager.getInstance(); X509Certificate[] certs = cm.findCertsByNickname(nickname); for (X509Certificate cert : certs) { - loadCertChainFromNSS(pkcs12, cert); + loadCertFromNSS(pkcs12, cert, includeKey, includeChain); } } - public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception { + public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey, boolean includeChain) throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + BigInteger id = createLocalID(cert); + + // load cert info + loadCertInfoFromNSS(pkcs12, cert, id, true); + + if (includeKey) { + // load key info if exists + loadKeyInfoFromNSS(pkcs12, cert, id); + } + + if (includeChain) { + // load cert chain + X509Certificate[] certChain = cm.buildCertificateChain(cert); + for (int i = 1; i < certChain.length; i++) { + X509Certificate c = certChain[i]; + BigInteger cid = createLocalID(c); + loadCertInfoFromNSS(pkcs12, c, cid, false); + } + } + } + + public void loadCertInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception { String nickname = cert.getNickname(); logger.info("Loading certificate \"" + nickname + "\" from NSS database"); @@ -272,7 +298,7 @@ public class PKCS12Util { pkcs12.addCertInfo(certInfo, replace); } - public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception { + public void loadKeyInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception { String nickname = cert.getNickname(); logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database"); @@ -298,30 +324,9 @@ public class PKCS12Util { } } - public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception { - - CryptoManager cm = CryptoManager.getInstance(); + public PFX generatePFX(PKCS12 pkcs12, Password password) throws Exception { - BigInteger id = createLocalID(cert); - - // load cert key if exists - loadCertKeyFromNSS(pkcs12, cert, id); - - // load cert - loadCertFromNSS(pkcs12, cert, id, true); - - // load parent certs without key - X509Certificate[] certChain = cm.buildCertificateChain(cert); - for (int i = 1; i < certChain.length; i++) { - X509Certificate c = certChain[i]; - BigInteger cid = createLocalID(c); - loadCertFromNSS(pkcs12, c, cid, false); - } - } - - public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception { - - logger.info("Storing data into PKCS #12 file"); + logger.info("Generating PKCS #12 data"); SEQUENCE safeContents = new SEQUENCE(); @@ -342,6 +347,14 @@ public class PKCS12Util { PFX pfx = new PFX(authSafes); pfx.computeMacData(password, null, 5); + return pfx; + } + + public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception { + + PFX pfx = generatePFX(pkcs12, password); + + logger.info("Storing data into PKCS #12 file"); ByteArrayOutputStream bos = new ByteArrayOutputStream(); pfx.encode(bos); byte[] data = bos.toByteArray(); @@ -362,7 +375,7 @@ public class PKCS12Util { // get key attributes SET bagAttrs = bag.getBagAttributes(); - for (int i = 0; i < bagAttrs.size(); i++) { + for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) { Attribute attr = (Attribute) bagAttrs.elementAt(i); OBJECT_IDENTIFIER oid = attr.getType(); @@ -376,7 +389,7 @@ public class PKCS12Util { BMPString subjectDN = (BMPString) new BMPString.Template().decode(bis); keyInfo.subjectDN = subjectDN.toString(); - logger.fine("Subject DN: " + keyInfo.subjectDN); + logger.fine(" Subject DN: " + keyInfo.subjectDN); } else if (oid.equals(SafeBag.LOCAL_KEY_ID)) { @@ -387,12 +400,10 @@ public class PKCS12Util { OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis); keyInfo.id = new BigInteger(1, keyID.toByteArray()); - logger.fine("ID: " + keyInfo.id.toString(16)); + logger.fine(" ID: " + keyInfo.id.toString(16)); } } - logger.fine("Found private key " + keyInfo.subjectDN); - return keyInfo; } @@ -406,12 +417,11 @@ public class PKCS12Util { byte[] x509cert = certStr.toByteArray(); certInfo.cert = new X509CertImpl(x509cert); - logger.fine("Found certificate " + certInfo.cert.getSubjectDN()); + logger.fine(" Subject DN: " + certInfo.cert.getSubjectDN()); SET bagAttrs = bag.getBagAttributes(); - if (bagAttrs == null) return certInfo; - for (int i = 0; i < bagAttrs.size(); i++) { + for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) { Attribute attr = (Attribute) bagAttrs.elementAt(i); OBJECT_IDENTIFIER oid = attr.getType(); @@ -425,7 +435,7 @@ public class PKCS12Util { BMPString nickname = (BMPString) (new BMPString.Template()).decode(bis); certInfo.nickname = nickname.toString(); - logger.fine("Nickname: " + certInfo.nickname); + logger.fine(" Nickname: " + certInfo.nickname); } else if (oid.equals(SafeBag.LOCAL_KEY_ID)) { @@ -437,7 +447,7 @@ public class PKCS12Util { OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis); certInfo.id = new BigInteger(1, keyID.toByteArray()); - logger.fine("ID: " + certInfo.id.toString(16)); + logger.fine(" ID: " + certInfo.id.toString(16)); } else if (oid.equals(PKCS12.CERT_TRUST_FLAGS_OID) && trustFlagsEnabled) { @@ -448,16 +458,22 @@ public class PKCS12Util { BMPString trustFlags = (BMPString) (new BMPString.Template()).decode(is); certInfo.trustFlags = trustFlags.toString(); - logger.fine("Trust flags: " + certInfo.trustFlags); + logger.fine(" Trust flags: " + certInfo.trustFlags); } } + if (certInfo.id == null) { + logger.fine(" ID not specified, generating new ID"); + certInfo.id = createLocalID(x509cert); + logger.fine(" ID: " + certInfo.id.toString(16)); + } + return certInfo; } public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception { - logger.fine("Getting private keys"); + logger.fine("Load private keys:"); AuthenticatedSafes safes = pfx.getAuthSafes(); @@ -472,6 +488,7 @@ public class PKCS12Util { if (!oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) continue; + logger.fine(" - Private key:"); PKCS12KeyInfo keyInfo = getKeyInfo(bag, password); pkcs12.addKeyInfo(keyInfo); } @@ -480,7 +497,7 @@ public class PKCS12Util { public void getCertInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception { - logger.fine("Getting certificates"); + logger.fine("Loading certificates:"); AuthenticatedSafes safes = pfx.getAuthSafes(); @@ -495,6 +512,7 @@ public class PKCS12Util { if (!oid.equals(SafeBag.CERT_BAG)) continue; + logger.fine(" - Certificate:"); PKCS12CertInfo certInfo = getCertInfo(bag); pkcs12.addCertInfo(certInfo, true); } |