authorEndi S. Dewata <edewata@redhat.com>2016-04-16 02:43:03 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-04-20 03:08:54 +0200
commitb24ea9e24233636d18806326a9e2883235eb38d7 (patch)
tree1b9f4133b4757f348d343f6ae51720e464bcec1b
parentffcbc6809c1329b290c29eed962efce2bc50392e (diff)
Fixed PKCS #12 export options.
The CLIs for exporting a PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
-rw-r--r--base/common/python/pki/nssdb.py12
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java2
-rw-r--r--base/server/python/pki/server/cli/instance.py21
-rw-r--r--base/server/python/pki/server/cli/subsystem.py21
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java6
5 files changed, 58 insertions, 4 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 503bd41..30b1d47 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -545,6 +545,9 @@ class NSSDatabase(object):
pkcs12_password_file=None,
nicknames=None,
append=False,
+ include_trust_flags=True,
+ include_key=True,
+ include_chain=True,
debug=False):
tmpdir = tempfile.mkdtemp()
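Review bot: The three new keyword arguments are undocumented: in the visible context the signature is followed directly by `tmpdir = tempfile.mkdtemp()`, so the method appears to have no docstring. Because `include_key=True` is the default, a caller that does not pass it keeps exporting the private key, and that is worth stating where callers will read it. I would add a docstring with lines such as `include_key: when False, export certificates without their private keys (default True)` and matching entries for `include_trust_flags` and `include_chain`. The signature starts above this hunk and the body continues below it.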
@@ -580,6 +583,15 @@ class NSSDatabase(object):
if append:
cmd.extend(['--append'])
+ if not include_trust_flags:
+ cmd.extend(['--no-trust-flags'])
+
+ if not include_key:
+ cmd.extend(['--no-key'])
+
+ if not include_chain:
+ cmd.extend(['--no-chain'])
+
if debug:
cmd.extend(['--debug'])
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index 728a9ef..08a0850 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -150,7 +150,7 @@ public class PKCS12ExportCLI extends CLI {
if (nicknames.length == 0) {
// load all certificates
- util.loadFromNSS(pkcs12);
+ util.loadFromNSS(pkcs12, includeKey, includeChain);
} else {
// load the specified certificates
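Review bot: Only the load-all branch is visibly switched to `includeKey` and `includeChain`; the `else` branch that loads the named certificates continues below the hunk, so it cannot be confirmed from here that it passes the same two flags. If it does not, an export without keys that names specific nicknames would still write private keys into the output file, which is the failure this change fixes for the other branch. A test that runs a no-key export in both modes and checks that the resulting file holds no key entries would pin the behaviour down.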
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 4eeee5d..7520b32 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -77,6 +77,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
print(' --pkcs12-password <password> Password for the PKCS #12 file.')
print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
print(' --append Append into an existing PKCS #12 file.')
+ print(' --no-trust-flags Do not include trust flags')
+ print(' --no-key Do not include private key')
+ print(' --no-chain Do not include certificate chain')
print(' -v, --verbose Run in verbose mode.')
print(' --debug Run in debug mode.')
print(' --help Show help message.')
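Review bot: The three added help lines drop the trailing period that the neighbouring descriptions carry (`Append into an existing PKCS #12 file.`), and the help hunk in subsystem.py repeats this. I would write them as `Do not include trust flags.`, `Do not include private key.` and `Do not include certificate chain.`. Since the options are all negative, the `--no-key` line could also say that the private key is exported unless the option is given, so an operator reading the help knows the default.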
@@ -88,7 +91,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=',
'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'append', 'verbose', 'debug', 'help'])
+ 'append', 'no-trust-flags', 'no-key', 'no-chain',
+ 'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
@@ -102,6 +106,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
pkcs12_password = None
pkcs12_password_file = None
append = False
+ include_trust_flags = True
+ include_key = True
+ include_chain = True
debug = False
for o, a in opts:
@@ -120,6 +127,15 @@ class InstanceCertExportCLI(pki.cli.CLI):
elif o == '--append':
append = True
+ elif o == '--no-trust-flags':
+ include_trust_flags = False
+
+ elif o == '--no-key':
+ include_key = False
+
+ elif o == '--no-chain':
+ include_chain = False
+
elif o in ('-v', '--verbose'):
self.set_verbose(True)
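Review bot: The handling of `--no-trust-flags`, `--no-key` and `--no-chain` here is repeated line for line in SubsystemCertExportCLI (defaults, `elif` branches and the keyword arguments passed on), so the two export commands can drift apart when an option is added or renamed. Both classes derive from `pki.cli.CLI`, so a small shared helper that maps the parsed options to the three `include_*` values would keep them in step. The option loop starts above this hunk and continues below it.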
@@ -154,6 +170,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
pkcs12_password_file=pkcs12_password_file,
nicknames=nicknames,
append=append,
+ include_trust_flags=include_trust_flags,
+ include_key=include_key,
+ include_chain=include_chain,
debug=debug)
finally:
nssdb.close()
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index fe395aa..03d48f9 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -465,6 +465,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
print(' --pkcs12-password <password> Password for the PKCS #12 file.')
print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
print(' --append Append into an existing PKCS #12 file.')
+ print(' --no-trust-flags Do not include trust flags')
+ print(' --no-key Do not include private key')
+ print(' --no-chain Do not include certificate chain')
print(' -v, --verbose Run in verbose mode.')
print(' --debug Run in debug mode.')
print(' --help Show help message.')
@@ -476,7 +479,8 @@ class SubsystemCertExportCLI(pki.cli.CLI):
opts, args = getopt.gnu_getopt(argv, 'i:v', [
'instance=', 'cert-file=', 'csr-file=',
'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'append', 'verbose', 'debug', 'help'])
+ 'append', 'no-trust-flags', 'no-key', 'no-chain',
+ 'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
print('ERROR: ' + str(e))
@@ -497,6 +501,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
pkcs12_password = None
pkcs12_password_file = None
append = False
+ include_trust_flags = True
+ include_key = True
+ include_chain = True
debug = False
for o, a in opts:
@@ -521,6 +528,15 @@ class SubsystemCertExportCLI(pki.cli.CLI):
elif o == '--append':
append = True
+ elif o == '--no-trust-flags':
+ include_trust_flags = False
+
+ elif o == '--no-key':
+ include_key = False
+
+ elif o == '--no-chain':
+ include_chain = False
+
elif o in ('-v', '--verbose'):
self.set_verbose(True)
@@ -591,6 +607,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
pkcs12_password_file=pkcs12_password_file,
nicknames=nicknames,
append=append,
+ include_trust_flags=include_trust_flags,
+ include_key=include_key,
+ include_chain=include_chain,
debug=debug)
finally:
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 43435c8..571ee18 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -239,6 +239,10 @@ public class PKCS12Util {
}
public void loadFromNSS(PKCS12 pkcs12) throws Exception {
+ loadFromNSS(pkcs12, true, true);
+ }
+
+ public void loadFromNSS(PKCS12 pkcs12, boolean includeKey, boolean includeChain) throws Exception {
logger.info("Loading all certificate and keys from NSS database");
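Review bot: The log line `Loading all certificate and keys from NSS database` is now emitted even when `includeKey` is false, so on a certificate-only export the log claims that keys were loaded. This message is what an operator would read to tell whether private keys left the NSS database, so it should report the flags, for example `logger.info("Loading all certificates from NSS database (includeKey=" + includeKey + ", includeChain=" + includeChain + ")");`. The method body continues below the hunk.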
@@ -247,7 +251,7 @@ public class PKCS12Util {
CryptoStore store = token.getCryptoStore();
for (X509Certificate cert : store.getCertificates()) {
- loadCertFromNSS(pkcs12, cert, true, true);
+ loadCertFromNSS(pkcs12, cert, includeKey, includeChain);
}
}