| author | Endi S. Dewata <edewata@redhat.com> | 2016-06-21 18:39:25 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-06-29 01:17:05 +0200 |
| commit | 8598a68ac954d1020f4e0063e257a20512961567 (patch) | |
| tree | f17df8bee056c9a2af57387851bed472c97cb7d0 /base/common/python/pki/cli | |
| parent | 66223629c5d8e74be9f5a59734ab091b081435bc (diff) | |
Fixed KRA cloning issue.
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
Some other classes have also been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
Diffstat (limited to 'base/common/python/pki/cli')
| -rw-r--r-- | base/common/python/pki/cli/pkcs12.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index a7c32cc2b..3fcea35a4 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -55,6 +55,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
 print(' --no-trust-flags Do not include trust flags')
 print(' --no-user-certs Do not import user certificates')
 print(' --no-ca-certs Do not import CA certificates')
+ print(' --overwrite Overwrite existing certificates')
 print(' -v, --verbose Run in verbose mode.')
 print(' --debug Run in debug mode.')
 print(' --help Show help message.')
@@ -65,7 +66,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
 try:
 opts, _ = getopt.gnu_getopt(args, 'v', [
 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'no-trust-flags', 'no-user-certs', 'no-ca-certs',
+ 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
 'verbose', 'debug', 'help'])
 
 except getopt.GetoptError as e:
@@ -79,6 +80,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
 no_trust_flags = False
 import_user_certs = True
 import_ca_certs = True
+ overwrite = False
 debug = False
 
 for o, a in opts:
@@ -100,6 +102,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
 elif o == '--no-ca-certs':
 import_ca_certs = False
 
+ elif o == '--overwrite':
+ overwrite = True
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)
 
@@ -221,6 +226,15 @@ class PKCS12ImportCLI(pki.cli.CLI):
 cert_id = cert_info['id']
 nickname = cert_info['nickname']
 
+ cert = nssdb.get_cert(nickname)
+
+ if cert:
+ if not overwrite:
+ print('WARNING: cert %s already exists' % nickname)
+ continue
+
+ nssdb.remove_cert(nickname)
+
 if 'trust_flags' in cert_info:
 trust_flags = cert_info['trust_flags']
 else:
@@ -292,6 +306,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
 if no_trust_flags:
 cmd.extend(['--no-trust-flags'])
 
+ if overwrite:
+ cmd.extend(['--overwrite'])
+
 if self.verbose:
 cmd.extend(['--verbose'])
 
|
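Review bot: The help line added for `--overwrite` in the first hunk does not say that the default has changed: a certificate whose nickname is already in the NSS database is now skipped unless the option is given. Since overwriting appears to replace the stored entry together with its trust flags (see the import loop in the `-221,6 +226,15` hunk), I would spell that out in the help text, for example `Replace certificates that already exist in the NSS database (default: skip them)`. The column spacing of the help strings is not recoverable from this page, so the wording is given without alignment.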
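Review bot: The existence check added in the `-221,6 +226,15` hunk, `cert = nssdb.get_cert(nickname)`, matches on nickname only, so a different certificate already stored under the same nickname is reported as "already exists" and skipped, and with `--overwrite` it is removed without confirming that it is the certificate being replaced. On the overwrite path `nssdb.remove_cert(nickname)` also runs before the new certificate is imported, so if the later import step fails (it is outside this hunk) the database appears to be left without the certificate and its trust flags. I would compare the stored certificate with the one from the PKCS #12 file before deciding to skip or remove, and at minimum record the behaviour in a comment such as `# Matched by nickname only; an existing entry is kept as-is unless --overwrite is given.` The skip is reported only through `print` and the loop then continues, so a calling script such as the cloning workflow may not be able to tell from the exit status that a certificate was not imported. The loop body starts and ends outside the hunk.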
