authorEndi S. Dewata <edewata@redhat.com>2016-06-21 18:39:25 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-06-29 01:17:05 +0200
commit8598a68ac954d1020f4e0063e257a20512961567 (patch)
treef17df8bee056c9a2af57387851bed472c97cb7d0 /base/common/python
parent66223629c5d8e74be9f5a59734ab091b081435bc (diff)
Fixed KRA cloning issue.
The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This avoids changing the trust flags of the CA signing certificate during KRA cloning. Some other classes have been modified to provide better debugging information. https://fedorahosted.org/pki/ticket/2374
Diffstat (limited to 'base/common/python')
-rw-r--r--base/common/python/pki/cli/pkcs12.py19
-rw-r--r--base/common/python/pki/nssdb.py22
2 files changed, 35 insertions, 6 deletions
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index a7c32cc2b..3fcea35a4 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -55,6 +55,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
print(' --no-trust-flags Do not include trust flags')
print(' --no-user-certs Do not import user certificates')
print(' --no-ca-certs Do not import CA certificates')
+ print(' --overwrite Overwrite existing certificates')
print(' -v, --verbose Run in verbose mode.')
print(' --debug Run in debug mode.')
print(' --help Show help message.')
@@ -65,7 +66,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
try:
opts, _ = getopt.gnu_getopt(args, 'v', [
'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'no-trust-flags', 'no-user-certs', 'no-ca-certs',
+ 'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
'verbose', 'debug', 'help'])
except getopt.GetoptError as e:
@@ -79,6 +80,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
no_trust_flags = False
import_user_certs = True
import_ca_certs = True
+ overwrite = False
debug = False
for o, a in opts:
@@ -100,6 +102,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
elif o == '--no-ca-certs':
import_ca_certs = False
+ elif o == '--overwrite':
+ overwrite = True
+
elif o in ('-v', '--verbose'):
self.set_verbose(True)
@@ -221,6 +226,15 @@ class PKCS12ImportCLI(pki.cli.CLI):
cert_id = cert_info['id']
nickname = cert_info['nickname']
+ cert = nssdb.get_cert(nickname)
+
+ if cert:
+ if not overwrite:
+ print('WARNING: cert %s already exists' % nickname)
+ continue
+
+ nssdb.remove_cert(nickname)
+
if 'trust_flags' in cert_info:
trust_flags = cert_info['trust_flags']
else:
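Review bot: The existence check at `cert = nssdb.get_cert(nickname)` decides purely by nickname, so a certificate in the PKCS#12 that differs from the one already stored under that nickname is silently skipped with only a stdout WARNING, and the warning does not tell the operator how to proceed. Comparing the stored certificate with the one in the file before skipping would let identical certificates be skipped quietly and genuinely different ones be reported as a conflict; whether cert_info carries the certificate bytes needed for that comparison is not visible in this hunk. At minimum the message should name the new flag: `print('WARNING: cert %s already exists, use --overwrite to replace it' % nickname)`. Note also that get_cert, as changed in nssdb.py in this same commit, returns None on any certutil failure, so a failed lookup is treated here as "cert absent" and the import proceeds, which is the fail-open direction for a check meant to protect the CA signing certificate's trust flags. The enclosing loop and function begin outside this hunk.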
@@ -292,6 +306,9 @@ class PKCS12ImportCLI(pki.cli.CLI):
if no_trust_flags:
cmd.extend(['--no-trust-flags'])
+ if overwrite:
+ cmd.extend(['--overwrite'])
+
if self.verbose:
cmd.extend(['--verbose'])
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 0c27c3f19..f563fd81e 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -423,12 +423,20 @@ class NSSDatabase(object):
output_format_option
])
- cert_data = subprocess.check_output(cmd)
+ try:
+ cert_data = subprocess.check_output(cmd)
+
+ if output_format == 'base64':
+ cert_data = base64.b64encode(cert_data)
- if output_format == 'base64':
- cert_data = base64.b64encode(cert_data)
+ return cert_data
- return cert_data
+ except subprocess.CalledProcessError:
+ # All certutil errors return the same code (i.e. 255).
+ # For now assume it was caused by missing certificate.
+ # TODO: Check error message. If it's caused by other
+ # issue, throw exception.
+ return None
def remove_cert(self, nickname):
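Review bot: The new `except subprocess.CalledProcessError: return None` turns every certutil failure into "certificate not found", including a wrong database password or an unreadable database, and the caller added in this commit uses None to mean "safe to import", so an unrelated certutil error now silently leads to exactly the import and trust-flag change this commit is meant to prevent. certutil does print a distinguishable message for the missing-certificate case (in my experience it contains `Could not find cert`; confirm against the NSS version in use), so the TODO can be resolved now by capturing stderr and re-raising for anything else. The proposed replacement keeps the None return for the genuine not-found case and preserves the exception type existing callers may catch. get_cert's signature and the construction of cmd lie above this hunk.
```python
        # … unchanged: cmd construction …
        p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        cert_data, stderr = p.communicate()

        if p.returncode != 0:
            # certutil uses one exit code for every failure; only a genuine
            # "not found" may be reported as None, anything else (wrong DB
            # password, unreadable database, ...) must surface as an error.
            if 'Could not find cert' in stderr.decode('utf-8', 'replace'):
                return None
            raise subprocess.CalledProcessError(p.returncode, cmd, stderr)

        if output_format == 'base64':
            cert_data = base64.b64encode(cert_data)

        return cert_data
```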
@@ -576,7 +584,8 @@ class NSSDatabase(object):
pkcs12_password=None,
pkcs12_password_file=None,
no_user_certs=False,
- no_ca_certs=False):
+ no_ca_certs=False,
+ overwrite=False):
tmpdir = tempfile.mkdtemp()
@@ -613,6 +622,9 @@ class NSSDatabase(object):
if no_ca_certs:
cmd.extend(['--no-ca-certs'])
+ if overwrite:
+ cmd.extend(['--overwrite'])
+
subprocess.check_call(cmd)
finally: