Fixed pki pkcs12-import backward compatibility.

For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.

The configuration servlet has been modified to provide better
debugging information when updating the security domain.

https://fedorahosted.org/pki/ticket/2255

1 files changed, 6 insertions, 1 deletions

diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index dc999a120..a7c32cc2b 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -220,7 +220,12 @@ class PKCS12ImportCLI(pki.cli.CLI):
 
                     cert_id = cert_info['id']
                     nickname = cert_info['nickname']
-                    trust_flags = cert_info['trust_flags']
+
+                    if 'trust_flags' in cert_info:
+                        trust_flags = cert_info['trust_flags']
+                    else:
+                        # default trust flags for CA certificates
+                        trust_flags = 'CT,c,c'
 
                     if main_cli.verbose:
                         print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))