authorEndi S. Dewata <edewata@redhat.com>2014-09-09 15:02:47 -0400
committerEndi S. Dewata <edewata@redhat.com>2014-09-19 15:28:17 -0400
commit8bb918883ad8c1287d4085317e9330e18ec214b2 (patch)
tree3d8475ffd348e7adbc4c3e4249bd0768927dcf41 /base/java-tools/src/com/netscape/cmstools
parentab97c5a333cb0a86fc4a6983f39f1607d37577c7 (diff)
Added option to import client cert from CA.
A new option has been added to the client-cert-import command to import a certificate from the CA by specifying its serial number. The client-cert-import command has also been modified to take the nickname of the certificate to import from a CLI argument. For backward compatibility, if no argument is specified the CLI will try to get the nickname from the authentication option (-n). Ticket #1152
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java146
1 files changed, 90 insertions, 56 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
index 90e3d0a3e..5080c55ea 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
@@ -20,13 +20,19 @@ package com.netscape.cmstools.client;
import java.io.File;
import java.io.FileOutputStream;
+import java.io.FileWriter;
+import java.io.PrintWriter;
+import java.net.URI;
import java.util.Arrays;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
-import org.apache.commons.io.FileUtils;
+import com.netscape.certsrv.cert.CertClient;
+import com.netscape.certsrv.cert.CertData;
import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
+import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.cmstools.cli.CLI;
import com.netscape.cmstools.cli.MainCLI;
@@ -45,7 +51,7 @@ public class ClientCertImportCLI extends CLI {
}
public void printHelp() {
- formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+ formatter.printHelp(getFullName() + " <nickname> [OPTIONS...]", options);
}
public void createOptions() {
@@ -58,6 +64,14 @@ public class ClientCertImportCLI extends CLI {
options.addOption(option);
options.addOption(null, "ca-server", false, "Import CA certificate from CA server");
+
+ option = new Option(null, "serial", true, "Serial number of certificate in CA");
+ option.setArgName("serial number");
+ options.addOption(option);
+
+ option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u.");
+ option.setArgName("trust attributes");
+ options.addOption(option);
}
public void execute(String[] args) throws Exception {
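Review bot: The description of the new `trust` option, `"Trust attributes. Default: u,u,u."`, does not match what execute() does with it: in the hunk below the `--ca-cert` and `--ca-server` branches unconditionally assign `trustAttributes = "CT,c,";`, so a user-supplied `--trust` value is silently discarded on those two paths. Either honor the option by applying the CA default only when it was not given, `if (!cmd.hasOption("trust")) trustAttributes = "CT,c,";` in both branches, or state the override in the help text, `"Trust attributes. Default: u,u,u (CT,c, for --ca-cert and --ca-server)."`. This is worth getting right because the trust string decides whether the imported certificate becomes a trusted CA in the client's database.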
@@ -81,100 +95,120 @@ public class ClientCertImportCLI extends CLI {
String[] cmdArgs = cmd.getArgs();
- if (cmdArgs.length != 0) {
+ if (cmdArgs.length > 1) {
System.err.println("Error: Too many arguments specified.");
printHelp();
System.exit(-1);
}
- byte[] bytes = null;
+ MainCLI mainCLI = (MainCLI)parent.getParent();
+
+ String nickname = null;
+
+ // Get nickname from command argument if specified.
+ if (cmdArgs.length > 0) {
+ nickname = cmdArgs[0];
+ }
+
+ // Otherwise, get nickname from authentication option -n.
+ // This code is used to provide backward compatibility.
+ // TODO: deprecate/remove this code in 10.3.
+ if (nickname == null) {
+ nickname = mainCLI.config.getCertNickname();
+ }
+
+ if (nickname == null) {
+ System.err.println("Error: Missing certificate nickname.");
+ System.exit(-1);
+ }
String certPath = cmd.getOptionValue("cert");
String caCertPath = cmd.getOptionValue("ca-cert");
boolean importFromCAServer = cmd.hasOption("ca-server");
+ String serialNumber = cmd.getOptionValue("serial");
+ String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
- boolean isCACert = false;
+ File certFile;
// load the certificate
if (certPath != null) {
if (verbose) System.out.println("Loading certificate from " + certPath + ".");
- bytes = FileUtils.readFileToByteArray(new File(certPath));
-
+ certFile = new File(certPath);
} else if (caCertPath != null) {
if (verbose) System.out.println("Loading CA certificate from " + caCertPath + ".");
- bytes = FileUtils.readFileToByteArray(new File(caCertPath));
+ certFile = new File(caCertPath);
- isCACert = true;
+ trustAttributes = "CT,c,";
} else if (importFromCAServer) {
// late initialization
- MainCLI mainCLI = (MainCLI)parent.parent;
mainCLI.init();
client = mainCLI.getClient();
- ClientConfig config = client.getConfig();
+ URI serverURI = mainCLI.config.getServerURI();
- String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca";
+ String caServerURI = serverURI.getScheme() + "://" +
+ serverURI.getHost() + ":" + serverURI.getPort() + "/ca";
if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + ".");
- bytes = client.downloadCACertChain(caServerURI);
+ byte[] bytes = client.downloadCACertChain(caServerURI);
- isCACert = true;
+ certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase);
+ certFile.deleteOnExit();
- } else {
- System.err.println("Error: Missing certificate to import");
- printHelp();
- System.exit(-1);
- }
+ try (FileOutputStream out = new FileOutputStream(certFile)) {
+ out.write(bytes);
+ }
- MainCLI mainCLI = (MainCLI)parent.getParent();
+ trustAttributes = "CT,c,";
- if (mainCLI.config.getCertNickname() == null) {
- System.err.println("Error: Certificate nickname is required.");
- System.exit(-1);
- }
+ } else if (serialNumber != null) {
- File certDatabase = mainCLI.certDatabase;
- File certFile = new File(certDatabase, "import.crt");
+ // connect to CA anonymously
+ ClientConfig config = new ClientConfig(mainCLI.config);
+ config.setCertDatabase(null);
+ config.setCertPassword(null);
+ config.setCertNickname(null);
- try {
- try (FileOutputStream out = new FileOutputStream(certFile)) {
- out.write(bytes);
- }
+ PKIClient client = new PKIClient(config, null);
+ CertClient certClient = new CertClient(client, "ca");
- String flag;
- if (isCACert) {
- if (verbose) System.out.println("Importing CA certificate.");
- flag = "CT,c,";
+ CertData certData = certClient.getCert(new CertId(serialNumber));
- } else {
- if (verbose) System.out.println("Importing certificate.");
- flag = "u,u,u";
- }
+ certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase);
+ certFile.deleteOnExit();
- String[] commands = {
- "/usr/bin/certutil", "-A",
- "-d", certDatabase.getAbsolutePath(),
- "-i", certFile.getAbsolutePath(),
- "-n", mainCLI.config.getCertNickname(),
- "-t", flag
- };
-
- Runtime rt = Runtime.getRuntime();
- Process p = rt.exec(commands);
-
- int rc = p.waitFor();
- if (rc != 0) {
- MainCLI.printMessage("Import failed");
- return;
+ String encoded = certData.getEncoded();
+ try (PrintWriter out = new PrintWriter(new FileWriter(certFile))) {
+ out.write(encoded);
}
- MainCLI.printMessage("Imported certificate \"" + mainCLI.config.getCertNickname() + "\"");
+ } else {
+ System.err.println("Error: Missing certificate to import");
+ printHelp();
+ System.exit(-1);
+ return;
+ }
- } finally {
- certFile.delete();
+ String[] commands = {
+ "/usr/bin/certutil", "-A",
+ "-d", mainCLI.certDatabase.getAbsolutePath(),
+ "-i", certFile.getAbsolutePath(),
+ "-n", nickname,
+ "-t", trustAttributes
+ };
+
+ Runtime rt = Runtime.getRuntime();
+ Process p = rt.exec(commands);
+
+ int rc = p.waitFor();
+ if (rc != 0) {
+ MainCLI.printMessage("Import failed");
+ return;
}
+
+ MainCLI.printMessage("Imported certificate \"" + nickname + "\"");
}
}
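Review bot: The `--serial` branch writes the downloaded certificate through a `PrintWriter`, which never throws on a failed write (errors are only reported via `checkError()`), so a short or failed write leaves a truncated temp file that certutil then rejects with nothing more than the generic `Import failed`. Writing through the `FileWriter` directly propagates the IOException: `try (FileWriter out = new FileWriter(certFile)) {` / `out.write(encoded);` / `}`, after which the `PrintWriter` import added in the first hunk is unused. The local `PKIClient client` declared in that branch also shadows the `client` field (declared outside the hunk) that the `--ca-server` branch assigns, which reads as if both branches share one object; a distinct name such as `anonymousClient` makes the separate, credential-less connection obvious. `FileWriter` uses the platform default charset, which is harmless for PEM text but would be clearer with an explicit charset if one is adopted elsewhere in the file. execute() begins above this hunk.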