authorEndi S. Dewata <edewata@redhat.com>2015-07-06 18:03:08 -0400
committerEndi S. Dewata <edewata@redhat.com>2015-07-09 19:19:09 -0400
commit2b4b943fee003115a03f287340ef6bdfd47e8486 (patch)
tree01e86cd69c974a64e4aca1bcf36349c8e7f38b00 /base/java-tools/src/com/netscape
parentac5447a8e0bac5112882be700a17a9274e322adc (diff)
Fixed user-cert-add --serial with remote CA.
The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally. A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance. The SubsystemCLI has been modified to call logout() only if the operation is executed successfully. The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient. https://fedorahosted.org/pki/ticket/1448
Diffstat (limited to 'base/java-tools/src/com/netscape')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java40
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java18
-rw-r--r--base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java5
3 files changed, 48 insertions, 15 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 4d63d9bc1..159e4ac5a 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -23,8 +23,10 @@ import java.io.Console;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
+import java.io.InputStreamReader;
import java.lang.reflect.Field;
import java.net.InetAddress;
+import java.net.URI;
import java.net.UnknownHostException;
import java.util.Collection;
import java.util.HashSet;
@@ -39,6 +41,7 @@ import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
+import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.client.ClientConfig;
import com.netscape.certsrv.client.PKIClient;
import com.netscape.certsrv.client.PKIConnection;
@@ -269,6 +272,36 @@ public class MainCLI extends CLI {
return promptForPassword("Enter Password: ");
}
+ public static CAClient createCAClient(PKIClient client) throws Exception {
+
+ ClientConfig config = client.getConfig();
+ CAClient caClient = new CAClient(client);
+
+ while (!caClient.exists()) {
+ System.err.println("ERROR: CA subsystem not available");
+
+ URI serverURI = config.getServerURI();
+ String uri = serverURI.getScheme() + "://" + serverURI.getHost() + ":" + serverURI.getPort();
+
+ System.out.print("CA server URI [" + uri + "]: ");
+ System.out.flush();
+
+ BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+ String line = reader.readLine().trim();
+ if (!line.equals("")) {
+ uri = line;
+ }
+
+ config = new ClientConfig(client.getConfig());
+ config.setServerURI(uri);
+
+ client = new PKIClient(config);
+ caClient = new CAClient(client);
+ }
+
+ return caClient;
+ }
+
public void parseOptions(CommandLine cmd) throws Exception {
verbose = cmd.hasOption("v");
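Review bot: The replacement client built in the retry loop of createCAClient (`client = new PKIClient(config);`) does not visibly receive the rejected/ignored certificate statuses or the verbose flag that this commit sets on the original client, so the connection to the user-supplied CA may run under a different certificate-approval policy than the one requested on the command line. Unless PKIClient's constructor derives them from the config (not visible here), copy them onto the new client before `new CAClient(client)`. The typed value also goes straight into `config.setServerURI(uri)` while the copied config presumably still carries the login credentials, so parsing it with `new URI(line)` and checking scheme and host first would stop a typo or a plain-`http` address from receiving them. Separately, `reader.readLine().trim()` throws NullPointerException when stdin is closed (scripted use); `String line = reader.readLine(); if (line == null) throw new IOException("CA server URI required");` fails cleanly instead.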
@@ -465,13 +498,14 @@ public class MainCLI extends CLI {
client = new PKIClient(config, null);
client.setVerbose(verbose);
- PKIConnection connection = client.getConnection();
- connection.setRejectedCertStatuses(rejectedCertStatuses);
- connection.setIgnoredCertStatuses(ignoredCertStatuses);
+ client.setRejectedCertStatuses(rejectedCertStatuses);
+ client.setIgnoredCertStatuses(ignoredCertStatuses);
if (output != null) {
File file = new File(output);
file.mkdirs();
+
+ PKIConnection connection = client.getConnection();
connection.setOutput(file);
}
}
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
index 310a4c29c..b28271dd7 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/SubsystemCLI.java
@@ -48,17 +48,15 @@ public class SubsystemCLI extends CLI {
init();
- try {
- // login if username or nickname is specified
- ClientConfig config = getClient().getConfig();
- if (config.getUsername() != null || config.getCertNickname() != null) {
- login();
- }
+ // login if username or nickname is specified
+ ClientConfig config = getClient().getConfig();
+ if (config.getUsername() != null || config.getCertNickname() != null) {
+ login();
+ }
- super.execute(args);
+ super.execute(args);
- } finally {
- logout();
- }
+ // logout if there is no failures
+ logout();
}
}
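Review bot: Removing the `finally` means a command that fails inside `super.execute(args)` after a successful `login()` now returns without `logout()`, so the authenticated server-side session is left open until it expires. If the motive was that a failing logout replaced the original error (for example when the subsystem is not deployed), the `finally` can stay and only the logout error be suppressed when the command has already failed. The method signature is outside the hunk, so the sketch below assumes it declares `throws Exception`.

```java
// … unchanged: init() and the conditional login() …
boolean succeeded = false;
try {
    super.execute(args);
    succeeded = true;
} finally {
    try {
        logout();
    } catch (Exception e) {
        // after a failed command, a logout error must not hide the original exception
        if (succeeded) throw e;
    }
}
```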
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
index 4425e7003..3e96c1dee 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCertAddCLI.java
@@ -25,6 +25,7 @@ import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.io.FileUtils;
+import com.netscape.certsrv.ca.CAClient;
import com.netscape.certsrv.cert.CertClient;
import com.netscape.certsrv.cert.CertData;
import com.netscape.certsrv.dbs.certdb.CertId;
@@ -114,8 +115,8 @@ public class UserCertAddCLI extends CLI {
System.out.println("Downloading certificate " + serialNumber + ".");
}
- client = parent.getClient();
- CertClient certClient = new CertClient(client, "ca");
+ CAClient caClient = MainCLI.createCAClient(parent.getClient());
+ CertClient certClient = new CertClient(caClient);
CertData certData = certClient.getCert(new CertId(serialNumber));
encoded = certData.getEncoded();