authorEndi S. Dewata <edewata@redhat.com>2016-03-17 15:23:34 +0100
committerEndi S. Dewata <edewata@redhat.com>2016-03-18 22:29:26 +0100
commitc14e8c52ae7a2c15433fe9568c393c1d0e7a1301 (patch)
treea9611500f648015bb92ae29546d633e86a95e112 /base/java-tools/src/com/netscape
parent04055a9bc40486950a3288acf610522e767c1e27 (diff)
Added support for cloning 3rd-party CA certificates.
The installation code has been modified such that it uses certutil to import all CA certificates from the PKCS #12 file for cloning before the server is started. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nickname. The pki pkcs12-cert-find has been modified to show the certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either a certificate nickname or an ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or only CA certificates. https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/java-tools/src/com/netscape')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertCLI.java15
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertExportCLI.java54
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertFindCLI.java10
3 files changed, 59 insertions, 20 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertCLI.java
index 1ed88b1fa..fe7092c00 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertCLI.java
@@ -18,9 +18,12 @@
package com.netscape.cmstools.pkcs12;
+import java.math.BigInteger;
+
import com.netscape.certsrv.dbs.certdb.CertId;
import com.netscape.cmstools.cli.CLI;
+import netscape.security.pkcs.PKCS12;
import netscape.security.pkcs.PKCS12CertInfo;
/**
@@ -37,18 +40,20 @@ public class PKCS12CertCLI extends CLI {
addModule(new PKCS12CertRemoveCLI(this));
}
- public static void printCertInfo(PKCS12CertInfo certInfo) throws Exception {
+ public static void printCertInfo(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception {
+
+ BigInteger id = certInfo.getID();
+ System.out.println(" Certificate ID: " + id.toString(16));
+
System.out.println(" Serial Number: " + new CertId(certInfo.getCert().getSerialNumber()).toHexString());
System.out.println(" Nickname: " + certInfo.getNickname());
System.out.println(" Subject DN: " + certInfo.getCert().getSubjectDN());
System.out.println(" Issuer DN: " + certInfo.getCert().getIssuerDN());
- if (certInfo.getKeyID() != null) {
- System.out.println(" Key ID: " + certInfo.getKeyID().toString(16));
- }
-
if (certInfo.getTrustFlags() != null) {
System.out.println(" Trust Flags: " + certInfo.getTrustFlags());
}
+
+ System.out.println(" Has Key: " + (pkcs12.getKeyInfoByID(id) != null));
}
}
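Review bot: printCertInfo gains a second parameter and a new "Certificate ID" line on L41-L42 but still carries no Javadoc, and the new line calls `id.toString(16)` without the null guard the removed "Key ID" line had; if getID() can be null for an entry without an ID attribute (getTrustFlags() evidently can be, given its check on L52), this throws an NPE mid-listing. Whether getID() is nullable is not visible here, so either confirm it or guard the line the same way trust flags are guarded. Add a header such as `/** Prints one certificate entry of the PKCS #12 file: the ID (hex) is the value that links the certificate entry to its key entry, distinct from the serial number, and "Has Key" reports whether pkcs12 holds a key entry with that same ID. */` so readers do not confuse the ID with the serial number printed on the next line.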
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertExportCLI.java
index 04e2b7b6f..8fb526d48 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertExportCLI.java
@@ -22,6 +22,9 @@ import java.io.BufferedReader;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.PrintStream;
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.Collection;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -50,7 +53,7 @@ public class PKCS12CertExportCLI extends CLI {
}
public void printHelp() {
- formatter.printHelp(getFullName() + " [OPTIONS...] <nickname>", options);
+ formatter.printHelp(getFullName() + " [OPTIONS...] [nickname]", options);
}
public void createOptions() {
@@ -70,6 +73,10 @@ public class PKCS12CertExportCLI extends CLI {
option.setArgName("path");
options.addOption(option);
+ option = new Option(null, "cert-id", true, "Certificate ID to export");
+ option.setArgName("ID");
+ options.addOption(option);
+
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
options.addOption(null, "help", false, "Show help message.");
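Review bot: The description of the new `--cert-id` option on L82 does not say what format the ID takes, yet the value is parsed with radix 16 later in this file and pkcs12-cert-find prints IDs via `toString(16)`, so a user passing a decimal ID gets a silent "Certificate not found" or a parse failure. Change it to `option = new Option(null, "cert-id", true, "Certificate ID (hex, as printed by pkcs12-cert-find) to export");` and consider the same hint in printHelp. createOptions starts and ends outside this hunk.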
@@ -104,14 +111,28 @@ public class PKCS12CertExportCLI extends CLI {
}
String[] cmdArgs = cmd.getArgs();
+ String id = cmd.getOptionValue("cert-id");
- if (cmdArgs.length < 1) {
- System.err.println("Error: Missing certificate nickname.");
+ if (cmdArgs.length < 1 && id == null) {
+ System.err.println("Error: Missing certificate nickname or ID.");
printHelp();
System.exit(-1);
}
- String nickname = cmdArgs[0];
+ if (cmdArgs.length >= 1 && id != null) {
+ System.err.println("Error: Certificate nickname and ID are mutually exclusive.");
+ printHelp();
+ System.exit(-1);
+ }
+
+ String nickname = null;
+ BigInteger certID = null;
+
+ if (cmdArgs.length >= 1) {
+ nickname = cmdArgs[0];
+ } else {
+ certID = new BigInteger(id, 16);
+ }
String pkcs12File = cmd.getOptionValue("pkcs12-file");
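Review bot: `new BigInteger(id, 16)` on L113 throws NumberFormatException for any `--cert-id` value that is not pure hex (a `0x` prefix, a pasted nickname, an empty string), and nothing in this hunk catches it, so the user gets a stack trace instead of the "Error: …" plus usage that the neighbouring checks on L95-L105 print. Unless an outer handler outside this hunk already maps it, parse inside a try and report it like the other argument errors. The enclosing method starts and ends outside the hunk.
```java
if (cmdArgs.length >= 1) {
    nickname = cmdArgs[0];
} else {
    try {
        certID = new BigInteger(id, 16);
    } catch (NumberFormatException e) {
        System.err.println("Error: Invalid certificate ID: " + id);
        System.exit(-1);
    }
}
```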
@@ -153,17 +174,30 @@ public class PKCS12CertExportCLI extends CLI {
PKCS12Util util = new PKCS12Util();
PKCS12 pkcs12 = util.loadFromFile(pkcs12File, password);
- PKCS12CertInfo certInfo = pkcs12.getCertInfoByNickname(nickname);
- if (certInfo == null) {
+ Collection<PKCS12CertInfo> certInfos = new ArrayList<PKCS12CertInfo>();
+
+ if (nickname != null) {
+ certInfos.addAll(pkcs12.getCertInfosByNickname(nickname));
+
+ } else {
+ PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(certID);
+ if (certInfo != null) {
+ certInfos.add(certInfo);
+ }
+ }
+
+ if (certInfos.isEmpty()) {
System.err.println("Error: Certificate not found.");
System.exit(-1);
}
- X509CertImpl cert = certInfo.getCert();
try (PrintStream os = new PrintStream(new FileOutputStream(certFile))) {
- os.println("-----BEGIN CERTIFICATE-----");
- os.print(Utils.base64encode(cert.getEncoded()));
- os.println("-----END CERTIFICATE-----");
+ for (PKCS12CertInfo certInfo : certInfos) {
+ X509CertImpl cert = certInfo.getCert();
+ os.println("-----BEGIN CERTIFICATE-----");
+ os.print(Utils.base64encode(cert.getEncoded()));
+ os.println("-----END CERTIFICATE-----");
+ }
}
} finally {
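Review bot: The new export loop on L142-L147 writes through a PrintStream, which never throws on I/O failure, so a failed or short write to certFile (full disk, unwritable target) leaves a truncated PEM bundle while the tool still exits successfully; add `if (os.checkError()) { System.err.println("Error: Unable to write " + certFile); System.exit(-1); }` after the loop, inside the try-with-resources. It is also worth a one-line comment above the loop, `// every entry sharing the nickname is exported into one PEM bundle`, since a nickname that used to yield one certificate can now yield several and callers parsing a single cert may be surprised. The enclosing method and its try/finally extend beyond the hunk.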
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertFindCLI.java
index a97933188..9bb4ad3ba 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertFindCLI.java
@@ -133,17 +133,17 @@ public class PKCS12CertFindCLI extends CLI {
Password password = new Password(passwordString.toCharArray());
- Collection<PKCS12CertInfo> certInfos;
+ PKCS12 pkcs12;
try {
PKCS12Util util = new PKCS12Util();
- PKCS12 pkcs12 = util.loadFromFile(filename, password);
-
- certInfos = pkcs12.getCertInfos();
+ pkcs12 = util.loadFromFile(filename, password);
} finally {
password.clear();
}
+ Collection<PKCS12CertInfo> certInfos = pkcs12.getCertInfos();
+
MainCLI.printMessage(certInfos.size() + " entries found");
if (certInfos.size() == 0) return;
@@ -156,7 +156,7 @@ public class PKCS12CertFindCLI extends CLI {
System.out.println();
}
- PKCS12CertCLI.printCertInfo(certInfo);
+ PKCS12CertCLI.printCertInfo(pkcs12, certInfo);
}
}
}