| author | Ade Lee <alee@redhat.com> | 2017-03-21 12:20:14 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-21 12:20:14 -0400 |
| commit | da3240501ab1af18c9908cd977e3ae0a1c4c8186 (patch) | |
| tree | 8d6557855fc2da02cf42b72b533892f9be281ee5 /base/java-tools/src/com | |
| parent | 446696f2b6a8e6a605a228b1d5cdfc29c3aa4765 (diff) | |
| parent | f40e0d002e57cadd5dc254d096db52de439ed900 (diff) | |
Merge github.com:dogtagpki/pki
Diffstat (limited to 'base/java-tools/src/com')
5 files changed, 92 insertions, 47 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
index 6a008bf2c..29b7446b4 100644
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.ssl.SSLSocket;
 import org.mozilla.jss.util.Password;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Utils;
 /**
@@ -122,29 +123,14 @@ public class HttpClient {
 token.login(pass);
 SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this);
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.STREAM,
- stream_range);
-
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange datagram_range =
- new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange(
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_1,
- org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
-
- SSLSocket.setSSLVersionRangeDefault(
- org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant.DATA_GRAM,
- datagram_range);
-
- CryptoUtil.setClientCiphers();
+ CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2);
+ CryptoUtil.setSSLDatagramVersionRange(SSLVersion.TLS_1_1, SSLVersion.TLS_1_2);
+ CryptoUtil.setDefaultSSLCiphers();
 sslSocket = new SSLSocket(_host, _port);
- // setSSLVersionRange needs to be exposed in jss
- // sslSocket.setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_0, org.mozilla.jss.ssl.SSLSocket.SSLVersionRange.tls1_2);
+ // SSLSocket.setSSLVersionRange() needs to be exposed in JSS
+ // sslSocket.setSSLVersionRange(SSLVersionRange.tls1_0, SSLVersionRange.tls1_2);
 sslSocket.addHandshakeCompletedListener(listener);
 CryptoToken tt = cm.getThreadToken();
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
index 0a9106705..65fad75e0 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
@@ -183,7 +183,7 @@ public class CLI {
 return null;
 }
- public PKIClient getClient() {
+ public PKIClient getClient() throws Exception {
 return client;
 }
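Review bot: The TLS floor in this tool stays hard-coded in the replacement calls, `CryptoUtil.setSSLStreamVersionRange(SSLVersion.TLS_1_0, SSLVersion.TLS_1_2)` and the `TLS_1_1` datagram equivalent, while `MainCLI.init()` in the same commit derives the same ranges from `SSL_STREAM_VERSION_MIN`/`SSL_STREAM_VERSION_MAX` and `SSL_DATAGRAM_VERSION_MIN`/`SSL_DATAGRAM_VERSION_MAX`; a deployment that raises the minimum through pki.conf is therefore not honoured here. Reading the same variables in this method, or moving the lookup into one `CryptoUtil` helper that both callers use, would keep the two entry points consistent. The enclosing method starts and ends outside the hunk.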
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 0a9ddf0a6..d7246d60c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -59,6 +59,7 @@ import com.netscape.cmstools.pkcs12.PKCS12CLI;
 import com.netscape.cmstools.system.SecurityDomainCLI;
 import com.netscape.cmstools.user.UserCLI;
 import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 /**
 * @author Endi S. Dewata
@@ -365,9 +366,6 @@ public class MainCLI extends CLI {
 if (certPasswordFile != null && certPassword != null) {
 throw new Exception("The '-C' and '-c' options are mutually exclusive.");
-
- } else if (certPasswordFile == null && certPassword == null) {
- throw new Exception("Missing security database password.");
 }
 } else if (username != null) {
 // basic authentication
@@ -401,14 +399,6 @@ public class MainCLI extends CLI {
 // XXX TBD set client security database token
 certPassword = tokenPasswordPair[1];
-
- } else if (certNickname != null && certPassword == null) {
- // prompt for security database password if required for authentication
- //
- // NOTE: This overrides the password callback provided
- // by JSS for NSS security database authentication.
- //
- certPassword = promptForPassword("Enter Client Security Database Password: ");
 }
 // store security database password
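Review bot: With the `promptForPassword` branch removed in the `@@ -401` hunk, `-n <nickname>` without `-c`/`-C` now continues with `certPassword == null`, so the token login in `init()` (which only runs when `config.getCertPassword() != null`) is skipped and a database that does carry a password presumably fails later inside JSS with a less specific error than the removed "Missing security database password." message from the `@@ -365` hunk. If that is the intended consequence of the new empty-password default, a comment where the branch used to be would spare the next reader the archaeology, e.g. `// no password given: the security database is expected to have an empty password`. The enclosing method starts and ends outside the hunk.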
@@ -467,12 +457,32 @@ public class MainCLI extends CLI {
 public void init() throws Exception {
- // Main program should initialize client security database
- if (certDatabase.exists()) {
- if (verbose) System.out.println("Initializing client security database");
- CryptoManager.initialize(certDatabase.getAbsolutePath());
+ // Create security database if it doesn't exist
+ if (!certDatabase.exists()) {
+
+ if (verbose) System.out.println("Creating security database");
+
+ certDatabase.mkdirs();
+
+ String[] commands = {
+ "/usr/bin/certutil", "-N",
+ "-d", certDatabase.getAbsolutePath(),
+ "--empty-password"
+ };
+
+ Runtime rt = Runtime.getRuntime();
+ Process p = rt.exec(commands);
+
+ int rc = p.waitFor();
+ if (rc != 0) {
+ throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")");
+ }
 }
+ // Main program should initialize security database
+ if (verbose) System.out.println("Initializing security database");
+ CryptoManager.initialize(certDatabase.getAbsolutePath());
+
 // If password is specified, use password to access security token
 if (config.getCertPassword() != null) {
 if (verbose) System.out.println("Logging into security token");
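Review bot: `rt.exec(commands)` in the new database-creation branch neither redirects nor drains certutil's stdout/stderr, so the reason behind a non-zero `rc` never reaches the user and, should certutil write more than the pipe buffers hold, `waitFor()` can block; the boolean returned by `certDatabase.mkdirs()` is discarded as well, so a directory that could not be created is only reported indirectly through certutil. Using `ProcessBuilder(commands).inheritIO()` and checking `mkdirs()` addresses both, as sketched below. Separately, creating the database with `--empty-password` in a directory made at the default umask is a security-relevant default that the code should state, e.g. `// NOTE: an empty-password database leaves the client keys stored in it unprotected by a password at rest; see ClientInitCLI for the password-file variant`, and creating the directory owner-only (`Files.createDirectories` with a `PosixFilePermissions` attribute) would be safer than `mkdirs()`.
```java
if (verbose) System.out.println("Creating security database");

if (!certDatabase.mkdirs() && !certDatabase.isDirectory()) {
    throw new Exception("Unable to create security database directory: " + certDatabase.getAbsolutePath());
}

// … unchanged: commands array …

// Let certutil's own diagnostics reach the console and keep waitFor() from blocking on a full pipe.
Process p = new ProcessBuilder(commands).inheritIO().start();

int rc = p.waitFor();
// … unchanged: rc check …
```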
@@ -498,6 +508,43 @@ public class MainCLI extends CLI {
 }
+ // See default SSL configuration in /usr/share/pki/etc/pki.conf.
+
+ String streamVersionMin = System.getenv("SSL_STREAM_VERSION_MIN");
+ String streamVersionMax = System.getenv("SSL_STREAM_VERSION_MAX");
+
+ CryptoUtil.setSSLStreamVersionRange(
+ streamVersionMin == null ? SSLVersion.TLS_1_0 : SSLVersion.valueOf(streamVersionMin),
+ streamVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(streamVersionMax)
+ );
+
+ String datagramVersionMin = System.getenv("SSL_DATAGRAM_VERSION_MIN");
+ String datagramVersionMax = System.getenv("SSL_DATAGRAM_VERSION_MAX");
+
+ CryptoUtil.setSSLDatagramVersionRange(
+ datagramVersionMin == null ? SSLVersion.TLS_1_1 : SSLVersion.valueOf(datagramVersionMin),
+ datagramVersionMax == null ? SSLVersion.TLS_1_2 : SSLVersion.valueOf(datagramVersionMax)
+ );
+
+ String defaultCiphers = System.getenv("SSL_DEFAULT_CIPHERS");
+ if (defaultCiphers == null || Boolean.parseBoolean(defaultCiphers)) {
+ CryptoUtil.setDefaultSSLCiphers();
+ } else {
+ CryptoUtil.unsetSSLCiphers();
+ }
+
+ String ciphers = System.getenv("SSL_CIPHERS");
+ CryptoUtil.setSSLCiphers(ciphers);
+ }
+
+ public PKIClient getClient() throws Exception {
+
+ if (client != null) return client;
+
+ if (verbose) {
+ System.out.println("Initializing PKIClient");
+ }
+
 client = new PKIClient(config, null);
 client.setVerbose(verbose);
@@ -533,6 +580,8 @@ public class MainCLI extends CLI {
 }
 }
 }
+
+ return client;
 }
 public void execute(String[] args) throws Exception {
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
index c5387cf03..1cf6feaf2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/ProxyCLI.java
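Review bot: `SSLVersion.valueOf(streamVersionMin)` and its three sibling calls turn a typo in `SSL_STREAM_VERSION_MIN` (or the other three variables) into a bare `IllegalArgumentException` that names neither the variable nor the accepted values, and nothing in the hunk checks that the minimum does not exceed the maximum unless `CryptoUtil` does so internally. A small helper that takes the variable name and default, and rethrows with that context, used for all four lookups, keeps `init()` readable; see below. `CryptoUtil.setSSLCiphers(ciphers)` is called with `null` whenever `SSL_CIPHERS` is unset, which is only correct if that method treats `null` as a no-op, so a comment such as `// null (unset) leaves the cipher list as configured above` on that call would make the contract explicit. `init()` begins outside the hunk.
```java
// … unchanged: pki.conf comment …
CryptoUtil.setSSLStreamVersionRange(
    sslVersionFromEnv("SSL_STREAM_VERSION_MIN", SSLVersion.TLS_1_0),
    sslVersionFromEnv("SSL_STREAM_VERSION_MAX", SSLVersion.TLS_1_2)
);

CryptoUtil.setSSLDatagramVersionRange(
    sslVersionFromEnv("SSL_DATAGRAM_VERSION_MIN", SSLVersion.TLS_1_1),
    sslVersionFromEnv("SSL_DATAGRAM_VERSION_MAX", SSLVersion.TLS_1_2)
);
// … unchanged: cipher configuration, rest of init(), getClient() …

/**
 * Reads an SSLVersion name from the named environment variable,
 * falling back to defaultValue when the variable is unset.
 *
 * @throws Exception if the variable holds a name that is not an SSLVersion constant
 */
private static SSLVersion sslVersionFromEnv(String name, SSLVersion defaultValue) throws Exception {
    String value = System.getenv(name);
    if (value == null) return defaultValue;
    try {
        return SSLVersion.valueOf(value);
    } catch (IllegalArgumentException e) {
        throw new Exception("Invalid " + name + ": " + value
                + " (expected one of " + java.util.Arrays.toString(SSLVersion.values()) + ")", e);
    }
}
```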
@@ -87,7 +87,7 @@ public class ProxyCLI extends CLI {
 return module.removeModule(name);
 }
- public PKIClient getClient() {
+ public PKIClient getClient() throws Exception {
 return module.getClient();
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
index 968539136..893b40b34 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
@@ -23,7 +23,9 @@ import java.io.File;
 import java.io.FileWriter;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.io.FileUtils;
@@ -67,10 +69,6 @@ public class ClientInitCLI extends CLI {
 MainCLI mainCLI = (MainCLI)parent.getParent();
- if (mainCLI.config.getCertPassword() == null) {
- throw new Exception("Security database password is required.");
- }
-
 boolean force = cmd.hasOption("force");
 File certDatabase = mainCLI.certDatabase;
@@ -97,16 +95,28 @@ public class ClientInitCLI extends CLI {
 File passwordFile = new File(certDatabase, "password.txt");
 try {
- try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
- out.println(mainCLI.config.getCertPassword());
- }
-
 String[] commands = {
 "/usr/bin/certutil", "-N",
 "-d", certDatabase.getAbsolutePath(),
- "-f", passwordFile.getAbsolutePath()
 };
+ List<String> list = new ArrayList<>(Arrays.asList(commands));
+
+ if (mainCLI.config.getCertPassword() == null) {
+ list.add("--empty-password");
+
+ } else {
+ try (PrintWriter out = new PrintWriter(new FileWriter(passwordFile))) {
+ out.println(mainCLI.config.getCertPassword());
+ }
+
+ list.add("-f");
+ list.add(passwordFile.getAbsolutePath());
+ }
+
+ commands = new String[list.size()];
+ list.toArray(commands);
+
 Runtime rt = Runtime.getRuntime();
 Process p = rt.exec(commands);
@@ -119,7 +129,7 @@ public class ClientInitCLI extends CLI {
 MainCLI.printMessage("Client initialized");
 } finally {
- passwordFile.delete();
+ if (passwordFile.exists()) passwordFile.delete();
 }
 }
 }
|
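Review bot: In the new `else` branch `password.txt` is created by `new FileWriter(passwordFile)` at the process umask, so the security database password can be readable by other local users for as long as the file exists, and in the `@@ -119` hunk the result of `passwordFile.delete()` is still ignored, so a cleanup failure leaves the password on disk without a word. Creating the file owner-only before writing it (`java.nio.file.Files.createFile` with a `PosixFilePermissions.asFileAttribute(...)` of `rw-------`) and replacing the delete line with `if (passwordFile.exists() && !passwordFile.delete()) System.err.println("WARNING: unable to remove " + passwordFile.getAbsolutePath());` would close both gaps. The `--empty-password` branch also deserves a comment on the trade-off it makes, e.g. `// no password given: the database and the keys later stored in it are not password-protected`. The enclosing method starts outside the hunk, and the `try` opened here is closed in the next hunk.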
