author | Fraser Tweedale <ftweedal@redhat.com> | 2016-04-19 13:28:56 +1000 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-03 11:09:39 +1000 |
commit | e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc (patch) | |
tree | 166e86bc052920b4826037f47fbcb82cbfa070f5 /base/java-tools/src/com | |
parent | dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a (diff) | |
download | pki-e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc.tar.gz pki-e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc.tar.xz pki-e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc.zip |
Add ca-authority-key-export command
Add the 'pki ca-authority-key-export' CLI command for exporting a
PKIArchiveOptions object containing a nominated target key, wrapped
by a nominated wrapping key. This command is to be used by Custodia
to export key data for transmission to a requesting clone.
Part of: https://fedorahosted.org/pki/ticket/1625
Diffstat (limited to 'base/java-tools/src/com')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java | 1 | ||||
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java | 109 |
2 files changed, 110 insertions, 0 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
index ac06ea24c..f42660d67 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
@@ -18,6 +18,7 @@ public class AuthorityCLI extends CLI {
         addModule(new AuthorityDisableCLI(this));
         addModule(new AuthorityEnableCLI(this));
         addModule(new AuthorityRemoveCLI(this));
+        addModule(new AuthorityKeyExportCLI(this));
     }
 
     public String getFullName() {
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
new file mode 100644
index 000000000..a3dee82c8
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
@@ -0,0 +1,109 @@
+package com.netscape.cmstools.authority;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.PublicKey;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.ParseException;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.X509Certificate;
+
+import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmsutil.crypto.CryptoUtil;
+
+public class AuthorityKeyExportCLI extends CLI {
+
+    public AuthorityCLI authorityCLI;
+
+    public AuthorityKeyExportCLI(AuthorityCLI authorityCLI) {
+        super("key-export", "Export wrapped CA signing key", authorityCLI);
+        this.authorityCLI = authorityCLI;
+
+        options.addOption(null, "help", false, "Show usage");
+
+        Option option = new Option("o", "output", true, "Output file");
+        option.setArgName("filename");
+        options.addOption(option);
+
+        option = new Option(null, "wrap-nickname", true, "Nickname of wrapping key");
+        option.setArgName("nickname");
+        options.addOption(option);
+
+        option = new Option(null, "target-nickname", true, "Nickname of target key");
+        option.setArgName("nickname");
+        options.addOption(option);
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + "--wrap-nickname NICKNAME --target-nickname NICKNAME -o FILENAME", options);
+    }
+
+    public void execute(String[] args) throws Exception {
+        CommandLine cmd = null;
+
+        try {
+            cmd = parser.parse(options, args);
+        } catch (ParseException e) {
+            System.err.println("Error: " + e.getMessage());
+            printHelp();
+            System.exit(-1);
+        }
+
+        if (cmd.hasOption("help")) {
+            // Display usage
+            printHelp();
+            System.exit(0);
+        }
+
+        String filename = cmd.getOptionValue("output");
+        if (filename == null) {
+            System.err.println("Error: No output file specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        String wrapNick = cmd.getOptionValue("wrap-nickname");
+        if (wrapNick == null) {
+            System.err.println("Error: no wrapping key nickname specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        String targetNick = cmd.getOptionValue("target-nickname");
+        if (targetNick == null) {
+            System.err.println("Error: no target key nickname specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            X509Certificate wrapCert = cm.findCertByNickname(wrapNick);
+            X509Certificate targetCert = cm.findCertByNickname(targetNick);
+
+            PublicKey wrappingKey = wrapCert.getPublicKey();
+            PrivateKey toBeWrapped = cm.findPrivKeyByCert(targetCert);
+            CryptoToken token = cm.getInternalKeyStorageToken();
+
+            byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+            IVParameterSpec ivps = new IVParameterSpec(iv);
+
+            byte[] data = CryptoUtil.createPKIArchiveOptions(
+                    token, wrappingKey, toBeWrapped,
+                    KeyGenAlgorithm.DES3, 0, ivps);
+
+            Files.newOutputStream(Paths.get(filename)).write(data);
+        } catch (Throwable e) {
+            e.printStackTrace();
+            System.exit(-1);
+        }
+
+    }
+}
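Review bot: The stream opened on the `Files.newOutputStream(Paths.get(filename)).write(data)` line is never closed, so the handle to the file holding the wrapped key material leaks and a failure on close is never surfaced; write it as `try (OutputStream out = Files.newOutputStream(Paths.get(filename))) { out.write(data); }` with `java.io.OutputStream` imported. Since that file contains a wrapped CA private key, it should also be created with owner-only permissions (for example via `PosixFilePermissions` on POSIX systems) instead of whatever the process umask yields. The IV handed to `createPKIArchiveOptions` is the constant `{ 0x1, ... }`; presumably a fresh session key is generated per call, which limits the exposure, but a fixed IV for 3DES-CBC is still poor practice and should come from `SecureRandom`, e.g. `byte[] iv = new byte[8]; new SecureRandom().nextBytes(iv);`. In `printHelp` the usage string is concatenated without a separator, so the help line prints as `...key-export--wrap-nickname`; change it to `getFullName() + " --wrap-nickname NICKNAME --target-nickname NICKNAME -o FILENAME"`. The `catch (Throwable e)` at the end also traps `Error`s such as `OutOfMemoryError` and only prints a stack trace; catching `Exception` would be the narrower choice.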