authorEndi S. Dewata <edewata@redhat.com>2016-03-31 21:59:25 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-04-04 19:33:05 +0200
commit6448bfea3282f2f3a81520b3381d2a833babd491 (patch)
treed24371d40dc4eecf705ac1f4cd73886b8ceec82a /base/java-tools
parent5fc6095c21a01de7c1386759a10b3303a0861cfe (diff)
Fixed missing trust flags in certificate backup.
The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has been modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
Diffstat (limited to 'base/java-tools')
-rw-r--r--base/java-tools/bin/pki3
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java7
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java12
3 files changed, 17 insertions, 5 deletions
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index e476cfcfe..88490f7da 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -138,6 +138,9 @@ class PKICLI(pki.cli.CLI):
if self.token and self.token != 'internal':
cmd.extend(['--token', self.token])
+ if self.verbose:
+ cmd.extend(['--verbose'])
+
cmd.extend(args)
if self.verbose:
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index 48e4907cf..a422b200d 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -65,6 +65,8 @@ public class PKCS12CertAddCLI extends CLI {
options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
+ options.addOption(null, "no-key", false, "Do not include private key");
+ options.addOption(null, "no-chain", false, "Do not include certificate chain");
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
@@ -139,6 +141,8 @@ public class PKCS12CertAddCLI extends CLI {
boolean newFile = cmd.hasOption("new-file");
boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
+ boolean includeKey = !cmd.hasOption("no-key");
+ boolean includeChain = !cmd.hasOption("no-chain");
try {
PKCS12Util util = new PKCS12Util();
@@ -155,7 +159,8 @@ public class PKCS12CertAddCLI extends CLI {
pkcs12 = util.loadFromFile(filename, password);
}
- util.loadCertFromNSS(pkcs12, nickname);
+ // load the specified certificate
+ util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain);
util.storeIntoFile(pkcs12, filename, password);
} finally {
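Review bot: The new call `util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain)` passes two adjacent boolean arguments, which can be transposed at a call site without any compiler error; a swap here would decide whether a private key is written into the PKCS #12 file. The trust-flag choice is configured on the utility object instead (`util.setTrustFlagsEnabled(includeTrustFlags)` is visible in PKCS12ExportCLI), so the three export options are now set in two different ways. Consider matching setters on PKCS12Util for key and chain, or at least replace the added comment with one that carries information, such as `// --no-key / --no-chain limit what is copied from NSS for this nickname`. The enclosing try block starts before this hunk and its finally clause continues after it; the same call shape appears in the last PKCS12ExportCLI hunk.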
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index d42c449b4..fab5ecdda 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -63,6 +63,8 @@ public class PKCS12ExportCLI extends CLI {
options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
+ options.addOption(null, "no-key", false, "Do not include private key");
+ options.addOption(null, "no-chain", false, "Do not include certificate chain");
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
@@ -127,11 +129,13 @@ public class PKCS12ExportCLI extends CLI {
Password password = new Password(passwordString.toCharArray());
boolean newFile = cmd.hasOption("new-file");
- boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags");
+ boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
+ boolean includeKey = !cmd.hasOption("no-key");
+ boolean includeChain = !cmd.hasOption("no-chain");
try {
PKCS12Util util = new PKCS12Util();
- util.setTrustFlagsEnabled(trustFlagsEnabled);
+ util.setTrustFlagsEnabled(includeTrustFlags);
PKCS12 pkcs12;
@@ -149,9 +153,9 @@ public class PKCS12ExportCLI extends CLI {
util.loadFromNSS(pkcs12);
} else {
- // load specified certificates
+ // load the specified certificates
for (String nickname : nicknames) {
- util.loadCertFromNSS(pkcs12, nickname);
+ util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain);
}
}
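Review bot: `includeKey` and `includeChain` reach only the per-nickname call in the `else` branch; the `util.loadFromNSS(pkcs12)` call in the branch above it is unchanged and takes neither flag. Unless PKCS12Util picks the setting up some other way (not visible here), an export run with `--no-key` and no nicknames would still write private keys into the file while the operator believes it holds certificates only. Either carry both flags into the export-all path or reject the options when that path is taken. Until then, the help text added in the first hunk of this file should state the limit, e.g. `"Do not include private key (applies to certificates given by nickname)"`. The condition of the `if` and the end of the enclosing try block lie outside this hunk.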