Added option to import client cert from CA.

A new option has been added to the client-cert-import command to
import a certificate from CA by specifying the serial number.

The client-cert-import has also been modified to get the nickname
of the certificate to import from the CLI argument. For backward
compatibility, if no argument is specified the CLI will try to
get the nickname from the authentication option (-n).

Ticket #1152

2 files changed, 109 insertions, 63 deletions

diff --git a/base/java-tools/man/man1/pki-client.1 b/base/java-tools/man/man1/pki-client.1
index 8978c8c44..0364f84ef 100644
--- a/base/java-tools/man/man1/pki-client.1
+++ b/base/java-tools/man/man1/pki-client.1
@@ -22,8 +22,8 @@ pki-client \- Command-Line Interface for managing the security database on Certi
 \fBpki\fR [CLI options] \fBclient-init\fR [command options]
 \fBpki\fR [CLI options] \fBclient-cert-find\fR [command options]
 \fBpki\fR [CLI options] \fBclient-cert-request\fR <subject DN> [command options]
-\fBpki\fR [CLI options] \fBclient-cert-import\fR [command options]
-\fBpki\fR [CLI options] \fBclient-cert-del\fR [command options]
+\fBpki\fR [CLI options] \fBclient-cert-import\fR <nickname> [command options]
+\fBpki\fR [CLI options] \fBclient-cert-del\fR <nickname> [command options]
 .fi
 
 .SH DESCRIPTION
@@ -50,12 +50,12 @@ This command is to list certificates in the client security database.
 This command is to generate and submit a certificate request.
 .RE
 .PP
-\fBpki\fR [CLI options] \fBclient-cert-import\fR [command options]
+\fBpki\fR [CLI options] \fBclient-cert-import\fR <nickname> [command options]
 .RS 4
 This command is to view a certificate in the client security database.
 .RE
 .PP
-\fBpki\fR [CLI options] \fBclient-cert-del\fR [command options]
+\fBpki\fR [CLI options] \fBclient-cert-del\fR <nickname> [command options]
 .RS 4
 This command is to delete a certificate from the client security database.
 .RE
@@ -78,13 +78,25 @@ To request a certificate:
 
 .B pki -d <security database location> -c <security database password> client-cert-request <subject DN>
 
-To import a certificate into the security database:
+To import a certificate from a file into the security database:
 
-.B pki -d <security database location> -c <security database password> -n <certificate nickname> client-cert-import --cert <certificate file>
+.B pki -d <security database location> -c <security database password> client-cert-import <nickname> --cert <certificate file>
+
+To import a CA certificate from a file into the security database:
+
+.B pki -d <security database location> -c <security database password> client-cert-import <nickname> --ca-cert <CA certificate file>
+
+To import a certificate from CA server into the security database:
+
+.B pki -d <security database location> -c <security database password> client-cert-import <nickname> --serial <serial number>
+
+To import a CA certificate from CA server into the security database:
+
+.B pki -d <security database location> -c <security database password> client-cert-import <nickname> --ca-server
 
 To delete a certificate from the security database:
 
-.B pki -d <security database location> -c <security database password> client-cert-del <certificate nickname>
+.B pki -d <security database location> -c <security database password> client-cert-del <nickname>
 
 .SH AUTHORS
 Ade Lee <alee@redhat.com>, Endi Dewata <edewata@redhat.com>, and Matthew Harmsen <mharmsen@redhat.com>.
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
index 90e3d0a3e..5080c55ea 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
@@ -20,13 +20,19 @@ package com.netscape.cmstools.client;
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.FileWriter;
+import java.io.PrintWriter;
+import java.net.URI;
 import java.util.Arrays;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
-import org.apache.commons.io.FileUtils;
 
+import com.netscape.certsrv.cert.CertClient;
+import com.netscape.certsrv.cert.CertData;
 import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
+import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
 
@@ -45,7 +51,7 @@ public class ClientCertImportCLI extends CLI {
     }
 
     public void printHelp() {
-        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+        formatter.printHelp(getFullName() + " <nickname> [OPTIONS...]", options);
     }
 
     public void createOptions() {
@@ -58,6 +64,14 @@ public class ClientCertImportCLI extends CLI {
         options.addOption(option);
 
         options.addOption(null, "ca-server", false, "Import CA certificate from CA server");
+
+        option = new Option(null, "serial", true, "Serial number of certificate in CA");
+        option.setArgName("serial number");
+        options.addOption(option);
+
+        option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u.");
+        option.setArgName("trust attributes");
+        options.addOption(option);
     }
 
     public void execute(String[] args) throws Exception {
@@ -81,100 +95,120 @@ public class ClientCertImportCLI extends CLI {
 
         String[] cmdArgs = cmd.getArgs();
 
-        if (cmdArgs.length != 0) {
+        if (cmdArgs.length > 1) {
             System.err.println("Error: Too many arguments specified.");
             printHelp();
             System.exit(-1);
         }
 
-        byte[] bytes = null;
+        MainCLI mainCLI = (MainCLI)parent.getParent();
+
+        String nickname = null;
+
+        // Get nickname from command argument if specified.
+        if (cmdArgs.length > 0) {
+            nickname = cmdArgs[0];
+        }
+
+        // Otherwise, get nickname from authentication option -n.
+        // This code is used to provide backward compatibility.
+        // TODO: deprecate/remove this code in 10.3.
+        if (nickname == null) {
+            nickname = mainCLI.config.getCertNickname();
+        }
+
+        if (nickname == null) {
+            System.err.println("Error: Missing certificate nickname.");
+            System.exit(-1);
+        }
 
         String certPath = cmd.getOptionValue("cert");
         String caCertPath = cmd.getOptionValue("ca-cert");
         boolean importFromCAServer = cmd.hasOption("ca-server");
+        String serialNumber = cmd.getOptionValue("serial");
+        String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
 
-        boolean isCACert = false;
+        File certFile;
 
         // load the certificate
         if (certPath != null) {
             if (verbose) System.out.println("Loading certificate from " + certPath + ".");
-            bytes = FileUtils.readFileToByteArray(new File(certPath));
-
+            certFile = new File(certPath);
 
         } else if (caCertPath != null) {
             if (verbose) System.out.println("Loading CA certificate from " + caCertPath + ".");
-            bytes = FileUtils.readFileToByteArray(new File(caCertPath));
+            certFile = new File(caCertPath);
 
-            isCACert = true;
+            trustAttributes = "CT,c,";
 
         } else if (importFromCAServer) {
 
             // late initialization
-            MainCLI mainCLI = (MainCLI)parent.parent;
             mainCLI.init();
 
             client = mainCLI.getClient();
-            ClientConfig config = client.getConfig();
+            URI serverURI = mainCLI.config.getServerURI();
 
-            String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca";
+            String caServerURI = serverURI.getScheme() + "://" +
+                serverURI.getHost() + ":" + serverURI.getPort() + "/ca";
 
             if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + ".");
-            bytes = client.downloadCACertChain(caServerURI);
+            byte[] bytes = client.downloadCACertChain(caServerURI);
 
-            isCACert = true;
+            certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase);
+            certFile.deleteOnExit();
 
-        } else {
-            System.err.println("Error: Missing certificate to import");
-            printHelp();
-            System.exit(-1);
-        }
+            try (FileOutputStream out = new FileOutputStream(certFile)) {
+                out.write(bytes);
+            }
 
-        MainCLI mainCLI = (MainCLI)parent.getParent();
+            trustAttributes = "CT,c,";
 
-        if (mainCLI.config.getCertNickname() == null) {
-            System.err.println("Error: Certificate nickname is required.");
-            System.exit(-1);
-        }
+        } else if (serialNumber != null) {
 
-        File certDatabase = mainCLI.certDatabase;
-        File certFile = new File(certDatabase, "import.crt");
+            // connect to CA anonymously
+            ClientConfig config = new ClientConfig(mainCLI.config);
+            config.setCertDatabase(null);
+            config.setCertPassword(null);
+            config.setCertNickname(null);
 
-        try {
-            try (FileOutputStream out = new FileOutputStream(certFile)) {
-                out.write(bytes);
-            }
+            PKIClient client = new PKIClient(config, null);
+            CertClient certClient = new CertClient(client, "ca");
 
-            String flag;
-            if (isCACert) {
-                if (verbose) System.out.println("Importing CA certificate.");
-                flag = "CT,c,";
+            CertData certData = certClient.getCert(new CertId(serialNumber));
 
-            } else {
-                if (verbose) System.out.println("Importing certificate.");
-                flag = "u,u,u";
-            }
+            certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase);
+            certFile.deleteOnExit();
 
-            String[] commands = {
-                    "/usr/bin/certutil", "-A",
-                    "-d", certDatabase.getAbsolutePath(),
-                    "-i", certFile.getAbsolutePath(),
-                    "-n", mainCLI.config.getCertNickname(),
-                    "-t", flag
-            };
-
-            Runtime rt = Runtime.getRuntime();
-            Process p = rt.exec(commands);
-
-            int rc = p.waitFor();
-            if (rc != 0) {
-                MainCLI.printMessage("Import failed");
-                return;
+            String encoded = certData.getEncoded();
+            try (PrintWriter out = new PrintWriter(new FileWriter(certFile))) {
+                out.write(encoded);
             }
 
-            MainCLI.printMessage("Imported certificate \"" + mainCLI.config.getCertNickname() + "\"");
+        } else {
+            System.err.println("Error: Missing certificate to import");
+            printHelp();
+            System.exit(-1);
+            return;
+        }
 
-        } finally {
-            certFile.delete();
+        String[] commands = {
+                "/usr/bin/certutil", "-A",
+                "-d", mainCLI.certDatabase.getAbsolutePath(),
+                "-i", certFile.getAbsolutePath(),
+                "-n", nickname,
+                "-t", trustAttributes
+        };
+
+        Runtime rt = Runtime.getRuntime();
+        Process p = rt.exec(commands);
+
+        int rc = p.waitFor();
+        if (rc != 0) {
+            MainCLI.printMessage("Import failed");
+            return;
         }
+
+        MainCLI.printMessage("Imported certificate \"" + nickname + "\"");
     }
 }