author | Endi S. Dewata <edewata@redhat.com> | 2015-09-04 06:30:27 +0200 |
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-09-23 15:20:39 -0600 |
commit | c5853ed032768a32ba496f21db3720c6c3dd61e5 (patch) | |
tree | 6cc6d345e5e87223c663505ce4c874427a6c08be /base/java-tools | |
parent | 5a8996b20d297ed29a142f5d70f03b5af4e37484 (diff) | |
Added support for secure database connection in CLI.
The pki-server subsystem-cert-update has been modified to support
a secure database connection with client certificate authentication.
The certificate and the private key will be exported temporarily
into PEM files so python-ldap can use them.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
(cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
Conflicts:
base/server/upgrade/10.2.0/01-AddTLSRangeSupport
Diffstat (limited to 'base/java-tools')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java | 168 |
1 files changed, 104 insertions, 64 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
index f79501cfc..e44fae745 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
@@ -29,10 +29,8 @@ import org.apache.commons.lang.RandomStringUtils;
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.crypto.X509Certificate;
-import com.netscape.certsrv.cert.CertData;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
-import com.netscape.cmsutil.util.Utils;
 /**
 * @author Endi S. Dewata
@@ -57,6 +55,10 @@ public class ClientCertShowCLI extends CLI {
 option.setArgName("path");
 options.addOption(option);
+ option = new Option(null, "private-key", true, "PEM file to store the private key.");
+ option.setArgName("path");
+ options.addOption(option);
+
 option = new Option(null, "client-cert", true, "PEM file to store the certificate and the private key.");
 option.setArgName("path");
 options.addOption(option);
@@ -107,90 +109,82 @@ public class ClientCertShowCLI extends CLI {
 String nickname = cmdArgs[0];
 String certPath = cmd.getOptionValue("cert");
+ String privateKeyPath = cmd.getOptionValue("private-key");
+ String clientCertPath = cmd.getOptionValue("client-cert");
 String pkcs12Path = cmd.getOptionValue("pkcs12");
 String pkcs12Password = cmd.getOptionValue("pkcs12-password");
- String clientCertPath = cmd.getOptionValue("client-cert");
-
- if (certPath != null) {
-
- if (verbose) System.out.println("Exporting certificate to " + clientCertPath + ".");
-
- // late initialization
- mainCLI.init();
- client = mainCLI.getClient();
- X509Certificate cert = client.getCert(nickname);
+ File pkcs12File;
- try (PrintWriter out = new PrintWriter(new FileWriter(certPath))) {
- out.println(CertData.HEADER);
- out.println(Utils.base64encode(cert.getEncoded()));
- out.println(CertData.FOOTER);
- }
+ if (pkcs12Path != null) {
+ // exporting certificate to PKCS #12 file
- } else if (pkcs12Path != null) {
-
- if (verbose) System.out.println("Exporting certificate chain and private key to " + pkcs12Path + ".");
+ pkcs12File = new File(pkcs12Path);
 if (pkcs12Password == null) {
 throw new Exception("Missing PKCS #12 password");
 }
- // store password into a temporary file
- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd");
- pkcs12PasswordFile.deleteOnExit();
+ } else if (certPath != null || clientCertPath != null || privateKeyPath != null) {
+ // exporting certificate and/or private key to PEM files using temporary PKCS #12 file
- try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) {
- out.print(pkcs12Password);
- }
+ // prepare temporary PKCS #12 file
+ pkcs12File = File.createTempFile("pki-client-cert-show-", ".p12");
+ pkcs12File.deleteOnExit();
- // export certificate chain and private key into PKCS #12 file
- exportPKCS12(
- mainCLI.certDatabase.getAbsolutePath(),
- mainCLI.config.getCertPassword(),
- pkcs12Path,
- pkcs12PasswordFile.getAbsolutePath(),
- nickname);
+ // generate random password
+ pkcs12Password = RandomStringUtils.randomAlphanumeric(16);
- } else if (clientCertPath != null) {
+ } else {
+ // displaying certificate info
- if (verbose) System.out.println("Exporting client certificate and private key to " + clientCertPath + ".");
+ mainCLI.init();
- // generate random PKCS #12 password
- pkcs12Password = RandomStringUtils.randomAlphanumeric(16);
+ client = mainCLI.getClient();
+ X509Certificate cert = client.getCert(nickname);
+
+ ClientCLI.printCertInfo(cert);
+ return;
+ }
- // store password into a temporary file
- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd");
- pkcs12PasswordFile.deleteOnExit();
+ // store password into a temporary file
+ File pkcs12PasswordFile = File.createTempFile("pki-client-cert-show-", ".pwd");
+ pkcs12PasswordFile.deleteOnExit();
- try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) {
- out.print(pkcs12Password);
- }
+ try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) {
+ out.print(pkcs12Password);
+ }
- // export certificate chain and private key into a temporary PKCS #12 file
- File pkcs12File = File.createTempFile("pki-client-cert-show-", ".p12");
- pkcs12File.deleteOnExit();
+ if (verbose) System.out.println("Exporting certificate chain and private key to " + pkcs12File + ".");
+ exportPKCS12(
+ mainCLI.certDatabase.getAbsolutePath(),
+ mainCLI.config.getCertPassword(),
+ pkcs12File.getAbsolutePath(),
+ pkcs12PasswordFile.getAbsolutePath(),
+ nickname);
- exportPKCS12(
- mainCLI.certDatabase.getAbsolutePath(),
- mainCLI.config.getCertPassword(),
+ if (certPath != null) {
+ if (verbose) System.out.println("Exporting certificate to " + certPath + ".");
+ exportCertificate(
 pkcs12File.getAbsolutePath(),
 pkcs12PasswordFile.getAbsolutePath(),
- nickname);
+ certPath);
+ }
- // export client certificate and private key into a PEM file
- exportClientCertificate(
+ if (privateKeyPath != null) {
+ if (verbose) System.out.println("Exporting private key to " + privateKeyPath + ".");
+ exportPrivateKey(
 pkcs12File.getAbsolutePath(),
 pkcs12PasswordFile.getAbsolutePath(),
- clientCertPath);
-
- } else {
- // late initialization
- mainCLI.init();
-
- client = mainCLI.getClient();
- X509Certificate cert = client.getCert(nickname);
+ privateKeyPath);
+ }
- ClientCLI.printCertInfo(cert);
+ if (clientCertPath != null) {
+ if (verbose) System.out.println("Exporting client certificate and private key to " + clientCertPath + ".");
+ exportClientCertificateAndPrivateKey(
+ pkcs12File.getAbsolutePath(),
+ pkcs12PasswordFile.getAbsolutePath(),
+ clientCertPath);
 }
 }
@@ -218,7 +212,53 @@ public class ClientCertShowCLI extends CLI {
 }
 }
- public void exportClientCertificate(
+ public void exportCertificate(
+ String pkcs12Path,
+ String pkcs12PasswordPath,
+ String certPath) throws Exception {
+
+ String[] command = {
+ "/bin/openssl",
+ "pkcs12",
+ "-clcerts", // certificate only
+ "-nokeys",
+ "-in", pkcs12Path,
+ "-passin", "file:" + pkcs12PasswordPath,
+ "-out", certPath
+ };
+
+ try {
+ run(command);
+
+ } catch (Exception e) {
+ throw new Exception("Unable to export certificate", e);
+ }
+ }
+
+ public void exportPrivateKey(
+ String pkcs12Path,
+ String pkcs12PasswordPath,
+ String privateKeyPath) throws Exception {
+
+ String[] command = {
+ "/bin/openssl",
+ "pkcs12",
+ "-nocerts", // private key only
+ "-nodes", // no encryption
+ "-in", pkcs12Path,
+ "-passin", "file:" + pkcs12PasswordPath,
+ "-out", privateKeyPath
+ };
+
+ try {
+ run(command);
+
+ } catch (Exception e) {
+ throw new Exception("Unable to export private key", e);
+ }
+ }
+
+ public void exportClientCertificateAndPrivateKey(
 String pkcs12Path,
 String pkcs12PasswordPath,
 String clientCertPath) throws Exception {
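Review bot: The temporary PKCS #12 file that now carries the private key for every PEM export is protected by a password from `RandomStringUtils.randomAlphanumeric(16)`, which in commons-lang draws from a shared `java.util.Random` rather than a cryptographic source; the overload that accepts a `Random` argument lets a `SecureRandom` be supplied, e.g. `pkcs12Password = RandomStringUtils.random(16, 0, 0, true, true, null, new SecureRandom());`. The two `File.createTempFile(...)` calls also rely only on `deleteOnExit()`, which runs on orderly JVM shutdown, so an abnormal exit leaves the `.p12` and `.pwd` files holding the key material and its password behind; wrapping the export calls in a `try`/`finally` that deletes both files, and creating them with `Files.createTempFile` (owner-only permissions on POSIX), would narrow that window. The enclosing method starts before this hunk.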
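Review bot: `exportPrivateKey` writes the key unencrypted (`-nodes`) into a file that openssl creates under the caller's umask, and neither it nor the two sibling public methods carry Javadoc saying so; a comment such as `/** Writes the private key from the PKCS #12 file to an unencrypted PEM file (openssl -nodes); the output is created with the process umask, so callers that keep it should restrict its permissions. */` on `exportPrivateKey`, plus a one-line summary on `exportCertificate` and `exportClientCertificateAndPrivateKey`, would make the contract explicit. The `--private-key` option description added in the first hunk could likewise state that the key is written unencrypted. The body of `exportClientCertificateAndPrivateKey` continues past the end of this hunk.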
@@ -226,7 +266,7 @@ public class ClientCertShowCLI extends CLI {
 String[] command = {
 "/bin/openssl",
 "pkcs12",
- "-clcerts", // client certificate only
+ "-clcerts", // client certificate and private key
 "-nodes", // no encryption
 "-in", pkcs12Path,
 "-passin", "file:" + pkcs12PasswordPath,
@@ -237,7 +277,7 @@ public class ClientCertShowCLI extends CLI {
 run(command);
 } catch (Exception e) {
- throw new Exception("Unable to export client certificate", e);
+ throw new Exception("Unable to export client certificate and private key", e);
 }
 }