| author | Endi Sukma Dewata <edewata@redhat.com> | 2013-04-19 11:45:10 -0400 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2013-04-22 23:49:46 -0400 |
| commit | f3e75c44eacc3f861497a288b2713a26953fb39f (patch) | |
| tree | b895d4413af980fe7b75f66f483e2642d23fd1a4 /base/java-tools | |
| parent | 7ea5dc61f082c7372924271fd2a44dfb5345b256 (diff) | |
Added options to reject/ignore cert validity statuses.
New options have been added to the CLI to reject or ignore certain
cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
The options can also be defined in pki.conf as a system-wide policy.
Ticket #491
Diffstat (limited to 'base/java-tools')
| -rwxr-xr-x | base/java-tools/pki | 5 | ||||
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 47 |
2 files changed, 49 insertions, 3 deletions
diff --git a/base/java-tools/pki b/base/java-tools/pki
index 197fa6100..07eb4ee28 100755
--- a/base/java-tools/pki
+++ b/base/java-tools/pki
@@ -107,12 +107,15 @@ if( $ARCHITECTURE eq "x86_64" ) {
 ## based upon the preset LD_LIBRARY_PATH and CP environment variables.
 ##
 ###############################################################################
+my $PKI_CLI_OPTIONS = `source /etc/pki/pki.conf && echo \$PKI_CLI_OPTIONS`;
+chomp($PKI_CLI_OPTIONS);
+
 my @args = ();
 foreach (@ARGV) {
 push(@args, quotemeta($_));
 }
-my $command = "java -cp $ENV{CLASSPATH} com.netscape.cmstools.cli.MainCLI @args";
+my $command = "java -cp $ENV{CLASSPATH} com.netscape.cmstools.cli.MainCLI $PKI_CLI_OPTIONS @args";
 system($command) and do {
 exit $? >> 8;
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index c6daa7d29..aa4327fe6 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -19,9 +19,11 @@ package com.netscape.cmstools.cli;
 import java.io.File;
+import java.lang.reflect.Field;
 import java.net.InetAddress;
-import java.net.URISyntaxException;
 import java.net.UnknownHostException;
+import java.util.Collection;
+import java.util.HashSet;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
@@ -29,6 +31,7 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
 import org.mozilla.jss.util.IncorrectPasswordException;
 import org.mozilla.jss.util.Password;
@@ -49,6 +52,9 @@ public class MainCLI extends CLI {
 public ClientConfig config = new ClientConfig();
+ public Collection<Integer> rejectedCertStatuses;
+ public Collection<Integer> ignoredCertStatuses;
+
 public PKIConnection connection;
 public AccountClient accountClient;
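Review bot: `$PKI_CLI_OPTIONS` is interpolated into `$command` unescaped and then handed to `system($command)` in its single-string form, so unlike the `@ARGV` values, which go through `quotemeta`, anything read from /etc/pki/pki.conf is subject to shell word splitting and metacharacter expansion (twice, counting the backtick `echo`). The file is presumably root-owned, so this is a consistency and hardening point rather than a hole, but the asymmetry should be deliberate: split the policy string on whitespace and quote each token, `my @cli_options = map { quotemeta($_) } split(' ', $PKI_CLI_OPTIONS);` and `... com.netscape.cmstools.cli.MainCLI @cli_options @args";`. There is also no check that pki.conf exists or is readable; when the `source` fails, `$PKI_CLI_OPTIONS` is silently empty and the system-wide policy is presumably not applied, which a `-r` guard or at least a comment should make explicit. `source` is a bash builtin; if the shell `system` uses is a POSIX `sh`, `.` is the portable form.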
@@ -140,12 +146,20 @@ public class MainCLI extends CLI {
 option.setArgName("folder");
 options.addOption(option);
+ option = new Option(null, "reject-cert-status", true, "Comma-separated list of rejected certificate validity statuses");
+ option.setArgName("list");
+ options.addOption(option);
+
+ option = new Option(null, "ignore-cert-status", true, "Comma-separated list of ignored certificate validity statuses");
+ option.setArgName("list");
+ options.addOption(option);
+
 options.addOption("v", false, "Verbose");
 options.addOption(null, "help", false, "Help");
 options.addOption(null, "version", false, "Version");
 }
- public void parseOptions(CommandLine cmd) throws URISyntaxException, UnknownHostException {
+ public void parseOptions(CommandLine cmd) throws Exception {
 verbose = cmd.hasOption("v");
 output = cmd.getOptionValue("output");
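Review bot: The help strings for `--reject-cert-status` and `--ignore-cert-status` do not say what a valid status name is; since `convertCertStatusList` resolves them reflectively against `SSLCertificateApprovalCallback.ValidityStatus`, a user can only discover the names by reading JSS. Suggest naming the source and an example, e.g. `"Comma-separated list of ignored certificate validity statuses (constant names of SSLCertificateApprovalCallback.ValidityStatus, e.g. UNTRUSTED_ISSUER, BAD_CERT_DOMAIN); ignoring a status disables that part of server certificate validation"`. The widening of `parseOptions` to `throws Exception` is forced only by `convertCertStatusList` declaring `throws Exception`, while the sole checked exception that method can actually raise is `IllegalAccessException` from `Field.getInt`; declaring that (alongside the two original types) would keep callers' error handling precise. The body of `parseOptions` continues outside the hunk.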
@@ -179,11 +193,40 @@ public class MainCLI extends CLI {
 if (password != null) config.setPassword(password);
+
+ String list = cmd.getOptionValue("reject-cert-status");
+ rejectedCertStatuses = convertCertStatusList(list);
+
+ list = cmd.getOptionValue("ignore-cert-status");
+ ignoredCertStatuses = convertCertStatusList(list);
+ }
+
+ public Collection<Integer> convertCertStatusList(String list) throws Exception {
+
+ if (list == null) return null;
+
+ Collection<Integer> statuses = new HashSet<Integer>();
+
+ Class<SSLCertificateApprovalCallback.ValidityStatus> clazz = SSLCertificateApprovalCallback.ValidityStatus.class;
+
+ for (String status : list.split(",")) {
+ try {
+ Field field = clazz.getField(status);
+ statuses.add(field.getInt(null));
+
+ } catch (NoSuchFieldException e) {
+ throw new Error("Invalid cert status \"" + status + "\".", e);
+ }
+ }
+
+ return statuses;
 }
 public void connect() throws Exception {
 connection = new PKIConnection(config);
 connection.setVerbose(verbose);
+ connection.setRejectedCertStatuses(rejectedCertStatuses);
+ connection.setIgnoredCertStatuses(ignoredCertStatuses);
 if (output != null) {
 File file = new File(output); |
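Review bot: `convertCertStatusList` throws `java.lang.Error` for a mistyped status name, which is user input rather than a JVM failure; if `main()` handles failures with `catch (Exception e)` (not visible here) this bypasses it and the user gets a stack trace instead of the message. The lookup also accepts any public field of `ValidityStatus`, not only its static `int` constants, and does not trim whitespace, so `--reject-cert-status "UNTRUSTED_ISSUER, BAD_CERT_DOMAIN"` fails on the second entry and a trailing comma fails on the empty string. Suggest trimming and skipping empty entries, checking that the field is a static `int` (needs `java.lang.reflect.Modifier`), and throwing `IllegalArgumentException` as below. Separately, since `--ignore-cert-status` relaxes server certificate validation, `connect()` could print the ignored statuses when `verbose` is set so a weakened policy is visible in the output; how a status listed both in the pki.conf policy and in the user's ignore list is resolved lives in `PKIConnection`, outside this hunk, and deserves a comment at the two `set*CertStatuses` calls.
```java
        for (String status : list.split(",")) {
            status = status.trim();
            if (status.isEmpty()) continue; // tolerate "A,,B" and trailing commas

            try {
                Field field = clazz.getField(status);
                // only the public static int constants of ValidityStatus name a status
                if (!Modifier.isStatic(field.getModifiers()) || field.getType() != int.class) {
                    throw new NoSuchFieldException(status);
                }
                statuses.add(field.getInt(null));

            } catch (NoSuchFieldException e) {
                // user input error, not a JVM failure
                throw new IllegalArgumentException("Invalid cert status \"" + status + "\".", e);
            }
        }
        // … unchanged: return statuses …
```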
