authorEndi S. Dewata <edewata@redhat.com>2016-03-31 21:59:25 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-04-04 19:33:05 +0200
commit6448bfea3282f2f3a81520b3381d2a833babd491 (patch)
treed24371d40dc4eecf705ac1f4cd73886b8ceec82a /base/server/cms/src/com
parent5fc6095c21a01de7c1386759a10b3303a0861cfe (diff)
Fixed missing trust flags in certificate backup.
The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate the PFX object has been refactored from PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from the NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has been modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
Diffstat (limited to 'base/server/cms/src/com')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java40
1 files changed, 18 insertions, 22 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 51e5f0824..25838f1f3 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -30,7 +30,6 @@ import java.io.PrintStream;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
-import java.security.DigestException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
@@ -165,6 +164,8 @@ import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPv3;
import netscape.security.pkcs.ContentInfo;
import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS12;
+import netscape.security.pkcs.PKCS12Util;
import netscape.security.pkcs.PKCS7;
import netscape.security.pkcs.SignerInfo;
import netscape.security.util.DerOutputStream;
@@ -3331,11 +3332,8 @@ public class ConfigurationUtils {
}
}
- public static void backupKeys(String pwd, String fname) throws EPropertyNotFound, EBaseException,
- NotInitializedException, ObjectNotFoundException, TokenException, DigestException,
- InvalidKeyException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidBERException,
- CertificateEncodingException, IllegalStateException, IllegalBlockSizeException, BadPaddingException,
- IOException {
+ public static void backupKeys(String pwd, String fname) throws Exception {
+
CMS.debug("backupKeys(): start");
IConfigStore cs = CMS.getConfigStore();
String certlist = cs.getString("preop.cert.list");
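Review bot: The new signature `public static void backupKeys(String pwd, String fname) throws Exception {` replaces the explicit checked-exception list with a blanket `throws Exception`, which presumably forces every caller into a broad `catch (Exception e)` and hides which failures (NSS lookup, PKCS #12 encoding, config-store access) can actually occur; if the list was dropped only because the new `PKCS12Util` methods themselves declare `throws Exception`, a short comment saying so would help, otherwise narrowing back to the specific types is preferable. The body of backupKeys continues past this hunk, so the full set of exceptions it can raise is not visible here. Related to the same broad contract: the `pass.clear()` visible later in the diff runs only on the success path, so wrapping the body after `Password pass = ...` in `try { ... } finally { pass.clear(); }` would also scrub the password characters when `loadCertFromNSS` or `generatePFX` throws. The method still has no Javadoc; a one-liner such as `/** Exports the system certificates (with keys) and the CA certificates into a PKCS #12 blob stored under preop.pkcs12. */` would document what the refactored body now does.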
@@ -3344,39 +3342,37 @@ public class ConfigurationUtils {
CryptoManager cm = CryptoManager.getInstance();
Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray());
- SEQUENCE encSafeContents = new SEQUENCE();
- SEQUENCE safeContents = new SEQUENCE();
+
+ PKCS12Util util = new PKCS12Util();
+ PKCS12 pkcs12 = new PKCS12();
+
+ // load system certificate (with key but without chain)
while (st.hasMoreTokens()) {
+
String t = st.nextToken();
if (t.equals("sslserver"))
continue;
+
String nickname = cs.getString("preop.cert." + t + ".nickname");
String modname = cs.getString("preop.module.token");
if (!modname.equals("Internal Key Storage Token"))
nickname = modname + ":" + nickname;
- X509Certificate x509cert = cm.findCertByNickname(nickname);
- byte localKeyId[] = addCertBag(x509cert, nickname, safeContents);
- PrivateKey pkey = cm.findPrivKeyByCert(x509cert);
- addKeyBag(pkey, x509cert, pass, localKeyId, encSafeContents);
+ util.loadCertFromNSS(pkcs12, nickname, true, false);
}
- X509Certificate[] cacerts = cm.getCACerts();
-
- for (int i = 0; i < cacerts.length; i++) {
- String nickname = null;
- addCertBag(cacerts[i], nickname, safeContents);
+ // load CA certificates (without keys or chains)
+ for (X509Certificate caCert : cm.getCACerts()) {
+ util.loadCertFromNSS(pkcs12, caCert, false, false);
}
- AuthenticatedSafes authSafes = new AuthenticatedSafes();
- authSafes.addSafeContents(safeContents);
- authSafes.addSafeContents(encSafeContents);
- PFX pfx = new PFX(authSafes);
- pfx.computeMacData(pass, null, 5);
+ PFX pfx = util.generatePFX(pkcs12, pass);
+
ByteArrayOutputStream bos = new ByteArrayOutputStream();
pfx.encode(bos);
byte[] output = bos.toByteArray();
+
cs.putString("preop.pkcs12", CryptoUtil.byte2string(output));
pass.clear();
cs.commit(false);