authorEndi S. Dewata <edewata@redhat.com>2016-06-21 18:39:25 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-06-29 01:17:05 +0200
commit8598a68ac954d1020f4e0063e257a20512961567 (patch)
treef17df8bee056c9a2af57387851bed472c97cb7d0 /base/util/src/netscape/security
parent66223629c5d8e74be9f5a59734ab091b081435bc (diff)
Fixed KRA cloning issue.
The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This avoids changing the trust flags of the CA signing certificate during KRA cloning. Some other classes have been modified to provide better debugging information. https://fedorahosted.org/pki/ticket/2374
Diffstat (limited to 'base/util/src/netscape/security')
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java21
1 files changed, 15 insertions, 6 deletions
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index b1b0f0768..178a861c1 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -635,14 +635,23 @@ public class PKCS12Util {
wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);
}
- public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception {
+ public void storeCertIntoNSS(PKCS12 pkcs12, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
+ CryptoToken ct = cm.getInternalKeyStorageToken();
+ CryptoStore store = ct.getCryptoStore();
- X509Certificate cert;
BigInteger id = certInfo.getID();
PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(id);
+ for (X509Certificate cert : cm.findCertsByNickname(certInfo.nickname)) {
+ if (!overwrite) {
+ return;
+ }
+ store.deleteCert(cert);
+ }
+
+ X509Certificate cert;
if (keyInfo != null) { // cert has key
logger.fine("Importing user key for " + certInfo.nickname);
importKey(pkcs12, keyInfo);
@@ -660,19 +669,19 @@ public class PKCS12Util {
setTrustFlags(cert, certInfo.trustFlags);
}
- public void storeCertIntoNSS(PKCS12 pkcs12, String nickname) throws Exception {
+ public void storeCertIntoNSS(PKCS12 pkcs12, String nickname, boolean overwrite) throws Exception {
Collection<PKCS12CertInfo> certInfos = pkcs12.getCertInfosByNickname(nickname);
for (PKCS12CertInfo certInfo : certInfos) {
- storeCertIntoNSS(pkcs12, certInfo);
+ storeCertIntoNSS(pkcs12, certInfo, overwrite);
}
}
- public void storeIntoNSS(PKCS12 pkcs12) throws Exception {
+ public void storeIntoNSS(PKCS12 pkcs12, boolean overwrite) throws Exception {
logger.info("Storing data into NSS database");
for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) {
- storeCertIntoNSS(pkcs12, certInfo);
+ storeCertIntoNSS(pkcs12, certInfo, overwrite);
}
}
}
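Review bot: In the first hunk of storeCertIntoNSS(PKCS12, PKCS12CertInfo, boolean), the early `return` inside the findCertsByNickname loop skips the whole import silently when `overwrite` is false, so neither the certificate nor its key (importKey is never reached) is stored and nothing is logged, which is hard to diagnose during a clone; log before returning, e.g. `logger.info("Certificate " + certInfo.nickname + " already exists in NSS database, skipping");`, and add `logger.fine("Deleting existing certificate " + certInfo.nickname);` before `store.deleteCert(cert);`. The check is by nickname only, so a different certificate stored under the same nickname is also treated as already imported; if that is intended, a one-line comment on the loop saying so would help the next reader. In the overwrite path the existing certificate is deleted before the import is attempted, so a failure later in the method (whose body continues outside this hunk) leaves the database with neither copy; this is worth a comment, or a check that the PKCS#12 entry can be imported before deleting. The second hunk only threads the new parameter through the two overloads.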