authorEndi S. Dewata <edewata@redhat.com>2016-03-31 21:59:25 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-04-04 19:33:05 +0200
commit6448bfea3282f2f3a81520b3381d2a833babd491 (patch)
treed24371d40dc4eecf705ac1f4cd73886b8ceec82a /base/util
parent5fc6095c21a01de7c1386759a10b3303a0861cfe (diff)
Fixed missing trust flags in certificate backup.
The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate the PFX object has been refactored from PKCS12Util.storeIntoFile() into a separate generatePFX() method. PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from the NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. PKCS12Util.getCertInfo() has been modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
Diffstat (limited to 'base/util')
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java108
1 files changed, 63 insertions, 45 deletions
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 7c9ab2fb4..967479b69 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -162,13 +162,14 @@ public class PKCS12Util {
}
BigInteger createLocalID(X509Certificate cert) throws Exception {
-
// SHA1 hash of the X509Cert DER encoding
- byte[] certDer = cert.getEncoded();
+ return createLocalID(cert.getEncoded());
+ }
- MessageDigest md = MessageDigest.getInstance("SHA");
+ BigInteger createLocalID(byte[] bytes) throws Exception {
- md.update(certDer);
+ MessageDigest md = MessageDigest.getInstance("SHA");
+ md.update(bytes);
return new BigInteger(1, md.digest());
}
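Review bot: `MessageDigest.getInstance("SHA")` in the new `createLocalID(byte[])` relies on the JCA alias for SHA-1; spelling it `"SHA-1"` makes explicit what the local key ID is derived from, and a one-line method comment would help now that the same value is produced on two paths (the NSS export here and the getCertInfo fallback in a later hunk): `// localKeyId = SHA-1 of the DER-encoded certificate; used to pair cert and key bags, so both sides must use the same derivation.` Since the digest is only an identifier and is written into existing files, any change of algorithm would break pairing with already exported data, which is worth stating so nobody "upgrades" it casually.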
@@ -244,21 +245,46 @@ public class PKCS12Util {
CryptoStore store = token.getCryptoStore();
for (X509Certificate cert : store.getCertificates()) {
- loadCertChainFromNSS(pkcs12, cert);
+ loadCertFromNSS(pkcs12, cert, true, true);
}
}
- public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, String nickname, boolean includeKey, boolean includeChain) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
X509Certificate[] certs = cm.findCertsByNickname(nickname);
for (X509Certificate cert : certs) {
- loadCertChainFromNSS(pkcs12, cert);
+ loadCertFromNSS(pkcs12, cert, includeKey, includeChain);
}
}
- public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey, boolean includeChain) throws Exception {
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ BigInteger id = createLocalID(cert);
+
+ // load cert info
+ loadCertInfoFromNSS(pkcs12, cert, id, true);
+
+ if (includeKey) {
+ // load key info if exists
+ loadKeyInfoFromNSS(pkcs12, cert, id);
+ }
+
+ if (includeChain) {
+ // load cert chain
+ X509Certificate[] certChain = cm.buildCertificateChain(cert);
+ for (int i = 1; i < certChain.length; i++) {
+ X509Certificate c = certChain[i];
+ BigInteger cid = createLocalID(c);
+ loadCertInfoFromNSS(pkcs12, c, cid, false);
+ }
+ }
+ }
+
+ public void loadCertInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading certificate \"" + nickname + "\" from NSS database");
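Review bot: The new public `loadCertFromNSS(PKCS12, X509Certificate, boolean includeKey, boolean includeChain)` has no Javadoc, and its call sites read as `loadCertFromNSS(pkcs12, cert, true, true)`, which hides that the first flag causes the private key to leave the token. Suggest: `/** Adds cert to pkcs12 under a SHA-1 local ID. includeKey also exports its private key when NSS holds one; includeChain adds the issuer certificates without keys (replace=false). */`. The `loadCertsFromNSS` loop above now passes `true, true` for every certificate in the store, so a full export carries every private key present — the same as the removed `loadCertChainFromNSS`, but it should be stated in the method doc. Minor: `CryptoManager.getInstance()` is only used in the `includeChain` branch and could move there.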
@@ -272,7 +298,7 @@ public class PKCS12Util {
pkcs12.addCertInfo(certInfo, replace);
}
- public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception {
+ public void loadKeyInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database");
@@ -298,30 +324,9 @@ public class PKCS12Util {
}
}
- public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
-
- CryptoManager cm = CryptoManager.getInstance();
+ public PFX generatePFX(PKCS12 pkcs12, Password password) throws Exception {
- BigInteger id = createLocalID(cert);
-
- // load cert key if exists
- loadCertKeyFromNSS(pkcs12, cert, id);
-
- // load cert
- loadCertFromNSS(pkcs12, cert, id, true);
-
- // load parent certs without key
- X509Certificate[] certChain = cm.buildCertificateChain(cert);
- for (int i = 1; i < certChain.length; i++) {
- X509Certificate c = certChain[i];
- BigInteger cid = createLocalID(c);
- loadCertFromNSS(pkcs12, c, cid, false);
- }
- }
-
- public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception {
-
- logger.info("Storing data into PKCS #12 file");
+ logger.info("Generating PKCS #12 data");
SEQUENCE safeContents = new SEQUENCE();
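Review bot: `generatePFX` is a new public method and, per the commit description, now the single builder used by both the CLI export and the cloning backup, yet it has no Javadoc; its body continues past this hunk. Suggest: `/** Builds a PFX from the cert and key infos currently held in pkcs12, MAC-protected with password. Does not write to disk; see storeIntoFile. */` — the "does not write" part is inferred from storeIntoFile doing the encode in the next hunk and should be confirmed against the lines not shown here.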
@@ -342,6 +347,14 @@ public class PKCS12Util {
PFX pfx = new PFX(authSafes);
pfx.computeMacData(password, null, 5);
+ return pfx;
+ }
+
+ public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception {
+
+ PFX pfx = generatePFX(pkcs12, password);
+
+ logger.info("Storing data into PKCS #12 file");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
pfx.encode(bos);
byte[] data = bos.toByteArray();
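Review bot: `pfx.computeMacData(password, null, 5)` is unchanged context, but after this refactor it is the MAC step for every PKCS #12 file this class produces, including the cloning backup the commit introduces; the literal 5 is the password-based MAC iteration count, which is low by current standards, and deserves a named constant with a comment, e.g. `private static final int MAC_ITERATIONS = 5; // PKCS #12 MAC KDF iterations -- TODO confirm why 5 (compatibility?)`. The rest of `storeIntoFile`, the write of `data` to `filename`, is outside the hunk; since the file can now carry the private key of every certificate in the token, that write path should create the file with owner-only permissions, which cannot be verified from this diff.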
@@ -362,7 +375,7 @@ public class PKCS12Util {
// get key attributes
SET bagAttrs = bag.getBagAttributes();
- for (int i = 0; i < bagAttrs.size(); i++) {
+ for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
Attribute attr = (Attribute) bagAttrs.elementAt(i);
OBJECT_IDENTIFIER oid = attr.getType();
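Review bot: `for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++)` folds a null guard into the loop condition, so it is re-evaluated on every iteration and is easy to misread as part of the bound; the same pattern is introduced in getCertInfo later in this diff (`for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++)`). A plain guard reads more clearly: `if (bagAttrs != null) { for (int i = 0; i < bagAttrs.size(); i++) { ... } }`. The enclosing getKeyInfo body starts before this hunk.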
@@ -376,7 +389,7 @@ public class PKCS12Util {
BMPString subjectDN = (BMPString) new BMPString.Template().decode(bis);
keyInfo.subjectDN = subjectDN.toString();
- logger.fine("Subject DN: " + keyInfo.subjectDN);
+ logger.fine(" Subject DN: " + keyInfo.subjectDN);
} else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
@@ -387,12 +400,10 @@ public class PKCS12Util {
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
keyInfo.id = new BigInteger(1, keyID.toByteArray());
- logger.fine("ID: " + keyInfo.id.toString(16));
+ logger.fine(" ID: " + keyInfo.id.toString(16));
}
}
- logger.fine("Found private key " + keyInfo.subjectDN);
-
return keyInfo;
}
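Review bot: `getKeyInfo` can return a `keyInfo` whose `id` is still null — a key bag with no attribute set (now tolerated by the null-aware loop condition added in the earlier hunk) or one without LOCAL_KEY_ID — and, unlike getCertInfo later in this diff, there is no fallback that derives an ID. Whatever pairs key infos with cert infos is not visible here and should treat a null id explicitly, or this method should surface the condition before `return keyInfo;`, e.g. `if (keyInfo.id == null) logger.warning("Private key bag has no local key ID; it cannot be paired with a certificate");`. The enclosing getKeyInfo body starts before this hunk.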
@@ -406,12 +417,11 @@ public class PKCS12Util {
byte[] x509cert = certStr.toByteArray();
certInfo.cert = new X509CertImpl(x509cert);
- logger.fine("Found certificate " + certInfo.cert.getSubjectDN());
+ logger.fine(" Subject DN: " + certInfo.cert.getSubjectDN());
SET bagAttrs = bag.getBagAttributes();
- if (bagAttrs == null) return certInfo;
- for (int i = 0; i < bagAttrs.size(); i++) {
+ for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
Attribute attr = (Attribute) bagAttrs.elementAt(i);
OBJECT_IDENTIFIER oid = attr.getType();
@@ -425,7 +435,7 @@ public class PKCS12Util {
BMPString nickname = (BMPString) (new BMPString.Template()).decode(bis);
certInfo.nickname = nickname.toString();
- logger.fine("Nickname: " + certInfo.nickname);
+ logger.fine(" Nickname: " + certInfo.nickname);
} else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
@@ -437,7 +447,7 @@ public class PKCS12Util {
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
certInfo.id = new BigInteger(1, keyID.toByteArray());
- logger.fine("ID: " + certInfo.id.toString(16));
+ logger.fine(" ID: " + certInfo.id.toString(16));
} else if (oid.equals(PKCS12.CERT_TRUST_FLAGS_OID) && trustFlagsEnabled) {
@@ -448,16 +458,22 @@ public class PKCS12Util {
BMPString trustFlags = (BMPString) (new BMPString.Template()).decode(is);
certInfo.trustFlags = trustFlags.toString();
- logger.fine("Trust flags: " + certInfo.trustFlags);
+ logger.fine(" Trust flags: " + certInfo.trustFlags);
}
}
+ if (certInfo.id == null) {
+ logger.fine(" ID not specified, generating new ID");
+ certInfo.id = createLocalID(x509cert);
+ logger.fine(" ID: " + certInfo.id.toString(16));
+ }
+
return certInfo;
}
public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
- logger.fine("Getting private keys");
+ logger.fine("Load private keys:");
AuthenticatedSafes safes = pfx.getAuthSafes();
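Review bot: The fallback `certInfo.id = createLocalID(x509cert)` derives the ID as SHA-1 of the certificate DER, the same scheme `loadCertFromNSS` uses on export, so a certificate that lost its attribute still pairs with a key exported by this class; that dependency on both sides using the same derivation should be recorded: `// No localKeyId attribute: derive it as SHA-1 of the DER, matching loadCertFromNSS, so the cert still pairs with keys exported by this class.` A key bag lacking the attribute gets no such fallback in getKeyInfo, so the pairing is one-sided. Separately, the log text `"Load private keys:"` at the end of this hunk does not match `"Loading certificates:"` in a later hunk; `"Loading private keys:"` keeps the two consistent.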
@@ -472,6 +488,7 @@ public class PKCS12Util {
if (!oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) continue;
+ logger.fine(" - Private key:");
PKCS12KeyInfo keyInfo = getKeyInfo(bag, password);
pkcs12.addKeyInfo(keyInfo);
}
@@ -480,7 +497,7 @@ public class PKCS12Util {
public void getCertInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
- logger.fine("Getting certificates");
+ logger.fine("Loading certificates:");
AuthenticatedSafes safes = pfx.getAuthSafes();
@@ -495,6 +512,7 @@ public class PKCS12Util {
if (!oid.equals(SafeBag.CERT_BAG)) continue;
+ logger.fine(" - Certificate:");
PKCS12CertInfo certInfo = getCertInfo(bag);
pkcs12.addCertInfo(certInfo, true);
}