authorEndi S. Dewata <edewata@redhat.com>2016-03-17 15:23:34 +0100
committerEndi S. Dewata <edewata@redhat.com>2016-03-18 22:29:26 +0100
commitc14e8c52ae7a2c15433fe9568c393c1d0e7a1301 (patch)
treea9611500f648015bb92ae29546d633e86a95e112 /base/util
parent04055a9bc40486950a3288acf610522e767c1e27 (diff)
Added support for cloning 3rd-party CA certificates.
The installation code has been modified such that, for cloning, it imports all CA certificates from the PKCS #12 file using certutil before the server is started. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nickname. The pki pkcs12-cert-find has been modified to show the certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either a certificate nickname or an ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or only CA certificates. https://fedorahosted.org/pki/ticket/1742
Diffstat (limited to 'base/util')
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12.java43
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12CertInfo.java10
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java53
3 files changed, 66 insertions, 40 deletions
diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
index 4f2f1600b..6c7880aa8 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
@@ -18,6 +18,7 @@
package netscape.security.pkcs;
import java.math.BigInteger;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;
@@ -141,7 +142,7 @@ public class PKCS12 {
Map<BigInteger, PKCS12KeyInfo> keyInfosByID = new LinkedHashMap<BigInteger, PKCS12KeyInfo>();
- Map<String, PKCS12CertInfo> certInfosByNickname = new LinkedHashMap<String, PKCS12CertInfo>();
+ Map<BigInteger, PKCS12CertInfo> certInfosByID = new LinkedHashMap<BigInteger, PKCS12CertInfo>();
public PKCS12() {
}
@@ -163,28 +164,42 @@ public class PKCS12 {
}
public Collection<PKCS12CertInfo> getCertInfos() {
- return certInfosByNickname.values();
+ return certInfosByID.values();
}
public void addCertInfo(PKCS12CertInfo certInfo, boolean replace) {
- String nickname = certInfo.nickname;
- if (!replace && certInfosByNickname.containsKey(nickname))
+ BigInteger id = certInfo.getID();
+
+ if (!replace && certInfosByID.containsKey(id))
return;
- certInfosByNickname.put(nickname, certInfo);
+ certInfosByID.put(id, certInfo);
}
- public PKCS12CertInfo getCertInfoByNickname(String nickname) {
- return certInfosByNickname.get(nickname);
+ public PKCS12CertInfo getCertInfoByID(BigInteger id) {
+ return certInfosByID.get(id);
}
- public PKCS12CertInfo removeCertInfoByNickname(String nickname) {
- // remove cert
- PKCS12CertInfo certInfo = certInfosByNickname.remove(nickname);
- if (certInfo == null) return null;
+ public Collection<PKCS12CertInfo> getCertInfosByNickname(String nickname) {
+
+ Collection<PKCS12CertInfo> result = new ArrayList<PKCS12CertInfo>();
- // remove private key
- keyInfosByID.remove(certInfo.getKeyID());
- return certInfo;
+ for (PKCS12CertInfo certInfo : certInfosByID.values()) {
+ if (!nickname.equals(certInfo.getNickname())) continue;
+ result.add(certInfo);
+ }
+
+ return result;
+ }
+
+ public void removeCertInfoByNickname(String nickname) {
+
+ Collection<PKCS12CertInfo> result = getCertInfosByNickname(nickname);
+
+ for (PKCS12CertInfo certInfo : result) {
+ // remove cert and key
+ certInfosByID.remove(certInfo.getID());
+ keyInfosByID.remove(certInfo.getID());
+ }
}
}
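Review bot: `addCertInfo` now keys certificates by `certInfo.getID()`, but nothing in this hunk rejects a null id, and `LinkedHashMap` accepts null keys, so every certificate whose id was never set lands in the single null slot and either replaces the previous one or, with `replace == false`, is dropped in favour of it. The NSS loading path in this commit always derives an id via `createLocalID`, but the PKCS #12 parse path in the `-428` hunk of PKCS12Util.java appears to assign `certInfo.id` only when a localKeyID attribute is present, so a third-party file holding several CA certificates without that attribute would come out with at most one of them. I would add `if (id == null) throw new IllegalArgumentException("certificate ID is required");` at the top of `addCertInfo` and have the parser fall back to an id derived from the certificate encoding, as `createLocalID` does. The same unchecked id also reaches `pkcs12.getKeyInfoByID(id)` in the `-596` hunk of PKCS12Util.java, where the previous null guard was removed.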
diff --git a/base/util/src/netscape/security/pkcs/PKCS12CertInfo.java b/base/util/src/netscape/security/pkcs/PKCS12CertInfo.java
index 3ac643eb1..ec7b0e332 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12CertInfo.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12CertInfo.java
@@ -23,7 +23,7 @@ import netscape.security.x509.X509CertImpl;
public class PKCS12CertInfo {
- BigInteger keyID;
+ BigInteger id;
X509CertImpl cert;
String nickname;
String trustFlags;
@@ -31,12 +31,12 @@ public class PKCS12CertInfo {
public PKCS12CertInfo() {
}
- public BigInteger getKeyID() {
- return keyID;
+ public BigInteger getID() {
+ return id;
}
- public void setKeyID(BigInteger keyID) {
- this.keyID = keyID;
+ public void setID(BigInteger id) {
+ this.id = id;
}
public X509CertImpl getCert() {
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 35b9ed598..7c9ab2fb4 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -28,6 +28,7 @@ import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateException;
+import java.util.Collection;
import java.util.logging.Logger;
import org.mozilla.jss.CryptoManager;
@@ -160,7 +161,7 @@ public class PKCS12Util {
safeContents.addElement(safeBag);
}
- BigInteger createLocalKeyID(X509Certificate cert) throws Exception {
+ BigInteger createLocalID(X509Certificate cert) throws Exception {
// SHA1 hash of the X509Cert DER encoding
byte[] certDer = cert.getEncoded();
@@ -209,12 +210,12 @@ public class PKCS12Util {
attrs.addElement(nicknameAttr);
- if (certInfo.keyID != null) {
+ if (certInfo.getID() != null) {
SEQUENCE localKeyAttr = new SEQUENCE();
localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID);
SET localKeySet = new SET();
- localKeySet.addElement(new OCTET_STRING(certInfo.keyID.toByteArray()));
+ localKeySet.addElement(new OCTET_STRING(certInfo.id.toByteArray()));
localKeyAttr.addElement(localKeySet);
attrs.addElement(localKeyAttr);
@@ -250,24 +251,28 @@ public class PKCS12Util {
public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
- X509Certificate cert = cm.findCertByNickname(nickname);
- loadCertChainFromNSS(pkcs12, cert);
+
+ X509Certificate[] certs = cm.findCertsByNickname(nickname);
+ for (X509Certificate cert : certs) {
+ loadCertChainFromNSS(pkcs12, cert);
+ }
}
- public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger keyID, boolean replace) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading certificate \"" + nickname + "\" from NSS database");
PKCS12CertInfo certInfo = new PKCS12CertInfo();
- certInfo.keyID = keyID;
+ certInfo.id = id;
certInfo.nickname = nickname;
certInfo.cert = new X509CertImpl(cert.getEncoded());
certInfo.trustFlags = getTrustFlags(cert);
+
pkcs12.addCertInfo(certInfo, replace);
}
- public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger keyID) throws Exception {
+ public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database");
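Review bot: `loadCertFromNSS(PKCS12, String)` now iterates over `cm.findCertsByNickname(nickname)`, and if that call returns an empty array for an unknown nickname (its behaviour is not visible here) a misspelled nickname yields an empty PKCS #12 file with no error, whereas the replaced `findCertByNickname` would presumably have failed with an exception. I would add `if (certs.length == 0) throw new Exception("Certificate not found: " + nickname);` right after the lookup, which matches the `throws Exception` style used throughout this file. The same silent no-op appears in `storeCertIntoNSS(PKCS12, String)` in the last hunk of this file, where an empty result from `getCertInfosByNickname` now imports nothing instead of failing.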
@@ -279,7 +284,7 @@ public class PKCS12Util {
logger.fine("Certificate \"" + nickname + "\" has private key");
PKCS12KeyInfo keyInfo = new PKCS12KeyInfo();
- keyInfo.id = keyID;
+ keyInfo.id = id;
keyInfo.subjectDN = cert.getSubjectDN().toString();
byte[] privateData = getEncodedKey(privateKey);
@@ -297,17 +302,20 @@ public class PKCS12Util {
CryptoManager cm = CryptoManager.getInstance();
- BigInteger keyID = createLocalKeyID(cert);
+ BigInteger id = createLocalID(cert);
- // load cert with key
- loadCertFromNSS(pkcs12, cert, keyID, true);
- loadCertKeyFromNSS(pkcs12, cert, keyID);
+ // load cert key if exists
+ loadCertKeyFromNSS(pkcs12, cert, id);
+
+ // load cert
+ loadCertFromNSS(pkcs12, cert, id, true);
// load parent certs without key
X509Certificate[] certChain = cm.buildCertificateChain(cert);
for (int i = 1; i < certChain.length; i++) {
X509Certificate c = certChain[i];
- loadCertFromNSS(pkcs12, c, null, false);
+ BigInteger cid = createLocalID(c);
+ loadCertFromNSS(pkcs12, c, cid, false);
}
}
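Review bot: The `false` passed to `loadCertFromNSS` in the chain loop is doing real work now that chain certificates carry an id, and deserves a comment: because `createLocalID` hashes the DER encoding, a chain element that is byte-identical to a certificate already loaded (for example a self-signed leaf appearing again as its own root) maps to the same id, and `replace == false` keeps the earlier entry that has the key. I would replace `// load parent certs without key` with `// load parent certs without key; replace=false keeps an existing entry (same DER => same ID) that may already carry the key`. The enclosing method begins outside this hunk.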
@@ -379,7 +387,7 @@ public class PKCS12Util {
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
keyInfo.id = new BigInteger(1, keyID.toByteArray());
- logger.fine("Key ID: " + keyInfo.id.toString(16));
+ logger.fine("ID: " + keyInfo.id.toString(16));
}
}
@@ -428,8 +436,8 @@ public class PKCS12Util {
ByteArrayInputStream bis = new ByteArrayInputStream(value.getEncoded());
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
- certInfo.keyID = new BigInteger(1, keyID.toByteArray());
- logger.fine("Key ID: " + certInfo.keyID.toString(16));
+ certInfo.id = new BigInteger(1, keyID.toByteArray());
+ logger.fine("ID: " + certInfo.id.toString(16));
} else if (oid.equals(PKCS12.CERT_TRUST_FLAGS_OID) && trustFlagsEnabled) {
@@ -596,8 +604,8 @@ public class PKCS12Util {
CryptoManager cm = CryptoManager.getInstance();
X509Certificate cert;
- BigInteger keyID = certInfo.getKeyID();
- PKCS12KeyInfo keyInfo = keyID == null ? null : pkcs12.getKeyInfoByID(keyID);
+ BigInteger id = certInfo.getID();
+ PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(id);
if (keyInfo != null) { // cert has key
logger.fine("Importing user key for " + certInfo.nickname);
@@ -608,6 +616,7 @@ public class PKCS12Util {
} else { // cert has no key
logger.fine("Importing CA certificate " + certInfo.nickname);
+ // Note: JSS does not preserve CA certificate nickname
cert = cm.importCACertPackage(certInfo.cert.getEncoded());
}
@@ -616,8 +625,10 @@ public class PKCS12Util {
}
public void storeCertIntoNSS(PKCS12 pkcs12, String nickname) throws Exception {
- PKCS12CertInfo certInfo = pkcs12.getCertInfoByNickname(nickname);
- storeCertIntoNSS(pkcs12, certInfo);
+ Collection<PKCS12CertInfo> certInfos = pkcs12.getCertInfosByNickname(nickname);
+ for (PKCS12CertInfo certInfo : certInfos) {
+ storeCertIntoNSS(pkcs12, certInfo);
+ }
}
public void storeIntoNSS(PKCS12 pkcs12) throws Exception {