diff options
4 files changed, 59 insertions, 46 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java index 6c9d8032e..ce7b3dd79 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java @@ -63,10 +63,8 @@ public class PKCS12CertAddCLI extends CLI { option.setArgName("path"); options.addOption(option); + options.addOption(null, "new-file", false, "Create a new PKCS #12 file"); options.addOption(null, "no-trust-flags", false, "Do not include trust flags"); - options.addOption(null, "no-cert", false, "Do not include certificate itself"); - options.addOption(null, "no-key", false, "Do not include certificate key"); - options.addOption(null, "no-chain", false, "Do not include certificate chain"); options.addOption("v", "verbose", false, "Run in verbose mode."); options.addOption(null, "debug", false, "Run in debug mode."); @@ -139,10 +137,8 @@ public class PKCS12CertAddCLI extends CLI { Password password = new Password(passwordString.toCharArray()); + boolean newFile = cmd.hasOption("new-file"); boolean includeTrustFlags = !cmd.hasOption("no-trust-flags"); - boolean includeCert = !cmd.hasOption("no-cert"); - boolean includeKey = !cmd.hasOption("no-key"); - boolean includeChain = !cmd.hasOption("no-chain"); try { PKCS12Util util = new PKCS12Util(); @@ -150,13 +146,16 @@ public class PKCS12CertAddCLI extends CLI { PKCS12 pkcs12; - if (new File(filename).exists()) { - pkcs12 = util.loadFromFile(filename, password); - } else { + if (newFile || !new File(filename).exists()) { + // if new file requested or file does not exist, create a new file pkcs12 = new PKCS12(); + + } else { + // otherwise, add into the same file + pkcs12 = util.loadFromFile(filename, password); } - util.loadFromNSS(pkcs12, nickname, includeCert, includeKey, includeChain); + util.loadCertFromNSS(pkcs12, nickname); util.storeIntoFile(pkcs12, filename, password); } finally { diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java index a5c9e2823..f17251284 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java @@ -18,7 +18,6 @@ package com.netscape.cmstools.pkcs12; import java.io.BufferedReader; -import java.io.File; import java.io.FileReader; import java.util.logging.Level; import java.util.logging.Logger; @@ -45,7 +44,7 @@ public class PKCS12ExportCLI extends CLI { } public void printHelp() { - formatter.printHelp(getFullName() + " [OPTIONS...]", options); + formatter.printHelp(getFullName() + " [OPTIONS...] [nicknames...]", options); } public void createOptions() { @@ -96,6 +95,7 @@ public class PKCS12ExportCLI extends CLI { Logger.getLogger("netscape").setLevel(Level.FINE); } + String[] nicknames = cmd.getArgs(); String filename = cmd.getOptionValue("pkcs12"); if (filename == null) { @@ -130,15 +130,20 @@ public class PKCS12ExportCLI extends CLI { PKCS12Util util = new PKCS12Util(); util.setTrustFlagsEnabled(trustFlagsEnabled); - PKCS12 pkcs12; + // overwrite existing file + PKCS12 pkcs12 = new PKCS12(); + + if (nicknames.length == 0) { + // load all certificates + util.loadFromNSS(pkcs12); - if (new File(filename).exists()) { - pkcs12 = util.loadFromFile(filename, password); } else { - pkcs12 = new PKCS12(); + // load specified certificates + for (String nickname : nicknames) { + util.loadCertFromNSS(pkcs12, nickname); + } } - util.loadFromNSS(pkcs12); util.storeIntoFile(pkcs12, filename, password); } finally { diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java index da4023f12..19e9fd039 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12.java +++ b/base/util/src/netscape/security/pkcs/PKCS12.java @@ -175,6 +175,12 @@ public class PKCS12 { } public PKCS12CertInfo removeCertInfoByNickname(String nickname) { - return certInfosByNickname.remove(nickname); + // remove cert + PKCS12CertInfo certInfo = certInfosByNickname.remove(nickname); + if (certInfo == null) return null; + + // remove private key + keyInfosByID.remove(certInfo.getKeyID()); + return certInfo; } } diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java index 8d189a9d7..665998e2f 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12Util.java +++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java @@ -240,34 +240,23 @@ public class PKCS12Util { CryptoToken token = cm.getInternalKeyStorageToken(); CryptoStore store = token.getCryptoStore(); - // load all certs for (X509Certificate cert : store.getCertificates()) { - loadCertFromNSS(pkcs12, cert, true); // load cert with private key + loadCertChainFromNSS(pkcs12, cert); } } - public void loadFromNSS(PKCS12 pkcs12, String nickname, boolean includeCert, boolean includeKey, boolean includeChain) throws Exception { + public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception { CryptoManager cm = CryptoManager.getInstance(); - X509Certificate cert = cm.findCertByNickname(nickname); - - if (includeCert) { - loadCertFromNSS(pkcs12, cert, includeKey); - } - - if (includeChain) { - loadCertChainFromNSS(pkcs12, cert); - } + loadCertChainFromNSS(pkcs12, cert); } - public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey) throws Exception { + public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception { String nickname = cert.getNickname(); logger.info("Loading certificate \"" + nickname + "\" from NSS database"); - CryptoManager cm = CryptoManager.getInstance(); - BigInteger keyID = createLocalKeyID(cert); PKCS12CertInfo certInfo = new PKCS12CertInfo(); @@ -276,17 +265,23 @@ public class PKCS12Util { certInfo.cert = new X509CertImpl(cert.getEncoded()); certInfo.trustFlags = getTrustFlags(cert); pkcs12.addCertInfo(certInfo); + } - if (!includeKey) return; + public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception { + String nickname = cert.getNickname(); logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database"); + CryptoManager cm = CryptoManager.getInstance(); + try { PrivateKey privateKey = cm.findPrivKeyByCert(cert); logger.fine("Certificate \"" + nickname + "\" has private key"); + PKCS12CertInfo certInfo = pkcs12.getCertInfoByNickname(nickname); + PKCS12KeyInfo keyInfo = new PKCS12KeyInfo(); - keyInfo.id = keyID; + keyInfo.id = certInfo.getKeyID(); keyInfo.subjectDN = cert.getSubjectDN().toString(); byte[] privateData = getEncodedKey(privateKey); @@ -302,15 +297,17 @@ public class PKCS12Util { public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception { - logger.info("Loading certificate chain for \"" + cert.getNickname() + "\""); - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate[] certChain = cm.buildCertificateChain(cert); - // load parent certificates only + // load cert with key + loadCertFromNSS(pkcs12, cert); + loadCertKeyFromNSS(pkcs12, cert); + + // load parent certs without key + X509Certificate[] certChain = cm.buildCertificateChain(cert); for (int i = 1; i < certChain.length; i++) { X509Certificate c = certChain[i]; - loadCertFromNSS(pkcs12, c, false); // do not include private key + loadCertFromNSS(pkcs12, c); } } @@ -601,14 +598,20 @@ public class PKCS12Util { } } - public void importCert(PKCS12CertInfo certInfo) throws Exception { - - logger.fine("Importing certificate " + certInfo.nickname); + public void importCert(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception { CryptoManager cm = CryptoManager.getInstance(); - X509Certificate cert = cm.importUserCACertPackage( - certInfo.cert.getEncoded(), certInfo.nickname); + X509Certificate cert; + + if (pkcs12.getKeyInfoByID(certInfo.getKeyID()) != null) { // cert has key + logger.fine("Importing user CA certificate " + certInfo.nickname); + cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname); + + } else { // cert has no key + logger.fine("Importing CA certificate " + certInfo.nickname); + cert = cm.importCACertPackage(certInfo.cert.getEncoded()); + } if (certInfo.trustFlags != null && trustFlagsEnabled) setTrustFlags(cert, certInfo.trustFlags); @@ -617,7 +620,7 @@ public class PKCS12Util { public void importCerts(PKCS12 pkcs12) throws Exception { for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) { - importCert(certInfo); + importCert(pkcs12, certInfo); } } |