-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java19
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java19
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12.java8
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java59
4 files changed, 59 insertions, 46 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index 6c9d8032e..ce7b3dd79 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -63,10 +63,8 @@ public class PKCS12CertAddCLI extends CLI {
option.setArgName("path");
options.addOption(option);
+ options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
- options.addOption(null, "no-cert", false, "Do not include certificate itself");
- options.addOption(null, "no-key", false, "Do not include certificate key");
- options.addOption(null, "no-chain", false, "Do not include certificate chain");
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
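Review bot: The help text added for `--new-file` does not say that an existing PKCS #12 file at the given path is replaced, which is what the flag does further down in this command (the file is simply not loaded when the flag is set). Because the removed `--no-key` flag means the private key is now always written as well, a user could silently lose the previous contents of a keystore file. I would make the consequence explicit: `options.addOption(null, "new-file", false, "Create a new PKCS #12 file (replaces an existing file at the given path)");`. `createOptions()` starts before this hunk.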
@@ -139,10 +137,8 @@ public class PKCS12CertAddCLI extends CLI {
Password password = new Password(passwordString.toCharArray());
+ boolean newFile = cmd.hasOption("new-file");
boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
- boolean includeCert = !cmd.hasOption("no-cert");
- boolean includeKey = !cmd.hasOption("no-key");
- boolean includeChain = !cmd.hasOption("no-chain");
try {
PKCS12Util util = new PKCS12Util();
@@ -150,13 +146,16 @@ public class PKCS12CertAddCLI extends CLI {
PKCS12 pkcs12;
- if (new File(filename).exists()) {
- pkcs12 = util.loadFromFile(filename, password);
- } else {
+ if (newFile || !new File(filename).exists()) {
+ // if new file requested or file does not exist, create a new file
pkcs12 = new PKCS12();
+
+ } else {
+ // otherwise, add into the same file
+ pkcs12 = util.loadFromFile(filename, password);
}
- util.loadFromNSS(pkcs12, nickname, includeCert, includeKey, includeChain);
+ util.loadCertFromNSS(pkcs12, nickname);
util.storeIntoFile(pkcs12, filename, password);
} finally {
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index a5c9e2823..f17251284 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -18,7 +18,6 @@
package com.netscape.cmstools.pkcs12;
import java.io.BufferedReader;
-import java.io.File;
import java.io.FileReader;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -45,7 +44,7 @@ public class PKCS12ExportCLI extends CLI {
}
public void printHelp() {
- formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+ formatter.printHelp(getFullName() + " [OPTIONS...] [nicknames...]", options);
}
public void createOptions() {
@@ -96,6 +95,7 @@ public class PKCS12ExportCLI extends CLI {
Logger.getLogger("netscape").setLevel(Level.FINE);
}
+ String[] nicknames = cmd.getArgs();
String filename = cmd.getOptionValue("pkcs12");
if (filename == null) {
@@ -130,15 +130,20 @@ public class PKCS12ExportCLI extends CLI {
PKCS12Util util = new PKCS12Util();
util.setTrustFlagsEnabled(trustFlagsEnabled);
- PKCS12 pkcs12;
+ // overwrite existing file
+ PKCS12 pkcs12 = new PKCS12();
+
+ if (nicknames.length == 0) {
+ // load all certificates
+ util.loadFromNSS(pkcs12);
- if (new File(filename).exists()) {
- pkcs12 = util.loadFromFile(filename, password);
} else {
- pkcs12 = new PKCS12();
+ // load specified certificates
+ for (String nickname : nicknames) {
+ util.loadCertFromNSS(pkcs12, nickname);
+ }
}
- util.loadFromNSS(pkcs12);
util.storeIntoFile(pkcs12, filename, password);
} finally {
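Review bot: The comment `// overwrite existing file` states the behaviour but not the reason, and the switch from merging into an existing file (the removed `loadFromFile` branch) to always starting from an empty `PKCS12` is exactly what a later reader will want explained; I would expand it to `// always start from an empty PKCS #12: export replaces an existing file rather than merging into it`. The nickname loop does nothing at this level for an unknown nickname; if `findCertByNickname` throws for a missing entry (not visible here) the export aborts before anything is written, which is reasonable but worth stating in the help text for the `[nicknames...]` argument. The enclosing method continues outside the hunk.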
diff --git a/base/util/src/netscape/security/pkcs/PKCS12.java b/base/util/src/netscape/security/pkcs/PKCS12.java
index da4023f12..19e9fd039 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12.java
@@ -175,6 +175,12 @@ public class PKCS12 {
}
public PKCS12CertInfo removeCertInfoByNickname(String nickname) {
- return certInfosByNickname.remove(nickname);
+ // remove cert
+ PKCS12CertInfo certInfo = certInfosByNickname.remove(nickname);
+ if (certInfo == null) return null;
+
+ // remove private key
+ keyInfosByID.remove(certInfo.getKeyID());
+ return certInfo;
}
}
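Review bot: Removing the key entry by `certInfo.getKeyID()` drops the private key even when another `PKCS12CertInfo` still references the same key ID, so if two nicknames in the file map to one key (the ID is derived from the certificate by `createLocalKeyID`, so this would presumably be the same certificate under two nicknames, to be confirmed) the surviving entry becomes a certificate without its key. I would only remove the key when no remaining cert info still points at it, assuming `certInfosByNickname` is a `Map` as its `remove` call suggests. A null key ID, if `getKeyID()` can return one, is also worth guarding since `keyInfosByID.remove(null)` depends on the map implementation; the `BigInteger` type below follows the `keyInfo.id` assignment elsewhere in this commit and may need adjusting.
```java
public PKCS12CertInfo removeCertInfoByNickname(String nickname) {
    // remove cert
    PKCS12CertInfo certInfo = certInfosByNickname.remove(nickname);
    if (certInfo == null) return null;

    // remove private key only if no other cert still references it
    BigInteger keyID = certInfo.getKeyID();
    boolean stillReferenced = false;
    for (PKCS12CertInfo other : certInfosByNickname.values()) {
        if (keyID != null && keyID.equals(other.getKeyID())) {
            stillReferenced = true;
            break;
        }
    }
    if (keyID != null && !stillReferenced) keyInfosByID.remove(keyID);
    return certInfo;
}
```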
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 8d189a9d7..665998e2f 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -240,34 +240,23 @@ public class PKCS12Util {
CryptoToken token = cm.getInternalKeyStorageToken();
CryptoStore store = token.getCryptoStore();
- // load all certs
for (X509Certificate cert : store.getCertificates()) {
- loadCertFromNSS(pkcs12, cert, true); // load cert with private key
+ loadCertChainFromNSS(pkcs12, cert);
}
}
- public void loadFromNSS(PKCS12 pkcs12, String nickname, boolean includeCert, boolean includeKey, boolean includeChain) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
-
X509Certificate cert = cm.findCertByNickname(nickname);
-
- if (includeCert) {
- loadCertFromNSS(pkcs12, cert, includeKey);
- }
-
- if (includeChain) {
- loadCertChainFromNSS(pkcs12, cert);
- }
+ loadCertChainFromNSS(pkcs12, cert);
}
- public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading certificate \"" + nickname + "\" from NSS database");
- CryptoManager cm = CryptoManager.getInstance();
-
BigInteger keyID = createLocalKeyID(cert);
PKCS12CertInfo certInfo = new PKCS12CertInfo();
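Review bot: The two `loadCertFromNSS` overloads now do different amounts of work, the nickname variant pulling the certificate, its private key and its parent chain (it just delegates to `loadCertChainFromNSS`) while the `X509Certificate` variant adds the certificate alone, and neither says so, which the removed `includeKey`/`includeChain` parameters used to make explicit at the call site. I would give each a Javadoc stating what ends up in the `PKCS12`: on the nickname variant `/** Loads the named certificate with its private key and its parent chain; parents are added without keys. */`, and on the certificate variant `/** Adds only the certificate and its trust flags; the private key is loaded separately by loadCertKeyFromNSS. */`. `loadFromNSS(PKCS12)` now runs the chain walk for every certificate in the store, so a CA that is itself in the store is visited once as a leaf and again as a parent of each certificate it issued; whether that matters depends on how `addCertInfo` treats a repeated nickname, which is not visible here. `loadFromNSS(PKCS12)` starts before this hunk and the certificate variant of `loadCertFromNSS` continues past it.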
@@ -276,17 +265,23 @@ public class PKCS12Util {
certInfo.cert = new X509CertImpl(cert.getEncoded());
certInfo.trustFlags = getTrustFlags(cert);
pkcs12.addCertInfo(certInfo);
+ }
- if (!includeKey) return;
+ public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
+ String nickname = cert.getNickname();
logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database");
+ CryptoManager cm = CryptoManager.getInstance();
+
try {
PrivateKey privateKey = cm.findPrivKeyByCert(cert);
logger.fine("Certificate \"" + nickname + "\" has private key");
+ PKCS12CertInfo certInfo = pkcs12.getCertInfoByNickname(nickname);
+
PKCS12KeyInfo keyInfo = new PKCS12KeyInfo();
- keyInfo.id = keyID;
+ keyInfo.id = certInfo.getKeyID();
keyInfo.subjectDN = cert.getSubjectDN().toString();
byte[] privateData = getEncodedKey(privateKey);
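Review bot: `pkcs12.getCertInfoByNickname(nickname)` is dereferenced on the following line without a null check, so calling the new public `loadCertKeyFromNSS` before the matching `loadCertFromNSS`, or for a certificate stored under a different nickname, fails with a NullPointerException from inside the `try` instead of a message naming the certificate. I would add `if (certInfo == null) throw new Exception("Certificate \"" + nickname + "\" has not been loaded into the PKCS #12 object");` right after the lookup, or have this method compute the key ID with `createLocalKeyID(cert)` as the old code did so it does not depend on call order. The hunk starts inside `loadCertFromNSS` and `loadCertKeyFromNSS` continues past its last line, so the catch branch is not visible.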
@@ -302,15 +297,17 @@ public class PKCS12Util {
public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
- logger.info("Loading certificate chain for \"" + cert.getNickname() + "\"");
-
CryptoManager cm = CryptoManager.getInstance();
- X509Certificate[] certChain = cm.buildCertificateChain(cert);
- // load parent certificates only
+ // load cert with key
+ loadCertFromNSS(pkcs12, cert);
+ loadCertKeyFromNSS(pkcs12, cert);
+
+ // load parent certs without key
+ X509Certificate[] certChain = cm.buildCertificateChain(cert);
for (int i = 1; i < certChain.length; i++) {
X509Certificate c = certChain[i];
- loadCertFromNSS(pkcs12, c, false); // do not include private key
+ loadCertFromNSS(pkcs12, c);
}
}
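Review bot: `loadCertChainFromNSS` is now the method that decides what an exported entry contains (leaf with key, parents without) but carries no documentation, and the `CryptoManager` lookup on its first line is done well before `buildCertificateChain` needs it; I would move `CryptoManager cm = CryptoManager.getInstance();` down next to that call and add a Javadoc such as `/** Adds cert with its private key, then each issuer in the chain built by NSS without a key. */`. The removed `logger.info("Loading certificate chain ...")` line was the only message that made the chain walk visible in the log; if dropping it was intentional, fine, otherwise it is worth restoring before `buildCertificateChain`. If `buildCertificateChain` cannot complete the chain it presumably throws, which would abort an export after the leaf and its key were already added to the in-memory `PKCS12`; whether callers expect that partial state is worth a note.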
@@ -601,14 +598,20 @@ public class PKCS12Util {
}
}
- public void importCert(PKCS12CertInfo certInfo) throws Exception {
-
- logger.fine("Importing certificate " + certInfo.nickname);
+ public void importCert(PKCS12 pkcs12, PKCS12CertInfo certInfo) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
- X509Certificate cert = cm.importUserCACertPackage(
- certInfo.cert.getEncoded(), certInfo.nickname);
+ X509Certificate cert;
+
+ if (pkcs12.getKeyInfoByID(certInfo.getKeyID()) != null) { // cert has key
+ logger.fine("Importing user CA certificate " + certInfo.nickname);
+ cert = cm.importUserCACertPackage(certInfo.cert.getEncoded(), certInfo.nickname);
+
+ } else { // cert has no key
+ logger.fine("Importing CA certificate " + certInfo.nickname);
+ cert = cm.importCACertPackage(certInfo.cert.getEncoded());
+ }
if (certInfo.trustFlags != null && trustFlagsEnabled)
setTrustFlags(cert, certInfo.trustFlags);
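Review bot: The no-key branch calls `cm.importCACertPackage(certInfo.cert.getEncoded())` without `certInfo.nickname`, whereas both the old code and the has-key branch pass the nickname to `importUserCACertPackage`; if `importCACertPackage` assigns its own nickname (to confirm against the JSS API), the nickname stored in the PKCS #12 file is lost for every chain certificate on import, and a later lookup by that name would not find it. The has-key test also depends on `pkcs12.getKeyInfoByID` being populated before `importCert` runs, which is the caller's responsibility and worth stating in a Javadoc: `/** Imports certInfo into NSS; an entry whose key ID has a matching key info in pkcs12 is imported as a user cert under its nickname, all others as CA certs. */`. The method continues past the end of the hunk.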
@@ -617,7 +620,7 @@ public class PKCS12Util {
public void importCerts(PKCS12 pkcs12) throws Exception {
for (PKCS12CertInfo certInfo : pkcs12.getCertInfos()) {
- importCert(certInfo);
+ importCert(pkcs12, certInfo);
}
}