-rw-r--r--base/java-tools/bin/pki3
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java7
-rw-r--r--base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java12
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java40
-rw-r--r--base/util/src/netscape/security/pkcs/PKCS12Util.java108
5 files changed, 98 insertions, 72 deletions
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index e476cfcfe..88490f7da 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -138,6 +138,9 @@ class PKICLI(pki.cli.CLI):
if self.token and self.token != 'internal':
cmd.extend(['--token', self.token])
+ if self.verbose:
+ cmd.extend(['--verbose'])
+
cmd.extend(args)
if self.verbose:
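Review bot: `cmd.extend(['--verbose'])` wraps a single element in a list only to unpack it again; `cmd.append('--verbose')` says the same thing directly and matches how a single argument is usually added. The surrounding `--token` branch uses `extend` because it adds two elements, so the two lines are not parallel. The enclosing method continues past the end of this hunk.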
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
index 48e4907cf..a422b200d 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12CertAddCLI.java
@@ -65,6 +65,8 @@ public class PKCS12CertAddCLI extends CLI {
options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
+ options.addOption(null, "no-key", false, "Do not include private key");
+ options.addOption(null, "no-chain", false, "Do not include certificate chain");
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
@@ -139,6 +141,8 @@ public class PKCS12CertAddCLI extends CLI {
boolean newFile = cmd.hasOption("new-file");
boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
+ boolean includeKey = !cmd.hasOption("no-key");
+ boolean includeChain = !cmd.hasOption("no-chain");
try {
PKCS12Util util = new PKCS12Util();
@@ -155,7 +159,8 @@ public class PKCS12CertAddCLI extends CLI {
pkcs12 = util.loadFromFile(filename, password);
}
- util.loadCertFromNSS(pkcs12, nickname);
+ // load the specified certificate
+ util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain);
util.storeIntoFile(pkcs12, filename, password);
} finally {
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index d42c449b4..fab5ecdda 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
@@ -63,6 +63,8 @@ public class PKCS12ExportCLI extends CLI {
options.addOption(null, "new-file", false, "Create a new PKCS #12 file");
options.addOption(null, "no-trust-flags", false, "Do not include trust flags");
+ options.addOption(null, "no-key", false, "Do not include private key");
+ options.addOption(null, "no-chain", false, "Do not include certificate chain");
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "debug", false, "Run in debug mode.");
@@ -127,11 +129,13 @@ public class PKCS12ExportCLI extends CLI {
Password password = new Password(passwordString.toCharArray());
boolean newFile = cmd.hasOption("new-file");
- boolean trustFlagsEnabled = !cmd.hasOption("no-trust-flags");
+ boolean includeTrustFlags = !cmd.hasOption("no-trust-flags");
+ boolean includeKey = !cmd.hasOption("no-key");
+ boolean includeChain = !cmd.hasOption("no-chain");
try {
PKCS12Util util = new PKCS12Util();
- util.setTrustFlagsEnabled(trustFlagsEnabled);
+ util.setTrustFlagsEnabled(includeTrustFlags);
PKCS12 pkcs12;
@@ -149,9 +153,9 @@ public class PKCS12ExportCLI extends CLI {
util.loadFromNSS(pkcs12);
} else {
- // load specified certificates
+ // load the specified certificates
for (String nickname : nicknames) {
- util.loadCertFromNSS(pkcs12, nickname);
+ util.loadCertFromNSS(pkcs12, nickname, includeKey, includeChain);
}
}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 51e5f0824..25838f1f3 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -30,7 +30,6 @@ import java.io.PrintStream;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
-import java.security.DigestException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
@@ -165,6 +164,8 @@ import netscape.ldap.LDAPSearchResults;
import netscape.ldap.LDAPv3;
import netscape.security.pkcs.ContentInfo;
import netscape.security.pkcs.PKCS10;
+import netscape.security.pkcs.PKCS12;
+import netscape.security.pkcs.PKCS12Util;
import netscape.security.pkcs.PKCS7;
import netscape.security.pkcs.SignerInfo;
import netscape.security.util.DerOutputStream;
@@ -3331,11 +3332,8 @@ public class ConfigurationUtils {
}
}
- public static void backupKeys(String pwd, String fname) throws EPropertyNotFound, EBaseException,
- NotInitializedException, ObjectNotFoundException, TokenException, DigestException,
- InvalidKeyException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidBERException,
- CertificateEncodingException, IllegalStateException, IllegalBlockSizeException, BadPaddingException,
- IOException {
+ public static void backupKeys(String pwd, String fname) throws Exception {
+
CMS.debug("backupKeys(): start");
IConfigStore cs = CMS.getConfigStore();
String certlist = cs.getString("preop.cert.list");
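Review bot: Replacing the enumerated throws clause with `throws Exception` widens backupKeys' contract beyond what the body needs: any caller that previously caught the specific checked types (EBaseException, TokenException, IOException and the rest) must now catch `Exception`, which also swallows RuntimeExceptions that were not part of the old contract. The widening appears driven by PKCS12Util's own `throws Exception` signatures; if those cannot be narrowed, the method's Javadoc should at least state which failures a caller should expect, e.g. `@throws Exception if a configured system certificate or its key cannot be read from NSS, or the PKCS #12 data cannot be built`. The method body continues in the next hunk.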
@@ -3344,39 +3342,37 @@ public class ConfigurationUtils {
CryptoManager cm = CryptoManager.getInstance();
Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray());
- SEQUENCE encSafeContents = new SEQUENCE();
- SEQUENCE safeContents = new SEQUENCE();
+
+ PKCS12Util util = new PKCS12Util();
+ PKCS12 pkcs12 = new PKCS12();
+
+ // load system certificate (with key but without chain)
while (st.hasMoreTokens()) {
+
String t = st.nextToken();
if (t.equals("sslserver"))
continue;
+
String nickname = cs.getString("preop.cert." + t + ".nickname");
String modname = cs.getString("preop.module.token");
if (!modname.equals("Internal Key Storage Token"))
nickname = modname + ":" + nickname;
- X509Certificate x509cert = cm.findCertByNickname(nickname);
- byte localKeyId[] = addCertBag(x509cert, nickname, safeContents);
- PrivateKey pkey = cm.findPrivKeyByCert(x509cert);
- addKeyBag(pkey, x509cert, pass, localKeyId, encSafeContents);
+ util.loadCertFromNSS(pkcs12, nickname, true, false);
}
- X509Certificate[] cacerts = cm.getCACerts();
-
- for (int i = 0; i < cacerts.length; i++) {
- String nickname = null;
- addCertBag(cacerts[i], nickname, safeContents);
+ // load CA certificates (without keys or chains)
+ for (X509Certificate caCert : cm.getCACerts()) {
+ util.loadCertFromNSS(pkcs12, caCert, false, false);
}
- AuthenticatedSafes authSafes = new AuthenticatedSafes();
- authSafes.addSafeContents(safeContents);
- authSafes.addSafeContents(encSafeContents);
- PFX pfx = new PFX(authSafes);
- pfx.computeMacData(pass, null, 5);
+ PFX pfx = util.generatePFX(pkcs12, pass);
+
ByteArrayOutputStream bos = new ByteArrayOutputStream();
pfx.encode(bos);
byte[] output = bos.toByteArray();
+
cs.putString("preop.pkcs12", CryptoUtil.byte2string(output));
pass.clear();
cs.commit(false);
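Review bot: The system-certificate loop now goes through `util.loadCertFromNSS(pkcs12, nickname, true, false)`, which (per the PKCS12Util hunk) iterates over `cm.findCertsByNickname(nickname)`; if that call returns an empty array rather than throwing when the nickname is absent, a missing system certificate is silently left out of the backup, whereas the removed `cm.findCertByNickname(nickname)` path would have failed. A check after the call, or a count of loaded certificates compared with the configured list, would preserve the old fail-closed behaviour, e.g. `if (cm.findCertsByNickname(nickname).length == 0) throw new EBaseException("Certificate not found: " + nickname);` — or the equivalent inside PKCS12Util. Two smaller behaviour changes are worth confirming: CA certificates were previously added with a null nickname and now carry `cert.getNickname()`, and the `PKCS12Util` is used with its default trust-flag setting, so the backup may now include trust flags where `addCertBag` did not. The method begins in the previous hunk.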
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 7c9ab2fb4..967479b69 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -162,13 +162,14 @@ public class PKCS12Util {
}
BigInteger createLocalID(X509Certificate cert) throws Exception {
-
// SHA1 hash of the X509Cert DER encoding
- byte[] certDer = cert.getEncoded();
+ return createLocalID(cert.getEncoded());
+ }
- MessageDigest md = MessageDigest.getInstance("SHA");
+ BigInteger createLocalID(byte[] bytes) throws Exception {
- md.update(certDer);
+ MessageDigest md = MessageDigest.getInstance("SHA");
+ md.update(bytes);
return new BigInteger(1, md.digest());
}
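Review bot: The new `createLocalID(byte[])` keeps `MessageDigest.getInstance("SHA")`; "SHA" is the legacy JCA alias for SHA-1, and writing `MessageDigest.getInstance("SHA-1")` makes the algorithm explicit to readers and to static scanners. The value only serves as the PKCS #12 localKeyID that pairs a cert bag with its key bag, not as an integrity check, so SHA-1 is acceptable here, and a one-line comment on the byte[] overload should say so: `// localKeyID = SHA-1 of the DER encoding; identifies the cert/key pair, no security property`. The existing `// SHA1 hash of the X509Cert DER encoding` comment now sits on the delegating overload rather than on the one that computes the digest.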
@@ -244,21 +245,46 @@ public class PKCS12Util {
CryptoStore store = token.getCryptoStore();
for (X509Certificate cert : store.getCertificates()) {
- loadCertChainFromNSS(pkcs12, cert);
+ loadCertFromNSS(pkcs12, cert, true, true);
}
}
- public void loadCertFromNSS(PKCS12 pkcs12, String nickname) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, String nickname, boolean includeKey, boolean includeChain) throws Exception {
CryptoManager cm = CryptoManager.getInstance();
X509Certificate[] certs = cm.findCertsByNickname(nickname);
for (X509Certificate cert : certs) {
- loadCertChainFromNSS(pkcs12, cert);
+ loadCertFromNSS(pkcs12, cert, includeKey, includeChain);
}
}
- public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception {
+ public void loadCertFromNSS(PKCS12 pkcs12, X509Certificate cert, boolean includeKey, boolean includeChain) throws Exception {
+
+ CryptoManager cm = CryptoManager.getInstance();
+
+ BigInteger id = createLocalID(cert);
+
+ // load cert info
+ loadCertInfoFromNSS(pkcs12, cert, id, true);
+
+ if (includeKey) {
+ // load key info if exists
+ loadKeyInfoFromNSS(pkcs12, cert, id);
+ }
+
+ if (includeChain) {
+ // load cert chain
+ X509Certificate[] certChain = cm.buildCertificateChain(cert);
+ for (int i = 1; i < certChain.length; i++) {
+ X509Certificate c = certChain[i];
+ BigInteger cid = createLocalID(c);
+ loadCertInfoFromNSS(pkcs12, c, cid, false);
+ }
+ }
+ }
+
+ public void loadCertInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id, boolean replace) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading certificate \"" + nickname + "\" from NSS database");
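Review bot: The new public `loadCertFromNSS(PKCS12, X509Certificate, boolean, boolean)` and the renamed `loadCertInfoFromNSS` have no Javadoc, and the non-obvious part is the `replace` handling: the certificate itself is stored with `replace=true` while chain certificates use `replace=false`, so a CA already loaded with its key by `loadFromNSS` is not overwritten by a key-less chain copy. A Javadoc on the four-argument overload should state that `includeKey` loads the private key only when one exists in NSS, that `includeChain` adds the issuer certificates from `buildCertificateChain` without keys and without replacing existing entries, and that the certificate's own entry always replaces any previous one. Two further points: `CryptoManager.getInstance()` is fetched even when `includeChain` is false and can move into that branch, and the order changed relative to the removed `loadCertChainFromNSS` (key was loaded before the cert, now after); if `addKeyInfo` and `addCertInfo` are independent this is harmless, but it is worth confirming. The `loadCertInfoFromNSS` body continues past the end of this hunk.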
@@ -272,7 +298,7 @@ public class PKCS12Util {
pkcs12.addCertInfo(certInfo, replace);
}
- public void loadCertKeyFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception {
+ public void loadKeyInfoFromNSS(PKCS12 pkcs12, X509Certificate cert, BigInteger id) throws Exception {
String nickname = cert.getNickname();
logger.info("Loading private key for certificate \"" + nickname + "\" from NSS database");
@@ -298,30 +324,9 @@ public class PKCS12Util {
}
}
- public void loadCertChainFromNSS(PKCS12 pkcs12, X509Certificate cert) throws Exception {
-
- CryptoManager cm = CryptoManager.getInstance();
+ public PFX generatePFX(PKCS12 pkcs12, Password password) throws Exception {
- BigInteger id = createLocalID(cert);
-
- // load cert key if exists
- loadCertKeyFromNSS(pkcs12, cert, id);
-
- // load cert
- loadCertFromNSS(pkcs12, cert, id, true);
-
- // load parent certs without key
- X509Certificate[] certChain = cm.buildCertificateChain(cert);
- for (int i = 1; i < certChain.length; i++) {
- X509Certificate c = certChain[i];
- BigInteger cid = createLocalID(c);
- loadCertFromNSS(pkcs12, c, cid, false);
- }
- }
-
- public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception {
-
- logger.info("Storing data into PKCS #12 file");
+ logger.info("Generating PKCS #12 data");
SEQUENCE safeContents = new SEQUENCE();
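Review bot: `generatePFX` becomes a public entry point used from outside the class (`ConfigurationUtils.backupKeys`) but has no Javadoc, and it now owns the MAC parameters `pfx.computeMacData(password, null, 5)` shown in the next hunk — a pre-existing but very low iteration count, with a null salt argument that JSS presumably replaces with a generated one (confirm). Since external callers now reach those parameters only through this method, it is the place to either document them or expose an iteration-count parameter with the current value as the default. A Javadoc along the lines of "Builds the PFX structure for the given PKCS #12 data, encrypting key bags and computing the integrity MAC with `password`; the returned PFX is not yet encoded" would cover the contract. The method body is split across this hunk and the following one.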
@@ -342,6 +347,14 @@ public class PKCS12Util {
PFX pfx = new PFX(authSafes);
pfx.computeMacData(password, null, 5);
+ return pfx;
+ }
+
+ public void storeIntoFile(PKCS12 pkcs12, String filename, Password password) throws Exception {
+
+ PFX pfx = generatePFX(pkcs12, password);
+
+ logger.info("Storing data into PKCS #12 file");
ByteArrayOutputStream bos = new ByteArrayOutputStream();
pfx.encode(bos);
byte[] data = bos.toByteArray();
@@ -362,7 +375,7 @@ public class PKCS12Util {
// get key attributes
SET bagAttrs = bag.getBagAttributes();
- for (int i = 0; i < bagAttrs.size(); i++) {
+ for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
Attribute attr = (Attribute) bagAttrs.elementAt(i);
OBJECT_IDENTIFIER oid = attr.getType();
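Review bot: Folding the null check into the loop condition, `for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++)`, re-evaluates a loop-invariant test on every iteration and hides the "no attributes" case inside the header; a guard `if (bagAttrs != null) {` around the loop reads more clearly and keeps the iteration condition to the index. The same pattern is introduced in `getCertInfo` at the hunk starting `@@ -406,12 +417,11 @@`, where it replaces an early `return certInfo` — that replacement is needed so the new ID fallback after the loop still runs, so the guard form should be used there too rather than restoring the early return. The enclosing `getKeyInfo` method starts and ends outside this hunk.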
@@ -376,7 +389,7 @@ public class PKCS12Util {
BMPString subjectDN = (BMPString) new BMPString.Template().decode(bis);
keyInfo.subjectDN = subjectDN.toString();
- logger.fine("Subject DN: " + keyInfo.subjectDN);
+ logger.fine(" Subject DN: " + keyInfo.subjectDN);
} else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
@@ -387,12 +400,10 @@ public class PKCS12Util {
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
keyInfo.id = new BigInteger(1, keyID.toByteArray());
- logger.fine("ID: " + keyInfo.id.toString(16));
+ logger.fine(" ID: " + keyInfo.id.toString(16));
}
}
- logger.fine("Found private key " + keyInfo.subjectDN);
-
return keyInfo;
}
@@ -406,12 +417,11 @@ public class PKCS12Util {
byte[] x509cert = certStr.toByteArray();
certInfo.cert = new X509CertImpl(x509cert);
- logger.fine("Found certificate " + certInfo.cert.getSubjectDN());
+ logger.fine(" Subject DN: " + certInfo.cert.getSubjectDN());
SET bagAttrs = bag.getBagAttributes();
- if (bagAttrs == null) return certInfo;
- for (int i = 0; i < bagAttrs.size(); i++) {
+ for (int i = 0; bagAttrs != null && i < bagAttrs.size(); i++) {
Attribute attr = (Attribute) bagAttrs.elementAt(i);
OBJECT_IDENTIFIER oid = attr.getType();
@@ -425,7 +435,7 @@ public class PKCS12Util {
BMPString nickname = (BMPString) (new BMPString.Template()).decode(bis);
certInfo.nickname = nickname.toString();
- logger.fine("Nickname: " + certInfo.nickname);
+ logger.fine(" Nickname: " + certInfo.nickname);
} else if (oid.equals(SafeBag.LOCAL_KEY_ID)) {
@@ -437,7 +447,7 @@ public class PKCS12Util {
OCTET_STRING keyID = (OCTET_STRING) new OCTET_STRING.Template().decode(bis);
certInfo.id = new BigInteger(1, keyID.toByteArray());
- logger.fine("ID: " + certInfo.id.toString(16));
+ logger.fine(" ID: " + certInfo.id.toString(16));
} else if (oid.equals(PKCS12.CERT_TRUST_FLAGS_OID) && trustFlagsEnabled) {
@@ -448,16 +458,22 @@ public class PKCS12Util {
BMPString trustFlags = (BMPString) (new BMPString.Template()).decode(is);
certInfo.trustFlags = trustFlags.toString();
- logger.fine("Trust flags: " + certInfo.trustFlags);
+ logger.fine(" Trust flags: " + certInfo.trustFlags);
}
}
+ if (certInfo.id == null) {
+ logger.fine(" ID not specified, generating new ID");
+ certInfo.id = createLocalID(x509cert);
+ logger.fine(" ID: " + certInfo.id.toString(16));
+ }
+
return certInfo;
}
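Review bot: The new fallback `certInfo.id = createLocalID(x509cert)` silently changes what a cert bag's ID means — it is no longer necessarily the localKeyID read from the file — and deserves a comment such as `// no localKeyID attribute in the bag: derive one from the DER encoding, same as createLocalID(X509Certificate) assigns on export, so the entry can be matched and re-exported consistently`. By contrast `getKeyInfo` (the hunk at `@@ -387,12 +400,10 @@`) has no equivalent fallback, so `keyInfo.id` remains null for a key bag without a LOCAL_KEY_ID attribute; whatever pairs keys with certificates by ID needs to tolerate that, or the same fallback cannot apply there because the key bag carries no certificate to hash — either way the asymmetry should be stated in the comment. `x509cert` is assigned earlier in the method, outside this hunk.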
public void getKeyInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
- logger.fine("Getting private keys");
+ logger.fine("Load private keys:");
AuthenticatedSafes safes = pfx.getAuthSafes();
@@ -472,6 +488,7 @@ public class PKCS12Util {
if (!oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) continue;
+ logger.fine(" - Private key:");
PKCS12KeyInfo keyInfo = getKeyInfo(bag, password);
pkcs12.addKeyInfo(keyInfo);
}
@@ -480,7 +497,7 @@ public class PKCS12Util {
public void getCertInfos(PKCS12 pkcs12, PFX pfx, Password password) throws Exception {
- logger.fine("Getting certificates");
+ logger.fine("Loading certificates:");
AuthenticatedSafes safes = pfx.getAuthSafes();
@@ -495,6 +512,7 @@ public class PKCS12Util {
if (!oid.equals(SafeBag.CERT_BAG)) continue;
+ logger.fine(" - Certificate:");
PKCS12CertInfo certInfo = getCertInfo(bag);
pkcs12.addCertInfo(certInfo, true);
}