diff options
-rw-r--r-- | base/common/python/pki/nssdb.py | 12 | ||||
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java | 2 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/instance.py | 21 | ||||
-rw-r--r-- | base/server/python/pki/server/cli/subsystem.py | 21 | ||||
-rw-r--r-- | base/util/src/netscape/security/pkcs/PKCS12Util.java | 6 |
5 files changed, 58 insertions, 4 deletions
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 503bd412b..30b1d4793 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -545,6 +545,9 @@ class NSSDatabase(object): pkcs12_password_file=None, nicknames=None, append=False, + include_trust_flags=True, + include_key=True, + include_chain=True, debug=False): tmpdir = tempfile.mkdtemp() @@ -580,6 +583,15 @@ class NSSDatabase(object): if append: cmd.extend(['--append']) + if not include_trust_flags: + cmd.extend(['--no-trust-flags']) + + if not include_key: + cmd.extend(['--no-key']) + + if not include_chain: + cmd.extend(['--no-chain']) + if debug: cmd.extend(['--debug']) diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java index 728a9efd1..08a0850ff 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java @@ -150,7 +150,7 @@ public class PKCS12ExportCLI extends CLI { if (nicknames.length == 0) { // load all certificates - util.loadFromNSS(pkcs12); + util.loadFromNSS(pkcs12, includeKey, includeChain); } else { // load the specified certificates diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py index 4eeee5d60..7520b32b8 100644 --- a/base/server/python/pki/server/cli/instance.py +++ b/base/server/python/pki/server/cli/instance.py @@ -77,6 +77,9 @@ class InstanceCertExportCLI(pki.cli.CLI): print(' --pkcs12-password <password> Password for the PKCS #12 file.') print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.') print(' --append Append into an existing PKCS #12 file.') + print(' --no-trust-flags Do not include trust flags') + print(' --no-key Do not include private key') + print(' --no-chain Do not include certificate chain') print(' -v, --verbose Run in verbose mode.') print(' --debug Run in debug mode.') print(' --help Show help message.') @@ -88,7 +91,8 @@ class InstanceCertExportCLI(pki.cli.CLI): opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'append', 'verbose', 'debug', 'help']) + 'append', 'no-trust-flags', 'no-key', 'no-chain', + 'verbose', 'debug', 'help']) except getopt.GetoptError as e: print('ERROR: ' + str(e)) @@ -102,6 +106,9 @@ class InstanceCertExportCLI(pki.cli.CLI): pkcs12_password = None pkcs12_password_file = None append = False + include_trust_flags = True + include_key = True + include_chain = True debug = False for o, a in opts: @@ -120,6 +127,15 @@ class InstanceCertExportCLI(pki.cli.CLI): elif o == '--append': append = True + elif o == '--no-trust-flags': + include_trust_flags = False + + elif o == '--no-key': + include_key = False + + elif o == '--no-chain': + include_chain = False + elif o in ('-v', '--verbose'): self.set_verbose(True) @@ -154,6 +170,9 @@ class InstanceCertExportCLI(pki.cli.CLI): pkcs12_password_file=pkcs12_password_file, nicknames=nicknames, append=append, + include_trust_flags=include_trust_flags, + include_key=include_key, + include_chain=include_chain, debug=debug) finally: nssdb.close() diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index fe395aad6..03d48f926 100644 --- a/base/server/python/pki/server/cli/subsystem.py +++ b/base/server/python/pki/server/cli/subsystem.py @@ -465,6 +465,9 @@ class SubsystemCertExportCLI(pki.cli.CLI): print(' --pkcs12-password <password> Password for the PKCS #12 file.') print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.') print(' --append Append into an existing PKCS #12 file.') + print(' --no-trust-flags Do not include trust flags') + print(' --no-key Do not include private key') + print(' --no-chain Do not include certificate chain') print(' -v, --verbose Run in verbose mode.') print(' --debug Run in debug mode.') print(' --help Show help message.') @@ -476,7 +479,8 @@ class SubsystemCertExportCLI(pki.cli.CLI): opts, args = getopt.gnu_getopt(argv, 'i:v', [ 'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', - 'append', 'verbose', 'debug', 'help']) + 'append', 'no-trust-flags', 'no-key', 'no-chain', + 'verbose', 'debug', 'help']) except getopt.GetoptError as e: print('ERROR: ' + str(e)) @@ -497,6 +501,9 @@ class SubsystemCertExportCLI(pki.cli.CLI): pkcs12_password = None pkcs12_password_file = None append = False + include_trust_flags = True + include_key = True + include_chain = True debug = False for o, a in opts: @@ -521,6 +528,15 @@ class SubsystemCertExportCLI(pki.cli.CLI): elif o == '--append': append = True + elif o == '--no-trust-flags': + include_trust_flags = False + + elif o == '--no-key': + include_key = False + + elif o == '--no-chain': + include_chain = False + elif o in ('-v', '--verbose'): self.set_verbose(True) @@ -591,6 +607,9 @@ class SubsystemCertExportCLI(pki.cli.CLI): pkcs12_password_file=pkcs12_password_file, nicknames=nicknames, append=append, + include_trust_flags=include_trust_flags, + include_key=include_key, + include_chain=include_chain, debug=debug) finally: diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java index 43435c822..571ee1881 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12Util.java +++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java @@ -239,6 +239,10 @@ public class PKCS12Util { } public void loadFromNSS(PKCS12 pkcs12) throws Exception { + loadFromNSS(pkcs12, true, true); + } + + public void loadFromNSS(PKCS12 pkcs12, boolean includeKey, boolean includeChain) throws Exception { logger.info("Loading all certificate and keys from NSS database"); @@ -247,7 +251,7 @@ public class PKCS12Util { CryptoStore store = token.getCryptoStore(); for (X509Certificate cert : store.getCertificates()) { - loadCertFromNSS(pkcs12, cert, true, true); + loadCertFromNSS(pkcs12, cert, includeKey, includeChain); } } |