Diffstat (limited to 'base/common/python/pki')
-rw-r--r-- | base/common/python/pki/cli/pkcs12.py | 127 | ||||
-rw-r--r-- | base/common/python/pki/nssdb.py | 76 |
2 files changed, 182 insertions, 21 deletions
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index c0bf9aff0..a57dfd9ba 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -21,9 +21,14 @@ from __future__ import absolute_import
from __future__ import print_function
import getopt
+import os
+import re
+import shutil
import sys
+import tempfile
import pki.cli
+import pki.nssdb
class PKCS12CLI(pki.cli.CLI):
@@ -107,6 +112,126 @@ class PKCS12ImportCLI(pki.cli.CLI): main_cli = self.parent.parent + # Due to JSS limitation, CA certificates need to be imported + # using certutil in order to preserve the nickname stored in + # the PKCS #12 file. + + if main_cli.verbose: + print('Getting certificate infos in PKCS #12 file') + + ca_certs = [] + user_certs = [] + + tmpdir = tempfile.mkdtemp() + + try: + + # find all certs in PKCS #12 file + output_file = os.path.join(tmpdir, 'pkcs12-cert-find.txt') + with open(output_file, 'wb') as f: + + cmd = ['pkcs12-cert-find'] + + if pkcs12_file: + cmd.extend(['--pkcs12', pkcs12_file]) + + if pkcs12_password: + cmd.extend(['--pkcs12-password', pkcs12_password]) + + if password_file: + cmd.extend(['--pkcs12-password-file', password_file]) + + if no_trust_flags: + cmd.extend(['--no-trust-flags']) + + main_cli.execute_java(cmd, stdout=f) + + # determine cert types + with open(output_file, 'r') as f: + + cert_info = None + + for line in f.readlines(): + + match = re.match(r' Nickname: (.*)$', line) + if match: + # store previous cert + if cert_info: + if 'key_id' in cert_info: + # if cert has key, it's a user cert + user_certs.append(cert_info) + else: + # otherwise it's a CA cert + ca_certs.append(cert_info) + + cert_info = {} + cert_info['nickname'] = match.group(1) + continue + + match = re.match(r' Key ID: (.*)$', line) + if match: + cert_info['key_id'] = match.group(1) + continue + + match = re.match(r' Trust Flags: (.*)$', line) + if match: + cert_info['trust_flags'] = match.group(1) + continue + + # store last cert + if cert_info: + if 'key_id' in cert_info: + # if cert has key, it's a user cert + user_certs.append(cert_info) + else: + # otherwise it's a CA cert + ca_certs.append(cert_info) + + cert_file = os.path.join(tmpdir, 'ca-cert.pem') + + nssdb = pki.nssdb.NSSDatabase( + main_cli.database, + token=main_cli.token, + password=main_cli.password, + password_file=main_cli.password_file) + + for cert_info in ca_certs: + + nickname = 
cert_info['nickname'] + trust_flags = cert_info['trust_flags'] + + if main_cli.verbose: + print('Exporting %s from PKCS #12 file' % nickname) + + cmd = ['pkcs12-cert-export'] + + if pkcs12_file: + cmd.extend(['--pkcs12', pkcs12_file]) + + if pkcs12_password: + cmd.extend(['--pkcs12-password', pkcs12_password]) + + if password_file: + cmd.extend(['--pkcs12-password-file', password_file]) + + cmd.extend(['--cert-file', cert_file, nickname]) + + main_cli.execute_java(cmd) + + if main_cli.verbose: + print('Importing %s' % nickname) + + nssdb.add_cert(nickname, cert_file, trust_flags) + + finally: + shutil.rmtree(tmpdir) + + # importing user certs + + nicknames = [] + for cert_info in user_certs: + nicknames.append(cert_info['nickname']) + cmd = ['pkcs12-import'] if pkcs12_file: @@ -121,4 +246,6 @@ class PKCS12ImportCLI(pki.cli.CLI): if no_trust_flags: cmd.extend(['--no-trust-flags']) + cmd.extend(nicknames) + main_cli.execute_java(cmd) diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py index 3b34805b1..a428e397a 100644 --- a/base/common/python/pki/nssdb.py +++ b/base/common/python/pki/nssdb.py @@ -99,7 +99,11 @@ def get_file_type(filename): class NSSDatabase(object): - def __init__(self, directory, token='internal', password=None, password_file=None): + def __init__(self, directory=None, token=None, password=None, password_file=None): + + if not directory: + directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb') + self.directory = directory self.token = token @@ -127,13 +131,18 @@ class NSSDatabase(object): cmd = [ 'certutil', '-A', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-n', nickname, '-i', cert_file, '-t', trust_attributes - ] + ]) subprocess.check_call(cmd) 
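Review bot: `trust_flags = cert_info['trust_flags']` in the CA import loop assumes every entry reported by pkcs12-cert-find carried a Trust Flags line, yet the same hunk forwards `--no-trust-flags` to that command; if that option suppresses the line the loop raises KeyError, and if it does not, the flags stored in the PKCS #12 file are still applied to the NSS database, which defeats the option. A safer line is `trust_flags = ',,' if no_trust_flags else cert_info.get('trust_flags', ',,')`, so a missing or disabled flag string falls back to certutil's no-trust value instead of a crash or an unintended trust grant from file-supplied data. The parser also does `cert_info['key_id'] = match.group(1)` before any Nickname line has created the dict, so a Key ID line appearing first would fail with TypeError on None; an `if cert_info is not None` guard would make it tolerant. Separately, the two new invocations (pkcs12-cert-find and the per-cert pkcs12-cert-export) each pass `--pkcs12-password` on the command line, so the secret is exposed to local process listings more often than before; writing it to a file under the already-created `tmpdir` and passing `--pkcs12-password-file` would avoid that. The enclosing execute method starts and ends outside the hunk.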
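Review bot: `cmd.extend(nicknames)` appends the user-cert nicknames unconditionally, so when the PKCS #12 file holds only CA certificates the list is empty and pkcs12-import runs with no nickname argument; if that tool treats an empty selection as "import everything", the CA certs just imported through certutil would be imported a second time through JSS, which is what this change sets out to avoid. Wrapping the whole pkcs12-import invocation in `if nicknames:` (with a verbose message for the skipped case) would make the intended behaviour explicit. The enclosing execute method starts outside the hunk.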
@@ -144,12 +153,17 @@ class NSSDatabase(object): cmd = [ 'certutil', '-M', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-n', nickname, '-t', trust_attributes - ] + ]) subprocess.check_call(cmd) @@ -189,13 +203,18 @@ class NSSDatabase(object): cmd = [ 'certutil', '-R', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-s', subject_dn, '-o', binary_request_file, '-z', noise_file - ] + ]) if key_type: cmd.extend(['-k', key_type]) @@ -241,8 +260,13 @@ class NSSDatabase(object): 'certutil', '-C', '-x', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-c', subject_dn, '-a', @@ -255,7 +279,7 @@ class NSSDatabase(object): '-3', '--extSKID', '--extAIA' - ] + ]) p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) @@ -334,12 +358,17 @@ class NSSDatabase(object): cmd = [ 'certutil', '-L', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-n', nickname, output_format_option - ] + ]) cert_data = subprocess.check_output(cmd) @@ -353,11 +382,16 @@ class NSSDatabase(object): cmd = [ 'certutil', '-D', - '-d', self.directory, - '-h', self.token, + '-d', self.directory + ] + + if self.token: + cmd.extend(['-h', self.token]) + + cmd.extend([ '-f', self.password_file, '-n', nickname - ] + ]) subprocess.check_call(cmd) @@ -494,7 +528,7 @@ class NSSDatabase(object): '-C', self.password_file ] - if self.token and self.token != 'internal': + if self.token: cmd.extend(['--token', self.token]) cmd.extend([ 
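Review bot: The `!= 'internal'` part of the guard is dropped in the `@@ -494,7 +528,7 @@` hunk and again in the `@@ -531,7 +565,7 @@` hunk, so a caller that still passes `token='internal'` (the previous constructor default) now has `--token internal` forwarded to the Java pkcs12 tool, whereas before the internal token was deliberately omitted. Unless that tool is known to accept 'internal' as a token name, keeping `if self.token and self.token != 'internal':` in both places, or normalising `'internal'` to None once in `__init__`, preserves compatibility with existing callers. Both hunks lie inside methods whose start is outside the visible lines.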
@@ -531,7 +565,7 @@ class NSSDatabase(object): '-C', self.password_file ] - if self.token and self.token != 'internal': + if self.token: cmd.extend(['--token', self.token]) cmd.extend(['pkcs12-export']) |