Diffstat (limited to 'base/java-tools')
-rw-r--r--base/java-tools/bin/pki233
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java14
-rw-r--r--base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java9
3 files changed, 31 insertions, 225 deletions
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index 53e1b893a..6060a6e11 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -1,7 +1,6 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata <edewata@redhat.com>
+#!/bin/sh
#
+# --- BEGIN COPYRIGHT BLOCK ---
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
@@ -15,222 +14,26 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-# Copyright (C) 2014 Red Hat, Inc.
+# Copyright (C) 2017 Red Hat, Inc.
# All rights reserved.
+# --- END COPYRIGHT BLOCK ---
#
-from __future__ import absolute_import
-from __future__ import print_function
-import shlex
-import subprocess
-import sys
-import traceback
+# default PKI configuration
+. /usr/share/pki/etc/pki.conf
-import pki.cli
-import pki.cli.pkcs12
+# system-wide PKI configuration
+if [ -f /etc/pki/pki.conf ]
+then
+ . /etc/pki/pki.conf
+fi
+# user-specific PKI configuration
+if [ -f $HOME/.dogtag/pki.conf ]
+then
+ . $HOME/.dogtag/pki.conf
+fi
-PYTHON_COMMANDS = ['pkcs12-import']
+python -m pki.cli.main "$@"
-
-class PKICLI(pki.cli.CLI):
-
- def __init__(self):
- super(PKICLI, self).__init__(
- 'pki', 'PKI command-line interface')
-
- self.database = None
- self.password = None
- self.password_file = None
- self.token = None
-
- self.add_module(pki.cli.pkcs12.PKCS12CLI())
-
- def get_full_module_name(self, module_name):
- return module_name
-
- def print_help(self):
- print('Usage: pki [OPTIONS]')
- print()
- print(' --client-type <type> PKI client type (default: java)')
- print(' -d <path> Client security database location ' +
- '(default: ~/.dogtag/nssdb)')
- print(' -c <password> Client security database password ' +
- '(mutually exclusive to the -C option)')
- print(' -C <path> Client-side password file ' +
- '(mutually exclusive to the -c option)')
- print(' --token <name> Security token name')
- print()
- print(' -v, --verbose Run in verbose mode.')
- print(' --debug Show debug messages.')
- print(' --help Show help message.')
- print()
-
- super(PKICLI, self).print_help()
-
- def execute_java(self, args, stdout=sys.stdout):
-
- # read Java home
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $JAVA_HOME',
- shell=True)
- java_home = value.decode(sys.getfilesystemencoding()).strip()
-
- # read PKI library
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
- shell=True)
- pki_lib = value.decode(sys.getfilesystemencoding()).strip()
-
- # read logging configuration path
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $LOGGING_CONFIG',
- shell=True)
- logging_config = value.decode(sys.getfilesystemencoding()).strip()
-
- cmd = [
- java_home + '/bin/java',
- '-Djava.ext.dirs=' + pki_lib,
- '-Djava.util.logging.config.file=' + logging_config,
- 'com.netscape.cmstools.cli.MainCLI'
- ]
-
- # restore options for Java commands
-
- if self.database:
- cmd.extend(['-d', self.database])
-
- if self.password:
- cmd.extend(['-c', self.password])
-
- if self.password_file:
- cmd.extend(['-C', self.password_file])
-
- if self.token and self.token != 'internal':
- cmd.extend(['--token', self.token])
-
- if self.verbose:
- cmd.extend(['--verbose'])
-
- cmd.extend(args)
-
- if self.verbose:
- print('Java command: %s' % ' '.join(cmd))
-
- subprocess.check_call(cmd, stdout=stdout)
-
- def execute(self, argv):
-
- # append global options
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_CLI_OPTIONS',
- shell=True)
- value = value.decode(sys.getfilesystemencoding()).strip()
- args = shlex.split(value)
- args.extend(argv[1:])
-
- client_type = 'java'
-
- pki_options = []
- command = None
- cmd_args = []
-
- # read pki options before the command
- # remove options for Python module
-
- i = 0
- while i < len(args):
- # if arg is a command, stop
- if args[i][0] != '-':
- command = args[i]
- break
-
- # get database path
- if args[i] == '-d':
- self.database = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get database password
- elif args[i] == '-c':
- self.password = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get database password file path
- elif args[i] == '-C':
- self.password_file = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get token name
- elif args[i] == '--token':
- self.token = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # check verbose option
- elif args[i] == '-v' or args[i] == '--verbose':
- self.set_verbose(True)
- pki_options.append(args[i])
- i = i + 1
-
- # check debug option
- elif args[i] == '--debug':
- self.set_verbose(True)
- self.set_debug(True)
- pki_options.append(args[i])
- i = i + 1
-
- # get client type
- elif args[i] == '--client-type':
- client_type = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- else: # otherwise, save the arg for the next module
- cmd_args.append(args[i])
- i = i + 1
-
- # save the rest of the args
- while i < len(args):
- cmd_args.append(args[i])
- i = i + 1
-
- if self.verbose:
- print('PKI options: %s' % ' '.join(pki_options))
- print('PKI command: %s %s' % (command, ' '.join(cmd_args)))
-
- if client_type == 'python' or command in PYTHON_COMMANDS:
- (module, module_args) = self.parse_args(cmd_args)
- module.execute(module_args)
-
- elif client_type == 'java':
- self.execute_java(cmd_args)
-
- else:
- raise Exception('Unsupported client type: ' + client_type)
-
-
-if __name__ == '__main__':
-
- cli = PKICLI()
-
- try:
- cli.execute(sys.argv)
-
- except subprocess.CalledProcessError as e:
- if cli.verbose:
- print('ERROR: %s' % e)
- elif cli.debug:
- traceback.print_exc()
- sys.exit(e.returncode)
-
- except KeyboardInterrupt:
- print()
- sys.exit(-1)
+exit $?
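Review bot: The new user-config lines `if [ -f $HOME/.dogtag/pki.conf ]` and `. $HOME/.dogtag/pki.conf` leave `$HOME` unquoted, so an unset HOME or one containing whitespace turns the test into a syntax error or a different path; write `if [ -f "$HOME/.dogtag/pki.conf" ]` and `. "$HOME/.dogtag/pki.conf"`. The trailing `python -m pki.cli.main "$@"` followed by `exit $?` can be `exec python -m pki.cli.main "$@"`, which hands the Python process's exit status straight to the caller without the extra shell wrapper and makes the separate `exit` unnecessary. Note that `/usr/share/pki/etc/pki.conf` is sourced unconditionally while the other two files are guarded; if that asymmetry is deliberate (a hard packaging dependency), a one-line comment saying so would spare the next reader from adding a guard.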
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 8d5bd1f8a..0a05a395a 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -59,7 +59,6 @@ import org.mozilla.jss.crypto.KeyGenerator;
import org.mozilla.jss.crypto.KeyPairAlgorithm;
import org.mozilla.jss.crypto.KeyPairGenerator;
import org.mozilla.jss.crypto.KeyWrapAlgorithm;
-import org.mozilla.jss.crypto.KeyWrapper;
import org.mozilla.jss.crypto.Signature;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.crypto.SymmetricKey;
@@ -551,9 +550,12 @@ public class CRMFPopClient {
public byte[] wrapPrivateKey(CryptoToken token, SymmetricKey sessionKey, byte[] iv, KeyPair keyPair) throws Exception {
// wrap private key using session
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(sessionKey, new IVParameterSpec(iv));
- return wrapper.wrap((org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate());
+ return CryptoUtil.wrapUsingSymmetricKey(
+ token,
+ sessionKey,
+ (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
+ new IVParameterSpec(iv),
+ KeyWrapAlgorithm.DES3_CBC_PAD);
}
public byte[] wrapSessionKey(CryptoToken token, X509Certificate transportCert, SymmetricKey sessionKey) throws Exception {
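Review bot: `wrapPrivateKey` still hard-codes `KeyWrapAlgorithm.DES3_CBC_PAD` as the last argument of the new `CryptoUtil.wrapUsingSymmetricKey` call, so the refactor keeps 3DES as the only private-key wrapping algorithm even though the helper now takes the algorithm as a parameter. If the choice is dictated by what the receiving KRA accepts, a comment such as `// DES3_CBC_PAD is what the KRA currently expects for the wrapped private key; keep in sync with the server side` would stop a later reader from treating it as an oversight; otherwise consider an overload that accepts the `KeyWrapAlgorithm` (with `DES3_CBC_PAD` as the default for compatibility) so callers can move to an AES wrap without touching this class. Which algorithms the server side accepts is not visible in this hunk. The same pattern appears in the `wrapSessionKey` hunk below with `KeyWrapAlgorithm.RSA`, where the existing comment already records the restriction.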
@@ -561,9 +563,7 @@ public class CRMFPopClient {
// wrap session key using KRA transport cert
// currently, a transport cert has to be an RSA cert,
// regardless of the key you are wrapping
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
- wrapper.initWrap(transportCert.getPublicKey(), null);
- return wrapper.wrap(sessionKey);
+ return CryptoUtil.wrapUsingPublicKey(token, transportCert.getPublicKey(), sessionKey, KeyWrapAlgorithm.RSA);
}
public CertRequest createCertRequest(
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
index 22bddcf32..a3f1deb36 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
@@ -18,6 +18,7 @@
package com.netscape.cmstools.client;
+import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -97,11 +98,13 @@ public class ClientCertValidateCLI extends CLI {
CryptoManager cm = CryptoManager.getInstance();
if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
- if (cm.isCertValid(nickname, true, cu)) {
+ try {
+ cm.verifyCertificate(nickname, true, cu);
System.out.println("Valid certificate: " + nickname);
return true;
- } else {
- System.out.println("Invalid certificate: " + nickname);
+ } catch (CertificateException e) {
+ // Invalid certificate: (<code>) <message>
+ System.out.println(e.getMessage());
return false;
}