From 94a964ac6285683a90f2f5cd484a6cc4fc25f82f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 18 Nov 2013 11:11:16 -0500
Subject: Fixed client-cert-import command.

Previously client-cert-import uses a JSS method that calls NSS function PK11_ImportDERCertForKey(). To import certificate without key it should use PK11_ImportCert but it's only available via certutil. So for now the client-cert-import has been modified to call certutil until the interface is added to JSS.

The MainCLI has been modified not to call CryptoManager.initialize() to avoid locking up the security database while importing the certificate using certutil.
---
 .../src/com/netscape/cmstools/cli/MainCLI.java | 3 +-
 .../cmstools/client/ClientCertImportCLI.java | 54 ++++++++++++++++++----
 2 files changed, 47 insertions(+), 10 deletions(-)

(limited to 'base/java-tools/src/com')

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 28a2113a8..7de46a06c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -347,7 +347,8 @@ public class MainCLI extends CLI {
 // Do not call CryptoManager.initialize() on client-init
 // because otherwise the database will be locked.
- if (!cmdArgs[0].equals("client-init")) {
+ String command = cmdArgs[0];
+ if (!command.equals("client-init") && !command.equals("client-cert-import")) {
 init();
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
index 1ced6727f..0376b7f90 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
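Review bot: The comment directly above the changed condition still says the initialization is skipped only `on client-init`, so it no longer describes the code once `client-cert-import` joins the exclusion; it should read `// Do not call CryptoManager.initialize() on client-init or client-cert-import,` followed by `// because otherwise the database will be locked while certutil needs it.` With two commands now special-cased, the exclusion would also be clearer as a named `Set<String>` of commands that must not initialize the CryptoManager, checked with `contains(command)`, so the next exception does not extend the boolean expression again. The enclosing method of MainCLI starts and ends outside the hunk, so I cannot tell from here whether `cmdArgs` has already been checked for being empty before `cmdArgs[0]` is read.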
@@ -19,6 +19,7 @@ package com.netscape.cmstools.client;
 import java.io.File;
+import java.io.FileOutputStream;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
@@ -106,17 +107,52 @@ public class ClientCertImportCLI extends CLI {
 System.exit(1);
 }
- // import the certificate
- if (isCACert) {
- if (verbose) System.out.println("Importing CA certificate.");
- cert = client.importCACertPackage(bytes);
+ MainCLI mainCLI = (MainCLI)parent.getParent();
- } else {
- if (verbose) System.out.println("Importing certificate.");
- cert = client.importCertPackage(bytes, client.config.getCertNickname());
+ if (mainCLI.config.getCertNickname() == null) {
+ System.err.println("Error: Certificate nickname is required.");
+ System.exit(1);
 }
- MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\"");
- ClientCLI.printCertInfo(cert);
+ File certDatabase = mainCLI.certDatabase;
+ File certFile = new File(certDatabase, "import.crt");
+
+ try {
+ try (FileOutputStream out = new FileOutputStream(certFile)) {
+ out.write(bytes);
+ }
+
+ String flag;
+ if (isCACert) {
+ if (verbose) System.out.println("Importing CA certificate.");
+ flag = "CT,c,";
+
+ } else {
+ if (verbose) System.out.println("Importing certificate.");
+ flag = "u,u,u";
+ }
+
+ String[] commands = {
+ "/usr/bin/certutil", "-A",
+ "-d", certDatabase.getAbsolutePath(),
+ "-i", certFile.getAbsolutePath(),
+ "-n", mainCLI.config.getCertNickname(),
+ "-t", flag
+ };
+
+ Runtime rt = Runtime.getRuntime();
+ Process p = rt.exec(commands);
+
+ int rc = p.waitFor();
+ if (rc != 0) {
+ MainCLI.printMessage("Import failed");
+ return;
+ }
+
+ MainCLI.printMessage("Imported certificate \"" + mainCLI.config.getCertNickname() + "\"");
+
+ } finally {
+ certFile.delete();
+ }
 }
 }
-- cgit
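Review bot: The certutil child started with `rt.exec(commands)` has its stdout and stderr attached to pipes that nothing reads, so whatever certutil prints when it refuses the certificate is lost (the user only sees `Import failed`), and if certutil writes more than the pipe buffer `p.waitFor()` blocks indefinitely. Starting it through a `ProcessBuilder` that inherits the parent's stdio (or drains and logs the output) and reporting the exit status fixes both, as sketched below. Separately, `new File(certDatabase, "import.crt")` is a fixed, predictable name inside the database directory, so two concurrent imports overwrite each other's file; `File.createTempFile("import", ".crt", certDatabase)` avoids that, and the ignored result of `certFile.delete()` deserves at least a verbose-mode warning since a leftover file would hold the imported certificate. Passing the nickname as its own argv element avoids shell interpretation, but certutil may still read a nickname that begins with `-` as an option, so rejecting such a value before invoking it is worth considering. The enclosing execute method begins before this hunk.
```java
// … unchanged: temp file write, trust-flag selection, certutil argument array …
ProcessBuilder pb = new ProcessBuilder(commands);
pb.redirectErrorStream(true);
pb.inheritIO();   // certutil's diagnostics reach the user instead of an unread pipe
Process p = pb.start();

int rc = p.waitFor();
if (rc != 0) {
    System.err.println("Error: certutil exited with status " + rc);
    return;
}
// … unchanged: success message, finally/delete …
```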