From 8bb918883ad8c1287d4085317e9330e18ec214b2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 9 Sep 2014 15:02:47 -0400 Subject: Added option to import client cert from CA. A new option has been added to the client-cert-import command to import a certificate from CA by specifying the serial number. The client-cert-import has also been modified to get the nickname of the certificate to import from the CLI argument. For backward compatibility, if no argument is specified the CLI will try to get the nickname from the authentication option (-n). Ticket #1152 --- .../cmstools/client/ClientCertImportCLI.java | 146 +++++++++++++-------- 1 file changed, 90 insertions(+), 56 deletions(-) (limited to 'base/java-tools/src') diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java index 90e3d0a3e..5080c55ea 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java @@ -20,13 +20,19 @@ package com.netscape.cmstools.client; import java.io.File; import java.io.FileOutputStream; +import java.io.FileWriter; +import java.io.PrintWriter; +import java.net.URI; import java.util.Arrays; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; -import org.apache.commons.io.FileUtils; +import com.netscape.certsrv.cert.CertClient; +import com.netscape.certsrv.cert.CertData; import com.netscape.certsrv.client.ClientConfig; +import com.netscape.certsrv.client.PKIClient; +import com.netscape.certsrv.dbs.certdb.CertId; import com.netscape.cmstools.cli.CLI; import com.netscape.cmstools.cli.MainCLI; @@ -45,7 +51,7 @@ public class ClientCertImportCLI extends CLI { } public void printHelp() { - formatter.printHelp(getFullName() + " [OPTIONS...]", options); + formatter.printHelp(getFullName() + " [OPTIONS...]", options); } public void createOptions() { @@ -58,6 +64,14 @@ public class ClientCertImportCLI extends CLI { options.addOption(option); options.addOption(null, "ca-server", false, "Import CA certificate from CA server"); + + option = new Option(null, "serial", true, "Serial number of certificate in CA"); + option.setArgName("serial number"); + options.addOption(option); + + option = new Option(null, "trust", true, "Trust attributes. Default: u,u,u."); + option.setArgName("trust attributes"); + options.addOption(option); } public void execute(String[] args) throws Exception { @@ -81,100 +95,120 @@ public class ClientCertImportCLI extends CLI { String[] cmdArgs = cmd.getArgs(); - if (cmdArgs.length != 0) { + if (cmdArgs.length > 1) { System.err.println("Error: Too many arguments specified."); printHelp(); System.exit(-1); } - byte[] bytes = null; + MainCLI mainCLI = (MainCLI)parent.getParent(); + + String nickname = null; + + // Get nickname from command argument if specified. + if (cmdArgs.length > 0) { + nickname = cmdArgs[0]; + } + + // Otherwise, get nickname from authentication option -n. + // This code is used to provide backward compatibility. + // TODO: deprecate/remove this code in 10.3. + if (nickname == null) { + nickname = mainCLI.config.getCertNickname(); + } + + if (nickname == null) { + System.err.println("Error: Missing certificate nickname."); + System.exit(-1); + } String certPath = cmd.getOptionValue("cert"); String caCertPath = cmd.getOptionValue("ca-cert"); boolean importFromCAServer = cmd.hasOption("ca-server"); + String serialNumber = cmd.getOptionValue("serial"); + String trustAttributes = cmd.getOptionValue("trust", "u,u,u"); - boolean isCACert = false; + File certFile; // load the certificate if (certPath != null) { if (verbose) System.out.println("Loading certificate from " + certPath + "."); - bytes = FileUtils.readFileToByteArray(new File(certPath)); - + certFile = new File(certPath); } else if (caCertPath != null) { if (verbose) System.out.println("Loading CA certificate from " + caCertPath + "."); - bytes = FileUtils.readFileToByteArray(new File(caCertPath)); + certFile = new File(caCertPath); - isCACert = true; + trustAttributes = "CT,c,"; } else if (importFromCAServer) { // late initialization - MainCLI mainCLI = (MainCLI)parent.parent; mainCLI.init(); client = mainCLI.getClient(); - ClientConfig config = client.getConfig(); + URI serverURI = mainCLI.config.getServerURI(); - String caServerURI = "http://" + config.getServerURI().getHost() + ":8080/ca"; + String caServerURI = serverURI.getScheme() + "://" + + serverURI.getHost() + ":" + serverURI.getPort() + "/ca"; if (verbose) System.out.println("Downloading CA certificate from " + caServerURI + "."); - bytes = client.downloadCACertChain(caServerURI); + byte[] bytes = client.downloadCACertChain(caServerURI); - isCACert = true; + certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase); + certFile.deleteOnExit(); - } else { - System.err.println("Error: Missing certificate to import"); - printHelp(); - System.exit(-1); - } + try (FileOutputStream out = new FileOutputStream(certFile)) { + out.write(bytes); + } - MainCLI mainCLI = (MainCLI)parent.getParent(); + trustAttributes = "CT,c,"; - if (mainCLI.config.getCertNickname() == null) { - System.err.println("Error: Certificate nickname is required."); - System.exit(-1); - } + } else if (serialNumber != null) { - File certDatabase = mainCLI.certDatabase; - File certFile = new File(certDatabase, "import.crt"); + // connect to CA anonymously + ClientConfig config = new ClientConfig(mainCLI.config); + config.setCertDatabase(null); + config.setCertPassword(null); + config.setCertNickname(null); - try { - try (FileOutputStream out = new FileOutputStream(certFile)) { - out.write(bytes); - } + PKIClient client = new PKIClient(config, null); + CertClient certClient = new CertClient(client, "ca"); - String flag; - if (isCACert) { - if (verbose) System.out.println("Importing CA certificate."); - flag = "CT,c,"; + CertData certData = certClient.getCert(new CertId(serialNumber)); - } else { - if (verbose) System.out.println("Importing certificate."); - flag = "u,u,u"; - } + certFile = File.createTempFile("pki-client-cert-import-", ".crt", mainCLI.certDatabase); + certFile.deleteOnExit(); - String[] commands = { - "/usr/bin/certutil", "-A", - "-d", certDatabase.getAbsolutePath(), - "-i", certFile.getAbsolutePath(), - "-n", mainCLI.config.getCertNickname(), - "-t", flag - }; - - Runtime rt = Runtime.getRuntime(); - Process p = rt.exec(commands); - - int rc = p.waitFor(); - if (rc != 0) { - MainCLI.printMessage("Import failed"); - return; + String encoded = certData.getEncoded(); + try (PrintWriter out = new PrintWriter(new FileWriter(certFile))) { + out.write(encoded); } - MainCLI.printMessage("Imported certificate \"" + mainCLI.config.getCertNickname() + "\""); + } else { + System.err.println("Error: Missing certificate to import"); + printHelp(); + System.exit(-1); + return; + } - } finally { - certFile.delete(); + String[] commands = { + "/usr/bin/certutil", "-A", + "-d", mainCLI.certDatabase.getAbsolutePath(), + "-i", certFile.getAbsolutePath(), + "-n", nickname, + "-t", trustAttributes + }; + + Runtime rt = Runtime.getRuntime(); + Process p = rt.exec(commands); + + int rc = p.waitFor(); + if (rc != 0) { + MainCLI.printMessage("Import failed"); + return; } + + MainCLI.printMessage("Imported certificate \"" + nickname + "\""); } } -- cgit