From 7e42ef2f63a73931610252db3e30b8a7357e4425 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 8 Mar 2017 23:46:30 -0500
Subject: Refactor crypto code
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
---
 .../src/com/netscape/cmstools/CRMFPopClient.java | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'base/java-tools')
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 8d5bd1f8a..0a05a395a 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -59,7 +59,6 @@ import org.mozilla.jss.crypto.KeyGenerator;
 import org.mozilla.jss.crypto.KeyPairAlgorithm;
 import org.mozilla.jss.crypto.KeyPairGenerator;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
-import org.mozilla.jss.crypto.KeyWrapper;
 import org.mozilla.jss.crypto.Signature;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.SymmetricKey;
@@ -551,9 +550,12 @@ public class CRMFPopClient {
 public byte[] wrapPrivateKey(CryptoToken token, SymmetricKey sessionKey, byte[] iv, KeyPair keyPair) throws Exception {
 // wrap private key using session
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(sessionKey, new IVParameterSpec(iv));
- return wrapper.wrap((org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate());
+ return CryptoUtil.wrapUsingSymmetricKey(
+ token,
+ sessionKey,
+ (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
+ new IVParameterSpec(iv),
+ KeyWrapAlgorithm.DES3_CBC_PAD);
 }
 public byte[] wrapSessionKey(CryptoToken token, X509Certificate transportCert, SymmetricKey sessionKey) throws Exception {
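Review bot: The private-key wrap in `wrapPrivateKey` is still hard-wired to `KeyWrapAlgorithm.DES3_CBC_PAD` as the last argument of the new `CryptoUtil.wrapUsingSymmetricKey(...)` call, so the refactor carries a 64-bit-block legacy cipher forward for what is presumably the key material archived at the KRA; now that the algorithm is a parameter of the helper, this is the natural place to take it from configuration (an AES CBC wrap, say) instead of a literal, provided the KRA's unwrap side accepts it. The `iv` passed via `new IVParameterSpec(iv)` must match the block size of whichever algorithm is chosen, and its length is not checked here — the caller is outside the hunk. The `(org.mozilla.jss.crypto.PrivateKey)` cast throws a bare `ClassCastException` for a key pair not generated on a JSS token; a one-line `instanceof` guard with a descriptive `IllegalArgumentException` would make that failure readable. The method is fully contained in this hunk.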
@@ -561,9 +563,7 @@ public class CRMFPopClient {
 // wrap session key using KRA transport cert
 // currently, a transport cert has to be an RSA cert,
 // regardless of the key you are wrapping
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
- wrapper.initWrap(transportCert.getPublicKey(), null);
- return wrapper.wrap(sessionKey);
+ return CryptoUtil.wrapUsingPublicKey(token, transportCert.getPublicKey(), sessionKey, KeyWrapAlgorithm.RSA);
 }
 public CertRequest createCertRequest(
-- cgit
From 3253d852eb50d30f30a37800f0cf16898a038b6c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Mon, 13 Mar 2017 21:42:49 +0100
Subject: Troubleshooting improvement for ClientCertValidateCLI.
The ClientCertValidateCLI has been modified to display the NSS error code and error message for invalid certificates.
---
 .../src/com/netscape/cmstools/client/ClientCertValidateCLI.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
(limited to 'base/java-tools')
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
index 22bddcf32..a3f1deb36 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertValidateCLI.java
@@ -18,6 +18,7 @@
 package com.netscape.cmstools.client;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
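Review bot: Nothing enforces the precondition the comment states — that the transport cert must be RSA — before `transportCert.getPublicKey()` is handed to `CryptoUtil.wrapUsingPublicKey(..., KeyWrapAlgorithm.RSA)`, so a cert with a non-RSA key fails deep inside the token with an opaque error; add `if (!(transportCert.getPublicKey() instanceof java.security.interfaces.RSAPublicKey)) throw new IllegalArgumentException("Transport certificate must have an RSA key");` ahead of the call. If `KeyWrapAlgorithm.RSA` maps to the plain PKCS#1 v1.5 mechanism rather than OAEP (it appears to, but that is JSS-defined and not visible here), the wrapped session key is exposed to padding-oracle attacks whenever the KRA's unwrap failures are distinguishable to the caller; a comment recording that and pointing at OAEP once both ends support it would be worthwhile. The `wrapSessionKey` signature sits in the previous hunk's trailing context, not in this one.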
@@ -97,11 +98,13 @@ public class ClientCertValidateCLI extends CLI {
 CryptoManager cm = CryptoManager.getInstance();
 if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
- if (cm.isCertValid(nickname, true, cu)) {
+ try {
+ cm.verifyCertificate(nickname, true, cu);
 System.out.println("Valid certificate: " + nickname);
 return true;
- } else {
- System.out.println("Invalid certificate: " + nickname);
+ } catch (CertificateException e) {
+ // Invalid certificate: ()
+ System.out.println(e.getMessage());
 return false;
 }
-- cgit
From 07135b5906f97a8c68148a07484e63d6896f410b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 15 Mar 2017 08:13:35 +0100
Subject: Added cascading configuration for PKI CLI.
The PKI CLI has been modified to support cascading configuration files: default, system-wide, and user-specific configuration. The existing Python-based PKI CLI was moved into pki.cli.main module. A new shell script was added as a replacement which will read the configuration files and invoke the Python module.
---
 base/java-tools/bin/pki | 233 ++++-------------------------------------------
 1 file changed, 18 insertions(+), 215 deletions(-)
(limited to 'base/java-tools')
diff --git a/base/java-tools/bin/pki b/base/java-tools/bin/pki
index 53e1b893a..6060a6e11 100644
--- a/base/java-tools/bin/pki
+++ b/base/java-tools/bin/pki
@@ -1,7 +1,6 @@
-#!/usr/bin/python
-# Authors:
-# Endi S. Dewata
+#!/bin/sh
 #
+# --- BEGIN COPYRIGHT BLOCK ---
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation; version 2 of the License.
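Review bot: The new `catch (CertificateException e)` block prints `e.getMessage()` on its own, which prints the literal `null` if JSS supplies no message and, unless the message already embeds the nickname (the placeholder comment `// Invalid certificate: ()` suggests it does, but its placeholders appear to have been lost), no longer tells the user which certificate failed; `System.out.println("Invalid certificate: " + nickname + (e.getMessage() != null ? " (" + e.getMessage() + ")" : ""));` keeps the old output recognisable while still showing the NSS detail the commit adds. Only `CertificateException` is caught, so any other failure from `verifyCertificate` — a nickname absent from the database, for instance, if that raises a different type — now escapes as an uncaught stack trace instead of a one-line message. The exception object is discarded, so in a verbose run the trace is unavailable; printing it when the CLI's verbose flag is set (if one is in scope) would help troubleshooting, which is the stated goal of the commit. The enclosing method begins before this hunk.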
@@ -15,222 +14,26 @@
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# Copyright (C) 2014 Red Hat, Inc.
+# Copyright (C) 2017 Red Hat, Inc.
 # All rights reserved.
+# --- END COPYRIGHT BLOCK ---
 #
-from __future__ import absolute_import
-from __future__ import print_function
-import shlex
-import subprocess
-import sys
-import traceback
+# default PKI configuration
+. /usr/share/pki/etc/pki.conf
-import pki.cli
-import pki.cli.pkcs12
+# system-wide PKI configuration
+if [ -f /etc/pki/pki.conf ]
+then
+ . /etc/pki/pki.conf
+fi
+# user-specific PKI configuration
+if [ -f $HOME/.dogtag/pki.conf ]
+then
+ . $HOME/.dogtag/pki.conf
+fi
-PYTHON_COMMANDS = ['pkcs12-import']
+python -m pki.cli.main "$@"
-
-class PKICLI(pki.cli.CLI):
-
- def __init__(self):
- super(PKICLI, self).__init__(
- 'pki', 'PKI command-line interface')
-
- self.database = None
- self.password = None
- self.password_file = None
- self.token = None
-
- self.add_module(pki.cli.pkcs12.PKCS12CLI())
-
- def get_full_module_name(self, module_name):
- return module_name
-
- def print_help(self):
- print('Usage: pki [OPTIONS]')
- print()
- print(' --client-type PKI client type (default: java)')
- print(' -d Client security database location ' +
- '(default: ~/.dogtag/nssdb)')
- print(' -c Client security database password ' +
- '(mutually exclusive to the -C option)')
- print(' -C Client-side password file ' +
- '(mutually exclusive to the -c option)')
- print(' --token Security token name')
- print()
- print(' -v, --verbose Run in verbose mode.')
- print(' --debug Show debug messages.')
- print(' --help Show help message.')
- print()
-
- super(PKICLI, self).print_help()
-
- def execute_java(self, args, stdout=sys.stdout):
-
- # read Java home
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . 
/etc/pki/pki.conf && echo $JAVA_HOME',
- shell=True)
- java_home = value.decode(sys.getfilesystemencoding()).strip()
-
- # read PKI library
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $PKI_LIB',
- shell=True)
- pki_lib = value.decode(sys.getfilesystemencoding()).strip()
-
- # read logging configuration path
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf && echo $LOGGING_CONFIG',
- shell=True)
- logging_config = value.decode(sys.getfilesystemencoding()).strip()
-
- cmd = [
- java_home + '/bin/java',
- '-Djava.ext.dirs=' + pki_lib,
- '-Djava.util.logging.config.file=' + logging_config,
- 'com.netscape.cmstools.cli.MainCLI'
- ]
-
- # restore options for Java commands
-
- if self.database:
- cmd.extend(['-d', self.database])
-
- if self.password:
- cmd.extend(['-c', self.password])
-
- if self.password_file:
- cmd.extend(['-C', self.password_file])
-
- if self.token and self.token != 'internal':
- cmd.extend(['--token', self.token])
-
- if self.verbose:
- cmd.extend(['--verbose'])
-
- cmd.extend(args)
-
- if self.verbose:
- print('Java command: %s' % ' '.join(cmd))
-
- subprocess.check_call(cmd, stdout=stdout)
-
- def execute(self, argv):
-
- # append global options
- value = subprocess.check_output(
- '. /usr/share/pki/etc/pki.conf && . 
/etc/pki/pki.conf && echo $PKI_CLI_OPTIONS',
- shell=True)
- value = value.decode(sys.getfilesystemencoding()).strip()
- args = shlex.split(value)
- args.extend(argv[1:])
-
- client_type = 'java'
-
- pki_options = []
- command = None
- cmd_args = []
-
- # read pki options before the command
- # remove options for Python module
-
- i = 0
- while i < len(args):
- # if arg is a command, stop
- if args[i][0] != '-':
- command = args[i]
- break
-
- # get database path
- if args[i] == '-d':
- self.database = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get database password
- elif args[i] == '-c':
- self.password = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get database password file path
- elif args[i] == '-C':
- self.password_file = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # get token name
- elif args[i] == '--token':
- self.token = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- # check verbose option
- elif args[i] == '-v' or args[i] == '--verbose':
- self.set_verbose(True)
- pki_options.append(args[i])
- i = i + 1
-
- # check debug option
- elif args[i] == '--debug':
- self.set_verbose(True)
- self.set_debug(True)
- pki_options.append(args[i])
- i = i + 1
-
- # get client type
- elif args[i] == '--client-type':
- client_type = args[i + 1]
- pki_options.append(args[i])
- pki_options.append(args[i + 1])
- i = i + 2
-
- else: # otherwise, save the arg for the next module
- cmd_args.append(args[i])
- i = i + 1
-
- # save the rest of the args
- while i < len(args):
- cmd_args.append(args[i])
- i = i + 1
-
- if self.verbose:
- print('PKI options: %s' % ' '.join(pki_options))
- print('PKI command: %s %s' % (command, ' '.join(cmd_args)))
-
- if client_type == 'python' or command in PYTHON_COMMANDS:
- (module, module_args) = self.parse_args(cmd_args)
- module.execute(module_args)
- 
elif client_type == 'java':
- self.execute_java(cmd_args)
-
- else:
- raise Exception('Unsupported client type: ' + client_type)
-
-
-if __name__ == '__main__':
-
- cli = PKICLI()
-
- try:
- cli.execute(sys.argv)
-
- except subprocess.CalledProcessError as e:
- if cli.verbose:
- print('ERROR: %s' % e)
- elif cli.debug:
- traceback.print_exc()
- sys.exit(e.returncode)
-
- except KeyboardInterrupt:
- print()
- sys.exit(-1)
+exit $?
-- cgit
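Review bot: `$HOME` is unquoted in both the `[ -f $HOME/.dogtag/pki.conf ]` test and the `. $HOME/.dogtag/pki.conf` line, so a home directory containing whitespace breaks the test and an unset `HOME` silently sources `/.dogtag/pki.conf`; use `if [ -n "$HOME" ] && [ -f "$HOME/.dogtag/pki.conf" ]` and `. "$HOME/.dogtag/pki.conf"`. The three config files are now executed as shell code, whereas the removed Python only extracted named variables (`echo $JAVA_HOME`, `$PKI_LIB`, `$LOGGING_CONFIG`, `$PKI_CLI_OPTIONS`), so anything written into a user-writable `~/.dogtag/pki.conf` runs with the caller's privileges; that is acceptable for the user's own session, but if `pki` is run under `sudo` with `HOME` preserved (distribution- and policy-dependent) it would execute an unprivileged user's file as root, which deserves at least a warning comment above the user-specific block, or an ownership check before sourcing. `python -m pki.cli.main "$@"` picks whichever `python` is first on `PATH` after the config files have been sourced, so a config that alters `PATH` changes the interpreter; pinning it, e.g. `${PYTHON:-python}`, makes that explicit. The trailing `exit $?` is redundant after the last command but harmless.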