The CLIs for exporting PKCS #12 files have been modified to accept options to export without trust flags, keys, and/or the certificate chain.
https://fedorahosted.org/pki/ticket/1736 -- Endi S. Dewata
>From 8e36b6df9f778613a4868a5a1145647c8ffe7fee Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Sat, 16 Apr 2016 02:43:03 +0200
Subject: [PATCH] Fixed PKCS #12 export options.

The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain.
https://fedorahosted.org/pki/ticket/1736
---
 base/common/python/pki/nssdb.py | 12 ++++++++++++
 .../netscape/cmstools/pkcs12/PKCS12ExportCLI.java | 2 +-
 base/server/python/pki/server/cli/instance.py | 21 ++++++++++++++++++++-
 base/server/python/pki/server/cli/subsystem.py | 21 ++++++++++++++++++++-
 .../util/src/netscape/security/pkcs/PKCS12Util.java | 6 +++++-
 5 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 503bd412b3d6cb6d98f2dade05736a4b3fc98f9c..30b1d479375af3cb5705411d9af6cc24857d18f3 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -545,6 +545,9 @@ class NSSDatabase(object):
 pkcs12_password_file=None,
 nicknames=None,
 append=False,
+ include_trust_flags=True,
+ include_key=True,
+ include_chain=True,
 debug=False):
 tmpdir = tempfile.mkdtemp()
@@ -580,6 +583,15 @@ class NSSDatabase(object):
 if append:
 cmd.extend(['--append'])

+ if not include_trust_flags:
+ cmd.extend(['--no-trust-flags'])
+
+ if not include_key:
+ cmd.extend(['--no-key'])
+
+ if not include_chain:
+ cmd.extend(['--no-chain'])
+
 if debug:
 cmd.extend(['--debug'])

diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
index 728a9efd1d3f36d14428b2f1e7b891047576de96..08a0850ff2e17544acf7c09b46ed370851840c72 100644
--- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ExportCLI.java
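Review bot: The new keyword arguments `include_trust_flags`, `include_key` and `include_chain` added to the signature in the first hunk have no documentation, and the method's `def` line and any docstring lie outside the hunk. Suggest a docstring paragraph stating that each defaults to True and that passing False appends the matching `--no-trust-flags`, `--no-key` or `--no-chain` option to the export command assembled earlier in the method (the command list `cmd` is built outside the hunk). It is also worth saying explicitly that `include_key=False` produces a certificate-only PKCS #12 file, so callers do not assume the bundle always carries a private key.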
@@ -150,7 +150,7 @@ public class PKCS12ExportCLI extends CLI {

 if (nicknames.length == 0) {
 // load all certificates
- util.loadFromNSS(pkcs12);
+ util.loadFromNSS(pkcs12, includeKey, includeChain);
 } else {
 // load the specified certificates
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 4eeee5d6053e05581a472b601ed9e066c4ada395..7520b32b81cf222ebc7ac1def928701b1116ae86 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -77,6 +77,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
 print(' --pkcs12-password <password> Password for the PKCS #12 file.')
 print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
 print(' --append Append into an existing PKCS #12 file.')
+ print(' --no-trust-flags Do not include trust flags')
+ print(' --no-key Do not include private key')
+ print(' --no-chain Do not include certificate chain')
 print(' -v, --verbose Run in verbose mode.')
 print(' --debug Run in debug mode.')
 print(' --help Show help message.')
@@ -88,7 +91,8 @@ class InstanceCertExportCLI(pki.cli.CLI):
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
 'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'append', 'verbose', 'debug', 'help'])
+ 'append', 'no-trust-flags', 'no-key', 'no-chain',
+ 'verbose', 'debug', 'help'])
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
@@ -102,6 +106,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
 pkcs12_password = None
 pkcs12_password_file = None
 append = False
+ include_trust_flags = True
+ include_key = True
+ include_chain = True
 debug = False

 for o, a in opts:
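Review bot: The new `includeKey`/`includeChain` arguments are forwarded only in the `nicknames.length == 0` branch, while the `else` branch that loads the specified certificates continues outside the hunk; it should be confirmed that this branch also passes the flags rather than a hard-coded `true, true`, otherwise `--no-key` and `--no-chain` would be silently ignored whenever nicknames are given. `includeKey` and `includeChain` are not declared anywhere in this diff, so they presumably already exist as fields populated from the CLI options — verify. The enclosing method starts and ends outside the hunk.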
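Review bot: The help text for the three new options in the added `print(...)` lines ends without a period, unlike every neighbouring entry (`Append into an existing PKCS #12 file.`, `Run in verbose mode.`); suggest `print(' --no-trust-flags Do not include trust flags.')`, `print(' --no-key Do not include private key.')` and `print(' --no-chain Do not include certificate chain.')`. The same applies to the matching hunk at `@@ -465` in subsystem.py. More broadly, the help text, the getopt long-option names, the default assignments, the option parsing and the keyword pass-through to the export call are now duplicated line for line between InstanceCertExportCLI and SubsystemCertExportCLI (hunks `@@ -88`, `@@ -102`, `@@ -120`, `@@ -154` and their subsystem.py counterparts); a shared helper for the PKCS #12 options would keep the two option sets from drifting apart.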
@@ -120,6 +127,15 @@ class InstanceCertExportCLI(pki.cli.CLI):
 elif o == '--append':
 append = True

+ elif o == '--no-trust-flags':
+ include_trust_flags = False
+
+ elif o == '--no-key':
+ include_key = False
+
+ elif o == '--no-chain':
+ include_chain = False
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)

@@ -154,6 +170,9 @@ class InstanceCertExportCLI(pki.cli.CLI):
 pkcs12_password_file=pkcs12_password_file,
 nicknames=nicknames,
 append=append,
+ include_trust_flags=include_trust_flags,
+ include_key=include_key,
+ include_chain=include_chain,
 debug=debug)
 finally:
 nssdb.close()
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index fe395aad642f050c401996b401a4122af09b9f83..03d48f9262f8ac15e1dfbb8df63111c9cf0dabce 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -465,6 +465,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 print(' --pkcs12-password <password> Password for the PKCS #12 file.')
 print(' --pkcs12-password-file <path> Input file containing the password for the PKCS #12 file.')
 print(' --append Append into an existing PKCS #12 file.')
+ print(' --no-trust-flags Do not include trust flags')
+ print(' --no-key Do not include private key')
+ print(' --no-chain Do not include certificate chain')
 print(' -v, --verbose Run in verbose mode.')
 print(' --debug Run in debug mode.')
 print(' --help Show help message.')
@@ -476,7 +479,8 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 opts, args = getopt.gnu_getopt(argv, 'i:v', [
 'instance=', 'cert-file=', 'csr-file=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
- 'append', 'verbose', 'debug', 'help'])
+ 'append', 'no-trust-flags', 'no-key', 'no-chain',
+ 'verbose', 'debug', 'help'])
 except getopt.GetoptError as e:
 print('ERROR: ' + str(e))
@@ -497,6 +501,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 pkcs12_password = None
 pkcs12_password_file = None
 append = False
+ include_trust_flags = True
+ include_key = True
+ include_chain = True
 debug = False

 for o, a in opts:
@@ -521,6 +528,15 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 elif o == '--append':
 append = True

+ elif o == '--no-trust-flags':
+ include_trust_flags = False
+
+ elif o == '--no-key':
+ include_key = False
+
+ elif o == '--no-chain':
+ include_chain = False
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)

@@ -591,6 +607,9 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 pkcs12_password_file=pkcs12_password_file,
 nicknames=nicknames,
 append=append,
+ include_trust_flags=include_trust_flags,
+ include_key=include_key,
+ include_chain=include_chain,
 debug=debug)
 finally:
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 43435c822c9400248fe556bf066cd2659e18ae17..571ee18815e93b29e3dbd32eb0f52b2d60a421cc 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -239,6 +239,10 @@ public class PKCS12Util {
 }

 public void loadFromNSS(PKCS12 pkcs12) throws Exception {
+ loadFromNSS(pkcs12, true, true);
+ }
+
+ public void loadFromNSS(PKCS12 pkcs12, boolean includeKey, boolean includeChain) throws Exception {

 logger.info("Loading all certificate and keys from NSS database");

@@ -247,7 +251,7 @@ public class PKCS12Util {
 CryptoStore store = token.getCryptoStore();
 for (X509Certificate cert : store.getCertificates()) {
- loadCertFromNSS(pkcs12, cert, true, true);
+ loadCertFromNSS(pkcs12, cert, includeKey, includeChain);
 }
 }
-- 
2.5.5
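Review bot: The log line `logger.info("Loading all certificate and keys from NSS database");` now lives in the overload that can be invoked with `includeKey == false`, so the message is wrong exactly when keys are deliberately left out; suggest `logger.info("Loading all certificates from NSS database (includeKey=" + includeKey + ", includeChain=" + includeChain + ")");` so the log records what was actually exported. The new public two-flag overload has no Javadoc; a short one stating that `includeKey` selects whether each certificate's private key is exported and `includeChain` whether its certificate chain is added, and that the one-argument form delegates with both flags true, would document the contract at the API boundary rather than only in the CLI help. The method body continues into the next hunk at `@@ -247`, where the flags reach `loadCertFromNSS`.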
