From d43f4dab6773ea7d91e71193969b26df4efaaffc Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 6 Apr 2016 19:22:48 +0200
Subject: [PATCH] Fixed pki pkcs12-import backward compatibility.

For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.

The configuration servlet has been modified to provide better
debugging information when updating the security domain.

https://fedorahosted.org/pki/ticket/2255
---
 base/common/python/pki/cli/pkcs12.py               |  7 +++++-
 .../cms/servlet/csadmin/ConfigurationUtils.java    | 29 ++++++++++++++++------
 .../dogtagpki/server/rest/SystemConfigService.java |  2 +-
 .../src/netscape/security/pkcs/PKCS12Util.java     | 17 ++++++++++---
 4 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
index dc999a1..a7c32cc 100644
--- a/base/common/python/pki/cli/pkcs12.py
+++ b/base/common/python/pki/cli/pkcs12.py
@@ -220,7 +220,12 @@ class PKCS12ImportCLI(pki.cli.CLI):
 
                     cert_id = cert_info['id']
                     nickname = cert_info['nickname']
-                    trust_flags = cert_info['trust_flags']
+
+                    if 'trust_flags' in cert_info:
+                        trust_flags = cert_info['trust_flags']
+                    else:
+                        # default trust flags for CA certificates
+                        trust_flags = 'CT,c,c'
 
                     if main_cli.verbose:
                         print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))
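Review bot: The new default assigns `'CT,c,c'` to every certificate whose bag carries no trust attribute, which marks it as a trusted CA for SSL, client auth, e-mail and object signing whether or not it is actually a CA; the loop this sits in starts above and ends below the hunk, so I cannot see whether it is already limited to CA certificates. PKCS #12 files written by other tools usually lack these attributes for their end-entity certificates as well, and those would then be imported as trusted roots. Unless the loop is known to see only CA certs, the safer default is `trust_flags = ',,'` with `'CT,c,c'` applied only after a basicConstraints/CA check, or at minimum a warning such as `print('WARNING: no trust flags for %s, assuming %s' % (nickname, trust_flags))` so the operator sees what was assumed. The comment `# default trust flags for CA certificates` should then state which certificates really receive the default.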
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index 25838f1..7aeee7e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -113,6 +113,7 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 
 import com.netscape.certsrv.account.AccountClient;
 import com.netscape.certsrv.apps.CMS;
@@ -3801,14 +3802,15 @@ public class ConfigurationUtils {
         content.putSingle("httpport", CMS.getEENonSSLPort());
 
         try {
+            CMS.debug("Update security domain using admin interface");
             String session_id = CMS.getConfigSDSessionId();
             content.putSingle("sessionID", session_id);
             updateDomainXML(sd_host, sd_admin_port, true, url, content, false);
 
         } catch (Exception e) {
-            CMS.debug("updateSecurityDomain: failed to update security domain using admin port "
-                      + sd_admin_port + ": " + e);
-            CMS.debug("updateSecurityDomain: now trying agent port with client auth");
+            CMS.debug("Unable to access admin interface: " + e);
+
+            CMS.debug("Update security domain using agent interface");
             url =  "/ca/agent/ca/updateDomainXML";
             updateDomainXML(sd_host, sd_agent_port, true, url, content, true);
         }
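Review bot: The rewritten catch logs only `e.toString()`, so the stack trace of whatever made the admin interface fail is lost, while this same commit switches SystemConfigService to `CMS.debug(e)` precisely to keep it; suggest adding `CMS.debug(e);` right after the `"Unable to access admin interface: "` message. The `catch (Exception e)` also falls back to the agent interface on any failure, including programming errors, which the fallback then masks; that is pre-existing, but if updateDomainXML's declared exceptions allow it, narrowing the catch to `IOException` would keep the new debugging output meaningful. updateSecurityDomain starts above the hunk.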
@@ -3873,7 +3875,12 @@ public class ConfigurationUtils {
             c = post(hostname, port, https, servlet, content, null, null);
         }
 
-        if (c != null && !c.equals("")) {
+        if (c == null || c.equals("")) {
+            CMS.debug("Unable to update security domain: empty response");
+            throw new IOException("Unable to update security domain: empty response");
+        }
+
+        try {
             ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes());
             XMLObject obj = new XMLObject(bis);
             String status = obj.getValue("Status");
@@ -3881,13 +3888,21 @@ public class ConfigurationUtils {
 
             if (status.equals(SUCCESS)) {
                 return;
+
+            } else if (status.equals(AUTH_FAILURE)) {
+                CMS.debug("Unable to update security domain: authentication failure");
+                throw new IOException("Unable to update security domain: authentication failure");
+
             } else {
                 String error = obj.getValue("Error");
-                throw new IOException(error);
+                CMS.debug("Unable to update security domain: " + error);
+                throw new IOException("Unable to update security domain: " + error);
             }
 
-        } else {
-            throw new IOException("Failed to get response when updating security domain");
+        } catch (SAXParseException e) {
+            CMS.debug("Unable to update security domain: " + e);
+            CMS.debug(c);
+            throw new IOException("Unable to update security domain: " + e, e);
         }
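Review bot: The new AUTH_FAILURE branch still dereferences `status` before checking that the reply carried a Status element; if `obj.getValue("Status")` returns null for a missing element (not visible here), a well-formed but unexpected XML reply throws NullPointerException at `status.equals(SUCCESS)` instead of the "Unable to update security domain" IOException this hunk introduces for every other failure. A guard after the lookup in the preceding hunk, `if (status == null) throw new IOException("Unable to update security domain: missing status");`, or writing the comparisons as `SUCCESS.equals(status)` / `AUTH_FAILURE.equals(status)`, closes that gap. Only SAXParseException is caught, so any other parser exception from `new XMLObject(bis)` leaves without the raw-response debug output; and since the body comes from a remote peer, it is worth confirming that XMLObject's parser disables DTD/external-entity resolution, which this hunk does not show. updateDomainXML starts above the hunk.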
     }
 
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index c56f332..d3410bc 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -282,7 +282,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
             cs.putString("securitydomain.store", "ldap");
             cs.commit(false);
         } catch (Exception e) {
-            e.printStackTrace();
+            CMS.debug(e);
             throw new PKIException("Error while updating security domain: " + e);
         }
     }
diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java
index 967479b..43435c8 100644
--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java
+++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java
@@ -31,6 +31,7 @@ import java.security.cert.CertificateException;
 import java.util.Collection;
 import java.util.logging.Logger;
 
+import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
@@ -67,6 +68,7 @@ import org.mozilla.jss.pkix.primitive.PrivateKeyInfo;
 import org.mozilla.jss.util.Password;
 
 import netscape.ldap.LDAPDN;
+import netscape.ldap.util.DN;
 import netscape.security.x509.X509CertImpl;
 
 public class PKCS12Util {
@@ -417,7 +419,8 @@ public class PKCS12Util {
         byte[] x509cert = certStr.toByteArray();
 
         certInfo.cert = new X509CertImpl(x509cert);
-        logger.fine("   Subject DN: " + certInfo.cert.getSubjectDN());
+        Principal subjectDN = certInfo.cert.getSubjectDN();
+        logger.fine("   Subject DN: " + subjectDN);
 
         SET bagAttrs = bag.getBagAttributes();
 
@@ -468,6 +471,14 @@ public class PKCS12Util {
             logger.fine("   ID: " + certInfo.id.toString(16));
         }
 
+        if (certInfo.nickname == null) {
+            logger.fine("   Nickname not specified, generating new nickname");
+            DN dn = new DN(subjectDN.getName());
+            String[] values = dn.explodeDN(true);
+            certInfo.nickname = StringUtils.join(values, " - ");
+            logger.fine("   Nickname: " + certInfo.nickname);
+        }
+
         return certInfo;
     }
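Review bot: The generated nickname can come out empty or null: a certificate with an empty subject (permitted for end-entity certs that carry a subjectAltName), or a DN that the `DN` class presumably cannot parse, yields no RDN values, and `StringUtils.join` of an empty or null array returns `""` or `null`, so the fallback produces the very unusable nickname it was meant to avoid. Suggest checking the result, e.g. `if (StringUtils.isEmpty(certInfo.nickname)) certInfo.nickname = subjectDN.getName();`, or falling back to the hex local ID when one is present. Two certificates with the same subject, such as a renewed CA certificate next to its predecessor, will also collide on this nickname; whether the importer tolerates that is not visible here. The enclosing method starts above the hunk.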
 
@@ -580,9 +591,9 @@ public class PKCS12Util {
         privateKeyInfo.encode(bos);
         byte[] privateKey = bos.toByteArray();
 
-        PKCS12CertInfo certInfo = getCertBySubjectDN(pkcs12, keyInfo.subjectDN);
+        PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID());
         if (certInfo == null) {
-            logger.fine("Private key nas no certificate, ignore");
+            logger.fine("Private key has no certificate, ignore");
             return;
         }
 
-- 
2.5.5