From d14e61248bca341c38057ecb0184a265eccea850 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Apr 09 2016 04:01:05 +0000 Subject: Resolves: PKI TRAC Ticket #2255 - PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes. --- diff --git a/pki-core-Fixed-pki-pkcs12-import-backward-compatibility.patch b/pki-core-Fixed-pki-pkcs12-import-backward-compatibility.patch new file mode 100644 index 0000000..1d82d8e --- /dev/null +++ b/pki-core-Fixed-pki-pkcs12-import-backward-compatibility.patch 
@@ -0,0 +1,183 @@ +From d43f4dab6773ea7d91e71193969b26df4efaaffc Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 6 Apr 2016 19:22:48 +0200 +Subject: [PATCH] Fixed pki pkcs12-import backward compatibility. + +For backward compatibility the pki pkcs12-import has been modified +to generate default nicknames and trust flags for CA certificates +if they are not specified in the PKCS #12 file. The PKCS12Util was +also modified to find the certificate corresponding to a key more +accurately using the local ID instead of the subject DN. + +The configuration servlet has been modified to provide better +debugging information when updating the security domain. + +https://fedorahosted.org/pki/ticket/2255 +--- + base/common/python/pki/cli/pkcs12.py | 7 +++++- + .../cms/servlet/csadmin/ConfigurationUtils.java | 29 ++++++++++++++++------ + .../dogtagpki/server/rest/SystemConfigService.java | 2 +- + .../src/netscape/security/pkcs/PKCS12Util.java | 17 ++++++++++--- + 4 files changed, 43 insertions(+), 12 deletions(-) + +diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py +index dc999a1..a7c32cc 100644 +--- a/base/common/python/pki/cli/pkcs12.py ++++ b/base/common/python/pki/cli/pkcs12.py +@@ -220,7 +220,12 @@ class PKCS12ImportCLI(pki.cli.CLI): + + cert_id = cert_info['id'] + nickname = cert_info['nickname'] +- trust_flags = cert_info['trust_flags'] ++ ++ if 'trust_flags' in cert_info: ++ trust_flags = cert_info['trust_flags'] ++ else: ++ # default trust flags for CA certificates ++ trust_flags = 'CT,c,c' + + if main_cli.verbose: + print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id)) +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index 25838f1..7aeee7e 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ 
b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -113,6 +113,7 @@ import org.w3c.dom.Element; + import org.w3c.dom.Node; + import org.w3c.dom.NodeList; + import org.xml.sax.SAXException; ++import org.xml.sax.SAXParseException; + + import com.netscape.certsrv.account.AccountClient; + import com.netscape.certsrv.apps.CMS; +@@ -3801,14 +3802,15 @@ public class ConfigurationUtils { + content.putSingle("httpport", CMS.getEENonSSLPort()); + + try { ++ CMS.debug("Update security domain using admin interface"); + String session_id = CMS.getConfigSDSessionId(); + content.putSingle("sessionID", session_id); + updateDomainXML(sd_host, sd_admin_port, true, url, content, false); + + } catch (Exception e) { +- CMS.debug("updateSecurityDomain: failed to update security domain using admin port " +- + sd_admin_port + ": " + e); +- CMS.debug("updateSecurityDomain: now trying agent port with client auth"); ++ CMS.debug("Unable to access admin interface: " + e); ++ ++ CMS.debug("Update security domain using agent interface"); + url = "/ca/agent/ca/updateDomainXML"; + updateDomainXML(sd_host, sd_agent_port, true, url, content, true); + } +@@ -3873,7 +3875,12 @@ public class ConfigurationUtils { + c = post(hostname, port, https, servlet, content, null, null); + } + +- if (c != null && !c.equals("")) { ++ if (c == null || c.equals("")) { ++ CMS.debug("Unable to update security domain: empty response"); ++ throw new IOException("Unable to update security domain: empty response"); ++ } ++ ++ try { + ByteArrayInputStream bis = new ByteArrayInputStream(c.getBytes()); + XMLObject obj = new XMLObject(bis); + String status = obj.getValue("Status"); +@@ -3881,13 +3888,21 @@ public class ConfigurationUtils { + + if (status.equals(SUCCESS)) { + return; ++ ++ } else if (status.equals(AUTH_FAILURE)) { ++ CMS.debug("Unable to update security domain: authentication failure"); ++ throw new IOException("Unable to update security domain: authentication failure"); ++ + } 
else { + String error = obj.getValue("Error"); +- throw new IOException(error); ++ CMS.debug("Unable to update security domain: " + error); ++ throw new IOException("Unable to update security domain: " + error); + } + +- } else { +- throw new IOException("Failed to get response when updating security domain"); ++ } catch (SAXParseException e) { ++ CMS.debug("Unable to update security domain: " + e); ++ CMS.debug(c); ++ throw new IOException("Unable to update security domain: " + e, e); + } + } + +diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +index c56f332..d3410bc 100644 +--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java ++++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +@@ -282,7 +282,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou + cs.putString("securitydomain.store", "ldap"); + cs.commit(false); + } catch (Exception e) { +- e.printStackTrace(); ++ CMS.debug(e); + throw new PKIException("Error while updating security domain: " + e); + } + } +diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java +index 967479b..43435c8 100644 +--- a/base/util/src/netscape/security/pkcs/PKCS12Util.java ++++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java +@@ -31,6 +31,7 @@ import java.security.cert.CertificateException; + import java.util.Collection; + import java.util.logging.Logger; + ++import org.apache.commons.lang.StringUtils; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.asn1.ANY; + import org.mozilla.jss.asn1.ASN1Util; +@@ -67,6 +68,7 @@ import org.mozilla.jss.pkix.primitive.PrivateKeyInfo; + import org.mozilla.jss.util.Password; + + import netscape.ldap.LDAPDN; ++import netscape.ldap.util.DN; + import netscape.security.x509.X509CertImpl; + + public class PKCS12Util { +@@ -417,7 
+419,8 @@ public class PKCS12Util { + byte[] x509cert = certStr.toByteArray(); + + certInfo.cert = new X509CertImpl(x509cert); +- logger.fine(" Subject DN: " + certInfo.cert.getSubjectDN()); ++ Principal subjectDN = certInfo.cert.getSubjectDN(); ++ logger.fine(" Subject DN: " + subjectDN); + + SET bagAttrs = bag.getBagAttributes(); + +@@ -468,6 +471,14 @@ public class PKCS12Util { + logger.fine(" ID: " + certInfo.id.toString(16)); + } + ++ if (certInfo.nickname == null) { ++ logger.fine(" Nickname not specified, generating new nickname"); ++ DN dn = new DN(subjectDN.getName()); ++ String[] values = dn.explodeDN(true); ++ certInfo.nickname = StringUtils.join(values, " - "); ++ logger.fine(" Nickname: " + certInfo.nickname); ++ } ++ + return certInfo; + } + +@@ -580,9 +591,9 @@ public class PKCS12Util { + privateKeyInfo.encode(bos); + byte[] privateKey = bos.toByteArray(); + +- PKCS12CertInfo certInfo = getCertBySubjectDN(pkcs12, keyInfo.subjectDN); ++ PKCS12CertInfo certInfo = pkcs12.getCertInfoByID(keyInfo.getID()); + if (certInfo == null) { +- logger.fine("Private key nas no certificate, ignore"); ++ logger.fine("Private key has no certificate, ignore"); + return; + } + +-- +2.5.5 + diff --git a/pki-core.spec b/pki-core.spec index b7e59a4..eff8afb 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -43,7 +43,7 @@ Name: pki-core Version: 10.3.0.a2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -164,6 +164,9 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz %endif +## pki-core-10.3.0.a2-2 +Patch1: pki-core-Fixed-pki-pkcs12-import-backward-compatibility.patch + # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # # NOTE: For "alpha" releases, will be ".a1", ".a2", etc. 
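Review bot: The `'CT,c,c'` default in the pkcs12.py hunk is applied to every entry that has no `trust_flags` attribute, although the comment beside it says it is meant for CA certificates; the enclosing loop starts outside the hunk, and if it covers every certificate in the file, an older backup without trust attributes would import subsystem or user certificates as trusted CAs. Consider deriving the default from the certificate itself, `'CT,c,c'` only for an entry that is itself a CA and `',,'` otherwise, or stating in the comment that the caller guarantees only CA certificates reach this branch. In the ConfigurationUtils hunk, `CMS.debug(c);` writes the whole HTTP response body to the debug log on a parse failure; bounding its length, or noting in a comment that it may be a remote error page of arbitrary size, would keep the log readable. The PKCS12Util nickname fallback joins the exploded subject DN, which can collide with a nickname already present in the target database; a `// TODO: check for nickname collisions on import` comment would flag that for the importer.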
@@ -718,6 +721,7 @@ This package is a part of the PKI Core used by the Certificate System. %prep %setup -q -n %{name}-%{version}%{?prerel} +%patch1 -p1 %clean %{__rm} -rf %{buildroot} @@ -1105,6 +1109,9 @@ systemctl daemon-reload %endif # %{with server} %changelog +* Fri Apr 8 2016 Dogtag Team 10.3.0.a2-2 +- PKI TRAC Ticket #2255 - PKCS #12 backup does not contain trust attributes. + * Thu Apr 7 2016 Dogtag Team 10.3.0.a2-1 - Updated build for F24 alpha