[Pki-devel] [PATCH] 521 Fixed problems with CLI authentication parameters.

Endi Sukma Dewata edewata at redhat.com
Fri Aug 29 02:44:44 UTC 2014


Previously specifying a security database password in the CLI would
require a certificate nickname to be specified as well. While this
is correct for client certificate authentication, it caused a
problem for operations that do not authenticate against the server
such as client-init. The CLI has been modified to require a security
database password only if the nickname is specified for client
certificate authentication.

Similar changes have been made to require user password only if
the username is specified for basic authentication.

The CLI also has been modified to store all specified parameters
in the config object regardless of parameter validation.

The manual page has been modified accordingly.

Ticket #1125

-- 
Endi S. Dewata
From 3a82b2f414dba03ad2b77e572ba97a0a1a5da0ce Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 28 Aug 2014 19:11:42 -0400
Subject: [PATCH] Fixed problems with CLI authentication parameters.

Previously specifying a security database password in the CLI would
require a certificate nickname to be specified as well. While this
is correct for client certificate authentication, it caused a
problem for operations that do not authenticate against the server
such as client-init. The CLI has been modified to require a security
database password only if the nickname is specified for client
certificate authentication.

Similar changes have been made to require user password only if
the username is specified for basic authentication.

The CLI also has been modified to store all specified parameters
in the config object regardless of parameter validation.

The manual page has been modified accordingly.

Ticket #1125
---
 base/java-tools/man/man1/pki.1                     |  12 +-
 .../src/com/netscape/cmstools/cli/MainCLI.java     | 151 ++++++++++-----------
 2 files changed, 80 insertions(+), 83 deletions(-)

diff --git a/base/java-tools/man/man1/pki.1 b/base/java-tools/man/man1/pki.1
index b5a35f1f608c3f86792008f5fec6a70bf20520ee..4e77bd6ebf92ddfe6c48ce4964fe6897f81f14b7 100644
--- a/base/java-tools/man/man1/pki.1
+++ b/base/java-tools/man/man1/pki.1
@@ -28,10 +28,10 @@ These services include certificates, groups, keys, security domains, and users.
 .SH CLI OPTIONS
 .TP
 .B -c <client security database password>
-Specifies the client security database password (mutually exclusive to the '-C' option; requires the '-n' client authentication option).
+Specifies the client security database password (mutually exclusive to the '-C' option).
 .TP
 .B -C <client-side password file>
-Specifies the file which contains the client security database password (mutually exclusive to the '-c' option; requires the '-n' client authentication option).
+Specifies the file which contains the client security database password (mutually exclusive to the '-c' option).
 .TP
 .B -d <client security database location>
 Specifies the client security database location (default: \fI~/.dogtag/nssdb\fP).
@@ -49,7 +49,7 @@ Comma-separated list of ignored certificate validity statuses.
 Message format: xml (default), json.
 .TP
 .B -n <client certificate nickname>
-Specifies the nickname of the client certificate (signifies client authentication which is mutually exclusive to the '-u' basic authentication option).
+Specifies the nickname for client certificate authentication (mutually exclusive to the '-u' option). This authentication requires a security database password.
 .TP
 .B --output <folder>
 Folder to store HTTP messages.
@@ -68,7 +68,7 @@ PKI subsystem type - [CA, KRA, OCSP, TKS, or TPS] (non-case-sensitive).
 Specifies the server URI.
 .TP
 .B -u <username>
-Specifies the username (signifies basic authentication which is mutually exclusive to the '-n' client authentication option).
+Specifies the username for basic authentication (mutually exclusive to the '-n' option). This authentication requires a user password.
 .TP
 .B -v
 Displays verbose information.
@@ -77,10 +77,10 @@ Displays verbose information.
 Displays CLI version information.
 .TP
 .B -w <password>
-Specifies the user password (mutually exclusive to the '-W' option; requires the '-u' basic authentication option).
+Specifies the user password (mutually exclusive to the '-W' option).
 .TP
 .B -W <client-side password file>
-Specifies the file which contains the user password (mutually exclusive to the '-w' option; requires the '-u' basic authentication option).
+Specifies the file which contains the user password (mutually exclusive to the '-w' option).
 
 .SH OPERATIONS
 To view available commands and options, simply type \fBpki\fP.  Some commands have sub-commands.
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index becd84524531aa9c18ffc1495e7d62764086e478..186c9827eb311f7221bf8957149c8b06329d34cc 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -19,9 +19,9 @@
 package com.netscape.cmstools.cli;
 
 import java.io.BufferedReader;
-import java.io.FileReader;
 import java.io.Console;
 import java.io.File;
+import java.io.FileReader;
 import java.io.IOException;
 import java.lang.reflect.Field;
 import java.net.InetAddress;
@@ -291,93 +291,90 @@ public class MainCLI extends CLI {
         String passwordFile = cmd.getOptionValue("W");
         String[] tokenPasswordPair = { null, null };
 
-        // check for mutually exclusive options
-        if ((certNickname != null) && (username != null)) {
-            System.err.println("Error:  The '-n' (client authentication) and '-u' (basic authentication) options are mutually exclusive!");
+        // check authentication parameters
+        if (certNickname != null && username != null) {
+            System.err.println("Error: The '-n' and '-u' options are mutually exclusive.");
             System.exit(-1);
-        }
-        if ((certPasswordFile != null) && (certPassword != null)) {
-            System.err.println("Error:  The '-C' and '-c' options are mutually exclusive!");
-            System.exit(-1);
-        }
-        if ((passwordFile != null) && (password != null)) {
-            System.err.println("Error:  The '-W' and '-w' options are mutually exclusive!");
-            System.exit(-1);
-        }
 
-        // check for mutually dependent options
-        if (((certPasswordFile != null) || (certPassword != null)) &&
-            (certNickname == null)) {
-            System.err.println("Error:  If either of the '-C' or '-c' options are specified, the '-n' client authentication option must also be specified!");
-            System.exit(-1);
-        }
-        if (((passwordFile != null) || (password != null)) &&
-            (username == null)) {
-            System.err.println("Error:  If either of the '-W' or '-w' options are specified, the '-u' basic authentication option must also be specified!");
-            System.exit(-1);
+        } else if (certNickname != null) { // client certificate authentication
+
+            if (certPasswordFile != null && certPassword != null) {
+                System.err.println("Error: The '-C' and '-c' options are mutually exclusive.");
+                System.exit(-1);
+
+            } else if (certPasswordFile == null && certPassword == null) {
+                System.err.println("Error: Missing security database password.");
+                System.exit(-1);
+            }
+
+        } else if (username != null) { // basic authentication
+
+            if (passwordFile != null && password != null) {
+                System.err.println("Error: The '-W' and '-w' options are mutually exclusive.");
+                System.exit(-1);
+
+            } else if (passwordFile == null && password == null) {
+                System.err.println("Error: Missing user password.");
+                System.exit(-1);
+            }
         }
 
-        // convert into absolute path
+        // store security database path
         if (certDatabase != null)
             config.setCertDatabase(new File(certDatabase).getAbsolutePath());
 
-        // check for client authentication or basic authentication
-        if (certNickname != null) {
-            // client authentication
-            config.setCertNickname(certNickname);
-
-            if (certPassword != null) {
-                // set client security database password
-                config.setCertPassword(certPassword);
-            } else if (certPasswordFile != null) {
-                // read client security database password from specified file
-                tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile);
-                // XXX TBD set client security database token
-
-                // set client security database password
-                config.setCertPassword(tokenPasswordPair[1]);
-            } else {
-                // prompt for client security database password
-                //
-                // NOTE:  This overrides the password callback provided
-                //        by JSS for NSS security database authentication.
-                //
-                try {
-                    certPassword = promptForPassword("Enter Client Security Database Password: ");
-                    // set client security database password
-                    config.setCertPassword(certPassword);
-                } catch (Exception e) {
-                    System.err.println("Error: " + e.getMessage());
-                    System.exit(-1);
-                }
+        // store certificate nickname
+        config.setCertNickname(certNickname);
+
+        if (certPasswordFile != null) {
+            // read client security database password from specified file
+            tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile);
+            // XXX TBD set client security database token
+
+            certPassword = tokenPasswordPair[1];
+
+        } else if (certNickname != null && certPassword == null) {
+            // prompt for security database password if required for authentication
+            //
+            // NOTE:  This overrides the password callback provided
+            //        by JSS for NSS security database authentication.
+            //
+            try {
+                certPassword = promptForPassword("Enter Client Security Database Password: ");
+
+            } catch (Exception e) {
+                System.err.println("Error: " + e.getMessage());
+                System.exit(-1);
             }
-        } else if (username != null) {
-            // basic authentication
-            config.setUsername(username);
-
-            if (password != null) {
-                // set user password
-                config.setPassword(password);
-            } else if (passwordFile != null) {
-                // read user password from specified file
-                tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile);
-                // XXX TBD set user token
-
-                // set user password
-                config.setPassword(tokenPasswordPair[1]);
-            } else {
-                // prompt for user password
-                try {
-                    password = promptForPassword();
-                    // set user password
-                    config.setPassword(password);
-                } catch (Exception e) {
-                    System.err.println("Error: " + e.getMessage());
-                    System.exit(-1);
-                }
+        }
+
+        // store security database password
+        config.setCertPassword(certPassword);
+
+        // store user name
+        config.setUsername(username);
+
+        if (passwordFile != null) {
+            // read user password from specified file
+            tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile);
+            // XXX TBD set user token
+
+            password = tokenPasswordPair[1];
+
+        } else if (username != null && password == null) {
+            // prompt for user password if required for authentication
+            try {
+                password = promptForPassword();
+
+            } catch (Exception e) {
+                System.err.println("Error: " + e.getMessage());
+                System.exit(-1);
             }
         }
 
+        // store user password
+        config.setPassword(password);
+
         String list = cmd.getOptionValue("reject-cert-status");
         convertCertStatusList(list, rejectedCertStatuses);
 
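Review bot: The interactive password prompts in this hunk, at `} else if (certNickname != null && certPassword == null) {` and `} else if (username != null && password == null) {`, are now unreachable: the validation block earlier in the hunk already exits with "Error: Missing security database password." / "Error: Missing user password." whenever `-n` (or `-u`) is given without `-c`/`-C` (or `-w`/`-W`), so at the point the prompt branch is evaluated a null password can only be accompanied by a non-null password file, which the preceding `if` consumes. Either the two "Missing ... password" exits should be dropped so the prompt remains the fallback, or the two prompt branches should be removed; as written the code keeps both and the prompt is dead, while the error text tells the user a password is mandatory on the command line. Keeping the prompt is preferable from a credential-handling standpoint, since without it `-c`/`-w` on the command line (visible in shell history and process listings) is the only non-file way to supply a password. The enclosing method begins before and continues after this hunk.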
-- 
1.8.4.2


