[Pki-devel] [PATCH] 659 Added CLI options to simplify submitting CSR.

Endi Sukma Dewata edewata at redhat.com
Fri Nov 13 16:07:29 UTC 2015


The pki ca-cert-request-submit command has been modified to
provide options to specify the profile name and the CSR which
will be used to create and populate the request object. This
way it's no longer necessary to download the request template
and insert the CSR manually.

https://fedorahosted.org/pki/ticket/456

Usage: http://pki.fedoraproject.org/wiki/Externaly-Signed_CA_Setup

-- 
Endi S. Dewata
-------------- next part --------------
From 8ad8a03cf5e8c54e4ed93ad34e107f9d762ccc0a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 13 Nov 2015 16:55:43 +0100
Subject: [PATCH] Added CLI options to simplify submitting CSR.

The pki ca-cert-request-submit command has been modified to
provide options to specify the profile name and the CSR which
will be used to create and populate the request object. This
way it's no longer necessary to download the request template
and insert the CSR manually.

https://fedorahosted.org/pki/ticket/456
---
 .../cmstools/cert/CertRequestSubmitCLI.java        | 146 +++++++++++++++++++--
 1 file changed, 136 insertions(+), 10 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
index cec1cff4f2c8167c7c16a3d095963039840b1486..991ab462be4dc15f40d41e3d59acdba0470f9c63 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertRequestSubmitCLI.java
@@ -5,9 +5,10 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.Scanner;
-
-import javax.xml.bind.JAXBException;
+import java.util.Vector;
 
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
@@ -16,9 +17,13 @@ import org.apache.commons.cli.ParseException;
 import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfos;
+import com.netscape.certsrv.profile.ProfileAttribute;
+import com.netscape.certsrv.profile.ProfileInput;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
 
+import netscape.ldap.util.DN;
+import netscape.ldap.util.RDN;
 import netscape.security.x509.X500Name;
 
 public class CertRequestSubmitCLI extends CLI {
@@ -30,11 +35,11 @@ public class CertRequestSubmitCLI extends CLI {
         this.certCLI = certCLI;
 
         Option option = new Option(null, "issuer-id", true, "Authority ID (host authority if omitted)");
-        option.setArgName("id");
+        option.setArgName("ID");
         options.addOption(option);
 
         option = new Option(null, "issuer-dn", true, "Authority DN (host authority if omitted)");
-        option.setArgName("dn");
+        option.setArgName("DN");
         options.addOption(option);
 
         option = new Option(null, "username", true, "Username for request authentication");
@@ -43,6 +48,22 @@ public class CertRequestSubmitCLI extends CLI {
 
         option = new Option(null, "password", false, "Prompt password for request authentication");
         options.addOption(option);
+
+        option = new Option(null, "profile", true, "Certificate profile");
+        option.setArgName("profile");
+        options.addOption(option);
+
+        option = new Option(null, "request-type", true, "Request type (default: pkcs10)");
+        option.setArgName("type");
+        options.addOption(option);
+
+        option = new Option(null, "csr-file", true, "File containing the CSR");
+        option.setArgName("path");
+        options.addOption(option);
+
+        option = new Option(null, "subject", true, "Subject DN");
+        option.setArgName("DN");
+        options.addOption(option);
     }
 
     public void printHelp() {
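Review bot: The help text at `option = new Option(null, "request-type", true, "Request type (default: pkcs10)");` overstates the default: later in this patch `pkcs10` is only substituted when the request is generated from `--profile`, while a request loaded from a file keeps whatever `cert_request_type` the file already carries. Either apply the default in both paths or narrow the wording, e.g. `"Request type (default: pkcs10 when generating from a profile)"`. The constructor this hunk sits in starts outside the hunk.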
@@ -70,8 +91,17 @@ public class CertRequestSubmitCLI extends CLI {
 
         String[] cmdArgs = cmd.getArgs();
 
-        if (cmdArgs.length < 1) {
-            System.err.println("Error: No filename specified.");
+        String requestFilename = cmdArgs.length > 0 ? cmdArgs[0] : null;
+        String profileID = cmd.getOptionValue("profile");
+
+        if (requestFilename == null && profileID == null) {
+            System.err.println("Error: Missing request file or profile ID.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        if (requestFilename != null && profileID != null) {
+            System.err.println("Error: Request file and profile ID are mutually exclusive.");
             printHelp();
             System.exit(-1);
         }
@@ -106,7 +136,104 @@ public class CertRequestSubmitCLI extends CLI {
             System.exit(-1);
         }
 
-        CertEnrollmentRequest request = getEnrollmentRequest(cmdArgs[0]);
+        String requestType = cmd.getOptionValue("request-type");
+
+        CertEnrollmentRequest request;
+        if (requestFilename == null) { // if no request file specified, generate new request from profile
+
+            if (verbose) {
+                System.out.println("Retrieving " + profileID + " profile.");
+            }
+
+            request = certCLI.certClient.getEnrollmentTemplate(profileID);
+
+            // set default request type for new request
+            if (requestType == null) requestType = "pkcs10";
+
+        } else { // otherwise, load request from file
+
+            if (verbose) {
+                System.out.println("Loading request from " + requestFilename + ".");
+            }
+
+            String xml = loadFile(requestFilename);
+            request = CertEnrollmentRequest.fromXML(xml);
+        }
+
+        if (requestType != null) {
+
+            if (verbose) {
+                System.out.println("Request type: " + requestType);
+            }
+
+            for (ProfileInput input : request.getInputs()) {
+                ProfileAttribute typeAttr = input.getAttribute("cert_request_type");
+                if (typeAttr != null) {
+                    typeAttr.setValue(requestType);
+                }
+            }
+        }
+
+        String csrFilename = cmd.getOptionValue("csr-file");
+        if (csrFilename != null) {
+
+            String csr = loadFile(csrFilename);
+
+            if (verbose) {
+                System.out.println("CSR:");
+                System.out.println(csr);
+            }
+
+            for (ProfileInput input : request.getInputs()) {
+                ProfileAttribute csrAttr = input.getAttribute("cert_request");
+                if (csrAttr != null) {
+                    csrAttr.setValue(csr);
+                }
+            }
+        }
+
+        String subjectDN = cmd.getOptionValue("subject");
+        if (subjectDN != null) {
+            DN dn = new DN(subjectDN);
+            Vector<?> rdns = dn.getRDNs();
+
+            Map<String, String> subjectAttributes = new HashMap<String, String>();
+            for (int i=0; i< rdns.size(); i++) {
+                RDN rdn = (RDN)rdns.elementAt(i);
+                String type = rdn.getTypes()[0].toLowerCase();
+                String value = rdn.getValues()[0];
+                subjectAttributes.put(type, value);
+            }
+
+            ProfileInput sn = request.getInput("Subject Name");
+            if (sn != null) {
+                if (verbose) System.out.println("Subject Name:");
+
+                for (ProfileAttribute attribute : sn.getAttributes()) {
+                    String name = attribute.getName();
+                    String value = null;
+
+                    if (name.equals("subject")) {
+                        // get the whole subject DN
+                        value = subjectDN;
+
+                    } else if (name.startsWith("sn_")) {
+                        // get value from subject DN
+                        value = subjectAttributes.get(name.substring(3));
+
+                    } else {
+                        // unknown attribute, ignore
+                        if (verbose) System.out.println(" - " + name);
+                        continue;
+                    }
+
+                    if (value == null) continue;
+
+                    if (verbose) System.out.println(" - " + name + ": " + value);
+                    attribute.setValue(value);
+                }
+            }
+        }
 
         String certRequestUsername = cmd.getOptionValue("username");
         if (certRequestUsername != null) {
@@ -124,10 +251,9 @@ public class CertRequestSubmitCLI extends CLI {
         CertCLI.printCertRequestInfos(cri);
     }
 
-    private CertEnrollmentRequest getEnrollmentRequest(String fileName) throws JAXBException, FileNotFoundException {
+    private String loadFile(String fileName) throws FileNotFoundException {
         try (Scanner scanner = new Scanner(new File(fileName))) {
-            String xml = scanner.useDelimiter("\\A").next();
-            return CertEnrollmentRequest.fromXML(xml);
+            return scanner.useDelimiter("\\A").next();
         }
     }
 }
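Review bot: `loadFile` now also backs the new `--csr-file` option, and `scanner.useDelimiter("\\A").next()` throws a bare `NoSuchElementException` on an empty file, which is what the user sees instead of a message naming the file; the old `getEnrollmentRequest` had the same behavior but only for the request template. The `Scanner` is also built without a charset, so the file is decoded with the platform default rather than the UTF-8 the XML template is written in. Replacing the body with `try (Scanner scanner = new Scanner(new File(fileName), "UTF-8")) { scanner.useDelimiter("\\A"); if (!scanner.hasNext()) throw new IllegalArgumentException("File is empty: " + fileName); return scanner.next(); }` covers both, and a one-line Javadoc such as `/** Reads the whole file as a UTF-8 string; throws if the file is missing or empty. */` would document the contract.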
-- 
2.4.3


