Update pki nss-cert-import

The pki nss-cert-import has been updated to use the token
name in the nickname if specified, otherwise it will use
the token name specified in the --token option.

The NSSDatabase.addCertificate() in Java (which is used
by pki nss-cert-import) has been modified to call the new
PK11Store.importCert() instead of addPEMCertificate()
which depends on certutil -A.

The NSSDatabase.add_cert() in Python has been updated to
use JSS (via pki nss-cert-import) by default. It has also
been updated to provide the input cert via standard input
instead of file to avoid permission issues.

base/common/python/pki/nssdb.py

@@ -658,7 +658,7 @@ def add_cert(
             cert_format='pem',
             token=None,
             trust_attributes=None,
-            use_jss=False):
+            use_jss=True):
 
         logger.debug('NSSDatabase.add_cert(%s)', nickname)
 
@@ -751,6 +751,12 @@ def __add_cert(
         '''
         check = True
 
+        if cert_file and not cert_data:
+            with open(cert_file, 'r', encoding='utf-8') as f:
+                cert_data = f.read()
+
+        cert_data = convert_cert(cert_data, cert_format, 'pem')
+
         cmd = [
             'pki',
             '-d', self.directory
@@ -771,14 +777,10 @@ def __add_cert(
             # Trust is most likely ,, anyway so there is no loss.
             check = False
 
-        cmd.extend(['nss-cert-import'])
-
-        if cert_file:
-            cmd.extend(['--cert', cert_file])
-
-        if cert_data:
-            cert_data = convert_cert(cert_data, cert_format, 'pem')
-            cmd.extend(['--format', 'PEM'])
+        cmd.extend([
+            'nss-cert-import',
+            '--format', 'PEM'
+        ])
 
         if trust_attributes:
             cmd.extend(['--trust', trust_attributes])

base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java

@@ -54,7 +54,6 @@
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.dogtagpki.cli.CLIException;
-import org.dogtagpki.util.cert.CertUtil;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.crypto.CryptoStore;
 import org.mozilla.jss.crypto.CryptoToken;
@@ -91,6 +90,7 @@
 import org.mozilla.jss.netscape.security.x509.X509CertImpl;
 import org.mozilla.jss.netscape.security.x509.X509CertInfo;
 import org.mozilla.jss.netscape.security.x509.X509Key;
+import org.mozilla.jss.pkcs11.PK11Cert;
 import org.mozilla.jss.pkcs11.PK11ECPrivateKey;
 import org.mozilla.jss.pkcs11.PK11PrivKey;
 import org.mozilla.jss.pkcs11.PK11PubKey;
@@ -323,29 +323,30 @@ public org.mozilla.jss.crypto.X509Certificate addPEMCertificate(
 
     public void addCertificate(
             String nickname,
-            X509Certificate cert,
+            X509CertImpl certImpl,
             String trustFlags) throws Exception {
 
-        addCertificate(null, nickname, cert, trustFlags);
+        addCertificate(null, nickname, certImpl, trustFlags);
     }
 
     public void addCertificate(
             String tokenName,
             String nickname,
-            X509Certificate cert,
+            X509CertImpl certImpl,
             String trustFlags) throws Exception {
 
-        byte[] bytes = CertUtil.toPEM(cert).getBytes();
-        Path certPath = null;
+        CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
+        logger.info("NSSDatabase: Importing cert " + nickname + " into " + token.getName());
 
-        try {
-            certPath = Files.createTempFile("nss-cert-", ".crt", FILE_PERMISSIONS);
-            Files.write(certPath, bytes);
+        CryptoStore store = token.getCryptoStore();
 
-            addPEMCertificate(tokenName, nickname, certPath.toString(), trustFlags);
+        org.mozilla.jss.crypto.X509Certificate cert = store.importCert(
+                certImpl.getEncoded(),
+                nickname);
 
-        } finally {
-            if (certPath != null) Files.delete(certPath);
+        if (trustFlags != null) {
+            PK11Cert pk11Cert = (PK11Cert) cert;
+            pk11Cert.setTrustFlags(trustFlags);
         }
     }
 

base/server/python/pki/server/deployment/__init__.py

@@ -3052,9 +3052,7 @@ def create_temp_sslserver_cert(self):
                 nickname=nickname,
                 cert_file=cert_file,
                 token=token,
-                trust_attributes=trust_attributes,
-                use_jss=True
-            )
+                trust_attributes=trust_attributes)
 
         finally:
             nssdb.close()
@@ -3253,8 +3251,7 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
             nickname=request.systemCert.nickname,
             cert_data=system_cert['data'],
             cert_format='base64',
-            token=request.systemCert.token,
-            use_jss=False)
+            token=request.systemCert.token)
 
     def setup_system_certs(self, nssdb, subsystem):
 

base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertImportCLI.java

@@ -93,9 +93,20 @@ public void execute(CommandLine cmd) throws Exception {
         X509CertImpl cert = new X509CertImpl(bytes);
 
         ClientConfig clientConfig = mainCLI.getConfig();
-        NSSDatabase nssdb = mainCLI.getNSSDatabase();
 
-        String tokenName = clientConfig.getTokenName();
+        String tokenName = null;
+        int i = nickname.indexOf(':');
+
+        if (i < 0) {
+            // use token name specified in --token option
+            tokenName = clientConfig.getTokenName();
+        } else {
+            // use token name specified in nickname
+            tokenName = nickname.substring(0, i);
+            nickname = nickname.substring(i + 1);
+        }
+
+        NSSDatabase nssdb = mainCLI.getNSSDatabase();
 
         if (nickname == null) {
             nssdb.addCertificate(cert, trustFlags);