From ba32660ee26fc00132882809ce9365690f375c6c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 19 Apr 2016 13:28:56 +1000
Subject: [PATCH 99/99] Add ca-authority-key-export command

Add the 'pki ca-authority-key-export' CLI command for exporting a
PKIArchiveOptions object containing a nominated target key, wrapped
by a nominated wrapping key.  This command is to be used by Custodia
to export key data for transmission to a requesting clone.

Part of: https://fedorahosted.org/pki/ticket/1625
---
 .../netscape/cmstools/authority/AuthorityCLI.java  |   1 +
 .../cmstools/authority/AuthorityKeyExportCLI.java  | 109 +++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java

diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
index ac06ea24ce824ad1b4be29a4176658caa9302e89..f42660d6727059bc76ab7ccd0bd0b22a87bc5f9a 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityCLI.java
@@ -18,6 +18,7 @@ public class AuthorityCLI extends CLI {
         addModule(new AuthorityDisableCLI(this));
         addModule(new AuthorityEnableCLI(this));
         addModule(new AuthorityRemoveCLI(this));
+        addModule(new AuthorityKeyExportCLI(this));
     }
 
     public String getFullName() {
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
new file mode 100644
index 0000000000000000000000000000000000000000..a3dee82c8d7ef3ad923aa53635b0825f3d272998
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
@@ -0,0 +1,109 @@
+package com.netscape.cmstools.authority;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.PublicKey;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.ParseException;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.X509Certificate;
+
+import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmsutil.crypto.CryptoUtil;
+
+public class AuthorityKeyExportCLI extends CLI {
+
+    public AuthorityCLI authorityCLI;
+
+    public AuthorityKeyExportCLI(AuthorityCLI authorityCLI) {
+        super("key-export", "Export wrapped CA signing key", authorityCLI);
+        this.authorityCLI = authorityCLI;
+
+        options.addOption(null, "help", false, "Show usage");
+
+        Option option = new Option("o", "output", true, "Output file");
+        option.setArgName("filename");
+        options.addOption(option);
+
+        option = new Option(null, "wrap-nickname", true, "Nickname of wrapping key");
+        option.setArgName("nickname");
+        options.addOption(option);
+
+        option = new Option(null, "target-nickname", true, "Nickname of target key");
+        option.setArgName("nickname");
+        options.addOption(option);
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + "--wrap-nickname NICKNAME --target-nickname NICKNAME -o FILENAME", options);
+    }
+
+    public void execute(String[] args) throws Exception {
+        CommandLine cmd = null;
+
+        try {
+            cmd = parser.parse(options, args);
+        } catch (ParseException e) {
+            System.err.println("Error: " + e.getMessage());
+            printHelp();
+            System.exit(-1);
+        }
+
+        if (cmd.hasOption("help")) {
+            // Display usage
+            printHelp();
+            System.exit(0);
+        }
+
+        String filename = cmd.getOptionValue("output");
+        if (filename == null) {
+            System.err.println("Error: No output file specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        String wrapNick = cmd.getOptionValue("wrap-nickname");
+        if (wrapNick == null) {
+            System.err.println("Error: no wrapping key nickname specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        String targetNick = cmd.getOptionValue("target-nickname");
+        if (targetNick == null) {
+            System.err.println("Error: no target key nickname specified.");
+            printHelp();
+            System.exit(-1);
+        }
+
+        try {
+            CryptoManager cm = CryptoManager.getInstance();
+            X509Certificate wrapCert = cm.findCertByNickname(wrapNick);
+            X509Certificate targetCert = cm.findCertByNickname(targetNick);
+
+            PublicKey wrappingKey = wrapCert.getPublicKey();
+            PrivateKey toBeWrapped = cm.findPrivKeyByCert(targetCert);
+            CryptoToken token = cm.getInternalKeyStorageToken();
+
+            byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+            IVParameterSpec ivps = new IVParameterSpec(iv);
+
+            byte[] data = CryptoUtil.createPKIArchiveOptions(
+                token, wrappingKey, toBeWrapped,
+                KeyGenAlgorithm.DES3, 0, ivps);
+
+            Files.newOutputStream(Paths.get(filename)).write(data);
+        } catch (Throwable e) {
+            e.printStackTrace();
+            System.exit(-1);
+        }
+
+    }
+}
-- 
2.5.5