From 0d5eccbd9dcae97b2e632374712e9d9a003ed534 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 26 Aug 2024 13:41:25 -0500 Subject: [PATCH] Add pki nss-cert-find --subject and --issuer options --- .github/workflows/server-https-nss-test.yml | 9 +++- .../workflows/server-https-pkcs12-test.yml | 9 +++- .../netscape/cmstools/nss/NSSCertFindCLI.java | 42 ++++++++++++++++--- 3 files changed, 51 insertions(+), 9 deletions(-) diff --git a/.github/workflows/server-https-nss-test.yml b/.github/workflows/server-https-nss-test.yml index 0d6a5692610..c7f407d6372 100644 --- a/.github/workflows/server-https-nss-test.yml +++ b/.github/workflows/server-https-nss-test.yml @@ -192,7 +192,7 @@ jobs: diff expected stderr # the cert should not be stored - docker exec client pki nss-cert-find | tee output + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output diff /dev/null output @@ -225,6 +225,11 @@ jobs: diff expected stderr + # the cert should not be stored + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output + + diff /dev/null output + - name: Check PKI CLI with newly trusted server cert run: | # run PKI CLI and trust the cert @@ -257,7 +262,7 @@ jobs: diff expected stderr # the cert should be stored and trusted - docker exec client pki nss-cert-find | tee output + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output sed -i \ -e '/^ *Serial Number:/d' \ diff --git a/.github/workflows/server-https-pkcs12-test.yml b/.github/workflows/server-https-pkcs12-test.yml index 6a892fac791..be45701fdca 100644 --- a/.github/workflows/server-https-pkcs12-test.yml +++ b/.github/workflows/server-https-pkcs12-test.yml @@ -222,7 +222,7 @@ jobs: diff expected stderr # the cert should not be stored - docker exec client pki nss-cert-find | tee output + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output diff /dev/null output 
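Review bot: The new negative check in the @@ -225 hunk (`docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output` followed by `diff /dev/null output`) passes vacuously when `pki nss-cert-find` exits non-zero, because `tee` reports its own status and a failing CLI leaves `output` empty, which is exactly what the check expects. Whether that is masked depends on the job's shell: GitHub Actions only adds `-o pipefail` when `shell: bash` is set explicitly, and the job's defaults are outside this hunk, so I cannot tell which applies here. Adding `set -o pipefail` at the top of the step, or writing the command as `docker exec client pki nss-cert-find --subject CN=pki.example.com > output` and checking `output` afterwards, turns a CLI failure into a failed step instead of a passing one. The same construct appears in the @@ -192 hunk of this workflow and in the two matching hunks of the pkcs12 workflow.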
@@ -251,6 +251,11 @@ jobs: diff expected stderr + # the cert should not be stored + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output + + diff /dev/null output + - name: Check PKI CLI with newly trusted server cert run: | # run PKI CLI and trust the cert @@ -282,7 +287,7 @@ jobs: diff expected stderr # the cert should be stored and trusted - docker exec client pki nss-cert-find | tee output + docker exec client pki nss-cert-find --subject CN=pki.example.com | tee output sed -i \ -e '/^ *Serial Number:/d' \ diff --git a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertFindCLI.java b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertFindCLI.java index 597dd3899c2..3764df0ebe2 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertFindCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/nss/NSSCertFindCLI.java @@ -5,10 +5,12 @@ // package com.netscape.cmstools.nss; -import java.util.Arrays; +import java.util.ArrayList; import java.util.Collection; +import java.util.List; import org.apache.commons.cli.CommandLine; +import org.apache.commons.cli.Option; import org.dogtagpki.cli.CommandCLI; import org.mozilla.jss.crypto.CryptoStore; import org.mozilla.jss.crypto.CryptoToken; 
@@ -31,25 +33,55 @@ public void printHelp() { formatter.printHelp(getFullName() + " [OPTIONS...]", options); } - public Collection findAllCerts() throws Exception { + @Override + public void createOptions() { + Option option = new Option(null, "subject", true, "Subject DN"); + option.setArgName("DN"); + options.addOption(option); + + option = new Option(null, "issuer", true, "Issuer DN"); + option.setArgName("DN"); + options.addOption(option); + } - logger.info("Searching for all certs"); + public Collection findCerts( + String subject, + String issuer + ) throws Exception { + + logger.info("Searching for certs"); String tokenName = getConfig().getTokenName(); CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); CryptoStore store = token.getCryptoStore(); - return Arrays.asList(store.getCertificates()); + List results = new ArrayList<>(); + for (X509Certificate cert : store.getCertificates()) { + + if (subject != null && !subject.equals(cert.getSubjectDN().toString())) { + continue; + } + + if (issuer != null && !issuer.equals(cert.getIssuerDN().toString())) { + continue; + } + + results.add(cert); + } + return results; } @Override public void execute(CommandLine cmd) throws Exception { + String subject = cmd.getOptionValue("subject"); + String issuer = cmd.getOptionValue("issuer"); + MainCLI mainCLI = (MainCLI) getRoot(); mainCLI.init(); boolean first = true; - for (X509Certificate cert : findAllCerts()) { + for (X509Certificate cert : findCerts(subject, issuer)) { if (first) { first = false;
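Review bot: In `findCerts`, the new `--subject` and `--issuer` filters compare the user's string against `cert.getSubjectDN().toString()` with `String.equals`, so a DN that differs only in attribute order, spacing, attribute-type case or escaping (`CN=pki.example.com, O=EXAMPLE` versus `CN=pki.example.com,O=EXAMPLE`) is silently treated as not matching, and a malformed `--subject` matches nothing rather than erroring. For a command the workflows now use to assert that a cert is *not* in the database, a false negative is the dangerous direction: a stored cert whose subject renders differently passes the check. Parsing both sides into `javax.security.auth.x500.X500Principal` and comparing those uses the RFC 2253 canonical form and rejects unparseable input up front; `getSubjectDN()`/`getIssuerDN()` are the legacy accessors whose string form is implementation-specific, which is what makes the current comparison fragile (the concrete `X509Certificate` type is imported outside this hunk, so I cannot see which implementation's `toString()` this is). If the JSS certificate exposes the DER-encoded name, build the `X500Principal` from those bytes instead of from `toString()`. The rewrite below needs `import javax.security.auth.x500.X500Principal;` added to the import block.

```java
public Collection<X509Certificate> findCerts(
        String subject,
        String issuer
) throws Exception {

    // Parse once up front: an unparseable DN fails here instead of silently matching nothing.
    X500Principal subjectDN = subject == null ? null : new X500Principal(subject);
    X500Principal issuerDN = issuer == null ? null : new X500Principal(issuer);

    // … unchanged: logging and token/store lookup …

    List<X509Certificate> results = new ArrayList<>();
    for (X509Certificate cert : store.getCertificates()) {

        // X500Principal.equals compares canonical forms, so attribute order,
        // whitespace and attribute-type case no longer affect the match.
        if (subjectDN != null
                && !subjectDN.equals(new X500Principal(cert.getSubjectDN().toString()))) {
            continue;
        }

        if (issuerDN != null
                && !issuerDN.equals(new X500Principal(cert.getIssuerDN().toString()))) {
            continue;
        }

        results.add(cert);
    }
    return results;
}
```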