Diffstat (limited to 'usr/src')
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/export.c24
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/gencsr.c28
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/import.c17
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/pktool.c24
4 files changed, 63 insertions, 30 deletions
diff --git a/usr/src/cmd/cmd-crypto/pktool/export.c b/usr/src/cmd/cmd-crypto/pktool/export.c
index 47a9f1d9e2..566fc4469a 100644
--- a/usr/src/cmd/cmd-crypto/pktool/export.c
+++ b/usr/src/cmd/cmd-crypto/pktool/export.c
@@ -19,12 +19,10 @@
* CDDL HEADER END
*
*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* This file implements the export operation for this tool.
* The basic flow of the process is to find the soft token,
@@ -588,7 +586,7 @@ done:
static KMF_RETURN
pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
- char *certlabel, char *issuer, char *subject,
+ KMF_CREDENTIAL *cred, char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt,
char *filename)
{
@@ -600,14 +598,18 @@ pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
rv = select_token(kmfhandle, token_spec, TRUE);
- if (rv != KMF_OK) {
+ if (rv != KMF_OK)
return (rv);
- }
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
+ if (cred != NULL) {
+ kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
+ cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
if (certlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CERT_LABEL_ATTR, certlabel,
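Review bot: The new `if (cred != NULL)` block writes one more entry into `attrlist` than this function could previously produce, and the array's declared length is outside this hunk; confirm it has room for the extra `numattr` slot, since `kmf_set_attr_at_index` is called here without any bounds check. The size argument could be written `sizeof (*cred)` so it follows the parameter's type instead of repeating `KMF_CREDENTIAL`. The pointer stored in the attribute is the caller's `tokencred` (see the `token_spec, &tokencred, certlabel,` change later in this file), so that object must outlive the call that consumes `attrlist`; whether the caller clears the password afterwards is not visible in this diff. pk_export_pk11_objects's body continues outside the hunk.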
@@ -867,10 +869,10 @@ pk_export(int argc, char *argv[])
serial.len = bytelen;
}
- if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
- kstype == KMF_KEYSTORE_NSS) &&
- (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) ||
- kfmt == KMF_FORMAT_PKCS12)) {
+ if (kstype == KMF_KEYSTORE_PK11TOKEN ||
+ ((kstype == KMF_KEYSTORE_NSS) &&
+ (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) ||
+ kfmt == KMF_FORMAT_PKCS12) {
(void) get_token_password(kstype, token_spec,
&tokencred);
}
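Review bot: The result of `get_token_password` is still cast to `(void)` inside the rewritten condition, and that condition now prompts unconditionally for a PKCS#11 keystore, after which `&tokencred` is always forwarded to pk_export_pk11_objects (the `token_spec, &tokencred, certlabel,` change below). If the prompt fails, whatever `tokencred` held before — its initialisation is outside this hunk — is handed on as a real credential, so checking the return value and bailing out, rather than discarding it, would make the failure explicit. Splitting the new condition so each keystore case sits on its own line, with a one-line comment saying why PKCS#11 always needs the PIN while NSS needs it only for private objects or PKCS#12, would also help the next reader. pk_export's body continues outside the hunk.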
@@ -896,7 +898,7 @@ pk_export(int argc, char *argv[])
certlabel, filename, oclass);
else
rv = pk_export_pk11_objects(kmfhandle,
- token_spec, certlabel,
+ token_spec, &tokencred, certlabel,
issuer, subject, &serial, kfmt,
filename);
break;
diff --git a/usr/src/cmd/cmd-crypto/pktool/gencsr.c b/usr/src/cmd/cmd-crypto/pktool/gencsr.c
index 87e13a3392..f06e950c43 100644
--- a/usr/src/cmd/cmd-crypto/pktool/gencsr.c
+++ b/usr/src/cmd/cmd-crypto/pktool/gencsr.c
@@ -551,9 +551,15 @@ pk_gencsr(int argc, char *argv[])
altname = optarg_av;
break;
case 'i':
- if (interactive || subject)
+ if (interactive)
return (PK_ERR_USAGE);
- else
+ else if (subject) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
interactive = B_TRUE;
break;
case 'k':
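Review bot: The `case 'i'` branch here and the `case 's'` branch in the next hunk carry the same three-line message literal twice, and each pairs a braced `else if` with an unbraced trailing `else`. Hoisting the literal into one file-scope `static const char *` (or a small static helper that calls `cryptoerror`) keeps the two messages from drifting apart, and bracing the last branch — `} else {` / `interactive = B_TRUE;` / `}` — matches the braced branch above it. A repeated `-i` still fails with a bare usage error while `-i` after `subject=` gets the explanatory message; if that asymmetry is intended, a short comment on the `if (interactive)` line would save the reader from wondering. pk_gencsr's body continues outside the hunk.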
@@ -562,9 +568,15 @@ pk_gencsr(int argc, char *argv[])
return (PK_ERR_USAGE);
break;
case 's':
- if (interactive || subject)
+ if (subject)
return (PK_ERR_USAGE);
- else
+ else if (interactive) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
subject = optarg_av;
break;
case 'l':
@@ -798,10 +810,16 @@ pk_gencsr(int argc, char *argv[])
}
end:
- if (rv != KMF_OK)
+ if (rv != KMF_OK) {
display_error(kmfhandle, rv,
gettext("Error creating CSR or keypair"));
+ if (rv == KMF_ERR_RDN_PARSER) {
+ cryptoerror(LOG_STDERR, gettext("subject or "
+ "issuer name must be in proper DN format.\n"));
+ }
+ }
+
if (ekulist != NULL)
free_eku_list(ekulist);
diff --git a/usr/src/cmd/cmd-crypto/pktool/import.c b/usr/src/cmd/cmd-crypto/pktool/import.c
index b17af422f4..48427897ba 100644
--- a/usr/src/cmd/cmd-crypto/pktool/import.c
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c
@@ -960,6 +960,8 @@ pk_import(int argc, char *argv[])
}
if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) {
+ char *kmferrstr = NULL;
+ KMF_RETURN rv2;
/*
* Allow for raw key data to be imported.
*/
@@ -981,8 +983,19 @@ pk_import(int argc, char *argv[])
return (KMF_ERR_BAD_PARAMETER);
}
} else {
- cryptoerror(LOG_STDERR,
- gettext("File format not recognized."));
+ if (rv == KMF_ERR_OPEN_FILE) {
+ cryptoerror(LOG_STDERR,
+ gettext("Cannot open file (%s)\n."),
+ filename);
+ } else {
+ rv2 = kmf_get_kmf_error_str(rv, &kmferrstr);
+ if (rv2 == KMF_OK && kmferrstr) {
+ cryptoerror(LOG_STDERR,
+ gettext("libkmf error: %s"),
+ kmferrstr);
+ kmf_free_str(kmferrstr);
+ }
+ }
return (rv);
}
}
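Review bot: The format string `gettext("Cannot open file (%s)\n.")` in the new `KMF_ERR_OPEN_FILE` branch has its period after the newline, so the message prints as `Cannot open file (name)` followed by a line containing only `.`; it should read `gettext("Cannot open file (%s).\n")`. In the other branch nothing is printed when `kmf_get_kmf_error_str` fails or yields a NULL string, whereas the removed code always reported `File format not recognized.`; keeping that as the fallback, `} else { cryptoerror(LOG_STDERR, gettext("File format not recognized.")); }`, avoids returning `rv` with no diagnostic. The new `libkmf error: %s` message also lacks the trailing `\n` the open-file message has — whether `cryptoerror` appends one is not visible here, so the two should at least agree. `kmferrstr` and `rv2` are declared at the top of the enclosing `if` block in the previous hunk but are used only in this `else`; declaring them where they are used keeps their scope minimal. pk_import's body continues outside the hunk.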
diff --git a/usr/src/cmd/cmd-crypto/pktool/pktool.c b/usr/src/cmd/cmd-crypto/pktool/pktool.c
index 440bc84484..15a906b2a7 100644
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c
@@ -296,10 +296,10 @@ static int pk_help(int argc, char *argv[]);
#define GENCERT_VERB "gencert"
#define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
#define GENCERT_SYN \
- "gencert [-i] keystore=nss\n\t\t" \
+ "gencert keystore=nss\n\t\t" \
"label=cert-nickname\n\t\t" \
"serial=serial number hex string]\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -311,10 +311,10 @@ static int pk_help(int argc, char *argv[]);
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ lifetime=number-hour|number-day|number-year ]\n\t" \
\
- "gencert [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencert [ keystore=pkcs11 ]\n\t\t" \
"label=key/cert-label\n\t\t" \
- "subject=subject-DN\n\t\t" \
"serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -323,11 +323,11 @@ static int pk_help(int argc, char *argv[]);
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ lifetime=number-hour|number-day|number-year ]\n\t" \
\
- "gencert [-i] keystore=file\n\t\t" \
+ "gencert keystore=file\n\t\t" \
"outcert=cert_filename\n\t\t" \
"outkey=key_filename\n\t\t" \
- "subject=subject-DN\n\t\t" \
"serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ format=der|pem ]\n\t\t" \
@@ -343,10 +343,10 @@ static int pk_help(int argc, char *argv[]);
"request file")
#define GENCSR_SYN \
- "gencsr [-i] keystore=nss \n\t\t" \
+ "gencsr keystore=nss \n\t\t" \
"nickname=cert-nickname\n\t\t" \
"outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -357,10 +357,10 @@ static int pk_help(int argc, char *argv[]);
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ format=pem|der ]\n\t" \
\
- "gencsr [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencsr [ keystore=pkcs11 ]\n\t\t" \
"label=key-label\n\t\t" \
"outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -369,10 +369,10 @@ static int pk_help(int argc, char *argv[]);
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ format=pem|der ]]\n\t" \
\
- "gencsr [-i] keystore=file\n\t\t" \
+ "gencsr keystore=file\n\t\t" \
"outcsr=csr-fn\n\t\t" \
"outkey=key-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ keytype=rsa|dsa ]\n\t\t" \