authorwyllys <none@none>2008-04-03 14:25:19 -0700
committerwyllys <none@none>2008-04-03 14:25:19 -0700
commitfa60c371cd00bdca17de2ff18fe3e64d051ae61b (patch)
tree2ebb5dfcf1b5725debd600e618ca49c8149df684 /usr/src/cmd/cmd-crypto
parentc08e5e1a6b0518eb8f644673c26e1d3f22a773b0 (diff)
6669251 KMF needs to support empty PINs
6669357 KMF pkcs11 incorrectly sets some attributes when creating certificates and keys 6679525 [CLI] Subcommands in pktool's help are overtranslated 6680520 pktool needs to prompt for PIN more often
Diffstat (limited to 'usr/src/cmd/cmd-crypto')
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/common.c22
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/common.h2
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/gencert.c4
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/genkey.c6
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/import.c15
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/list.c34
-rw-r--r--usr/src/cmd/cmd-crypto/pktool/pktool.c76
7 files changed, 113 insertions, 46 deletions
diff --git a/usr/src/cmd/cmd-crypto/pktool/common.c b/usr/src/cmd/cmd-crypto/pktool/common.c
index 95c5e2e229..55eb70826f 100644
--- a/usr/src/cmd/cmd-crypto/pktool/common.c
+++ b/usr/src/cmd/cmd-crypto/pktool/common.c
@@ -1174,3 +1174,25 @@ verify_ekunames(char *ekuliststr, EKU_LIST **ekulist)
return (rv);
}
+
+KMF_RETURN
+token_auth_needed(KMF_HANDLE_T handle, char *tokenlabel, int *auth)
+{
+ CK_TOKEN_INFO info;
+ CK_SLOT_ID slot;
+ CK_RV ckrv;
+ KMF_RETURN rv;
+
+ *auth = 0;
+ rv = kmf_pk11_token_lookup(handle, tokenlabel, &slot);
+ if (rv != KMF_OK)
+ return (rv);
+
+ ckrv = C_GetTokenInfo(slot, &info);
+ if (ckrv != KMF_OK)
+ return (KMF_ERR_INTERNAL);
+
+ *auth = (info.flags & CKF_LOGIN_REQUIRED);
+
+ return (KMF_OK);
+}
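Review bot: `ckrv != KMF_OK` on the C_GetTokenInfo() result compares a CK_RV against a KMF_RETURN constant; it only works because both "ok" values happen to be zero, and it misleads the reader about which error space is being checked — use `if (ckrv != CKR_OK)`. The new function also has no header comment; I would add one stating that it reports through *auth whether the named PKCS#11 token has CKF_LOGIN_REQUIRED set, that *auth is zeroed before the lookup so it is well-defined on every error return, and that a slot lookup failure is passed through while a C_GetTokenInfo() failure is mapped to KMF_ERR_INTERNAL. Storing `info.flags & CKF_LOGIN_REQUIRED` in an int works for callers that only test `auth > 0`, but `*auth = (info.flags & CKF_LOGIN_REQUIRED) != 0;` would make the out-parameter a plain boolean rather than a flag bit.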
diff --git a/usr/src/cmd/cmd-crypto/pktool/common.h b/usr/src/cmd/cmd-crypto/pktool/common.h
index 70a3181534..fc2614938a 100644
--- a/usr/src/cmd/cmd-crypto/pktool/common.h
+++ b/usr/src/cmd/cmd-crypto/pktool/common.h
@@ -128,6 +128,7 @@ KMF_RETURN verify_altname(char *arg, KMF_GENERALNAMECHOICES *, int *);
KMF_RETURN verify_keyusage(char *arg, uint16_t *, int *);
KMF_RETURN verify_file(char *);
KMF_RETURN verify_ekunames(char *, EKU_LIST **);
+KMF_RETURN token_auth_needed(KMF_HANDLE_T, char *, int *);
void free_eku_list(EKU_LIST *);
@@ -135,6 +136,7 @@ int yn_to_int(char *);
int get_token_password(KMF_KEYSTORE_TYPE, char *, KMF_CREDENTIAL *);
void display_error(void *, KMF_RETURN, char *);
+
#define DEFAULT_NSS_TOKEN "internal"
#define DEFAULT_TOKEN_PROMPT "Enter PIN for %s: "
diff --git a/usr/src/cmd/cmd-crypto/pktool/gencert.c b/usr/src/cmd/cmd-crypto/pktool/gencert.c
index 4f4652e6ee..c5927e52c5 100644
--- a/usr/src/cmd/cmd-crypto/pktool/gencert.c
+++ b/usr/src/cmd/cmd-crypto/pktool/gencert.c
@@ -119,7 +119,7 @@ gencert_pkcs11(KMF_HANDLE_T kmfhandle,
numattr++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
@@ -537,7 +537,7 @@ gencert_nss(KMF_HANDLE_T kmfhandle,
numattr++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
diff --git a/usr/src/cmd/cmd-crypto/pktool/genkey.c b/usr/src/cmd/cmd-crypto/pktool/genkey.c
index de9e9c858e..5c9b2616ae 100644
--- a/usr/src/cmd/cmd-crypto/pktool/genkey.c
+++ b/usr/src/cmd/cmd-crypto/pktool/genkey.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -87,7 +87,7 @@ genkey_nss(KMF_HANDLE_T kmfhandle, char *token, char *dir, char *prefix,
i++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attlist, i,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
@@ -191,7 +191,7 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token,
i++;
}
- if (tokencred != NULL && tokencred->credlen > 0) {
+ if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attlist, i,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
diff --git a/usr/src/cmd/cmd-crypto/pktool/import.c b/usr/src/cmd/cmd-crypto/pktool/import.c
index edcb62332f..d9cdc41cc4 100644
--- a/usr/src/cmd/cmd-crypto/pktool/import.c
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c
@@ -19,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -376,6 +376,7 @@ pk_import_cert(
{
KMF_RETURN rv = KMF_OK;
KMF_ATTRIBUTE attrlist[32];
+ KMF_CREDENTIAL tokencred;
int i = 0;
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
@@ -416,6 +417,18 @@ pk_import_cert(
}
rv = kmf_import_cert(kmfhandle, i, attrlist);
+ if (rv == KMF_ERR_AUTH_FAILED) {
+ /*
+ * The token requires a credential, prompt and try again.
+ */
+ (void) get_token_password(kstype, token_spec, &tokencred);
+ kmf_set_attr_at_index(attrlist, i, KMF_CREDENTIAL_ATTR,
+ &tokencred, sizeof (KMF_CREDENTIAL));
+ i++;
+
+ rv = kmf_import_cert(kmfhandle, i, attrlist);
+
+ }
return (rv);
}
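Review bot: In the retry path, `tokencred` (declared without an initializer at the top of pk_import_cert) is passed to the second kmf_import_cert() even when the get_token_password() call fails, because its return value is discarded; a failed or cancelled prompt then hands the library an uninitialized KMF_CREDENTIAL. Initialize it the way list.c does, `KMF_CREDENTIAL tokencred = {NULL, 0};`, and guard the retry with `if (get_token_password(kstype, token_spec, &tokencred) != KMF_OK) return (rv);` so the original KMF_ERR_AUTH_FAILED is what the caller sees. Nothing in the hunk clears or releases the PIN held in tokencred after the second import; if get_token_password() allocates that buffer (not visible here), it should be zeroized and freed before returning. pk_import_cert's signature and the first part of its body lie outside this hunk.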
diff --git a/usr/src/cmd/cmd-crypto/pktool/list.c b/usr/src/cmd/cmd-crypto/pktool/list.c
index 02f4da1d65..ad20acb868 100644
--- a/usr/src/cmd/cmd-crypto/pktool/list.c
+++ b/usr/src/cmd/cmd-crypto/pktool/list.c
@@ -311,11 +311,13 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
KMF_RETURN rv;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
int numattr = 0;
- KMF_ATTRIBUTE attrlist[16];
+ KMF_ATTRIBUTE attrlist[18];
boolean_t token_bool = B_TRUE;
boolean_t private = B_FALSE;
KMF_KEY_CLASS keyclass;
KMF_ENCODE_FORMAT format;
+ int auth = 0;
+ KMF_CREDENTIAL cred = {NULL, 0};
/*
* Symmetric keys and RSA/DSA private keys are always
@@ -332,6 +334,13 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
return (rv);
}
+ rv = token_auth_needed(kmfhandle, token, &auth);
+ if (rv != KMF_OK)
+ return (rv);
+
+ if (tokencred != NULL)
+ cred = *tokencred;
+
if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
@@ -409,6 +418,16 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
int num = numattr;
+ if (auth > 0 && (tokencred == NULL ||
+ tokencred->cred == NULL) &&
+ (cred.cred == NULL)) {
+ (void) get_token_password(kstype, token, &cred);
+ kmf_set_attr_at_index(attrlist, numattr,
+ KMF_CREDENTIAL_ATTR,
+ &cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
+
private = B_FALSE;
keyclass = KMF_ASYM_PUB;
kmf_set_attr_at_index(attrlist, num,
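Review bot: The credential obtained in the PK_PUBKEY_OBJ branch is added to attrlist unconditionally after the get_token_password() call, whereas the PK_CERT_OBJ branch in the following hunk only adds it under `if (cred.cred != NULL)`; a failed prompt here therefore registers a KMF_CREDENTIAL_ATTR whose cred pointer is NULL. Wrap the kmf_set_attr_at_index()/`numattr++` pair in the same `if (cred.cred != NULL)` guard as the later branch so both paths behave alike. The `(tokencred == NULL || tokencred->cred == NULL)` clause is redundant with `cred.cred == NULL`, since cred was copied from *tokencred earlier in the function, and dropping it makes the condition easier to read. As in import.c, the PIN left in cred is neither cleared nor freed after the list calls; whether that matters depends on get_token_password()'s allocation, which is not visible here. list_pk11_objects continues past the end of this hunk.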
@@ -429,7 +448,18 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
+
numattr++;
+ if (auth > 0 && (cred.cred == NULL)) {
+ (void) get_token_password(kstype, token, &cred);
+ }
+
+ if (cred.cred != NULL) {
+ kmf_set_attr_at_index(attrlist, numattr,
+ KMF_CREDENTIAL_ATTR,
+ &cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
if (objlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
@@ -452,7 +482,7 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
numattr++;
}
- if (serial != NULL) {
+ if (serial != NULL && serial->val != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_BIGINT_ATTR, serial,
sizeof (KMF_BIGINT));
diff --git a/usr/src/cmd/cmd-crypto/pktool/pktool.c b/usr/src/cmd/cmd-crypto/pktool/pktool.c
index d781f62a65..c9fb819591 100644
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c
@@ -73,26 +73,26 @@ extern int pk_signcsr(int argc, char *argv[]);
static int pk_help(int argc, char *argv[]);
#define TOKEN_IDX 0
-#define TOKEN_VERB gettext("tokens")
+#define TOKEN_VERB "tokens"
#define TOKEN_SUMM gettext("lists all visible PKCS#11 tokens")
-#define TOKEN_SYN gettext("tokens")
+#define TOKEN_SYN "tokens"
#define SETPIN_IDX 1
-#define SETPIN_VERB gettext("setpin")
+#define SETPIN_VERB "setpin"
#define SETPIN_SUMM gettext("changes user authentication passphrase "\
"for keystore access")
-#define SETPIN_SYN gettext(\
+#define SETPIN_SYN \
"setpin [ keystore=pkcs11 ]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t" \
"setpin keystore=nss\n\t\t" \
"[ token=token ]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ prefix=DBprefix ]\n\t")
+ "[ prefix=DBprefix ]\n\t"
#define LIST_IDX 2
-#define LIST_VERB gettext("list")
+#define LIST_VERB "list"
#define LIST_SUMM gettext("lists a summary of objects in the keystore")
-#define LIST_SYN gettext(\
+#define LIST_SYN \
"list [ token=token[:manuf[:serial]]]\n\t\t" \
"[ objtype=private|public|both ]\n\t\t" \
"[ label=label ]\n\t" \
@@ -146,12 +146,12 @@ static int pk_help(int argc, char *argv[]);
\
"list keystore=file objtype=crl\n\t\t" \
"infile=crl-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define DELETE_IDX 3
-#define DELETE_VERB gettext("delete")
+#define DELETE_VERB "delete"
#define DELETE_SUMM gettext("deletes objects in the keystore")
-#define DELETE_SYN gettext(\
+#define DELETE_SYN \
"delete [ token=token[:manuf[:serial]]]\n\t\t" \
"[ objtype=private|public|both ]\n\t\t" \
"[ label=object-label ]\n\t" \
@@ -212,12 +212,12 @@ static int pk_help(int argc, char *argv[]);
\
"delete keystore=file objtype=crl\n\t\t" \
"infile=crl-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define IMPORT_IDX 4
-#define IMPORT_VERB gettext("import")
+#define IMPORT_VERB "import"
#define IMPORT_SUMM gettext("imports objects from an external source")
-#define IMPORT_SYN gettext(\
+#define IMPORT_SYN \
"import [token=token[:manuf[:serial]]]\n\t\t" \
"infile=input-fn\n\t" \
\
@@ -263,12 +263,12 @@ static int pk_help(int argc, char *argv[]);
"infile=input-crl-fn\n\t\t" \
"outcrl=output-crl-fn\n\t\t" \
"outformat=pem|der\n\t\t" \
- "[ dir=output-crl-directory-path ]\n\t")
+ "[ dir=output-crl-directory-path ]\n\t"
#define EXPORT_IDX 5
-#define EXPORT_VERB gettext("export")
+#define EXPORT_VERB "export"
#define EXPORT_SUMM gettext("exports objects from the keystore to a file")
-#define EXPORT_SYN gettext(\
+#define EXPORT_SYN \
"export [token=token[:manuf[:serial]]]\n\t\t" \
"outfile=output-fn\n\t" \
\
@@ -298,12 +298,12 @@ static int pk_help(int argc, char *argv[]);
"certfile=cert-input-fn\n\t\t" \
"keyfile=key-input-fn\n\t\t" \
"outfile=output-pkcs12-fn\n\t\t" \
- "[ dir=directory-path ]\n\t")
+ "[ dir=directory-path ]\n\t"
#define GENCERT_IDX 6
-#define GENCERT_VERB gettext("gencert")
+#define GENCERT_VERB "gencert"
#define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
-#define GENCERT_SYN gettext(\
+#define GENCERT_SYN \
"gencert [-i] keystore=nss\n\t\t" \
"label=cert-nickname\n\t\t" \
"serial=serial number hex string]\n\t\t" \
@@ -344,14 +344,14 @@ static int pk_help(int argc, char *argv[]);
"[ keytype=rsa|dsa ]\n\t\t" \
"[ keylen=key-size ]\n\t\t" \
"[ eku=[critical:]EKU name,...]\n\t\t" \
- "[ lifetime=number-hour|number-day|number-year ]\n\t")
+ "[ lifetime=number-hour|number-day|number-year ]\n\t"
#define GENCSR_IDX 7
-#define GENCSR_VERB gettext("gencsr")
+#define GENCSR_VERB "gencsr"
#define GENCSR_SUMM gettext("creates a PKCS#10 certificate signing " \
"request file")
-#define GENCSR_SYN gettext(\
+#define GENCSR_SYN \
"gencsr [-i] keystore=nss \n\t\t" \
"nickname=cert-nickname\n\t\t" \
"outcsr=csr-fn\n\t\t" \
@@ -388,22 +388,22 @@ static int pk_help(int argc, char *argv[]);
"[ keylen=key-size ]\n\t\t" \
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ format=pem|der ]\n\t")
+ "[ format=pem|der ]\n\t"
#define DOWNLOAD_IDX 8
-#define DOWNLOAD_VERB gettext("download")
+#define DOWNLOAD_VERB "download"
#define DOWNLOAD_SUMM gettext("downloads a CRL or certificate file " \
"from an external source")
-#define DOWNLOAD_SYN gettext(\
+#define DOWNLOAD_SYN \
"download url=url_str\n\t\t" \
"[ objtype=crl|cert ]\n\t\t" \
"[ http_proxy=proxy_str ]\n\t\t" \
- "[ outfile = outfile ]\n\t")
+ "[ outfile = outfile ]\n\t"
#define GENKEY_IDX 9
-#define GENKEY_VERB gettext("genkey")
+#define GENKEY_VERB "genkey"
#define GENKEY_SUMM gettext("creates a symmetric key in the keystore")
-#define GENKEY_SYN gettext(\
+#define GENKEY_SYN \
"genkey [ keystore=pkcs11 ]\n\t\t" \
"label=key-label\n\t\t" \
"[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \
@@ -426,12 +426,12 @@ static int pk_help(int argc, char *argv[]);
"[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \
"[ keylen=key-size (AES, ARCFOUR or GENERIC only)]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ print=y|n ]\n\t")
+ "[ print=y|n ]\n\t"
#define SIGNCSR_IDX 10
-#define SIGNCSR_VERB gettext("signcsr")
+#define SIGNCSR_VERB "signcsr"
#define SIGNCSR_SUMM gettext("Sign a PKCS#10 Certificate Signing Request")
-#define SIGNCSR_SYN gettext(\
+#define SIGNCSR_SYN \
"signcsr keystore=pkcs11\n\t\t" \
"signkey=label (label of signing key)\n\t\t" \
"csr=CSR filename\n\t\t" \
@@ -477,12 +477,12 @@ static int pk_help(int argc, char *argv[]);
"[ lifetime=number-hour|number-day|number-year ]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
"[ dir=directory-path ]\n\t\t" \
- "[ prefix=DBprefix ]\n\t")
+ "[ prefix=DBprefix ]\n\t"
#define HELP_IDX 11
-#define HELP_VERB gettext("help")
+#define HELP_VERB "help"
#define HELP_SUMM gettext("displays help message")
-#define HELP_SYN gettext("help\t(help and usage)")
+#define HELP_SYN "help\t(help and usage)"
/* Command structure for verbs and their actions. Do NOT i18n/l10n. */
static verbcmd cmds[] = {
@@ -555,7 +555,6 @@ init_command_list()
cmds[HELP_IDX].verb = HELP_VERB;
cmds[HELP_IDX].summary = HELP_SUMM;
cmds[HELP_IDX].synopsis = HELP_SYN;
-
}
/*
@@ -583,9 +582,10 @@ usage(int idx)
(void) fprintf(stdout, " %-8s - %s\n",
cmds[i].verb, cmds[i].summary);
}
- (void) fprintf(stdout, gettext("\nFurther details on the "
- "subcommands can be found by adding \'help\'.\n"
- "Ex: pktool gencert help\n\n"));
+ (void) fprintf(stdout, "%s \'help\'.\n"
+ "Ex: pktool gencert help\n\n",
+ gettext("\nFurther details on the "
+ "subcommands can be found by adding"));
} else {
(void) fprintf(stdout, "\t%s\n", cmds[idx].synopsis);
}
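Review bot: The usage footer now splits one sentence into a translated fragment ending in "...by adding" and an untranslated tail "'help'.", so the msgid a translator sees is an incomplete sentence and the word order is fixed by the format string, which does not hold in every language. If the intent is to keep the subcommand word itself out of translation, keep the whole sentence in one msgid with a placeholder for the verb, e.g. `(void) fprintf(stdout, gettext("\nFurther details on the subcommands can be found by adding '%s'.\nEx: pktool gencert %s\n\n"), "help", "help");` — the format string stays a literal under gettext(), matching the pattern used elsewhere in this file. usage() begins before this hunk.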