5188 SVR4 packaging shouldn't depend on openssl or libwanboot

Reviewed by: Igor Kozhukhov <igor@dilos.org> Reviewed by: Alexander Eremin <alexander.r.eremin@gmail.com> Approved by: Gordon Ross <gordon.w.ross@gmail.com>
author: Peter Tribble <peter.tribble@gmail.com> 2017-03-13 20:25:34 +0000
committer: Gordon Ross <gwr@nexenta.com> 2017-03-29 19:13:24 -0400
commit: 32991bedc3a6475f1401855c2318ae5b15f8a16b (patch)
tree: 3360e7844885746ed96019a9e3a42cd7e5e73409 /usr/src/cmd/svr4pkg/pkgadm
parent: 4383d9578c9d399b19edc33e552a4c543ebf9468 (diff)
download: illumos-joyent-32991bedc3a6475f1401855c2318ae5b15f8a16b.tar.gz
9 files changed, 20 insertions, 1479 deletions
diff --git a/usr/src/cmd/svr4pkg/pkgadm/Makefile b/usr/src/cmd/svr4pkg/pkgadm/Makefile
index 620e32cf0d..5706ea704e 100644
--- a/usr/src/cmd/svr4pkg/pkgadm/Makefile
+++ b/usr/src/cmd/svr4pkg/pkgadm/Makefile
@@ -20,22 +20,19 @@
 #
 
 #
+# Copyright (c) 2017 Peter Tribble.
 # Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
 PROG=           pkgadm
 
-OBJS=           addcert.o	\
-		certs.o		\
-		listcert.o	\
-		lock.o		\
-		main.o		\
-		removecert.o
+OBJS=           lock.o		\
+		main.o
 
 include $(SRC)/cmd/svr4pkg/Makefile.svr4pkg
 
-LDLIBS	+=	-lpkg -ladm -lcrypto -lgen
+LDLIBS	+=	-lpkg -ladm -lgen
 
 .KEEP_STATE:
 all:            $(PROG)
diff --git a/usr/src/cmd/svr4pkg/pkgadm/addcert.c b/usr/src/cmd/svr4pkg/pkgadm/addcert.c
deleted file mode 100644
index 0a1c7bdec0..0000000000
--- a/usr/src/cmd/svr4pkg/pkgadm/addcert.c
+++ /dev/null
@@ -1,573 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- */
-
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <signal.h>
-#include <locale.h>
-#include <sys/param.h>
-#include <openssl/bio.h>
-#include <openssl/x509v3.h>
-#include <openssl/ui.h>
-
-#include <pkglib.h>
-#include <libinst.h>
-#include <pkgerr.h>
-#include <keystore.h>
-#include "pkgadm.h"
-#include "pkgadm_msgs.h"
-
-typedef enum {
-	VerifyFailed,
-	Accept,
-	Reject
-} VerifyStatus;
-
-static VerifyStatus	verify_trust(X509 *);
-static boolean_t	is_ca_cert(X509 *);
-
-/*
- * Name:	addcert
- * Desc:  	Imports a user certificate into the keystore, along with a
- *		private key.
- * Returns:	0 on success, non-zero otherwise.
- */
-int
-addcert(int argc, char **argv)
-{
-	int i;
-	char	keystore_file[MAXPATHLEN] = "";
-	char	*keystore_base = NULL;
-	char	*homedir;
-	char	*passarg = NULL;
-	char	*import_passarg = NULL;
-	char	*altroot = NULL;
-	char	*prog = NULL;
-	char	*alias = NULL;
-	char	*infile = NULL;
-	char	*inkeyfile = NULL;
-	keystore_encoding_format_t	informat = NULL;
-	char	*informat_str = NULL;
-	int	ret = 1;
-	boolean_t	trusted = B_FALSE;
-	boolean_t	implicit_trust = B_FALSE;
-
-	FILE	*certfile = NULL;
-	FILE	*keyfile = NULL;
-	X509	*cert = NULL;
-	STACK_OF(X509) *trustcerts = NULL;
-	EVP_PKEY *key = NULL;
-	PKG_ERR	*err = NULL;
-	keystore_handle_t	keystore = NULL;
-
-	while ((i = getopt(argc, argv, ":a:k:e:f:n:P:p:R:ty")) != EOF) {
-		switch (i) {
-		case 'a':
-			prog = optarg;
-			break;
-		case 'k':
-			keystore_base = optarg;
-			break;
-		case 'e':
-			inkeyfile = optarg;
-			break;
-		case 'f':
-			informat_str = optarg;
-			break;
-		case 'n':
-			alias = optarg;
-			break;
-		case 'P':
-			passarg = optarg;
-			break;
-		case 'p':
-			import_passarg = optarg;
-			break;
-		case 'R':
-			altroot = optarg;
-			break;
-		case 't':
-			trusted = B_TRUE;
-			break;
-		case 'y':
-			implicit_trust = B_TRUE;
-			break;
-		case ':':
-			log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt);
-			/* LINTED fallthrough intentional */
-		case '?':
-		default:
-			log_msg(LOG_MSG_ERR, MSG_USAGE);
-			goto cleanup;
-		}
-	}
-
-	if (!trusted && alias == NULL) {
-		/* for untrusted (user) certs, we require a name */
-		log_msg(LOG_MSG_ERR, MSG_USER_NAME);
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	} else if (trusted && alias != NULL) {
-		/* for trusted certs, we cannot have a name */
-		log_msg(LOG_MSG_ERR, MSG_TRUSTED_NAME);
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	}
-
-	if (trusted && inkeyfile != NULL) {
-		/* for trusted certs, we cannot have a private key */
-		log_msg(LOG_MSG_ERR, MSG_TRUSTED_KEY);
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	}
-
-	/* last argument should be the path to the certificate */
-	if ((argc-optind) > 1) {
-	    log_msg(LOG_MSG_ERR, MSG_USAGE);
-	    goto cleanup;
-	} else if ((argc-optind) < 1) {
-		infile = "stdin";
-		certfile = stdin;
-		log_msg(LOG_MSG_DEBUG, "Loading stdin certificate");
-	} else {
-		infile = argv[optind];
-		log_msg(LOG_MSG_DEBUG, "Loading <%s> certificate",
-		    argv[optind]);
-		if ((certfile = fopen(infile, "r")) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_OPEN, infile);
-			goto cleanup;
-		}
-	}
-
-	/*
-	 * if specific key file supplied, open it, otherwise open
-	 * default (stdin)
-	 */
-	if (inkeyfile != NULL) {
-		if ((keyfile = fopen(inkeyfile, "r")) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_OPEN, inkeyfile);
-			goto cleanup;
-		}
-	} else {
-		inkeyfile = "stdin";
-		keyfile = stdin;
-	}
-
-	/* set up proper keystore */
-	if (altroot != NULL) {
-	    if (strlcpy(keystore_file, altroot, MAXPATHLEN) >= MAXPATHLEN) {
-		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
-		goto cleanup;
-	    }
-
-	    if (strlcat(keystore_file, "/", MAXPATHLEN) >= MAXPATHLEN) {
-		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
-		goto cleanup;
-	    }
-	}
-
-	if (keystore_base == NULL) {
-		if (geteuid() == 0 || altroot != NULL) {
-				/*
-				 * If we have an alternate
-				 * root, then we have no choice but to use
-				 * root's keystore on that alternate root,
-				 * since there is no way to resolve a
-				 * user's home dir given an alternate root
-				 */
-			if (strlcat(keystore_file, PKGSEC,
-			    MAXPATHLEN) >= MAXPATHLEN) {
-				log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-				    keystore_file);
-				goto cleanup;
-			}
-		} else {
-			if ((homedir = getenv("HOME")) == NULL) {
-				/*
-				 * not superuser, but no home dir, so
-				 * use superuser's keystore
-				 */
-				if (strlcat(keystore_file, PKGSEC,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			} else {
-				if (strlcat(keystore_file, homedir,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    homedir);
-					goto cleanup;
-				}
-				if (strlcat(keystore_file, "/.pkg/security",
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			}
-		}
-	} else {
-		if (strlcat(keystore_file, keystore_base,
-		    MAXPATHLEN) >= MAXPATHLEN) {
-		    log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-			keystore_base);
-		    goto cleanup;
-		}
-	}
-
-	/* figure out input format */
-	if (informat_str == NULL) {
-		informat = KEYSTORE_FORMAT_PEM;
-	} else {
-		if (ci_streq(informat_str, "pem")) {
-			informat = KEYSTORE_FORMAT_PEM;
-		} else if (ci_streq(informat_str, "der")) {
-			informat = KEYSTORE_FORMAT_DER;
-		} else {
-			log_msg(LOG_MSG_ERR, MSG_BAD_FORMAT, informat_str);
-			goto cleanup;
-		}
-	}
-
-	err = pkgerr_new();
-
-	if (trusted) {
-		/* load all possible certs */
-		if (load_all_certs(err, certfile, informat, import_passarg,
-		    &trustcerts) != 0) {
-			log_pkgerr(LOG_MSG_ERR, err);
-			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-			goto cleanup;
-		}
-
-		/* we must have gotten at least one cert, if not, fail */
-		if (sk_X509_num(trustcerts) < 1) {
-			log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile);
-			goto cleanup;
-		}
-	} else {
-		/* first, try to load user certificate and key */
-		if (load_cert_and_key(err, certfile, informat, import_passarg,
-		    &key, &cert) != 0) {
-			log_pkgerr(LOG_MSG_ERR, err);
-			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-			goto cleanup;
-		}
-
-		/* we must have gotten a cert, if not, fail */
-		if (cert == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile);
-			goto cleanup;
-		}
-
-		if (key == NULL) {
-			/*
-			 * if we are importing a user cert, and did not get
-			 * a key, try to load it from the key file
-			 */
-			if (keyfile == NULL) {
-				log_msg(LOG_MSG_ERR, MSG_NEED_KEY, infile);
-				goto cleanup;
-			} else {
-				log_msg(LOG_MSG_DEBUG,
-				    "Loading private key <%s>", inkeyfile);
-				if (load_cert_and_key(err, keyfile, informat,
-				    import_passarg,
-				    &key, NULL) != 0) {
-					log_pkgerr(LOG_MSG_ERR, err);
-					log_msg(LOG_MSG_ERR,
-					    MSG_NO_ADDKEY, inkeyfile);
-					goto cleanup;
-				}
-
-				if (key == NULL) {
-					log_msg(LOG_MSG_ERR, MSG_NO_PRIVKEY,
-					    inkeyfile);
-					log_msg(LOG_MSG_ERR,
-					    MSG_NO_ADDKEY, inkeyfile);
-					goto cleanup;
-				}
-			}
-		}
-	}
-
-	if (trusted) {
-		/* check validity date of all certificates */
-		for (i = 0; i < sk_X509_num(trustcerts); i++) {
-			/* LINTED pointer cast may result in improper algnmnt */
-			cert = sk_X509_value(trustcerts, i);
-			if (check_cert(err, cert) != 0) {
-				log_pkgerr(LOG_MSG_ERR, err);
-				log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT,
-				    infile);
-				goto cleanup;
-			}
-		}
-	} else {
-		/* check validity date of user certificate */
-		if (check_cert_and_key(err, cert, key) != 0) {
-			log_pkgerr(LOG_MSG_ERR, err);
-			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-			goto cleanup;
-		}
-	}
-
-	if (trusted && !implicit_trust) {
-		/*
-		 * if importing more than one cert, must use implicit trust,
-		 * because we can't ask the user to individually trust
-		 * each one, since there may be many
-		 */
-		if (sk_X509_num(trustcerts) != 1) {
-			log_pkgerr(LOG_MSG_ERR, err);
-			log_msg(LOG_MSG_ERR, MSG_MULTIPLE_TRUST, infile, "-y");
-			goto cleanup;
-		} else {
-			/* LINTED pointer cast may result in improper algnmnt */
-			cert = sk_X509_value(trustcerts, 0);
-		}
-
-		/* ask the user */
-		switch (verify_trust(cert)) {
-		case Accept:
-			/* user accepted */
-			break;
-		case Reject:
-			/* user aborted operation */
-			log_msg(LOG_MSG_ERR, MSG_ADDCERT_ABORT);
-			goto cleanup;
-		case VerifyFailed:
-		default:
-			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-			goto cleanup;
-		}
-	}
-
-	/* now load the key store */
-	log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file);
-
-	set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT);
-	set_passphrase_passarg(passarg);
-	if (open_keystore(err, keystore_file, prog, pkg_passphrase_cb,
-	    KEYSTORE_ACCESS_READWRITE | KEYSTORE_PATH_HARD, &keystore) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-		goto cleanup;
-	}
-
-	/* now merge the new cert into the keystore */
-	log_msg(LOG_MSG_DEBUG, "Merging certificate <%s>",
-	    get_subject_display_name(cert));
-	if (trusted) {
-		/* merge all trusted certs found */
-		for (i = 0; i < sk_X509_num(trustcerts); i++) {
-			/* LINTED pointer cast may result in improper algnmnt */
-			cert = sk_X509_value(trustcerts, i);
-			if (merge_ca_cert(err, cert, keystore) != 0) {
-				log_pkgerr(LOG_MSG_ERR, err);
-				log_msg(LOG_MSG_ERR,
-				    MSG_NO_ADDCERT, infile);
-				goto cleanup;
-
-			} else {
-				log_msg(LOG_MSG_INFO, MSG_TRUSTING,
-				    get_subject_display_name(cert));
-			}
-		}
-	} else {
-		/* merge user cert */
-		if (merge_cert_and_key(err, cert, key, alias, keystore) != 0) {
-			log_pkgerr(LOG_MSG_ERR, err);
-			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-			goto cleanup;
-		}
-	}
-
-	/* now write it back out */
-	log_msg(LOG_MSG_DEBUG, "Closing keystore");
-	set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT);
-	set_passphrase_passarg(passarg);
-	if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
-		goto cleanup;
-	}
-
-	if (trusted) {
-		log_msg(LOG_MSG_INFO, MSG_TRUSTED, infile);
-	} else {
-		log_msg(LOG_MSG_INFO, MSG_ADDED, infile, alias);
-	}
-
-	ret = 0;
-
-	/* fallthrough intentional */
-cleanup:
-	if (err != NULL)
-		pkgerr_free(err);
-
-	if (certfile != NULL)
-		(void) fclose(certfile);
-
-	if (keyfile != NULL)
-		(void) fclose(keyfile);
-
-	return (ret);
-	}
-
-/* Asks user to verify certificate data before proceeding */
-static VerifyStatus verify_trust(X509 *cert)
-{
-	char		vfy_trust = 'y';
-	VerifyStatus	ret = Accept;
-	PKG_ERR		*err;
-	UI		*ui = NULL;
-
-	err = pkgerr_new();
-	/* print cert data */
-	if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT,
-	    get_subject_display_name(cert), B_TRUE, stdout) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		ret = VerifyFailed;
-		goto cleanup;
-	}
-
-	if ((ui = UI_new()) == NULL) {
-		log_msg(LOG_MSG_ERR, MSG_MEM);
-		ret = VerifyFailed;
-		goto cleanup;
-	}
-
-	/*
-	 * The prompt is internationalized, but the valid
-	 * response values are fixed, to avoid any complex
-	 * multibyte processing that results in bugs
-	 */
-	if (UI_add_input_boolean(ui, MSG_VERIFY_TRUST,
-	    "",
-	    "yY", "nN",
-	    UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
-		log_msg(LOG_MSG_ERR, MSG_MEM);
-		ret = VerifyFailed;
-		goto cleanup;
-	}
-
-	if (UI_process(ui) != 0) {
-		log_msg(LOG_MSG_ERR, MSG_MEM);
-		ret = VerifyFailed;
-		goto cleanup;
-	}
-
-	if (vfy_trust != 'y') {
-		ret = Reject;
-		goto cleanup;
-	}
-
-	/*
-	 * if the cert does not appear to be a CA cert
-	 * r is not self-signed, verify that as well
-	 */
-	if (!is_ca_cert(cert)) {
-		UI_free(ui);
-		if ((ui = UI_new()) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_MEM);
-			ret = VerifyFailed;
-			goto cleanup;
-		}
-
-		if (UI_add_input_boolean(ui,
-		    MSG_VERIFY_NOT_CA,
-		    "",
-		    "yY", "nN",
-		    UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
-			ret = VerifyFailed;
-			goto cleanup;
-		}
-
-		if (UI_process(ui) != 0) {
-			log_msg(LOG_MSG_ERR, MSG_MEM);
-			ret = VerifyFailed;
-			goto cleanup;
-		}
-
-		if (vfy_trust != 'y') {
-			ret = Reject;
-			goto cleanup;
-		}
-	}
-
-cleanup:
-	if (ui != NULL)
-		UI_free(ui);
-
-	if (err != NULL)
-		pkgerr_free(err);
-
-	return (ret);
-}
-/*
- *	Name:	is_ca_cert
- *	Desc:	Determines if a given certificate has the attributes
- *		of a CA certificate
- *	Returns: B_TRUE if certificate has attributes of a CA cert
- *		B_FALSE otherwise
- */
-static boolean_t
-is_ca_cert(X509 *x)
-{
-
-	/*
-	 * X509_check_purpose causes the extensions that we
-	 * care about to be decoded and stored in the X509
-	 * structure, so we must call it first
-	 * before checking for CA extensions in the X509
-	 * structure
-	 */
-	(void) X509_check_purpose(x, X509_PURPOSE_ANY, 0);
-
-	/* keyUsage if present should allow cert signing */
-	if ((x->ex_flags & EXFLAG_KUSAGE) &&
-	    !(x->ex_kusage & KU_KEY_CERT_SIGN)) {
-		return (B_FALSE);
-	}
-
-	/* If basicConstraints says not a CA then say so */
-	if (x->ex_flags & EXFLAG_BCONS) {
-		if (!(x->ex_flags & EXFLAG_CA)) {
-			return (B_FALSE);
-		}
-	}
-
-	/* no explicit not-a-CA flags set, so assume that it is */
-	return (B_TRUE);
-}
diff --git a/usr/src/cmd/svr4pkg/pkgadm/certs.c b/usr/src/cmd/svr4pkg/pkgadm/certs.c
deleted file mode 100644
index c7c8f045ae..0000000000
--- a/usr/src/cmd/svr4pkg/pkgadm/certs.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- */
-
-
-#include <stdio.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <pkglocs.h>
-#include <locale.h>
-#include <libintl.h>
-#include <signal.h>
-#include <sys/stat.h>
-#include <sys/statvfs.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <libintl.h>
-#include <dirent.h>
-#include <openssl/err.h>
-#include <openssl/pkcs7.h>
-#include <openssl/pkcs12.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-
-#include <pkglib.h>
-#include <p12lib.h>
-#include <install.h>
-#include <libadm.h>
-#include <libinst.h>
-#include "pkgadm.h"
-#include "pkgadm_msgs.h"
-
-
-/*
- * Function:	load_cert_and_key
- * Description:	Loads a public key certificate and associated private key
- *		from a stream.
- * Parameters:	err	- Where to write errors to for underlying library calls
- *		incert - File to read certs and keys from
- *		format - The format of the file
- *		passarg - How to collect password if needed to decrypt file
- *		key - Location to store resulting key if found
- *		cert - Location to store resulting cert if found.
- *
- * Returns:	f one or more certificates are found in the file,
- *		and one or more keys are found, then the first
- *		certificate is used, and the keys are searched for a
- *		match.  If no key matches the cert, then only the cert
- *		is returned.  If no certs are found, but one or more
- *		keys are found, then the first key is returned.
- */
-int
-load_cert_and_key(PKG_ERR *err, FILE *incert,
-    keystore_encoding_format_t format, char *passarg, EVP_PKEY **key,
-    X509 **cert)
-{
-	X509 *tmpcert = NULL;
-	EVP_PKEY *tmpkey = NULL;
-	STACK_OF(EVP_PKEY)	*keys = NULL;
-	STACK_OF(X509)		*certs = NULL;
-	int i, ret = 0;
-	keystore_passphrase_data	data;
-	unsigned long crypto_err;
-
-	if (key) *key = NULL;
-	if (cert) *cert = NULL;
-
-	switch (format) {
-	case KEYSTORE_FORMAT_DER:
-		/* first try to load a DER cert, which cannot contain a key */
-		if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_PARSE);
-			ret = 1;
-		}
-		break;
-	case KEYSTORE_FORMAT_PEM:
-	default:
-		data.err = err;
-		set_passphrase_passarg(passarg);
-		set_passphrase_prompt(gettext("Enter PEM passphrase:"));
-		if (sunw_PEM_contents(incert, pkg_passphrase_cb,
-		    &data, &keys, &certs) < 0) {
-			/* print out openssl-generated PEM errors */
-			while ((crypto_err = ERR_get_error()) != 0) {
-				log_msg(LOG_MSG_ERR,
-				    ERR_reason_error_string(crypto_err));
-			}
-			ret = 1;
-			goto cleanup;
-		}
-
-		/* take the first cert in the file, if any */
-		if (cert && (certs != NULL)) {
-			if (sk_X509_num(certs) != 1) {
-				log_msg(LOG_MSG_ERR, MSG_MULTIPLE_CERTS);
-				ret = 1;
-				goto cleanup;
-			} else {
-				tmpcert = sk_X509_value(certs, 0);
-			}
-		}
-
-		if (key && (keys != NULL)) {
-			if (tmpcert != NULL) {
-				/*
-				 * if we found a cert and some keys,
-				 * only return the key that
-				 * matches the cert
-				 */
-				for (i = 0; i < sk_EVP_PKEY_num(keys); i++) {
-					if (X509_check_private_key(tmpcert,
-					    sk_EVP_PKEY_value(keys, i))) {
-						tmpkey =
-						    sk_EVP_PKEY_value(keys, i);
-						break;
-					}
-				}
-			} else {
-				if (sk_EVP_PKEY_num(keys) > 0) {
-					tmpkey = sk_EVP_PKEY_value(keys, 0);
-				}
-			}
-		}
-		break;
-	}
-
-	/* set results */
-	if (key && tmpkey) {
-		*key = tmpkey;
-		tmpkey = NULL;
-	}
-
-	if (cert && tmpcert) {
-		*cert = tmpcert;
-		tmpcert = NULL;
-	}
-
-cleanup:
-	if (tmpcert != NULL) {
-		X509_free(tmpcert);
-	}
-	if (tmpkey != NULL) {
-		sunw_evp_pkey_free(tmpkey);
-	}
-	return (ret);
-}
-
-/*
- * Function:	load_all_certs
- * Description:	Loads alll certificates from a stream.
- * Parameters:	err	- Where to write errors to for underlying library calls
- *		incert - File to read certs and keys from
- *		format - The format of the file
- *		passarg - How to collect password if needed to decrypt file
- *		certs - Location to store resulting cert if found.
- *
- * Returns:	0 - success, all certs placed in ''certs'
- *		non-zero failure, errors in 'err'
- */
-int
-load_all_certs(PKG_ERR *err, FILE *incert,
-    keystore_encoding_format_t format, char *passarg, STACK_OF(X509) **certs)
-{
-	X509 *tmpcert = NULL;
-	STACK_OF(X509) *tmpcerts = NULL;
-	int ret = 0;
-	keystore_passphrase_data	data;
-	unsigned long crypto_err;
-	if (certs) *certs = NULL;
-
-	switch (format) {
-	case KEYSTORE_FORMAT_DER:
-		/* first try to load a DER cert, which cannot contain a key */
-		if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) {
-		    log_msg(LOG_MSG_ERR, MSG_PARSE);
-			ret = 1;
-			goto cleanup;
-		}
-
-		if ((tmpcerts = sk_X509_new_null()) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_MEM);
-			ret = 1;
-			goto cleanup;
-		}
-		sk_X509_push(tmpcerts, tmpcert);
-		break;
-	case KEYSTORE_FORMAT_PEM:
-	default:
-		data.err = err;
-		set_passphrase_prompt(MSG_PEM_PASSPROMPT);
-		set_passphrase_passarg(passarg);
-		if (sunw_PEM_contents(incert, pkg_passphrase_cb,
-		    &data, NULL, &tmpcerts) < 0) {
-			/* print out openssl-generated PEM errors */
-			while ((crypto_err = ERR_get_error()) != 0) {
-				log_msg(LOG_MSG_ERR,
-				    ERR_reason_error_string(crypto_err));
-			}
-		}
-		break;
-	}
-
-	/* set results */
-	if (certs && tmpcerts) {
-		*certs = tmpcerts;
-		tmpcerts = NULL;
-	}
-
-cleanup:
-	if (tmpcerts != NULL) {
-		sk_X509_free(tmpcerts);
-	}
-	return (ret);
-}
diff --git a/usr/src/cmd/svr4pkg/pkgadm/listcert.c b/usr/src/cmd/svr4pkg/pkgadm/listcert.c
deleted file mode 100644
index 731427271f..0000000000
--- a/usr/src/cmd/svr4pkg/pkgadm/listcert.c
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- */
-
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <signal.h>
-#include <locale.h>
-#include <sys/param.h>
-#include <openssl/bio.h>
-
-#include <libinst.h>
-#include <pkglib.h>
-#include <pkgerr.h>
-#include <keystore.h>
-#include "pkgadm.h"
-#include "pkgadm_msgs.h"
-
-/*
- * Name:	listcert
- * Desc:  Lists one or more certificates from the keystore
- * Syntax:	listcert [-a app] [-f format] [-k keystore] \
- *	[-n name] [-o outfile] [-P passarg] [-R altroot]
- */
-int
-listcert(int argc, char **argv)
-{
-	int				i;
-	char				keystore_file[MAXPATHLEN] = "";
-	char				*keystore_base = NULL;
-	char				*homedir;
-	char				*passarg = NULL;
-	char				*altroot = NULL;
-	char				*prog = NULL;
-	char				*format_str = NULL;
-	keystore_encoding_format_t	format;
-	char				*alias = NULL;
-	char				*outfile_str = NULL;
-	FILE				*outfile = NULL;
-	int				ret = 1;
-	PKG_ERR				*err = NULL;
-	keystore_handle_t		keystore = NULL;
-
-	while ((i = getopt(argc, argv, ":a:f:k:n:o:P:R:")) != EOF) {
-		switch (i) {
-		case 'a':
-			prog = optarg;
-			break;
-		case 'f':
-			format_str = optarg;
-			break;
-		case 'k':
-			keystore_base = optarg;
-			break;
-		case 'n':
-			alias = optarg;
-			break;
-		case 'o':
-			outfile_str = optarg;
-			break;
-		case 'P':
-			passarg = optarg;
-			break;
-		case 'R':
-			altroot = optarg;
-			break;
-		case ':':
-			log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt);
-			/* fallthrough intentional */
-		case '?':
-		default:
-			log_msg(LOG_MSG_ERR, MSG_USAGE);
-			goto cleanup;
-		}
-	}
-
-	/* should be no arguments left */
-	if ((argc-optind) > 0) {
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	}
-
-	/* figure out format */
-	if (format_str == NULL) {
-		format = KEYSTORE_FORMAT_TEXT;
-	} else {
-		if (ci_streq(format_str, "text")) {
-			format = KEYSTORE_FORMAT_TEXT;
-		} else if (ci_streq(format_str, "pem")) {
-			format = KEYSTORE_FORMAT_PEM;
-		} else if (ci_streq(format_str, "der")) {
-			format = KEYSTORE_FORMAT_DER;
-		} else {
-			log_msg(LOG_MSG_ERR, MSG_BAD_FORMAT, format_str);
-			goto cleanup;
-		}
-	}
-
-	/* open output file */
-	if (outfile_str == NULL) {
-		outfile = stdout;
-		outfile_str = "stdout";
-	} else {
-		if ((outfile = fopen(outfile_str, "w+")) == NULL) {
-			log_msg(LOG_MSG_ERR, MSG_OPEN_WRITE, outfile_str);
-			goto cleanup;
-		}
-	}
-
-	/* set up proper keystore */
-	if (altroot != NULL) {
-	    if (strlcpy(keystore_file, altroot, MAXPATHLEN) >= MAXPATHLEN) {
-		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
-		goto cleanup;
-	    }
-
-	    if (strlcat(keystore_file, "/", MAXPATHLEN) >= MAXPATHLEN) {
-		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
-		goto cleanup;
-	    }
-	}
-
-	if (keystore_base == NULL) {
-		if (geteuid() == 0 || altroot != NULL) {
-				/*
-				 * If we have an alternate
-				 * root, then we have no choice but to use
-				 * root's keystore on that alternate root,
-				 * since there is no way to resolve a
-				 * user's home dir given an alternate root
-				 */
-			if (strlcat(keystore_file, PKGSEC,
-			    MAXPATHLEN) >= MAXPATHLEN) {
-				log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-				    keystore_file);
-				goto cleanup;
-			}
-		} else {
-			if ((homedir = getenv("HOME")) == NULL) {
-				/*
-				 * not superuser, but no home dir, so
-				 * use superuser's keystore
-				 */
-				if (strlcat(keystore_file, PKGSEC,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			} else {
-				if (strlcat(keystore_file, homedir,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    homedir);
-					goto cleanup;
-				}
-				if (strlcat(keystore_file, "/.pkg/security",
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			}
-		}
-	} else {
-		if (strlcat(keystore_file, keystore_base,
-		    MAXPATHLEN) >= MAXPATHLEN) {
-		    log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-			keystore_base);
-		    goto cleanup;
-		}
-	}
-	err = pkgerr_new();
-
-	/* now load the key store */
-	log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file);
-
-	set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT);
-	set_passphrase_passarg(passarg);
-	if (open_keystore(err, keystore_file, prog,
-	    pkg_passphrase_cb, KEYSTORE_DFLT_FLAGS,
-	    &keystore) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str);
-		goto cleanup;
-	}
-
-	/* list the certs */
-	log_msg(LOG_MSG_DEBUG, "Listing certificates");
-	if (print_certs(err, keystore, alias, format, outfile) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-	    log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str);
-		goto cleanup;
-	}
-
-	/* now close it out */
-	log_msg(LOG_MSG_DEBUG, "Closing keystore");
-	set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT);
-	set_passphrase_passarg(passarg);
-	if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str);
-		goto cleanup;
-	}
-
-	/* everything worked */
-	ret = 0;
-
-	/* fallthrough intentional */
-cleanup:
-	if (outfile != NULL)
-		(void) fclose(outfile);
-
-	if (err != NULL)
-		pkgerr_free(err);
-
-	return (ret);
-}
diff --git a/usr/src/cmd/svr4pkg/pkgadm/lock.c b/usr/src/cmd/svr4pkg/pkgadm/lock.c
index 7963fd5d5b..7832cd3eae 100644
--- a/usr/src/cmd/svr4pkg/pkgadm/lock.c
+++ b/usr/src/cmd/svr4pkg/pkgadm/lock.c
@@ -20,6 +20,10 @@
  */
 
 /*
+ * Copyright (c) 2017 Peter Tribble.
+ */
+
+/*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -58,7 +62,6 @@
 #include <locale.h>
 #include <libgen.h>
 #include <sys/param.h>
-#include <openssl/bio.h>
 #include <errno.h>
 #include <assert.h>
 #include <time.h>
@@ -69,8 +72,6 @@
 
 #include <libinst.h>
 #include <pkglib.h>
-#include <pkgerr.h>
-#include <keystore.h>
 #include "pkgadm.h"
 #include "pkgadm_msgs.h"
 
diff --git a/usr/src/cmd/svr4pkg/pkgadm/main.c b/usr/src/cmd/svr4pkg/pkgadm/main.c
index 91eda6947d..cd07946284 100644
--- a/usr/src/cmd/svr4pkg/pkgadm/main.c
+++ b/usr/src/cmd/svr4pkg/pkgadm/main.c
@@ -20,6 +20,10 @@
  */
 
 /*
+ * Copyright (c) 2017 Peter Tribble.
+ */
+
+/*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -35,19 +39,12 @@
 #include <unistd.h>
 #include <locale.h>
 #include <sys/param.h>
-#include <openssl/bio.h>
 
 #include <pkglib.h>
-#include <pkgerr.h>
-#include <keystore.h>
 #include "pkgadm.h"
 #include "pkgadm_msgs.h"
 #include "libadm.h"
 
-/* initial error message buffer size */
-
-#define	ERR_BUFSIZE		2048
-
 /* Local Function Prototypes */
 
 static void			print_version();
@@ -68,15 +65,6 @@ struct cmd  cmds[] = {
 	{ NULL, NULL }
 };
 
-struct cmd cert_cmds[] = {
-	{ "addcert",		addcert},
-	{ "listcert",		listcert},
-	{ "removecert",		removecert},
-	/* last one must be all NULLs */
-	{ NULL, NULL }
-};
-
-
 /*
  * Function:	main
  *
@@ -137,20 +125,6 @@ main(int argc, char **argv)
 		}
 	}
 
-	/* initialize security library */
-	sec_init();
-
-	/* OK, hand it off to the subcommand processors */
-	for (cur_cmd = 0; cert_cmds[cur_cmd].c_name != NULL; cur_cmd++) {
-		if (ci_streq(argv[optind], cert_cmds[cur_cmd].c_name)) {
-			/* make subcommand the first option */
-			newargc = argc - optind;
-			newargv = argv + optind;
-			opterr = optind = 1; optopt = 0;
-			return (cert_cmds[cur_cmd].c_func(newargc, newargv));
-		}
-	}
-
 	/* bad subcommand */
 	log_msg(LOG_MSG_ERR, MSG_BAD_SUB, argv[optind]);
 	log_msg(LOG_MSG_INFO, MSG_USAGE);
@@ -184,23 +158,6 @@ get_verbose()
 }
 
 /*
- * Name:	log_pkgerr
- * Description:	Outputs pkgerr messages to logging facility.
- * Scope:	public
- * Arguments:	type - the severity of the message
- *		err - error stack to dump to facility
- * Returns:	none
- */
-void
-log_pkgerr(LogMsgType type, PKG_ERR *err)
-{
-	int i;
-	for (i = 0; i < pkgerr_num(err); i++) {
-		log_msg(type, "%s", pkgerr_get(err, i));
-	}
-}
-
-/*
  * Name:	print_Version
  * Desc:  Prints Version of packaging tools
  * Arguments: none
diff --git a/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h b/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h
index 8911389517..8c338e3eb0 100644
--- a/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h
+++ b/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h
@@ -20,6 +20,10 @@
  */
 
 /*
+ * Copyright (c) 2017 Peter Tribble.
+ */
+
+/*
  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -32,8 +36,6 @@
 extern "C" {
 #endif
 
-#include <pkgerr.h>
-#include <keystore.h>
 #include "pkglib.h"
 #include "libinst.h"
 
@@ -52,23 +54,10 @@ extern "C" {
 
 /* main.c */
 extern	void		log_msg(LogMsgType, const char *, ...);
-extern	void		log_pkgerr(LogMsgType, PKG_ERR *);
 extern	void		set_verbose(boolean_t);
 extern	boolean_t	get_verbose(void);
 /* lock.c */
 extern int		admin_lock(int, char **);
-/* listcert.c */
-extern int		listcert(int, char **);
-/* importcert.c */
-extern int		addcert(int, char **);
-/* removecert.c */
-extern int		removecert(int, char **);
-
-/* certs.c */
-extern int		load_cert_and_key(PKG_ERR *, FILE *,
-    keystore_encoding_format_t, char *, EVP_PKEY **, X509 **);
-extern int		load_all_certs(PKG_ERR *, FILE *,
-    keystore_encoding_format_t, char *, STACK_OF(X509) **);
 
 #define	PKGADM_DBSTATUS_TEXT	"text"
 
diff --git a/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h b/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h
index bc6b9aaf7e..fb9f494393 100644
--- a/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h
+++ b/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h
@@ -20,6 +20,10 @@
  */
 
 /*
+ * Copyright (c) 2017 Peter Tribble.
+ */
+
+/*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
@@ -48,24 +52,6 @@ extern "C" {
 #define	MSG_USAGE		gettext(\
 "usage:\n" \
 "\n" \
-"pkgadm addcert  [-ty] [-a app] [-k keystore] [-e keyfile]\n" \
-"\t[-f format] [-n name] [-P passarg] [-p input_passarg]\n" \
-"\t[-R rootpath] certfile\n" \
-"\n" \
-"\t- Adds a trusted CA certificate or user certificate\n" \
-"\tand private key\n" \
-"\n" \
-"pkgadm removecert [-a app] [-k keystore] -n name [-P passarg]\n" \
-"\t[-R rootpath]\n" \
-"\n" \
-"\t- Removes a trusted CA certificate or user certificate\n" \
-"\tand private key\n" \
-"\n" \
-"pkgadm listcert  [-a app] [-f format] [-k keystore] -n name\n" \
-"\t[-P passarg] [-o outfile] [-R rootpath]\n" \
-"\n" \
-"\t- Prints trusted CA certificates or user certificates\n" \
-"\n" \
 "pkgadm dbstatus [-R rootpath]\n" \
 "\n" \
 "\t- Returns 'text' - the text install database in use since Solaris 2.0\n" \
@@ -97,16 +83,6 @@ extern "C" {
 #define	MSG_T_RESULT_THREE	gettext(\
 	"required <%d> actual <%d> <%30s> ~- <%30s>\n")
 
-#define	MSG_KEYSTORE_PASSPROMPT	gettext(\
-	"Enter Keystore Password: ")
-
-#define	MSG_KEYSTORE_PASSOUTPROMPT	gettext(\
-	"Type a Keystore protection Password.\n" \
-	"Press ENTER for no protection password (not recommended): ")
-
-#define	MSG_PEM_PASSPROMPT	gettext(\
-	"Enter PEM Passphrase: ")
-
 #define	MSG_ERROR		gettext(\
 	"ERROR")
 
@@ -115,20 +91,11 @@ extern "C" {
 #define	CREATE_PKGDIR_WARN	gettext(\
 	"Creating directory <%s>\n")
 
-#define	MSG_WRN_UNKNOWN	gettext(\
-	"Signer <%s> has unsupported signature, ignoring")
-
 #define	MSG_VALID_STALE		gettext(\
 	"Removing stale lock on <%s> pid <%ld> zid <%ld>")
 
 /* errors */
 
-#define	MSG_FATAL			gettext(\
-	"Fatal Error")
-
-#define	MSG_TOO_LONG			gettext(\
-	"Length of <%s> exceeds maximum allowed length")
-
 #define	MSG_INTERNAL			gettext(\
 	"Intenal Error <%s>")
 
@@ -138,121 +105,9 @@ extern "C" {
 #define	MSG_OPEN_WRITE			gettext(\
 	"Cannot open <%s> for writing")
 
-#define	MSG_BAD_PASSARG			gettext(\
-	"Invalid password retrieval method <%s>")
-
-#define	MSG_BAD_PASS			gettext(\
-	"Invalid password")
-
 #define	ERR_LOG_FAIL			gettext(\
 	"Failed to log message using format <%s>")
 
-#define	MSG_BAD_FORMAT			gettext(\
-	"Invalid format: <%s>")
-
-#define	MSG_USER_NAME			gettext(\
-	"An alias is required when adding user certificates")
-
-#define	MSG_TRUSTED_NAME		gettext(\
-	"Trusted certificates cannot have an explicit alias")
-
-#define	MSG_MULTIPLE_TRUST		gettext(\
-	"Found multiple certificates in <%s>.  You must explicitly trust " \
-	"them using <%s>")
-
-#define	MSG_NO_MULTIPLE_TRUST		gettext(\
-	"Found multiple certificates in <%s>.  You must explicitly trust " \
-	"them using <%s>")
-
-#define	MSG_TRUSTED_KEY			gettext(\
-	"Cannot supply private key when adding trusted certificates")
-
-#define	MSG_TRUST_KEY_FOUND		gettext(\
-	"One or more private keys were found in trusted certificate file <%s>")
-
-#define	MSG_ADDCERT_ABORT		gettext(\
-	"Addition of trusted certificate aborted by user request")
-
-
-#define	MSG_NEED_KEY			gettext(\
-	"No private key found in <%s>, must specify one with -e")
-
-#define	MSG_NO_PRIVKEY		gettext(\
-	"No private key found in <%s>")
-
-#define	MSG_NO_CERTS		gettext(\
-	"No certificates found in <%s>")
-
-#define	MSG_MULTIPLE_CERTS	gettext(\
-	"Multiple certificates found in <%s>")
-
-#define	MSG_NO_ADDCERT	gettext(\
-	"Cannot add certificate(s) from <%s>.  No changes have been made.")
-
-#define	MSG_NO_ADDKEY	gettext(\
-	"Cannot add private key from <%s>.  No changes have been made.")
-
-#define	MSG_NO_REMOVECERT	gettext(\
-	"Cannot remove certificate with alias <%s>")
-
-#define	MSG_VERIFY_TRUST	gettext(\
-	"Are you sure you want to trust this certificate? ")
-
-#define	MSG_VERIFY_NOT_CA	gettext(\
-	"\n" \
-	"This certificate does not appear to be issued and signed\n" \
-	"by a certificate authority (CA). CA Certificates are normally\n" \
-	"self-signed and have CA Basic Constraints.\n" \
-	"Are you sure you want to trust this certificate? ")
-
-#define	MSG_PARSE	gettext(\
-	"Parsing error")
-
-#define	MSG_TRUSTED	gettext(\
-	"Certificate(s) from <%s> are now trusted")
-
-#define	MSG_TRUSTING	gettext(\
-	"Trusting certificate <%s>")
-
-#define	MSG_ADDED	gettext(\
-	"Successfully added Certificate <%s> with alias <%s>")
-
-#define	MSG_REMOVED	gettext(\
-	"Successfully removed Certificate(s) with alias <%s>")
-
-#define	MSG_MEM		gettext(\
-	"Out of memory")
-
-#define	MSG_PRINT		gettext(\
-	"Cannot print certificates to <%s>")
-
-#define	MSG_PROBLEM_CONVERT	gettext(\
-	"Does %s/var/sadm exist?  Can the user write to it? (%s)")
-
-#define	MSG_CONTENTS_FORMAT	gettext(\
-	"Operation failed due to corrupted install contents data file.")
-
-#define	MSG_MKDIR_FAILED	gettext(\
-	"Could not mkdir for path %s.  %s.")
-
-#define	MSG_RENAME_FAILED	gettext(\
-	"Could not rename %s to %s\n%s")
-
-#define	MSG_REMOVE_FAILED	gettext(\
-	"Could not remove %s\n%s")
-
-#define	MSG_FILE_ACCESS		gettext(\
-	"Operation failed: unable to access file %s: %s")
-
-#define	MSG_NOT_READABLE	gettext(\
-	"Operation failed: unable to read file %s")
-
-#define	MSG_BUILD_INDEXES gettext(\
-	"Operation failed: unable to build indexes\n")
-
-#define	MSG_FILE_NAME_TOO_LONG gettext(\
-	"Operation failed: file name too long: %s\n")
-
 #define	MSG_ZONES_MISSING_REQUEST	gettext(\
 	"Must specify operation to perform\n")
 
diff --git a/usr/src/cmd/svr4pkg/pkgadm/removecert.c b/usr/src/cmd/svr4pkg/pkgadm/removecert.c
deleted file mode 100644
index 3a176b6184..0000000000
--- a/usr/src/cmd/svr4pkg/pkgadm/removecert.c
+++ /dev/null
@@ -1,201 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License (the "License").
- * You may not use this file except in compliance with the License.
- *
- * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- * or http://www.opensolaris.org/os/licensing.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- * If applicable, add the following below this CDDL HEADER, with the
- * fields enclosed by brackets "[]" replaced with your own identifying
- * information: Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- */
-
-/*
- * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- */
-
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <signal.h>
-#include <locale.h>
-#include <sys/param.h>
-#include <openssl/bio.h>
-
-#include <libinst.h>
-#include <pkglib.h>
-#include <pkgerr.h>
-#include <keystore.h>
-#include "pkgadm.h"
-#include "pkgadm_msgs.h"
-
-/*
- * Name:	removecert
- * Desc:  Removes a user certificate and associated private key,
- *	or a trusted certificate, from the keystore.
- * Syntax:	addcert [-a app] [-k keystore] -n name [-P passarg] [-R altroot]
- */
-int
-removecert(int argc, char **argv)
-{
-	int i;
-	char	keystore_file[MAXPATHLEN] = "";
-	char	*keystore_base = NULL;
-	char	*homedir;
-	char	*passarg = NULL;
-	char	*altroot = NULL;
-	char	*prog = NULL;
-	char	*alias = NULL;
-	int	ret = 1;
-	PKG_ERR	*err = NULL;
-	keystore_handle_t	keystore = NULL;
-
-	while ((i = getopt(argc, argv, ":a:k:n:P:R:")) != EOF) {
-		switch (i) {
-		case 'a':
-			prog = optarg;
-			break;
-		case 'k':
-			keystore_base = optarg;
-			break;
-		case 'n':
-			alias = optarg;
-			break;
-		case 'P':
-			passarg = optarg;
-			break;
-		case 'R':
-			altroot = optarg;
-			break;
-		case ':':
-			log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt);
-			/* fallthrough intentional */
-		case '?':
-		default:
-			log_msg(LOG_MSG_ERR, MSG_USAGE);
-			goto cleanup;
-		}
-	}
-
-	/* we require a name */
-	if (alias == NULL) {
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	}
-
-	/* should be no arguments left */
-	if ((argc-optind) > 0) {
-		log_msg(LOG_MSG_ERR, MSG_USAGE);
-		goto cleanup;
-	}
-
-	/* set up proper keystore */
-	if (keystore_base == NULL) {
-		if (geteuid() == 0 || altroot != NULL) {
-				/*
-				 * If we have an alternate
-				 * root, then we have no choice but to use
-				 * root's keystore on that alternate root,
-				 * since there is no way to resolve a
-				 * user's home dir given an alternate root
-				 */
-			if (strlcat(keystore_file, PKGSEC,
-			    MAXPATHLEN) >= MAXPATHLEN) {
-				log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-				    keystore_file);
-				goto cleanup;
-			}
-		} else {
-			if ((homedir = getenv("HOME")) == NULL) {
-				/*
-				 * not superuser, but no home dir, so
-				 * use superuser's keystore
-				 */
-				if (strlcat(keystore_file, PKGSEC,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			} else {
-				if (strlcat(keystore_file, homedir,
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    homedir);
-					goto cleanup;
-				}
-				if (strlcat(keystore_file, "/.pkg/security",
-				    MAXPATHLEN) >= MAXPATHLEN) {
-					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-					    keystore_file);
-					goto cleanup;
-				}
-			}
-		}
-	} else {
-		if (strlcat(keystore_file, keystore_base,
-		    MAXPATHLEN) >= MAXPATHLEN) {
-		    log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
-			keystore_base);
-		    goto cleanup;
-		}
-	}
-
-	err = pkgerr_new();
-
-	/* now load the key store */
-	log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file);
-
-	set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT);
-	set_passphrase_passarg(passarg);
-
-	if (open_keystore(err, keystore_file, prog, pkg_passphrase_cb,
-	    KEYSTORE_ACCESS_READWRITE | KEYSTORE_PATH_HARD, &keystore) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		goto cleanup;
-	}
-
-	/* now remove the selected certs */
-	log_msg(LOG_MSG_DEBUG, "Removing certificate(s) with name <%s>",
-	    alias);
-	if (delete_cert_and_keys(err, keystore, alias) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_NO_REMOVECERT, alias);
-		goto cleanup;
-	}
-
-	/* now write it back out */
-	log_msg(LOG_MSG_DEBUG, "Closing keystore");
-	set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT);
-	set_passphrase_passarg(passarg);
-	if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) {
-		log_pkgerr(LOG_MSG_ERR, err);
-		log_msg(LOG_MSG_ERR, MSG_NO_REMOVECERT, alias);
-		goto cleanup;
-	}
-
-	log_msg(LOG_MSG_INFO, MSG_REMOVED, alias);
-
-	ret = 0;
-	/* fallthrough intentional */
-cleanup:
-
-	if (err != NULL)
-		pkgerr_free(err);
-
-	return (ret);
-}
author	Peter Tribble <peter.tribble@gmail.com>	2017-03-13 20:25:34 +0000
committer	Gordon Ross <gwr@nexenta.com>	2017-03-29 19:13:24 -0400
commit	32991bedc3a6475f1401855c2318ae5b15f8a16b (patch)
tree	3360e7844885746ed96019a9e3a42cd7e5e73409 /usr/src/cmd/svr4pkg/pkgadm
parent	4383d9578c9d399b19edc33e552a4c543ebf9468 (diff)
download	illumos-joyent-32991bedc3a6475f1401855c2318ae5b15f8a16b.tar.gz