Diffstat (limited to 'usr/src/cmd')
22 files changed, 3608 insertions, 1526 deletions
diff --git a/usr/src/cmd/cmd-crypto/decrypt/decrypt.c b/usr/src/cmd/cmd-crypto/decrypt/decrypt.c index 6119704da3..01282d9028 100644 --- a/usr/src/cmd/cmd-crypto/decrypt/decrypt.c +++ b/usr/src/cmd/cmd-crypto/decrypt/decrypt.c @@ -326,9 +326,9 @@ algorithm_list() mech_aliases[mech].keysize_max != 0) (void) printf(" %5lu %5lu\n", (mech_aliases[mech].keysize_min * - mech_aliases[mech].keysize_unit), + mech_aliases[mech].keysize_unit), (mech_aliases[mech].keysize_max * - mech_aliases[mech].keysize_unit)); + mech_aliases[mech].keysize_unit)); else (void) printf("\n"); @@ -395,7 +395,7 @@ generate_pkcs5_key(CK_SESSION_HANDLE hSession, mechanism.ulParameterLen = sizeof (params); rv = C_GenerateKey(hSession, &mechanism, tmpl, - attrs, hKey); + attrs, hKey); return (rv); } @@ -522,7 +522,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if (aflag) { /* Determine if algorithm is valid */ for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; - mech_match++) { + mech_match++) { if (strcmp(algo_str, mech_aliases[mech_match].alias) == 0) { mech_type = mech_aliases[mech_match].type; @@ -623,12 +623,12 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if (info.ulMinKeySize && (info.ulMinKeySize < mech_aliases[mek].keysize_min)) mech_aliases[mek].keysize_min = - info.ulMinKeySize; + info.ulMinKeySize; if (info.ulMaxKeySize && (info.ulMaxKeySize > mech_aliases[mek].keysize_max)) mech_aliases[mek].keysize_max = - info.ulMaxKeySize; + info.ulMaxKeySize; mech_aliases[mek].available = B_TRUE; } @@ -650,7 +650,8 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) */ i = 0; if (Kflag) { - kmfrv = KMF_PK11TokenLookup(NULL, token_label, &token_slot_id); + kmfrv = kmf_pk11_token_lookup(NULL, token_label, + &token_slot_id); if (kmfrv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("no matching PKCS#11 token")); 
@@ -701,7 +702,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) /* Open a session */ rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, - NULL_PTR, NULL, &hSession); + NULL_PTR, NULL, &hSession); if (rv != CKR_OK) { cryptoerror(LOG_STDERR, @@ -725,8 +726,8 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if ((get_random_data(pivbuf, mech_aliases[mech_match].ivlen)) != 0) { cryptoerror(LOG_STDERR, gettext( - "Unable to generate random " - "data for initialization vector.")); + "Unable to generate random " + "data for initialization vector.")); goto cleanup; } } @@ -737,7 +738,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) rv = pkcs11_mech2keytype(mech_type, &keytype); if (rv != CKR_OK) { cryptoerror(LOG_STDERR, - gettext("unable to find key type for algorithm.")); + gettext("unable to find key type for algorithm.")); goto cleanup; } @@ -745,14 +746,14 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if (iflag) { if ((infd = open(inputfile, O_RDONLY | O_NONBLOCK)) == -1) { cryptoerror(LOG_STDERR, gettext( - "can not open input file %s"), inputfile); + "can not open input file %s"), inputfile); goto cleanup; } /* Get info on input file */ if (fstat(infd, &insbuf) == -1) { cryptoerror(LOG_STDERR, gettext( - "can not stat input file %s"), inputfile); + "can not stat input file %s"), inputfile); goto cleanup; } } @@ -768,13 +769,13 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if (oflag) { outfilename = outputfile; if ((stat(outputfile, &outsbuf) != -1) && - (insbuf.st_ino == outsbuf.st_ino)) { + (insbuf.st_ino == outsbuf.st_ino)) { char *dir; /* create temp file on same dir */ dir = dirname(outputfile); (void) snprintf(tmpnam, sizeof (tmpnam), - "%s/encrXXXXXX", dir); + "%s/encrXXXXXX", dir); outfilename = tmpnam; if ((outfd = mkstemp(tmpnam)) == -1) { cryptoerror(LOG_STDERR, gettext( 
@@ -785,8 +786,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) } else { /* Create file for output */ if ((outfd = open(outfilename, - O_CREAT|O_WRONLY|O_TRUNC, - 0644)) == -1) { + O_CREAT|O_WRONLY|O_TRUNC, 0644)) == -1) { cryptoerror(LOG_STDERR, gettext( "cannot open output file %s"), outfilename); @@ -801,7 +801,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) */ if (cmd->type == CKA_DECRYPT) { if (read(infd, &version, sizeof (version)) != - sizeof (version)) { + sizeof (version)) { cryptoerror(LOG_STDERR, gettext( "failed to get format version from " "input file.")); @@ -827,11 +827,10 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) * Read iteration count and salt data. */ if (read(infd, &iterations, - sizeof (iterations)) != - sizeof (iterations)) { + sizeof (iterations)) != sizeof (iterations)) { cryptoerror(LOG_STDERR, gettext( - "failed to get iterations from " - "input file.")); + "failed to get iterations from " + "input file.")); goto cleanup; } /* convert to host byte order */ @@ -844,18 +843,18 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) goto cleanup; } if (read(infd, salt, sizeof (salt)) - != sizeof (salt)) { + != sizeof (salt)) { cryptoerror(LOG_STDERR, gettext( - "failed to get salt data from " - "input file.")); + "failed to get salt data from " + "input file.")); goto cleanup; } break; default: cryptoerror(LOG_STDERR, gettext( - "Unrecognized format version read from " - "input file - expected %d, got %d."), - SUNW_ENCRYPT_FILE_VERSION, version); + "Unrecognized format version read from " + "input file - expected %d, got %d."), + SUNW_ENCRYPT_FILE_VERSION, version); goto cleanup; break; } @@ -884,7 +883,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) if (rv != 0) { cryptoerror(LOG_STDERR, gettext("unable to generate random " - "data for key salt.")); + "data for key salt.")); goto cleanup; } } 
@@ -926,8 +925,7 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) template[nattr].ulValueLen = keysize; nattr++; - rv = C_CreateObject(hSession, template, - nattr, &key); + rv = C_CreateObject(hSession, template, nattr, &key); } else { /* * If the encryption type has a fixed key length, @@ -945,10 +943,9 @@ execute_cmd(struct CommandInfo *cmd, char *algo_str) * the passphrase entered by the user. */ rv = generate_pkcs5_key(hSession, - salt, sizeof (salt), - iterations, - pkeydata, keytype, keysize, - keylen, cmd->type, &key); + salt, sizeof (salt), iterations, + pkeydata, keytype, keysize, + keylen, cmd->type, &key); } if (rv != CKR_OK) { @@ -979,10 +976,10 @@ do_crypto: CK_ULONG netiter; if (write(outfd, &netversion, sizeof (netversion)) - != sizeof (netversion)) { + != sizeof (netversion)) { cryptoerror(LOG_STDERR, gettext( - "failed to write version number " - "to output file.")); + "failed to write version number " + "to output file.")); goto cleanup; } /* @@ -991,16 +988,15 @@ do_crypto: */ netiter = htonl(iterations); if (write(outfd, &netiter, - sizeof (netiter)) != sizeof (netiter)) { + sizeof (netiter)) != sizeof (netiter)) { cryptoerror(LOG_STDERR, gettext( "failed to write iterations to output")); goto cleanup; } - if (ivlen > 0 && - write(outfd, pivbuf, ivlen) != ivlen) { + if (ivlen > 0 && write(outfd, pivbuf, ivlen) != ivlen) { cryptoerror(LOG_STDERR, gettext( - "failed to write initialization vector " - "to output")); + "failed to write initialization vector " + "to output")); goto cleanup; } if (write(outfd, salt, sizeof (salt)) != sizeof (salt)) { @@ -1142,7 +1138,7 @@ crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession, /* Start with the initial buffer */ resultlen = resultbuflen; rv = cmd->Update(hSession, databuf, (CK_ULONG)nread, - resultbuf, &resultlen); + resultbuf, &resultlen); /* Need a bigger buffer? */ if (rv == CKR_BUFFER_TOO_SMALL) { 
@@ -1164,7 +1160,7 @@ crypt_multipart(struct CommandInfo *cmd, CK_SESSION_HANDLE hSession, /* Try again with bigger buffer */ rv = cmd->Update(hSession, databuf, (CK_ULONG)nread, - resultbuf, &resultlen); + resultbuf, &resultlen); } if (rv != CKR_OK) { @@ -1300,21 +1296,21 @@ cryptoreadfile(char *filename, CK_BYTE_PTR *pdata, CK_ULONG_PTR pdatalen) /* read the file into a buffer */ if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == -1) { cryptoerror(LOG_STDERR, gettext( - "cannot open %s"), filename); + "cannot open %s"), filename); return (-1); } if (fstat(fd, &statbuf) == -1) { cryptoerror(LOG_STDERR, gettext( - "cannot stat %s"), filename); + "cannot stat %s"), filename); (void) close(fd); return (-1); } if (!S_ISREG(statbuf.st_mode)) { cryptoerror(LOG_STDERR, gettext( - "%s not a regular file"), filename); + "%s not a regular file"), filename); (void) close(fd); return (-1); } diff --git a/usr/src/cmd/cmd-crypto/digest/digest.c b/usr/src/cmd/cmd-crypto/digest/digest.c index 4ef01b23fb..12d2d092ee 100644 --- a/usr/src/cmd/cmd-crypto/digest/digest.c +++ b/usr/src/cmd/cmd-crypto/digest/digest.c @@ -171,7 +171,7 @@ main(int argc, char **argv) mac_cmd = B_FALSE; else { cryptoerror(LOG_STDERR, gettext( - "command name must be either digest or mac\n")); + "command name must be either digest or mac\n")); exit(EXIT_USAGE); } @@ -256,7 +256,7 @@ algorithm_list(boolean_t mac_cmd) if (mac_cmd) (void) printf(gettext("Algorithm Keysize: Min " - "Max (bits)\n" + "Max (bits)\n" "------------------------------------------\n")); for (mech = 0; mech < MECH_ALIASES_COUNT; mech++) { @@ -271,9 +271,9 @@ algorithm_list(boolean_t mac_cmd) mech_aliases[mech].keysize_max != 0) (void) printf(" %5lu %5lu\n", (mech_aliases[mech].keysize_min * - mech_aliases[mech].keysize_unit), + mech_aliases[mech].keysize_unit), (mech_aliases[mech].keysize_max * - mech_aliases[mech].keysize_unit)); + mech_aliases[mech].keysize_unit)); else (void) printf("\n"); 
@@ -337,8 +337,7 @@ generate_pkcs5_key(CK_SESSION_HANDLE hSession, mechanism.pParameter = ¶ms; mechanism.ulParameterLen = sizeof (params); - rv = C_GenerateKey(hSession, &mechanism, tmpl, - attrs, hKey); + rv = C_GenerateKey(hSession, &mechanism, tmpl, attrs, hKey); return (rv); } @@ -461,7 +460,7 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) * Determine if algorithm/mechanism is valid */ for (mech_match = 0; mech_match < MECH_ALIASES_COUNT; - mech_match++) { + mech_match++) { if (strcmp(algo_str, mech_aliases[mech_match].alias) == 0) { mech_type = mech_aliases[mech_match].type; @@ -570,12 +569,12 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) if (info.ulMinKeySize && (info.ulMinKeySize < mech_aliases[mek].keysize_min)) mech_aliases[mek].keysize_min = - info.ulMinKeySize; + info.ulMinKeySize; if (info.ulMaxKeySize && (info.ulMaxKeySize > mech_aliases[mek].keysize_max)) mech_aliases[mek].keysize_max = - info.ulMaxKeySize; + info.ulMaxKeySize; mech_aliases[mek].available = B_TRUE; } @@ -595,7 +594,8 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) */ i = 0; if (Kflag) { - kmfrv = KMF_PK11TokenLookup(NULL, token_label, &token_slot_id); + kmfrv = kmf_pk11_token_lookup(NULL, token_label, + &token_slot_id); if (kmfrv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("no matching PKCS#11 token")); @@ -652,7 +652,7 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) /* Mechanism is supported. Go ahead & open a session */ rv = C_OpenSession(slotID, CKF_SERIAL_SESSION, - NULL_PTR, NULL, &hSession); + NULL_PTR, NULL, &hSession); if (rv != CKR_OK) { cryptoerror(LOG_STDERR, @@ -705,8 +705,7 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) template[nattr].ulValueLen = keylen; nattr++; - rv = C_CreateObject(hSession, template, - nattr, &key); + rv = C_CreateObject(hSession, template, nattr, &key); } else if (Kflag) { 
@@ -739,10 +738,8 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) */ (void) memset(salt, 0x0a, sizeof (salt)); rv = generate_pkcs5_key(hSession, - salt, sizeof (salt), - iterations, pkeydata, - keytype, keylen, keysize, - &key); + salt, sizeof (salt), iterations, pkeydata, + keytype, keylen, keysize, &key); } if (rv != CKR_OK) { @@ -783,8 +780,8 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) do { if (filecount > 0 && filelist != NULL) { filename = filelist[i]; - if ((fd = open(filename, O_RDONLY - | O_NONBLOCK)) == -1) { + if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == + -1) { cryptoerror(LOG_STDERR, gettext( "can not open input file %s\n"), filename); exitcode = EXIT_USAGE; @@ -799,16 +796,16 @@ execute_cmd(char *algo_str, int filecount, char **filelist, boolean_t mac_cmd) */ if (mac_cmd) { rv = do_mac(hSession, &mech, fd, key, &resultbuf, - &resultlen); + &resultlen); } else { rv = do_digest(hSession, &mech, fd, &resultbuf, - &resultlen); + &resultlen); } if (rv != CKR_OK) { cryptoerror(LOG_STDERR, gettext("crypto operation failed for " - "file %s: %s\n"), + "file %s: %s\n"), filename ? filename : "STDIN", pkcs11_strerror(rv)); exitcode = EXIT_FAILURE; @@ -937,7 +934,7 @@ do_digest(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech, /* There was a read error */ if (nread == -1) { cryptoerror(LOG_STDERR, gettext( - "error reading file: %s"), strerror(saved_errno)); + "error reading file: %s"), strerror(saved_errno)); return (CKR_GENERAL_ERROR); } else { return (rv); @@ -1003,7 +1000,7 @@ do_mac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pmech, /* There was a read error */ if (nread == -1) { cryptoerror(LOG_STDERR, gettext("error reading file: %s"), - strerror(saved_errno)); + strerror(saved_errno)); return (CKR_GENERAL_ERROR); } else { return (rv); 
@@ -1033,21 +1030,21 @@ getkey(char *filename, CK_BYTE_PTR *pkeydata) /* read the key file into a buffer */ if ((fd = open(filename, O_RDONLY | O_NONBLOCK)) == -1) { cryptoerror(LOG_STDERR, gettext( - "can't open %s\n"), filename); + "can't open %s\n"), filename); return (-1); } if (fstat(fd, &statbuf) == -1) { cryptoerror(LOG_STDERR, gettext( - "can't stat %s\n"), filename); + "can't stat %s\n"), filename); (void) close(fd); return (-1); } if (!S_ISREG(statbuf.st_mode)) { cryptoerror(LOG_STDERR, gettext( - "%s not a regular file\n"), filename); + "%s not a regular file\n"), filename); (void) close(fd); return (-1); } @@ -1066,7 +1063,7 @@ getkey(char *filename, CK_BYTE_PTR *pkeydata) if (read(fd, keybuf, keylen) != keylen) { cryptoerror(LOG_STDERR, gettext( - "can't read %s\n"), filename); + "can't read %s\n"), filename); (void) close(fd); return (-1); } diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/create.c b/usr/src/cmd/cmd-crypto/kmfcfg/create.c index ceacf5f5d5..3b10424d13 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/create.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/create.c @@ -18,7 +18,7 @@ * * CDDL HEADER END * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -50,30 +50,30 @@ kc_create(int argc, char *argv[]) (void) memset(&plc, 0, sizeof (KMF_POLICY_RECORD)); while ((opt = getopt_av(argc, argv, - "i:(dbfile)" - "p:(policy)" - "d:(ignore-date)" - "e:(ignore-unknown-eku)" - "a:(ignore-trust-anchor)" - "v:(validity-adjusttime)" - "t:(ta-name)" - "s:(ta-serial)" - "o:(ocsp-responder)" - "P:(ocsp-proxy)" - "r:(ocsp-use-cert-responder)" - "T:(ocsp-response-lifetime)" - "R:(ocsp-ignore-response-sign)" - "n:(ocsp-responder-cert-name)" - "A:(ocsp-responder-cert-serial)" - "c:(crl-basefilename)" - "I:(crl-directory)" - "g:(crl-get-crl-uri)" - "X:(crl-proxy)" - "S:(crl-ignore-crl-sign)" - "D:(crl-ignore-crl-date)" - "u:(keyusage)" - "E:(ekunames)" - "O:(ekuoids)")) != EOF) { + "i:(dbfile)" + "p:(policy)" + "d:(ignore-date)" + "e:(ignore-unknown-eku)" + "a:(ignore-trust-anchor)" + "v:(validity-adjusttime)" + "t:(ta-name)" + "s:(ta-serial)" + "o:(ocsp-responder)" + "P:(ocsp-proxy)" + "r:(ocsp-use-cert-responder)" + "T:(ocsp-response-lifetime)" + "R:(ocsp-ignore-response-sign)" + "n:(ocsp-responder-cert-name)" + "A:(ocsp-responder-cert-serial)" + "c:(crl-basefilename)" + "I:(crl-directory)" + "g:(crl-get-crl-uri)" + "X:(crl-proxy)" + "S:(crl-ignore-crl-sign)" + "D:(crl-ignore-crl-date)" + "u:(keyusage)" + "E:(ekunames)" + "O:(ekuoids)")) != EOF) { switch (opt) { case 'i': filename = get_string(optarg_av, &rv); @@ -142,14 +142,14 @@ kc_create(int argc, char *argv[]) } else { KMF_X509_NAME taDN; /* for syntax checking */ - if (KMF_DNParser(plc.ta_name, + if (kmf_dn_parser(plc.ta_name, &taDN) != KMF_OK) { (void) fprintf(stderr, gettext("Error name " "input.\n")); rv = KC_ERR_USAGE; } else { - KMF_FreeDN(&taDN); + kmf_free_dn(&taDN); } } break; @@ -162,7 +162,7 @@ kc_create(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - ret = KMF_HexString2Bytes( + ret = kmf_hexstr_to_bytes( (uchar_t *)plc.ta_serial, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { 
@@ -250,7 +250,7 @@ kc_create(int argc, char *argv[]) } else { KMF_X509_NAME respDN; /* for syntax checking */ - if (KMF_DNParser( + if (kmf_dn_parser( plc.VAL_OCSP_RESP_CERT_NAME, &respDN) != KMF_OK) { (void) fprintf(stderr, @@ -258,7 +258,7 @@ kc_create(int argc, char *argv[]) "input.\n")); rv = KC_ERR_USAGE; } else { - KMF_FreeDN(&respDN); + kmf_free_dn(&respDN); ocsp_set_attr++; } } @@ -273,7 +273,7 @@ kc_create(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - ret = KMF_HexString2Bytes((uchar_t *) + ret = kmf_hexstr_to_bytes((uchar_t *) plc.VAL_OCSP_RESP_CERT_SERIAL, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { @@ -343,7 +343,7 @@ kc_create(int argc, char *argv[]) break; case 'D': plc.VAL_CRL_IGNORE_DATE = - get_boolean(optarg_av); + get_boolean(optarg_av); if (plc.VAL_CRL_IGNORE_DATE == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); @@ -471,7 +471,7 @@ kc_create(int argc, char *argv[]) /* * Does a sanity check on the new policy. */ - ret = KMF_VerifyPolicy(&plc); + ret = kmf_verify_policy(&plc); if (ret != KMF_OK) { print_sanity_error(ret); rv = KC_ERR_ADD_POLICY; @@ -481,7 +481,7 @@ kc_create(int argc, char *argv[]) /* * Add to the DB. */ - ret = KMF_AddPolicyToDB(&plc, filename, B_FALSE); + ret = kmf_add_policy_to_db(&plc, filename, B_FALSE); if (ret != KMF_OK) { (void) fprintf(stderr, gettext("Error adding policy to database: 0x%04x\n"), ret); @@ -492,7 +492,7 @@ out: if (filename != NULL) free(filename); - KMF_FreePolicyRecord(&plc); + kmf_free_policy_record(&plc); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/delete.c b/usr/src/cmd/cmd-crypto/kmfcfg/delete.c index 7e0a1c7d45..318a0df475 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/delete.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/delete.c @@ -18,7 +18,7 @@ * * CDDL HEADER END * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -117,7 +117,7 @@ kc_delete(int argc, char *argv[]) goto out; } - kmfrv = KMF_DeletePolicyFromDB(policyname, filename); + kmfrv = kmf_delete_policy_from_db(policyname, filename); if (kmfrv != KMF_OK) rv = KC_ERR_DELETE_POLICY; diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/export.c b/usr/src/cmd/cmd-crypto/kmfcfg/export.c index c1ddab153c..92cf4336fb 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/export.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/export.c @@ -19,7 +19,7 @@ * CDDL HEADER END * * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -49,7 +49,7 @@ kc_export(int argc, char *argv[]) extern char *optarg_av; while ((opt = getopt_av(argc, argv, - "d:(dbfile)p:(policy)o:(outfile)")) != EOF) { + "d:(dbfile)p:(policy)o:(outfile)")) != EOF) { switch (opt) { case 'd': filename = get_string(optarg_av, &rv); @@ -133,13 +133,14 @@ kc_export(int argc, char *argv[]) KMF_RETURN ret; found++; - ret = KMF_VerifyPolicy(&pnode->plc); + ret = kmf_verify_policy(&pnode->plc); if (ret != KMF_OK) { print_sanity_error(ret); rv = KC_ERR_VERIFY_POLICY; break; } - rv = KMF_AddPolicyToDB(&pnode->plc, outfile, B_FALSE); + rv = kmf_add_policy_to_db(&pnode->plc, outfile, + B_FALSE); } pnode = pnode->next; } diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/import.c b/usr/src/cmd/cmd-crypto/kmfcfg/import.c index b55caac068..f47b50fd76 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/import.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/import.c @@ -19,7 +19,7 @@ * CDDL HEADER END * * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -50,7 +50,7 @@ kc_import(int argc, char *argv[]) extern char *optarg_av; while ((opt = getopt_av(argc, argv, - "d:(dbfile)p:(policy)i:(infile)")) != EOF) { + "d:(dbfile)p:(policy)i:(infile)")) != EOF) { switch (opt) { case 'd': filename = get_string(optarg_av, &rv); @@ -135,21 +135,22 @@ kc_import(int argc, char *argv[]) KMF_RETURN ret; found++; - ret = KMF_VerifyPolicy(&pnode->plc); + ret = kmf_verify_policy(&pnode->plc); if (ret != KMF_OK) { print_sanity_error(ret); rv = KC_ERR_VERIFY_POLICY; break; } - rv = KMF_AddPolicyToDB(&pnode->plc, filename, B_FALSE); + rv = kmf_add_policy_to_db(&pnode->plc, filename, + B_FALSE); } pnode = pnode->next; } if (!found) { (void) fprintf(stderr, - gettext("Could not find policy \"%s\" in %s\n"), - policyname, infile); + gettext("Could not find policy \"%s\" in %s\n"), + policyname, infile); rv = KC_ERR_FIND_POLICY; } diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/list.c b/usr/src/cmd/cmd-crypto/kmfcfg/list.c index e68e2b8643..b05400a2fd 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/list.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/list.c @@ -18,7 +18,7 @@ * * CDDL HEADER END * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -44,32 +44,32 @@ show_policy(KMF_POLICY_RECORD *plc) (void) printf("Name: %s\n", plc->name); (void) printf(gettext("Ignore Date: %s\n"), - plc->ignore_date ? gettext("true") : gettext("false")); + plc->ignore_date ? gettext("true") : gettext("false")); (void) printf(gettext("Ignore Unknown EKUs: %s\n"), - plc->ignore_unknown_ekus ? gettext("true") : gettext("false")); + plc->ignore_unknown_ekus ? gettext("true") : gettext("false")); (void) printf(gettext("Ignore TA: %s\n"), - plc->ignore_trust_anchor ? gettext("true") : gettext("false")); + plc->ignore_trust_anchor ? gettext("true") : gettext("false")); (void) printf(gettext("Validity Adjusted Time: %s\n"), - plc->validity_adjusttime ? - plc->validity_adjusttime : "<null>"); + plc->validity_adjusttime ? plc->validity_adjusttime : "<null>"); if (plc->ta_name == NULL && plc->ta_serial == NULL) { (void) printf(gettext("Trust Anchor Certificate: <null>\n")); } else { (void) printf(gettext("Trust Anchor Certificate:\n")); (void) printf(gettext("\tName: %s\n"), - plc->ta_name ? plc->ta_name : "<null>"); + plc->ta_name ? plc->ta_name : "<null>"); (void) printf(gettext("\tSerial Number: %s\n"), - plc->ta_serial ? plc->ta_serial : "<null>"); + plc->ta_serial ? plc->ta_serial : "<null>"); } if (plc->ku_bits != 0) { (void) printf(gettext("Key Usage Bits: ")); for (i = KULOWBIT; i <= KUHIGHBIT; i++) { - char *s = ku2str((plc->ku_bits & (1<<i))); + char *s = kmf_ku_to_string( + (plc->ku_bits & (1<<i))); if (s != NULL) { (void) printf("%s ", s); } 
@@ -82,10 +82,11 @@ show_policy(KMF_POLICY_RECORD *plc) if (plc->eku_set.eku_count > 0) { (void) printf(gettext("Extended Key Usage Values:\n")); for (i = 0; i < plc->eku_set.eku_count; i++) { - char *s = KMF_OID2EKUString(&plc->eku_set.ekulist[i]); + char *s = kmf_oid_to_eku_string( + &plc->eku_set.ekulist[i]); (void) printf("\t%s\t(%s)\n", - KMF_OID2String(&plc->eku_set.ekulist[i]), - s ? s : "unknown"); + kmf_oid_to_string(&plc->eku_set.ekulist[i]), + s ? s : "unknown"); } } else { (void) printf(gettext("Extended Key Usage Values: <null>\n")); @@ -142,20 +143,20 @@ show_policy(KMF_POLICY_RECORD *plc) plc->validation_info.crl_info.directory : "<null>"); (void) printf(gettext("\tDownload and cache CRL: %s\n"), - plc->validation_info.crl_info.get_crl_uri ? - gettext("true") : gettext("false")); + plc->validation_info.crl_info.get_crl_uri ? + gettext("true") : gettext("false")); (void) printf(gettext("\tProxy: %s\n"), plc->validation_info.crl_info.proxy ? plc->validation_info.crl_info.proxy : "<null>"); (void) printf(gettext("\tIgnore CRL signature: %s\n"), - plc->validation_info.crl_info.ignore_crl_sign ? - gettext("true") : gettext("false")); + plc->validation_info.crl_info.ignore_crl_sign ? + gettext("true") : gettext("false")); (void) printf(gettext("\tIgnore CRL validity date: %s\n"), - plc->validation_info.crl_info.ignore_crl_date ? - gettext("true") : gettext("false")); + plc->validation_info.crl_info.ignore_crl_date ? + gettext("true") : gettext("false")); } (void) printf("\n"); @@ -234,11 +235,11 @@ kc_list(int argc, char *argv[]) pnode = plclist; while (pnode != NULL) { if (policyname == NULL || - strcmp(policyname, pnode->plc.name) == 0) { + strcmp(policyname, pnode->plc.name) == 0) { KMF_POLICY_RECORD *plc = &pnode->plc; found++; - rv = KMF_VerifyPolicy(plc); + rv = kmf_verify_policy(plc); if (rv != KMF_OK) { (void) fprintf(stderr, gettext( "Policy Name: '%s' is invalid\n"), 
diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/modify.c b/usr/src/cmd/cmd-crypto/kmfcfg/modify.c index 413bda3be7..de9f7539ee 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/modify.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/modify.c @@ -18,7 +18,7 @@ * * CDDL HEADER END * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -82,34 +82,34 @@ kc_modify(int argc, char *argv[]) (void) memset(&oplc, 0, sizeof (KMF_POLICY_RECORD)); while ((opt = getopt_av(argc, argv, - "i:(dbfile)" - "p:(policy)" - "d:(ignore-date)" - "e:(ignore-unknown-eku)" - "a:(ignore-trust-anchor)" - "v:(validity-adjusttime)" - "t:(ta-name)" - "s:(ta-serial)" - "o:(ocsp-responder)" - "P:(ocsp-proxy)" - "r:(ocsp-use-cert-responder)" - "T:(ocsp-response-lifetime)" - "R:(ocsp-ignore-response-sign)" - "n:(ocsp-responder-cert-name)" - "A:(ocsp-responder-cert-serial)" - "y:(ocsp-none)" - "c:(crl-basefilename)" - "I:(crl-directory)" - "g:(crl-get-crl-uri)" - "X:(crl-proxy)" - "S:(crl-ignore-crl-sign)" - "D:(crl-ignore-crl-date)" - "z:(crl-none)" - "u:(keyusage)" - "Y:(keyusage-none)" - "E:(ekunames)" - "O:(ekuoids)" - "Z:(eku-none)")) != EOF) { + "i:(dbfile)" + "p:(policy)" + "d:(ignore-date)" + "e:(ignore-unknown-eku)" + "a:(ignore-trust-anchor)" + "v:(validity-adjusttime)" + "t:(ta-name)" + "s:(ta-serial)" + "o:(ocsp-responder)" + "P:(ocsp-proxy)" + "r:(ocsp-use-cert-responder)" + "T:(ocsp-response-lifetime)" + "R:(ocsp-ignore-response-sign)" + "n:(ocsp-responder-cert-name)" + "A:(ocsp-responder-cert-serial)" + "y:(ocsp-none)" + "c:(crl-basefilename)" + "I:(crl-directory)" + "g:(crl-get-crl-uri)" + "X:(crl-proxy)" + "S:(crl-ignore-crl-sign)" + "D:(crl-ignore-crl-date)" + "z:(crl-none)" + "u:(keyusage)" + "Y:(keyusage-none)" + "E:(ekunames)" + "O:(ekuoids)" + "Z:(eku-none)")) != EOF) { switch (opt) { case 'i': filename = get_string(optarg_av, &rv); 
@@ -186,14 +186,14 @@ kc_modify(int argc, char *argv[]) } else { KMF_X509_NAME taDN; /* for syntax checking */ - if (KMF_DNParser(plc.ta_name, + if (kmf_dn_parser(plc.ta_name, &taDN) != KMF_OK) { (void) fprintf(stderr, gettext("Error name " "input.\n")); rv = KC_ERR_USAGE; } else { - KMF_FreeDN(&taDN); + kmf_free_dn(&taDN); flags |= KC_TA_NAME; } } @@ -207,7 +207,7 @@ kc_modify(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - ret = KMF_HexString2Bytes( + ret = kmf_hexstr_to_bytes( (uchar_t *)plc.ta_serial, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { @@ -227,7 +227,7 @@ kc_modify(int argc, char *argv[]) break; case 'o': plc.VAL_OCSP_RESPONDER_URI = - get_string(optarg_av, &rv); + get_string(optarg_av, &rv); if (plc.VAL_OCSP_RESPONDER_URI == NULL) { (void) fprintf(stderr, gettext("Error responder " @@ -302,7 +302,7 @@ kc_modify(int argc, char *argv[]) } else { KMF_X509_NAME respDN; /* for syntax checking */ - if (KMF_DNParser( + if (kmf_dn_parser( plc.VAL_OCSP_RESP_CERT_NAME, &respDN) != KMF_OK) { (void) fprintf(stderr, @@ -310,7 +310,7 @@ kc_modify(int argc, char *argv[]) "input.\n")); rv = KC_ERR_USAGE; } else { - KMF_FreeDN(&respDN); + kmf_free_dn(&respDN); flags |= KC_OCSP_RESP_CERT_NAME; ocsp_set_attr++; } @@ -326,7 +326,7 @@ kc_modify(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - ret = KMF_HexString2Bytes((uchar_t *) + ret = kmf_hexstr_to_bytes((uchar_t *) plc.VAL_OCSP_RESP_CERT_SERIAL, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { @@ -412,7 +412,7 @@ kc_modify(int argc, char *argv[]) break; case 'D': plc.VAL_CRL_IGNORE_DATE = - get_boolean(optarg_av); + get_boolean(optarg_av); if (plc.VAL_CRL_IGNORE_DATE == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); 
@@ -536,7 +536,7 @@ kc_modify(int argc, char *argv[]) } /* Try to load the named policy from the DB */ - ret = KMF_GetPolicy(filename, plc.name, &oplc); + ret = kmf_get_policy(filename, plc.name, &oplc); if (ret != KMF_OK) { (void) fprintf(stderr, gettext("Error loading policy \"%s\" from %s\n"), filename, @@ -558,7 +558,7 @@ kc_modify(int argc, char *argv[]) if (oplc.validity_adjusttime) free(oplc.validity_adjusttime); oplc.validity_adjusttime = - plc.validity_adjusttime; + plc.validity_adjusttime; } if (flags & KC_TA_NAME) { @@ -629,7 +629,7 @@ kc_modify(int argc, char *argv[]) if (oplc.VAL_OCSP_RESPONDER_URI) free(oplc.VAL_OCSP_RESPONDER_URI); oplc.VAL_OCSP_RESPONDER_URI = - plc.VAL_OCSP_RESPONDER_URI; + plc.VAL_OCSP_RESPONDER_URI; } if (flags & KC_OCSP_PROXY) { @@ -640,31 +640,31 @@ kc_modify(int argc, char *argv[]) if (flags & KC_OCSP_URI_FROM_CERT) oplc.VAL_OCSP_URI_FROM_CERT = - plc.VAL_OCSP_URI_FROM_CERT; + plc.VAL_OCSP_URI_FROM_CERT; if (flags & KC_OCSP_RESP_LIFETIME) { if (oplc.VAL_OCSP_RESP_LIFETIME) free(oplc.VAL_OCSP_RESP_LIFETIME); oplc.VAL_OCSP_RESP_LIFETIME = - plc.VAL_OCSP_RESP_LIFETIME; + plc.VAL_OCSP_RESP_LIFETIME; } if (flags & KC_OCSP_IGNORE_RESP_SIGN) oplc.VAL_OCSP_IGNORE_RESP_SIGN = - plc.VAL_OCSP_IGNORE_RESP_SIGN; + plc.VAL_OCSP_IGNORE_RESP_SIGN; if (flags & KC_OCSP_RESP_CERT_NAME) { if (oplc.VAL_OCSP_RESP_CERT_NAME) free(oplc.VAL_OCSP_RESP_CERT_NAME); oplc.VAL_OCSP_RESP_CERT_NAME = - plc.VAL_OCSP_RESP_CERT_NAME; + plc.VAL_OCSP_RESP_CERT_NAME; } if (flags & KC_OCSP_RESP_CERT_SERIAL) { if (oplc.VAL_OCSP_RESP_CERT_SERIAL) free(oplc.VAL_OCSP_RESP_CERT_SERIAL); oplc.VAL_OCSP_RESP_CERT_SERIAL = - plc.VAL_OCSP_RESP_CERT_SERIAL; + plc.VAL_OCSP_RESP_CERT_SERIAL; } if (oplc.VAL_OCSP_RESP_CERT_NAME != NULL && 
@@ -792,7 +792,7 @@ kc_modify(int argc, char *argv[]) /* Release current EKU list (if any) */ if (oplc.eku_set.eku_count > 0) { - KMF_FreeEKUPolicy(&oplc.eku_set); + kmf_free_eku_policy(&oplc.eku_set); oplc.eku_set.eku_count = 0; oplc.eku_set.ekulist = NULL; } @@ -804,13 +804,13 @@ kc_modify(int argc, char *argv[]) */ if (flags & KC_EKUS) { /* Release current EKU list (if any) */ - KMF_FreeEKUPolicy(&oplc.eku_set); + kmf_free_eku_policy(&oplc.eku_set); oplc.eku_set = plc.eku_set; } } /* Do a sanity check on the modified policy */ - ret = KMF_VerifyPolicy(&oplc); + ret = kmf_verify_policy(&oplc); if (ret != KMF_OK) { print_sanity_error(ret); rv = KC_ERR_VERIFY_POLICY; @@ -818,7 +818,7 @@ kc_modify(int argc, char *argv[]) } /* The modify operation is a delete followed by an add */ - ret = KMF_DeletePolicyFromDB(oplc.name, filename); + ret = kmf_delete_policy_from_db(oplc.name, filename); if (ret != KMF_OK) { rv = KC_ERR_DELETE_POLICY; goto out; @@ -827,7 +827,7 @@ kc_modify(int argc, char *argv[]) /* * Now add the modified policy back to the DB. */ - ret = KMF_AddPolicyToDB(&oplc, filename, B_FALSE); + ret = kmf_add_policy_to_db(&oplc, filename, B_FALSE); if (ret != KMF_OK) { (void) fprintf(stderr, gettext("Error adding policy to database: 0x%04x\n"), ret); @@ -839,7 +839,7 @@ out: if (filename != NULL) free(filename); - KMF_FreePolicyRecord(&oplc); + kmf_free_policy_record(&oplc); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/util.c b/usr/src/cmd/cmd-crypto/kmfcfg/util.c index f3bdc633f2..3fce0c839d 100644 --- a/usr/src/cmd/cmd-crypto/kmfcfg/util.c +++ b/usr/src/cmd/cmd-crypto/kmfcfg/util.c @@ -18,7 +18,7 @@ * * CDDL HEADER END * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -61,7 +61,7 @@ free_policy_list(POLICY_LIST *plist) while (n != NULL) { old = n; - KMF_FreePolicyRecord(&n->plc); + kmf_free_policy_record(&n->plc); n = n->next; free(old); } @@ -104,10 +104,10 @@ load_policies(char *file, POLICY_LIST **policy_list) * Search for the policy that matches the given name. */ if (!xmlStrcmp((const xmlChar *)node->name, - (const xmlChar *)KMF_POLICY_ELEMENT)) { + (const xmlChar *)KMF_POLICY_ELEMENT)) { /* Check the name attribute */ c = (char *)xmlGetProp(node, - (const xmlChar *)KMF_POLICY_NAME_ATTR); + (const xmlChar *)KMF_POLICY_NAME_ATTR); /* If a match, parse the rest of the data */ if (c != NULL) { @@ -115,9 +115,9 @@ load_policies(char *file, POLICY_LIST **policy_list) newitem = malloc(sizeof (POLICY_LIST)); if (newitem != NULL) { (void) memset(newitem, 0, - sizeof (POLICY_LIST)); + sizeof (POLICY_LIST)); kmfrv = parsePolicyElement(node, - &newitem->plc); + &newitem->plc); } else { kmfrv = KMF_ERR_MEMORY; goto end; @@ -167,7 +167,7 @@ parseKUlist(char *kustring) p = strtok(kustring, ","); while (p != NULL) { - cur_bit = KMF_StringToKeyUsage(p); + cur_bit = kmf_string_to_ku(p); if (cur_bit == 0) { kubits = 0; break; @@ -185,8 +185,7 @@ addToEKUList(KMF_EKU_POLICY *ekus, KMF_OID *newoid) if (newoid != NULL && ekus != NULL) { ekus->eku_count++; ekus->ekulist = realloc( - ekus->ekulist, - ekus->eku_count * sizeof (KMF_OID)); + ekus->ekulist, ekus->eku_count * sizeof (KMF_OID)); if (ekus->ekulist != NULL) { ekus->ekulist[ekus->eku_count-1] = *newoid; } @@ -211,7 +210,7 @@ parseEKUNames(char *ekulist, KMF_POLICY_RECORD *plc) /* If no tokens found, then maybe its just a single EKU value */ if (p == NULL) { - newoid = kmf_ekuname2oid(ekulist); + newoid = kmf_ekuname_to_oid(ekulist); if (newoid != NULL) { addToEKUList(ekus, newoid); free(newoid); 
@@ -221,7 +220,7 @@ parseEKUNames(char *ekulist, KMF_POLICY_RECORD *plc) } while (p != NULL) { - newoid = kmf_ekuname2oid(p); + newoid = kmf_ekuname_to_oid(p); if (newoid != NULL) { addToEKUList(ekus, newoid); free(newoid); @@ -233,7 +232,7 @@ parseEKUNames(char *ekulist, KMF_POLICY_RECORD *plc) } if (rv != KC_OK) - KMF_FreeEKUPolicy(ekus); + kmf_free_eku_policy(ekus); return (rv); } @@ -243,7 +242,7 @@ parseEKUOIDs(char *ekulist, KMF_POLICY_RECORD *plc) { int rv = KC_OK; char *p; - KMF_OID *newoid; + KMF_OID newoid = {NULL, 0}; KMF_EKU_POLICY *ekus = &plc->eku_set; if (ekulist == NULL || !strlen(ekulist)) @@ -254,20 +253,16 @@ parseEKUOIDs(char *ekulist, KMF_POLICY_RECORD *plc) */ p = strtok(ekulist, ","); if (p == NULL) { - newoid = kmf_string2oid(ekulist); - if (newoid != NULL) { - addToEKUList(ekus, newoid); - free(newoid); + if (kmf_string_to_oid(ekulist, &newoid) == KMF_OK) { + addToEKUList(ekus, &newoid); } else { rv = KC_ERR_USAGE; } } while (p != NULL && rv == 0) { - newoid = kmf_string2oid(p); - if (newoid != NULL) { - addToEKUList(ekus, newoid); - free(newoid); + if (kmf_string_to_oid(p, &newoid) == KMF_OK) { + addToEKUList(ekus, &newoid); } else { rv = KC_ERR_USAGE; break; @@ -276,7 +271,7 @@ parseEKUOIDs(char *ekulist, KMF_POLICY_RECORD *plc) } if (rv != KC_OK) - KMF_FreeEKUPolicy(ekus); + kmf_free_eku_policy(ekus); return (rv); } @@ -438,7 +433,7 @@ getopt_av(int argc, char * const *argv, const char *optstring) /* First time or when optstring changes from previous one */ if (_save_optstr != optstring) { if (opts_av != NULL) - free(opts_av); + free(opts_av); opts_av = NULL; _save_optstr = optstring; _save_numopts = populate_opts((char *)optstring); diff --git a/usr/src/cmd/cmd-crypto/pktool/common.c b/usr/src/cmd/cmd-crypto/pktool/common.c index e4f6feb404..b80e320606 100644 --- a/usr/src/cmd/cmd-crypto/pktool/common.c +++ b/usr/src/cmd/cmd-crypto/pktool/common.c 
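Review bot: In the rewritten parseEKUOIDs, `newoid` is now a stack KMF_OID that addToEKUList shallow-copies into `ekus->ekulist`, so whatever kmf_string_to_oid allocates behind `newoid.Data` is from then on owned by the policy's EKU list and released by kmf_free_eku_policy — that ownership transfer is stated nowhere and is exactly what a later maintainer will get wrong with a "missing" free. A comment on the declaration such as `/* newoid.Data is handed to the EKU list by addToEKUList; never free it here */` would pin it down. The struct is also reused on every loop iteration without being reset, which is safe only if kmf_string_to_oid fully overwrites it on success — presumably it does, but worth confirming. Note that addToEKUList (earlier hunk in this file) returns nothing and bumps `eku_count` before its realloc, so an allocation failure there is absorbed here with `rv` still KC_OK.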
@@ -253,7 +253,7 @@ yesno(char *prompt, char *invalid, boolean_t dflt) /* Indicate invalid input, and try again. */ if (invalid != NULL) - (void) printf("%s", invalid); + (void) printf("%s", invalid); } return (dflt); } @@ -401,7 +401,7 @@ getopt_av(int argc, char * const *argv, const char *optstring) /* First time or when optstring changes from previous one */ if (_save_optstr != optstring) { if (opts_av != NULL) - free(opts_av); + free(opts_av); opts_av = NULL; _save_optstr = optstring; _save_numopts = populate_opts((char *)optstring); @@ -521,10 +521,10 @@ Str2Lifetime(char *ltimestr, uint32_t *ltime) !strcasecmp(timetok, "days")) { *ltime = num * SECSPERDAY; } else if (!strcasecmp(timetok, "hour") || - !strcasecmp(timetok, "hours")) { + !strcasecmp(timetok, "hours")) { *ltime = num * SECSPERHOUR; } else if (!strcasecmp(timetok, "year") || - !strcasecmp(timetok, "years")) { + !strcasecmp(timetok, "years")) { *ltime = num * SECSPERDAY * DAYSPERNYEAR; } else { *ltime = 0; @@ -560,8 +560,7 @@ OT2Int(char *objclass) if (!strcasecmp(objclass, "public")) { if (retval) return (-1); - return (retval | PK_PUBLIC_OBJ | PK_CERT_OBJ | - PK_PUBKEY_OBJ); + return (retval | PK_PUBLIC_OBJ | PK_CERT_OBJ | PK_PUBKEY_OBJ); } else if (!strcasecmp(objclass, "private")) { if (retval) return (-1); @@ -604,6 +603,8 @@ Str2Format(char *formstr) return (KMF_FORMAT_PEM); if (!strcasecmp(formstr, "pkcs12")) return (KMF_FORMAT_PKCS12); + if (!strcasecmp(formstr, "raw")) + return (KMF_FORMAT_RAWKEY); return (KMF_FORMAT_UNDEF); } 
@@ -613,18 +614,32 @@ KMF_RETURN select_token(void *kmfhandle, char *token, int readonly) { + KMF_ATTRIBUTE attlist[10]; + int i = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; KMF_RETURN rv = KMF_OK; - KMF_CONFIG_PARAMS config; if (token == NULL) return (KMF_ERR_BAD_PARAMETER); - (void) memset(&config, 0, sizeof (config)); - config.kstype = KMF_KEYSTORE_PK11TOKEN; - config.pkcs11config.label = token; - config.pkcs11config.readonly = readonly; + kmf_set_attr_at_index(attlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + i++; - rv = KMF_ConfigureKeystore(kmfhandle, &config); + if (token) { + kmf_set_attr_at_index(attlist, i, + KMF_TOKEN_LABEL_ATTR, token, + strlen(token)); + i++; + } + + kmf_set_attr_at_index(attlist, i, + KMF_READONLY_ATTR, &readonly, + sizeof (readonly)); + i++; + + rv = kmf_configure_keystore(kmfhandle, i, attlist); if (rv == KMF_ERR_TOKEN_SELECTED) rv = KMF_OK; return (rv); 
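Review bot: In select_token the `if (token)` guard around the KMF_TOKEN_LABEL_ATTR entry is dead code: the function already returned KMF_ERR_BAD_PARAMETER when `token == NULL` a few lines above, so the label attribute is always added and the conditional can be flattened to the two calls plus `i++`. Every kmf_set_attr_at_index return value is discarded; if that call can report a bad index or size it should be checked, since `attlist[10]` is filled through an unbounded `i` (only three entries are written here, so this is a style point today). A short header comment noting that the label is passed without its NUL terminator (`strlen(token)`) and that KMF_ERR_TOKEN_SELECTED is mapped to KMF_OK would help the next reader.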
@@ -634,17 +649,37 @@ select_token(void *kmfhandle, char *token, KMF_RETURN configure_nss(void *kmfhandle, char *dir, char *prefix) { + + KMF_ATTRIBUTE attlist[10]; + int i = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; KMF_RETURN rv = KMF_OK; - KMF_CONFIG_PARAMS config; - (void) memset(&config, 0, sizeof (config)); - config.kstype = KMF_KEYSTORE_NSS; - config.nssconfig.configdir = dir; - config.nssconfig.certPrefix = prefix; - config.nssconfig.keyPrefix = prefix; - config.nssconfig.secModName = NULL; + kmf_set_attr_at_index(attlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + i++; + + if (dir) { + kmf_set_attr_at_index(attlist, i, + KMF_DIRPATH_ATTR, dir, + strlen(dir)); + i++; + } + + if (prefix) { + kmf_set_attr_at_index(attlist, i, + KMF_CERTPREFIX_ATTR, prefix, + strlen(prefix)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYPREFIX_ATTR, prefix, + strlen(prefix)); + i++; + } - rv = KMF_ConfigureKeystore(kmfhandle, &config); + rv = kmf_configure_keystore(kmfhandle, i, attlist); if (rv == KMF_KEYSTORE_ALREADY_INITIALIZED) rv = KMF_OK; @@ -662,12 +697,11 @@ get_pk12_password(KMF_CREDENTIAL *cred) * Get the password to use for the PK12 encryption. */ (void) strlcpy(prompt, - gettext("Enter password to use for " - "accessing the PKCS12 file: "), - sizeof (prompt)); + gettext("Enter password to use for " + "accessing the PKCS12 file: "), sizeof (prompt)); if (get_pin(prompt, NULL, (uchar_t **)&cred->cred, - (ulong_t *)&cred->credlen) != CKR_OK) { + (ulong_t *)&cred->credlen) != CKR_OK) { cred->cred = NULL; cred->credlen = 0; } @@ -862,7 +896,7 @@ verify_keyusage(char *kustr, uint16_t *kubits, int *critical) k = strtok(kustr, ","); while (k != NULL) { - kuval = KMF_StringToKeyUsage(k); + kuval = kmf_string_to_ku(k); if (kuval == 0) { *kubits = 0; return (KMF_ERR_BAD_PARAMETER); 
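Review bot: configure_nss now opens with an empty line directly after the `{`, which nothing else in this file does; drop it. When `prefix` is NULL neither KMF_CERTPREFIX_ATTR nor KMF_KEYPREFIX_ATTR is set, whereas the removed code passed explicit NULL prefixes and a NULL secModName — presumably an absent attribute means the same thing to kmf_configure_keystore, but that is worth confirming and recording in a one-line comment above the `if (prefix)` block, e.g. `/* no prefix given: leave both prefix attributes unset */`.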
@@ -938,11 +972,10 @@ get_token_password(KMF_KEYSTORE_TYPE kstype, * Login to the token first. */ (void) snprintf(prompt, sizeof (prompt), - gettext(DEFAULT_TOKEN_PROMPT), - token_spec); + gettext(DEFAULT_TOKEN_PROMPT), token_spec); if (get_pin(prompt, NULL, (uchar_t **)&cred->cred, - (ulong_t *)&cred->credlen) != CKR_OK) { + (ulong_t *)&cred->credlen) != CKR_OK) { cred->cred = NULL; cred->credlen = 0; } @@ -983,22 +1016,20 @@ display_error(void *handle, KMF_RETURN errcode, char *prefix) char *plugin_errmsg = NULL; char *kmf_errmsg = NULL; - rv1 = KMF_GetPluginErrorString(handle, &plugin_errmsg); - rv2 = KMF_GetKMFErrorString(errcode, &kmf_errmsg); + rv1 = kmf_get_plugin_error_str(handle, &plugin_errmsg); + rv2 = kmf_get_kmf_error_str(errcode, &kmf_errmsg); cryptoerror(LOG_STDERR, "%s:", prefix); if (rv1 == KMF_OK && plugin_errmsg) { - cryptoerror(LOG_STDERR, - gettext("keystore error: %s"), - plugin_errmsg); - KMF_FreeString(plugin_errmsg); + cryptoerror(LOG_STDERR, gettext("keystore error: %s"), + plugin_errmsg); + kmf_free_str(plugin_errmsg); } if (rv2 == KMF_OK && kmf_errmsg) { - cryptoerror(LOG_STDERR, - gettext("libkmf error: %s"), - kmf_errmsg); - KMF_FreeString(kmf_errmsg); + cryptoerror(LOG_STDERR, gettext("libkmf error: %s"), + kmf_errmsg); + kmf_free_str(kmf_errmsg); } if (rv1 != KMF_OK && rv2 != KMF_OK) diff --git a/usr/src/cmd/cmd-crypto/pktool/delete.c b/usr/src/cmd/cmd-crypto/pktool/delete.c index f2dcfbd8d2..b1a1bcb96b 100644 --- a/usr/src/cmd/cmd-crypto/pktool/delete.c +++ b/usr/src/cmd/cmd-crypto/pktool/delete.c 
@@ -39,71 +39,143 @@ #include <kmfapi.h> static KMF_RETURN -pk_destroy_keys(void *handle, KMF_KEY_HANDLE *keys, - KMF_FINDKEY_PARAMS *fkparams, uint32_t numkeys) +pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr) { int i; KMF_RETURN rv = KMF_OK; - KMF_DELETEKEY_PARAMS dkparams; + uint32_t *numkeys; + KMF_KEY_HANDLE *keys = NULL; + int del_num = 0; + KMF_ATTRIBUTE delete_attlist[16]; + KMF_KEYSTORE_TYPE kstype; + uint32_t len; + boolean_t destroy = B_TRUE; + KMF_CREDENTIAL cred; + char *slotlabel = NULL; + + len = sizeof (kstype); + rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, + &kstype, &len); + if (rv != KMF_OK) + return (rv); + + kmf_set_attr_at_index(delete_attlist, del_num, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + del_num++; - (void) memset(&dkparams, 0, sizeof (dkparams)); - dkparams.kstype = fkparams->kstype; + /* "destroy" is optional. Default is TRUE */ + (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr, + (void *)&destroy, NULL); - switch (fkparams->kstype) { + kmf_set_attr_at_index(delete_attlist, del_num, + KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t)); + del_num++; + + switch (kstype) { case KMF_KEYSTORE_NSS: - dkparams.nssparms = fkparams->nssparms; - dkparams.cred = fkparams->cred; + rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, + (void *)&cred, NULL); + if (rv == KMF_OK) { + if (cred.credlen > 0) { + kmf_set_attr_at_index(delete_attlist, del_num, + KMF_CREDENTIAL_ATTR, &cred, + sizeof (KMF_CREDENTIAL)); + del_num++; + } + } + + slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist, + numattr); + if (slotlabel != NULL) { + kmf_set_attr_at_index(delete_attlist, del_num, + KMF_TOKEN_LABEL_ATTR, slotlabel, + strlen(slotlabel)); + del_num++; + } break; case KMF_KEYSTORE_OPENSSL: break; case KMF_KEYSTORE_PK11TOKEN: - dkparams.cred = fkparams->cred; + rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, + (void *)&cred, NULL); + if (rv == KMF_OK) { + if (cred.credlen > 
0) { + kmf_set_attr_at_index(delete_attlist, del_num, + KMF_CREDENTIAL_ATTR, &cred, + sizeof (KMF_CREDENTIAL)); + del_num++; + } + } break; default: return (PK_ERR_USAGE); } - for (i = 0; rv == KMF_OK && i < numkeys; i++) { - rv = KMF_DeleteKeyFromKeystore(handle, &dkparams, &keys[i]); + numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr); + if (numkeys == NULL) + return (PK_ERR_USAGE); + + keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr); + if (keys == NULL) + return (PK_ERR_USAGE); + + for (i = 0; rv == KMF_OK && i < *numkeys; i++) { + int num = del_num; + + kmf_set_attr_at_index(delete_attlist, num, + KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE)); + num++; + + rv = kmf_delete_key_from_keystore(handle, num, delete_attlist); } return (rv); } static KMF_RETURN -pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_FINDKEY_PARAMS *parms, char *desc, - int *keysdeleted) +pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr, + char *desc, int *keysdeleted) { KMF_RETURN rv = KMF_OK; uint32_t numkeys = 0; + int num = numattr; *keysdeleted = 0; numkeys = 0; - rv = KMF_FindKey(kmfhandle, parms, NULL, &numkeys); + + kmf_set_attr_at_index(attlist, num, + KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t)); + num++; + + rv = kmf_find_key(kmfhandle, num, attlist); + if (rv == KMF_OK && numkeys > 0) { KMF_KEY_HANDLE *keys = NULL; char prompt[1024]; (void) snprintf(prompt, sizeof (prompt), - gettext("%d %s key(s) found, do you want " - "to delete them (y/N) ?"), numkeys, - (desc != NULL ? desc : "")); + gettext("%d %s key(s) found, do you want " + "to delete them (y/N) ?"), numkeys, + (desc != NULL ? 
desc : "")); if (!yesno(prompt, - gettext("Respond with yes or no.\n"), - B_FALSE)) { + gettext("Respond with yes or no.\n"), + B_FALSE)) { return (KMF_OK); } keys = (KMF_KEY_HANDLE *)malloc(numkeys * - sizeof (KMF_KEY_HANDLE)); + sizeof (KMF_KEY_HANDLE)); if (keys == NULL) return (KMF_ERR_MEMORY); (void) memset(keys, 0, numkeys * - sizeof (KMF_KEY_HANDLE)); + sizeof (KMF_KEY_HANDLE)); + + kmf_set_attr_at_index(attlist, num, + KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE)); + num++; - rv = KMF_FindKey(kmfhandle, parms, keys, &numkeys); + rv = kmf_find_key(kmfhandle, num, attlist); if (rv == KMF_OK) { - rv = pk_destroy_keys(kmfhandle, keys, - parms, numkeys); + rv = pk_destroy_keys(kmfhandle, attlist, num); } free(keys); 
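Review bot: In pk_destroy_keys the NSS and PK11TOKEN cases store the result of `kmf_get_attr(KMF_CREDENTIAL_ATTR, ...)` in `rv`, and nothing resets it before the delete loop `for (i = 0; rv == KMF_OK && i < *numkeys; i++)` — so when no credential attribute was supplied (delete_nss_keys and delete_pk11_keys only add one when `credlen > 0`) and kmf_get_attr returns non-OK for the missing attribute, no key is deleted and that lookup error is returned instead. Test the lookup without touching rv in both cases: `if (kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, (void *)&cred, NULL) == KMF_OK && cred.credlen > 0) {`. Separately, pk_delete_keys writes KMF_COUNT_ATTR and KMF_KEY_HANDLE_ATTR into the caller-owned `attlist` at indices numattr and numattr+1 with no bound check, and pk_delete_certs in the next hunk does the same with KMF_COUNT_ATTR; both prototypes need a comment such as `/* attlist must have room for two entries beyond numattr */`. pk_delete_keys continues past the end of this hunk.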
@@ -118,26 +190,34 @@ pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_FINDKEY_PARAMS *parms, char *desc, } static KMF_RETURN -pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_FINDCERT_PARAMS *fcparms, - KMF_DELETECERT_PARAMS *dcparms) +pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr) { KMF_RETURN rv = KMF_OK; uint32_t numcerts = 0; + int num = numattr; + + kmf_set_attr_at_index(attlist, num, + KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t)); + num++; - rv = KMF_FindCert(kmfhandle, fcparms, NULL, &numcerts); + rv = kmf_find_cert(kmfhandle, num, attlist); if (rv == KMF_OK && numcerts > 0) { char prompt[1024]; (void) snprintf(prompt, sizeof (prompt), - gettext("%d certificate(s) found, do you want " - "to delete them (y/N) ?"), numcerts); + gettext("%d certificate(s) found, do you want " + "to delete them (y/N) ?"), numcerts); if (!yesno(prompt, - gettext("Respond with yes or no.\n"), - B_FALSE)) { + gettext("Respond with yes or no.\n"), + B_FALSE)) { return (KMF_OK); } - rv = KMF_DeleteCertFromKeystore(kmfhandle, dcparms); + /* + * Use numattr because delete cert does not require + * KMF_COUNT_ATTR attribute. + */ + rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist); } else if (rv == KMF_ERR_CERT_NOT_FOUND) { rv = KMF_OK; 
@@ -152,36 +232,73 @@ delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix, KMF_CREDENTIAL *tokencred) { KMF_RETURN rv = KMF_OK; - KMF_FINDKEY_PARAMS parms; char *keytype = NULL; int nk, numkeys = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEY_CLASS keyclass; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); - (void) memset(&parms, 0, sizeof (parms)); - parms.kstype = KMF_KEYSTORE_NSS; - parms.findLabel = objlabel; - parms.cred = *tokencred; - parms.nssparms.slotlabel = token; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + objlabel, strlen(objlabel)); + numattr++; + } + + if (tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (token && strlen(token)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } if (oclass & PK_PRIKEY_OBJ) { - parms.keyclass = KMF_ASYM_PRI; + int num = numattr; + + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + keytype = "private"; - rv = pk_delete_keys(kmfhandle, &parms, keytype, &nk); + rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); numkeys += nk; } if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - parms.keyclass = KMF_SYMMETRIC; + int num = numattr; + + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + keytype = "symmetric"; - rv = pk_delete_keys(kmfhandle, &parms, keytype, &nk); + rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); numkeys += nk; } if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { - parms.keyclass = KMF_ASYM_PUB; + int num = numattr; + + 
keyclass = KMF_ASYM_PUB; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + keytype = "public"; - rv = pk_delete_keys(kmfhandle, &parms, keytype, &nk); + rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); numkeys += nk; } if (rv == KMF_OK && numkeys == 0) 
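Review bot: delete_nss_keys dereferences `tokencred->credlen` unconditionally, while the parallel delete_pk11_keys later in this file guards with `tokencred != NULL &&`; the single visible caller passes `&tokencred`, so this is harmless today, but the two helpers should agree: `if (tokencred != NULL && tokencred->credlen > 0) {`. Likewise the label test here is `token && strlen(token)` whereas delete_nss_certs uses `token != NULL`, so an empty token string is skipped for keys but passed as a zero-length KMF_TOKEN_LABEL_ATTR for certificates — pick one form for both.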
@@ -199,32 +316,59 @@ delete_nss_certs(KMF_HANDLE_T kmfhandle, KMF_CERT_VALIDITY find_criteria_flag) { KMF_RETURN rv = KMF_OK; - KMF_DELETECERT_PARAMS dcparms; - KMF_FINDCERT_PARAMS fcargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); - (void) memset(&dcparms, 0, sizeof (dcparms)); - dcparms.kstype = KMF_KEYSTORE_NSS; - dcparms.certLabel = objlabel; - dcparms.issuer = issuer; - dcparms.subject = subject; - dcparms.serial = serno; - dcparms.find_cert_validity = find_criteria_flag; - dcparms.nssparms.slotlabel = token; - - (void) memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_NSS; - fcargs.certLabel = objlabel; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serno; - fcargs.find_cert_validity = find_criteria_flag; - fcargs.nssparms.slotlabel = token; - - rv = pk_delete_certs(kmfhandle, &fcargs, &dcparms); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, objlabel, + strlen(objlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serno != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serno, + sizeof (KMF_BIGINT)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, + sizeof (KMF_CERT_VALIDITY)); + numattr++; + + if (token != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token, + strlen(token)); + numattr++; + } + + rv = pk_delete_certs(kmfhandle, attrlist, numattr); return (rv); } 
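Review bot: The `if (serno != NULL)` guard before KMF_BIGINT_ATTR never filters anything: pk_delete always passes `&serial`, a local whose `.val` is only filled when a serial was given (see `serial.val = bytes` and `if (serial.val != NULL) free(serial.val)` in the pk_delete hunks below), so a search without a serial now carries a KMF_BIGINT attribute with a NULL val. Unless libkmf treats such a bigint as "no serial", this can change which certificates match and get deleted; guard on the content instead: `if (serno != NULL && serno->val != NULL) {`. The same pattern appears in delete_pk11_certs and delete_file_certs (`serial` there) later in this file.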
@@ -232,23 +376,38 @@ delete_nss_certs(KMF_HANDLE_T kmfhandle, static KMF_RETURN delete_nss_crl(void *kmfhandle, char *dir, char *prefix, char *token, - char *issuernickname, char *subject) + char *issuer, char *subject) { KMF_RETURN rv = KMF_OK; - KMF_DELETECRL_PARAMS dcrlparms; + int numattr = 0; + KMF_ATTRIBUTE attrlist[8]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); - (void) memset(&dcrlparms, 0, sizeof (dcrlparms)); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - dcrlparms.kstype = KMF_KEYSTORE_NSS; - dcrlparms.nssparms.slotlabel = token; - dcrlparms.nssparms.crl_issuerName = issuernickname; - dcrlparms.nssparms.crl_subjName = subject; + if (token != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, + issuer, strlen(issuer)); + numattr++; + } + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, + subject, strlen(subject)); + numattr++; + } - rv = KMF_DeleteCRL(kmfhandle, &dcrlparms); + rv = kmf_delete_crl(kmfhandle, numattr, attrlist); return (rv); } @@ -259,9 +418,14 @@ delete_pk11_keys(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *tokencred) { KMF_RETURN rv = KMF_OK; - KMF_FINDKEY_PARAMS parms; int nk, numkeys = 0; - + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEY_CLASS keyclass; + boolean_t token_bool = B_TRUE; + KMF_KEY_ALG keytype = 0; + boolean_t private; /* * Symmetric keys and RSA/DSA private keys are always * created with the "CKA_PRIVATE" field == TRUE, so 
@@ -275,30 +439,69 @@ delete_pk11_keys(KMF_HANDLE_T kmfhandle, return (rv); } - (void) memset(&parms, 0, sizeof (parms)); - parms.kstype = KMF_KEYSTORE_PK11TOKEN; - parms.findLabel = (char *)objlabel; - parms.keytype = 0; - parms.pkcs11parms.private = ((oclass & PK_PRIVATE_OBJ) > 0); - parms.pkcs11parms.token = 1; - parms.cred.cred = tokencred->cred; - parms.cred.credlen = tokencred->credlen; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + objlabel, strlen(objlabel)); + numattr++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + private = ((oclass & PK_PRIVATE_OBJ) > 0); + + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, + &private, sizeof (private)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYALG_ATTR, + &keytype, sizeof (keytype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, + &token_bool, sizeof (token_bool)); + numattr++; if (oclass & PK_PRIKEY_OBJ) { - parms.keyclass = KMF_ASYM_PRI; - rv = pk_delete_keys(kmfhandle, &parms, "private", &nk); + int num = numattr; + + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + + rv = pk_delete_keys(kmfhandle, attrlist, num, "private", &nk); numkeys += nk; } if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - parms.keyclass = KMF_SYMMETRIC; - rv = pk_delete_keys(kmfhandle, &parms, "symmetric", &nk); + int num = numattr; + + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + + rv = pk_delete_keys(kmfhandle, attrlist, num, "symmetric", &nk); numkeys += nk; } if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { - parms.keyclass = 
KMF_ASYM_PUB; - rv = pk_delete_keys(kmfhandle, &parms, "public", &nk); + int num = numattr; + + keyclass = KMF_ASYM_PUB; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + + rv = pk_delete_keys(kmfhandle, attrlist, num, "public", &nk); numkeys += nk; } if (rv == KMF_OK && numkeys == 0) @@ -314,8 +517,9 @@ delete_pk11_certs(KMF_HANDLE_T kmfhandle, KMF_CERT_VALIDITY find_criteria_flag) { KMF_RETURN kmfrv; - KMF_DELETECERT_PARAMS dparms; - KMF_FINDCERT_PARAMS fcargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; kmfrv = select_token(kmfhandle, token, FALSE); @@ -323,16 +527,39 @@ delete_pk11_certs(KMF_HANDLE_T kmfhandle, return (kmfrv); } - (void) memset(&dparms, 0, sizeof (dparms)); - dparms.kstype = KMF_KEYSTORE_PK11TOKEN; - dparms.certLabel = objlabel; - dparms.issuer = issuer; - dparms.subject = subject; - dparms.serial = serno; - dparms.find_cert_validity = find_criteria_flag; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, + objlabel, strlen(objlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, + issuer, strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, + subject, strlen(subject)); + numattr++; + } + + if (serno != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, + serno, sizeof (KMF_BIGINT)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, + &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); + numattr++; - fcargs = dparms; - kmfrv = pk_delete_certs(kmfhandle, &fcargs, &dparms); + kmfrv = pk_delete_certs(kmfhandle, attrlist, numattr); return (kmfrv); } 
@@ -343,24 +570,49 @@ delete_file_certs(KMF_HANDLE_T kmfhandle, char *subject, KMF_CERT_VALIDITY find_criteria_flag) { KMF_RETURN rv; - KMF_DELETECERT_PARAMS dparms; - KMF_FINDCERT_PARAMS fcargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, + issuer, strlen(issuer)); + numattr++; + } - (void *)memset(&dparms, 0, sizeof (dparms)); - (void *)memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_OPENSSL; - fcargs.certLabel = NULL; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serial; - fcargs.sslparms.dirpath = dir; - fcargs.sslparms.certfile = filename; - fcargs.find_cert_validity = find_criteria_flag; + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, + subject, strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, + serial, sizeof (KMF_BIGINT)); + numattr++; + } - /* For now, delete parameters and find parameters are the same */ - dparms = fcargs; + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, + dir, strlen(dir)); + numattr++; + } + + if (filename != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + } - rv = pk_delete_certs(kmfhandle, &fcargs, &dparms); + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, + &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); + numattr++; + + rv = pk_delete_certs(kmfhandle, attrlist, numattr); return (rv); } 
@@ -370,25 +622,51 @@ delete_file_keys(KMF_HANDLE_T kmfhandle, int oclass, char *dir, char *infile) { KMF_RETURN rv = KMF_OK; - KMF_FINDKEY_PARAMS parms; char *keytype = ""; int nk, numkeys = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEY_CLASS keyclass; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, + dir, strlen(dir)); + numattr++; + } - (void) memset(&parms, 0, sizeof (parms)); - parms.kstype = KMF_KEYSTORE_OPENSSL; - parms.sslparms.dirpath = dir; - parms.sslparms.keyfile = infile; + if (infile != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, + infile, strlen(infile)); + numattr++; + } if (oclass & (PK_PUBKEY_OBJ | PK_PRIKEY_OBJ)) { - parms.keyclass = KMF_ASYM_PRI; + int num = numattr; + + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + keytype = "Asymmetric"; - rv = pk_delete_keys(kmfhandle, &parms, keytype, &nk); + rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); numkeys += nk; } if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - parms.keyclass = KMF_SYMMETRIC; + int num = numattr; + + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, + &keyclass, sizeof (keyclass)); + num++; + keytype = "symmetric"; - rv = pk_delete_keys(kmfhandle, &parms, keytype, &nk); + rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); numkeys += nk; } if (rv == KMF_OK && numkeys == 0) 
@@ -401,15 +679,26 @@ static KMF_RETURN delete_file_crl(void *kmfhandle, char *dir, char *filename) { KMF_RETURN rv; - KMF_DELETECRL_PARAMS dcrlparms; - - (void) memset(&dcrlparms, 0, sizeof (dcrlparms)); - - dcrlparms.kstype = KMF_KEYSTORE_OPENSSL; - dcrlparms.sslparms.dirpath = dir; - dcrlparms.sslparms.crlfile = filename; + int numattr = 0; + KMF_ATTRIBUTE attrlist[4]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (dir) { + kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, + dir, strlen(dir)); + numattr++; + } + if (filename) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + } - rv = KMF_DeleteCRL(kmfhandle, &dcrlparms); + rv = kmf_delete_crl(kmfhandle, numattr, attrlist); return (rv); } @@ -444,11 +733,11 @@ pk_delete(int argc, char *argv[]) /* Parse command line options. Do NOT i18n/l10n. */ while ((opt = getopt_av(argc, argv, - "T:(token)y:(objtype)l:(label)" - "k:(keystore)s:(subject)n:(nickname)" - "d:(dir)p:(prefix)S:(serial)i:(issuer)" - "c:(criteria)" - "f:(infile)")) != EOF) { + "T:(token)y:(objtype)l:(label)" + "k:(keystore)s:(subject)n:(nickname)" + "d:(dir)p:(prefix)S:(serial)i:(issuer)" + "c:(criteria)" + "f:(infile)")) != EOF) { if (EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); @@ -498,7 +787,7 @@ pk_delete(int argc, char *argv[]) find_criteria = optarg_av; if (!strcasecmp(find_criteria, "valid")) find_criteria_flag = - KMF_NONEXPIRED_CERTS; + KMF_NONEXPIRED_CERTS; else if (!strcasecmp(find_criteria, "expired")) find_criteria_flag = KMF_EXPIRED_CERTS; else if (!strcasecmp(find_criteria, "both")) 
@@ -518,17 +807,17 @@ pk_delete(int argc, char *argv[]) /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && - kstype != KMF_KEYSTORE_PK11TOKEN) { + kstype != KMF_KEYSTORE_PK11TOKEN) { (void) fprintf(stderr, gettext("The objtype parameter " - "is only relevant if keystore=pkcs11\n")); + "is only relevant if keystore=pkcs11\n")); return (PK_ERR_USAGE); } /* If no object class specified, delete everything but CRLs */ if (oclass == 0) oclass = PK_CERT_OBJ | PK_PUBKEY_OBJ | PK_PRIKEY_OBJ | - PK_SYMKEY_OBJ; + PK_SYMKEY_OBJ; /* No additional args allowed. */ argc -= optind_av; @@ -547,11 +836,11 @@ pk_delete(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen); + rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); if (rv != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " - "must be specified as a hex number " - "(ex: 0x0102030405ffeeddee)\n")); + "must be specified as a hex number " + "(ex: 0x0102030405ffeeddee)\n")); return (PK_ERR_USAGE); } serial.val = bytes; 
@@ -559,94 +848,92 @@ pk_delete(int argc, char *argv[]) } if ((kstype == KMF_KEYSTORE_PK11TOKEN || - kstype == KMF_KEYSTORE_NSS) && - (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) { + kstype == KMF_KEYSTORE_NSS) && + (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) { (void) get_token_password(kstype, token_spec, - &tokencred); + &tokencred); } - if ((kmfrv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) + if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) return (kmfrv); switch (kstype) { case KMF_KEYSTORE_PK11TOKEN: if (oclass & PK_KEY_OBJ) { kmfrv = delete_pk11_keys(kmfhandle, - token_spec, oclass, - object_label, - &tokencred); + token_spec, oclass, + object_label, &tokencred); /* * If deleting groups of objects, it is OK * to ignore the "key not found" case so that * we can continue to find other objects. */ if (kmfrv == KMF_ERR_KEY_NOT_FOUND && - (oclass != PK_KEY_OBJ)) + (oclass != PK_KEY_OBJ)) kmfrv = KMF_OK; if (kmfrv != KMF_OK) break; } if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { kmfrv = delete_pk11_certs(kmfhandle, - token_spec, - object_label, - &serial, issuer, - subject, find_criteria_flag); + token_spec, object_label, + &serial, issuer, + subject, find_criteria_flag); /* * If cert delete failed, but we are looking at * other objects, then it is OK. 
*/ if (kmfrv == KMF_ERR_CERT_NOT_FOUND && - (oclass & (PK_CRL_OBJ | PK_KEY_OBJ))) + (oclass & (PK_CRL_OBJ | PK_KEY_OBJ))) kmfrv = KMF_OK; if (kmfrv != KMF_OK) break; } if (oclass & PK_CRL_OBJ) kmfrv = delete_file_crl(kmfhandle, - dir, infile); + dir, infile); break; case KMF_KEYSTORE_NSS: if (oclass & PK_KEY_OBJ) { kmfrv = delete_nss_keys(kmfhandle, - dir, prefix, token_spec, - oclass, (char *)object_label, - &tokencred); + dir, prefix, token_spec, + oclass, (char *)object_label, + &tokencred); if (kmfrv != KMF_OK) break; } if (oclass & PK_CERT_OBJ) { kmfrv = delete_nss_certs(kmfhandle, - dir, prefix, token_spec, - (char *)object_label, - &serial, issuer, subject, - find_criteria_flag); + dir, prefix, token_spec, + (char *)object_label, + &serial, issuer, subject, + find_criteria_flag); if (kmfrv != KMF_OK) break; } if (oclass & PK_CRL_OBJ) kmfrv = delete_nss_crl(kmfhandle, - dir, prefix, token_spec, - (char *)object_label, subject); + dir, prefix, token_spec, + (char *)object_label, subject); break; case KMF_KEYSTORE_OPENSSL: if (oclass & PK_KEY_OBJ) { kmfrv = delete_file_keys(kmfhandle, oclass, - dir, infile); + dir, infile); if (kmfrv != KMF_OK) break; } if (oclass & (PK_CERT_OBJ)) { kmfrv = delete_file_certs(kmfhandle, - dir, infile, &serial, issuer, - subject, find_criteria_flag); + dir, infile, &serial, issuer, + subject, find_criteria_flag); if (kmfrv != KMF_OK) break; } if (oclass & PK_CRL_OBJ) kmfrv = delete_file_crl(kmfhandle, - dir, infile); + dir, infile); break; default: rv = PK_ERR_USAGE; @@ -655,11 +942,11 @@ pk_delete(int argc, char *argv[]) if (kmfrv != KMF_OK) { display_error(kmfhandle, kmfrv, - gettext("Error deleting objects")); + gettext("Error deleting objects")); } if (serial.val != NULL) free(serial.val); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); return (kmfrv); } diff --git a/usr/src/cmd/cmd-crypto/pktool/download.c b/usr/src/cmd/cmd-crypto/pktool/download.c index 1eabc85ee3..a0b1591ad5 100644 
--- a/usr/src/cmd/cmd-crypto/pktool/download.c +++ b/usr/src/cmd/cmd-crypto/pktool/download.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -121,8 +121,8 @@ pk_download(int argc, char *argv[]) /* Check if the file exists and might be overwritten. */ if (access(fullpath, F_OK) == 0) { cryptoerror(LOG_STDERR, - gettext("Warning: file \"%s\" exists, " - "will be overwritten."), fullpath); + gettext("Warning: file \"%s\" exists, " + "will be overwritten."), fullpath); if (yesno(gettext("Continue with download? "), gettext("Respond with yes or no.\n"), B_FALSE) == B_FALSE) { return (0); @@ -131,7 +131,7 @@ pk_download(int argc, char *argv[]) rv = verify_file(fullpath); if (rv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("The file (%s) " - "cannot be created.\n"), fullpath); + "cannot be created.\n"), fullpath); return (PK_ERR_USAGE); } } @@ -171,7 +171,7 @@ pk_download(int argc, char *argv[]) oclass = PK_CRL_OBJ; } - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n")); rv = PK_ERR_USAGE; goto end; @@ -179,10 +179,10 @@ pk_download(int argc, char *argv[]) /* Now we are ready to download */ if (oclass & PK_CRL_OBJ) { - rv = KMF_DownloadCRL(kmfhandle, url, proxy, proxy_port, 30, + rv = kmf_download_crl(kmfhandle, url, proxy, proxy_port, 30, fullpath, &format); } else if (oclass & PK_CERT_OBJ) { - rv = KMF_DownloadCert(kmfhandle, url, proxy, proxy_port, 30, + rv = kmf_download_cert(kmfhandle, url, proxy, proxy_port, 30, fullpath, &format); } 
@@ -231,26 +231,22 @@ pk_download(int argc, char *argv[]) * If the downloaded file is outdated, give a warning. */ if (oclass & PK_CRL_OBJ) { - KMF_CHECKCRLDATE_PARAMS params; - - params.crl_name = fullpath; - ch_rv = KMF_CheckCRLDate(kmfhandle, ¶ms); - + ch_rv = kmf_check_crl_date(kmfhandle, fullpath); } else { /* certificate */ - ch_rv = KMF_ReadInputFile(kmfhandle, fullpath, &cert); + ch_rv = kmf_read_input_file(kmfhandle, fullpath, &cert); if (ch_rv != KMF_OK) goto end; if (format == KMF_FORMAT_PEM) { int len; - ch_rv = KMF_Pem2Der(cert.Data, cert.Length, + ch_rv = kmf_pem_to_der(cert.Data, cert.Length, &cert_der.Data, &len); if (ch_rv != KMF_OK) goto end; cert_der.Length = (size_t)len; } - ch_rv = KMF_CheckCertDate(kmfhandle, + ch_rv = kmf_check_cert_date(kmfhandle, format == KMF_FORMAT_ASN1 ? &cert : &cert_der); } @@ -266,9 +262,9 @@ end: if (fullpath) free(fullpath); - KMF_FreeData(&cert); - KMF_FreeData(&cert_der); + kmf_free_data(&cert); + kmf_free_data(&cert_der); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/pktool/export.c b/usr/src/cmd/cmd-crypto/pktool/export.c index 9170a00468..1d3b36e703 100644 --- a/usr/src/cmd/cmd-crypto/pktool/export.c +++ b/usr/src/cmd/cmd-crypto/pktool/export.c @@ -19,7 +19,7 @@ * CDDL HEADER END * * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -44,31 +44,40 @@ #include <kmfapi.h> static KMF_RETURN -pk_find_export_cert(KMF_HANDLE_T kmfhandle, KMF_FINDCERT_PARAMS *parms, - KMF_X509_DER_CERT *cert) +pk_find_export_cert(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attrlist, + int numattr, KMF_X509_DER_CERT *cert) { KMF_RETURN rv = KMF_OK; uint32_t numcerts = 0; numcerts = 0; (void) memset(cert, 0, sizeof (KMF_X509_DER_CERT)); - rv = KMF_FindCert(kmfhandle, parms, NULL, &numcerts); + + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &numcerts, sizeof (uint32_t)); + numattr++; + + rv = kmf_find_cert(kmfhandle, numattr, attrlist); if (rv != KMF_OK) { return (rv); } if (numcerts == 0) { cryptoerror(LOG_STDERR, - gettext("No matching certificates found.")); + gettext("No matching certificates found.")); return (KMF_ERR_CERT_NOT_FOUND); } else if (numcerts == 1) { - rv = KMF_FindCert(kmfhandle, parms, cert, &numcerts); + kmf_set_attr_at_index(attrlist, numattr, + KMF_X509_DER_CERT_ATTR, cert, + sizeof (KMF_X509_DER_CERT)); + numattr++; + rv = kmf_find_cert(kmfhandle, numattr, attrlist); } else if (numcerts > 1) { cryptoerror(LOG_STDERR, - gettext("%d certificates found, refine the " - "search parameters to eliminate ambiguity\n"), - numcerts); + gettext("%d certificates found, refine the " + "search parameters to eliminate ambiguity\n"), + numcerts); return (KMF_ERR_BAD_PARAMETER); } return (rv); 
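Review bot: pk_find_export_cert writes attrlist[numattr] and, on the single-match path, attrlist[numattr + 1] with no capacity argument, so the requirement that the caller leave at least two free slots is implicit; every caller in this file declares attrlist[16], but nothing in the function checks it. The KMF_COUNT_ATTR entry also points at the local numcerts, so the caller's array holds a dangling pointer once the function returns (callers reset numattr to 0 before reusing the array, which keeps this benign today). A header comment would make both explicit: `/* Caller must leave two free slots after numattr; the COUNT entry points at a local and is stale once this returns. */`.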
@@ -77,36 +86,80 @@ pk_find_export_cert(KMF_HANDLE_T kmfhandle, KMF_FINDCERT_PARAMS *parms, static KMF_RETURN pk_export_file_objects(KMF_HANDLE_T kmfhandle, int oclass, char *issuer, char *subject, KMF_BIGINT *serial, - KMF_ENCODE_FORMAT ofmt, char *dir, char *infile, char *filename) { KMF_RETURN rv = KMF_OK; - KMF_STORECERT_PARAMS scparms; KMF_X509_DER_CERT kmfcert; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; /* If searching for public objects or certificates, find certs now */ if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { - KMF_FINDCERT_PARAMS fcargs; - - (void) memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_OPENSSL; - fcargs.certLabel = NULL; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serial; - fcargs.sslparms.dirpath = dir; - fcargs.sslparms.certfile = infile; - fcargs.sslparms.format = ofmt; - - rv = pk_find_export_cert(kmfhandle, &fcargs, &kmfcert); + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, + strlen(dir)); + numattr++; + } + + if (infile != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, infile, + strlen(infile)); + numattr++; + } + + rv = pk_find_export_cert(kmfhandle, attrlist, numattr, + &kmfcert); if (rv == KMF_OK) { - (void) memset(&scparms, 0, sizeof (scparms)); - scparms.kstype = KMF_KEYSTORE_OPENSSL; - scparms.sslparms.certfile = filename; - rv = 
KMF_StoreCert(kmfhandle, &scparms, - &kmfcert.certificate); + kstype = KMF_KEYSTORE_OPENSSL; + numattr = 0; - KMF_FreeKMFCert(kmfhandle, &kmfcert); + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_DATA_ATTR, &kmfcert.certificate, + sizeof (KMF_DATA)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, filename, + strlen(filename)); + numattr++; + + rv = kmf_store_cert(kmfhandle, numattr, + attrlist); + + kmf_free_kmf_cert(kmfhandle, &kmfcert); } } return (rv); 
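Review bot: The kmf_store_cert call at the end of the hunk never receives a KMF_ENCODE_FORMAT_ATTR, while pk_export_nss_objects and pk_export_pk11_objects in this file add one from kfmt, and the commit also removes the ofmt parameter from this function, so the user's outformat cannot reach the file-keystore store path at all. Whether kmf_store_cert then falls back to a fixed encoding I cannot tell from here, but if it does the requested format is silently ignored for the file keystore. If that is intentional, say so with `/* file keystore: output encoding is fixed; kfmt is not consulted */`; otherwise pass kfmt through and add `kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, &kfmt, sizeof (kfmt)); numattr++;` before the store, as the sibling functions do.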
@@ -120,31 +173,70 @@ pk_export_pk12_nss(KMF_HANDLE_T kmfhandle, char *filename) { KMF_RETURN rv = KMF_OK; - KMF_EXPORTP12_PARAMS p12parms; + KMF_KEYSTORE_TYPE kstype; + KMF_CREDENTIAL p12cred = { NULL, 0}; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); - (void) memset(&p12parms, 0, sizeof (p12parms)); if (token_spec == NULL) token_spec = DEFAULT_NSS_TOKEN; - p12parms.kstype = KMF_KEYSTORE_NSS; - p12parms.certLabel = certlabel; - p12parms.issuer = issuer; - p12parms.subject = subject; - p12parms.serial = serial; - p12parms.idstr = NULL; - if (tokencred != NULL) - p12parms.cred = *tokencred; - p12parms.nssparms.slotlabel = token_spec; + kstype = KMF_KEYSTORE_NSS; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, certlabel, strlen(certlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, strlen(subject)); + numattr++; + } - (void) get_pk12_password(&p12parms.p12cred); + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, sizeof (KMF_BIGINT)); + numattr++; + } - rv = KMF_ExportPK12(kmfhandle, &p12parms, filename); - if (p12parms.p12cred.cred) - free(p12parms.p12cred.cred); + if (tokencred != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token_spec, strlen(token_spec)); + numattr++; + + (void) get_pk12_password(&p12cred); + kmf_set_attr_at_index(attrlist, numattr, + KMF_PK12CRED_ATTR, &p12cred, sizeof (KMF_CREDENTIAL)); + numattr++; + + 
kmf_set_attr_at_index(attrlist, numattr, + KMF_OUTPUT_FILENAME_ATTR, filename, strlen(filename)); + numattr++; + + rv = kmf_export_pk12(kmfhandle, numattr, attrlist); + + if (p12cred.cred) + free(p12cred.cred); return (rv); } @@ -155,26 +247,47 @@ pk_export_pk12_files(KMF_HANDLE_T kmfhandle, char *outfile) { KMF_RETURN rv; - KMF_EXPORTP12_PARAMS p12parms; + KMF_KEYSTORE_TYPE kstype; + KMF_CREDENTIAL p12cred = { NULL, 0}; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; + + kstype = KMF_KEYSTORE_OPENSSL; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, strlen(dir)); + numattr++; + } - (void) memset(&p12parms, 0, sizeof (p12parms)); + if (certfile != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, certfile, strlen(certfile)); + numattr++; + } + + if (keyfile != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_FILENAME_ATTR, keyfile, strlen(keyfile)); + numattr++; + } - p12parms.kstype = KMF_KEYSTORE_OPENSSL; - p12parms.certLabel = NULL; - p12parms.issuer = NULL; - p12parms.subject = NULL; - p12parms.serial = 0; - p12parms.idstr = NULL; - p12parms.sslparms.dirpath = dir; - p12parms.sslparms.certfile = certfile; - p12parms.sslparms.keyfile = keyfile; + (void) get_pk12_password(&p12cred); + kmf_set_attr_at_index(attrlist, numattr, + KMF_PK12CRED_ATTR, &p12cred, sizeof (KMF_CREDENTIAL)); + numattr++; - (void) get_pk12_password(&p12parms.p12cred); + kmf_set_attr_at_index(attrlist, numattr, + KMF_OUTPUT_FILENAME_ATTR, outfile, strlen(outfile)); + numattr++; - rv = KMF_ExportPK12(kmfhandle, &p12parms, outfile); + rv = kmf_export_pk12(kmfhandle, numattr, attrlist); - if (p12parms.p12cred.cred) - free(p12parms.p12cred.cred); + if (p12cred.cred) + free(p12cred.cred); return (rv); } 
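Review bot: The PKCS#12 passphrase obtained by get_pk12_password is released with a plain `free(p12cred.cred)` at the end of the hunk, so the secret remains in freed heap memory until that block is reused; the same pattern appears in pk_export_pk12_files (next hunk) and pk_export_pk12_pk11. Since p12cred.credlen is at hand, wipe before freeing, `(void) memset(p12cred.cred, 0, p12cred.credlen);` ahead of the free, bearing in mind that a compiler may elide a memset immediately followed by free, so a project wipe routine that is guaranteed to run is preferable if one exists. get_pk12_password's return is also cast to void, so on failure the export proceeds with an empty credential; a one-line comment stating that this is intended would help the next reader.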
@@ -186,8 +299,10 @@ pk_export_nss_objects(KMF_HANDLE_T kmfhandle, char *token_spec, char *prefix, char *filename) { KMF_RETURN rv = KMF_OK; - KMF_STORECERT_PARAMS scparms; KMF_X509_DER_CERT kmfcert; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) 
@@ -195,27 +310,73 @@ pk_export_nss_objects(KMF_HANDLE_T kmfhandle, char *token_spec, /* If searching for public objects or certificates, find certs now */ if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { - KMF_FINDCERT_PARAMS fcargs; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, certlabel, + strlen(certlabel)); + numattr++; + } - (void) memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_NSS; - fcargs.certLabel = certlabel; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serial; - fcargs.nssparms.slotlabel = token_spec; + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } - rv = pk_find_export_cert(kmfhandle, &fcargs, &kmfcert); + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token_spec, + strlen(token_spec)); + numattr++; + } + + rv = pk_find_export_cert(kmfhandle, attrlist, numattr, + &kmfcert); if (rv == KMF_OK) { - (void) memset(&scparms, 0, sizeof (scparms)); - scparms.kstype = KMF_KEYSTORE_OPENSSL; - scparms.sslparms.certfile = filename; - scparms.sslparms.format = kfmt; + kstype = KMF_KEYSTORE_OPENSSL; + numattr = 0; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; - rv = KMF_StoreCert(kmfhandle, &scparms, - &kmfcert.certificate); + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_DATA_ATTR, &kmfcert.certificate, + sizeof (KMF_DATA)); + numattr++; - KMF_FreeKMFCert(kmfhandle, &kmfcert); + 
kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, filename, + strlen(filename)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &kfmt, sizeof (kfmt)); + numattr++; + + rv = kmf_store_cert(kmfhandle, numattr, attrlist); + + kmf_free_kmf_cert(kmfhandle, &kmfcert); } } return (rv); 
@@ -227,29 +388,179 @@ pk_export_pk12_pk11(KMF_HANDLE_T kmfhandle, char *token_spec, KMF_BIGINT *serial, KMF_CREDENTIAL *tokencred, char *filename) { KMF_RETURN rv = KMF_OK; - KMF_EXPORTP12_PARAMS p12parms; + KMF_KEYSTORE_TYPE kstype; + KMF_CREDENTIAL p12cred = { NULL, 0}; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; rv = select_token(kmfhandle, token_spec, TRUE); if (rv != KMF_OK) { return (rv); } - (void) memset(&p12parms, 0, sizeof (p12parms)); + kstype = KMF_KEYSTORE_PK11TOKEN; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, certlabel, strlen(certlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, sizeof (KMF_BIGINT)); + numattr++; + } + + if (tokencred != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + (void) get_pk12_password(&p12cred); + kmf_set_attr_at_index(attrlist, numattr, + KMF_PK12CRED_ATTR, &p12cred, sizeof (KMF_CREDENTIAL)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_OUTPUT_FILENAME_ATTR, filename, strlen(filename)); + numattr++; + + rv = kmf_export_pk12(kmfhandle, numattr, attrlist); + + if (p12cred.cred) + free(p12cred.cred); + + return (rv); +} + +static KMF_RETURN +pk_export_pk11_keys(KMF_HANDLE_T kmfhandle, char *token, + KMF_CREDENTIAL *cred, KMF_ENCODE_FORMAT format, + char *label, char *filename) +{ + KMF_RETURN rv = KMF_OK; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + uint32_t numkeys = 1; + KMF_ATTRIBUTE 
attrlist[16]; + KMF_KEY_HANDLE key; + KMF_KEY_CLASS keyclass = KMF_SYMMETRIC; + boolean_t is_token = B_TRUE; + + if (EMPTYSTRING(label)) { + cryptoerror(LOG_STDERR, gettext("A label " + "must be specified to export a key.")); + return (KMF_ERR_BAD_PARAMETER); + } + + rv = select_token(kmfhandle, token, TRUE); + if (rv != KMF_OK) { + return (rv); + } + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (cred != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + cred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + label, strlen(label)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &numkeys, sizeof (numkeys)); + numattr++; - p12parms.kstype = KMF_KEYSTORE_PK11TOKEN; - p12parms.certLabel = certlabel; - p12parms.issuer = issuer; - p12parms.subject = subject; - p12parms.serial = serial; - p12parms.idstr = NULL; - if (tokencred != NULL) - p12parms.cred = *tokencred; - (void) get_pk12_password(&p12parms.p12cred); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &key, sizeof (key)); + numattr++; - rv = KMF_ExportPK12(kmfhandle, &p12parms, filename); + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, + &is_token, sizeof (is_token)); + numattr++; - if (p12parms.p12cred.cred) - free(p12parms.p12cred.cred); + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &format, sizeof (format)); + numattr++; + + rv = kmf_find_key(kmfhandle, numattr, attrlist); + if (rv == KMF_OK && key.keyclass == KMF_SYMMETRIC) { + KMF_RAW_SYM_KEY rkey; + + (void) memset(&rkey, 0, sizeof (KMF_RAW_SYM_KEY)); + rv = kmf_get_sym_key_value(kmfhandle, &key, &rkey); + if (rv == KMF_OK) { + int fd, n, total = 0; + + fd = open(filename, O_CREAT | O_RDWR |O_TRUNC, 0600); + if (fd == -1) { + rv = KMF_ERR_OPEN_FILE; + goto done; + } + do { + n = write(fd, rkey.keydata.val + total, + 
rkey.keydata.len - total); + if (n < 0) { + if (errno == EINTR) + continue; + close(fd); + rv = KMF_ERR_WRITE_FILE; + goto done; + } + total += n; + + } while (total < rkey.keydata.len); + close(fd); + } +done: + kmf_free_bigint(&rkey.keydata); + kmf_free_kmf_key(kmfhandle, &key); + } else if (rv == KMF_OK) { + KMF_KEYSTORE_TYPE sslks = KMF_KEYSTORE_OPENSSL; + printf(gettext("Found %d asymmetric keys\n"), numkeys); + + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &sslks, sizeof (sslks)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_RAW_KEY_ATTR, + key.keyp, sizeof (KMF_RAW_KEY_DATA)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &format, sizeof (format)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + + rv = kmf_store_key(kmfhandle, numattr, attrlist); + kmf_free_kmf_key(kmfhandle, &key); + } return (rv); } @@ -261,9 +572,10 @@ pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec, char *filename) { KMF_RETURN rv = KMF_OK; - KMF_FINDCERT_PARAMS fcparms; - KMF_STORECERT_PARAMS scparms; KMF_X509_DER_CERT kmfcert; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; rv = select_token(kmfhandle, token_spec, TRUE); 
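Review bot: The raw-key write loop in pk_export_pk11_keys keeps `n` and `total` as int while comparing against rkey.keydata.len (a size_t if KMF_BIGINT matches its use with bytelen elsewhere in this file), ignores the return of the final close(), and would spin if write() ever returned 0, so a failed flush can leave rv == KMF_OK with an incomplete key file. `key` is declared uninitialised and `key.keyclass` is read right after kmf_find_key; unless that call always fills the handle on KMF_OK, add `(void) memset(&key, 0, sizeof (key));` before it. In the asymmetric branch `printf(gettext("Found %d asymmetric keys\n"), numkeys)` formats a uint32_t with %d. The loop below uses size_t/ssize_t and checks close(); the rest of the function is unchanged.
```c
		if (rv == KMF_OK) {
			int fd;
			size_t total = 0;

			fd = open(filename, O_CREAT | O_RDWR | O_TRUNC, 0600);
			if (fd == -1) {
				rv = KMF_ERR_OPEN_FILE;
				goto done;
			}
			while (total < rkey.keydata.len) {
				ssize_t n = write(fd, rkey.keydata.val + total,
				    rkey.keydata.len - total);
				if (n < 0 && errno == EINTR)
					continue;
				if (n <= 0) {
					(void) close(fd);
					rv = KMF_ERR_WRITE_FILE;
					goto done;
				}
				total += (size_t)n;
			}
			/* close() flushes; a failure here means the key may not be on disk */
			if (close(fd) == -1)
				rv = KMF_ERR_WRITE_FILE;
		}
		/* … unchanged: done: label, kmf_free_bigint / kmf_free_kmf_key, asymmetric branch … */
```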
@@ -271,25 +583,64 @@ pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec, return (rv); } - (void) memset(&fcparms, 0, sizeof (fcparms)); - fcparms.kstype = KMF_KEYSTORE_PK11TOKEN; - fcparms.certLabel = certlabel; - fcparms.issuer = issuer; - fcparms.subject = subject; - fcparms.serial = serial; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - rv = pk_find_export_cert(kmfhandle, &fcparms, &kmfcert); + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, certlabel, + strlen(certlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + rv = pk_find_export_cert(kmfhandle, attrlist, numattr, &kmfcert); if (rv == KMF_OK) { - (void) memset(&scparms, 0, sizeof (scparms)); - scparms.kstype = KMF_KEYSTORE_OPENSSL; - scparms.sslparms.certfile = filename; - scparms.sslparms.format = kfmt; + kstype = KMF_KEYSTORE_OPENSSL; + numattr = 0; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_DATA_ATTR, &kmfcert.certificate, + sizeof (KMF_DATA)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, filename, strlen(filename)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &kfmt, sizeof (kfmt)); + numattr++; - rv = KMF_StoreCert(kmfhandle, &scparms, - &kmfcert.certificate); + rv = kmf_store_cert(kmfhandle, numattr, attrlist); - KMF_FreeKMFCert(kmfhandle, &kmfcert); + kmf_free_kmf_cert(kmfhandle, &kmfcert); } 
return (rv); } @@ -324,13 +675,13 @@ pk_export(int argc, char *argv[]) /* Parse command line options. Do NOT i18n/l10n. */ while ((opt = getopt_av(argc, argv, - "k:(keystore)y:(objtype)T:(token)" - "d:(dir)p:(prefix)" - "l:(label)n:(nickname)s:(subject)" - "i:(issuer)S:(serial)" - "K:(keyfile)c:(certfile)" - "F:(outformat)" - "I:(infile)o:(outfile)")) != EOF) { + "k:(keystore)y:(objtype)T:(token)" + "d:(dir)p:(prefix)" + "l:(label)n:(nickname)s:(subject)" + "i:(issuer)S:(serial)" + "K:(keyfile)c:(certfile)" + "F:(outformat)" + "I:(infile)o:(outfile)")) != EOF) { if (EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); switch (opt) { @@ -416,7 +767,7 @@ pk_export(int argc, char *argv[]) /* Filename arg is required. */ if (EMPTYSTRING(filename)) { cryptoerror(LOG_STDERR, gettext("You must specify " - "an 'outfile' parameter when exporting.\n")); + "an 'outfile' parameter when exporting.\n")); return (PK_ERR_USAGE); } @@ -428,10 +779,10 @@ pk_export(int argc, char *argv[]) /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && - kstype != KMF_KEYSTORE_PK11TOKEN) { + kstype != KMF_KEYSTORE_PK11TOKEN) { (void) fprintf(stderr, gettext("The objtype parameter " - "is only relevant if keystore=pkcs11\n")); + "is only relevant if keystore=pkcs11\n")); return (PK_ERR_USAGE); } 
@@ -443,16 +794,16 @@ pk_export(int argc, char *argv[]) if (kstype == KMF_KEYSTORE_OPENSSL) { if (kfmt != KMF_FORMAT_PKCS12) { cryptoerror(LOG_STDERR, gettext("PKCS12 " - "is the only export format " - "supported for the 'file' " - "keystore.\n")); + "is the only export format " + "supported for the 'file' " + "keystore.\n")); return (PK_ERR_USAGE); } if (EMPTYSTRING(keyfile) || EMPTYSTRING(certfile)) { cryptoerror(LOG_STDERR, gettext("A cert file" - "and a key file must be specified " - "when exporting to PKCS12 from the " - "'file' keystore.\n")); + "and a key file must be specified " + "when exporting to PKCS12 from the " + "'file' keystore.\n")); return (PK_ERR_USAGE); } } @@ -460,8 +811,8 @@ pk_export(int argc, char *argv[]) /* Check if the file exists and might be overwritten. */ if (access(filename, F_OK) == 0) { cryptoerror(LOG_STDERR, - gettext("Warning: file \"%s\" exists, " - "will be overwritten."), filename); + gettext("Warning: file \"%s\" exists, " + "will be overwritten."), filename); if (yesno(gettext("Continue with export? "), gettext("Respond with yes or no.\n"), B_FALSE) == B_FALSE) { return (0); @@ -470,7 +821,7 @@ pk_export(int argc, char *argv[]) rv = verify_file(filename); if (rv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("The file (%s) " - "cannot be created.\n"), filename); + "cannot be created.\n"), filename); return (PK_ERR_USAGE); } } @@ -479,11 +830,11 @@ pk_export(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen); + rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); if (rv != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " - "must be specified as a hex number " - "(ex: 0x0102030405ffeeddee)\n")); + "must be specified as a hex number " + "(ex: 0x0102030405ffeeddee)\n")); return (PK_ERR_USAGE); } serial.val = bytes; 
@@ -491,61 +842,62 @@ pk_export(int argc, char *argv[]) } if ((kstype == KMF_KEYSTORE_PK11TOKEN || - kstype == KMF_KEYSTORE_NSS) && - (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) || - kfmt == KMF_FORMAT_PKCS12)) { + kstype == KMF_KEYSTORE_NSS) && + (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) || + kfmt == KMF_FORMAT_PKCS12)) { (void) get_token_password(kstype, token_spec, - &tokencred); + &tokencred); } - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing " - "KMF: 0x%02x\n"), rv); + "KMF: 0x%02x\n"), rv); return (rv); } switch (kstype) { case KMF_KEYSTORE_PK11TOKEN: if (kfmt == KMF_FORMAT_PKCS12) - rv = pk_export_pk12_pk11( - kmfhandle, - token_spec, - certlabel, - issuer, subject, - &serial, &tokencred, - filename); + rv = pk_export_pk12_pk11(kmfhandle, + token_spec, certlabel, + issuer, subject, + &serial, &tokencred, + filename); + else if ((oclass & PK_KEY_OBJ) || + kfmt == KMF_FORMAT_RAWKEY) + rv = pk_export_pk11_keys(kmfhandle, + token_spec, &tokencred, kfmt, + certlabel, filename); else rv = pk_export_pk11_objects(kmfhandle, - token_spec, - certlabel, - issuer, subject, - &serial, kfmt, - filename); + token_spec, certlabel, + issuer, subject, &serial, kfmt, + filename); break; case KMF_KEYSTORE_NSS: if (dir == NULL) dir = PK_DEFAULT_DIRECTORY; if (kfmt == KMF_FORMAT_PKCS12) rv = pk_export_pk12_nss(kmfhandle, - token_spec, dir, prefix, - certlabel, issuer, - subject, &serial, - &tokencred, filename); + token_spec, dir, prefix, + certlabel, issuer, + subject, &serial, + &tokencred, filename); else rv = pk_export_nss_objects(kmfhandle, - token_spec, - oclass, certlabel, issuer, subject, - &serial, kfmt, dir, prefix, filename); + token_spec, + oclass, certlabel, issuer, subject, + &serial, kfmt, dir, prefix, filename); break; case KMF_KEYSTORE_OPENSSL: if (kfmt == KMF_FORMAT_PKCS12) rv = pk_export_pk12_files(kmfhandle, - certfile, keyfile, dir, 
- filename); + certfile, keyfile, dir, + filename); else rv = pk_export_file_objects(kmfhandle, oclass, - issuer, subject, &serial, kfmt, - dir, infile, filename); + issuer, subject, &serial, + dir, infile, filename); break; default: rv = PK_ERR_USAGE; @@ -554,13 +906,13 @@ pk_export(int argc, char *argv[]) if (rv != KMF_OK) { display_error(kmfhandle, rv, - gettext("Error exporting objects")); + gettext("Error exporting objects")); } if (serial.val != NULL) free(serial.val); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/pktool/gencert.c b/usr/src/cmd/cmd-crypto/pktool/gencert.c index 5555c5e386..689b547caf 100644 --- a/usr/src/cmd/cmd-crypto/pktool/gencert.c +++ b/usr/src/cmd/cmd-crypto/pktool/gencert.c 
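Review bot: The new `else if ((oclass & PK_KEY_OBJ) || kfmt == KMF_FORMAT_RAWKEY)` branch routes a rawkey export to pk_export_pk11_keys, but the get_token_password condition earlier in the same hunk still prompts only for PK_KEY_OBJ/PK_PRIVATE_OBJ or PKCS12, so `outformat=rawkey` without `objtype=key` reaches pk_export_pk11_keys with a tokencred that was never filled in (which that function then passes on as KMF_CREDENTIAL_ATTR). If the PKCS#11 key lookup needs a login, the likely outcome is a failure rather than a prompt; extending the condition, `(oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) || kfmt == KMF_FORMAT_PKCS12 || kfmt == KMF_FORMAT_RAWKEY)`, keeps the two in step. pk_export's body continues outside the hunk.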
@@ -56,40 +56,38 @@ gencert_pkcs11(KMF_HANDLE_T kmfhandle, uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv = KMF_OK; - KMF_CREATEKEYPAIR_PARAMS kp_params; - KMF_STORECERT_PARAMS sc_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_CERTIFICATE signedCert; KMF_X509_NAME certSubject; KMF_X509_NAME certIssuer; KMF_DATA x509DER; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; + KMF_KEY_ALG keytype; + uint32_t keylength; (void) memset(&signedCert, 0, sizeof (signedCert)); (void) memset(&certSubject, 0, sizeof (certSubject)); (void) memset(&certIssuer, 0, sizeof (certIssuer)); (void) memset(&x509DER, 0, sizeof (x509DER)); - (void) memset(&kp_params, 0, sizeof (kp_params)); /* If the subject name cannot be parsed, flag it now and exit */ - if (KMF_DNParser(subject, &certSubject) != KMF_OK) { + if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed.\n")); + gettext("Subject name cannot be parsed.\n")); return (PK_ERR_USAGE); } /* For a self-signed cert, the issuser and subject are the same */ - if (KMF_DNParser(subject, &certIssuer) != KMF_OK) { + if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed.\n")); + gettext("Subject name cannot be parsed.\n")); return (PK_ERR_USAGE); } - kp_params.kstype = KMF_KEYSTORE_PK11TOKEN; - kp_params.keylabel = certlabel; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; - kp_params.cred.cred = tokencred->cred; - kp_params.cred.credlen = tokencred->credlen; + keylength = keylen; /* bits */ + keytype = keyAlg; /* Select a PKCS11 token */ kmfrv = select_token(kmfhandle, token, FALSE); 
@@ -98,57 +96,129 @@ gencert_pkcs11(KMF_HANDLE_T kmfhandle, return (kmfrv); } - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYALG_ATTR, &keytype, + sizeof (keytype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLENGTH_ATTR, &keylength, + sizeof (keylength)); + numattr++; + + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, certlabel, + strlen(certlabel)); + numattr++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PRIVKEY_HANDLE_ATTR, &prik, + sizeof (KMF_KEY_HANDLE)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PUBKEY_HANDLE_ATTR, &pubk, + sizeof (KMF_KEY_HANDLE)); + numattr++; + + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { return (kmfrv); } - SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert), - "keypair"); + SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), + "keypair"); - SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number"); + SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); - SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial), - "serial number"); + SET_VALUE(kmf_set_cert_serial(&signedCert, serial), + "serial number"); - SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime), - "validity time"); + SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), + "validity time"); - SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg), - "signature algorithm"); + SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), + "signature algorithm"); - SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject), - "subject name"); 
+ SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), + "subject name"); - SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer), - "issuer name"); + SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), + "issuer name"); if (altname != NULL) - SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit, - alttype, altname), "subjectAltName"); + SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, + alttype, altname), "subjectAltName"); if (kubits != 0) - SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits), - "KeyUsage"); + SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), + "KeyUsage"); - if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik, - &signedCert, &x509DER)) != KMF_OK) { + /* + * Construct attributes for the kmf_sign_cert operation. + */ + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE_ATTR)); + numattr++; + + /* cert data that is to be signed */ + kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, + &signedCert, sizeof (KMF_X509_CERTIFICATE)); + numattr++; + + /* output buffer for the signed cert */ + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + + if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != + KMF_OK) { goto cleanup; } - (void) memset(&sc_params, 0, sizeof (sc_params)); - sc_params.kstype = KMF_KEYSTORE_PK11TOKEN; - sc_params.certLabel = certlabel; - /* * Store the cert in the DB. 
*/ - kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + + if (certlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, + certlabel, strlen(certlabel)); + numattr++; + } + + kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); + cleanup: - KMF_FreeData(&x509DER); - KMF_FreeDN(&certSubject); - KMF_FreeDN(&certIssuer); + kmf_free_data(&x509DER); + kmf_free_dn(&certSubject); + kmf_free_dn(&certIssuer); return (kmfrv); } @@ -162,8 +232,6 @@ gencert_file(KMF_HANDLE_T kmfhandle, char *dir, char *outcert, char *outkey) { KMF_RETURN kmfrv; - KMF_CREATEKEYPAIR_PARAMS kp_params; - KMF_STORECERT_PARAMS sc_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_CERTIFICATE signedCert; KMF_X509_NAME certSubject; 
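Review bot: In the attribute list built for kmf_sign_cert, the private key handle is passed with the wrong length: `kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE_ATTR));` takes the size of the enumerator, not of the handle object, while every other handle in this hunk uses `sizeof (KMF_KEY_HANDLE)`. If the library validates attribute lengths this call will be rejected or read a truncated handle; if it does not, the value is merely misleading, but either way it should read `sizeof (KMF_KEY_HANDLE)`. The same typo appears in the other two gencert_* variants of this patch.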
@@ -171,26 +239,30 @@ gencert_file(KMF_HANDLE_T kmfhandle, KMF_DATA x509DER; char *fullcertpath = NULL; char *fullkeypath = NULL; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + KMF_ATTRIBUTE attrlist[10]; + int numattr = 0; + KMF_KEY_ALG keytype; + uint32_t keylength; + KMF_ENCODE_FORMAT format; (void) memset(&signedCert, 0, sizeof (signedCert)); (void) memset(&certSubject, 0, sizeof (certSubject)); (void) memset(&certIssuer, 0, sizeof (certIssuer)); (void) memset(&x509DER, 0, sizeof (x509DER)); - (void) memset(&kp_params, 0, sizeof (kp_params)); - (void) memset(&sc_params, 0, sizeof (sc_params)); if (EMPTYSTRING(outcert) || EMPTYSTRING(outkey)) { cryptoerror(LOG_STDERR, - gettext("No output file was specified for " - "the cert or key\n")); + gettext("No output file was specified for " + "the cert or key\n")); return (PK_ERR_USAGE); } if (dir != NULL) { fullcertpath = get_fullpath(dir, outcert); if (fullcertpath == NULL) { cryptoerror(LOG_STDERR, - gettext("Cannot create file %s in " - "directory %s\n"), dir, outcert); + gettext("Cannot create file %s in directory %s\n"), + dir, outcert); return (PK_ERR_USAGE); } } else { @@ -198,9 +270,8 @@ gencert_file(KMF_HANDLE_T kmfhandle, } if (verify_file(fullcertpath)) { cryptoerror(LOG_STDERR, - gettext("Cannot write the indicated output " - "certificate file (%s).\n"), - fullcertpath); + gettext("Cannot write the indicated output " + "certificate file (%s).\n"), fullcertpath); free(fullcertpath); return (PK_ERR_USAGE); } @@ -208,8 +279,8 @@ gencert_file(KMF_HANDLE_T kmfhandle, fullkeypath = get_fullpath(dir, outkey); if (fullkeypath == NULL) { cryptoerror(LOG_STDERR, - gettext("Cannot create file %s in " - "directory %s\n"), dir, outkey); + gettext("Cannot create file %s in directory %s\n"), + dir, outkey); free(fullcertpath); return (PK_ERR_USAGE); } 
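Review bot: The rewrapped error message in the `dir != NULL` branch passes its arguments in the wrong order: the format is `"Cannot create file %s in directory %s\n"` but the call supplies `dir, outcert`, so the user sees the directory named as the file and vice versa; it should be `outcert, dir`. The same swap is carried into the outkey message in the following hunk (`dir, outkey`), and the gencsr.c counterparts repeat it. Since the lines were already touched for reindentation, this is a cheap fix in the same change.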
@@ -218,83 +289,146 @@ gencert_file(KMF_HANDLE_T kmfhandle, } if (verify_file(fullkeypath)) { cryptoerror(LOG_STDERR, - gettext("Cannot write the indicated output " - "key file (%s).\n"), - fullkeypath); + gettext("Cannot write the indicated output " + "key file (%s).\n"), fullkeypath); free(fullkeypath); free(fullcertpath); return (PK_ERR_USAGE); } /* If the subject name cannot be parsed, flag it now and exit */ - if (KMF_DNParser(subject, &certSubject) != KMF_OK) { + if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed (%s)\n"), - subject); + gettext("Subject name cannot be parsed (%s)\n"), subject); return (PK_ERR_USAGE); } /* For a self-signed cert, the issuser and subject are the same */ - if (KMF_DNParser(subject, &certIssuer) != KMF_OK) { + if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed (%s)\n"), - subject); - KMF_FreeDN(&certSubject); + gettext("Subject name cannot be parsed (%s)\n"), subject); + kmf_free_dn(&certSubject); return (PK_ERR_USAGE); } - kp_params.kstype = KMF_KEYSTORE_OPENSSL; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; + keylength = keylen; /* bits */ + keytype = keyAlg; + format = fmt; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYALG_ATTR, &keytype, + sizeof (keytype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLENGTH_ATTR, &keylength, + sizeof (keylength)); + numattr++; + + if (fullkeypath != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_FILENAME_ATTR, fullkeypath, + strlen(fullkeypath)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &format, + sizeof (format)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PRIVKEY_HANDLE_ATTR, &prik, + sizeof 
(KMF_KEY_HANDLE)); + numattr++; - kp_params.sslparms.keyfile = fullkeypath; - kp_params.sslparms.format = fmt; + kmf_set_attr_at_index(attrlist, numattr, + KMF_PUBKEY_HANDLE_ATTR, &pubk, + sizeof (KMF_KEY_HANDLE)); + numattr++; - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { goto cleanup; } - SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert), - "keypair"); - SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number"); + SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), + "keypair"); + + SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); - SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial), - "serial number"); + SET_VALUE(kmf_set_cert_serial(&signedCert, serial), + "serial number"); - SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime), - "validity time"); + SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), + "validity time"); - SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg), - "signature algorithm"); + SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), + "signature algorithm"); - SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject), - "subject name"); + SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), + "subject name"); - SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer), - "issuer name"); + SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), + "issuer name"); if (altname != NULL) - SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit, - alttype, altname), "subjectAltName"); + SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, + alttype, altname), "subjectAltName"); if (kubits != 0) - SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits), - "KeyUsage"); - - if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik, - &signedCert, &x509DER)) != KMF_OK) { + SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), + "KeyUsage"); + /* + * Construct 
attributes for the kmf_sign_cert operation. + */ + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE_ATTR)); + numattr++; + + /* cert data that is to be signed */ + kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, + &signedCert, sizeof (KMF_X509_CERTIFICATE)); + numattr++; + + /* output buffer for the signed cert */ + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + + if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != + KMF_OK) { goto cleanup; } - sc_params.kstype = KMF_KEYSTORE_OPENSSL; - sc_params.sslparms.certfile = fullcertpath; - sc_params.sslparms.keyfile = fullkeypath; - sc_params.sslparms.format = fmt; /* * Store the cert in the DB. */ - kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, + fullcertpath, strlen(fullcertpath)); + numattr++; + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &fmt, sizeof (fmt)); + numattr++; + + kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); cleanup: if (fullkeypath != NULL) @@ -302,9 +436,9 @@ cleanup: if (fullcertpath != NULL) free(fullcertpath); - KMF_FreeData(&x509DER); - KMF_FreeDN(&certSubject); - KMF_FreeDN(&certIssuer); + kmf_free_data(&x509DER); + kmf_free_dn(&certSubject); + kmf_free_dn(&certIssuer); return (kmfrv); } 
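Review bot: gencert_file repeats the length typo from the PKCS#11 variant: `kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE_ATTR));` should use `sizeof (KMF_KEY_HANDLE)`, as the KMF_PRIVKEY_HANDLE_ATTR entry a few lines above does. Separately, the two kmf_dn_parser() failure paths at the top of this hunk return while fullcertpath and fullkeypath are still allocated; those returns are context lines, so the leak predates this commit, but routing them through the existing cleanup label (which already frees both) would close it.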
@@ -320,13 +454,16 @@ gencert_nss(KMF_HANDLE_T kmfhandle, int kucrit, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv; - KMF_CREATEKEYPAIR_PARAMS kp_params; - KMF_STORECERT_PARAMS sc_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_CERTIFICATE signedCert; KMF_X509_NAME certSubject; KMF_X509_NAME certIssuer; KMF_DATA x509DER; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; + KMF_KEY_ALG keytype; + uint32_t keylength; if (token == NULL) token = DEFAULT_NSS_TOKEN; 
@@ -341,81 +478,164 @@ gencert_nss(KMF_HANDLE_T kmfhandle, (void) memset(&x509DER, 0, sizeof (x509DER)); /* If the subject name cannot be parsed, flag it now and exit */ - if (KMF_DNParser(subject, &certSubject) != KMF_OK) { + if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed.\n")); + gettext("Subject name cannot be parsed.\n")); return (PK_ERR_USAGE); } /* For a self-signed cert, the issuser and subject are the same */ - if (KMF_DNParser(subject, &certIssuer) != KMF_OK) { + if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { cryptoerror(LOG_STDERR, - gettext("Subject name cannot be parsed.\n")); + gettext("Subject name cannot be parsed.\n")); return (PK_ERR_USAGE); } - (void) memset(&kp_params, 0, sizeof (kp_params)); + keylength = keylen; /* bits */ + keytype = keyAlg; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYALG_ATTR, &keytype, + sizeof (keytype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLENGTH_ATTR, &keylength, + sizeof (keylength)); + numattr++; + + if (nickname != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, nickname, + strlen(nickname)); + numattr++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (token != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token, + strlen(token)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PRIVKEY_HANDLE_ATTR, &prik, + sizeof (KMF_KEY_HANDLE)); + numattr++; - kp_params.kstype = KMF_KEYSTORE_NSS; - kp_params.keylabel = nickname; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; - kp_params.cred.cred = tokencred->cred; - kp_params.cred.credlen = tokencred->credlen; - 
kp_params.nssparms.slotlabel = token; + kmf_set_attr_at_index(attrlist, numattr, + KMF_PUBKEY_HANDLE_ATTR, &pubk, + sizeof (KMF_KEY_HANDLE)); + numattr++; - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { return (kmfrv); } - SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert), - "keypair"); + SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), + "keypair"); - SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number"); + SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); - SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial), - "serial number"); + SET_VALUE(kmf_set_cert_serial(&signedCert, serial), + "serial number"); - SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime), - "validity time"); + SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), + "validity time"); - SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg), - "signature algorithm"); + SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), + "signature algorithm"); - SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject), - "subject name"); + SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), + "subject name"); - SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer), - "issuer name"); + SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), + "issuer name"); if (altname != NULL) - SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit, - alttype, altname), "subjectAltName"); + SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, + alttype, altname), "subjectAltName"); if (kubits) - SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits), - "subjectAltName"); + SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), + "subjectAltName"); - if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik, - &signedCert, &x509DER)) != KMF_OK) { + /* + * Construct attributes for the kmf_sign_cert operation. 
+ */ + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE_ATTR)); + numattr++; + + /* cert data that is to be signed */ + kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, + &signedCert, sizeof (KMF_X509_CERTIFICATE)); + numattr++; + + /* output buffer for the signed cert */ + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + + if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != + KMF_OK) { goto cleanup; } - sc_params.kstype = KMF_KEYSTORE_NSS; - sc_params.certLabel = nickname; - sc_params.nssparms.trustflag = trust; - sc_params.nssparms.slotlabel = token; - /* * Store the cert in the DB. */ - kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, + &x509DER, sizeof (KMF_DATA)); + numattr++; + + if (nickname != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, + nickname, strlen(nickname)); + numattr++; + } + + if (trust != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TRUSTFLAG_ATTR, + trust, strlen(trust)); + numattr++; + } + + if (token != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } + + kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); cleanup: - KMF_FreeData(&x509DER); - KMF_FreeDN(&certSubject); - KMF_FreeDN(&certIssuer); + kmf_free_data(&x509DER); + kmf_free_dn(&certSubject); + kmf_free_dn(&certIssuer); return (kmfrv); } 
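Review bot: Same length bug in gencert_nss: `KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE_ATTR)` should be `sizeof (KMF_KEY_HANDLE)` to match the handle entries elsewhere in this hunk. While touching this block, the reindented SET_VALUE for kmf_set_cert_ku still reports itself as `"subjectAltName"`; the PKCS#11 and file variants label the same call `"KeyUsage"`, and a failure here would otherwise be attributed to the wrong extension in the error output.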
@@ -456,10 +676,10 @@ pk_gencert(int argc, char *argv[]) int altcrit = 0, kucrit = 0; while ((opt = getopt_av(argc, argv, - "ik:(keystore)s:(subject)n:(nickname)A:(altname)" - "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)" - "r:(trust)L:(lifetime)l:(label)c:(outcert)" - "K:(outkey)S:(serial)F:(format)u:(keyusage)")) != EOF) { + "ik:(keystore)s:(subject)n:(nickname)A:(altname)" + "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)" + "r:(trust)L:(lifetime)l:(label)c:(outcert)" + "K:(outkey)S:(serial)F:(format)u:(keyusage)")) != EOF) { if (opt != 'i' && EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); @@ -514,11 +734,11 @@ pk_gencert(int argc, char *argv[]) break; case 'y': if (sscanf(optarg_av, "%d", - &keylen) != 1) { + &keylen) != 1) { cryptoerror(LOG_STDERR, - gettext("key length must be" - "a numeric value (%s)\n"), - optarg_av); + gettext("key length must be" + "a numeric value (%s)\n"), + optarg_av); return (PK_ERR_USAGE); } break; @@ -562,7 +782,7 @@ pk_gencert(int argc, char *argv[]) return (PK_ERR_USAGE); } - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n")); return (PK_ERR_USAGE); } @@ -591,13 +811,13 @@ pk_gencert(int argc, char *argv[]) if (Str2Lifetime(lifetime, <ime) != 0) { cryptoerror(LOG_STDERR, - gettext("Error parsing lifetime string\n")); + gettext("Error parsing lifetime string\n")); return (PK_ERR_USAGE); } if (Str2KeyType(keytype, &keyAlg, &sigAlg) != 0) { cryptoerror(LOG_STDERR, gettext("Unrecognized keytype (%s).\n"), - keytype); + keytype); return (PK_ERR_USAGE); } 
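Review bot: In the `case 'y'` hunk the rewrapped diagnostic concatenates `"key length must be"` and `"a numeric value (%s)\n"` with no separating space, producing "must bea numeric value"; the first fragment should end in a space, `"key length must be "`. The `sscanf(optarg_av, "%d", &keylen)` above it also accepts zero and negative values, which the gencert_* helpers then copy into an unsigned `keylength`; a `keylen <= 0` rejection here would give a clearer error than whatever the keystore produces for a wrapped length. pk_gencert continues outside this hunk.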
@@ -630,20 +850,20 @@ pk_gencert(int argc, char *argv[]) if (serstr == NULL) { (void) fprintf(stderr, gettext("A serial number " - "must be specified as a hex number when creating" - " a self-signed certificate " - "(ex: serial=0x0102030405feedface)\n")); + "must be specified as a hex number when creating" + " a self-signed certificate " + "(ex: serial=0x0102030405feedface)\n")); rv = PK_ERR_USAGE; goto end; } else { uchar_t *bytes = NULL; size_t bytelen; - rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen); + rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); if (rv != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " - "must be specified as a hex number " - "(ex: 0x0102030405ffeeddee)\n")); + "must be specified as a hex number " + "(ex: 0x0102030405ffeeddee)\n")); rv = PK_ERR_USAGE; goto end; } @@ -655,8 +875,8 @@ pk_gencert(int argc, char *argv[]) rv = verify_altname(altname, &alttype, &altcrit); if (rv != KMF_OK) { (void) fprintf(stderr, gettext("Subject AltName " - "must be specified as a name=value pair. " - "See the man page for details.\n")); + "must be specified as a name=value pair. " + "See the man page for details.\n")); rv = PK_ERR_USAGE; goto end; } else { @@ -671,8 +891,8 @@ pk_gencert(int argc, char *argv[]) rv = verify_keyusage(keyusagestr, &kubits, &kucrit); if (rv != KMF_OK) { (void) fprintf(stderr, gettext("KeyUsage " - "must be specified as a comma-separated list. " - "See the man page for details.\n")); + "must be specified as a comma-separated list. " + "See the man page for details.\n")); rv = PK_ERR_USAGE; goto end; } 
@@ -695,26 +915,26 @@ pk_gencert(int argc, char *argv[]) dir = PK_DEFAULT_DIRECTORY; rv = gencert_nss(kmfhandle, - tokenname, subname, altname, alttype, altcrit, - certlabel, dir, prefix, keyAlg, sigAlg, keylen, - trust, ltime, &serial, kubits, kucrit, &tokencred); + tokenname, subname, altname, alttype, altcrit, + certlabel, dir, prefix, keyAlg, sigAlg, keylen, + trust, ltime, &serial, kubits, kucrit, &tokencred); } else if (kstype == KMF_KEYSTORE_PK11TOKEN) { rv = gencert_pkcs11(kmfhandle, - tokenname, subname, altname, alttype, altcrit, - certlabel, keyAlg, sigAlg, keylen, ltime, - &serial, kubits, kucrit, &tokencred); + tokenname, subname, altname, alttype, altcrit, + certlabel, keyAlg, sigAlg, keylen, ltime, + &serial, kubits, kucrit, &tokencred); } else if (kstype == KMF_KEYSTORE_OPENSSL) { rv = gencert_file(kmfhandle, - keyAlg, sigAlg, keylen, fmt, - ltime, subname, altname, alttype, altcrit, - &serial, kubits, kucrit, dir, outcert, outkey); + keyAlg, sigAlg, keylen, fmt, + ltime, subname, altname, alttype, altcrit, + &serial, kubits, kucrit, dir, outcert, outkey); } if (rv != KMF_OK) display_error(kmfhandle, rv, - gettext("Error creating certificate and keypair")); + gettext("Error creating certificate and keypair")); end: if (subname) free(subname); @@ -724,6 +944,6 @@ end: if (serial.val != NULL) free(serial.val); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/pktool/gencsr.c b/usr/src/cmd/cmd-crypto/pktool/gencsr.c index fcc00d01c8..e8bf92de03 100644 --- a/usr/src/cmd/cmd-crypto/pktool/gencsr.c +++ b/usr/src/cmd/cmd-crypto/pktool/gencsr.c @@ -19,7 +19,7 @@ * CDDL HEADER END * * - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
@@ -57,17 +57,19 @@ gencsr_pkcs11(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv = KMF_OK; - KMF_CREATEKEYPAIR_PARAMS kp_params; - KMF_DELETEKEY_PARAMS dk_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_NAME csrSubject; KMF_CSR_DATA csr; KMF_ALGORITHM_INDEX sigAlg; KMF_DATA signedCsr = {NULL, 0}; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + boolean_t storekey = TRUE; + (void) memset(&csr, 0, sizeof (csr)); (void) memset(&csrSubject, 0, sizeof (csrSubject)); - (void) memset(&kp_params, 0, sizeof (kp_params)); if (keyAlg == KMF_DSA) sigAlg = KMF_ALGID_SHA1WithDSA; 
@@ -76,61 +78,99 @@ gencsr_pkcs11(KMF_HANDLE_T kmfhandle, /* If the subject name cannot be parsed, flag it now and exit */ - if ((kmfrv = KMF_DNParser(subject, &csrSubject)) != KMF_OK) { + if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) { return (kmfrv); } - kp_params.kstype = KMF_KEYSTORE_PK11TOKEN; - kp_params.keylabel = certlabel; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; - kp_params.cred.cred = tokencred->cred; - kp_params.cred.credlen = tokencred->credlen; - /* Select a PKCS11 token */ kmfrv = select_token(kmfhandle, token, FALSE); if (kmfrv != KMF_OK) { return (kmfrv); } - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (certlabel != NULL && strlen(certlabel)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + certlabel, strlen(certlabel)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLENGTH_ATTR, + &keylen, sizeof (keylen)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYALG_ATTR, + &keyAlg, sizeof (keyAlg)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + + if (token && strlen(token)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR, + &pubk, sizeof (KMF_KEY_HANDLE)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVKEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_STOREKEY_BOOL_ATTR, + &storekey, sizeof (storekey)); + numattr++; + + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { return (kmfrv); } - SET_VALUE(KMF_SetCSRPubKey(kmfhandle, &pubk, &csr), "keypair"); + SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, 
&csr), "keypair"); - SET_VALUE(KMF_SetCSRVersion(&csr, 2), "version number"); + SET_VALUE(kmf_set_csr_version(&csr, 2), "version number"); - SET_VALUE(KMF_SetCSRSubjectName(&csr, &csrSubject), - "subject name"); + SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name"); - SET_VALUE(KMF_SetCSRSignatureAlgorithm(&csr, sigAlg), - "SignatureAlgorithm"); + SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), + "SignatureAlgorithm"); if (altname != NULL) { - SET_VALUE(KMF_SetCSRSubjectAltName(&csr, altname, altcrit, - alttype), "SetCSRSubjectAltName"); + SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit, + alttype), "SetCSRSubjectAltName"); } if (kubits != 0) { - SET_VALUE(KMF_SetCSRKeyUsage(&csr, kucrit, kubits), - "SetCSRKeyUsage"); + SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits), + "SetCSRKeyUsage"); } - if ((kmfrv = KMF_SignCSR(kmfhandle, &csr, &prik, &signedCsr)) == - KMF_OK) { - kmfrv = KMF_CreateCSRFile(&signedCsr, fmt, csrfile); + if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) == + KMF_OK) { + kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile); } cleanup: - (void) KMF_FreeData(&signedCsr); - (void) KMF_FreeKMFKey(kmfhandle, &prik); + (void) kmf_free_data(&signedCsr); + (void) kmf_free_kmf_key(kmfhandle, &prik); /* delete the key */ - (void) memset(&dk_params, 0, sizeof (dk_params)); - dk_params.kstype = KMF_KEYSTORE_PK11TOKEN; - (void) KMF_DeleteKeyFromKeystore(kmfhandle, &dk_params, &pubk); - (void) KMF_FreeSignedCSR(&csr); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR, + &pubk, sizeof (KMF_KEY_HANDLE)); + numattr++; + + (void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist); + + (void) kmf_free_signed_csr(&csr); return (kmfrv); } 
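Review bot: gencsr_pkcs11 adds `KMF_CREDENTIAL_ATTR, tokencred, sizeof (KMF_CREDENTIAL)` to the keypair attributes unconditionally, whereas the gencert_pkcs11 hunk in this same patch guards the identical entry with `if (tokencred != NULL && tokencred->credlen > 0)`; the two helpers take the same parameter and should treat an absent or empty credential the same way. Note also that the cleanup path only deletes pubk from the token and frees the prik handle, so if kmf_sign_csr or kmf_create_csr_file fails after a successful kmf_create_keypair, the new private key object appears to remain on the token under certlabel with no CSR to match it; whether that orphaned key should be removed on the error path is worth a deliberate decision and a comment.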
@@ -144,7 +184,6 @@ gencsr_file(KMF_HANDLE_T kmfhandle, char *dir, char *outcsr, char *outkey) { KMF_RETURN kmfrv; - KMF_CREATEKEYPAIR_PARAMS kp_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_NAME csrSubject; KMF_CSR_DATA csr; @@ -153,22 +192,26 @@ gencsr_file(KMF_HANDLE_T kmfhandle, char *fullcsrpath = NULL; char *fullkeypath = NULL; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + boolean_t storekey = TRUE; + (void) memset(&csr, 0, sizeof (csr)); (void) memset(&csrSubject, 0, sizeof (csrSubject)); - (void) memset(&kp_params, 0, sizeof (kp_params)); if (EMPTYSTRING(outcsr) || EMPTYSTRING(outkey)) { cryptoerror(LOG_STDERR, - gettext("No output file was specified for " - "the csr or key\n")); + gettext("No output file was specified for " + "the csr or key\n")); return (KMF_ERR_BAD_PARAMETER); } if (dir != NULL) { fullcsrpath = get_fullpath(dir, outcsr); if (fullcsrpath == NULL) { cryptoerror(LOG_STDERR, - gettext("Cannot create file %s in " - "directory %s\n"), dir, outcsr); + gettext("Cannot create file %s in " + "directory %s\n"), dir, outcsr); return (PK_ERR_USAGE); } } else { @@ -176,8 +219,8 @@ gencsr_file(KMF_HANDLE_T kmfhandle, } if (verify_file(fullcsrpath)) { cryptoerror(LOG_STDERR, - gettext("Cannot write the indicated output " - "certificate file (%s).\n"), fullcsrpath); + gettext("Cannot write the indicated output " + "certificate file (%s).\n"), fullcsrpath); free(fullcsrpath); return (PK_ERR_USAGE); } @@ -185,8 +228,8 @@ gencsr_file(KMF_HANDLE_T kmfhandle, fullkeypath = get_fullpath(dir, outkey); if (fullkeypath == NULL) { cryptoerror(LOG_STDERR, - gettext("Cannot create file %s in " - "directory %s\n"), dir, outkey); + gettext("Cannot create file %s in " + "directory %s\n"), dir, outkey); free(fullcsrpath); return (PK_ERR_USAGE); } 
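Review bot: In the gencsr_file hunk starting at the EMPTYSTRING check, the rewrapped `"Cannot create file %s in directory %s\n"` messages pass `dir, outcsr` (and `dir, outkey` in the later hunk), so the directory and file names are printed in each other's slots; the argument order should follow the format, `outcsr, dir`. The same function also mixes return conventions on adjacent error paths: the empty-argument case returns `KMF_ERR_BAD_PARAMETER` while every other usage error in this file, including the gencert_file counterpart, returns `PK_ERR_USAGE`. gencsr_file continues beyond these hunks.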
@@ -195,8 +238,8 @@ gencsr_file(KMF_HANDLE_T kmfhandle, } if (verify_file(fullcsrpath)) { cryptoerror(LOG_STDERR, - gettext("Cannot write the indicated output " - "key file (%s).\n"), fullkeypath); + gettext("Cannot write the indicated output " + "key file (%s).\n"), fullkeypath); free(fullcsrpath); return (PK_ERR_USAGE); } 
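Review bot: The check guarding the key-file message tests the wrong path: `if (verify_file(fullcsrpath))` is evaluated a second time while the message reports fullkeypath, so an unwritable key file is never detected here, and on failure the block frees only fullcsrpath and leaks fullkeypath. It should read `if (verify_file(fullkeypath)) {`, and the error branch should `free(fullkeypath);` in addition to `free(fullcsrpath);`, mirroring the gencert_file version of this check. Only the string reindentation is new in this hunk, but the surrounding condition is on the new side and is the line a reviewer would want corrected.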
@@ -207,43 +250,69 @@ gencsr_file(KMF_HANDLE_T kmfhandle, sigAlg = KMF_ALGID_MD5WithRSA; /* If the subject name cannot be parsed, flag it now and exit */ - if ((kmfrv = KMF_DNParser(subject, &csrSubject)) != KMF_OK) { + if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) { return (kmfrv); } - kp_params.kstype = KMF_KEYSTORE_OPENSSL; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, + fullkeypath, strlen(fullkeypath)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLENGTH_ATTR, + &keylen, sizeof (keylen)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYALG_ATTR, + &keyAlg, sizeof (keyAlg)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &fmt, sizeof (fmt)); + numattr++; - kp_params.sslparms.keyfile = fullkeypath; - kp_params.sslparms.format = fmt; + (void) memset(&prik, 0, sizeof (prik)); + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVKEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE)); + numattr++; - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + (void) memset(&pubk, 0, sizeof (pubk)); + kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR, + &pubk, sizeof (KMF_KEY_HANDLE)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_STOREKEY_BOOL_ATTR, + &storekey, sizeof (storekey)); + numattr++; + + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { goto cleanup; } - SET_VALUE(KMF_SetCSRPubKey(kmfhandle, &pubk, &csr), - "SetCSRPubKey"); + SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), + "SetCSRPubKey"); - SET_VALUE(KMF_SetCSRVersion(&csr, 2), "SetCSRVersion"); + SET_VALUE(kmf_set_csr_version(&csr, 2), "SetCSRVersion"); - SET_VALUE(KMF_SetCSRSubjectName(&csr, &csrSubject), - "SetCSRSubjectName"); + 
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), + "kmf_set_csr_subject"); - SET_VALUE(KMF_SetCSRSignatureAlgorithm(&csr, sigAlg), - "SetCSRSignatureAlgorithm"); + SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "kmf_set_csr_sig_alg"); if (altname != NULL) { - SET_VALUE(KMF_SetCSRSubjectAltName(&csr, altname, altcrit, - alttype), "SetCSRSubjectAltName"); + SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit, + alttype), "kmf_set_csr_subject_altname"); } if (kubits != NULL) { - SET_VALUE(KMF_SetCSRKeyUsage(&csr, kucrit, kubits), - "SetCSRKeyUsage"); + SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits), + "kmf_set_csr_ku"); } - if ((kmfrv = KMF_SignCSR(kmfhandle, &csr, &prik, &signedCsr)) == - KMF_OK) { - kmfrv = KMF_CreateCSRFile(&signedCsr, fmt, fullcsrpath); + if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) == + KMF_OK) { + kmfrv = kmf_create_csr_file(&signedCsr, fmt, fullcsrpath); } cleanup: @@ -252,9 +321,9 @@ cleanup: if (fullcsrpath) free(fullcsrpath); - KMF_FreeData(&signedCsr); - KMF_FreeKMFKey(kmfhandle, &prik); - KMF_FreeSignedCSR(&csr); + kmf_free_data(&signedCsr); + kmf_free_kmf_key(kmfhandle, &prik); + kmf_free_signed_csr(&csr); return (kmfrv); } @@ -270,13 +339,16 @@ gencsr_nss(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv; - KMF_CREATEKEYPAIR_PARAMS kp_params; KMF_KEY_HANDLE pubk, prik; KMF_X509_NAME csrSubject; KMF_CSR_DATA csr; KMF_ALGORITHM_INDEX sigAlg; KMF_DATA signedCsr = {NULL, 0}; - KMF_DELETEKEY_PARAMS dk_params; + + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + boolean_t storekey = TRUE; if (token == NULL) token = DEFAULT_NSS_TOKEN; 
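Review bot: The request assembled here is signed with `KMF_ALGID_MD5WithRSA` (the context line at the top of the hunk; the branch that selects it is outside the hunk), and MD5 is not collision resistant, so the CSR signature does not give the CA a sound binding of name and public key; if the KMF enum provides it, `sigAlg = KMF_ALGID_SHA1WithRSA;` (or stronger) should be the default for RSA keys. The private key is written to fullkeypath by kmf_create_keypair because KMF_STOREKEY_BOOL_ATTR is set, but the file mode is chosen by the OpenSSL plugin and is not visible here — worth confirming it is created 0600. The cleanup label frees prik via kmf_free_kmf_key but never pubk; whether the public handle owns resources is not visible, so presumably a matching `kmf_free_kmf_key(kmfhandle, &pubk);` is needed — confirm against the library.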
@@ -294,56 +366,104 @@ gencsr_nss(KMF_HANDLE_T kmfhandle, (void) memset(&csrSubject, 0, sizeof (csrSubject)); /* If the subject name cannot be parsed, flag it now and exit */ - if ((kmfrv = KMF_DNParser(subject, &csrSubject)) != KMF_OK) { + if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) { return (kmfrv); } - (void) memset(&kp_params, 0, sizeof (kp_params)); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (nickname != NULL && strlen(nickname)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + nickname, strlen(nickname)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLENGTH_ATTR, + &keylen, sizeof (keylen)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYALG_ATTR, + &keyAlg, sizeof (keyAlg)); + numattr++; + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (token && strlen(token)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR, + &pubk, sizeof (KMF_KEY_HANDLE)); + numattr++; - kp_params.kstype = KMF_KEYSTORE_NSS; - kp_params.keylabel = nickname; - kp_params.keylength = keylen; /* bits */ - kp_params.keytype = keyAlg; - kp_params.cred.cred = tokencred->cred; - kp_params.cred.credlen = tokencred->credlen; - kp_params.nssparms.slotlabel = token; + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVKEY_HANDLE_ATTR, + &prik, sizeof (KMF_KEY_HANDLE)); + numattr++; - kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk); + kmf_set_attr_at_index(attrlist, numattr, KMF_STOREKEY_BOOL_ATTR, + &storekey, sizeof (storekey)); + numattr++; + + kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); if (kmfrv != KMF_OK) { goto cleanup; } - SET_VALUE(KMF_SetCSRPubKey(kmfhandle, &pubk, 
&csr), "SetCSRPubKey"); - SET_VALUE(KMF_SetCSRVersion(&csr, 2), "SetCSRVersion"); - SET_VALUE(KMF_SetCSRSubjectName(&csr, &csrSubject), - "SetCSRSubjectName"); - SET_VALUE(KMF_SetCSRSignatureAlgorithm(&csr, sigAlg), - "SetCSRSignatureAlgorithm"); + SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), + "kmf_set_csr_pubkey"); + SET_VALUE(kmf_set_csr_version(&csr, 2), "kmf_set_csr_version"); + SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), + "kmf_set_csr_subject"); + SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "kmf_set_csr_sig_alg"); if (altname != NULL) { - SET_VALUE(KMF_SetCSRSubjectAltName(&csr, altname, altcrit, - alttype), "SetCSRSubjectAltName"); + SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit, + alttype), "kmf_set_csr_subject_altname"); } if (kubits != NULL) { - SET_VALUE(KMF_SetCSRKeyUsage(&csr, kucrit, kubits), - "SetCSRKeyUsage"); + SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits), + "kmf_set_csr_ku"); } - if ((kmfrv = KMF_SignCSR(kmfhandle, &csr, &prik, &signedCsr)) == - KMF_OK) { - kmfrv = KMF_CreateCSRFile(&signedCsr, fmt, csrfile); + if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) == + KMF_OK) { + kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile); } cleanup: - (void) KMF_FreeData(&signedCsr); - (void) KMF_FreeKMFKey(kmfhandle, &prik); + (void) kmf_free_data(&signedCsr); + (void) kmf_free_kmf_key(kmfhandle, &prik); + /* delete the key */ - (void) memset(&dk_params, 0, sizeof (dk_params)); - dk_params.kstype = KMF_KEYSTORE_NSS; - dk_params.cred.cred = tokencred->cred; - dk_params.cred.credlen = tokencred->credlen; - dk_params.nssparms.slotlabel = token; - (void) KMF_DeleteKeyFromKeystore(kmfhandle, &dk_params, &pubk); - (void) KMF_FreeSignedCSR(&csr); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR, + &pubk, sizeof (KMF_KEY_HANDLE)); + numattr++; + + if (tokencred != NULL && 
tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + tokencred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (token && strlen(token)) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token, strlen(token)); + numattr++; + } + + (void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist); + + (void) kmf_free_signed_csr(&csr); return (kmfrv); } @@ -380,10 +500,10 @@ pk_gencsr(int argc, char *argv[]) int altcrit = 0, kucrit = 0; while ((opt = getopt_av(argc, argv, - "ik:(keystore)s:(subject)n:(nickname)A:(altname)" - "u:(keyusage)T:(token)d:(dir)p:(prefix)t:(keytype)" - "y:(keylen)l:(label)c:(outcsr)" - "K:(outkey)F:(format)")) != EOF) { + "ik:(keystore)s:(subject)n:(nickname)A:(altname)" + "u:(keyusage)T:(token)d:(dir)p:(prefix)t:(keytype)" + "y:(keylen)l:(label)c:(outcsr)" + "K:(outkey)F:(format)")) != EOF) { if (opt != 'i' && EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); @@ -436,11 +556,10 @@ pk_gencsr(int argc, char *argv[]) break; case 'y': if (sscanf(optarg_av, "%d", - &keylen) != 1) { + &keylen) != 1) { cryptoerror(LOG_STDERR, - gettext("Unrecognized " - "key length (%s)\n"), - optarg_av); + gettext("Unrecognized " + "key length (%s)\n"), optarg_av); return (PK_ERR_USAGE); } break; @@ -461,8 +580,8 @@ pk_gencsr(int argc, char *argv[]) break; default: cryptoerror(LOG_STDERR, gettext( - "unrecognized gencsr option '%s'\n"), - argv[optind_av]); + "unrecognized gencsr option '%s'\n"), + argv[optind_av]); return (PK_ERR_USAGE); } } @@ -473,7 +592,7 @@ pk_gencsr(int argc, char *argv[]) return (PK_ERR_USAGE); } - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n")); return (PK_ERR_USAGE); } 
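Review bot: `prik` and `pubk` are registered as KMF_PRIVKEY_HANDLE_ATTR and KMF_PUBKEY_HANDLE_ATTR without being zeroed, yet when kmf_create_keypair fails the code jumps to cleanup and hands both handles to kmf_free_kmf_key and kmf_delete_key_from_keystore. gencsr_file in this same change memsets both handles before registering them; gencsr_nss should do the same, adding `(void) memset(&prik, 0, sizeof (prik));` and `(void) memset(&pubk, 0, sizeof (pubk));` before the handle attributes are added. Whether the library tolerates an uninitialised handle is not visible here, so treat this as a hardening fix that also makes the two functions consistent. gencsr_nss's declarations are in the previous hunk.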
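Review bot: The `-y` handler accepts any value `sscanf(optarg_av, "%d", &keylen)` can parse, including zero and negatives, and keylen is later passed straight to kmf_create_keypair as KMF_KEYLENGTH_ATTR by gencsr_file and gencsr_nss; no range check is visible in the option-handling hunks. Reject non-positive lengths at the parse site: `if (sscanf(optarg_av, "%d", &keylen) != 1 || keylen <= 0) {`. Whether the library enforces a minimum key size is not visible here, so this is a defence-in-depth check at the command boundary.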
@@ -484,7 +603,7 @@ pk_gencsr(int argc, char *argv[]) if (EMPTYSTRING(outcsr)) { (void) printf(gettext("A filename must be specified to hold" - "the final certificate request data.\n")); + "the final certificate request data.\n")); return (PK_ERR_USAGE); } else { /* @@ -494,7 +613,7 @@ pk_gencsr(int argc, char *argv[]) rv = verify_file(outcsr); if (rv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("output file (%s) " - "cannot be created.\n"), outcsr); + "cannot be created.\n"), outcsr); return (PK_ERR_USAGE); } } @@ -512,13 +631,12 @@ pk_gencsr(int argc, char *argv[]) if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) { cryptoerror(LOG_STDERR, - gettext("Error parsing format string (%s).\n"), - format); + gettext("Error parsing format string (%s).\n"), format); return (PK_ERR_USAGE); } if (format && fmt != KMF_FORMAT_ASN1 && fmt != KMF_FORMAT_PEM) { cryptoerror(LOG_STDERR, - gettext("CSR must be DER or PEM format.\n")); + gettext("CSR must be DER or PEM format.\n")); return (PK_ERR_USAGE); } @@ -551,8 +669,8 @@ pk_gencsr(int argc, char *argv[]) rv = verify_altname(altname, &alttype, &altcrit); if (rv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Subject AltName " - "must be specified as a name=value pair. " - "See the man page for details.")); + "must be specified as a name=value pair. " + "See the man page for details.")); goto end; } else { /* advance the altname past the '=' sign */ @@ -566,14 +684,14 @@ pk_gencsr(int argc, char *argv[]) rv = verify_keyusage(kustr, &kubits, &kucrit); if (rv != KMF_OK) { cryptoerror(LOG_STDERR, gettext("KeyUsage " - "must be specified as a comma-separated list. " - "See the man page for details.")); + "must be specified as a comma-separated list. " + "See the man page for details.")); goto end; } } if ((rv = Str2KeyType(keytype, &keyAlg, &sigAlg)) != 0) { cryptoerror(LOG_STDERR, gettext("Unrecognized keytype (%s).\n"), - keytype); + keytype); goto end; } 
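Review bot: The two adjacent string literals `"A filename must be specified to hold"` and `"the final certificate request data.\n"` concatenate to "holdthe"; add the trailing space, `"A filename must be specified to hold "`. The message is also emitted with plain `printf` to stdout while every other usage error in pk_gencsr goes through `cryptoerror(LOG_STDERR, ...)`, so it should use the same call for consistency and so scripts that parse stdout do not see it.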
@@ -594,28 +712,28 @@ pk_gencsr(int argc, char *argv[]) dir = PK_DEFAULT_DIRECTORY; rv = gencsr_nss(kmfhandle, - tokenname, subname, altname, alttype, altcrit, - certlabel, dir, prefix, - keyAlg, keylen, kubits, kucrit, - fmt, outcsr, &tokencred); + tokenname, subname, altname, alttype, altcrit, + certlabel, dir, prefix, + keyAlg, keylen, kubits, kucrit, + fmt, outcsr, &tokencred); } else if (kstype == KMF_KEYSTORE_PK11TOKEN) { rv = gencsr_pkcs11(kmfhandle, - tokenname, subname, altname, alttype, altcrit, - certlabel, keyAlg, keylen, - kubits, kucrit, fmt, outcsr, &tokencred); + tokenname, subname, altname, alttype, altcrit, + certlabel, keyAlg, keylen, + kubits, kucrit, fmt, outcsr, &tokencred); } else if (kstype == KMF_KEYSTORE_OPENSSL) { rv = gencsr_file(kmfhandle, - keyAlg, keylen, fmt, subname, altname, - alttype, altcrit, kubits, kucrit, - dir, outcsr, outkey); + keyAlg, keylen, fmt, subname, altname, + alttype, altcrit, kubits, kucrit, + dir, outcsr, outkey); } end: if (rv != KMF_OK) display_error(kmfhandle, rv, - gettext("Error creating CSR or keypair")); + gettext("Error creating CSR or keypair")); if (subname) free(subname); @@ -623,7 +741,7 @@ end: if (tokencred.cred != NULL) free(tokencred.cred); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); if (rv != KMF_OK) return (PK_ERR_USAGE); diff --git a/usr/src/cmd/cmd-crypto/pktool/genkey.c b/usr/src/cmd/cmd-crypto/pktool/genkey.c index 55890649bb..e9a121ded7 100644 --- a/usr/src/cmd/cmd-crypto/pktool/genkey.c +++ b/usr/src/cmd/cmd-crypto/pktool/genkey.c @@ -42,8 +42,12 @@ genkey_nss(KMF_HANDLE_T kmfhandle, char *token, char *dir, char *prefix, char *keylabel, KMF_KEY_ALG keyAlg, int keylen, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv = KMF_OK; - KMF_CREATESYMKEY_PARAMS csk_params; KMF_KEY_HANDLE key; + KMF_ATTRIBUTE attlist[20]; + int i = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + KMF_KEY_ALG keytype; + uint32_t keylength; if (keylabel == NULL) { cryptoerror(LOG_STDERR, 
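Review bot: `free(tokencred.cred)` releases the token credential (presumably the PIN collected earlier in pk_gencsr, outside this hunk) without clearing it, so the secret stays in freed heap memory for the rest of the process. Add `(void) memset(tokencred.cred, 0, tokencred.credlen);` before the free, and note that a plain memset ahead of free can be optimised away — if the platform provides an explicit-clear primitive, use that instead. This is the hunk that ends the function, so it is the right place for the scrub.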
@@ -56,14 +60,48 @@ genkey_nss(KMF_HANDLE_T kmfhandle, char *token, char *dir, char *prefix, return (kmfrv); (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE)); - csk_params.kstype = KMF_KEYSTORE_NSS; - csk_params.nssparms.slotlabel = token; - csk_params.keytype = keyAlg; - csk_params.keylength = keylen; - csk_params.keylabel = keylabel; - csk_params.cred.cred = tokencred->cred; - csk_params.cred.credlen = tokencred->credlen; - kmfrv = KMF_CreateSymKey(kmfhandle, &csk_params, &key); + + keytype = keyAlg; + keylength = keylen; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEY_HANDLE_ATTR, &key, sizeof (KMF_KEY_HANDLE)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYALG_ATTR, &keytype, sizeof (keytype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength)); + i++; + + if (keylabel != NULL) { + kmf_set_attr_at_index(attlist, i, + KMF_KEYLABEL_ATTR, keylabel, + strlen(keylabel)); + i++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attlist, i, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + i++; + } + + if (token != NULL) { + kmf_set_attr_at_index(attlist, i, + KMF_TOKEN_LABEL_ATTR, token, + strlen(token)); + i++; + } + + kmfrv = kmf_create_sym_key(kmfhandle, i, attlist); return (kmfrv); } @@ -75,13 +113,17 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token, KMF_CREDENTIAL *tokencred) { KMF_RETURN kmfrv = KMF_OK; - KMF_CREATESYMKEY_PARAMS params; KMF_KEY_HANDLE key; KMF_RAW_SYM_KEY *rkey = NULL; boolean_t sensitive = B_FALSE; boolean_t not_extractable = B_FALSE; char *hexstr = NULL; int hexstrlen; + KMF_ATTRIBUTE attlist[20]; + int i = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + KMF_KEY_ALG keytype; + uint32_t keylength; if (keylabel == NULL) { cryptoerror(LOG_STDERR, 
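Review bot: `if (keylabel != NULL)` around the KMF_KEYLABEL_ATTR entry is dead, because keylabel was rejected as NULL at the top of genkey_nss (before this hunk), and `if (token != NULL)` admits an empty token label whereas gencsr_nss in this same change tests `token && strlen(token)`. Drop the dead check and mirror the other test: `if (token != NULL && strlen(token) > 0) {`. `keylength = keylen` widens a signed int into a uint32_t with no sign check, so this helper relies on its caller having rejected negative lengths.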
@@ -122,15 +164,51 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token, } (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE)); - params.kstype = KMF_KEYSTORE_PK11TOKEN; - params.keytype = keyAlg; - params.keylength = keylen; /* bits */ - params.keylabel = keylabel; - params.pkcs11parms.sensitive = sensitive; - params.pkcs11parms.not_extractable = not_extractable; - params.cred.cred = tokencred->cred; - params.cred.credlen = tokencred->credlen; - kmfrv = KMF_CreateSymKey(kmfhandle, ¶ms, &key); + + keytype = keyAlg; + keylength = keylen; /* bits */ + + kmf_set_attr_at_index(attlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEY_HANDLE_ATTR, &key, sizeof (KMF_KEY_HANDLE)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYALG_ATTR, &keytype, sizeof (keytype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength)); + i++; + + if (keylabel != NULL) { + kmf_set_attr_at_index(attlist, i, + KMF_KEYLABEL_ATTR, keylabel, + strlen(keylabel)); + i++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attlist, i, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + i++; + } + + kmf_set_attr_at_index(attlist, i, + KMF_SENSITIVE_BOOL_ATTR, &sensitive, + sizeof (sensitive)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_NON_EXTRACTABLE_BOOL_ATTR, ¬_extractable, + sizeof (not_extractable)); + i++; + + kmfrv = kmf_create_sym_key(kmfhandle, i, attlist); if (kmfrv != KMF_OK) { goto out; } @@ -148,7 +226,7 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token, goto out; } (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY)); - kmfrv = KMF_GetSymKeyValue(kmfhandle, &key, rkey); + kmfrv = kmf_get_sym_key_value(kmfhandle, &key, rkey); if (kmfrv != KMF_OK) { goto out; } @@ -166,7 +244,7 @@ genkey_pkcs11(KMF_HANDLE_T kmfhandle, char *token, } out: - KMF_FreeRawSymKey(rkey); + kmf_free_raw_sym_key(rkey); if (hexstr != NULL) free(hexstr); 
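Review bot: `sensitive` and `not_extractable` are both initialised to B_FALSE (declared just above this hunk) and are now handed to the token unconditionally as KMF_SENSITIVE_BOOL_ATTR and KMF_NON_EXTRACTABLE_BOOL_ATTR, so unless the -s/-e options flip them the generated symmetric key is created as a non-sensitive, extractable object whose value can be read back out of the token (the hex printing after this hunk relies on exactly that). That is the pre-existing default rather than something this change introduces, but now that the attributes are explicit it is the moment to decide whether the secure default should be the other way round, e.g. `boolean_t sensitive = B_TRUE;` and `boolean_t not_extractable = B_TRUE;` with the options used to relax them, or at least to say in a comment that the default deliberately keeps the key exportable. How the options map onto these flags is outside the hunk.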
@@ -180,11 +258,16 @@ genkey_file(KMF_HANDLE_T kmfhandle, KMF_KEY_ALG keyAlg, int keylen, char *dir, char *outkey, boolean_t print_hex) { KMF_RETURN kmfrv = KMF_OK; - KMF_CREATESYMKEY_PARAMS csk_params; KMF_KEY_HANDLE key; KMF_RAW_SYM_KEY *rkey = NULL; char *hexstr = NULL; int hexstrlen; + KMF_ATTRIBUTE attlist[20]; + int i = 0; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + KMF_KEY_ALG keytype; + uint32_t keylength; + char *dirpath; if (EMPTYSTRING(outkey)) { cryptoerror(LOG_STDERR, 
@@ -194,21 +277,50 @@ genkey_file(KMF_HANDLE_T kmfhandle, KMF_KEY_ALG keyAlg, int keylen, char *dir, if (verify_file(outkey)) { cryptoerror(LOG_STDERR, - gettext("Cannot write the indicated output " - "key file (%s).\n"), outkey); + gettext("Cannot write the indicated output " + "key file (%s).\n"), outkey); return (KMF_ERR_BAD_PARAMETER); } (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE)); - csk_params.kstype = KMF_KEYSTORE_OPENSSL; - csk_params.keytype = keyAlg; - csk_params.keylength = keylen; - csk_params.cred.cred = NULL; - csk_params.cred.credlen = 0; - csk_params.sslparms.dirpath = (dir == NULL) ? "." : dir; - csk_params.sslparms.keyfile = outkey; - - kmfrv = KMF_CreateSymKey(kmfhandle, &csk_params, &key); + + keytype = keyAlg; + keylength = keylen; + + dirpath = (dir == NULL) ? "." : dir; + + + kmf_set_attr_at_index(attlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEY_HANDLE_ATTR, &key, sizeof (KMF_KEY_HANDLE)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYALG_ATTR, &keytype, sizeof (keytype)); + i++; + + kmf_set_attr_at_index(attlist, i, + KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength)); + i++; + + if (dirpath != NULL) { + kmf_set_attr_at_index(attlist, i, + KMF_DIRPATH_ATTR, dirpath, + strlen(dirpath)); + i++; + } + + if (outkey != NULL) { + kmf_set_attr_at_index(attlist, i, + KMF_KEY_FILENAME_ATTR, outkey, + strlen(outkey)); + i++; + } + + kmfrv = kmf_create_sym_key(kmfhandle, i, attlist); if (kmfrv != KMF_OK) { goto out; } @@ -220,7 +332,7 @@ genkey_file(KMF_HANDLE_T kmfhandle, KMF_KEY_ALG keyAlg, int keylen, char *dir, goto out; } (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY)); - kmfrv = KMF_GetSymKeyValue(kmfhandle, &key, rkey); + kmfrv = kmf_get_sym_key_value(kmfhandle, &key, rkey); if (kmfrv != KMF_OK) { goto out; } 
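Review bot: `verify_file(outkey)` (the context line at the top of the hunk) checks the bare file name, while the key is now stored with both KMF_DIRPATH_ATTR (`dirpath`, "." when dir is NULL) and KMF_KEY_FILENAME_ATTR, so when -d is given the path that is verified and the path the plugin writes presumably differ; verify the joined path, or build the joined path once and pass it as the filename. The test `if (dirpath != NULL)` can never be false after the ternary above it, and `if (outkey != NULL)` repeats the EMPTYSTRING check at the top of genkey_file (outside the hunk); both can go. The write itself happens inside the OpenSSL plugin, so its file mode is not visible here.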
@@ -237,7 +349,7 @@ genkey_file(KMF_HANDLE_T kmfhandle, KMF_KEY_ALG keyAlg, int keylen, char *dir, } out: - KMF_FreeRawSymKey(rkey); + kmf_free_raw_sym_key(rkey); if (hexstr != NULL) free(hexstr); @@ -256,7 +368,7 @@ pk_genkey(int argc, char *argv[]) char *tokenname = NULL; char *dir = NULL; char *prefix = NULL; - char *keytype = "AES"; + char *keytype = "generic"; char *keylenstr = NULL; int keylen = 0; char *keylabel = NULL; @@ -265,14 +377,14 @@ pk_genkey(int argc, char *argv[]) char *extstr = NULL; char *printstr = NULL; KMF_HANDLE_T kmfhandle = NULL; - KMF_KEY_ALG keyAlg = KMF_AES; + KMF_KEY_ALG keyAlg = KMF_GENERIC_SECRET; boolean_t print_hex = B_FALSE; KMF_CREDENTIAL tokencred = {NULL, 0}; while ((opt = getopt_av(argc, argv, - "k:(keystore)l:(label)T:(token)d:(dir)p:(prefix)" - "t:(keytype)y:(keylen)K:(outkey)P:(print)" - "s:(sensitive)e:(extractable)")) != EOF) { + "k:(keystore)l:(label)T:(token)d:(dir)p:(prefix)" + "t:(keytype)y:(keylen)K:(outkey)P:(print)" + "s:(sensitive)e:(extractable)")) != EOF) { if (EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); switch (opt) { @@ -344,7 +456,7 @@ pk_genkey(int argc, char *argv[]) /* Check keytype. If not specified, default to AES */ if (keytype != NULL && Str2SymKeyType(keytype, &keyAlg) != 0) { cryptoerror(LOG_STDERR, gettext("Unrecognized keytype(%s).\n"), - keytype); + keytype); return (PK_ERR_USAGE); } 
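Review bot: The default key type moves from AES to a generic secret (`char *keytype = "generic";` and `KMF_KEY_ALG keyAlg = KMF_GENERIC_SECRET;`), but the comment `/* Check keytype. If not specified, default to AES */` in the later hunk on this line still says AES. Update it to `/* Check keytype. If not specified, default to a generic secret key */`, and make sure the usage text and man page say the same, since a generic-secret object typically cannot be used directly with cipher-specific mechanisms the way an AES key can. The sensitive/extractable option parsing in this hunk is unchanged apart from indentation.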
@@ -362,20 +474,20 @@ pk_genkey(int argc, char *argv[]) else /* AES, ARCFOUR, or GENERIC SECRET */ { if (keylenstr == NULL) { cryptoerror(LOG_STDERR, - gettext("Key length must be specified for " - "AES, ARCFOUR or GENERIC symmetric keys.\n")); + gettext("Key length must be specified for " + "AES, ARCFOUR or GENERIC symmetric keys.\n")); return (PK_ERR_USAGE); } if (sscanf(keylenstr, "%d", &keylen) != 1) { cryptoerror(LOG_STDERR, - gettext("Unrecognized key length (%s).\n"), - keytype); + gettext("Unrecognized key length (%s).\n"), + keytype); return (PK_ERR_USAGE); } if (keylen == 0 || (keylen % 8) != 0) { cryptoerror(LOG_STDERR, - gettext("Key length bitlength must be a " - "multiple of 8.\n")); + gettext("Key length bitlength must be a " + "multiple of 8.\n")); return (PK_ERR_USAGE); } } @@ -418,7 +530,7 @@ pk_genkey(int argc, char *argv[]) if (kstype == KMF_KEYSTORE_PK11TOKEN || kstype == KMF_KEYSTORE_NSS) (void) get_token_password(kstype, tokenname, &tokencred); - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n")); goto end; } @@ -437,12 +549,12 @@ pk_genkey(int argc, char *argv[]) end: if (rv != KMF_OK) display_error(kmfhandle, rv, - gettext("Error generating key")); + gettext("Error generating key")); if (tokencred.cred != NULL) free(tokencred.cred); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); if (rv != KMF_OK) return (PK_ERR_USAGE); diff --git a/usr/src/cmd/cmd-crypto/pktool/import.c b/usr/src/cmd/cmd-crypto/pktool/import.c index ac706b82ab..0efe59abb0 100644 --- a/usr/src/cmd/cmd-crypto/pktool/import.c +++ b/usr/src/cmd/cmd-crypto/pktool/import.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ 
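Review bot: The length check `if (keylen == 0 || (keylen % 8) != 0)` lets negative multiples of 8 through (`-128 % 8` is 0 in C), and the genkey_* helpers then copy keylen into a `uint32_t keylength`, so `-y -128` becomes a request for a roughly four-billion-bit key. Tighten it to `if (keylen <= 0 || (keylen % 8) != 0) {`. The preceding error `"Unrecognized key length (%s).\n"` is passed `keytype` instead of `keylenstr`, so a bad length is reported as the key type; the reindented call should pass `keylenstr`. This hunk keeps the same arguments as the old code, so both are pre-existing defects carried into the new lines.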
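Review bot: `free(tokencred.cred)` at the end of pk_genkey releases the token PIN obtained by get_token_password (visible in the previous hunk) without scrubbing it, leaving the secret in freed heap memory. Add `(void) memset(tokencred.cred, 0, tokencred.credlen);` before the free, and prefer a platform explicit-clear primitive if one is available, since a plain memset before free may be optimised away.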
@@ -56,25 +56,38 @@ pk_import_pk12_files(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *cred, int ncerts = 0; int nkeys = 0; int i; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; - rv = KMF_ImportPK12(kmfhandle, outfile, cred, - &certs, &ncerts, &keys, &nkeys); + rv = kmf_import_objects(kmfhandle, outfile, cred, + &certs, &ncerts, &keys, &nkeys); if (rv == KMF_OK) { (void) printf(gettext("Found %d certificate(s) and %d " - "key(s) in %s\n"), ncerts, nkeys, outfile); + "key(s) in %s\n"), ncerts, nkeys, outfile); } if (rv == KMF_OK && ncerts > 0) { - KMF_STORECERT_PARAMS params; char newcertfile[MAXPATHLEN]; - (void) memset(¶ms, 0, sizeof (KMF_STORECERT_PARAMS)); - params.kstype = KMF_KEYSTORE_OPENSSL; - params.sslparms.dirpath = dir; - params.sslparms.format = outformat; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, strlen(dir)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &outformat, sizeof (outformat)); + numattr++; for (i = 0; rv == KMF_OK && i < ncerts; i++) { + int num = numattr; + /* * If storing more than 1 cert, gotta change * the name so we don't overwrite the previous one. 
@@ -82,40 +95,84 @@ pk_import_pk12_files(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *cred, */ if (i > 0) { (void) snprintf(newcertfile, - sizeof (newcertfile), - "%s_%d", certfile, i); - params.sslparms.certfile = newcertfile; + sizeof (newcertfile), "%s_%d", certfile, i); + + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_FILENAME_ATTR, newcertfile, + strlen(newcertfile)); + num++; } else { - params.sslparms.certfile = certfile; + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_FILENAME_ATTR, certfile, + strlen(certfile)); + num++; } - rv = KMF_StoreCert(kmfhandle, ¶ms, &certs[i]); + + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], sizeof (KMF_DATA)); + num++; + rv = kmf_store_cert(kmfhandle, num, attrlist); } } if (rv == KMF_OK && nkeys > 0) { - KMF_STOREKEY_PARAMS skparms; char newkeyfile[MAXPATHLEN]; - (void) memset(&skparms, 0, sizeof (skparms)); + numattr = 0; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (keydir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, keydir, + strlen(keydir)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &outformat, + sizeof (outformat)); + numattr++; + + if (cred != NULL && cred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, cred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } /* The order of certificates and keys should match */ for (i = 0; rv == KMF_OK && i < nkeys; i++) { - skparms.kstype = KMF_KEYSTORE_OPENSSL; - skparms.sslparms.dirpath = keydir; - skparms.sslparms.format = outformat; - skparms.cred = *cred; - skparms.certificate = &certs[i]; + int num = numattr; if (i > 0) { (void) snprintf(newkeyfile, - sizeof (newkeyfile), - "%s_%d", keyfile, i); - skparms.sslparms.keyfile = newkeyfile; + sizeof (newkeyfile), "%s_%d", keyfile, i); + + kmf_set_attr_at_index(attrlist, num, + KMF_KEY_FILENAME_ATTR, newkeyfile, + strlen(newkeyfile)); + 
num++; } else { - skparms.sslparms.keyfile = keyfile; + kmf_set_attr_at_index(attrlist, num, + KMF_KEY_FILENAME_ATTR, keyfile, + strlen(keyfile)); + num++; } - rv = KMF_StorePrivateKey(kmfhandle, &skparms, - &keys[i]); + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], + sizeof (KMF_DATA)); + num++; + + kmf_set_attr_at_index(attrlist, num, + KMF_RAW_KEY_ATTR, &keys[i], + sizeof (KMF_RAW_KEY_DATA)); + num++; + + rv = kmf_store_key(kmfhandle, num, attrlist); } } /* @@ -123,12 +180,12 @@ pk_import_pk12_files(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *cred, */ if (certs) { for (i = 0; i < ncerts; i++) - KMF_FreeData(&certs[i]); + kmf_free_data(&certs[i]); free(certs); } if (keys) { for (i = 0; i < nkeys; i++) - KMF_FreeRawKey(&keys[i]); + kmf_free_raw_key(&keys[i]); free(keys); } 
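Review bot: The key-storing loop runs `i` up to `nkeys` but attaches `&certs[i]` as KMF_CERT_DATA_ATTR on every iteration, so a PKCS#12 bundle with more keys than certificates (or keys and no certificates, where certs is still NULL) reads past the certs array; the comment "The order of certificates and keys should match" states the assumption but nothing checks it, and the old code had the same hole. Guard the certificate attribute on `i < ncerts` as below, or reject the bundle up front when `nkeys > ncerts`. Whether kmf_store_key can store a key without a certificate is not visible here, so if it cannot, the up-front rejection is the right form.
```c
/* … unchanged: key-file name selection … */
			if (i < ncerts) {
				kmf_set_attr_at_index(attrlist, num,
				    KMF_CERT_DATA_ATTR, &certs[i],
				    sizeof (KMF_DATA));
				num++;
			}
/* … unchanged: KMF_RAW_KEY_ATTR and kmf_store_key call … */
```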
@@ -150,55 +207,105 @@ pk_import_pk12_nss( int ncerts = 0; int nkeys = 0; int i; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); - rv = KMF_ImportPK12(kmfhandle, filename, kmfcred, - &certs, &ncerts, &keys, &nkeys); + rv = kmf_import_objects(kmfhandle, filename, kmfcred, + &certs, &ncerts, &keys, &nkeys); if (rv == KMF_OK) (void) printf(gettext("Found %d certificate(s) and %d " - "key(s) in %s\n"), ncerts, nkeys, filename); + "key(s) in %s\n"), ncerts, nkeys, filename); if (rv == KMF_OK) { - KMF_STORECERT_PARAMS params; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token_spec, + strlen(token_spec)); + numattr++; + } - (void) memset(¶ms, 0, sizeof (KMF_STORECERT_PARAMS)); - params.kstype = KMF_KEYSTORE_NSS; - params.nssparms.slotlabel = token_spec; - params.nssparms.trustflag = trustflags; + if (trustflags != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TRUSTFLAG_ATTR, trustflags, + strlen(trustflags)); + numattr++; + } for (i = 0; rv == KMF_OK && i < ncerts; i++) { - if (i == 0) - params.certLabel = nickname; - else - params.certLabel = NULL; + int num = numattr; - rv = KMF_StoreCert(kmfhandle, ¶ms, &certs[i]); + if (i == 0 && nickname != NULL) { + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_LABEL_ATTR, nickname, + strlen(nickname)); + num++; + } + + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], sizeof (KMF_DATA)); + num++; + rv = kmf_store_cert(kmfhandle, num, attrlist); } if (rv != KMF_OK) { display_error(kmfhandle, rv, - gettext("Error storing certificate " - "in PKCS11 token")); + gettext("Error storing certificate in NSS token")); } } if (rv == KMF_OK) { - KMF_STOREKEY_PARAMS skparms; + numattr = 0; + + kmf_set_attr_at_index(attrlist, numattr, 
+ KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token_spec, + strlen(token_spec)); + numattr++; + } + + if (nickname != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, nickname, + strlen(nickname)); + numattr++; + } + + if (tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } /* The order of certificates and keys should match */ for (i = 0; i < nkeys; i++) { - (void) memset(&skparms, 0, - sizeof (KMF_STOREKEY_PARAMS)); - skparms.kstype = KMF_KEYSTORE_NSS; - skparms.cred = *tokencred; - skparms.label = nickname; - skparms.certificate = &certs[i]; - skparms.nssparms.slotlabel = token_spec; + int num = numattr; + + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], + sizeof (KMF_DATA)); + num++; + + kmf_set_attr_at_index(attrlist, num, + KMF_RAW_KEY_ATTR, &keys[i], + sizeof (KMF_RAW_KEY_DATA)); + num++; - rv = KMF_StorePrivateKey(kmfhandle, &skparms, &keys[i]); + rv = kmf_store_key(kmfhandle, num, attrlist); } } @@ -207,12 +314,12 @@ pk_import_pk12_nss( */ if (certs) { for (i = 0; i < ncerts; i++) - KMF_FreeData(&certs[i]); + kmf_free_data(&certs[i]); free(certs); } if (keys) { for (i = 0; i < nkeys; i++) - KMF_FreeRawKey(&keys[i]); + kmf_free_raw_key(&keys[i]); free(keys); } 
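Review bot: `if (tokencred->credlen > 0)` dereferences tokencred without a NULL check, while the equivalent lines elsewhere in this change (pk_import_pk12_files, gencsr_nss, genkey_nss) test `cred != NULL && cred->credlen > 0`; make it `if (tokencred != NULL && tokencred->credlen > 0) {`. The key loop also keeps going after a failure (`for (i = 0; i < nkeys; i++)` with no `rv == KMF_OK` term, unlike the certificate loop above it), so later keys are stored after an earlier store failed and only the last rv is reported — use `for (i = 0; rv == KMF_OK && i < nkeys; i++) {`. As in the file variant, `&certs[i]` is indexed by the key count with no check that `nkeys <= ncerts`.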
@@ -227,31 +334,47 @@ pk_import_cert( char *dir, char *prefix, char *trustflags) { KMF_RETURN rv = KMF_OK; - KMF_IMPORTCERT_PARAMS params; + KMF_ATTRIBUTE attrlist[32]; + int i = 0; if (kstype == KMF_KEYSTORE_PK11TOKEN) { rv = select_token(kmfhandle, token_spec, FALSE); - - if (rv != KMF_OK) { - return (rv); - } + } else if (kstype == KMF_KEYSTORE_NSS) { + rv = configure_nss(kmfhandle, dir, prefix); } + if (rv != KMF_OK) + return (rv); - (void) memset(¶ms, 0, sizeof (params)); - params.kstype = kstype; - params.certfile = filename; - params.certLabel = label; + kmf_set_attr_at_index(attrlist, i, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (KMF_KEYSTORE_TYPE)); + i++; - if (kstype == KMF_KEYSTORE_NSS) { - rv = configure_nss(kmfhandle, dir, prefix); - if (rv != KMF_OK) - return (rv); - params.nssparms.trustflag = trustflags; - params.nssparms.slotlabel = token_spec; + kmf_set_attr_at_index(attrlist, i, KMF_CERT_FILENAME_ATTR, + filename, strlen(filename)); + i++; + + if (label != NULL) { + kmf_set_attr_at_index(attrlist, i, KMF_CERT_LABEL_ATTR, + label, strlen(label)); + i++; } - rv = KMF_ImportCert(kmfhandle, ¶ms); + if (kstype == KMF_KEYSTORE_NSS) { + if (trustflags != NULL) { + kmf_set_attr_at_index(attrlist, i, KMF_TRUSTFLAG_ATTR, + trustflags, strlen(trustflags)); + i++; + } + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, i, + KMF_TOKEN_LABEL_ATTR, + token_spec, strlen(token_spec)); + i++; + } + } + + rv = kmf_import_cert(kmfhandle, i, attrlist); return (rv); } 
@@ -262,20 +385,33 @@ pk_import_file_crl(void *kmfhandle, char *outdir, KMF_ENCODE_FORMAT outfmt) { - KMF_IMPORTCRL_PARAMS icrl_params; - KMF_OPENSSL_PARAMS sslparams; - - sslparams.crlfile = infile; - sslparams.dirpath = outdir; - sslparams.outcrlfile = outfile; - sslparams.format = outfmt; - sslparams.crl_check = B_FALSE; - - icrl_params.kstype = KMF_KEYSTORE_OPENSSL; - icrl_params.sslparms = sslparams; - - return (KMF_ImportCRL(kmfhandle, &icrl_params)); + int numattr = 0; + KMF_ATTRIBUTE attrlist[8]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + if (infile) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CRL_FILENAME_ATTR, infile, strlen(infile)); + numattr++; + } + if (outdir) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, outdir, strlen(outdir)); + numattr++; + } + if (outfile) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CRL_OUTFILE_ATTR, outfile, strlen(outfile)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, + KMF_ENCODE_FORMAT_ATTR, &outfmt, sizeof (outfmt)); + numattr++; + return (kmf_import_crl(kmfhandle, numattr, attrlist)); } static KMF_RETURN 
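Review bot: The removed `sslparams.crl_check = B_FALSE` has no counterpart in the new attribute list, so whether the OpenSSL plugin skips CRL verification now depends on its default for a missing `KMF_CRL_CHECK_ATTR`, which is not visible here. pk_import_nss_crl in the next hunk passes `KMF_CRL_CHECK_ATTR` explicitly, so the two CRL importers now differ in how the check flag is conveyed. If the old explicit no-check behaviour is intended, add `boolean_t crlcheck = B_FALSE;` and set `KMF_CRL_CHECK_ATTR` the way the NSS path does; otherwise a one-line comment that the plugin default is relied upon would make the choice deliberate. `infile` is now NULL-guarded where the old code passed it unconditionally, which is harmless but means a NULL infile reaches `kmf_import_crl` as a missing attribute rather than a NULL pointer, and that contract is presumably the plugin's to enforce.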
@@ -285,19 +421,28 @@ pk_import_nss_crl(void *kmfhandle, char *outdir, char *prefix) { - KMF_IMPORTCRL_PARAMS icrl_params; KMF_RETURN rv; + int numattr = 0; + KMF_ATTRIBUTE attrlist[4]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; rv = configure_nss(kmfhandle, outdir, prefix); if (rv != KMF_OK) return (rv); - icrl_params.kstype = KMF_KEYSTORE_NSS; - icrl_params.nssparms.slotlabel = NULL; - icrl_params.nssparms.crlfile = infile; - icrl_params.nssparms.crl_check = verify_crl_flag; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + if (infile) { + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR, + infile, strlen(infile)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_CHECK_ATTR, + &verify_crl_flag, sizeof (verify_crl_flag)); + numattr++; - return (KMF_ImportCRL(kmfhandle, &icrl_params)); + return (kmf_import_crl(kmfhandle, numattr, attrlist)); } @@ -315,6 +460,9 @@ pk_import_pk12_pk11( int ncerts = 0; int nkeys = 0; int i; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; rv = select_token(kmfhandle, token_spec, FALSE); 
@@ -322,46 +470,72 @@ pk_import_pk12_pk11( return (rv); } - rv = KMF_ImportPK12(kmfhandle, filename, p12cred, - &certs, &ncerts, &keys, &nkeys); + rv = kmf_import_objects(kmfhandle, filename, p12cred, + &certs, &ncerts, &keys, &nkeys); if (rv == KMF_OK) { - KMF_STOREKEY_PARAMS skparms; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (label != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, label, + strlen(label)); + numattr++; + } + + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } /* The order of certificates and keys should match */ for (i = 0; i < nkeys; i++) { - (void) memset(&skparms, 0, - sizeof (KMF_STOREKEY_PARAMS)); - skparms.kstype = KMF_KEYSTORE_PK11TOKEN; - skparms.certificate = &certs[i]; - if (tokencred != NULL) - skparms.cred = *tokencred; - if (i == 0) - skparms.label = label; - else - skparms.label = NULL; + int num = numattr; + + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], + sizeof (KMF_DATA)); + num++; + + kmf_set_attr_at_index(attrlist, num, + KMF_RAW_KEY_ATTR, &keys[i], + sizeof (KMF_RAW_KEY_DATA)); + num++; + + rv = kmf_store_key(kmfhandle, num, attrlist); - rv = KMF_StorePrivateKey(kmfhandle, &skparms, - &keys[i]); } } if (rv == KMF_OK) { - KMF_STORECERT_PARAMS params; (void) printf(gettext("Found %d certificate(s) and %d " - "key(s) in %s\n"), ncerts, nkeys, filename); - (void) memset(¶ms, 0, sizeof (KMF_STORECERT_PARAMS)); - - params.kstype = KMF_KEYSTORE_PK11TOKEN; + "key(s) in %s\n"), ncerts, nkeys, filename); + numattr = 0; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; for (i = 0; rv == KMF_OK && i < ncerts; i++) { - if (i == 0) - params.certLabel = label; - else - params.certLabel = NULL; + int num = numattr; + + if (i == 0 && label 
!= NULL) { + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_LABEL_ATTR, label, strlen(label)); + num++; + } - rv = KMF_StoreCert(kmfhandle, ¶ms, &certs[i]); + kmf_set_attr_at_index(attrlist, num, + KMF_CERT_DATA_ATTR, &certs[i], sizeof (KMF_DATA)); + num++; + + rv = kmf_store_cert(kmfhandle, num, attrlist); } } 
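Review bot: The key-storing loop now carries `KMF_KEYLABEL_ATTR` in the shared attribute prefix, so every private key in the bundle is stored under the same label, whereas the removed code set `skparms.label` only for `i == 0` and the certificate loop a few lines later still applies `KMF_CERT_LABEL_ATTR` only when `i == 0 && label != NULL`. That is either an intentional change that needs a comment, or a regression that makes a multi-key PKCS#12 import produce several token objects with an identical label. To match the certificate loop, move the label into the per-iteration block: `if (i == 0 && label != NULL) { kmf_set_attr_at_index(attrlist, num, KMF_KEYLABEL_ATTR, label, strlen(label)); num++; }`. Separately, `rv` from a failed `kmf_store_key` is overwritten by the next iteration so only the last failure is reported; adding `rv == KMF_OK &&` to the loop condition, as the certificate loop already does, would stop at the first error.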
@@ -370,18 +544,199 @@ pk_import_pk12_pk11( */ if (certs) { for (i = 0; i < ncerts; i++) - KMF_FreeData(&certs[i]); + kmf_free_data(&certs[i]); free(certs); } if (keys) { for (i = 0; i < nkeys; i++) - KMF_FreeRawKey(&keys[i]); + kmf_free_raw_key(&keys[i]); free(keys); } return (rv); } +static KMF_RETURN +pk_import_keys(KMF_HANDLE_T kmfhandle, + KMF_KEYSTORE_TYPE kstype, char *token_spec, + KMF_CREDENTIAL *cred, char *filename, + char *label, char *senstr, char *extstr) +{ + KMF_RETURN rv = KMF_OK; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEYSTORE_TYPE fileks = KMF_KEYSTORE_OPENSSL; + int numattr = 0; + KMF_KEY_HANDLE key; + KMF_RAW_KEY_DATA rawkey; + KMF_KEY_CLASS class = KMF_ASYM_PRI; + int numkeys = 1; + + if (kstype == KMF_KEYSTORE_PK11TOKEN) { + rv = select_token(kmfhandle, token_spec, FALSE); + } + if (rv != KMF_OK) + return (rv); + /* + * First, set up to read the keyfile using the FILE plugin + * mechanisms. + */ + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &fileks, sizeof (fileks)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &numkeys, sizeof (numkeys)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &key, sizeof (key)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_RAW_KEY_ATTR, + &rawkey, sizeof (rawkey)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR, + &class, sizeof (class)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + + rv = kmf_find_key(kmfhandle, numattr, attrlist); + if (rv == KMF_OK) { + numattr = 0; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (cred != NULL && cred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, cred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (label != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + 
KMF_KEYLABEL_ATTR, label, strlen(label)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_RAW_KEY_ATTR, &rawkey, sizeof (rawkey)); + numattr++; + + rv = kmf_store_key(kmfhandle, numattr, attrlist); + if (rv == KMF_OK) { + printf(gettext("Importing %d keys\n"), numkeys); + } + + kmf_free_kmf_key(kmfhandle, &key); + kmf_free_raw_key(&rawkey); + } else { + cryptoerror(LOG_STDERR, + gettext("Failed to load key from file (%s)\n"), + filename); + } + return (rv); +} + +static KMF_RETURN +pk_import_rawkey(KMF_HANDLE_T kmfhandle, + KMF_KEYSTORE_TYPE kstype, char *token, + KMF_CREDENTIAL *cred, + char *filename, char *label, KMF_KEY_ALG keyAlg, + char *senstr, char *extstr) +{ + KMF_RETURN rv = KMF_OK; + KMF_ATTRIBUTE attrlist[16]; + int numattr = 0; + uint32_t keylen; + boolean_t sensitive = B_FALSE; + boolean_t not_extractable = B_FALSE; + KMF_DATA keydata = {NULL, 0}; + KMF_KEY_HANDLE rawkey; + + rv = kmf_read_input_file(kmfhandle, filename, &keydata); + if (rv != KMF_OK) + return (rv); + + rv = select_token(kmfhandle, token, FALSE); + + if (rv != KMF_OK) { + return (rv); + } + if (senstr != NULL) { + if (tolower(senstr[0]) == 'y') + sensitive = B_TRUE; + else if (tolower(senstr[0]) == 'n') + sensitive = B_FALSE; + else { + cryptoerror(LOG_STDERR, + gettext("Incorrect sensitive option value.\n")); + return (KMF_ERR_BAD_PARAMETER); + } + } + + if (extstr != NULL) { + if (tolower(extstr[0]) == 'y') + not_extractable = B_FALSE; + else if (tolower(extstr[0]) == 'n') + not_extractable = B_TRUE; + else { + cryptoerror(LOG_STDERR, + gettext("Incorrect extractable option value.\n")); + return (KMF_ERR_BAD_PARAMETER); + } + } + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_HANDLE_ATTR, &rawkey, sizeof (rawkey)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYALG_ATTR, &keyAlg, sizeof (KMF_KEY_ALG)); + numattr++; + + 
kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_DATA_ATTR, keydata.Data, keydata.Length); + numattr++; + + /* Key length is given in bits not bytes */ + keylen = keydata.Length * 8; + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLENGTH_ATTR, &keylen, sizeof (keydata.Length)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_SENSITIVE_BOOL_ATTR, &sensitive, sizeof (sensitive)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_NON_EXTRACTABLE_BOOL_ATTR, ¬_extractable, + sizeof (not_extractable)); + numattr++; + + if (label != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, label, strlen(label)); + numattr++; + } + if (cred != NULL && cred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, cred, sizeof (KMF_CREDENTIAL)); + numattr++; + } + rv = kmf_create_sym_key(kmfhandle, numattr, attrlist); + + return (rv); +} + /* * Import objects from into KMF repositories. */ @@ -396,12 +751,15 @@ pk_import(int argc, char *argv[]) char *keyfile = NULL; char *certfile = NULL; char *crlfile = NULL; - char *certlabel = NULL; + char *label = NULL; char *dir = NULL; char *keydir = NULL; char *prefix = NULL; char *trustflags = NULL; char *verify_crl = NULL; + char *keytype = "generic"; + char *senstr = NULL; + char *extstr = NULL; boolean_t verify_crl_flag = B_FALSE; int oclass = 0; KMF_KEYSTORE_TYPE kstype = 0; 
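Review bot: In pk_import_rawkey the `KMF_KEYLENGTH_ATTR` entry points at `keylen`, a `uint32_t`, but its length is given as `sizeof (keydata.Length)`; if `KMF_DATA.Length` is wider than 32 bits (it is a `size_t` in the KMF headers I am aware of) the attribute describes more bytes than the object holds and the plugin reads past `keylen`. The length should be `sizeof (keylen)`. The buffer filled by `kmf_read_input_file` is also never released: the early returns after `select_token` and the option checks, and the normal return after `kmf_create_sym_key`, all leave `keydata.Data` allocated, and since it holds raw secret key material it should be scrubbed and released with `kmf_free_data(&keydata)` on every path. In pk_import_keys, `senstr` and `extstr` are accepted but never read, the `printf` is not `(void)`-cast like every other print in the file, and the "Importing %d keys" message is emitted after the store has already completed.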
@@ -411,16 +769,18 @@ pk_import(int argc, char *argv[]) KMF_CREDENTIAL pk12cred = { NULL, 0 }; KMF_CREDENTIAL tokencred = { NULL, 0 }; KMF_HANDLE_T kmfhandle = NULL; + KMF_KEY_ALG keyAlg = KMF_GENERIC_SECRET; /* Parse command line options. Do NOT i18n/l10n. */ while ((opt = getopt_av(argc, argv, - "T:(token)i:(infile)" - "k:(keystore)y:(objtype)" - "d:(dir)p:(prefix)" - "n:(certlabel)N:(label)" - "K:(outkey)c:(outcert)" - "v:(verifycrl)l:(outcrl)" - "t:(trust)D:(keydir)F:(outformat)")) != EOF) { + "T:(token)i:(infile)" + "k:(keystore)y:(objtype)" + "d:(dir)p:(prefix)" + "n:(certlabel)N:(label)" + "K:(outkey)c:(outcert)" + "v:(verifycrl)l:(outcrl)" + "E:(keytype)s:(sensitive)x:(extractable)" + "t:(trust)D:(keydir)F:(outformat)")) != EOF) { if (EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); switch (opt) { @@ -472,9 +832,9 @@ pk_import(int argc, char *argv[]) break; case 'n': case 'N': - if (certlabel) + if (label) return (PK_ERR_USAGE); - certlabel = optarg_av; + label = optarg_av; break; case 'F': okfmt = Str2Format(optarg_av); @@ -495,6 +855,19 @@ pk_import(int argc, char *argv[]) else return (PK_ERR_USAGE); break; + case 'E': + keytype = optarg_av; + break; + case 's': + if (senstr) + return (PK_ERR_USAGE); + senstr = optarg_av; + break; + case 'x': + if (extstr) + return (PK_ERR_USAGE); + extstr = optarg_av; + break; default: return (PK_ERR_USAGE); break; @@ -508,7 +881,7 @@ pk_import(int argc, char *argv[]) /* Filename arg is required. */ if (EMPTYSTRING(filename)) { cryptoerror(LOG_STDERR, gettext("The 'infile' parameter" - "is required for the import operation.\n")); + "is required for the import operation.\n")); return (PK_ERR_USAGE); } 
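Review bot: `case 'E'` accepts a repeated `keytype` option silently, while the neighbouring `case 's'` and `case 'x'` return `PK_ERR_USAGE` on repetition; because `keytype` defaults to `"generic"` the usual `if (keytype)` test cannot be used, so a separate seen-flag is needed if the same strictness is wanted. That non-NULL default also means the later `keytype != NULL &&` guard in the raw-key checks is always true and could be dropped or commented. pk_import's body continues outside these hunks.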
@@ -520,10 +893,10 @@ pk_import(int argc, char *argv[]) /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && - kstype != KMF_KEYSTORE_PK11TOKEN) { + kstype != KMF_KEYSTORE_PK11TOKEN) { (void) fprintf(stderr, gettext("The objtype parameter " - "is only relevant if keystore=pkcs11\n")); + "is only relevant if keystore=pkcs11\n")); return (PK_ERR_USAGE); } 
@@ -532,57 +905,85 @@ pk_import(int argc, char *argv[]) * into NSS or PKCS#11. */ if (kstype == KMF_KEYSTORE_NSS && - (oclass != PK_CRL_OBJ) && EMPTYSTRING(certlabel)) { + (oclass != PK_CRL_OBJ) && EMPTYSTRING(label)) { cryptoerror(LOG_STDERR, gettext("The 'label' argument " - "is required for this operation\n")); + "is required for this operation\n")); return (PK_ERR_USAGE); } - /* - * PKCS11 only imports PKCS#12 files or PEM/DER Cert files. - */ - if (kstype == KMF_KEYSTORE_PK11TOKEN) { - /* we do not import private keys except in PKCS12 bundles */ - if (oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ)) { - cryptoerror(LOG_STDERR, gettext( - "The PKCS11 keystore only imports PKCS12 " - "files or raw certificate data files " - " or CRL file.\n")); - return (PK_ERR_USAGE); + if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) { + /* + * Allow for raw key data to be imported. + */ + if (rv == KMF_ERR_ENCODING) { + rv = KMF_OK; + kfmt = KMF_FORMAT_RAWKEY; + /* + * Set the object class only if it was not + * given on the command line or if it was + * specified as a symmetric key object. 
+ */ + if (oclass == 0 || (oclass & PK_SYMKEY_OBJ)) { + oclass = PK_SYMKEY_OBJ; + } else { + cryptoerror(LOG_STDERR, gettext( + "The input file does not contain the " + "object type indicated on command " + "line.")); + return (KMF_ERR_BAD_PARAMETER); + } + } else { + cryptoerror(LOG_STDERR, + gettext("File format not recognized.")); + return (rv); } } - if ((rv = KMF_GetFileFormat(filename, &kfmt)) != KMF_OK) { - cryptoerror(LOG_STDERR, - gettext("File format not recognized.")); - return (rv); + /* Check parameters for raw key import operation */ + if (kfmt == KMF_FORMAT_RAWKEY) { + if (keytype != NULL && + Str2SymKeyType(keytype, &keyAlg) != 0) { + cryptoerror(LOG_STDERR, + gettext("Unrecognized keytype(%s).\n"), keytype); + return (PK_ERR_USAGE); + } + if (senstr != NULL && extstr != NULL && + kstype != KMF_KEYSTORE_PK11TOKEN) { + cryptoerror(LOG_STDERR, + gettext("The sensitive or extractable option " + "applies only when importing a key from a file " + "into a PKCS#11 keystore.\n")); + return (PK_ERR_USAGE); + } } + + /* If no objtype was given, treat it as a certificate */ if (oclass == 0 && (kfmt == KMF_FORMAT_ASN1 || - kfmt == KMF_FORMAT_PEM)) + kfmt == KMF_FORMAT_PEM)) oclass = PK_CERT_OBJ; if (kstype == KMF_KEYSTORE_NSS) { if (oclass == PK_CRL_OBJ && - (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) { + (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) { cryptoerror(LOG_STDERR, gettext( - "CRL data can only be imported as DER or " - "PEM format")); + "CRL data can only be imported as DER or " + "PEM format")); return (PK_ERR_USAGE); } if (oclass == PK_CERT_OBJ && - (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) { + (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) { cryptoerror(LOG_STDERR, gettext( - "Certificates can only be imported as DER or " - "PEM format")); + "Certificates can only be imported as DER or " + "PEM format")); return (PK_ERR_USAGE); } /* we do not import private keys except in PKCS12 bundles */ if (oclass & 
(PK_PRIVATE_OBJ | PK_PRIKEY_OBJ)) { cryptoerror(LOG_STDERR, gettext( - "Private key data can only be imported as part " - "of a PKCS12 file.\n")); + "Private key data can only be imported as part " + "of a PKCS12 file.\n")); return (PK_ERR_USAGE); } } @@ -590,9 +991,9 @@ pk_import(int argc, char *argv[]) if (kstype == KMF_KEYSTORE_OPENSSL && oclass != PK_CRL_OBJ) { if (EMPTYSTRING(keyfile) || EMPTYSTRING(certfile)) { cryptoerror(LOG_STDERR, gettext( - "The 'outkey' and 'outcert' parameters " - "are required for the import operation " - "when the 'file' keystore is used.\n")); + "The 'outkey' and 'outcert' parameters " + "are required for the import operation " + "when the 'file' keystore is used.\n")); return (PK_ERR_USAGE); } } @@ -604,16 +1005,17 @@ pk_import(int argc, char *argv[]) if (kfmt == KMF_FORMAT_PKCS12) { (void) get_pk12_password(&pk12cred); + } - if (kstype == KMF_KEYSTORE_PK11TOKEN || - kstype == KMF_KEYSTORE_NSS) - (void) get_token_password(kstype, token_spec, - &tokencred); + if ((kfmt == KMF_FORMAT_PKCS12 || kfmt == KMF_FORMAT_RAWKEY || + (kfmt == KMF_FORMAT_PEM && (oclass & PK_KEY_OBJ))) && + (kstype == KMF_KEYSTORE_PK11TOKEN || kstype == KMF_KEYSTORE_NSS)) { + (void) get_token_password(kstype, token_spec, &tokencred); } - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { cryptoerror(LOG_STDERR, gettext("Error initializing " - "KMF: 0x%02x\n"), rv); + "KMF: 0x%02x\n"), rv); goto end; } 
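Review bot: The sensitive/extractable check uses `senstr != NULL && extstr != NULL`, so it only fires when both options were given; a user passing just `sensitive=y` with an NSS or file keystore sails past a message that says either option applies only to PKCS#11. The condition should be `if ((senstr != NULL || extstr != NULL) && kstype != KMF_KEYSTORE_PK11TOKEN) {`. In the same hunk the object-type mismatch path returns `KMF_ERR_BAD_PARAMETER` where every sibling validation error in pk_import returns `PK_ERR_USAGE`, and its message lacks the trailing newline the others carry. The fallback that turns any file `kmf_get_file_format` cannot decode into raw symmetric key material when no objtype was given deserves a comment, since a corrupted certificate or PEM file is now imported into the token as a key rather than rejected.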
@@ -621,64 +1023,64 @@ pk_import(int argc, char *argv[]) case KMF_KEYSTORE_PK11TOKEN: if (kfmt == KMF_FORMAT_PKCS12) rv = pk_import_pk12_pk11( - kmfhandle, - &pk12cred, - &tokencred, - certlabel, - token_spec, - filename); + kmfhandle, &pk12cred, + &tokencred, label, + token_spec, filename); else if (oclass == PK_CERT_OBJ) rv = pk_import_cert( - kmfhandle, - kstype, - certlabel, - token_spec, - filename, - NULL, NULL, NULL); + kmfhandle, kstype, + label, token_spec, + filename, + NULL, NULL, NULL); else if (oclass == PK_CRL_OBJ) rv = pk_import_file_crl( - kmfhandle, - filename, - crlfile, - dir, - okfmt); + kmfhandle, filename, + crlfile, dir, okfmt); + else if (kfmt == KMF_FORMAT_RAWKEY && + oclass == PK_SYMKEY_OBJ) { + rv = pk_import_rawkey(kmfhandle, + kstype, token_spec, &tokencred, + filename, label, + keyAlg, senstr, extstr); + } else if (kfmt == KMF_FORMAT_PEM || + kfmt == KMF_FORMAT_PEM_KEYPAIR) { + rv = pk_import_keys(kmfhandle, + kstype, token_spec, &tokencred, + filename, label, senstr, extstr); + } else { + rv = PK_ERR_USAGE; + } break; case KMF_KEYSTORE_NSS: if (dir == NULL) dir = PK_DEFAULT_DIRECTORY; if (kfmt == KMF_FORMAT_PKCS12) rv = pk_import_pk12_nss( - kmfhandle, &pk12cred, - &tokencred, - token_spec, dir, prefix, - certlabel, trustflags, filename); + kmfhandle, &pk12cred, + &tokencred, + token_spec, dir, prefix, + label, trustflags, filename); else if (oclass == PK_CERT_OBJ) { rv = pk_import_cert( - kmfhandle, kstype, - certlabel, token_spec, - filename, dir, prefix, trustflags); + kmfhandle, kstype, + label, token_spec, + filename, dir, prefix, trustflags); } else if (oclass == PK_CRL_OBJ) { rv = pk_import_nss_crl( - kmfhandle, - verify_crl_flag, - filename, - dir, - prefix); + kmfhandle, verify_crl_flag, + filename, dir, prefix); } break; case KMF_KEYSTORE_OPENSSL: if (kfmt == KMF_FORMAT_PKCS12) rv = pk_import_pk12_files( - kmfhandle, &pk12cred, - filename, certfile, keyfile, - dir, keydir, okfmt); + kmfhandle, &pk12cred, + filename, 
certfile, keyfile, + dir, keydir, okfmt); else if (oclass == PK_CRL_OBJ) { rv = pk_import_file_crl( - kmfhandle, - filename, - crlfile, - dir, - okfmt); + kmfhandle, filename, + crlfile, dir, okfmt); } else /* * It doesn't make sense to import anything @@ -694,7 +1096,7 @@ pk_import(int argc, char *argv[]) end: if (rv != KMF_OK) display_error(kmfhandle, rv, - gettext("Error importing objects")); + gettext("Error importing objects")); if (tokencred.cred != NULL) free(tokencred.cred); @@ -702,7 +1104,7 @@ end: if (pk12cred.cred != NULL) free(pk12cred.cred); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); if (rv != KMF_OK) return (PK_ERR_USAGE); diff --git a/usr/src/cmd/cmd-crypto/pktool/list.c b/usr/src/cmd/cmd-crypto/pktool/list.c index 0317da28b7..01dc537c8b 100644 --- a/usr/src/cmd/cmd-crypto/pktool/list.c +++ b/usr/src/cmd/cmd-crypto/pktool/list.c @@ -46,6 +46,7 @@ pk_show_certs(KMF_HANDLE_T kmfhandle, KMF_X509_DER_CERT *certs, int num_certs) { int i; char *subject, *issuer, *serial, *id, *altname; + char *start, *end, *keyusage, *extkeyusage; for (i = 0; i < num_certs; i++) { subject = NULL; 
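Review bot: The new `else { rv = PK_ERR_USAGE; }` in the PKCS#11 branch stores a pktool exit code in a `KMF_RETURN`, and at `end:` that value is passed to `display_error(kmfhandle, rv, ...)` as though it were a KMF error, so the user sees whatever that lookup yields rather than a usage message. Report the unsupported combination with `cryptoerror` before the assignment, or track usage errors in a separate variable. The NSS and OpenSSL cases have no such `else`, so an unsupported format/objtype pair there still leaves `rv == KMF_OK` and the command exits successfully without importing anything; the three cases should agree. pk_import's switch begins before this hunk and the OpenSSL case continues after it.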
@@ -53,42 +54,66 @@ pk_show_certs(KMF_HANDLE_T kmfhandle, KMF_X509_DER_CERT *certs, int num_certs) serial = NULL; id = NULL; altname = NULL; + start = end = NULL; + keyusage = extkeyusage = NULL; (void) fprintf(stdout, - gettext("%d. (X.509 certificate)\n"), i + 1); + gettext("%d. (X.509 certificate)\n"), i + 1); if (certs[i].kmf_private.label != NULL) (void) fprintf(stdout, gettext("\t%s: %s\n"), - (certs[i].kmf_private.keystore_type == - KMF_KEYSTORE_OPENSSL ? "Filename" : "Label"), - certs[i].kmf_private.label); - if (KMF_GetCertIDString(&certs[i].certificate, - &id) == KMF_OK) + (certs[i].kmf_private.keystore_type == + KMF_KEYSTORE_OPENSSL ? "Filename" : "Label"), + certs[i].kmf_private.label); + if (kmf_get_cert_id_str(&certs[i].certificate, + &id) == KMF_OK) (void) fprintf(stdout, gettext("\tID: %s\n"), id); - if (KMF_GetCertSubjectNameString(kmfhandle, - &certs[i].certificate, &subject) == KMF_OK) + if (kmf_get_cert_subject_str(kmfhandle, + &certs[i].certificate, &subject) == KMF_OK) (void) fprintf(stdout, gettext("\tSubject: %s\n"), - subject); - if (KMF_GetCertIssuerNameString(kmfhandle, - &certs[i].certificate, &issuer) == KMF_OK) + subject); + if (kmf_get_cert_issuer_str(kmfhandle, + &certs[i].certificate, &issuer) == KMF_OK) (void) fprintf(stdout, gettext("\tIssuer: %s\n"), - issuer); - if (KMF_GetCertSerialNumberString(kmfhandle, - &certs[i].certificate, &serial) == KMF_OK) + issuer); + if (kmf_get_cert_start_date_str(kmfhandle, + &certs[i].certificate, &start) == KMF_OK) + (void) fprintf(stdout, gettext("\tNot Before: %s\n"), + start); + if (kmf_get_cert_end_date_str(kmfhandle, + &certs[i].certificate, &end) == KMF_OK) + (void) fprintf(stdout, gettext("\tNot After: %s\n"), + end); + if (kmf_get_cert_serial_str(kmfhandle, + &certs[i].certificate, &serial) == KMF_OK) (void) fprintf(stdout, gettext("\tSerial: %s\n"), - serial); - - if (KMF_GetCertExtensionString(kmfhandle, - &certs[i].certificate, KMF_X509_EXT_SUBJ_ALTNAME, - &altname) == KMF_OK) { + 
serial); + if (kmf_get_cert_extn_str(kmfhandle, + &certs[i].certificate, KMF_X509_EXT_SUBJ_ALTNAME, + &altname) == KMF_OK) { (void) fprintf(stdout, gettext("\t%s\n"), - altname); + altname); } - - KMF_FreeString(subject); - KMF_FreeString(issuer); - KMF_FreeString(serial); - KMF_FreeString(id); - KMF_FreeString(altname); + if (kmf_get_cert_extn_str(kmfhandle, + &certs[i].certificate, KMF_X509_EXT_KEY_USAGE, + &keyusage) == KMF_OK) { + (void) fprintf(stdout, gettext("\t%s\n"), + keyusage); + } + if (kmf_get_cert_extn_str(kmfhandle, + &certs[i].certificate, KMF_X509_EXT_EXT_KEY_USAGE, + &extkeyusage) == KMF_OK) { + (void) fprintf(stdout, gettext("\t%s\n"), + extkeyusage); + } + kmf_free_str(subject); + kmf_free_str(issuer); + kmf_free_str(serial); + kmf_free_str(id); + kmf_free_str(altname); + kmf_free_str(keyusage); + kmf_free_str(extkeyusage); + kmf_free_str(start); + kmf_free_str(end); (void) fprintf(stdout, "\n"); } } 
@@ -140,20 +165,36 @@ pk_show_keys(void *handle, KMF_KEY_HANDLE *keys, int numkeys) for (i = 0; i < numkeys; i++) { (void) fprintf(stdout, gettext("Key #%d - %s: %s"), - i+1, describeKey(&keys[i]), - keys[i].keylabel ? keys[i].keylabel : - gettext("No label")); + i+1, describeKey(&keys[i]), + keys[i].keylabel ? keys[i].keylabel : + gettext("No label")); if (keys[i].keyclass == KMF_SYMMETRIC) { KMF_RETURN rv; KMF_RAW_SYM_KEY rkey; - rv = KMF_GetSymKeyValue(handle, &keys[i], - &rkey); + (void) memset(&rkey, 0, sizeof (rkey)); + rv = kmf_get_sym_key_value(handle, &keys[i], + &rkey); if (rv == KMF_OK) { (void) fprintf(stdout, " (%d bits)", - rkey.keydata.len * 8); - KMF_FreeRawSymKey(&rkey); + rkey.keydata.len * 8); + kmf_free_bigint(&rkey.keydata); + } else if (keys[i].kstype == KMF_KEYSTORE_PK11TOKEN) { + if (rv == KMF_ERR_SENSITIVE_KEY) { + (void) fprintf(stdout, " (sensitive)"); + } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) { + (void) fprintf(stdout, + " (non-extractable)"); + } else { + char *err = NULL; + if (kmf_get_kmf_error_str(rv, &err) == + KMF_OK) + (void) fprintf(stdout, + " (error: %s)", err); + if (err != NULL) + free(err); + } } } (void) fprintf(stdout, "\n"); 
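Review bot: For an extractable symmetric key, `kmf_get_sym_key_value` copies the raw key value out of the keystore into `rkey` only so that `rkey.keydata.len * 8` can be printed, and whether `kmf_free_bigint` scrubs that buffer before freeing is not visible here. If the library offers a length-only query it would be preferable; otherwise a comment noting that key material is transiently in process memory and that `kmf_free_bigint` is expected to zero it would make the assumption explicit. The error branch frees the string from `kmf_get_kmf_error_str` with plain `free(err)` while the rest of the file uses `kmf_free_str`; if both are correct, `kmf_free_str(err)` would at least be consistent. The enclosing loop in pk_show_keys starts before this hunk.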
@@ -165,69 +206,97 @@ pk_show_keys(void *handle, KMF_KEY_HANDLE *keys, int numkeys) * all matching certificates. */ static KMF_RETURN -pk_find_certs(KMF_HANDLE_T kmfhandle, KMF_FINDCERT_PARAMS *params) +pk_find_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attrlist, int numattr) { KMF_RETURN rv = KMF_OK; KMF_X509_DER_CERT *certlist = NULL; uint32_t numcerts = 0; + KMF_KEYSTORE_TYPE kstype; + + rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, + &kstype, NULL); + if (rv != KMF_OK) + return (rv); + + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &numcerts, sizeof (uint32_t)); + numattr++; - numcerts = 0; - rv = KMF_FindCert(kmfhandle, params, NULL, &numcerts); + rv = kmf_find_cert(kmfhandle, numattr, attrlist); if (rv == KMF_OK && numcerts > 0) { (void) printf(gettext("Found %d certificates.\n"), - numcerts); + numcerts); certlist = (KMF_X509_DER_CERT *)malloc(numcerts * - sizeof (KMF_X509_DER_CERT)); + sizeof (KMF_X509_DER_CERT)); if (certlist == NULL) return (KMF_ERR_MEMORY); (void) memset(certlist, 0, numcerts * - sizeof (KMF_X509_DER_CERT)); + sizeof (KMF_X509_DER_CERT)); - rv = KMF_FindCert(kmfhandle, params, certlist, &numcerts); + kmf_set_attr_at_index(attrlist, numattr, + KMF_X509_DER_CERT_ATTR, certlist, + sizeof (KMF_X509_DER_CERT)); + numattr++; + + rv = kmf_find_cert(kmfhandle, numattr, attrlist); if (rv == KMF_OK) { int i; (void) pk_show_certs(kmfhandle, certlist, - numcerts); + numcerts); for (i = 0; i < numcerts; i++) - KMF_FreeKMFCert(kmfhandle, &certlist[i]); + kmf_free_kmf_cert(kmfhandle, &certlist[i]); } free(certlist); } if (rv == KMF_ERR_CERT_NOT_FOUND && - params->kstype != KMF_KEYSTORE_OPENSSL) + kstype != KMF_KEYSTORE_OPENSSL) rv = KMF_OK; return (rv); } static KMF_RETURN -pk_list_keys(void *handle, KMF_FINDKEY_PARAMS *parms) +pk_list_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr) { KMF_RETURN rv; KMF_KEY_HANDLE *keys; uint32_t numkeys = 0; + KMF_KEYSTORE_TYPE kstype; + + rv = 
kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, + &kstype, NULL); + if (rv != KMF_OK) + return (rv); + + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &numkeys, sizeof (uint32_t)); + numattr++; - numkeys = 0; - rv = KMF_FindKey(handle, parms, NULL, &numkeys); + rv = kmf_find_key(handle, numattr, attrlist); if (rv == KMF_OK && numkeys > 0) { int i; (void) printf(gettext("Found %d keys.\n"), numkeys); keys = (KMF_KEY_HANDLE *)malloc(numkeys * - sizeof (KMF_KEY_HANDLE)); + sizeof (KMF_KEY_HANDLE)); if (keys == NULL) return (KMF_ERR_MEMORY); (void) memset(keys, 0, numkeys * - sizeof (KMF_KEY_HANDLE)); + sizeof (KMF_KEY_HANDLE)); + + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_HANDLE_ATTR, + keys, sizeof (KMF_KEY_HANDLE)); + numattr++; - rv = KMF_FindKey(handle, parms, keys, &numkeys); + rv = kmf_find_key(handle, numattr, attrlist); if (rv == KMF_OK) pk_show_keys(handle, keys, numkeys); for (i = 0; i < numkeys; i++) - KMF_FreeKMFKey(handle, &keys[i]); + kmf_free_kmf_key(handle, &keys[i]); free(keys); } if (rv == KMF_ERR_KEY_NOT_FOUND && - parms->kstype != KMF_KEYSTORE_OPENSSL) + kstype != KMF_KEYSTORE_OPENSSL) rv = KMF_OK; return (rv); } @@ -239,7 +308,13 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass, KMF_CERT_VALIDITY find_criteria_flag) { KMF_RETURN rv; - KMF_LISTCRL_PARAMS lcrlargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + boolean_t token_bool = B_TRUE; + boolean_t private = B_FALSE; + KMF_KEY_CLASS keyclass; + KMF_ENCODE_FORMAT format; /* * Symmetric keys and RSA/DSA private keys are always 
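Review bot: Both pk_find_certs and pk_list_keys append up to two entries to the caller-supplied `attrlist` (`KMF_COUNT_ATTR`, then `KMF_X509_DER_CERT_ATTR` or `KMF_KEY_HANDLE_ATTR`) without any way of knowing the array's capacity, so the requirement that callers leave two free slots lives only in the callers' `attrlist[16]` sizing. Document it on each definition, for example `/* attrlist must have room for two entries beyond numattr */`, or pass the capacity alongside `numattr`. In pk_find_certs the second `kmf_find_cert` relies on `numcerts` from the first call still matching the keystore; if the token contents change in between, the plugin may have more certificates than `certlist` holds, and whether it honours `KMF_COUNT_ATTR` as a bound is not visible here, so that contract is worth a comment. The `numcerts`/`numkeys` counters are `uint32_t` but compared against an `int i` and printed with `%d`, a pre-existing mismatch the rewrite could fix with `%u`.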
@@ -250,85 +325,176 @@ list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass, oclass |= PK_PRIVATE_OBJ; rv = select_token(kmfhandle, token, - !(oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ))); + !(oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ))); if (rv != KMF_OK) { return (rv); } if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) { - KMF_FINDKEY_PARAMS parms; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, objlabel, + strlen(objlabel)); + numattr++; + } + + private = ((oclass & PK_PRIVATE_OBJ) > 0); + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PRIVATE_BOOL_ATTR, &private, + sizeof (private)); + numattr++; - (void) memset(&parms, 0, sizeof (parms)); - parms.kstype = KMF_KEYSTORE_PK11TOKEN; + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_BOOL_ATTR, &token_bool, + sizeof (token_bool)); + numattr++; if (oclass & PK_PRIKEY_OBJ) { - parms.keyclass = KMF_ASYM_PRI; - parms.findLabel = objlabel; - parms.cred = *tokencred; - parms.pkcs11parms.private = - ((oclass & PK_PRIVATE_OBJ) > 0); - parms.pkcs11parms.token = 1; + int num = numattr; + + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + if (tokencred != NULL && + tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, num, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + num++; + } /* list asymmetric private keys */ - rv = pk_list_keys(kmfhandle, &parms); + rv = pk_list_keys(kmfhandle, attrlist, num); } if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - parms.keyclass = KMF_SYMMETRIC; - parms.findLabel = objlabel; - parms.cred = *tokencred; - parms.format = KMF_FORMAT_RAWKEY; - parms.pkcs11parms.private = - ((oclass & PK_PRIVATE_OBJ) > 0); - parms.pkcs11parms.token = 1; + int num = numattr; + + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, + 
KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + if (tokencred != NULL && + tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, num, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + num++; + } + + format = KMF_FORMAT_RAWKEY; + kmf_set_attr_at_index(attrlist, num, + KMF_ENCODE_FORMAT_ATTR, &format, + sizeof (format)); + num++; /* list symmetric keys */ - rv = pk_list_keys(kmfhandle, &parms); + rv = pk_list_keys(kmfhandle, attrlist, num); } if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { - parms.keyclass = KMF_ASYM_PUB; - parms.findLabel = objlabel; - parms.pkcs11parms.private = - ((oclass & PK_PRIVATE_OBJ) > 0); - parms.pkcs11parms.token = 1; + int num = numattr; + + keyclass = KMF_ASYM_PUB; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; /* list asymmetric public keys (if any) */ - rv = pk_list_keys(kmfhandle, &parms); + rv = pk_list_keys(kmfhandle, attrlist, num); } if (rv != KMF_OK) return (rv); } + numattr = 0; if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { - KMF_FINDCERT_PARAMS parms; - - (void) memset(&parms, 0, sizeof (parms)); - parms.kstype = KMF_KEYSTORE_PK11TOKEN; - parms.certLabel = objlabel; - parms.issuer = issuer; - parms.subject = subject; - parms.serial = serial; - parms.pkcs11parms.private = FALSE; - parms.find_cert_validity = find_criteria_flag; - - rv = pk_find_certs(kmfhandle, &parms); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (objlabel != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, objlabel, + strlen(objlabel)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + 
kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_PRIVATE_BOOL_ATTR, &private, + sizeof (private)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, + sizeof (KMF_CERT_VALIDITY)); + numattr++; + + rv = pk_find_certs(kmfhandle, attrlist, numattr); if (rv != KMF_OK) return (rv); } + numattr = 0; + kstype = KMF_KEYSTORE_OPENSSL; /* CRL is file-based */ if (oclass & PK_CRL_OBJ) { - char *crldata; + char *crldata = NULL; - (void) memset(&lcrlargs, 0, sizeof (lcrlargs)); - lcrlargs.kstype = KMF_KEYSTORE_OPENSSL; - lcrlargs.sslparms.dirpath = dir; - lcrlargs.sslparms.crlfile = filename; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - rv = KMF_ListCRL(kmfhandle, &lcrlargs, &crldata); - if (rv == KMF_OK) { + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, strlen(dir)); + numattr++; + } + if (filename != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CRL_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR, + &crldata, sizeof (char *)); + numattr++; + + rv = kmf_list_crl(kmfhandle, numattr, attrlist); + if (rv == KMF_OK && crldata != NULL) { (void) printf("%s\n", crldata); free(crldata); } 
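Review bot: The certificate search now passes `private` as `KMF_PRIVATE_BOOL_ATTR`, but `private` is the variable the key section set from `(oclass & PK_PRIVATE_OBJ) > 0` earlier in the same function, whereas the removed code hard-coded `parms.pkcs11parms.private = FALSE` for certificates. Since the function's prologue ORs `PK_PRIVATE_OBJ` into `oclass` whenever symmetric or private keys are requested, a combined key-and-certificate listing now asks the token for private certificate objects, which it previously never did. Reset it before the certificate block, `private = B_FALSE;`, or use a separate `boolean_t cert_private = B_FALSE;`. The `KMF_BIGINT_ATTR` entry for `serial` assumes the parameter already points at a `KMF_BIGINT`; that matches the old `parms.serial = serial` assignment but is worth stating in a comment given the `sizeof (KMF_BIGINT)` length.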
@@ -344,28 +510,67 @@ list_file_objects(KMF_HANDLE_T kmfhandle, int oclass, KMF_CERT_VALIDITY find_criteria_flag) { int rv; - KMF_FINDCERT_PARAMS fcargs; - KMF_FINDKEY_PARAMS fkargs; - KMF_LISTCRL_PARAMS lcrlargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEY_CLASS keyclass; + KMF_ENCODE_FORMAT format; + char *defaultdir = "."; if (oclass & PK_KEY_OBJ) { - (void) memset(&fkargs, 0, sizeof (fkargs)); - fkargs.kstype = KMF_KEYSTORE_OPENSSL; - fkargs.sslparms.dirpath = dir; - fkargs.sslparms.keyfile = filename; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + if (dir == NULL && filename == NULL) + dir = defaultdir; + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, + strlen(dir)); + numattr++; + } + + if (filename != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEY_FILENAME_ATTR, filename, + strlen(filename)); + numattr++; + } + if (oclass & PK_PRIKEY_OBJ) { - fkargs.keyclass = KMF_ASYM_PRI; + int num = numattr; - rv = pk_list_keys(kmfhandle, &fkargs); + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + /* list asymmetric private keys */ + rv = pk_list_keys(kmfhandle, attrlist, num); } if (rv == KMF_ERR_KEY_NOT_FOUND) rv = KMF_OK; if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - fkargs.keyclass = KMF_SYMMETRIC; - fkargs.format = KMF_FORMAT_RAWKEY; + int num = numattr; - rv = pk_list_keys(kmfhandle, &fkargs); + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + format = KMF_FORMAT_RAWKEY; + kmf_set_attr_at_index(attrlist, num, + KMF_ENCODE_FORMAT_ATTR, &format, + sizeof (format)); + num++; + + /* list symmetric keys */ + rv = pk_list_keys(kmfhandle, attrlist, num); } if (rv == KMF_ERR_KEY_NOT_FOUND) rv = KMF_OK; 
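Review bot: `rv` is still declared as `int rv;` with no initializer, yet the rewritten key branch reads it at `if (rv == KMF_ERR_KEY_NOT_FOUND)` and `if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ))` even when `PK_PRIKEY_OBJ` is not in `oclass`, so a symmetric-key-only listing compares an indeterminate value and can silently skip the `pk_list_keys` call. Initialise it the way list_nss_objects does: `int rv = KMF_OK;`. The default `if (dir == NULL && filename == NULL) dir = defaultdir;` also rewrites the parameter only inside the `PK_KEY_OBJ` branch, so whether the certificate and CRL branches below see `"."` depends on keys having been requested; either hoist the default above the first `if` or add a comment stating that the file-based cert/CRL search intentionally gets no default directory. list_file_objects continues past the end of this hunk.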
@@ -373,32 +578,83 @@ list_file_objects(KMF_HANDLE_T kmfhandle, int oclass, return (rv); } + numattr = 0; if (oclass & PK_CERT_OBJ) { - (void) memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_OPENSSL; - fcargs.certLabel = NULL; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serial; - fcargs.sslparms.dirpath = dir; - fcargs.sslparms.certfile = filename; - fcargs.find_cert_validity = find_criteria_flag; - - rv = pk_find_certs(kmfhandle, &fcargs); + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + if (filename != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_FILENAME_ATTR, filename, + strlen(filename)); + numattr++; + } + + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_DIRPATH_ATTR, dir, + strlen(dir)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, + sizeof (KMF_CERT_VALIDITY)); + numattr++; + + rv = pk_find_certs(kmfhandle, attrlist, numattr); if (rv != KMF_OK) return (rv); } + numattr = 0; if (oclass & PK_CRL_OBJ) { - char *crldata; + char *crldata = NULL; - (void) memset(&lcrlargs, 0, sizeof (lcrlargs)); - lcrlargs.kstype = KMF_KEYSTORE_OPENSSL; - lcrlargs.sslparms.dirpath = dir; - lcrlargs.sslparms.crlfile = filename; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - rv = KMF_ListCRL(kmfhandle, &lcrlargs, &crldata); - if (rv == KMF_OK) { + if (dir != NULL) { + kmf_set_attr_at_index(attrlist, 
numattr, + KMF_DIRPATH_ATTR, dir, strlen(dir)); + numattr++; + } + if (filename != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CRL_FILENAME_ATTR, + filename, strlen(filename)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR, + &crldata, sizeof (char *)); + numattr++; + + rv = kmf_list_crl(kmfhandle, numattr, attrlist); + if (rv == KMF_OK && crldata != NULL) { (void) printf("%s\n", crldata); free(crldata); } 
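Review bot: `KMF_CRL_DATA_ATTR` is the only entry in this list that libkmf writes through rather than reads, and the ownership of the buffer it returns is only implied by the `free(crldata)` below it. A one-line comment at the `&crldata` line, such as `/* out-parameter: kmf_list_crl allocates *crldata, the caller frees it */`, would make the `crldata = NULL` initialisation and the `crldata != NULL` guard self-explanatory. The same comment belongs on the identical CRL block in list_pk11_objects earlier in this file.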
@@ -415,64 +671,163 @@ list_nss_objects(KMF_HANDLE_T kmfhandle, KMF_CERT_VALIDITY find_criteria_flag) { KMF_RETURN rv = KMF_OK; - KMF_FINDKEY_PARAMS fkargs; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEY_CLASS keyclass; + KMF_ENCODE_FORMAT format; rv = configure_nss(kmfhandle, dir, prefix); if (rv != KMF_OK) return (rv); + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + if (oclass & PK_KEY_OBJ) { - (void) memset(&fkargs, 0, sizeof (fkargs)); - fkargs.kstype = KMF_KEYSTORE_NSS; - fkargs.findLabel = nickname; - fkargs.cred = *tokencred; - fkargs.nssparms.slotlabel = token_spec; + if (tokencred != NULL && tokencred->credlen > 0) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CREDENTIAL_ATTR, tokencred, + sizeof (KMF_CREDENTIAL)); + numattr++; + } + + if (token_spec && strlen(token_spec)) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token_spec, + strlen(token_spec)); + numattr++; + } + + if (nickname != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYLABEL_ATTR, nickname, + strlen(nickname)); + numattr++; + } } if (oclass & PK_PRIKEY_OBJ) { - fkargs.keyclass = KMF_ASYM_PRI; - rv = pk_list_keys(kmfhandle, &fkargs); + int num = numattr; + + keyclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + /* list asymmetric private keys */ + rv = pk_list_keys(kmfhandle, attrlist, num); } + if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { - fkargs.keyclass = KMF_SYMMETRIC; - fkargs.format = KMF_FORMAT_RAWKEY; - rv = pk_list_keys(kmfhandle, &fkargs); + int num = numattr; + + keyclass = KMF_SYMMETRIC; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + format = KMF_FORMAT_RAWKEY; + kmf_set_attr_at_index(attrlist, num, + KMF_ENCODE_FORMAT_ATTR, &format, + sizeof (format)); + num++; + + /* list 
symmetric keys */ + rv = pk_list_keys(kmfhandle, attrlist, num); } + if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { - fkargs.keyclass = KMF_ASYM_PUB; - rv = pk_list_keys(kmfhandle, &fkargs); + int num = numattr; + + keyclass = KMF_ASYM_PUB; + kmf_set_attr_at_index(attrlist, num, + KMF_KEYCLASS_ATTR, &keyclass, + sizeof (keyclass)); + num++; + + /* list asymmetric public keys */ + rv = pk_list_keys(kmfhandle, attrlist, num); } /* If searching for public objects or certificates, find certs now */ + numattr = 0; if (rv == KMF_OK && (oclass & PK_CERT_OBJ)) { - KMF_FINDCERT_PARAMS fcargs; - - (void) memset(&fcargs, 0, sizeof (fcargs)); - fcargs.kstype = KMF_KEYSTORE_NSS; - fcargs.certLabel = nickname; - fcargs.issuer = issuer; - fcargs.subject = subject; - fcargs.serial = serial; - fcargs.nssparms.slotlabel = token_spec; - fcargs.find_cert_validity = find_criteria_flag; - - rv = pk_find_certs(kmfhandle, &fcargs); + kmf_set_attr_at_index(attrlist, numattr, + KMF_KEYSTORE_TYPE_ATTR, &kstype, + sizeof (kstype)); + numattr++; + + if (nickname != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_LABEL_ATTR, nickname, + strlen(nickname)); + numattr++; + } + + if (issuer != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_ISSUER_NAME_ATTR, issuer, + strlen(issuer)); + numattr++; + } + + if (subject != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_SUBJECT_NAME_ATTR, subject, + strlen(subject)); + numattr++; + } + + if (serial != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_BIGINT_ATTR, serial, + sizeof (KMF_BIGINT)); + numattr++; + } + + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, token_spec, + strlen(token_spec)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, + sizeof (KMF_CERT_VALIDITY)); + numattr++; + + rv = pk_find_certs(kmfhandle, attrlist, numattr); } + numattr = 0; if (rv == KMF_OK && (oclass & PK_CRL_OBJ)) { int 
numcrls; - KMF_FINDCRL_PARAMS fcrlargs; - (void) memset(&fcrlargs, 0, sizeof (fcrlargs)); - fcrlargs.kstype = KMF_KEYSTORE_NSS; - fcrlargs.nssparms.slotlabel = token_spec; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - rv = KMF_FindCRL(kmfhandle, &fcrlargs, NULL, &numcrls); + if (token_spec != NULL) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, + token_spec, strlen(token_spec)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_COUNT_ATTR, + &numcrls, sizeof (int)); + numattr++; + + rv = kmf_find_crl(kmfhandle, numattr, attrlist); if (rv == KMF_OK) { char **p; if (numcrls == 0) { (void) printf(gettext("No CRLs found in " - "NSS keystore.\n")); + "NSS keystore.\n")); return (KMF_OK); } @@ -481,13 +836,16 @@ list_nss_objects(KMF_HANDLE_T kmfhandle, return (KMF_ERR_MEMORY); } (void) memset(p, 0, numcrls * sizeof (char *)); - rv = KMF_FindCRL(kmfhandle, &fcrlargs, - p, &numcrls); + + kmf_set_attr_at_index(attrlist, numattr, + KMF_CRL_NAMELIST_ATTR, p, sizeof (char *)); + numattr++; + rv = kmf_find_crl(kmfhandle, numattr, attrlist); if (rv == KMF_OK) { int i; for (i = 0; i < numcrls; i++) { (void) printf("%d. Name = %s\n", - i + 1, p[i]); + i + 1, p[i]); free(p[i]); } } @@ -526,10 +884,10 @@ pk_list(int argc, char *argv[]) /* Parse command line options. Do NOT i18n/l10n. */ while ((opt = getopt_av(argc, argv, - "k:(keystore)t:(objtype)T:(token)d:(dir)" - "p:(prefix)n:(nickname)S:(serial)s:(subject)" - "c:(criteria)" - "i:(issuer)l:(label)f:(infile)")) != EOF) { + "k:(keystore)t:(objtype)T:(token)d:(dir)" + "p:(prefix)n:(nickname)S:(serial)s:(subject)" + "c:(criteria)" + "i:(issuer)l:(label)f:(infile)")) != EOF) { if (EMPTYSTRING(optarg_av)) return (PK_ERR_USAGE); switch (opt) { 
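Review bot: The token label is guarded two different ways in this hunk: the key branch uses `if (token_spec && strlen(token_spec))` while the certificate and CRL branches use `if (token_spec != NULL)`, so an empty string is omitted for keys but sent as a `KMF_TOKEN_LABEL_ATTR` with `valueLen` 0 for certificates and CRLs. Unless libkmf is known to treat a zero-length label as "unspecified", use one predicate in all three places, e.g. `if (token_spec != NULL && *token_spec != '\0')`. The `@@ -481,13 +836,16 @@` hunk that follows appends `KMF_CRL_NAMELIST_ATTR` to the same `attrlist` after the count query with the count attribute still attached; that fits the 16-entry array but deserves a short comment saying the list is deliberately reused for the second `kmf_find_crl` call.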
@@ -608,7 +966,7 @@ pk_list(int argc, char *argv[]) if (argc) return (PK_ERR_USAGE); - if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { + if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { /* Error message ? */ return (rv); } @@ -619,10 +977,10 @@ pk_list(int argc, char *argv[]) /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && - kstype != KMF_KEYSTORE_PK11TOKEN) { + kstype != KMF_KEYSTORE_PK11TOKEN) { (void) fprintf(stderr, gettext("The objtype parameter " - "is only relevant if keystore=pkcs11\n")); + "is only relevant if keystore=pkcs11\n")); return (PK_ERR_USAGE); } @@ -640,11 +998,11 @@ pk_list(int argc, char *argv[]) uchar_t *bytes = NULL; size_t bytelen; - rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen); + rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); if (rv != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " - "must be specified as a hex number " - "(ex: 0x0102030405ffeeddee)\n")); + "must be specified as a hex number " + "(ex: 0x0102030405ffeeddee)\n")); return (PK_ERR_USAGE); } serial.val = bytes; 
@@ -652,36 +1010,36 @@ pk_list(int argc, char *argv[]) } if ((kstype == KMF_KEYSTORE_PK11TOKEN || - kstype == KMF_KEYSTORE_NSS) && - (oclass & (PK_PRIKEY_OBJ | PK_PRIVATE_OBJ))) { + kstype == KMF_KEYSTORE_NSS) && + (oclass & (PK_PRIKEY_OBJ | PK_PRIVATE_OBJ))) { (void) get_token_password(kstype, token_spec, - &tokencred); + &tokencred); } if (kstype == KMF_KEYSTORE_PK11TOKEN) { rv = list_pk11_objects(kmfhandle, token_spec, - oclass, list_label, &serial, - issuer, subject, dir, filename, - &tokencred, find_criteria_flag); + oclass, list_label, &serial, + issuer, subject, dir, filename, + &tokencred, find_criteria_flag); } else if (kstype == KMF_KEYSTORE_NSS) { if (dir == NULL) dir = PK_DEFAULT_DIRECTORY; rv = list_nss_objects(kmfhandle, - oclass, token_spec, dir, prefix, - list_label, &serial, issuer, subject, - &tokencred, find_criteria_flag); + oclass, token_spec, dir, prefix, + list_label, &serial, issuer, subject, + &tokencred, find_criteria_flag); } else if (kstype == KMF_KEYSTORE_OPENSSL) { rv = list_file_objects(kmfhandle, - oclass, dir, filename, - &serial, issuer, subject, find_criteria_flag); + oclass, dir, filename, + &serial, issuer, subject, find_criteria_flag); } if (rv != KMF_OK) { display_error(kmfhandle, rv, - gettext("Error listing objects")); + gettext("Error listing objects")); } if (serial.val != NULL) @@ -690,6 +1048,6 @@ pk_list(int argc, char *argv[]) if (tokencred.cred != NULL) free(tokencred.cred); - (void) KMF_Finalize(kmfhandle); + (void) kmf_finalize(kmfhandle); return (rv); } diff --git a/usr/src/cmd/cmd-crypto/pktool/pktool.c b/usr/src/cmd/cmd-crypto/pktool/pktool.c index 33e7441bf2..3ca028cd28 100644 --- a/usr/src/cmd/cmd-crypto/pktool/pktool.c +++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c 
@@ -94,7 +94,7 @@ static verbcmd cmds[] = { "[ subject=subject-DN ]\n\t\t" "[ keystore=pkcs11 ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" + "[ serial=serial number ]\n\t\t" "[ label=cert-label ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t\t" "[ criteria=valid|expired|both ]\n\t" @@ -112,7 +112,7 @@ static verbcmd cmds[] = { "list keystore=nss objtype=cert\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" + "[ serial=serial number ]\n\t\t" "[ nickname=cert-nickname ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t\t" "[ dir=directory-path ]\n\t\t" @@ -128,7 +128,7 @@ static verbcmd cmds[] = { "list keystore=file objtype=cert\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" + "[ serial=serial number ]\n\t\t" "[ infile=cert-fn ]\n\t\t" "[ dir=directory-path ]\n\t\t" "[ criteria=valid|expired|both ]\n\t" @@ -152,8 +152,8 @@ static verbcmd cmds[] = { "delete keystore=nss objtype=cert\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" - "[ nickname=cert-nickname ]\n\t\t" + "[ serial=serial number ]\n\t\t" + "[ label=cert-label ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t\t" "[ dir=directory-path ]\n\t\t" "[ prefix=DBprefix ]\n\t\t" @@ -175,7 +175,7 @@ static verbcmd cmds[] = { "delete keystore=pkcs11 objtype=cert[:[public | private | both]]\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" + "[ serial=serial number ]\n\t\t" "[ label=cert-label ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t\t" "[ criteria=valid|expired|both ]\n\t" @@ -192,7 +192,7 @@ static verbcmd cmds[] = { "delete keystore=file objtype=cert\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" + "[ serial=serial number ]\n\t\t" "[ infile=cert-fn ]\n\t\t" "[ dir=directory-path ]\n\t\t" "[ criteria=valid|expired|both ]\n\t" 
@@ -228,7 +228,11 @@ static verbcmd cmds[] = { "import keystore=pkcs11\n\t\t" "infile=input-fn\n\t\t" - "label=cert-label\n\t\t" + "label=label\n\t\t" + "[ objtype=cert|key ]\n\t\t" + "[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" + "[ sensitive=y|n ]\n\t\t" + "[ extractable=y|n ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t" "import keystore=pkcs11 objtype=crl\n\t\t" @@ -263,8 +267,8 @@ static verbcmd cmds[] = { "[ objtype=cert|key ]\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" - "[ nickname=cert-nickname]\n\t\t" + "[ serial=serial number ]\n\t\t" + "[ nickname=cert-nickname ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t\t" "[ dir=directory-path ]\n\t\t" "[ prefix=DBPrefix ]\n\t\t" @@ -272,11 +276,12 @@ static verbcmd cmds[] = { "export keystore=pkcs11\n\t\t" "outfile=output-fn\n\t\t" - "[ label=cert-label]\n\t\t" + "[ objtype=cert|key ]\n\t\t" + "[ label=label ]\n\t\t" "[ subject=subject-DN ]\n\t\t" "[ issuer=issuer-DN ]\n\t\t" - "[ serial=serial number]\n\t\t" - "[ outformat=pem|der|pkcs12]\n\t\t" + "[ serial=serial number ]\n\t\t" + "[ outformat=pem|der|pkcs12|raw ]\n\t\t" "[ token=token[:manuf[:serial]]]\n\t" "export keystore=file\n\t\t" @@ -341,7 +346,7 @@ static verbcmd cmds[] = { "[ prefix=DBprefix ]\n\t\t" "[ keytype=rsa|dsa ]\n\t\t" "[ keylen=key-size ]\n\t\t" - "[ format=pem|der]\n\t" + "[ format=pem|der ]\n\t" "gencsr [-i] [ keystore=pkcs11 ]\n\t\t" "label=key-label\n\t\t" "outcsr=csr-fn\n\t\t" @@ -351,7 +356,7 @@ static verbcmd cmds[] = { "[ token=token[:manuf[:serial]]]\n\t\t" "[ keytype=rsa|dsa ]\n\t\t" "[ keylen=key-size ]\n\t\t" - "[ format=pem|der]\n\t" + "[ format=pem|der ]]\n\t" "gencsr [-i] keystore=file\n\t\t" "outcsr=csr-fn\n\t\t" "outkey=key-fn\n\t\t" @@ -361,7 +366,7 @@ static verbcmd cmds[] = { "[ keytype=rsa|dsa ]\n\t\t" "[ keylen=key-size ]\n\t\t" "[ dir=directory-path ]\n\t\t" - "[ format=pem|der]\n\t" + "[ format=pem|der ]\n\t" }, { "download", pk_download, 0, 
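Review bot: The replacement line `"[ format=pem|der ]]\n\t"` in the `@@ -351,7 +356,7 @@` hunk closes the bracket twice, while the two sibling fixes at `@@ -341,7 +346,7 @@` and `@@ -361,7 +366,7 @@` correctly produce `"[ format=pem|der ]\n\t"`. This is the gencsr keystore=nss usage text shown to users, so it should read `"[ format=pem|der ]\n\t"` like the others.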
@@ -486,7 +491,8 @@ process_arg_file(char *argfile, char ***argv, int *argc) if (!strlen(argline)) continue; - (*argv) = realloc((*argv), (nargs + 1) * sizeof (char *)); + (*argv) = realloc((*argv), + (nargs + 1) * sizeof (char *)); if ((*argv) == NULL) { perror("memory error"); (void) fclose(fp); diff --git a/usr/src/cmd/cmd-crypto/pktool/setpin.c b/usr/src/cmd/cmd-crypto/pktool/setpin.c index 62416e8c7d..d7538566bd 100644 --- a/usr/src/cmd/cmd-crypto/pktool/setpin.c +++ b/usr/src/cmd/cmd-crypto/pktool/setpin.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -45,23 +45,30 @@ setpin_nss(KMF_HANDLE_T handle, char *token_spec, char *dir, char *prefix) { int rv = 0; - KMF_SETPIN_PARAMS params; - KMF_CREDENTIAL newpincred = { NULL, 0 }; + KMF_CREDENTIAL oldcred = {NULL, 0}; + KMF_CREDENTIAL newpincred = {NULL, 0}; CK_UTF8CHAR_PTR old_pin = NULL, new_pin = NULL; CK_ULONG old_pinlen = 0, new_pinlen = 0; + KMF_ATTRIBUTE setpinattrs[6]; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; + int numattrs = 0; rv = configure_nss(handle, dir, prefix); if (rv != KMF_OK) return (rv); - (void) memset(¶ms, 0, sizeof (params)); - params.kstype = KMF_KEYSTORE_NSS; - params.tokenname = token_spec; - params.nssparms.slotlabel = token_spec; + kmf_set_attr_at_index(setpinattrs, numattrs, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattrs++; + if (token_spec != NULL) { + kmf_set_attr_at_index(setpinattrs, numattrs, + KMF_TOKEN_LABEL_ATTR, + token_spec, strlen(token_spec)); + numattrs++; + } if ((rv = get_pin(gettext("Enter current token passphrase " - "(<CR> if not set):"), NULL, &old_pin, &old_pinlen)) != - CKR_OK) { + "(<CR> if not set):"), NULL, &old_pin, &old_pinlen)) != CKR_OK) { cryptoerror(LOG_STDERR, gettext("Unable to get token passphrase.")); return (PK_ERR_NSS); 
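Review bot: `(*argv) = realloc((*argv), (nargs + 1) * sizeof (char *));` still overwrites the caller's pointer before the result is checked, so when realloc fails the previously grown array, and the argument strings it references, are unreachable on the error path that follows. Keep the old pointer until the call succeeds: `char **tmp = realloc(*argv, (nargs + 1) * sizeof (char *));`, test `tmp == NULL` in the existing `perror`/`fclose` branch, then `*argv = tmp;` on success. The rest of that error path, and whether the old array is released there, lies outside the hunk.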
@@ -80,13 +87,20 @@ setpin_nss(KMF_HANDLE_T handle, return (PK_ERR_NSS); } - params.cred.cred = (char *)old_pin; - params.cred.credlen = old_pinlen; + oldcred.cred = (char *)old_pin; + oldcred.credlen = old_pinlen; + + kmf_set_attr_at_index(setpinattrs, numattrs, KMF_CREDENTIAL_ATTR, + &oldcred, sizeof (oldcred)); + numattrs++; newpincred.cred = (char *)new_pin; newpincred.credlen = new_pinlen; + kmf_set_attr_at_index(setpinattrs, numattrs, KMF_NEWPIN_ATTR, + &newpincred, sizeof (newpincred)); + numattrs++; - rv = KMF_SetTokenPin(handle, ¶ms, &newpincred); + rv = kmf_set_token_pin(handle, numattrs, setpinattrs); if (new_pin) free(new_pin); @@ -105,9 +119,12 @@ setpin_pkcs11(KMF_HANDLE_T handle, char *token_spec) CK_ULONG old_pinlen = 0, new_pinlen = 0; CK_RV rv = CKR_OK; char *token_name = NULL; - KMF_SETPIN_PARAMS params; CK_TOKEN_INFO token_info; - KMF_CREDENTIAL newpincred = { NULL, 0 }; + KMF_CREDENTIAL newpincred = {NULL, 0}; + KMF_CREDENTIAL oldcred = {NULL, 0}; + KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; + KMF_ATTRIBUTE attrlist[6]; + int numattr = 0; /* If nothing is specified, default is to use softtoken. */ if (token_spec == NULL) { @@ -115,7 +132,7 @@ setpin_pkcs11(KMF_HANDLE_T handle, char *token_spec) token_name = SOFT_TOKEN_LABEL; } - rv = KMF_PK11TokenLookup(NULL, token_spec, &slot_id); + rv = kmf_pk11_token_lookup(NULL, token_spec, &slot_id); if (rv == KMF_OK) { /* find the pin state for the selected token */ if (C_GetTokenInfo(slot_id, &token_info) != CKR_OK) 
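Review bot: `old_pin` and `new_pin` hold token passphrases in the clear, and the cleanup at `if (new_pin) free(new_pin);` releases the buffer without erasing it first (the matching `old_pin` release is below the hunk). Since `oldcred` and `newpincred` now alias those same buffers through `setpinattrs`, wipe them once `kmf_set_token_pin` has returned with an erase the compiler cannot elide (`explicit_bzero` where available, otherwise a volatile-byte loop), e.g. `explicit_bzero(new_pin, new_pinlen);` immediately before `free(new_pin);`. The same applies to the pkcs11 variant of this function later in the file.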
@@ -167,17 +184,31 @@ setpin_pkcs11(KMF_HANDLE_T handle, char *token_spec) return (PK_ERR_PK11); } - (void) memset(¶ms, 0, sizeof (params)); - params.kstype = KMF_KEYSTORE_PK11TOKEN; - params.tokenname = (char *)token_info.label; - params.cred.cred = (char *)old_pin; - params.cred.credlen = old_pinlen; - params.pkcs11parms.slot = slot_id; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + if (token_name != NULL) { + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, + token_name, strlen(token_name)); + numattr++; + } + oldcred.cred = (char *)old_pin; + oldcred.credlen = old_pinlen; + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + &oldcred, sizeof (oldcred)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_SLOT_ID_ATTR, + &slot_id, sizeof (slot_id)); + numattr++; newpincred.cred = (char *)new_pin; newpincred.credlen = new_pinlen; + kmf_set_attr_at_index(attrlist, numattr, KMF_NEWPIN_ATTR, + &newpincred, sizeof (newpincred)); + numattr++; - rv = KMF_SetTokenPin(handle, ¶ms, &newpincred); + rv = kmf_set_token_pin(handle, numattr, attrlist); /* Clean up. */ if (old_pin != NULL) @@ -250,7 +281,7 @@ pk_setpin(int argc, char *argv[]) token_spec = DEFAULT_NSS_TOKEN; } - if ((rv = KMF_Initialize(&handle, NULL, NULL)) != KMF_OK) + if ((rv = kmf_initialize(&handle, NULL, NULL)) != KMF_OK) return (rv); switch (kstype) { @@ -262,11 +293,11 @@ pk_setpin(int argc, char *argv[]) break; default: cryptoerror(LOG_STDERR, - gettext("incorrect keystore.")); + gettext("incorrect keystore.")); return (PK_ERR_USAGE); } - (void) KMF_Finalize(handle); + (void) kmf_finalize(handle); if (rv == KMF_ERR_AUTH_FAILED) { cryptoerror(LOG_STDERR, diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c index bc1b2181ed..670fea791c 100644 --- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c 
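Review bot: The removed code passed `token_info.label` as the token name, whereas the new `if (token_name != NULL)` block passes `token_name`, which in the `@@ -105,9 +119,12 @@` hunk above is initialised to NULL and, as far as this diff shows, is only assigned `SOFT_TOKEN_LABEL` when `token_spec == NULL`. If no other assignment exists outside the hunk, an explicitly specified token reaches `kmf_set_token_pin` with no `KMF_TOKEN_LABEL_ATTR` at all and only `KMF_SLOT_ID_ATTR` identifying it; either confirm the slot id alone is sufficient for libkmf or derive `token_name` from the looked-up token as the old code did. The `/* Clean up. */` path that releases `old_pin` and `new_pin` continues outside the hunk.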
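Review bot: In the `@@ -262,11 +293,11 @@` hunk the `default:` branch returns `PK_ERR_USAGE` after `kmf_initialize(&handle, NULL, NULL)` succeeded in the `@@ -250,7 +281,7 @@` hunk above, so the KMF handle never reaches `kmf_finalize` on that path. Either validate `kstype` before initialising, or let the branch fall through to the finalize call: `rv = PK_ERR_USAGE; break;` and then `if (rv == PK_ERR_USAGE) return (rv);` right after `(void) kmf_finalize(handle);`. The remainder of pk_setpin is outside the hunk.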
+++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/kssladm_create.c @@ -52,25 +52,25 @@ usage_create(boolean_t do_print) if (do_print) (void) fprintf(stderr, "Usage:\n"); (void) fprintf(stderr, "kssladm create" - " -f pkcs11 [-d softtoken_directory] -T <token_label>" - " -C <certificate_label> -x <proxy_port>" - " [-h <ca_certchain_file>]" - " [options] [<server_address>] [<server_port>]\n"); + " -f pkcs11 [-d softtoken_directory] -T <token_label>" + " -C <certificate_label> -x <proxy_port>" + " [-h <ca_certchain_file>]" + " [options] [<server_address>] [<server_port>]\n"); (void) fprintf(stderr, "kssladm create" - " -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>" - " [options] [<server_address>] [<server_port>]\n"); + " -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>" + " [options] [<server_address>] [<server_port>]\n"); (void) fprintf(stderr, "kssladm create" - " -f pem -i <cert_and_key_pemfile> -x <proxy_port>" - " [options] [<server_address>] [<server_port>]\n"); + " -f pem -i <cert_and_key_pemfile> -x <proxy_port>" + " [options] [<server_address>] [<server_port>]\n"); (void) fprintf(stderr, "options are:\n" - "\t[-c <ciphersuites>]\n" - "\t[-p <password_file>]\n" - "\t[-t <ssl_session_cache_timeout>]\n" - "\t[-z <ssl_session_cache_size>]\n" - "\t[-v]\n"); + "\t[-c <ciphersuites>]\n" + "\t[-p <password_file>]\n" + "\t[-t <ssl_session_cache_timeout>]\n" + "\t[-z <ssl_session_cache_size>]\n" + "\t[-v]\n"); } /* @@ -135,7 +135,7 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, if (!nxkey) { bzero(priv_key_bignums, sizeof (KMF_BIGINT) * - MAX_ATTR_CNT); + MAX_ATTR_CNT); /* and the key attributes */ priv_key_bignums[0] = rsa->rawdata.rsa.mod; priv_key_bignums[1] = rsa->rawdata.rsa.pubexp; 
@@ -147,9 +147,9 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, priv_key_bignums[7] = rsa->rawdata.rsa.coef; if (rsa->rawdata.rsa.mod.val == NULL || - rsa->rawdata.rsa.priexp.val == NULL) { + rsa->rawdata.rsa.priexp.val == NULL) { (void) fprintf(stderr, - "missing required attributes in private key.\n"); + "missing required attributes in private key.\n"); return (NULL); } @@ -158,9 +158,9 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, if (priv_key_bignums[i].val == NULL) continue; kssl_attrs[attr_cnt].ka_type = - kssl_tmpl_attrs[i].ka_type; + kssl_tmpl_attrs[i].ka_type; kssl_attrs[attr_cnt].ka_value_len = - priv_key_bignums[i].len; + priv_key_bignums[i].len; bufsize += sizeof (crypto_object_attribute_t) + kssl_attrs[attr_cnt].ka_value_len; attr_cnt++; @@ -173,7 +173,7 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, */ for (attr_cnt = 0; attr_cnt < 5; attr_cnt++) { bufsize += sizeof (crypto_object_attribute_t) + - exkey_attrs[attr_cnt].ulValueLen; + exkey_attrs[attr_cnt].ulValueLen; } if (creds) bufsize += creds->credlen; @@ -209,7 +209,7 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, if (priv_key_bignums[i].val == NULL) continue; (void) memcpy(buf, priv_key_bignums[i].val, - priv_key_bignums[i].len); + priv_key_bignums[i].len); kssl_attrs[attr_cnt].ka_value_offset = buf - (char *)kssl_params; buf += kssl_attrs[attr_cnt].ka_value_len; @@ -227,10 +227,10 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, */ kssl_params->kssl_is_nxkey = 1; bcopy(tlabel, kssl_params->kssl_token.toklabel, - CRYPTO_EXT_SIZE_LABEL); + CRYPTO_EXT_SIZE_LABEL); kssl_params->kssl_token.pinlen = creds->credlen; kssl_params->kssl_token.tokpin_offset = - buf - (char *)kssl_params; + buf - (char *)kssl_params; kssl_params->kssl_token.ck_rv = 0; bcopy(creds->cred, buf, creds->credlen); buf += creds->credlen; 
@@ -248,11 +248,11 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, buf += attr_cnt * sizeof (kssl_object_attribute_t); for (i = 0; i < attr_cnt; i++) { bcopy(exkey_attrs[i].pValue, buf, - exkey_attrs[i].ulValueLen); + exkey_attrs[i].ulValueLen); kssl_attrs[i].ka_type = exkey_attrs[i].type; kssl_attrs[i].ka_value_offset = - buf - (char *)kssl_params; + buf - (char *)kssl_params; kssl_attrs[i].ka_value_len = exkey_attrs[i].ulValueLen; buf += exkey_attrs[i].ulValueLen; @@ -260,7 +260,7 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, } /* Copy the key attributes array here */ bcopy(kssl_attrs, ((char *)kssl_params) + key->ks_attrs_offset, - attr_cnt * sizeof (kssl_object_attribute_t)); + attr_cnt * sizeof (kssl_object_attribute_t)); buf = (char *)P2ROUNDUP((uintptr_t)buf, sizeof (uint32_t)); @@ -301,8 +301,9 @@ kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts, * KMF_RAW_KEY format which is then passed along to KSSL by the caller. */ static KMF_RETURN -get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, - KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey) +get_sensitive_key_data(KMF_HANDLE_T kmfh, + KMF_CREDENTIAL *creds, char *keylabel, + char *idstr, KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey) { KMF_RETURN rv = KMF_OK; static CK_BYTE aes_param[16]; @@ -310,6 +311,8 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, static CK_KEY_TYPE privkey_type = CKK_RSA; static CK_BBOOL true = TRUE; static CK_BBOOL false = FALSE; + boolean_t kmftrue = B_TRUE; + boolean_t kmffalse = B_FALSE; char *err = NULL; char wrapkey_label[BUFSIZ]; int fd; 
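Review bot: The new `creds`, `keylabel` and `idstr` parameters in the `@@ -301,8 +301,9 @@` hunk replace the `KMF_FINDKEY_PARAMS` struct, but the block comment ending `passed along to KSSL by the caller.` above the signature says nothing about them; `creds` is dereferenced unconditionally later in this function (`creds->cred`, `creds->credlen` at `C_Login`) while `keylabel` and `idstr` are each guarded by a NULL check. Extend that comment with something like `creds must be non-NULL: it is used to log in to the token and is attached as KMF_CREDENTIAL_ATTR; keylabel and idstr are optional search filters and are referenced, not copied.` The start of that comment is above the hunk.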
@@ -317,6 +320,12 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, CK_RV ckrv; CK_SESSION_HANDLE pk11session; CK_BYTE aes_key_val[16]; + int numattr = 0; + int idx; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEYSTORE_TYPE kstype; + KMF_KEY_CLASS kclass; + KMF_ENCODE_FORMAT format; CK_MECHANISM aes_cbc_pad_mech = {CKM_AES_CBC_PAD, aes_param, sizeof (aes_param)}; @@ -344,25 +353,24 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, return (KMF_ERR_INTERNAL); } if (read(fd, aes_key_val, sizeof (aes_key_val)) != - sizeof (aes_key_val)) { + sizeof (aes_key_val)) { perror("Error reading from /dev/urandom"); (void) close(fd); return (KMF_ERR_INTERNAL); } (void) close(fd); - pk11session = KMF_GetPK11Handle(kmfh); + pk11session = kmf_get_pk11_handle(kmfh); /* * Login to create the wrap key stuff. */ ckrv = C_Login(pk11session, CKU_USER, - (CK_UTF8CHAR_PTR)fkparams->cred.cred, - fkparams->cred.credlen); + (CK_UTF8CHAR_PTR)creds->cred, creds->credlen); if (ckrv != CKR_OK && ckrv != CKR_USER_ALREADY_LOGGED_IN) { (void) fprintf(stderr, - "Cannot login to the token. error = %s\n", - pkcs11_strerror(ckrv)); + "Cannot login to the token. error = %s\n", + pkcs11_strerror(ckrv)); return (KMF_ERR_INTERNAL); } 
@@ -370,18 +378,64 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, * Turn the random key into a PKCS#11 session object. */ ckrv = SUNW_C_KeyToObject(pk11session, CKM_AES_CBC_PAD, aes_key_val, - sizeof (aes_key_val), &aes_key_obj); + sizeof (aes_key_val), &aes_key_obj); if (ckrv != CKR_OK) { (void) fprintf(stderr, - "Cannot create wrapping key. error = %s\n", - pkcs11_strerror(ckrv)); + "Cannot create wrapping key. error = %s\n", + pkcs11_strerror(ckrv)); return (KMF_ERR_INTERNAL); } /* * Find the original private key that we are going to wrap. */ - rv = KMF_FindKey(kmfh, fkparams, key, &nkeys); + kstype = KMF_KEYSTORE_PK11TOKEN; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; + + kclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR, + &kclass, sizeof (kclass)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + creds, sizeof (KMF_CREDENTIAL)); + numattr++; + + if (keylabel) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + keylabel, strlen(keylabel)); + numattr++; + } + if (idstr) { + kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR, + idstr, strlen(idstr)); + numattr++; + } + format = KMF_FORMAT_NATIVE; + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &format, sizeof (format)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, + &kmftrue, sizeof (kmftrue)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, + &kmftrue, sizeof (kmftrue)); + numattr++; + + nkeys = 1; + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &nkeys, sizeof (nkeys)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + key, sizeof (KMF_KEY_HANDLE)); + numattr++; + + rv = kmf_find_key(kmfh, numattr, attrlist); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error finding private key", err); goto out; 
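Review bot: `nkeys = 1` is bound into the list by address as `KMF_COUNT_ATTR`, and the same `attrlist` entry is reused by the second `kmf_find_key` call later in this function; if libkmf writes the number of matches back through that attribute, the second lookup no longer asks for exactly one key, so re-assert `nkeys = 1;` before the list is reused or document why the write-back cannot happen. Independently, the raw wrapping key in `aes_key_val` stays on the stack after `SUNW_C_KeyToObject` has turned it into a session object; clear it right after that call succeeds with an erase the compiler cannot drop (`explicit_bzero` where available, else a volatile-byte loop), since that buffer is what protects the wrapped private key. `numattr` reaches ten here and eleven after the final hunk, within the 16-entry `attrlist`, but an `assert(numattr < sizeof (attrlist) / sizeof (attrlist[0]));` at the appends would make the invariant checkable. The function continues past the hunk.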
@@ -392,8 +446,8 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, */ bzero(aes_param, sizeof (aes_param)); ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech, - aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, - NULL, &wrapped_privkey_len); + aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, + NULL, &wrapped_privkey_len); if (ckrv != CKR_OK) { /* * Most common error here is that the token doesn't @@ -402,8 +456,8 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, * the caller deal with it gracefully. */ (void) fprintf(stderr, - "Cannot get wrap key size. error = %s\n", - pkcs11_strerror(ckrv)); + "Cannot get wrap key size. error = %s\n", + pkcs11_strerror(ckrv)); rv = KMF_ERR_INTERNAL; goto out; } @@ -416,12 +470,12 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, * Now get the actual wrapped key data. */ ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech, - aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, - wrapped_privkey, &wrapped_privkey_len); + aes_key_obj, (CK_OBJECT_HANDLE)key->keyp, + wrapped_privkey, &wrapped_privkey_len); if (ckrv != CKR_OK) { (void) fprintf(stderr, - "Cannot wrap private key. error = %s\n", - pkcs11_strerror(ckrv)); + "Cannot wrap private key. error = %s\n", + pkcs11_strerror(ckrv)); rv = KMF_ERR_INTERNAL; goto out; } @@ -430,7 +484,7 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams, * it easier later. */ snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d", - getpid()); + getpid()); unwrap_tmpl[5].pValue = wrapkey_label; unwrap_tmpl[5].ulValueLen = strlen(wrapkey_label); 
@@ -440,12 +494,12 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams,
 * session private key.
 */
 ckrv = C_UnwrapKey(pk11session, &aes_cbc_pad_mech, aes_key_obj,
- wrapped_privkey, wrapped_privkey_len,
- unwrap_tmpl, 6, &sess_privkey_obj);
+ wrapped_privkey, wrapped_privkey_len,
+ unwrap_tmpl, 6, &sess_privkey_obj);
 if (ckrv != CKR_OK) {
 (void) fprintf(stderr,
- "Cannot unwrap private key. error = %s\n",
- pkcs11_strerror(ckrv));
+ "Cannot unwrap private key. error = %s\n",
+ pkcs11_strerror(ckrv));
 rv = KMF_ERR_INTERNAL;
 goto out;
 }
@@ -454,15 +508,51 @@ get_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams,
 * Use KMF to find the session key and return it as RAW data
 * so we can pass it along to KSSL.
 */
- fkparams->kstype = KMF_KEYSTORE_PK11TOKEN;
- fkparams->keyclass = KMF_ASYM_PRI;
- fkparams->format = KMF_FORMAT_RAWKEY;
- fkparams->findLabel = wrapkey_label;
- fkparams->pkcs11parms.sensitive = FALSE;
- fkparams->pkcs11parms.private = FALSE;
- fkparams->pkcs11parms.token = FALSE; /* <-- very important! */
-
- rv = KMF_FindKey(kmfh, fkparams, rawkey, &nkeys);
+ kclass = KMF_ASYM_PRI;
+ if ((idx = kmf_find_attr(KMF_KEYCLASS_ATTR, attrlist, numattr)) != -1) {
+ attrlist[idx].pValue = &kclass;
+ }
+
+ format = KMF_FORMAT_RAWKEY;
+ if ((idx = kmf_find_attr(KMF_ENCODE_FORMAT_ATTR, attrlist,
+ numattr)) != -1) {
+ attrlist[idx].pValue = &format;
+ }
+ if (wrapkey_label != NULL &&
+ (idx = kmf_find_attr(KMF_KEYLABEL_ATTR, attrlist, numattr)) != -1) {
+ attrlist[idx].pValue = wrapkey_label;
+ attrlist[idx].valueLen = strlen(wrapkey_label);
+ }
+
+ if ((idx = kmf_find_attr(KMF_PRIVATE_BOOL_ATTR, attrlist,
+ numattr)) != -1) {
+ attrlist[idx].pValue = &kmffalse;
+ }
+ if ((idx = kmf_find_attr(KMF_TOKEN_BOOL_ATTR, attrlist,
+ numattr)) != -1) {
+ attrlist[idx].pValue = &kmffalse;
+ }
+
+ if ((idx = kmf_find_attr(KMF_KEY_HANDLE_ATTR, attrlist,
+ numattr)) != -1) {
+ attrlist[idx].pValue = rawkey;
+ }
+ /*
+ * Clear the IDSTR attribute since it is not part of the
+ * wrapped session key.
+ */
+ if ((idx = kmf_find_attr(KMF_IDSTR_ATTR, attrlist,
+ numattr)) != -1) {
+ attrlist[idx].pValue = NULL;
+ attrlist[idx].valueLen = 0;
+ }
+
+ /* The wrapped key should not be sensitive. */
+ kmf_set_attr_at_index(attrlist, numattr, KMF_SENSITIVE_BOOL_ATTR,
+ &false, sizeof (false));
+ numattr++;
+
+ rv = kmf_find_key(kmfh, numattr, attrlist);
 if (rv != KMF_OK) {
 REPORT_KMF_ERROR(rv, "Error finding raw private key", err);
 goto out;
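Review bot: The `wrapkey_label != NULL &&` guard on the KMF_KEYLABEL_ATTR update is always true if wrapkey_label is the array that the earlier `snprintf(wrapkey_label, sizeof (wrapkey_label), …)` implies, so the condition should be just the kmf_find_attr lookup. The old `fkparams->pkcs11parms.token = FALSE; /* <-- very important! */` warning did not survive the rewrite; restore it on the KMF_TOKEN_BOOL_ATTR update, e.g. `/* must stay B_FALSE: the unwrapped key is a session object, not a token object */`, since the comments above describe the unwrapped key as a session private key and a token-scoped search would presumably not find it. The sensitive attribute is appended with `&false` while the neighbouring updates use `&kmffalse`; unless `false` is a separate variable declared above the hunk, use `&kmffalse` here as well. get_sensitive_key_data starts, and its `out:` cleanup ends, outside this hunk.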
@@ -489,38 +579,53 @@ load_from_pkcs11(const char *token_label, const char *password_file, KMF_X509_DER_CERT cert; KMF_KEY_HANDLE key, rawkey; KMF_CREDENTIAL creds; - KMF_FINDCERT_PARAMS fcparams; - KMF_FINDKEY_PARAMS fkparams; - KMF_CONFIG_PARAMS cfgparams; KMF_DATA iddata = { NULL, 0 }; kssl_params_t *kssl_params = NULL; uint32_t ncerts, nkeys; char *err, *idstr = NULL; char password_buf[1024]; int nxkey = 0; - - rv = KMF_Initialize(&kmfh, NULL, NULL); + int numattr = 0; + KMF_ATTRIBUTE attrlist[16]; + KMF_KEYSTORE_TYPE kstype; + KMF_KEY_CLASS kclass; + KMF_ENCODE_FORMAT format; + boolean_t false = B_FALSE; + boolean_t true = B_TRUE; + + rv = kmf_initialize(&kmfh, NULL, NULL); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error initializing KMF", err); return (0); } if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { + sizeof (password_buf)) <= 0) { perror("Unable to read passphrase"); goto done; } creds.cred = password_buf; creds.credlen = strlen(password_buf); - bzero(&cfgparams, sizeof (cfgparams)); - bzero(&fcparams, sizeof (fcparams)); - bzero(&fkparams, sizeof (fkparams)); + (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE)); + (void) memset(&rawkey, 0, sizeof (KMF_KEY_HANDLE)); - cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN; - cfgparams.pkcs11config.label = (char *)token_label; - cfgparams.pkcs11config.readonly = B_FALSE; + kstype = KMF_KEYSTORE_PK11TOKEN; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, + &kstype, sizeof (kstype)); + numattr++; - rv = KMF_ConfigureKeystore(kmfh, &cfgparams); + if (token_label && strlen(token_label)) { + kmf_set_attr_at_index(attrlist, numattr, + KMF_TOKEN_LABEL_ATTR, + (void *)token_label, strlen(token_label)); + numattr++; + } + + kmf_set_attr_at_index(attrlist, numattr, KMF_READONLY_ATTR, + &false, sizeof (false)); + numattr++; + + rv = kmf_configure_keystore(kmfh, numattr, attrlist); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error configuring KMF keystore", err); goto done; 
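Review bot: The `done:` cleanup of this function (past the hunk) frees `cert` and `key` according to `ncerts` and `nkeys`, yet the hunk zeroes only `key` and `rawkey`: `cert` is left uninitialised and `uint32_t ncerts, nkeys;` still carry no initialiser, so an early `goto done` from the passphrase or kmf_configure_keystore failure tests indeterminate counts and can hand an unfilled `cert` to kmf_free_kmf_cert. Initialise them at the declaration, `uint32_t ncerts = 0, nkeys = 0;`, and add `(void) memset(&cert, 0, sizeof (cert));` next to the two existing memsets. Separately, the locals `boolean_t false = B_FALSE;` and `boolean_t true = B_TRUE;` will break the moment `<stdbool.h>` reaches this file and read oddly in the meantime; get_sensitive_key_data already uses `kmftrue`/`kmffalse` for the same purpose, so use those names here too. load_from_pkcs11's body continues past this hunk.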
@@ -529,9 +634,28 @@ load_from_pkcs11(const char *token_label, const char *password_file,
 /*
 * Find the certificate matching the given label.
 */
- fcparams.kstype = KMF_KEYSTORE_PK11TOKEN;
- fcparams.certLabel = (char *)certname;
- rv = KMF_FindCert(kmfh, &fcparams, &cert, &ncerts);
+ numattr = 0;
+ kstype = KMF_KEYSTORE_PK11TOKEN;
+ kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
+ &kstype, sizeof (kstype));
+ numattr++;
+
+ if (certname) {
+ kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
+ (void *)certname, strlen(certname));
+ numattr++;
+ }
+ ncerts = 1;
+
+ kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
+ &ncerts, sizeof (ncerts));
+ numattr++;
+
+ kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
+ &cert, sizeof (cert));
+ numattr++;
+
+ rv = kmf_find_cert(kmfh, numattr, attrlist);
 
 if (rv != KMF_OK || ncerts == 0)
 goto done;
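Review bot: `ncerts = 1` is stored as the requested count before kmf_find_cert runs, and the `if (rv != KMF_OK || ncerts == 0) goto done;` test leaves it at 1 on the error path unless the library writes the count back on failure, so the cleanup at `done:` (outside this hunk) will call kmf_free_kmf_cert on a `cert` the search never filled. Reset the count when the search fails, `if (rv != KMF_OK || ncerts == 0) { ncerts = 0; goto done; }`, or zero `cert` before the search so that the free is harmless either way. Whether kmf_find_cert clears the count on failure is not visible from this diff, which is exactly why the caller should not depend on it.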
@@ -539,64 +663,100 @@ load_from_pkcs11(const char *token_label, const char *password_file, * Find the associated private key for this cert by * keying off of the label and the ASCII ID string. */ - rv = KMF_GetCertIDString(&cert.certificate, &idstr); + rv = kmf_get_cert_id_str(&cert.certificate, &idstr); if (rv != KMF_OK) goto done; - fkparams.kstype = KMF_KEYSTORE_PK11TOKEN; - fkparams.keyclass = KMF_ASYM_PRI; - fkparams.cred = creds; - fkparams.format = KMF_FORMAT_RAWKEY; - fkparams.findLabel = (char *)certname; - fkparams.idstr = idstr; - fkparams.pkcs11parms.private = TRUE; - fkparams.pkcs11parms.token = TRUE; + numattr = 1; /* attrlist[0] is already set to kstype */ + + kclass = KMF_ASYM_PRI; + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR, + &kclass, sizeof (kclass)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, + &creds, sizeof (KMF_CREDENTIAL)); + numattr++; - rv = KMF_FindKey(kmfh, &fkparams, &key, &nkeys); + format = KMF_FORMAT_RAWKEY; + kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, + &format, sizeof (format)); + numattr++; + + if (certname) { + kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, + (void *)certname, strlen(certname)); + numattr++; + } + if (idstr) { + kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR, + (void *)idstr, strlen(idstr)); + numattr++; + } + kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, + &true, sizeof (true)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, + &true, sizeof (true)); + numattr++; + + /* We only expect to find 1 key at most */ + nkeys = 1; + kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, + &nkeys, sizeof (nkeys)); + numattr++; + + kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, + &key, sizeof (KMF_KEY_HANDLE)); + numattr++; + + rv = kmf_find_key(kmfh, numattr, attrlist); if (rv == KMF_ERR_SENSITIVE_KEY) { - KMF_FreeKMFKey(kmfh, &key); + kmf_free_kmf_key(kmfh, 
&key); /* * Get a normal key handle and then do a wrap/unwrap * in order to get the necessary raw data fields needed * to send to KSSL. */ - fkparams.format = KMF_FORMAT_NATIVE; - rv = get_sensitive_key_data(kmfh, &fkparams, &key, &rawkey); + format = KMF_FORMAT_NATIVE; + rv = get_sensitive_key_data(kmfh, &creds, + (char *)certname, idstr, &key, &rawkey); if (rv == KMF_OK) { /* Swap "key" for "rawkey" */ - KMF_FreeKMFKey(kmfh, &key); + kmf_free_kmf_key(kmfh, &key); key = rawkey; } else { - KMF_FreeKMFKey(kmfh, &key); + kmf_free_kmf_key(kmfh, &key); /* Let kssl try to find the key. */ nxkey = 1; - rv = KMF_GetCertIDData(&cert.certificate, &iddata); + rv = kmf_get_cert_id_data(&cert.certificate, &iddata); } } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) { - KMF_FreeKMFKey(kmfh, &key); + kmf_free_kmf_key(kmfh, &key); - /* Let kssl try to find the key. */ - nxkey = 1; - rv = KMF_GetCertIDData(&cert.certificate, &iddata); + /* Let kssl try to find the key. */ + nxkey = 1; + rv = kmf_get_cert_id_data(&cert.certificate, &iddata); } else if (rv != KMF_OK || nkeys == 0) goto done; if (rv == KMF_OK) kssl_params = kmf_to_kssl(nxkey, (KMF_RAW_KEY_DATA *)key.keyp, - 1, &cert.certificate, bufsize, - (char *)token_label, &iddata, &creds); + 1, &cert.certificate, bufsize, + (char *)token_label, &iddata, &creds); done: if (ncerts != 0) - KMF_FreeKMFCert(kmfh, &cert); + kmf_free_kmf_cert(kmfh, &cert); if (nkeys != 0) - KMF_FreeKMFKey(kmfh, &key); + kmf_free_kmf_key(kmfh, &key); if (idstr) free(idstr); if (kmfh != NULL) - (void) KMF_Finalize(kmfh); + (void) kmf_finalize(kmfh); return (kssl_params); } 
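Review bot: The `done:` cleanup releases the KMF certificate, key and handle but never clears `password_buf`, so the token passphrase that `creds.cred` points at (both declared earlier in the function, before this hunk) stays in the stack frame after load_from_pkcs11 returns; add `(void) memset(password_buf, 0, sizeof (password_buf));` before `return (kssl_params);`, using an explicit-zeroing primitive if the platform provides one, since a plain memset on memory that is never read again may be optimised away. The `numattr = 1; /* attrlist[0] is already set to kstype */` shortcut couples this key search to the attribute layout left behind by the certificate search in the previous hunk; starting from `numattr = 0` and re-adding the KMF_KEYSTORE_TYPE_ATTR entry costs three lines and removes the hidden dependency. This hunk starts on the previous line of the page.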
@@ -614,37 +774,55 @@ add_cacerts(kssl_params_t *old_params, const char *cacert_chain_file)
 char *buf;
 KMF_RETURN rv;
 KMF_X509_DER_CERT *certs = NULL;
- KMF_FINDCERT_PARAMS fcparms;
 kssl_params_t *kssl_params;
 KMF_HANDLE_T kmfh;
 char *err = NULL;
+ int numattr = 0;
+ KMF_ATTRIBUTE attrlist[16];
+ KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
 
- bzero(&fcparms, sizeof (fcparms));
- fcparms.kstype = KMF_KEYSTORE_OPENSSL;
- fcparms.sslparms.certfile = (char *)cacert_chain_file;
+ kstype = KMF_KEYSTORE_OPENSSL;
 
- rv = KMF_Initialize(&kmfh, NULL, NULL);
+ rv = kmf_initialize(&kmfh, NULL, NULL);
 if (rv != KMF_OK) {
 REPORT_KMF_ERROR(rv, "Error initializing KMF", err);
 return (0);
 }
 
- rv = KMF_FindCert(kmfh, &fcparms, NULL, &ncerts);
+ ncerts = 0;
+ kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
+ &kstype, sizeof (KMF_KEYSTORE_TYPE));
+ numattr++;
+
+ kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
+ (void *)cacert_chain_file, strlen(cacert_chain_file));
+ numattr++;
+
+ kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
+ &ncerts, sizeof (ncerts));
+ numattr++;
+
+ rv = kmf_find_cert(kmfh, numattr, attrlist);
 if (rv != KMF_OK) {
 REPORT_KMF_ERROR(rv, "Error finding CA certificates", err);
 (void) KMF_Finalize(kmfh);
 return (0);
 }
 certs = (KMF_X509_DER_CERT *)malloc(ncerts *
- sizeof (KMF_X509_DER_CERT));
+ sizeof (KMF_X509_DER_CERT));
 if (certs == NULL) {
 (void) fprintf(stderr, "memory allocation error.\n");
 (void) KMF_Finalize(kmfh);
 return (NULL);
 }
 bzero(certs, ncerts * sizeof (KMF_X509_DER_CERT));
- rv = KMF_FindCert(kmfh, &fcparms, certs, &ncerts);
- (void) KMF_Finalize(kmfh);
+ /* add new attribute for the cert list to be returned */
+ kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
+ certs, (ncerts * sizeof (KMF_X509_DER_CERT)));
+ numattr++;
+ rv = kmf_find_cert(kmfh, numattr, attrlist);
+
+ (void) kmf_finalize(kmfh);
 
 if (rv != KMF_OK || ncerts == 0) {
 bzero(old_params, old_params->kssl_params_size);
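Review bot: The two early-error paths inside this hunk still call `(void) KMF_Finalize(kmfh);` while the same function now uses `kmf_initialize` and `kmf_finalize`; if the old name only survives as a compatibility alias this is merely inconsistent, but both should read `(void) kmf_finalize(kmfh);` to match the rest of the change. `kstype` is initialised twice, in its declaration `KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;` and again by `kstype = KMF_KEYSTORE_OPENSSL;`, so one of the two can go. The error paths also mix `return (0)` and `return (NULL)` for the same pointer result; pick `NULL`. The remainder of add_cacerts, including what happens to the malloc'ed `certs` when the second search fails, lies outside this hunk.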
@@ -688,12 +866,12 @@ add_cacerts(kssl_params_t *old_params, const char *cacert_chain_file) /* now the certs values */ for (i = 0; i < ncerts; i++) { bcopy(certs[i].certificate.Data, buf, - certs[i].certificate.Length); + certs[i].certificate.Length); buf += certs[i].certificate.Length; } for (i = 0; i < ncerts; i++) - KMF_FreeKMFCert(kmfh, &certs[i]); + kmf_free_kmf_cert(kmfh, &certs[i]); free(certs); return (kssl_params); @@ -711,7 +889,7 @@ load_from_pem(const char *filename, const char *password_file, int *paramsize) KMF_DATA *certs = NULL; ncerts = PEM_get_rsa_key_certs(filename, (char *)password_file, - &rsa, &certs); + &rsa, &certs); if (rsa == NULL || certs == NULL || ncerts == 0) { return (NULL); } @@ -720,12 +898,12 @@ load_from_pem(const char *filename, const char *password_file, int *paramsize) (void) printf("%d certificates read successfully\n", ncerts); kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL, - NULL, NULL); + NULL, NULL); for (i = 0; i < ncerts; i++) - KMF_FreeData(&certs[i]); + kmf_free_data(&certs[i]); free(certs); - KMF_FreeRawKey(rsa); + kmf_free_raw_key(rsa); return (kssl_params); } @@ -743,7 +921,7 @@ load_from_pkcs12(const char *filename, const char *password_file, int ncerts = 0, i; ncerts = PKCS12_get_rsa_key_certs(filename, - password_file, &rsa, &certs); + password_file, &rsa, &certs); if (certs == NULL || ncerts == 0) { (void) fprintf(stderr, @@ -755,13 +933,13 @@ load_from_pkcs12(const char *filename, const char *password_file, (void) printf("%d certificates read successfully\n", ncerts); kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL, - NULL, NULL); + NULL, NULL); for (i = 0; i < ncerts; i++) - KMF_FreeData(&certs[i]); + kmf_free_data(&certs[i]); free(certs); - KMF_FreeRawKey(rsa); + kmf_free_raw_key(rsa); return (kssl_params); } diff --git a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c index 30f9d5f581..42fca362e3 100644 
--- a/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c +++ b/usr/src/cmd/cmd-inet/usr.sbin/kssl/kssladm/ksslutil.c @@ -51,7 +51,7 @@ PKCS12_get_rsa_key_certs(const char *filename, const char *password_file, int ncerts, nkeys; char *err = NULL; - rv = KMF_Initialize(&kmfh, NULL, NULL); + rv = kmf_initialize(&kmfh, NULL, NULL); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error initializing KMF", err); return (0); @@ -63,15 +63,15 @@ PKCS12_get_rsa_key_certs(const char *filename, const char *password_file, nkeys = 0; if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { + sizeof (password_buf)) <= 0) { perror("Unable to read passphrase"); goto done; } pk12cred.cred = password_buf; pk12cred.credlen = strlen(password_buf); - rv = KMF_ImportPK12(kmfh, (char *)filename, &pk12cred, &tcerts, &ncerts, - &keys, &nkeys); + rv = kmf_import_objects(kmfh, (char *)filename, &pk12cred, &tcerts, + &ncerts, &keys, &nkeys); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error importing PKCS12 data", err); } @@ -81,14 +81,14 @@ done: int i; if (tcerts != NULL) { for (i = 0; i < ncerts; i++) - KMF_FreeData(&tcerts[i]); + kmf_free_data(&tcerts[i]); free(tcerts); } tcerts = NULL; ncerts = 0; if (keys != NULL) { for (i = 0; i < nkeys; i++) - KMF_FreeRawKey(&keys[i]); + kmf_free_raw_key(&keys[i]); free(keys); } keys = NULL; @@ -96,7 +96,7 @@ done: *certs = tcerts; *rsa = keys; - (void) KMF_Finalize(kmfh); + (void) kmf_finalize(kmfh); return (ncerts); } @@ -119,7 +119,7 @@ PEM_get_rsa_key_certs(const char *filename, char *password_file, char *err = NULL; char password_buf[1024]; - rv = KMF_Initialize(&kmfh, NULL, NULL); + rv = kmf_initialize(&kmfh, NULL, NULL); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error initializing KMF", err); return (0); 
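Review bot: The import now goes through the generic `kmf_import_objects` instead of the PKCS#12-specific call, but the passphrase handling around it is untouched: `password_buf` is filled by get_passphrase, referenced through `pk12cred.cred`, and never cleared, so the PKCS#12 password outlives PKCS12_get_rsa_key_certs in its stack frame. Clear it before the function returns with `(void) memset(password_buf, 0, sizeof (password_buf));`, preferably through an explicit-zeroing primitive if the platform has one, since a plain memset on dead memory may be optimised away. The `REPORT_KMF_ERROR(rv, "Error importing PKCS12 data", err);` branch then falls through to `done:` with `ncerts` and `nkeys` holding whatever the importer left, which the cleanup in the following hunk presumably tolerates but is worth confirming against kmf_import_objects' failure contract. The function's declarations and the `done:` block straddle this hunk's edges.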
@@ -131,15 +131,15 @@ PEM_get_rsa_key_certs(const char *filename, char *password_file, nkeys = 0; if (get_passphrase(password_file, password_buf, - sizeof (password_buf)) <= 0) { + sizeof (password_buf)) <= 0) { perror("Unable to read passphrase"); goto done; } creds.cred = password_buf; creds.credlen = strlen(password_buf); - rv = KMF_ImportKeypair(kmfh, (char *)filename, &creds, &tcerts, &ncerts, - &keys, &nkeys); + rv = kmf_import_objects(kmfh, (char *)filename, &creds, &tcerts, + &ncerts, &keys, &nkeys); if (rv != KMF_OK) { REPORT_KMF_ERROR(rv, "Error importing key data", err); } @@ -149,14 +149,14 @@ done: int i; if (tcerts != NULL) { for (i = 0; i < ncerts; i++) - KMF_FreeData(&tcerts[i]); + kmf_free_data(&tcerts[i]); free(tcerts); } tcerts = NULL; ncerts = 0; if (keys != NULL) { for (i = 0; i < nkeys; i++) - KMF_FreeRawKey(&keys[i]); + kmf_free_raw_key(&keys[i]); free(keys); } keys = NULL; @@ -166,7 +166,7 @@ done: if (rsa != NULL) *rsa = keys; - (void) KMF_Finalize(kmfh); + (void) kmf_finalize(kmfh); return (ncerts); } |
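Review bot: PEM_get_rsa_key_certs has the same passphrase-lifetime gap as its PKCS#12 sibling: `password_buf` is referenced through `creds.cred`, handed to `kmf_import_objects`, and never cleared before `return (ncerts);`, so add `(void) memset(password_buf, 0, sizeof (password_buf));` ahead of the final kmf_finalize, via an explicit-zeroing primitive where one exists. In the last hunk, `if (rsa != NULL) *rsa = keys;` silently drops `keys` when the caller passes a NULL `rsa`; unless the conditional cleanup block shown in the preceding hunk already freed them, the imported raw private keys are then neither returned nor released, so either free them here or document that `rsa` is mandatory. The enclosing function starts before these hunks.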
