From 32991bedc3a6475f1401855c2318ae5b15f8a16b Mon Sep 17 00:00:00 2001 From: Peter Tribble Date: Mon, 13 Mar 2017 20:25:34 +0000 Subject: 5188 SVR4 packaging shouldn't depend on openssl or libwanboot Reviewed by: Igor Kozhukhov Reviewed by: Alexander Eremin Approved by: Gordon Ross --- usr/src/cmd/svr4pkg/pkgadm/Makefile | 11 +- usr/src/cmd/svr4pkg/pkgadm/addcert.c | 573 ------------------------------- usr/src/cmd/svr4pkg/pkgadm/certs.c | 239 ------------- usr/src/cmd/svr4pkg/pkgadm/listcert.c | 245 ------------- usr/src/cmd/svr4pkg/pkgadm/lock.c | 7 +- usr/src/cmd/svr4pkg/pkgadm/main.c | 51 +-- usr/src/cmd/svr4pkg/pkgadm/pkgadm.h | 19 +- usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h | 153 +-------- usr/src/cmd/svr4pkg/pkgadm/removecert.c | 201 ----------- 9 files changed, 20 insertions(+), 1479 deletions(-) delete mode 100644 usr/src/cmd/svr4pkg/pkgadm/addcert.c delete mode 100644 usr/src/cmd/svr4pkg/pkgadm/certs.c delete mode 100644 usr/src/cmd/svr4pkg/pkgadm/listcert.c delete mode 100644 usr/src/cmd/svr4pkg/pkgadm/removecert.c (limited to 'usr/src/cmd/svr4pkg/pkgadm') diff --git a/usr/src/cmd/svr4pkg/pkgadm/Makefile b/usr/src/cmd/svr4pkg/pkgadm/Makefile index 620e32cf0d..5706ea704e 100644 --- a/usr/src/cmd/svr4pkg/pkgadm/Makefile +++ b/usr/src/cmd/svr4pkg/pkgadm/Makefile @@ -20,22 +20,19 @@ # # +# Copyright (c) 2017 Peter Tribble. # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # PROG= pkgadm -OBJS= addcert.o \ - certs.o \ - listcert.o \ - lock.o \ - main.o \ - removecert.o +OBJS= lock.o \ + main.o include $(SRC)/cmd/svr4pkg/Makefile.svr4pkg -LDLIBS += -lpkg -ladm -lcrypto -lgen +LDLIBS += -lpkg -ladm -lgen .KEEP_STATE: all: $(PROG) diff --git a/usr/src/cmd/svr4pkg/pkgadm/addcert.c b/usr/src/cmd/svr4pkg/pkgadm/addcert.c deleted file mode 100644 index 0a1c7bdec0..0000000000 --- a/usr/src/cmd/svr4pkg/pkgadm/addcert.c +++ /dev/null @@ -1,573 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include "pkgadm.h" -#include "pkgadm_msgs.h" - -typedef enum { - VerifyFailed, - Accept, - Reject -} VerifyStatus; - -static VerifyStatus verify_trust(X509 *); -static boolean_t is_ca_cert(X509 *); - -/* - * Name: addcert - * Desc: Imports a user certificate into the keystore, along with a - * private key. - * Returns: 0 on success, non-zero otherwise. - */ -int -addcert(int argc, char **argv) -{ - int i; - char keystore_file[MAXPATHLEN] = ""; - char *keystore_base = NULL; - char *homedir; - char *passarg = NULL; - char *import_passarg = NULL; - char *altroot = NULL; - char *prog = NULL; - char *alias = NULL; - char *infile = NULL; - char *inkeyfile = NULL; - keystore_encoding_format_t informat = NULL; - char *informat_str = NULL; - int ret = 1; - boolean_t trusted = B_FALSE; - boolean_t implicit_trust = B_FALSE; - - FILE *certfile = NULL; - FILE *keyfile = NULL; - X509 *cert = NULL; - STACK_OF(X509) *trustcerts = NULL; - EVP_PKEY *key = NULL; - PKG_ERR *err = NULL; - keystore_handle_t keystore = NULL; - - while ((i = getopt(argc, argv, ":a:k:e:f:n:P:p:R:ty")) != EOF) { - switch (i) { - case 'a': - prog = optarg; - break; - case 'k': - keystore_base = optarg; - break; - case 'e': - inkeyfile = optarg; - break; - case 'f': - informat_str = optarg; - break; - case 'n': - alias = optarg; - break; - case 'P': - passarg = optarg; - break; - case 'p': - import_passarg = optarg; - break; - case 'R': - altroot = optarg; - break; - case 't': - trusted = B_TRUE; - break; - case 'y': - implicit_trust = B_TRUE; - break; - case ':': - log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt); - /* LINTED fallthrough intentional */ - case '?': - default: - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - } - - if (!trusted && alias == NULL) { - /* for untrusted (user) certs, we require a name */ - log_msg(LOG_MSG_ERR, MSG_USER_NAME); - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } else if (trusted && alias != NULL) { - /* for trusted certs, we cannot have a name */ - log_msg(LOG_MSG_ERR, MSG_TRUSTED_NAME); - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - - if (trusted && inkeyfile != NULL) { - /* for trusted certs, we cannot have a private key */ - log_msg(LOG_MSG_ERR, MSG_TRUSTED_KEY); - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - - /* last argument should be the path to the certificate */ - if ((argc-optind) > 1) { - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } else if ((argc-optind) < 1) { - infile = "stdin"; - certfile = stdin; - log_msg(LOG_MSG_DEBUG, "Loading stdin certificate"); - } else { - infile = argv[optind]; - log_msg(LOG_MSG_DEBUG, "Loading <%s> certificate", - argv[optind]); - if ((certfile = fopen(infile, "r")) == NULL) { - log_msg(LOG_MSG_ERR, MSG_OPEN, infile); - goto cleanup; - } - } - - /* - * if specific key file supplied, open it, otherwise open - * default (stdin) - */ - if (inkeyfile != NULL) { - if ((keyfile = fopen(inkeyfile, "r")) == NULL) { - log_msg(LOG_MSG_ERR, MSG_OPEN, inkeyfile); - goto cleanup; - } - } else { - inkeyfile = "stdin"; - keyfile = stdin; - } - - /* set up proper keystore */ - if (altroot != NULL) { - if (strlcpy(keystore_file, altroot, MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot); - goto cleanup; - } - - if (strlcat(keystore_file, "/", MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot); - goto cleanup; - } - } - - if (keystore_base == NULL) { - if (geteuid() == 0 || altroot != NULL) { - /* - * If we have an alternate - * root, then we have no choice but to use - * root's keystore on that alternate root, - * since there is no way to resolve a - * user's home dir given an alternate root - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if ((homedir = getenv("HOME")) == NULL) { - /* - * not superuser, but no home dir, so - * use superuser's keystore - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if (strlcat(keystore_file, homedir, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - homedir); - goto cleanup; - } - if (strlcat(keystore_file, "/.pkg/security", - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } - } - } else { - if (strlcat(keystore_file, keystore_base, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_base); - goto cleanup; - } - } - - /* figure out input format */ - if (informat_str == NULL) { - informat = KEYSTORE_FORMAT_PEM; - } else { - if (ci_streq(informat_str, "pem")) { - informat = KEYSTORE_FORMAT_PEM; - } else if (ci_streq(informat_str, "der")) { - informat = KEYSTORE_FORMAT_DER; - } else { - log_msg(LOG_MSG_ERR, MSG_BAD_FORMAT, informat_str); - goto cleanup; - } - } - - err = pkgerr_new(); - - if (trusted) { - /* load all possible certs */ - if (load_all_certs(err, certfile, informat, import_passarg, - &trustcerts) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - - /* we must have gotten at least one cert, if not, fail */ - if (sk_X509_num(trustcerts) < 1) { - log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile); - goto cleanup; - } - } else { - /* first, try to load user certificate and key */ - if (load_cert_and_key(err, certfile, informat, import_passarg, - &key, &cert) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - - /* we must have gotten a cert, if not, fail */ - if (cert == NULL) { - log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile); - goto cleanup; - } - - if (key == NULL) { - /* - * if we are importing a user cert, and did not get - * a key, try to load it from the key file - */ - if (keyfile == NULL) { - log_msg(LOG_MSG_ERR, MSG_NEED_KEY, infile); - goto cleanup; - } else { - log_msg(LOG_MSG_DEBUG, - "Loading private key <%s>", inkeyfile); - if (load_cert_and_key(err, keyfile, informat, - import_passarg, - &key, NULL) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, - MSG_NO_ADDKEY, inkeyfile); - goto cleanup; - } - - if (key == NULL) { - log_msg(LOG_MSG_ERR, MSG_NO_PRIVKEY, - inkeyfile); - log_msg(LOG_MSG_ERR, - MSG_NO_ADDKEY, inkeyfile); - goto cleanup; - } - } - } - } - - if (trusted) { - /* check validity date of all certificates */ - for (i = 0; i < sk_X509_num(trustcerts); i++) { - /* LINTED pointer cast may result in improper algnmnt */ - cert = sk_X509_value(trustcerts, i); - if (check_cert(err, cert) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, - infile); - goto cleanup; - } - } - } else { - /* check validity date of user certificate */ - if (check_cert_and_key(err, cert, key) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - } - - if (trusted && !implicit_trust) { - /* - * if importing more than one cert, must use implicit trust, - * because we can't ask the user to individually trust - * each one, since there may be many - */ - if (sk_X509_num(trustcerts) != 1) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_MULTIPLE_TRUST, infile, "-y"); - goto cleanup; - } else { - /* LINTED pointer cast may result in improper algnmnt */ - cert = sk_X509_value(trustcerts, 0); - } - - /* ask the user */ - switch (verify_trust(cert)) { - case Accept: - /* user accepted */ - break; - case Reject: - /* user aborted operation */ - log_msg(LOG_MSG_ERR, MSG_ADDCERT_ABORT); - goto cleanup; - case VerifyFailed: - default: - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - } - - /* now load the key store */ - log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file); - - set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT); - set_passphrase_passarg(passarg); - if (open_keystore(err, keystore_file, prog, pkg_passphrase_cb, - KEYSTORE_ACCESS_READWRITE | KEYSTORE_PATH_HARD, &keystore) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - - /* now merge the new cert into the keystore */ - log_msg(LOG_MSG_DEBUG, "Merging certificate <%s>", - get_subject_display_name(cert)); - if (trusted) { - /* merge all trusted certs found */ - for (i = 0; i < sk_X509_num(trustcerts); i++) { - /* LINTED pointer cast may result in improper algnmnt */ - cert = sk_X509_value(trustcerts, i); - if (merge_ca_cert(err, cert, keystore) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, - MSG_NO_ADDCERT, infile); - goto cleanup; - - } else { - log_msg(LOG_MSG_INFO, MSG_TRUSTING, - get_subject_display_name(cert)); - } - } - } else { - /* merge user cert */ - if (merge_cert_and_key(err, cert, key, alias, keystore) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - } - - /* now write it back out */ - log_msg(LOG_MSG_DEBUG, "Closing keystore"); - set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT); - set_passphrase_passarg(passarg); - if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile); - goto cleanup; - } - - if (trusted) { - log_msg(LOG_MSG_INFO, MSG_TRUSTED, infile); - } else { - log_msg(LOG_MSG_INFO, MSG_ADDED, infile, alias); - } - - ret = 0; - - /* fallthrough intentional */ -cleanup: - if (err != NULL) - pkgerr_free(err); - - if (certfile != NULL) - (void) fclose(certfile); - - if (keyfile != NULL) - (void) fclose(keyfile); - - return (ret); - } - -/* Asks user to verify certificate data before proceeding */ -static VerifyStatus verify_trust(X509 *cert) -{ - char vfy_trust = 'y'; - VerifyStatus ret = Accept; - PKG_ERR *err; - UI *ui = NULL; - - err = pkgerr_new(); - /* print cert data */ - if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT, - get_subject_display_name(cert), B_TRUE, stdout) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - ret = VerifyFailed; - goto cleanup; - } - - if ((ui = UI_new()) == NULL) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = VerifyFailed; - goto cleanup; - } - - /* - * The prompt is internationalized, but the valid - * response values are fixed, to avoid any complex - * multibyte processing that results in bugs - */ - if (UI_add_input_boolean(ui, MSG_VERIFY_TRUST, - "", - "yY", "nN", - UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = VerifyFailed; - goto cleanup; - } - - if (UI_process(ui) != 0) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = VerifyFailed; - goto cleanup; - } - - if (vfy_trust != 'y') { - ret = Reject; - goto cleanup; - } - - /* - * if the cert does not appear to be a CA cert - * r is not self-signed, verify that as well - */ - if (!is_ca_cert(cert)) { - UI_free(ui); - if ((ui = UI_new()) == NULL) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = VerifyFailed; - goto cleanup; - } - - if (UI_add_input_boolean(ui, - MSG_VERIFY_NOT_CA, - "", - "yY", "nN", - UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) { - ret = VerifyFailed; - goto cleanup; - } - - if (UI_process(ui) != 0) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = VerifyFailed; - goto cleanup; - } - - if (vfy_trust != 'y') { - ret = Reject; - goto cleanup; - } - } - -cleanup: - if (ui != NULL) - UI_free(ui); - - if (err != NULL) - pkgerr_free(err); - - return (ret); -} -/* - * Name: is_ca_cert - * Desc: Determines if a given certificate has the attributes - * of a CA certificate - * Returns: B_TRUE if certificate has attributes of a CA cert - * B_FALSE otherwise - */ -static boolean_t -is_ca_cert(X509 *x) -{ - - /* - * X509_check_purpose causes the extensions that we - * care about to be decoded and stored in the X509 - * structure, so we must call it first - * before checking for CA extensions in the X509 - * structure - */ - (void) X509_check_purpose(x, X509_PURPOSE_ANY, 0); - - /* keyUsage if present should allow cert signing */ - if ((x->ex_flags & EXFLAG_KUSAGE) && - !(x->ex_kusage & KU_KEY_CERT_SIGN)) { - return (B_FALSE); - } - - /* If basicConstraints says not a CA then say so */ - if (x->ex_flags & EXFLAG_BCONS) { - if (!(x->ex_flags & EXFLAG_CA)) { - return (B_FALSE); - } - } - - /* no explicit not-a-CA flags set, so assume that it is */ - return (B_TRUE); -} diff --git a/usr/src/cmd/svr4pkg/pkgadm/certs.c b/usr/src/cmd/svr4pkg/pkgadm/certs.c deleted file mode 100644 index c7c8f045ae..0000000000 --- a/usr/src/cmd/svr4pkg/pkgadm/certs.c +++ /dev/null @@ -1,239 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include "pkgadm.h" -#include "pkgadm_msgs.h" - - -/* - * Function: load_cert_and_key - * Description: Loads a public key certificate and associated private key - * from a stream. - * Parameters: err - Where to write errors to for underlying library calls - * incert - File to read certs and keys from - * format - The format of the file - * passarg - How to collect password if needed to decrypt file - * key - Location to store resulting key if found - * cert - Location to store resulting cert if found. - * - * Returns: f one or more certificates are found in the file, - * and one or more keys are found, then the first - * certificate is used, and the keys are searched for a - * match. If no key matches the cert, then only the cert - * is returned. If no certs are found, but one or more - * keys are found, then the first key is returned. - */ -int -load_cert_and_key(PKG_ERR *err, FILE *incert, - keystore_encoding_format_t format, char *passarg, EVP_PKEY **key, - X509 **cert) -{ - X509 *tmpcert = NULL; - EVP_PKEY *tmpkey = NULL; - STACK_OF(EVP_PKEY) *keys = NULL; - STACK_OF(X509) *certs = NULL; - int i, ret = 0; - keystore_passphrase_data data; - unsigned long crypto_err; - - if (key) *key = NULL; - if (cert) *cert = NULL; - - switch (format) { - case KEYSTORE_FORMAT_DER: - /* first try to load a DER cert, which cannot contain a key */ - if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) { - log_msg(LOG_MSG_ERR, MSG_PARSE); - ret = 1; - } - break; - case KEYSTORE_FORMAT_PEM: - default: - data.err = err; - set_passphrase_passarg(passarg); - set_passphrase_prompt(gettext("Enter PEM passphrase:")); - if (sunw_PEM_contents(incert, pkg_passphrase_cb, - &data, &keys, &certs) < 0) { - /* print out openssl-generated PEM errors */ - while ((crypto_err = ERR_get_error()) != 0) { - log_msg(LOG_MSG_ERR, - ERR_reason_error_string(crypto_err)); - } - ret = 1; - goto cleanup; - } - - /* take the first cert in the file, if any */ - if (cert && (certs != NULL)) { - if (sk_X509_num(certs) != 1) { - log_msg(LOG_MSG_ERR, MSG_MULTIPLE_CERTS); - ret = 1; - goto cleanup; - } else { - tmpcert = sk_X509_value(certs, 0); - } - } - - if (key && (keys != NULL)) { - if (tmpcert != NULL) { - /* - * if we found a cert and some keys, - * only return the key that - * matches the cert - */ - for (i = 0; i < sk_EVP_PKEY_num(keys); i++) { - if (X509_check_private_key(tmpcert, - sk_EVP_PKEY_value(keys, i))) { - tmpkey = - sk_EVP_PKEY_value(keys, i); - break; - } - } - } else { - if (sk_EVP_PKEY_num(keys) > 0) { - tmpkey = sk_EVP_PKEY_value(keys, 0); - } - } - } - break; - } - - /* set results */ - if (key && tmpkey) { - *key = tmpkey; - tmpkey = NULL; - } - - if (cert && tmpcert) { - *cert = tmpcert; - tmpcert = NULL; - } - -cleanup: - if (tmpcert != NULL) { - X509_free(tmpcert); - } - if (tmpkey != NULL) { - sunw_evp_pkey_free(tmpkey); - } - return (ret); -} - -/* - * Function: load_all_certs - * Description: Loads alll certificates from a stream. - * Parameters: err - Where to write errors to for underlying library calls - * incert - File to read certs and keys from - * format - The format of the file - * passarg - How to collect password if needed to decrypt file - * certs - Location to store resulting cert if found. - * - * Returns: 0 - success, all certs placed in ''certs' - * non-zero failure, errors in 'err' - */ -int -load_all_certs(PKG_ERR *err, FILE *incert, - keystore_encoding_format_t format, char *passarg, STACK_OF(X509) **certs) -{ - X509 *tmpcert = NULL; - STACK_OF(X509) *tmpcerts = NULL; - int ret = 0; - keystore_passphrase_data data; - unsigned long crypto_err; - if (certs) *certs = NULL; - - switch (format) { - case KEYSTORE_FORMAT_DER: - /* first try to load a DER cert, which cannot contain a key */ - if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) { - log_msg(LOG_MSG_ERR, MSG_PARSE); - ret = 1; - goto cleanup; - } - - if ((tmpcerts = sk_X509_new_null()) == NULL) { - log_msg(LOG_MSG_ERR, MSG_MEM); - ret = 1; - goto cleanup; - } - sk_X509_push(tmpcerts, tmpcert); - break; - case KEYSTORE_FORMAT_PEM: - default: - data.err = err; - set_passphrase_prompt(MSG_PEM_PASSPROMPT); - set_passphrase_passarg(passarg); - if (sunw_PEM_contents(incert, pkg_passphrase_cb, - &data, NULL, &tmpcerts) < 0) { - /* print out openssl-generated PEM errors */ - while ((crypto_err = ERR_get_error()) != 0) { - log_msg(LOG_MSG_ERR, - ERR_reason_error_string(crypto_err)); - } - } - break; - } - - /* set results */ - if (certs && tmpcerts) { - *certs = tmpcerts; - tmpcerts = NULL; - } - -cleanup: - if (tmpcerts != NULL) { - sk_X509_free(tmpcerts); - } - return (ret); -} diff --git a/usr/src/cmd/svr4pkg/pkgadm/listcert.c b/usr/src/cmd/svr4pkg/pkgadm/listcert.c deleted file mode 100644 index 731427271f..0000000000 --- a/usr/src/cmd/svr4pkg/pkgadm/listcert.c +++ /dev/null @@ -1,245 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include "pkgadm.h" -#include "pkgadm_msgs.h" - -/* - * Name: listcert - * Desc: Lists one or more certificates from the keystore - * Syntax: listcert [-a app] [-f format] [-k keystore] \ - * [-n name] [-o outfile] [-P passarg] [-R altroot] - */ -int -listcert(int argc, char **argv) -{ - int i; - char keystore_file[MAXPATHLEN] = ""; - char *keystore_base = NULL; - char *homedir; - char *passarg = NULL; - char *altroot = NULL; - char *prog = NULL; - char *format_str = NULL; - keystore_encoding_format_t format; - char *alias = NULL; - char *outfile_str = NULL; - FILE *outfile = NULL; - int ret = 1; - PKG_ERR *err = NULL; - keystore_handle_t keystore = NULL; - - while ((i = getopt(argc, argv, ":a:f:k:n:o:P:R:")) != EOF) { - switch (i) { - case 'a': - prog = optarg; - break; - case 'f': - format_str = optarg; - break; - case 'k': - keystore_base = optarg; - break; - case 'n': - alias = optarg; - break; - case 'o': - outfile_str = optarg; - break; - case 'P': - passarg = optarg; - break; - case 'R': - altroot = optarg; - break; - case ':': - log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt); - /* fallthrough intentional */ - case '?': - default: - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - } - - /* should be no arguments left */ - if ((argc-optind) > 0) { - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - - /* figure out format */ - if (format_str == NULL) { - format = KEYSTORE_FORMAT_TEXT; - } else { - if (ci_streq(format_str, "text")) { - format = KEYSTORE_FORMAT_TEXT; - } else if (ci_streq(format_str, "pem")) { - format = KEYSTORE_FORMAT_PEM; - } else if (ci_streq(format_str, "der")) { - format = KEYSTORE_FORMAT_DER; - } else { - log_msg(LOG_MSG_ERR, MSG_BAD_FORMAT, format_str); - goto cleanup; - } - } - - /* open output file */ - if (outfile_str == NULL) { - outfile = stdout; - outfile_str = "stdout"; - } else { - if ((outfile = fopen(outfile_str, "w+")) == NULL) { - log_msg(LOG_MSG_ERR, MSG_OPEN_WRITE, outfile_str); - goto cleanup; - } - } - - /* set up proper keystore */ - if (altroot != NULL) { - if (strlcpy(keystore_file, altroot, MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot); - goto cleanup; - } - - if (strlcat(keystore_file, "/", MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot); - goto cleanup; - } - } - - if (keystore_base == NULL) { - if (geteuid() == 0 || altroot != NULL) { - /* - * If we have an alternate - * root, then we have no choice but to use - * root's keystore on that alternate root, - * since there is no way to resolve a - * user's home dir given an alternate root - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if ((homedir = getenv("HOME")) == NULL) { - /* - * not superuser, but no home dir, so - * use superuser's keystore - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if (strlcat(keystore_file, homedir, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - homedir); - goto cleanup; - } - if (strlcat(keystore_file, "/.pkg/security", - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } - } - } else { - if (strlcat(keystore_file, keystore_base, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_base); - goto cleanup; - } - } - err = pkgerr_new(); - - /* now load the key store */ - log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file); - - set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT); - set_passphrase_passarg(passarg); - if (open_keystore(err, keystore_file, prog, - pkg_passphrase_cb, KEYSTORE_DFLT_FLAGS, - &keystore) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str); - goto cleanup; - } - - /* list the certs */ - log_msg(LOG_MSG_DEBUG, "Listing certificates"); - if (print_certs(err, keystore, alias, format, outfile) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str); - goto cleanup; - } - - /* now close it out */ - log_msg(LOG_MSG_DEBUG, "Closing keystore"); - set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT); - set_passphrase_passarg(passarg); - if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_PRINT, outfile_str); - goto cleanup; - } - - /* everything worked */ - ret = 0; - - /* fallthrough intentional */ -cleanup: - if (outfile != NULL) - (void) fclose(outfile); - - if (err != NULL) - pkgerr_free(err); - - return (ret); -} diff --git a/usr/src/cmd/svr4pkg/pkgadm/lock.c b/usr/src/cmd/svr4pkg/pkgadm/lock.c index 7963fd5d5b..7832cd3eae 100644 --- a/usr/src/cmd/svr4pkg/pkgadm/lock.c +++ b/usr/src/cmd/svr4pkg/pkgadm/lock.c @@ -19,6 +19,10 @@ * CDDL HEADER END */ +/* + * Copyright (c) 2017 Peter Tribble. + */ + /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. @@ -58,7 +62,6 @@ #include #include #include -#include #include #include #include @@ -69,8 +72,6 @@ #include #include -#include -#include #include "pkgadm.h" #include "pkgadm_msgs.h" diff --git a/usr/src/cmd/svr4pkg/pkgadm/main.c b/usr/src/cmd/svr4pkg/pkgadm/main.c index 91eda6947d..cd07946284 100644 --- a/usr/src/cmd/svr4pkg/pkgadm/main.c +++ b/usr/src/cmd/svr4pkg/pkgadm/main.c @@ -19,6 +19,10 @@ * CDDL HEADER END */ +/* + * Copyright (c) 2017 Peter Tribble. + */ + /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. @@ -35,19 +39,12 @@ #include #include #include -#include #include -#include -#include #include "pkgadm.h" #include "pkgadm_msgs.h" #include "libadm.h" -/* initial error message buffer size */ - -#define ERR_BUFSIZE 2048 - /* Local Function Prototypes */ static void print_version(); @@ -68,15 +65,6 @@ struct cmd cmds[] = { { NULL, NULL } }; -struct cmd cert_cmds[] = { - { "addcert", addcert}, - { "listcert", listcert}, - { "removecert", removecert}, - /* last one must be all NULLs */ - { NULL, NULL } -}; - - /* * Function: main * @@ -137,20 +125,6 @@ main(int argc, char **argv) } } - /* initialize security library */ - sec_init(); - - /* OK, hand it off to the subcommand processors */ - for (cur_cmd = 0; cert_cmds[cur_cmd].c_name != NULL; cur_cmd++) { - if (ci_streq(argv[optind], cert_cmds[cur_cmd].c_name)) { - /* make subcommand the first option */ - newargc = argc - optind; - newargv = argv + optind; - opterr = optind = 1; optopt = 0; - return (cert_cmds[cur_cmd].c_func(newargc, newargv)); - } - } - /* bad subcommand */ log_msg(LOG_MSG_ERR, MSG_BAD_SUB, argv[optind]); log_msg(LOG_MSG_INFO, MSG_USAGE); @@ -183,23 +157,6 @@ get_verbose() return (log_get_verbose()); } -/* - * Name: log_pkgerr - * Description: Outputs pkgerr messages to logging facility. - * Scope: public - * Arguments: type - the severity of the message - * err - error stack to dump to facility - * Returns: none - */ -void -log_pkgerr(LogMsgType type, PKG_ERR *err) -{ - int i; - for (i = 0; i < pkgerr_num(err); i++) { - log_msg(type, "%s", pkgerr_get(err, i)); - } -} - /* * Name: print_Version * Desc: Prints Version of packaging tools diff --git a/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h b/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h index 8911389517..8c338e3eb0 100644 --- a/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h +++ b/usr/src/cmd/svr4pkg/pkgadm/pkgadm.h @@ -19,6 +19,10 @@ * CDDL HEADER END */ +/* + * Copyright (c) 2017 Peter Tribble. + */ + /* * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. @@ -32,8 +36,6 @@ extern "C" { #endif -#include -#include #include "pkglib.h" #include "libinst.h" @@ -52,23 +54,10 @@ extern "C" { /* main.c */ extern void log_msg(LogMsgType, const char *, ...); -extern void log_pkgerr(LogMsgType, PKG_ERR *); extern void set_verbose(boolean_t); extern boolean_t get_verbose(void); /* lock.c */ extern int admin_lock(int, char **); -/* listcert.c */ -extern int listcert(int, char **); -/* importcert.c */ -extern int addcert(int, char **); -/* removecert.c */ -extern int removecert(int, char **); - -/* certs.c */ -extern int load_cert_and_key(PKG_ERR *, FILE *, - keystore_encoding_format_t, char *, EVP_PKEY **, X509 **); -extern int load_all_certs(PKG_ERR *, FILE *, - keystore_encoding_format_t, char *, STACK_OF(X509) **); #define PKGADM_DBSTATUS_TEXT "text" diff --git a/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h b/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h index bc6b9aaf7e..fb9f494393 100644 --- a/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h +++ b/usr/src/cmd/svr4pkg/pkgadm/pkgadm_msgs.h @@ -19,6 +19,10 @@ * CDDL HEADER END */ +/* + * Copyright (c) 2017 Peter Tribble. + */ + /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. @@ -48,24 +52,6 @@ extern "C" { #define MSG_USAGE gettext(\ "usage:\n" \ "\n" \ -"pkgadm addcert [-ty] [-a app] [-k keystore] [-e keyfile]\n" \ -"\t[-f format] [-n name] [-P passarg] [-p input_passarg]\n" \ -"\t[-R rootpath] certfile\n" \ -"\n" \ -"\t- Adds a trusted CA certificate or user certificate\n" \ -"\tand private key\n" \ -"\n" \ -"pkgadm removecert [-a app] [-k keystore] -n name [-P passarg]\n" \ -"\t[-R rootpath]\n" \ -"\n" \ -"\t- Removes a trusted CA certificate or user certificate\n" \ -"\tand private key\n" \ -"\n" \ -"pkgadm listcert [-a app] [-f format] [-k keystore] -n name\n" \ -"\t[-P passarg] [-o outfile] [-R rootpath]\n" \ -"\n" \ -"\t- Prints trusted CA certificates or user certificates\n" \ -"\n" \ "pkgadm dbstatus [-R rootpath]\n" \ "\n" \ "\t- Returns 'text' - the text install database in use since Solaris 2.0\n" \ @@ -97,16 +83,6 @@ extern "C" { #define MSG_T_RESULT_THREE gettext(\ "required <%d> actual <%d> <%30s> ~- <%30s>\n") -#define MSG_KEYSTORE_PASSPROMPT gettext(\ - "Enter Keystore Password: ") - -#define MSG_KEYSTORE_PASSOUTPROMPT gettext(\ - "Type a Keystore protection Password.\n" \ - "Press ENTER for no protection password (not recommended): ") - -#define MSG_PEM_PASSPROMPT gettext(\ - "Enter PEM Passphrase: ") - #define MSG_ERROR gettext(\ "ERROR") @@ -115,20 +91,11 @@ extern "C" { #define CREATE_PKGDIR_WARN gettext(\ "Creating directory <%s>\n") -#define MSG_WRN_UNKNOWN gettext(\ - "Signer <%s> has unsupported signature, ignoring") - #define MSG_VALID_STALE gettext(\ "Removing stale lock on <%s> pid <%ld> zid <%ld>") /* errors */ -#define MSG_FATAL gettext(\ - "Fatal Error") - -#define MSG_TOO_LONG gettext(\ - "Length of <%s> exceeds maximum allowed length") - #define MSG_INTERNAL gettext(\ "Intenal Error <%s>") @@ -138,121 +105,9 @@ extern "C" { #define MSG_OPEN_WRITE gettext(\ "Cannot open <%s> for writing") -#define MSG_BAD_PASSARG gettext(\ - "Invalid password retrieval method <%s>") - -#define MSG_BAD_PASS gettext(\ - "Invalid password") - #define ERR_LOG_FAIL gettext(\ "Failed to log message using format <%s>") -#define MSG_BAD_FORMAT gettext(\ - "Invalid format: <%s>") - -#define MSG_USER_NAME gettext(\ - "An alias is required when adding user certificates") - -#define MSG_TRUSTED_NAME gettext(\ - "Trusted certificates cannot have an explicit alias") - -#define MSG_MULTIPLE_TRUST gettext(\ - "Found multiple certificates in <%s>. You must explicitly trust " \ - "them using <%s>") - -#define MSG_NO_MULTIPLE_TRUST gettext(\ - "Found multiple certificates in <%s>. You must explicitly trust " \ - "them using <%s>") - -#define MSG_TRUSTED_KEY gettext(\ - "Cannot supply private key when adding trusted certificates") - -#define MSG_TRUST_KEY_FOUND gettext(\ - "One or more private keys were found in trusted certificate file <%s>") - -#define MSG_ADDCERT_ABORT gettext(\ - "Addition of trusted certificate aborted by user request") - - -#define MSG_NEED_KEY gettext(\ - "No private key found in <%s>, must specify one with -e") - -#define MSG_NO_PRIVKEY gettext(\ - "No private key found in <%s>") - -#define MSG_NO_CERTS gettext(\ - "No certificates found in <%s>") - -#define MSG_MULTIPLE_CERTS gettext(\ - "Multiple certificates found in <%s>") - -#define MSG_NO_ADDCERT gettext(\ - "Cannot add certificate(s) from <%s>. No changes have been made.") - -#define MSG_NO_ADDKEY gettext(\ - "Cannot add private key from <%s>. No changes have been made.") - -#define MSG_NO_REMOVECERT gettext(\ - "Cannot remove certificate with alias <%s>") - -#define MSG_VERIFY_TRUST gettext(\ - "Are you sure you want to trust this certificate? ") - -#define MSG_VERIFY_NOT_CA gettext(\ - "\n" \ - "This certificate does not appear to be issued and signed\n" \ - "by a certificate authority (CA). CA Certificates are normally\n" \ - "self-signed and have CA Basic Constraints.\n" \ - "Are you sure you want to trust this certificate? ") - -#define MSG_PARSE gettext(\ - "Parsing error") - -#define MSG_TRUSTED gettext(\ - "Certificate(s) from <%s> are now trusted") - -#define MSG_TRUSTING gettext(\ - "Trusting certificate <%s>") - -#define MSG_ADDED gettext(\ - "Successfully added Certificate <%s> with alias <%s>") - -#define MSG_REMOVED gettext(\ - "Successfully removed Certificate(s) with alias <%s>") - -#define MSG_MEM gettext(\ - "Out of memory") - -#define MSG_PRINT gettext(\ - "Cannot print certificates to <%s>") - -#define MSG_PROBLEM_CONVERT gettext(\ - "Does %s/var/sadm exist? Can the user write to it? (%s)") - -#define MSG_CONTENTS_FORMAT gettext(\ - "Operation failed due to corrupted install contents data file.") - -#define MSG_MKDIR_FAILED gettext(\ - "Could not mkdir for path %s. %s.") - -#define MSG_RENAME_FAILED gettext(\ - "Could not rename %s to %s\n%s") - -#define MSG_REMOVE_FAILED gettext(\ - "Could not remove %s\n%s") - -#define MSG_FILE_ACCESS gettext(\ - "Operation failed: unable to access file %s: %s") - -#define MSG_NOT_READABLE gettext(\ - "Operation failed: unable to read file %s") - -#define MSG_BUILD_INDEXES gettext(\ - "Operation failed: unable to build indexes\n") - -#define MSG_FILE_NAME_TOO_LONG gettext(\ - "Operation failed: file name too long: %s\n") - #define MSG_ZONES_MISSING_REQUEST gettext(\ "Must specify operation to perform\n") diff --git a/usr/src/cmd/svr4pkg/pkgadm/removecert.c b/usr/src/cmd/svr4pkg/pkgadm/removecert.c deleted file mode 100644 index 3a176b6184..0000000000 --- a/usr/src/cmd/svr4pkg/pkgadm/removecert.c +++ /dev/null @@ -1,201 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License (the "License"). - * You may not use this file except in compliance with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ - -/* - * Copyright 2009 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include "pkgadm.h" -#include "pkgadm_msgs.h" - -/* - * Name: removecert - * Desc: Removes a user certificate and associated private key, - * or a trusted certificate, from the keystore. - * Syntax: addcert [-a app] [-k keystore] -n name [-P passarg] [-R altroot] - */ -int -removecert(int argc, char **argv) -{ - int i; - char keystore_file[MAXPATHLEN] = ""; - char *keystore_base = NULL; - char *homedir; - char *passarg = NULL; - char *altroot = NULL; - char *prog = NULL; - char *alias = NULL; - int ret = 1; - PKG_ERR *err = NULL; - keystore_handle_t keystore = NULL; - - while ((i = getopt(argc, argv, ":a:k:n:P:R:")) != EOF) { - switch (i) { - case 'a': - prog = optarg; - break; - case 'k': - keystore_base = optarg; - break; - case 'n': - alias = optarg; - break; - case 'P': - passarg = optarg; - break; - case 'R': - altroot = optarg; - break; - case ':': - log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt); - /* fallthrough intentional */ - case '?': - default: - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - } - - /* we require a name */ - if (alias == NULL) { - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - - /* should be no arguments left */ - if ((argc-optind) > 0) { - log_msg(LOG_MSG_ERR, MSG_USAGE); - goto cleanup; - } - - /* set up proper keystore */ - if (keystore_base == NULL) { - if (geteuid() == 0 || altroot != NULL) { - /* - * If we have an alternate - * root, then we have no choice but to use - * root's keystore on that alternate root, - * since there is no way to resolve a - * user's home dir given an alternate root - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if ((homedir = getenv("HOME")) == NULL) { - /* - * not superuser, but no home dir, so - * use superuser's keystore - */ - if (strlcat(keystore_file, PKGSEC, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } else { - if (strlcat(keystore_file, homedir, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - homedir); - goto cleanup; - } - if (strlcat(keystore_file, "/.pkg/security", - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_file); - goto cleanup; - } - } - } - } else { - if (strlcat(keystore_file, keystore_base, - MAXPATHLEN) >= MAXPATHLEN) { - log_msg(LOG_MSG_ERR, MSG_TOO_LONG, - keystore_base); - goto cleanup; - } - } - - err = pkgerr_new(); - - /* now load the key store */ - log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file); - - set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT); - set_passphrase_passarg(passarg); - - if (open_keystore(err, keystore_file, prog, pkg_passphrase_cb, - KEYSTORE_ACCESS_READWRITE | KEYSTORE_PATH_HARD, &keystore) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - goto cleanup; - } - - /* now remove the selected certs */ - log_msg(LOG_MSG_DEBUG, "Removing certificate(s) with name <%s>", - alias); - if (delete_cert_and_keys(err, keystore, alias) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_REMOVECERT, alias); - goto cleanup; - } - - /* now write it back out */ - log_msg(LOG_MSG_DEBUG, "Closing keystore"); - set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT); - set_passphrase_passarg(passarg); - if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) { - log_pkgerr(LOG_MSG_ERR, err); - log_msg(LOG_MSG_ERR, MSG_NO_REMOVECERT, alias); - goto cleanup; - } - - log_msg(LOG_MSG_INFO, MSG_REMOVED, alias); - - ret = 0; - /* fallthrough intentional */ -cleanup: - - if (err != NULL) - pkgerr_free(err); - - return (ret); -} -- cgit v1.2.3