117Sdinak /*
217Sdinak * CDDL HEADER START
317Sdinak *
417Sdinak * The contents of this file are subject to the terms of the
53089Swyllys * Common Development and Distribution License (the "License").
63089Swyllys * You may not use this file except in compliance with the License.
717Sdinak *
817Sdinak * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
917Sdinak * or http://www.opensolaris.org/os/licensing.
1017Sdinak * See the License for the specific language governing permissions
1117Sdinak * and limitations under the License.
1217Sdinak *
1317Sdinak * When distributing Covered Code, include this CDDL HEADER in each
1417Sdinak * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
1517Sdinak * If applicable, add the following below this CDDL HEADER, with the
1617Sdinak * fields enclosed by brackets "[]" replaced with your own identifying
1717Sdinak * information: Portions Copyright [yyyy] [name of copyright owner]
1817Sdinak *
1917Sdinak * CDDL HEADER END
2017Sdinak */
2117Sdinak /*
226669Swyllys * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
2317Sdinak * Use is subject to license terms.
2417Sdinak */
2517Sdinak
2617Sdinak #pragma ident "%Z%%M% %I% %E% SMI"
2717Sdinak
2817Sdinak /*
2917Sdinak * This file implements the token object delete operation for this tool.
3017Sdinak * It loads the PKCS#11 modules, finds the object to delete, deletes it,
3117Sdinak * and cleans up. User must be R/W logged into the token.
3217Sdinak */
3317Sdinak
3417Sdinak #include <stdio.h>
3517Sdinak #include <string.h>
3617Sdinak #include <cryptoutil.h>
3717Sdinak #include <security/cryptoki.h>
3817Sdinak #include "common.h"
393089Swyllys #include <kmfapi.h>
403089Swyllys
413089Swyllys static KMF_RETURN
pk_destroy_keys(void * handle,KMF_ATTRIBUTE * attrlist,int numattr)425051Swyllys pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr)
433089Swyllys {
443089Swyllys int i;
453089Swyllys KMF_RETURN rv = KMF_OK;
465051Swyllys uint32_t *numkeys;
475051Swyllys KMF_KEY_HANDLE *keys = NULL;
485051Swyllys int del_num = 0;
495051Swyllys KMF_ATTRIBUTE delete_attlist[16];
505051Swyllys KMF_KEYSTORE_TYPE kstype;
515051Swyllys uint32_t len;
525051Swyllys boolean_t destroy = B_TRUE;
535051Swyllys KMF_CREDENTIAL cred;
545051Swyllys char *slotlabel = NULL;
553089Swyllys
565051Swyllys len = sizeof (kstype);
575051Swyllys rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
585051Swyllys &kstype, &len);
595051Swyllys if (rv != KMF_OK)
605051Swyllys return (rv);
615051Swyllys
625051Swyllys kmf_set_attr_at_index(delete_attlist, del_num,
635051Swyllys KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
645051Swyllys del_num++;
655051Swyllys
665051Swyllys /* "destroy" is optional. Default is TRUE */
675051Swyllys (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
685051Swyllys (void *)&destroy, NULL);
693089Swyllys
705051Swyllys kmf_set_attr_at_index(delete_attlist, del_num,
715051Swyllys KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t));
725051Swyllys del_num++;
735051Swyllys
745051Swyllys switch (kstype) {
753089Swyllys case KMF_KEYSTORE_NSS:
765051Swyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
775051Swyllys (void *)&cred, NULL);
785051Swyllys if (rv == KMF_OK) {
795051Swyllys if (cred.credlen > 0) {
805051Swyllys kmf_set_attr_at_index(delete_attlist, del_num,
815051Swyllys KMF_CREDENTIAL_ATTR, &cred,
825051Swyllys sizeof (KMF_CREDENTIAL));
835051Swyllys del_num++;
845051Swyllys }
855051Swyllys }
865051Swyllys
875051Swyllys slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist,
885051Swyllys numattr);
895051Swyllys if (slotlabel != NULL) {
905051Swyllys kmf_set_attr_at_index(delete_attlist, del_num,
915051Swyllys KMF_TOKEN_LABEL_ATTR, slotlabel,
925051Swyllys strlen(slotlabel));
935051Swyllys del_num++;
945051Swyllys }
953089Swyllys break;
963089Swyllys case KMF_KEYSTORE_OPENSSL:
973089Swyllys break;
983089Swyllys case KMF_KEYSTORE_PK11TOKEN:
995051Swyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
1005051Swyllys (void *)&cred, NULL);
1015051Swyllys if (rv == KMF_OK) {
1025051Swyllys if (cred.credlen > 0) {
1035051Swyllys kmf_set_attr_at_index(delete_attlist, del_num,
1045051Swyllys KMF_CREDENTIAL_ATTR, &cred,
1055051Swyllys sizeof (KMF_CREDENTIAL));
1065051Swyllys del_num++;
1075051Swyllys }
1085051Swyllys }
1093089Swyllys break;
1103089Swyllys default:
1113089Swyllys return (PK_ERR_USAGE);
1123089Swyllys }
1133089Swyllys
1145051Swyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
1155051Swyllys if (numkeys == NULL)
1165051Swyllys return (PK_ERR_USAGE);
1175051Swyllys
1185051Swyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
1195051Swyllys if (keys == NULL)
1205051Swyllys return (PK_ERR_USAGE);
1215051Swyllys
1225051Swyllys for (i = 0; rv == KMF_OK && i < *numkeys; i++) {
1235051Swyllys int num = del_num;
1245051Swyllys
1255051Swyllys kmf_set_attr_at_index(delete_attlist, num,
1265051Swyllys KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE));
1275051Swyllys num++;
1285051Swyllys
1295051Swyllys rv = kmf_delete_key_from_keystore(handle, num, delete_attlist);
1303089Swyllys }
1313089Swyllys return (rv);
1323089Swyllys }
1333089Swyllys
1343089Swyllys static KMF_RETURN
pk_delete_keys(KMF_HANDLE_T kmfhandle,KMF_ATTRIBUTE * attlist,int numattr,char * desc,int * keysdeleted)1355051Swyllys pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr,
1365051Swyllys char *desc, int *keysdeleted)
1373089Swyllys {
1383089Swyllys KMF_RETURN rv = KMF_OK;
1393089Swyllys uint32_t numkeys = 0;
1405051Swyllys int num = numattr;
1413089Swyllys
1423089Swyllys *keysdeleted = 0;
1433089Swyllys numkeys = 0;
1445051Swyllys
1455051Swyllys kmf_set_attr_at_index(attlist, num,
1465051Swyllys KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t));
1475051Swyllys num++;
1485051Swyllys
1495051Swyllys rv = kmf_find_key(kmfhandle, num, attlist);
1505051Swyllys
1513089Swyllys if (rv == KMF_OK && numkeys > 0) {
1523089Swyllys KMF_KEY_HANDLE *keys = NULL;
1533089Swyllys char prompt[1024];
1543089Swyllys
1553089Swyllys (void) snprintf(prompt, sizeof (prompt),
1565051Swyllys gettext("%d %s key(s) found, do you want "
1575051Swyllys "to delete them (y/N) ?"), numkeys,
1585051Swyllys (desc != NULL ? desc : ""));
1593089Swyllys
1603089Swyllys if (!yesno(prompt,
1615051Swyllys gettext("Respond with yes or no.\n"),
1625051Swyllys B_FALSE)) {
1635221Swyllys *keysdeleted = numkeys;
1643089Swyllys return (KMF_OK);
1653089Swyllys }
1663089Swyllys keys = (KMF_KEY_HANDLE *)malloc(numkeys *
1675051Swyllys sizeof (KMF_KEY_HANDLE));
1683089Swyllys if (keys == NULL)
1693089Swyllys return (KMF_ERR_MEMORY);
1703089Swyllys (void) memset(keys, 0, numkeys *
1715051Swyllys sizeof (KMF_KEY_HANDLE));
1723089Swyllys
1735051Swyllys kmf_set_attr_at_index(attlist, num,
1745051Swyllys KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE));
1755051Swyllys num++;
1765051Swyllys
1775051Swyllys rv = kmf_find_key(kmfhandle, num, attlist);
1783089Swyllys if (rv == KMF_OK) {
1795051Swyllys rv = pk_destroy_keys(kmfhandle, attlist, num);
1803089Swyllys }
1813089Swyllys
1823089Swyllys free(keys);
1833089Swyllys }
1843089Swyllys
1853089Swyllys *keysdeleted = numkeys;
1863089Swyllys return (rv);
1873089Swyllys }
1883089Swyllys
1893089Swyllys static KMF_RETURN
pk_delete_certs(KMF_HANDLE_T kmfhandle,KMF_ATTRIBUTE * attlist,int numattr)1905051Swyllys pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr)
1913089Swyllys {
1923089Swyllys KMF_RETURN rv = KMF_OK;
1933089Swyllys uint32_t numcerts = 0;
1945051Swyllys int num = numattr;
1953089Swyllys
1965051Swyllys kmf_set_attr_at_index(attlist, num,
1975051Swyllys KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t));
1985051Swyllys num++;
1995051Swyllys
2005051Swyllys rv = kmf_find_cert(kmfhandle, num, attlist);
2013089Swyllys if (rv == KMF_OK && numcerts > 0) {
2023089Swyllys char prompt[1024];
2033089Swyllys (void) snprintf(prompt, sizeof (prompt),
2045051Swyllys gettext("%d certificate(s) found, do you want "
2055051Swyllys "to delete them (y/N) ?"), numcerts);
2063089Swyllys
2073089Swyllys if (!yesno(prompt,
2085051Swyllys gettext("Respond with yes or no.\n"),
2095051Swyllys B_FALSE)) {
2103089Swyllys return (KMF_OK);
2113089Swyllys }
2123089Swyllys
2135051Swyllys /*
2145051Swyllys * Use numattr because delete cert does not require
2155051Swyllys * KMF_COUNT_ATTR attribute.
2165051Swyllys */
2175051Swyllys rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist);
2183089Swyllys
2193089Swyllys }
2203089Swyllys
2213089Swyllys return (rv);
2223089Swyllys }
2233089Swyllys
2243089Swyllys static KMF_RETURN
delete_nss_keys(KMF_HANDLE_T kmfhandle,char * dir,char * prefix,char * token,int oclass,char * objlabel,KMF_CREDENTIAL * tokencred)2253089Swyllys delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix,
2263089Swyllys char *token, int oclass, char *objlabel,
2273089Swyllys KMF_CREDENTIAL *tokencred)
2283089Swyllys {
2293089Swyllys KMF_RETURN rv = KMF_OK;
2303089Swyllys char *keytype = NULL;
2313089Swyllys int nk, numkeys = 0;
2325051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
2335051Swyllys int numattr = 0;
2345051Swyllys KMF_ATTRIBUTE attrlist[16];
2355051Swyllys KMF_KEY_CLASS keyclass;
2363089Swyllys
2373089Swyllys rv = configure_nss(kmfhandle, dir, prefix);
2383089Swyllys if (rv != KMF_OK)
2393089Swyllys return (rv);
2403089Swyllys
2415051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
2425051Swyllys &kstype, sizeof (kstype));
2435051Swyllys numattr++;
2445051Swyllys
2455051Swyllys if (objlabel != NULL) {
2465051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
2475051Swyllys objlabel, strlen(objlabel));
2485051Swyllys numattr++;
2495051Swyllys }
2505051Swyllys
2515051Swyllys if (tokencred->credlen > 0) {
2525051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
2535051Swyllys tokencred, sizeof (KMF_CREDENTIAL));
2545051Swyllys numattr++;
2555051Swyllys }
2565051Swyllys
2575051Swyllys if (token && strlen(token)) {
2585051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
2595051Swyllys token, strlen(token));
2605051Swyllys numattr++;
2615051Swyllys }
2623089Swyllys
2633089Swyllys if (oclass & PK_PRIKEY_OBJ) {
2645051Swyllys int num = numattr;
2655051Swyllys
2665051Swyllys keyclass = KMF_ASYM_PRI;
2675051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
2685051Swyllys &keyclass, sizeof (keyclass));
2695051Swyllys num++;
2705051Swyllys
2713089Swyllys keytype = "private";
2725051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
2733089Swyllys numkeys += nk;
274*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
275*7108Swyllys oclass != PK_PRIKEY_OBJ)
276*7108Swyllys rv = KMF_OK;
2773089Swyllys }
2783089Swyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
2795051Swyllys int num = numattr;
2805051Swyllys
2815051Swyllys keyclass = KMF_SYMMETRIC;
2825051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
2835051Swyllys &keyclass, sizeof (keyclass));
2845051Swyllys num++;
2855051Swyllys
2863089Swyllys keytype = "symmetric";
2875051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
2883089Swyllys numkeys += nk;
289*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
290*7108Swyllys oclass != PK_SYMKEY_OBJ)
291*7108Swyllys rv = KMF_OK;
2923089Swyllys }
2933089Swyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
2945051Swyllys int num = numattr;
2955051Swyllys
2965051Swyllys keyclass = KMF_ASYM_PUB;
2975051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
2985051Swyllys &keyclass, sizeof (keyclass));
2995051Swyllys num++;
3005051Swyllys
3013089Swyllys keytype = "public";
3025051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
3033089Swyllys numkeys += nk;
304*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
305*7108Swyllys oclass != PK_PUBKEY_OBJ)
306*7108Swyllys rv = KMF_OK;
3073089Swyllys }
3083089Swyllys if (rv == KMF_OK && numkeys == 0)
3093089Swyllys rv = KMF_ERR_KEY_NOT_FOUND;
3103089Swyllys
3113089Swyllys return (rv);
3123089Swyllys }
3133089Swyllys
3143089Swyllys static KMF_RETURN
delete_nss_certs(KMF_HANDLE_T kmfhandle,char * dir,char * prefix,char * token,char * objlabel,KMF_BIGINT * serno,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)3153089Swyllys delete_nss_certs(KMF_HANDLE_T kmfhandle,
3163089Swyllys char *dir, char *prefix,
3173089Swyllys char *token, char *objlabel,
3183089Swyllys KMF_BIGINT *serno, char *issuer, char *subject,
3193089Swyllys KMF_CERT_VALIDITY find_criteria_flag)
3203089Swyllys {
3213089Swyllys KMF_RETURN rv = KMF_OK;
3225051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
3235051Swyllys int numattr = 0;
3245051Swyllys KMF_ATTRIBUTE attrlist[16];
3253089Swyllys
3263089Swyllys rv = configure_nss(kmfhandle, dir, prefix);
3273089Swyllys if (rv != KMF_OK)
3283089Swyllys return (rv);
3293089Swyllys
3305051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
3315051Swyllys &kstype, sizeof (kstype));
3325051Swyllys numattr++;
3335051Swyllys
3345051Swyllys if (objlabel != NULL) {
3355051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3365051Swyllys KMF_CERT_LABEL_ATTR, objlabel,
3375051Swyllys strlen(objlabel));
3385051Swyllys numattr++;
3395051Swyllys }
3405051Swyllys
3415051Swyllys if (issuer != NULL) {
3425051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3435051Swyllys KMF_ISSUER_NAME_ATTR, issuer,
3445051Swyllys strlen(issuer));
3455051Swyllys numattr++;
3465051Swyllys }
3473089Swyllys
3485051Swyllys if (subject != NULL) {
3495051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3505051Swyllys KMF_SUBJECT_NAME_ATTR, subject,
3515051Swyllys strlen(subject));
3525051Swyllys numattr++;
3535051Swyllys }
3545051Swyllys
3555051Swyllys if (serno != NULL) {
3565051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3575051Swyllys KMF_BIGINT_ATTR, serno,
3585051Swyllys sizeof (KMF_BIGINT));
3595051Swyllys numattr++;
3605051Swyllys }
3613089Swyllys
3625051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3635051Swyllys KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
3645051Swyllys sizeof (KMF_CERT_VALIDITY));
3655051Swyllys numattr++;
3665051Swyllys
3675051Swyllys if (token != NULL) {
3685051Swyllys kmf_set_attr_at_index(attrlist, numattr,
3695051Swyllys KMF_TOKEN_LABEL_ATTR, token,
3705051Swyllys strlen(token));
3715051Swyllys numattr++;
3725051Swyllys }
3735051Swyllys
3745051Swyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr);
3753089Swyllys
3763089Swyllys return (rv);
3773089Swyllys }
3783089Swyllys
3793089Swyllys static KMF_RETURN
delete_nss_crl(void * kmfhandle,char * dir,char * prefix,char * token,char * issuer,char * subject)3803089Swyllys delete_nss_crl(void *kmfhandle,
3813089Swyllys char *dir, char *prefix, char *token,
3825051Swyllys char *issuer, char *subject)
3833089Swyllys {
3843089Swyllys KMF_RETURN rv = KMF_OK;
3855051Swyllys int numattr = 0;
3865051Swyllys KMF_ATTRIBUTE attrlist[8];
3875051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
3883089Swyllys
3893089Swyllys rv = configure_nss(kmfhandle, dir, prefix);
3903089Swyllys if (rv != KMF_OK)
3913089Swyllys return (rv);
3923089Swyllys
3935051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
3945051Swyllys &kstype, sizeof (kstype));
3955051Swyllys numattr++;
3963089Swyllys
3975051Swyllys if (token != NULL) {
3985051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
3995051Swyllys token, strlen(token));
4005051Swyllys numattr++;
4015051Swyllys }
4025051Swyllys if (issuer != NULL) {
4035051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
4045051Swyllys issuer, strlen(issuer));
4055051Swyllys numattr++;
4065051Swyllys }
4075051Swyllys if (subject != NULL) {
4085051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
4095051Swyllys subject, strlen(subject));
4105051Swyllys numattr++;
4115051Swyllys }
4123089Swyllys
4135051Swyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist);
4143089Swyllys
4153089Swyllys return (rv);
4163089Swyllys }
4173089Swyllys
4183089Swyllys static KMF_RETURN
delete_pk11_keys(KMF_HANDLE_T kmfhandle,char * token,int oclass,char * objlabel,KMF_CREDENTIAL * tokencred)4193089Swyllys delete_pk11_keys(KMF_HANDLE_T kmfhandle,
4203089Swyllys char *token, int oclass, char *objlabel,
4213089Swyllys KMF_CREDENTIAL *tokencred)
4223089Swyllys {
4233089Swyllys KMF_RETURN rv = KMF_OK;
4243089Swyllys int nk, numkeys = 0;
4255051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
4265051Swyllys int numattr = 0;
4275051Swyllys KMF_ATTRIBUTE attrlist[16];
4285051Swyllys KMF_KEY_CLASS keyclass;
4295051Swyllys boolean_t token_bool = B_TRUE;
4305051Swyllys boolean_t private;
4313089Swyllys /*
4323089Swyllys * Symmetric keys and RSA/DSA private keys are always
4333089Swyllys * created with the "CKA_PRIVATE" field == TRUE, so
4343089Swyllys * make sure we search for them with it also set.
4353089Swyllys */
4363089Swyllys if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ))
4373089Swyllys oclass |= PK_PRIVATE_OBJ;
4383089Swyllys
4393089Swyllys rv = select_token(kmfhandle, token, FALSE);
4403089Swyllys if (rv != KMF_OK) {
4413089Swyllys return (rv);
4423089Swyllys }
4433089Swyllys
4445051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
4455051Swyllys &kstype, sizeof (kstype));
4465051Swyllys numattr++;
4475051Swyllys
4485051Swyllys if (objlabel != NULL) {
4495051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
4505051Swyllys objlabel, strlen(objlabel));
4515051Swyllys numattr++;
4525051Swyllys }
4535051Swyllys
4545051Swyllys if (tokencred != NULL && tokencred->credlen > 0) {
4555051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
4565051Swyllys tokencred, sizeof (KMF_CREDENTIAL));
4575051Swyllys numattr++;
4585051Swyllys }
4595051Swyllys
4605051Swyllys private = ((oclass & PK_PRIVATE_OBJ) > 0);
4615051Swyllys
4625051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
4635051Swyllys &private, sizeof (private));
4645051Swyllys numattr++;
4655051Swyllys
4665051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
4675051Swyllys &token_bool, sizeof (token_bool));
4685051Swyllys numattr++;
4693089Swyllys
4703089Swyllys if (oclass & PK_PRIKEY_OBJ) {
4715051Swyllys int num = numattr;
4725051Swyllys
4735051Swyllys keyclass = KMF_ASYM_PRI;
4745051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
4755051Swyllys &keyclass, sizeof (keyclass));
4765051Swyllys num++;
4775051Swyllys
4785051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "private", &nk);
4793089Swyllys numkeys += nk;
480*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
481*7108Swyllys oclass != PK_PRIKEY_OBJ)
482*7108Swyllys rv = KMF_OK;
4833089Swyllys }
4843089Swyllys
4853089Swyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
4865051Swyllys int num = numattr;
4875051Swyllys
4885051Swyllys keyclass = KMF_SYMMETRIC;
4895051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
4905051Swyllys &keyclass, sizeof (keyclass));
4915051Swyllys num++;
4925051Swyllys
4935051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "symmetric", &nk);
4943089Swyllys numkeys += nk;
495*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
496*7108Swyllys oclass != PK_SYMKEY_OBJ)
497*7108Swyllys rv = KMF_OK;
4983089Swyllys }
4993089Swyllys
5003089Swyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
5015051Swyllys int num = numattr;
5025051Swyllys
5035221Swyllys private = B_FALSE;
5045051Swyllys keyclass = KMF_ASYM_PUB;
5055051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
5065051Swyllys &keyclass, sizeof (keyclass));
5075051Swyllys num++;
5085051Swyllys
5095051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "public", &nk);
5103089Swyllys numkeys += nk;
511*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
512*7108Swyllys oclass != PK_PUBKEY_OBJ)
513*7108Swyllys rv = KMF_OK;
5143089Swyllys }
5153089Swyllys if (rv == KMF_OK && numkeys == 0)
5163089Swyllys rv = KMF_ERR_KEY_NOT_FOUND;
5173089Swyllys
5183089Swyllys return (rv);
5193089Swyllys }
5203089Swyllys
5213089Swyllys static KMF_RETURN
delete_pk11_certs(KMF_HANDLE_T kmfhandle,char * token,char * objlabel,KMF_BIGINT * serno,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)5223089Swyllys delete_pk11_certs(KMF_HANDLE_T kmfhandle,
5233089Swyllys char *token, char *objlabel,
5243089Swyllys KMF_BIGINT *serno, char *issuer, char *subject,
5253089Swyllys KMF_CERT_VALIDITY find_criteria_flag)
5263089Swyllys {
5273089Swyllys KMF_RETURN kmfrv;
5285051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
5295051Swyllys int numattr = 0;
5305051Swyllys KMF_ATTRIBUTE attrlist[16];
5313089Swyllys
5323089Swyllys kmfrv = select_token(kmfhandle, token, FALSE);
5333089Swyllys
5343089Swyllys if (kmfrv != KMF_OK) {
5353089Swyllys return (kmfrv);
5363089Swyllys }
5373089Swyllys
5385051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
5395051Swyllys &kstype, sizeof (kstype));
5405051Swyllys numattr++;
5415051Swyllys
5425051Swyllys if (objlabel != NULL) {
5435051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
5445051Swyllys objlabel, strlen(objlabel));
5455051Swyllys numattr++;
5465051Swyllys }
5475051Swyllys
5485051Swyllys if (issuer != NULL) {
5495051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
5505051Swyllys issuer, strlen(issuer));
5515051Swyllys numattr++;
5525051Swyllys }
5533089Swyllys
5545051Swyllys if (subject != NULL) {
5555051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
5565051Swyllys subject, strlen(subject));
5575051Swyllys numattr++;
5585051Swyllys }
5595051Swyllys
5605051Swyllys if (serno != NULL) {
5615051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR,
5625051Swyllys serno, sizeof (KMF_BIGINT));
5635051Swyllys numattr++;
5645051Swyllys }
5655051Swyllys
5665051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR,
5675051Swyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY));
5685051Swyllys numattr++;
5695051Swyllys
5705051Swyllys kmfrv = pk_delete_certs(kmfhandle, attrlist, numattr);
5713089Swyllys
5723089Swyllys return (kmfrv);
5733089Swyllys }
5743089Swyllys
5753089Swyllys static KMF_RETURN
delete_file_certs(KMF_HANDLE_T kmfhandle,char * dir,char * filename,KMF_BIGINT * serial,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)5763089Swyllys delete_file_certs(KMF_HANDLE_T kmfhandle,
5773089Swyllys char *dir, char *filename, KMF_BIGINT *serial, char *issuer,
5783089Swyllys char *subject, KMF_CERT_VALIDITY find_criteria_flag)
5793089Swyllys {
5803089Swyllys KMF_RETURN rv;
5815051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
5825051Swyllys int numattr = 0;
5835051Swyllys KMF_ATTRIBUTE attrlist[16];
5845051Swyllys
5855051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
5865051Swyllys &kstype, sizeof (kstype));
5875051Swyllys numattr++;
5885051Swyllys
5895051Swyllys if (issuer != NULL) {
5905051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
5915051Swyllys issuer, strlen(issuer));
5925051Swyllys numattr++;
5935051Swyllys }
5945051Swyllys
5955051Swyllys if (subject != NULL) {
5965051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
5975051Swyllys subject, strlen(subject));
5985051Swyllys numattr++;
5995051Swyllys }
6003089Swyllys
6015051Swyllys if (serial != NULL) {
6025051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR,
6035051Swyllys serial, sizeof (KMF_BIGINT));
6045051Swyllys numattr++;
6055051Swyllys }
6065051Swyllys
6075051Swyllys if (dir != NULL) {
6085051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR,
6095051Swyllys dir, strlen(dir));
6105051Swyllys numattr++;
6115051Swyllys }
6123089Swyllys
6135051Swyllys if (filename != NULL) {
6145051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
6155051Swyllys filename, strlen(filename));
6165051Swyllys numattr++;
6175051Swyllys }
6183089Swyllys
6195051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR,
6205051Swyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY));
6215051Swyllys numattr++;
6225051Swyllys
6235051Swyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr);
6243089Swyllys
6253089Swyllys return (rv);
6263089Swyllys }
6273089Swyllys
6283089Swyllys static KMF_RETURN
delete_file_keys(KMF_HANDLE_T kmfhandle,int oclass,char * dir,char * infile)6293089Swyllys delete_file_keys(KMF_HANDLE_T kmfhandle, int oclass,
6303089Swyllys char *dir, char *infile)
6313089Swyllys {
6323089Swyllys KMF_RETURN rv = KMF_OK;
6333089Swyllys char *keytype = "";
6343089Swyllys int nk, numkeys = 0;
6355051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
6365051Swyllys int numattr = 0;
6375051Swyllys KMF_ATTRIBUTE attrlist[16];
6385051Swyllys KMF_KEY_CLASS keyclass;
6393089Swyllys
6405051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
6415051Swyllys &kstype, sizeof (kstype));
6425051Swyllys numattr++;
6435051Swyllys
6445051Swyllys if (dir != NULL) {
6455051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR,
6465051Swyllys dir, strlen(dir));
6475051Swyllys numattr++;
6485051Swyllys }
6495051Swyllys
6505051Swyllys if (infile != NULL) {
6515051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR,
6525051Swyllys infile, strlen(infile));
6535051Swyllys numattr++;
6545051Swyllys }
6553089Swyllys
6563089Swyllys if (oclass & (PK_PUBKEY_OBJ | PK_PRIKEY_OBJ)) {
6575051Swyllys int num = numattr;
6585051Swyllys
6595051Swyllys keyclass = KMF_ASYM_PRI;
6605051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
6615051Swyllys &keyclass, sizeof (keyclass));
6625051Swyllys num++;
6635051Swyllys
6643089Swyllys keytype = "Asymmetric";
6655051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
6663089Swyllys numkeys += nk;
6673089Swyllys }
668*7108Swyllys if (oclass & PK_SYMKEY_OBJ) {
6695051Swyllys int num = numattr;
6705051Swyllys
6715051Swyllys keyclass = KMF_SYMMETRIC;
6725051Swyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
6735051Swyllys &keyclass, sizeof (keyclass));
6745051Swyllys num++;
6755051Swyllys
6763089Swyllys keytype = "symmetric";
6775051Swyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
6783089Swyllys numkeys += nk;
679*7108Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && numkeys > 0)
680*7108Swyllys rv = KMF_OK;
6813089Swyllys }
6823089Swyllys if (rv == KMF_OK && numkeys == 0)
6833089Swyllys rv = KMF_ERR_KEY_NOT_FOUND;
6843089Swyllys
6853089Swyllys return (rv);
6863089Swyllys }
6873089Swyllys
6883089Swyllys static KMF_RETURN
delete_file_crl(void * kmfhandle,char * filename)6896669Swyllys delete_file_crl(void *kmfhandle, char *filename)
6903089Swyllys {
6913089Swyllys KMF_RETURN rv;
6925051Swyllys int numattr = 0;
6935051Swyllys KMF_ATTRIBUTE attrlist[4];
6945051Swyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
6953089Swyllys
6966669Swyllys if (filename == NULL || strlen(filename) == 0)
6976669Swyllys return (KMF_ERR_BAD_PARAMETER);
6986669Swyllys
6995051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
7005051Swyllys &kstype, sizeof (kstype));
7015051Swyllys numattr++;
7023089Swyllys
7035051Swyllys if (filename) {
7045051Swyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR,
7055051Swyllys filename, strlen(filename));
7065051Swyllys numattr++;
7075051Swyllys }
7083089Swyllys
7095051Swyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist);
7103089Swyllys
7113089Swyllys return (rv);
7123089Swyllys }
71317Sdinak
71417Sdinak /*
71517Sdinak * Delete token objects.
71617Sdinak */
71717Sdinak int
pk_delete(int argc,char * argv[])71817Sdinak pk_delete(int argc, char *argv[])
71917Sdinak {
72017Sdinak int opt;
721864Sdinak extern int optind_av;
722864Sdinak extern char *optarg_av;
723864Sdinak char *token_spec = NULL;
7243089Swyllys char *subject = NULL;
7253089Swyllys char *issuer = NULL;
7263089Swyllys char *dir = NULL;
7273089Swyllys char *prefix = NULL;
7283089Swyllys char *infile = NULL;
7293089Swyllys char *object_label = NULL;
7303089Swyllys char *serstr = NULL;
73117Sdinak
7323089Swyllys int oclass = 0;
7333089Swyllys KMF_BIGINT serial = { NULL, 0 };
7343089Swyllys KMF_HANDLE_T kmfhandle = NULL;
7353089Swyllys KMF_KEYSTORE_TYPE kstype = 0;
736*7108Swyllys KMF_RETURN kmfrv, keyrv, certrv, crlrv;
7373089Swyllys int rv = 0;
7383089Swyllys char *find_criteria = NULL;
7393089Swyllys KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS;
7403089Swyllys KMF_CREDENTIAL tokencred = {NULL, 0};
74117Sdinak
74217Sdinak /* Parse command line options. Do NOT i18n/l10n. */
743864Sdinak while ((opt = getopt_av(argc, argv,
7445051Swyllys "T:(token)y:(objtype)l:(label)"
7455051Swyllys "k:(keystore)s:(subject)n:(nickname)"
7465051Swyllys "d:(dir)p:(prefix)S:(serial)i:(issuer)"
7475051Swyllys "c:(criteria)"
7485051Swyllys "f:(infile)")) != EOF) {
7493089Swyllys
7503089Swyllys if (EMPTYSTRING(optarg_av))
7513089Swyllys return (PK_ERR_USAGE);
75217Sdinak switch (opt) {
753864Sdinak case 'T': /* token specifier */
754864Sdinak if (token_spec)
755864Sdinak return (PK_ERR_USAGE);
756864Sdinak token_spec = optarg_av;
75717Sdinak break;
758864Sdinak case 'y': /* object type: public, private, both */
7593089Swyllys if (oclass)
760864Sdinak return (PK_ERR_USAGE);
7613089Swyllys oclass = OT2Int(optarg_av);
7623089Swyllys if (oclass == -1)
7633089Swyllys return (PK_ERR_USAGE);
76417Sdinak break;
76517Sdinak case 'l': /* objects with specific label */
7663089Swyllys case 'n':
76717Sdinak if (object_label)
76817Sdinak return (PK_ERR_USAGE);
7693089Swyllys object_label = (char *)optarg_av;
7703089Swyllys break;
7713089Swyllys case 'k':
7723089Swyllys kstype = KS2Int(optarg_av);
7733089Swyllys if (kstype == 0)
7743089Swyllys return (PK_ERR_USAGE);
7753089Swyllys break;
7763089Swyllys case 's':
7773089Swyllys subject = optarg_av;
7783089Swyllys break;
7793089Swyllys case 'i':
7803089Swyllys issuer = optarg_av;
7813089Swyllys break;
7823089Swyllys case 'd':
7833089Swyllys dir = optarg_av;
7843089Swyllys break;
7853089Swyllys case 'p':
7863089Swyllys prefix = optarg_av;
7873089Swyllys break;
7883089Swyllys case 'S':
7893089Swyllys serstr = optarg_av;
7903089Swyllys break;
7913089Swyllys case 'f':
7923089Swyllys infile = optarg_av;
7933089Swyllys break;
7943089Swyllys case 'c':
7953089Swyllys find_criteria = optarg_av;
7963089Swyllys if (!strcasecmp(find_criteria, "valid"))
7973089Swyllys find_criteria_flag =
7985051Swyllys KMF_NONEXPIRED_CERTS;
7993089Swyllys else if (!strcasecmp(find_criteria, "expired"))
8003089Swyllys find_criteria_flag = KMF_EXPIRED_CERTS;
8013089Swyllys else if (!strcasecmp(find_criteria, "both"))
8023089Swyllys find_criteria_flag = KMF_ALL_CERTS;
8033089Swyllys else
8043089Swyllys return (PK_ERR_USAGE);
80517Sdinak break;
80617Sdinak default:
80717Sdinak return (PK_ERR_USAGE);
80817Sdinak break;
80917Sdinak }
81017Sdinak }
81117Sdinak
8123089Swyllys /* Assume keystore = PKCS#11 if not specified */
8133089Swyllys if (kstype == 0)
8143089Swyllys kstype = KMF_KEYSTORE_PK11TOKEN;
8153089Swyllys
8163089Swyllys /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
8173089Swyllys if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) &&
8185051Swyllys kstype != KMF_KEYSTORE_PK11TOKEN) {
8193089Swyllys
8203089Swyllys (void) fprintf(stderr, gettext("The objtype parameter "
8215051Swyllys "is only relevant if keystore=pkcs11\n"));
8223089Swyllys return (PK_ERR_USAGE);
823864Sdinak }
824864Sdinak
82517Sdinak
82617Sdinak /* No additional args allowed. */
827864Sdinak argc -= optind_av;
828864Sdinak argv += optind_av;
82917Sdinak if (argc)
83017Sdinak return (PK_ERR_USAGE);
83117Sdinak /* Done parsing command line options. */
83217Sdinak
8336884Swyllys DIR_OPTION_CHECK(kstype, dir);
8346884Swyllys
8353089Swyllys if (kstype == KMF_KEYSTORE_PK11TOKEN && token_spec == NULL) {
8363089Swyllys token_spec = PK_DEFAULT_PK11TOKEN;
8373089Swyllys } else if (kstype == KMF_KEYSTORE_NSS && token_spec == NULL) {
8383089Swyllys token_spec = DEFAULT_NSS_TOKEN;
83917Sdinak }
84017Sdinak
8413089Swyllys if (serstr != NULL) {
8423089Swyllys uchar_t *bytes = NULL;
8433089Swyllys size_t bytelen;
8443089Swyllys
8455051Swyllys rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
8463089Swyllys if (rv != KMF_OK || bytes == NULL) {
8473089Swyllys (void) fprintf(stderr, gettext("serial number "
8485051Swyllys "must be specified as a hex number "
8495051Swyllys "(ex: 0x0102030405ffeeddee)\n"));
8503089Swyllys return (PK_ERR_USAGE);
8513089Swyllys }
8523089Swyllys serial.val = bytes;
8533089Swyllys serial.len = bytelen;
8545221Swyllys /* If serial number was given, it must be a cert search */
8555221Swyllys if (oclass == 0)
8565221Swyllys oclass = PK_CERT_OBJ;
85717Sdinak }
8585221Swyllys /*
8595221Swyllys * If no object type was given but subject or issuer was,
8605221Swyllys * it must be a certificate we are looking to delete.
8615221Swyllys */
8625221Swyllys if ((issuer != NULL || subject != NULL) && oclass == 0)
8635221Swyllys oclass = PK_CERT_OBJ;
8645221Swyllys /* If no object class specified, delete everything but CRLs */
8655221Swyllys if (oclass == 0)
8665221Swyllys oclass = PK_CERT_OBJ | PK_KEY_OBJ;
86717Sdinak
8683089Swyllys if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
8695051Swyllys kstype == KMF_KEYSTORE_NSS) &&
8705051Swyllys (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) {
87117Sdinak
8723089Swyllys (void) get_token_password(kstype, token_spec,
8735051Swyllys &tokencred);
87417Sdinak }
87517Sdinak
8765051Swyllys if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK)
8773089Swyllys return (kmfrv);
8783089Swyllys
879*7108Swyllys keyrv = certrv = crlrv = KMF_OK;
8803089Swyllys switch (kstype) {
8813089Swyllys case KMF_KEYSTORE_PK11TOKEN:
8823089Swyllys if (oclass & PK_KEY_OBJ) {
883*7108Swyllys keyrv = delete_pk11_keys(kmfhandle,
8845051Swyllys token_spec, oclass,
8855051Swyllys object_label, &tokencred);
8863089Swyllys /*
8873089Swyllys * If deleting groups of objects, it is OK
8883089Swyllys * to ignore the "key not found" case so that
8893089Swyllys * we can continue to find other objects.
8903089Swyllys */
891*7108Swyllys if (keyrv != KMF_OK &&
892*7108Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND)
8933089Swyllys break;
8943089Swyllys }
8953089Swyllys if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
896*7108Swyllys certrv = delete_pk11_certs(kmfhandle,
8975051Swyllys token_spec, object_label,
8985051Swyllys &serial, issuer,
8995051Swyllys subject, find_criteria_flag);
9003089Swyllys /*
9013089Swyllys * If cert delete failed, but we are looking at
9023089Swyllys * other objects, then it is OK.
9033089Swyllys */
904*7108Swyllys if (certrv != KMF_OK &&
905*7108Swyllys certrv != KMF_ERR_CERT_NOT_FOUND)
9063089Swyllys break;
9073089Swyllys }
9083089Swyllys if (oclass & PK_CRL_OBJ)
909*7108Swyllys crlrv = delete_file_crl(kmfhandle,
9106669Swyllys infile);
9113089Swyllys break;
9123089Swyllys case KMF_KEYSTORE_NSS:
913*7108Swyllys keyrv = certrv = crlrv = KMF_OK;
9143089Swyllys if (oclass & PK_KEY_OBJ) {
915*7108Swyllys keyrv = delete_nss_keys(kmfhandle,
9165051Swyllys dir, prefix, token_spec,
9175051Swyllys oclass, (char *)object_label,
9185051Swyllys &tokencred);
919*7108Swyllys if (keyrv != KMF_OK &&
920*7108Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND)
9213089Swyllys break;
9223089Swyllys }
9233089Swyllys if (oclass & PK_CERT_OBJ) {
924*7108Swyllys certrv = delete_nss_certs(kmfhandle,
9255051Swyllys dir, prefix, token_spec,
9265051Swyllys (char *)object_label,
9275051Swyllys &serial, issuer, subject,
9285051Swyllys find_criteria_flag);
929*7108Swyllys if (certrv != KMF_OK &&
930*7108Swyllys certrv != KMF_ERR_CERT_NOT_FOUND)
9313089Swyllys break;
9323089Swyllys }
9333089Swyllys if (oclass & PK_CRL_OBJ)
934*7108Swyllys crlrv = delete_nss_crl(kmfhandle,
9355051Swyllys dir, prefix, token_spec,
9365051Swyllys (char *)object_label, subject);
9373089Swyllys break;
9383089Swyllys case KMF_KEYSTORE_OPENSSL:
9393089Swyllys if (oclass & PK_KEY_OBJ) {
940*7108Swyllys keyrv = delete_file_keys(kmfhandle, oclass,
9415051Swyllys dir, infile);
942*7108Swyllys if (keyrv != KMF_OK)
9433089Swyllys break;
9443089Swyllys }
9453089Swyllys if (oclass & (PK_CERT_OBJ)) {
946*7108Swyllys certrv = delete_file_certs(kmfhandle,
9475051Swyllys dir, infile, &serial, issuer,
9485051Swyllys subject, find_criteria_flag);
949*7108Swyllys if (certrv != KMF_OK)
9503089Swyllys break;
9513089Swyllys }
9523089Swyllys if (oclass & PK_CRL_OBJ)
953*7108Swyllys crlrv = delete_file_crl(kmfhandle,
9546669Swyllys infile);
9553089Swyllys break;
9563089Swyllys default:
9573089Swyllys rv = PK_ERR_USAGE;
9583089Swyllys break;
95917Sdinak }
96017Sdinak
961*7108Swyllys /*
962*7108Swyllys * Logic here:
963*7108Swyllys * If searching for more than just one class of object (key or cert)
964*7108Swyllys * and only 1 of the classes was not found, it is not an error.
965*7108Swyllys * If searching for just one class of object, that failure should
966*7108Swyllys * be reported.
967*7108Swyllys *
968*7108Swyllys * Any error other than "KMF_ERR_[key/cert]_NOT_FOUND" should
969*7108Swyllys * be reported either way.
970*7108Swyllys */
971*7108Swyllys if (keyrv != KMF_ERR_KEY_NOT_FOUND && keyrv != KMF_OK)
972*7108Swyllys kmfrv = keyrv;
973*7108Swyllys else if (certrv != KMF_OK && certrv != KMF_ERR_CERT_NOT_FOUND)
974*7108Swyllys kmfrv = certrv;
975*7108Swyllys else if (crlrv != KMF_OK && crlrv != KMF_ERR_CRL_NOT_FOUND)
976*7108Swyllys kmfrv = crlrv;
977*7108Swyllys
978*7108Swyllys /*
979*7108Swyllys * If nothing was found, return error.
980*7108Swyllys */
981*7108Swyllys if ((keyrv == KMF_ERR_KEY_NOT_FOUND && (oclass & PK_KEY_OBJ)) &&
982*7108Swyllys (certrv == KMF_ERR_CERT_NOT_FOUND && (oclass & PK_CERT_OBJ)))
983*7108Swyllys kmfrv = KMF_ERR_KEY_NOT_FOUND;
984*7108Swyllys
985*7108Swyllys if (kmfrv != KMF_OK)
986*7108Swyllys goto out;
987*7108Swyllys
988*7108Swyllys if (keyrv != KMF_OK && (oclass == PK_KEY_OBJ))
989*7108Swyllys kmfrv = keyrv;
990*7108Swyllys else if (certrv != KMF_OK && (oclass == PK_CERT_OBJ))
991*7108Swyllys kmfrv = certrv;
992*7108Swyllys else if (crlrv != KMF_OK && (oclass == PK_CRL_OBJ))
993*7108Swyllys kmfrv = crlrv;
994*7108Swyllys
995*7108Swyllys out:
9963089Swyllys if (kmfrv != KMF_OK) {
9973089Swyllys display_error(kmfhandle, kmfrv,
9985051Swyllys gettext("Error deleting objects"));
99917Sdinak }
100017Sdinak
10013089Swyllys if (serial.val != NULL)
10023089Swyllys free(serial.val);
10035051Swyllys (void) kmf_finalize(kmfhandle);
10043089Swyllys return (kmfrv);
100517Sdinak }
1006