1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 /*
26 * This file implements the token object list operation for this tool.
27 * It loads the PKCS#11 modules, finds the object to list, lists it,
28 * and cleans up. User must be logged into the token to list private
29 * objects.
30 */
31
32 #include <stdio.h>
33 #include <errno.h>
34 #include <string.h>
35 #include <cryptoutil.h>
36 #include <security/cryptoki.h>
37 #include "common.h"
38
39 #include <kmfapi.h>
40
41 static void
pk_show_certs(KMF_HANDLE_T kmfhandle,KMF_X509_DER_CERT * certs,int num_certs)42 pk_show_certs(KMF_HANDLE_T kmfhandle, KMF_X509_DER_CERT *certs, int num_certs)
43 {
44 int i;
45 char *subject, *issuer, *serial, *id, *altname;
46 char *start, *end, *keyusage, *extkeyusage;
47
48 for (i = 0; i < num_certs; i++) {
49 subject = NULL;
50 issuer = NULL;
51 serial = NULL;
52 id = NULL;
53 altname = NULL;
54 start = end = NULL;
55 keyusage = extkeyusage = NULL;
56
57 (void) fprintf(stdout,
58 gettext("%d. (X.509 certificate)\n"), i + 1);
59 if (certs[i].kmf_private.label != NULL)
60 (void) fprintf(stdout, gettext("\t%s: %s\n"),
61 (certs[i].kmf_private.keystore_type ==
62 KMF_KEYSTORE_OPENSSL ? "Filename" : "Label"),
63 certs[i].kmf_private.label);
64 if (kmf_get_cert_id_str(&certs[i].certificate,
65 &id) == KMF_OK)
66 (void) fprintf(stdout, gettext("\tID: %s\n"), id);
67 if (kmf_get_cert_subject_str(kmfhandle,
68 &certs[i].certificate, &subject) == KMF_OK)
69 (void) fprintf(stdout, gettext("\tSubject: %s\n"),
70 subject);
71 if (kmf_get_cert_issuer_str(kmfhandle,
72 &certs[i].certificate, &issuer) == KMF_OK)
73 (void) fprintf(stdout, gettext("\tIssuer: %s\n"),
74 issuer);
75 if (kmf_get_cert_start_date_str(kmfhandle,
76 &certs[i].certificate, &start) == KMF_OK)
77 (void) fprintf(stdout, gettext("\tNot Before: %s\n"),
78 start);
79 if (kmf_get_cert_end_date_str(kmfhandle,
80 &certs[i].certificate, &end) == KMF_OK)
81 (void) fprintf(stdout, gettext("\tNot After: %s\n"),
82 end);
83 if (kmf_get_cert_serial_str(kmfhandle,
84 &certs[i].certificate, &serial) == KMF_OK)
85 (void) fprintf(stdout, gettext("\tSerial: %s\n"),
86 serial);
87 if (kmf_get_cert_extn_str(kmfhandle,
88 &certs[i].certificate, KMF_X509_EXT_SUBJ_ALTNAME,
89 &altname) == KMF_OK) {
90 (void) fprintf(stdout, gettext("\t%s\n"),
91 altname);
92 }
93 if (kmf_get_cert_extn_str(kmfhandle,
94 &certs[i].certificate, KMF_X509_EXT_KEY_USAGE,
95 &keyusage) == KMF_OK) {
96 (void) fprintf(stdout, gettext("\t%s\n"),
97 keyusage);
98 }
99 if (kmf_get_cert_extn_str(kmfhandle,
100 &certs[i].certificate, KMF_X509_EXT_EXT_KEY_USAGE,
101 &extkeyusage) == KMF_OK) {
102 (void) fprintf(stdout, gettext("\t%s\n"),
103 extkeyusage);
104 }
105 kmf_free_str(subject);
106 kmf_free_str(issuer);
107 kmf_free_str(serial);
108 kmf_free_str(id);
109 kmf_free_str(altname);
110 kmf_free_str(keyusage);
111 kmf_free_str(extkeyusage);
112 kmf_free_str(start);
113 kmf_free_str(end);
114 (void) fprintf(stdout, "\n");
115 }
116 }
117
118 static char *
describeKey(KMF_KEY_HANDLE * key)119 describeKey(KMF_KEY_HANDLE *key)
120 {
121 if (key->keyclass == KMF_ASYM_PUB) {
122 if (key->keyalg == KMF_RSA)
123 return (gettext("RSA public key"));
124 if (key->keyalg == KMF_DSA)
125 return (gettext("DSA public key"));
126 if (key->keyalg == KMF_ECDSA)
127 return (gettext("ECDSA public key"));
128 }
129 if (key->keyclass == KMF_ASYM_PRI) {
130 if (key->keyalg == KMF_RSA)
131 return (gettext("RSA private key"));
132 if (key->keyalg == KMF_DSA)
133 return (gettext("DSA private key"));
134 if (key->keyalg == KMF_ECDSA)
135 return (gettext("ECDSA private key"));
136 }
137 if (key->keyclass == KMF_SYMMETRIC) {
138 switch (key->keyalg) {
139 case KMF_AES:
140 return (gettext("AES"));
141 break;
142 case KMF_RC4:
143 return (gettext("ARCFOUR"));
144 break;
145 case KMF_DES:
146 return (gettext("DES"));
147 break;
148 case KMF_DES3:
149 return (gettext("Triple-DES"));
150 break;
151 default:
152 return (gettext("symmetric"));
153 break;
154 }
155 }
156
157 return (gettext("unrecognized key object"));
158
159 }
160
161
162 static void
pk_show_keys(void * handle,KMF_KEY_HANDLE * keys,int numkeys)163 pk_show_keys(void *handle, KMF_KEY_HANDLE *keys, int numkeys)
164 {
165 int i;
166
167 for (i = 0; i < numkeys; i++) {
168 (void) fprintf(stdout, gettext("Key #%d - %s: %s"),
169 i+1, describeKey(&keys[i]),
170 keys[i].keylabel ? keys[i].keylabel :
171 gettext("No label"));
172
173 if (keys[i].keyclass == KMF_SYMMETRIC) {
174 KMF_RETURN rv;
175 KMF_RAW_SYM_KEY rkey;
176
177 (void) memset(&rkey, 0, sizeof (rkey));
178 rv = kmf_get_sym_key_value(handle, &keys[i],
179 &rkey);
180 if (rv == KMF_OK) {
181 (void) fprintf(stdout, " (%d bits)",
182 rkey.keydata.len * 8);
183 kmf_free_bigint(&rkey.keydata);
184 } else if (keys[i].kstype == KMF_KEYSTORE_PK11TOKEN) {
185 if (rv == KMF_ERR_SENSITIVE_KEY) {
186 (void) fprintf(stdout, " (sensitive)");
187 } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) {
188 (void) fprintf(stdout,
189 " (non-extractable)");
190 } else {
191 char *err = NULL;
192 if (kmf_get_kmf_error_str(rv, &err) ==
193 KMF_OK)
194 (void) fprintf(stdout,
195 " (error: %s)", err);
196 if (err != NULL)
197 free(err);
198 }
199 }
200 }
201 (void) fprintf(stdout, "\n");
202 }
203 }
204
205 /*
206 * Generic routine used by all "list cert" operations to find
207 * all matching certificates.
208 */
209 static KMF_RETURN
pk_find_certs(KMF_HANDLE_T kmfhandle,KMF_ATTRIBUTE * attrlist,int numattr)210 pk_find_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attrlist, int numattr)
211 {
212 KMF_RETURN rv = KMF_OK;
213 KMF_X509_DER_CERT *certlist = NULL;
214 uint32_t numcerts = 0;
215 KMF_KEYSTORE_TYPE kstype;
216
217 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
218 &kstype, NULL);
219 if (rv != KMF_OK)
220 return (rv);
221
222 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
223 &numcerts, sizeof (uint32_t));
224 numattr++;
225
226 rv = kmf_find_cert(kmfhandle, numattr, attrlist);
227 if (rv == KMF_OK && numcerts > 0) {
228 (void) printf(gettext("Found %d certificates.\n"),
229 numcerts);
230 certlist = (KMF_X509_DER_CERT *)malloc(numcerts *
231 sizeof (KMF_X509_DER_CERT));
232 if (certlist == NULL)
233 return (KMF_ERR_MEMORY);
234 (void) memset(certlist, 0, numcerts *
235 sizeof (KMF_X509_DER_CERT));
236
237 kmf_set_attr_at_index(attrlist, numattr,
238 KMF_X509_DER_CERT_ATTR, certlist,
239 sizeof (KMF_X509_DER_CERT));
240 numattr++;
241
242 rv = kmf_find_cert(kmfhandle, numattr, attrlist);
243 if (rv == KMF_OK) {
244 int i;
245 (void) pk_show_certs(kmfhandle, certlist,
246 numcerts);
247 for (i = 0; i < numcerts; i++)
248 kmf_free_kmf_cert(kmfhandle, &certlist[i]);
249 }
250 free(certlist);
251 }
252 if (rv == KMF_ERR_CERT_NOT_FOUND &&
253 kstype != KMF_KEYSTORE_OPENSSL)
254 rv = KMF_OK;
255
256 return (rv);
257 }
258
259 static KMF_RETURN
pk_list_keys(void * handle,KMF_ATTRIBUTE * attrlist,int numattr,char * label)260 pk_list_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr, char *label)
261 {
262 KMF_RETURN rv;
263 KMF_KEY_HANDLE *keys;
264 uint32_t numkeys = 0;
265 KMF_KEYSTORE_TYPE kstype;
266
267 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
268 &kstype, NULL);
269 if (rv != KMF_OK)
270 return (rv);
271
272 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
273 &numkeys, sizeof (uint32_t));
274 numattr++;
275
276 rv = kmf_find_key(handle, numattr, attrlist);
277 if (rv == KMF_OK && numkeys > 0) {
278 int i;
279 (void) printf(gettext("Found %d %s keys.\n"),
280 numkeys, label);
281 keys = (KMF_KEY_HANDLE *)malloc(numkeys *
282 sizeof (KMF_KEY_HANDLE));
283 if (keys == NULL)
284 return (KMF_ERR_MEMORY);
285 (void) memset(keys, 0, numkeys *
286 sizeof (KMF_KEY_HANDLE));
287
288 kmf_set_attr_at_index(attrlist, numattr,
289 KMF_KEY_HANDLE_ATTR,
290 keys, sizeof (KMF_KEY_HANDLE));
291 numattr++;
292
293 rv = kmf_find_key(handle, numattr, attrlist);
294 if (rv == KMF_OK)
295 pk_show_keys(handle, keys, numkeys);
296 for (i = 0; i < numkeys; i++)
297 kmf_free_kmf_key(handle, &keys[i]);
298 free(keys);
299 }
300 if (rv == KMF_ERR_KEY_NOT_FOUND &&
301 kstype != KMF_KEYSTORE_OPENSSL)
302 rv = KMF_OK;
303 return (rv);
304 }
305
306 static KMF_RETURN
list_pk11_objects(KMF_HANDLE_T kmfhandle,char * token,int oclass,char * objlabel,KMF_BIGINT * serial,char * issuer,char * subject,char * dir,char * filename,KMF_CREDENTIAL * tokencred,KMF_CERT_VALIDITY find_criteria_flag)307 list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
308 char *objlabel, KMF_BIGINT *serial, char *issuer, char *subject,
309 char *dir, char *filename, KMF_CREDENTIAL *tokencred,
310 KMF_CERT_VALIDITY find_criteria_flag)
311 {
312 KMF_RETURN rv;
313 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
314 int numattr = 0;
315 KMF_ATTRIBUTE attrlist[18];
316 boolean_t token_bool = B_TRUE;
317 boolean_t private = B_FALSE;
318 KMF_KEY_CLASS keyclass;
319 KMF_ENCODE_FORMAT format;
320 int auth = 0;
321 KMF_CREDENTIAL cred = {NULL, 0};
322
323 /*
324 * Symmetric keys and RSA/DSA/ECDSA private keys are always
325 * created with the "CKA_PRIVATE" field == TRUE, so
326 * make sure we search for them with it also set.
327 */
328 if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ))
329 oclass |= PK_PRIVATE_OBJ;
330
331 rv = select_token(kmfhandle, token,
332 !(oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ)));
333
334 if (rv != KMF_OK) {
335 return (rv);
336 }
337
338 rv = token_auth_needed(kmfhandle, token, &auth);
339 if (rv != KMF_OK)
340 return (rv);
341
342 if (tokencred != NULL)
343 cred = *tokencred;
344
345 if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) {
346 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
347 &kstype, sizeof (kstype));
348 numattr++;
349
350 if (objlabel != NULL) {
351 kmf_set_attr_at_index(attrlist, numattr,
352 KMF_KEYLABEL_ATTR, objlabel,
353 strlen(objlabel));
354 numattr++;
355 }
356
357 private = ((oclass & PK_PRIVATE_OBJ) > 0);
358
359 kmf_set_attr_at_index(attrlist, numattr,
360 KMF_PRIVATE_BOOL_ATTR, &private,
361 sizeof (private));
362 numattr++;
363
364 kmf_set_attr_at_index(attrlist, numattr,
365 KMF_TOKEN_BOOL_ATTR, &token_bool,
366 sizeof (token_bool));
367 numattr++;
368
369 if (oclass & PK_PRIKEY_OBJ) {
370 int num = numattr;
371
372 keyclass = KMF_ASYM_PRI;
373 kmf_set_attr_at_index(attrlist, num,
374 KMF_KEYCLASS_ATTR, &keyclass,
375 sizeof (keyclass));
376 num++;
377
378 if (tokencred != NULL &&
379 tokencred->credlen > 0) {
380 kmf_set_attr_at_index(attrlist, num,
381 KMF_CREDENTIAL_ATTR, tokencred,
382 sizeof (KMF_CREDENTIAL));
383 num++;
384 }
385
386 /* list asymmetric private keys */
387 rv = pk_list_keys(kmfhandle, attrlist, num,
388 "asymmetric private");
389 }
390
391 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
392 int num = numattr;
393
394 keyclass = KMF_SYMMETRIC;
395 kmf_set_attr_at_index(attrlist, num,
396 KMF_KEYCLASS_ATTR, &keyclass,
397 sizeof (keyclass));
398 num++;
399
400 if (tokencred != NULL &&
401 tokencred->credlen > 0) {
402 kmf_set_attr_at_index(attrlist, num,
403 KMF_CREDENTIAL_ATTR, tokencred,
404 sizeof (KMF_CREDENTIAL));
405 num++;
406 }
407
408 format = KMF_FORMAT_RAWKEY;
409 kmf_set_attr_at_index(attrlist, num,
410 KMF_ENCODE_FORMAT_ATTR, &format,
411 sizeof (format));
412 num++;
413
414 /* list symmetric keys */
415 rv = pk_list_keys(kmfhandle, attrlist, num,
416 "symmetric");
417 }
418
419 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
420 int num = numattr;
421
422 if (auth > 0 && (tokencred == NULL ||
423 tokencred->cred == NULL) &&
424 (cred.cred == NULL)) {
425 (void) get_token_password(kstype, token, &cred);
426 kmf_set_attr_at_index(attrlist, num,
427 KMF_CREDENTIAL_ATTR,
428 &cred, sizeof (KMF_CREDENTIAL));
429 num++;
430 }
431
432 private = B_FALSE;
433 keyclass = KMF_ASYM_PUB;
434 kmf_set_attr_at_index(attrlist, num,
435 KMF_KEYCLASS_ATTR, &keyclass,
436 sizeof (keyclass));
437 num++;
438
439 /* list asymmetric public keys (if any) */
440 rv = pk_list_keys(kmfhandle, attrlist, num,
441 "asymmetric public");
442 }
443
444 if (rv != KMF_OK)
445 return (rv);
446 }
447
448 numattr = 0;
449 if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
450 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
451 &kstype, sizeof (kstype));
452
453 numattr++;
454 if (auth > 0 && (cred.cred == NULL)) {
455 (void) get_token_password(kstype, token, &cred);
456 }
457
458 if (cred.cred != NULL) {
459 kmf_set_attr_at_index(attrlist, numattr,
460 KMF_CREDENTIAL_ATTR,
461 &cred, sizeof (KMF_CREDENTIAL));
462 numattr++;
463 }
464
465 if (objlabel != NULL) {
466 kmf_set_attr_at_index(attrlist, numattr,
467 KMF_CERT_LABEL_ATTR, objlabel,
468 strlen(objlabel));
469 numattr++;
470 }
471
472 if (issuer != NULL) {
473 kmf_set_attr_at_index(attrlist, numattr,
474 KMF_ISSUER_NAME_ATTR, issuer,
475 strlen(issuer));
476 numattr++;
477 }
478
479 if (subject != NULL) {
480 kmf_set_attr_at_index(attrlist, numattr,
481 KMF_SUBJECT_NAME_ATTR, subject,
482 strlen(subject));
483 numattr++;
484 }
485
486 if (serial != NULL && serial->val != NULL) {
487 kmf_set_attr_at_index(attrlist, numattr,
488 KMF_BIGINT_ATTR, serial,
489 sizeof (KMF_BIGINT));
490 numattr++;
491 }
492
493 kmf_set_attr_at_index(attrlist, numattr,
494 KMF_PRIVATE_BOOL_ATTR, &private,
495 sizeof (private));
496 numattr++;
497
498 kmf_set_attr_at_index(attrlist, numattr,
499 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
500 sizeof (KMF_CERT_VALIDITY));
501 numattr++;
502
503 rv = pk_find_certs(kmfhandle, attrlist, numattr);
504 if (rv != KMF_OK)
505 return (rv);
506 }
507
508 numattr = 0;
509 kstype = KMF_KEYSTORE_OPENSSL; /* CRL is file-based */
510 if (oclass & PK_CRL_OBJ) {
511 char *crldata = NULL;
512
513 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
514 &kstype, sizeof (kstype));
515 numattr++;
516
517 if (dir != NULL) {
518 kmf_set_attr_at_index(attrlist, numattr,
519 KMF_DIRPATH_ATTR, dir, strlen(dir));
520 numattr++;
521 }
522 if (filename != NULL) {
523 kmf_set_attr_at_index(attrlist, numattr,
524 KMF_CRL_FILENAME_ATTR,
525 filename, strlen(filename));
526 numattr++;
527 }
528 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR,
529 &crldata, sizeof (char *));
530 numattr++;
531
532 rv = kmf_list_crl(kmfhandle, numattr, attrlist);
533 if (rv == KMF_OK && crldata != NULL) {
534 (void) printf("%s\n", crldata);
535 free(crldata);
536 }
537 }
538
539 return (rv);
540 }
541
542 static int
list_file_objects(KMF_HANDLE_T kmfhandle,int oclass,char * dir,char * filename,KMF_BIGINT * serial,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)543 list_file_objects(KMF_HANDLE_T kmfhandle, int oclass,
544 char *dir, char *filename, KMF_BIGINT *serial,
545 char *issuer, char *subject,
546 KMF_CERT_VALIDITY find_criteria_flag)
547 {
548 KMF_RETURN rv = KMF_OK;
549 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
550 int numattr = 0;
551 KMF_ATTRIBUTE attrlist[16];
552 KMF_KEY_CLASS keyclass;
553 KMF_ENCODE_FORMAT format;
554 char *defaultdir = ".";
555
556 if (oclass & PK_KEY_OBJ) {
557 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
558 &kstype, sizeof (kstype));
559 numattr++;
560
561 if (dir == NULL && filename == NULL)
562 dir = defaultdir;
563
564 if (dir != NULL) {
565 kmf_set_attr_at_index(attrlist, numattr,
566 KMF_DIRPATH_ATTR, dir,
567 strlen(dir));
568 numattr++;
569 }
570
571 if (filename != NULL) {
572 kmf_set_attr_at_index(attrlist, numattr,
573 KMF_KEY_FILENAME_ATTR, filename,
574 strlen(filename));
575 numattr++;
576 }
577
578 if (oclass & PK_PRIKEY_OBJ) {
579 int num = numattr;
580
581 keyclass = KMF_ASYM_PRI;
582 kmf_set_attr_at_index(attrlist, num,
583 KMF_KEYCLASS_ATTR, &keyclass,
584 sizeof (keyclass));
585 num++;
586
587 /* list asymmetric private keys */
588 rv = pk_list_keys(kmfhandle, attrlist, num,
589 "asymmetric private");
590 }
591 if (rv == KMF_ERR_KEY_NOT_FOUND)
592 rv = KMF_OK;
593
594 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
595 int num = numattr;
596
597 keyclass = KMF_SYMMETRIC;
598 kmf_set_attr_at_index(attrlist, num,
599 KMF_KEYCLASS_ATTR, &keyclass,
600 sizeof (keyclass));
601 num++;
602
603 format = KMF_FORMAT_RAWKEY;
604 kmf_set_attr_at_index(attrlist, num,
605 KMF_ENCODE_FORMAT_ATTR, &format,
606 sizeof (format));
607 num++;
608
609 /* list symmetric keys */
610 rv = pk_list_keys(kmfhandle, attrlist, num,
611 "symmetric");
612 }
613 if (rv == KMF_ERR_KEY_NOT_FOUND)
614 rv = KMF_OK;
615 if (rv != KMF_OK)
616 return (rv);
617 }
618
619 numattr = 0;
620 if (oclass & PK_CERT_OBJ) {
621 kmf_set_attr_at_index(attrlist, numattr,
622 KMF_KEYSTORE_TYPE_ATTR, &kstype,
623 sizeof (kstype));
624 numattr++;
625
626 if (issuer != NULL) {
627 kmf_set_attr_at_index(attrlist, numattr,
628 KMF_ISSUER_NAME_ATTR, issuer,
629 strlen(issuer));
630 numattr++;
631 }
632
633 if (subject != NULL) {
634 kmf_set_attr_at_index(attrlist, numattr,
635 KMF_SUBJECT_NAME_ATTR, subject,
636 strlen(subject));
637 numattr++;
638 }
639
640 if (serial != NULL && serial->val != NULL) {
641 kmf_set_attr_at_index(attrlist, numattr,
642 KMF_BIGINT_ATTR, serial,
643 sizeof (KMF_BIGINT));
644 numattr++;
645 }
646
647 if (filename != NULL) {
648 kmf_set_attr_at_index(attrlist, numattr,
649 KMF_CERT_FILENAME_ATTR, filename,
650 strlen(filename));
651 numattr++;
652 }
653
654 if (dir != NULL) {
655 kmf_set_attr_at_index(attrlist, numattr,
656 KMF_DIRPATH_ATTR, dir,
657 strlen(dir));
658 numattr++;
659 }
660
661 kmf_set_attr_at_index(attrlist, numattr,
662 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
663 sizeof (KMF_CERT_VALIDITY));
664 numattr++;
665
666 rv = pk_find_certs(kmfhandle, attrlist, numattr);
667 if (rv != KMF_OK)
668 return (rv);
669 }
670
671 numattr = 0;
672 if (oclass & PK_CRL_OBJ) {
673 char *crldata = NULL;
674
675 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
676 &kstype, sizeof (kstype));
677 numattr++;
678
679 if (dir != NULL) {
680 kmf_set_attr_at_index(attrlist, numattr,
681 KMF_DIRPATH_ATTR, dir, strlen(dir));
682 numattr++;
683 }
684 if (filename != NULL) {
685 kmf_set_attr_at_index(attrlist, numattr,
686 KMF_CRL_FILENAME_ATTR,
687 filename, strlen(filename));
688 numattr++;
689 }
690 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR,
691 &crldata, sizeof (char *));
692 numattr++;
693
694 rv = kmf_list_crl(kmfhandle, numattr, attrlist);
695 if (rv == KMF_OK && crldata != NULL) {
696 (void) printf("%s\n", crldata);
697 free(crldata);
698 }
699 }
700
701 return (rv);
702 }
703
704 static int
list_nss_objects(KMF_HANDLE_T kmfhandle,int oclass,char * token_spec,char * dir,char * prefix,char * nickname,KMF_BIGINT * serial,char * issuer,char * subject,KMF_CREDENTIAL * tokencred,KMF_CERT_VALIDITY find_criteria_flag)705 list_nss_objects(KMF_HANDLE_T kmfhandle,
706 int oclass, char *token_spec, char *dir, char *prefix,
707 char *nickname, KMF_BIGINT *serial, char *issuer, char *subject,
708 KMF_CREDENTIAL *tokencred,
709 KMF_CERT_VALIDITY find_criteria_flag)
710 {
711 KMF_RETURN rv = KMF_OK;
712 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
713 int numattr = 0;
714 KMF_ATTRIBUTE attrlist[16];
715 KMF_KEY_CLASS keyclass;
716 KMF_ENCODE_FORMAT format;
717
718 rv = configure_nss(kmfhandle, dir, prefix);
719 if (rv != KMF_OK)
720 return (rv);
721
722 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
723 &kstype, sizeof (kstype));
724 numattr++;
725
726 if (oclass & PK_KEY_OBJ) {
727 if (tokencred != NULL && tokencred->credlen > 0) {
728 kmf_set_attr_at_index(attrlist, numattr,
729 KMF_CREDENTIAL_ATTR, tokencred,
730 sizeof (KMF_CREDENTIAL));
731 numattr++;
732 }
733
734 if (token_spec && strlen(token_spec)) {
735 kmf_set_attr_at_index(attrlist, numattr,
736 KMF_TOKEN_LABEL_ATTR, token_spec,
737 strlen(token_spec));
738 numattr++;
739 }
740
741 if (nickname != NULL) {
742 kmf_set_attr_at_index(attrlist, numattr,
743 KMF_KEYLABEL_ATTR, nickname,
744 strlen(nickname));
745 numattr++;
746 }
747 }
748
749 if (oclass & PK_PRIKEY_OBJ) {
750 int num = numattr;
751
752 keyclass = KMF_ASYM_PRI;
753 kmf_set_attr_at_index(attrlist, num,
754 KMF_KEYCLASS_ATTR, &keyclass,
755 sizeof (keyclass));
756 num++;
757
758 /* list asymmetric private keys */
759 rv = pk_list_keys(kmfhandle, attrlist, num,
760 "asymmetric private");
761 }
762
763 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
764 int num = numattr;
765
766 keyclass = KMF_SYMMETRIC;
767 kmf_set_attr_at_index(attrlist, num,
768 KMF_KEYCLASS_ATTR, &keyclass,
769 sizeof (keyclass));
770 num++;
771
772 format = KMF_FORMAT_RAWKEY;
773 kmf_set_attr_at_index(attrlist, num,
774 KMF_ENCODE_FORMAT_ATTR, &format,
775 sizeof (format));
776 num++;
777
778 /* list symmetric keys */
779 rv = pk_list_keys(kmfhandle, attrlist, num, "symmetric");
780 }
781
782 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
783 int num = numattr;
784
785 keyclass = KMF_ASYM_PUB;
786 kmf_set_attr_at_index(attrlist, num,
787 KMF_KEYCLASS_ATTR, &keyclass,
788 sizeof (keyclass));
789 num++;
790
791 /* list asymmetric public keys */
792 rv = pk_list_keys(kmfhandle, attrlist, num,
793 "asymmetric public");
794 }
795
796 /* If searching for public objects or certificates, find certs now */
797 numattr = 0;
798 if (rv == KMF_OK && (oclass & PK_CERT_OBJ)) {
799 kmf_set_attr_at_index(attrlist, numattr,
800 KMF_KEYSTORE_TYPE_ATTR, &kstype,
801 sizeof (kstype));
802 numattr++;
803
804 if (nickname != NULL) {
805 kmf_set_attr_at_index(attrlist, numattr,
806 KMF_CERT_LABEL_ATTR, nickname,
807 strlen(nickname));
808 numattr++;
809 }
810
811 if (issuer != NULL) {
812 kmf_set_attr_at_index(attrlist, numattr,
813 KMF_ISSUER_NAME_ATTR, issuer,
814 strlen(issuer));
815 numattr++;
816 }
817
818 if (subject != NULL) {
819 kmf_set_attr_at_index(attrlist, numattr,
820 KMF_SUBJECT_NAME_ATTR, subject,
821 strlen(subject));
822 numattr++;
823 }
824
825 if (serial != NULL) {
826 kmf_set_attr_at_index(attrlist, numattr,
827 KMF_BIGINT_ATTR, serial,
828 sizeof (KMF_BIGINT));
829 numattr++;
830 }
831
832 if (token_spec != NULL) {
833 kmf_set_attr_at_index(attrlist, numattr,
834 KMF_TOKEN_LABEL_ATTR, token_spec,
835 strlen(token_spec));
836 numattr++;
837 }
838
839 kmf_set_attr_at_index(attrlist, numattr,
840 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
841 sizeof (KMF_CERT_VALIDITY));
842 numattr++;
843
844 rv = pk_find_certs(kmfhandle, attrlist, numattr);
845 }
846
847 numattr = 0;
848 if (rv == KMF_OK && (oclass & PK_CRL_OBJ)) {
849 int numcrls;
850
851 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
852 &kstype, sizeof (kstype));
853 numattr++;
854
855 if (token_spec != NULL) {
856 kmf_set_attr_at_index(attrlist, numattr,
857 KMF_TOKEN_LABEL_ATTR,
858 token_spec, strlen(token_spec));
859 numattr++;
860 }
861 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_COUNT_ATTR,
862 &numcrls, sizeof (int));
863 numattr++;
864
865 rv = kmf_find_crl(kmfhandle, numattr, attrlist);
866 if (rv == KMF_OK) {
867 char **p;
868 if (numcrls == 0) {
869 (void) printf(gettext("No CRLs found in "
870 "NSS keystore.\n"));
871
872 return (KMF_OK);
873 }
874 p = malloc(numcrls * sizeof (char *));
875 if (p == NULL) {
876 return (KMF_ERR_MEMORY);
877 }
878 (void) memset(p, 0, numcrls * sizeof (char *));
879
880 kmf_set_attr_at_index(attrlist, numattr,
881 KMF_CRL_NAMELIST_ATTR, p, sizeof (char *));
882 numattr++;
883 rv = kmf_find_crl(kmfhandle, numattr, attrlist);
884 if (rv == KMF_OK) {
885 int i;
886 for (i = 0; i < numcrls; i++) {
887 (void) printf("%d. Name = %s\n",
888 i + 1, p[i]);
889 free(p[i]);
890 }
891 }
892 free(p);
893 }
894 }
895 return (rv);
896 }
897
898 /*
899 * List token object.
900 */
901 int
pk_list(int argc,char * argv[])902 pk_list(int argc, char *argv[])
903 {
904 int opt;
905 extern int optind_av;
906 extern char *optarg_av;
907 char *token_spec = NULL;
908 char *subject = NULL;
909 char *issuer = NULL;
910 char *dir = NULL;
911 char *prefix = NULL;
912 char *filename = NULL;
913 char *serstr = NULL;
914 KMF_BIGINT serial = { NULL, 0 };
915
916 char *list_label = NULL;
917 int oclass = 0;
918 KMF_KEYSTORE_TYPE kstype = 0;
919 KMF_RETURN rv = KMF_OK;
920 KMF_HANDLE_T kmfhandle = NULL;
921 char *find_criteria = NULL;
922 KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS;
923 KMF_CREDENTIAL tokencred = {NULL, 0};
924
925 /* Parse command line options. Do NOT i18n/l10n. */
926 while ((opt = getopt_av(argc, argv,
927 "k:(keystore)t:(objtype)T:(token)d:(dir)"
928 "p:(prefix)n:(nickname)S:(serial)s:(subject)"
929 "c:(criteria)"
930 "i:(issuer)l:(label)f:(infile)")) != EOF) {
931 if (EMPTYSTRING(optarg_av))
932 return (PK_ERR_USAGE);
933 switch (opt) {
934 case 'k':
935 if (kstype != 0)
936 return (PK_ERR_USAGE);
937 kstype = KS2Int(optarg_av);
938 if (kstype == 0)
939 return (PK_ERR_USAGE);
940 break;
941 case 't':
942 if (oclass != 0)
943 return (PK_ERR_USAGE);
944 oclass = OT2Int(optarg_av);
945 if (oclass == -1)
946 return (PK_ERR_USAGE);
947 break;
948 case 's':
949 if (subject)
950 return (PK_ERR_USAGE);
951 subject = optarg_av;
952 break;
953 case 'i':
954 if (issuer)
955 return (PK_ERR_USAGE);
956 issuer = optarg_av;
957 break;
958 case 'd':
959 if (dir)
960 return (PK_ERR_USAGE);
961 dir = optarg_av;
962 break;
963 case 'p':
964 if (prefix)
965 return (PK_ERR_USAGE);
966 prefix = optarg_av;
967 break;
968 case 'S':
969 serstr = optarg_av;
970 break;
971 case 'f':
972 if (filename)
973 return (PK_ERR_USAGE);
974 filename = optarg_av;
975 break;
976 case 'T': /* token specifier */
977 if (token_spec)
978 return (PK_ERR_USAGE);
979 token_spec = optarg_av;
980 break;
981 case 'n':
982 case 'l': /* object with specific label */
983 if (list_label)
984 return (PK_ERR_USAGE);
985 list_label = optarg_av;
986 break;
987 case 'c':
988 find_criteria = optarg_av;
989 if (!strcasecmp(find_criteria, "valid"))
990 find_criteria_flag =
991 KMF_NONEXPIRED_CERTS;
992 else if (!strcasecmp(find_criteria, "expired"))
993 find_criteria_flag = KMF_EXPIRED_CERTS;
994 else if (!strcasecmp(find_criteria, "both"))
995 find_criteria_flag = KMF_ALL_CERTS;
996 else
997 return (PK_ERR_USAGE);
998 break;
999 default:
1000 return (PK_ERR_USAGE);
1001 }
1002 }
1003 /* No additional args allowed. */
1004 argc -= optind_av;
1005 argv += optind_av;
1006 if (argc)
1007 return (PK_ERR_USAGE);
1008
1009 if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
1010 /* Error message ? */
1011 return (rv);
1012 }
1013
1014 /* Assume keystore = PKCS#11 if not specified. */
1015 if (kstype == 0)
1016 kstype = KMF_KEYSTORE_PK11TOKEN;
1017
1018 /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
1019 if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) &&
1020 kstype != KMF_KEYSTORE_PK11TOKEN) {
1021
1022 (void) fprintf(stderr, gettext("The objtype parameter "
1023 "is only relevant if keystore=pkcs11\n"));
1024 return (PK_ERR_USAGE);
1025 }
1026
1027
1028 if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec)) {
1029 token_spec = PK_DEFAULT_PK11TOKEN;
1030 } else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec)) {
1031 token_spec = DEFAULT_NSS_TOKEN;
1032 }
1033
1034 if (serstr != NULL) {
1035 uchar_t *bytes = NULL;
1036 size_t bytelen;
1037
1038 rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
1039 if (rv != KMF_OK || bytes == NULL) {
1040 (void) fprintf(stderr, gettext("serial number "
1041 "must be specified as a hex number "
1042 "(ex: 0x0102030405ffeeddee)\n"));
1043 return (PK_ERR_USAGE);
1044 }
1045 serial.val = bytes;
1046 serial.len = bytelen;
1047 /* if objtype was not given, it must be for certs */
1048 if (oclass == 0)
1049 oclass = PK_CERT_OBJ;
1050 }
1051 if (oclass == 0 && (issuer != NULL || subject != NULL))
1052 oclass = PK_CERT_OBJ;
1053
1054 /* If no object class specified, list public objects. */
1055 if (oclass == 0)
1056 oclass = PK_CERT_OBJ | PK_PUBKEY_OBJ;
1057
1058 if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
1059 kstype == KMF_KEYSTORE_NSS) &&
1060 (oclass & (PK_PRIKEY_OBJ | PK_PRIVATE_OBJ))) {
1061
1062 (void) get_token_password(kstype, token_spec,
1063 &tokencred);
1064 }
1065 if (kstype == KMF_KEYSTORE_PK11TOKEN) {
1066 rv = list_pk11_objects(kmfhandle, token_spec,
1067 oclass, list_label, &serial,
1068 issuer, subject, dir, filename,
1069 &tokencred, find_criteria_flag);
1070
1071 } else if (kstype == KMF_KEYSTORE_NSS) {
1072 if (dir == NULL)
1073 dir = PK_DEFAULT_DIRECTORY;
1074 rv = list_nss_objects(kmfhandle,
1075 oclass, token_spec, dir, prefix,
1076 list_label, &serial, issuer, subject,
1077 &tokencred, find_criteria_flag);
1078
1079 } else if (kstype == KMF_KEYSTORE_OPENSSL) {
1080
1081 rv = list_file_objects(kmfhandle,
1082 oclass, dir, filename,
1083 &serial, issuer, subject, find_criteria_flag);
1084 }
1085
1086 if (rv != KMF_OK) {
1087 display_error(kmfhandle, rv,
1088 gettext("Error listing objects"));
1089 }
1090
1091 if (serial.val != NULL)
1092 free(serial.val);
1093
1094 if (tokencred.cred != NULL)
1095 free(tokencred.cred);
1096
1097 (void) kmf_finalize(kmfhandle);
1098 return (rv);
1099 }
1100