/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #include #include #include #include #include #include #include #include #include "util.h" #define KC_IGNORE_DATE 0x0000001 #define KC_IGNORE_UNKNOWN_EKUS 0x0000002 #define KC_IGNORE_TRUST_ANCHOR 0x0000004 #define KC_VALIDITY_ADJUSTTIME 0x0000008 #define KC_TA_NAME 0x0000010 #define KC_TA_SERIAL 0x0000020 #define KC_OCSP_RESPONDER_URI 0x0000040 #define KC_OCSP_PROXY 0x0000080 #define KC_OCSP_URI_FROM_CERT 0x0000100 #define KC_OCSP_RESP_LIFETIME 0x0000200 #define KC_OCSP_IGNORE_RESP_SIGN 0x0000400 #define KC_OCSP_RESP_CERT_NAME 0x0000800 #define KC_OCSP_RESP_CERT_SERIAL 0x0001000 #define KC_OCSP_NONE 0x0002000 #define KC_CRL_BASEFILENAME 0x0004000 #define KC_CRL_DIRECTORY 0x0008000 #define KC_CRL_GET_URI 0x0010000 #define KC_CRL_PROXY 0x0020000 #define KC_CRL_IGNORE_SIGN 0x0040000 #define KC_CRL_IGNORE_DATE 0x0080000 #define KC_CRL_NONE 0x0100000 #define KC_KEYUSAGE 0x0200000 #define KC_KEYUSAGE_NONE 0x0400000 #define KC_EKUS 0x0800000 #define KC_EKUS_NONE 0x1000000 int kc_modify(int argc, char *argv[]) { KMF_RETURN ret; int rv = KC_OK; int opt; extern int optind_av; extern char *optarg_av; char *filename = NULL; uint32_t flags = 0; boolean_t ocsp_none_opt = B_FALSE; boolean_t crl_none_opt = B_FALSE; boolean_t ku_none_opt = B_FALSE; boolean_t eku_none_opt = B_FALSE; int ocsp_set_attr = 0; int crl_set_attr = 0; KMF_POLICY_RECORD oplc, plc; (void) memset(&plc, 0, sizeof (KMF_POLICY_RECORD)); (void) memset(&oplc, 0, sizeof (KMF_POLICY_RECORD)); while ((opt = getopt_av(argc, argv, "i:(dbfile)" "p:(policy)" "d:(ignore-date)" "e:(ignore-unknown-eku)" "a:(ignore-trust-anchor)" "v:(validity-adjusttime)" "t:(ta-name)" "s:(ta-serial)" "o:(ocsp-responder)" "P:(ocsp-proxy)" "r:(ocsp-use-cert-responder)" "T:(ocsp-response-lifetime)" "R:(ocsp-ignore-response-sign)" "n:(ocsp-responder-cert-name)" "A:(ocsp-responder-cert-serial)" "y:(ocsp-none)" "c:(crl-basefilename)" "I:(crl-directory)" "g:(crl-get-crl-uri)" "X:(crl-proxy)" "S:(crl-ignore-crl-sign)" "D:(crl-ignore-crl-date)" "z:(crl-none)" "u:(keyusage)" "Y:(keyusage-none)" "E:(ekunames)" "O:(ekuoids)" "Z:(eku-none)")) != EOF) { switch (opt) { case 'i': filename = get_string(optarg_av, &rv); if (filename == NULL) { (void) fprintf(stderr, gettext("Error dbfile input.\n")); } break; case 'p': plc.name = get_string(optarg_av, &rv); if (plc.name == NULL) { (void) fprintf(stderr, gettext("Error policy name.\n")); } break; case 'd': plc.ignore_date = get_boolean(optarg_av); if (plc.ignore_date == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_IGNORE_DATE; } break; case 'e': plc.ignore_unknown_ekus = get_boolean(optarg_av); if (plc.ignore_unknown_ekus == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_IGNORE_UNKNOWN_EKUS; } break; case 'a': plc.ignore_trust_anchor = get_boolean(optarg_av); if (plc.ignore_trust_anchor == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_IGNORE_TRUST_ANCHOR; } break; case 'v': plc.validity_adjusttime = get_string(optarg_av, &rv); if (plc.validity_adjusttime == NULL) { (void) fprintf(stderr, gettext("Error time input.\n")); } else { uint32_t adj; /* for syntax checking */ if (str2lifetime( plc.validity_adjusttime, &adj) < 0) { (void) fprintf(stderr, gettext("Error time " "input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_VALIDITY_ADJUSTTIME; } } break; case 't': plc.ta_name = get_string(optarg_av, &rv); if (plc.ta_name == NULL) { (void) fprintf(stderr, gettext("Error name input.\n")); } else { KMF_X509_NAME taDN; /* for syntax checking */ if (KMF_DNParser(plc.ta_name, &taDN) != KMF_OK) { (void) fprintf(stderr, gettext("Error name " "input.\n")); rv = KC_ERR_USAGE; } else { KMF_FreeDN(&taDN); flags |= KC_TA_NAME; } } break; case 's': plc.ta_serial = get_string(optarg_av, &rv); if (plc.ta_serial == NULL) { (void) fprintf(stderr, gettext("Error serial input.\n")); } else { uchar_t *bytes = NULL; size_t bytelen; ret = KMF_HexString2Bytes( (uchar_t *)plc.ta_serial, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " "must be specified as a " "hex number " "(ex: 0x0102030405" "ffeeddee)\n")); rv = KC_ERR_USAGE; break; } if (bytes != NULL) free(bytes); flags |= KC_TA_SERIAL; } break; case 'o': plc.VAL_OCSP_RESPONDER_URI = get_string(optarg_av, &rv); if (plc.VAL_OCSP_RESPONDER_URI == NULL) { (void) fprintf(stderr, gettext("Error responder " "input.\n")); } else { flags |= KC_OCSP_RESPONDER_URI; ocsp_set_attr++; } break; case 'P': plc.VAL_OCSP_PROXY = get_string(optarg_av, &rv); if (plc.VAL_OCSP_PROXY == NULL) { (void) fprintf(stderr, gettext("Error proxy input.\n")); } else { flags |= KC_OCSP_PROXY; ocsp_set_attr++; } break; case 'r': plc.VAL_OCSP_URI_FROM_CERT = get_boolean(optarg_av); if (plc.VAL_OCSP_URI_FROM_CERT == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_OCSP_URI_FROM_CERT; ocsp_set_attr++; } break; case 'T': plc.VAL_OCSP_RESP_LIFETIME = get_string(optarg_av, &rv); if (plc.VAL_OCSP_RESP_LIFETIME == NULL) { (void) fprintf(stderr, gettext("Error time input.\n")); } else { uint32_t adj; /* for syntax checking */ if (str2lifetime( plc.VAL_OCSP_RESP_LIFETIME, &adj) < 0) { (void) fprintf(stderr, gettext("Error time " "input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_OCSP_RESP_LIFETIME; ocsp_set_attr++; } } break; case 'R': plc.VAL_OCSP_IGNORE_RESP_SIGN = get_boolean(optarg_av); if (plc.VAL_OCSP_IGNORE_RESP_SIGN == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_OCSP_IGNORE_RESP_SIGN; ocsp_set_attr++; } break; case 'n': plc.VAL_OCSP_RESP_CERT_NAME = get_string(optarg_av, &rv); if (plc.VAL_OCSP_RESP_CERT_NAME == NULL) { (void) fprintf(stderr, gettext("Error name input.\n")); } else { KMF_X509_NAME respDN; /* for syntax checking */ if (KMF_DNParser( plc.VAL_OCSP_RESP_CERT_NAME, &respDN) != KMF_OK) { (void) fprintf(stderr, gettext("Error name " "input.\n")); rv = KC_ERR_USAGE; } else { KMF_FreeDN(&respDN); flags |= KC_OCSP_RESP_CERT_NAME; ocsp_set_attr++; } } break; case 'A': plc.VAL_OCSP_RESP_CERT_SERIAL = get_string(optarg_av, &rv); if (plc.VAL_OCSP_RESP_CERT_SERIAL == NULL) { (void) fprintf(stderr, gettext("Error serial input.\n")); } else { uchar_t *bytes = NULL; size_t bytelen; ret = KMF_HexString2Bytes((uchar_t *) plc.VAL_OCSP_RESP_CERT_SERIAL, &bytes, &bytelen); if (ret != KMF_OK || bytes == NULL) { (void) fprintf(stderr, gettext("serial number " "must be specified as a " "hex number " "(ex: 0x0102030405" "ffeeddee)\n")); rv = KC_ERR_USAGE; break; } if (bytes != NULL) free(bytes); flags |= KC_OCSP_RESP_CERT_SERIAL; ocsp_set_attr++; } break; case 'y': ocsp_none_opt = get_boolean(optarg_av); if (ocsp_none_opt == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_OCSP_NONE; } break; case 'c': plc.VAL_CRL_BASEFILENAME = get_string(optarg_av, &rv); if (plc.VAL_CRL_BASEFILENAME == NULL) { (void) fprintf(stderr, gettext( "Error basefilename input.\n")); } else { flags |= KC_CRL_BASEFILENAME; crl_set_attr++; } break; case 'I': plc.VAL_CRL_DIRECTORY = get_string(optarg_av, &rv); if (plc.VAL_CRL_DIRECTORY == NULL) { (void) fprintf(stderr, gettext("Error boolean input.\n")); } else { flags |= KC_CRL_DIRECTORY; crl_set_attr++; } break; case 'g': plc.VAL_CRL_GET_URI = get_boolean(optarg_av); if (plc.VAL_CRL_GET_URI == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_CRL_GET_URI; crl_set_attr++; } break; case 'X': plc.VAL_CRL_PROXY = get_string(optarg_av, &rv); if (plc.VAL_CRL_PROXY == NULL) { (void) fprintf(stderr, gettext("Error proxy input.\n")); } else { flags |= KC_CRL_PROXY; crl_set_attr++; } break; case 'S': plc.VAL_CRL_IGNORE_SIGN = get_boolean(optarg_av); if (plc.VAL_CRL_IGNORE_SIGN == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_CRL_IGNORE_SIGN; crl_set_attr++; } break; case 'D': plc.VAL_CRL_IGNORE_DATE = get_boolean(optarg_av); if (plc.VAL_CRL_IGNORE_DATE == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_CRL_IGNORE_DATE; crl_set_attr++; } break; case 'z': crl_none_opt = get_boolean(optarg_av); if (crl_none_opt == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_CRL_NONE; } break; case 'u': plc.ku_bits = parseKUlist(optarg_av); if (plc.ku_bits == 0) { (void) fprintf(stderr, gettext( "Error keyusage input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_KEYUSAGE; } break; case 'Y': ku_none_opt = get_boolean(optarg_av); if (ku_none_opt == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_KEYUSAGE_NONE; } break; case 'E': if (parseEKUNames(optarg_av, &plc) != 0) { (void) fprintf(stderr, gettext("Error EKU input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_EKUS; } break; case 'O': if (parseEKUOIDs(optarg_av, &plc) != 0) { (void) fprintf(stderr, gettext("Error EKU OID input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_EKUS; } break; case 'Z': eku_none_opt = get_boolean(optarg_av); if (eku_none_opt == -1) { (void) fprintf(stderr, gettext("Error boolean input.\n")); rv = KC_ERR_USAGE; } else { flags |= KC_EKUS_NONE; } break; default: (void) fprintf(stderr, gettext("Error input option.\n")); rv = KC_ERR_USAGE; break; } if (rv != KC_OK) goto out; } /* No additional args allowed. */ argc -= optind_av; if (argc) { (void) fprintf(stderr, gettext("Error input option\n")); rv = KC_ERR_USAGE; goto out; } if (filename == NULL) { filename = strdup(KMF_DEFAULT_POLICY_FILE); if (filename == NULL) { rv = KC_ERR_MEMORY; goto out; } } /* * Must have a policy name. The policy name can not be default * if using the default policy file. */ if (plc.name == NULL) { (void) fprintf(stderr, gettext("You must specify a policy name.\n")); rv = KC_ERR_USAGE; goto out; } else if (strcmp(filename, KMF_DEFAULT_POLICY_FILE) == 0 && strcmp(plc.name, KMF_DEFAULT_POLICY_NAME) == 0) { (void) fprintf(stderr, gettext("Can not modify the default policy in the default " "policy file.\n")); rv = KC_ERR_USAGE; goto out; } /* Check the access permission of the policy DB */ if (access(filename, W_OK) < 0) { int err = errno; (void) fprintf(stderr, gettext("Cannot access \"%s\" for modify - %s\n"), filename, strerror(err)); rv = KC_ERR_ACCESS; goto out; } /* Try to load the named policy from the DB */ ret = KMF_GetPolicy(filename, plc.name, &oplc); if (ret != KMF_OK) { (void) fprintf(stderr, gettext("Error loading policy \"%s\" from %s\n"), filename, plc.name); return (KC_ERR_FIND_POLICY); } /* Update the general policy attributes. */ if (flags & KC_IGNORE_DATE) oplc.ignore_date = plc.ignore_date; if (flags & KC_IGNORE_UNKNOWN_EKUS) oplc.ignore_unknown_ekus = plc.ignore_unknown_ekus; if (flags & KC_IGNORE_TRUST_ANCHOR) oplc.ignore_trust_anchor = plc.ignore_trust_anchor; if (flags & KC_VALIDITY_ADJUSTTIME) { if (oplc.validity_adjusttime) free(oplc.validity_adjusttime); oplc.validity_adjusttime = plc.validity_adjusttime; } if (flags & KC_TA_NAME) { if (oplc.ta_name) free(oplc.ta_name); oplc.ta_name = plc.ta_name; } if (flags & KC_TA_SERIAL) { if (oplc.ta_serial) free(oplc.ta_serial); oplc.ta_serial = plc.ta_serial; } /* Update the OCSP policy */ if (ocsp_none_opt == B_TRUE) { if (ocsp_set_attr > 0) { (void) fprintf(stderr, gettext("Can not set ocsp-none=true and other " "OCSP attributes at the same time.\n")); rv = KC_ERR_USAGE; goto out; } /* * If the original policy does not have OCSP checking, * then we do not need to do anything. If the original * policy has the OCSP checking, then we need to release the * space of OCSP attributes and turn the OCSP checking off. */ if (oplc.revocation & KMF_REVOCATION_METHOD_OCSP) { if (oplc.VAL_OCSP_BASIC.responderURI) { free(oplc.VAL_OCSP_BASIC.responderURI); oplc.VAL_OCSP_BASIC.responderURI = NULL; } if (oplc.VAL_OCSP_BASIC.proxy) { free(oplc.VAL_OCSP_BASIC.proxy); oplc.VAL_OCSP_BASIC.proxy = NULL; } if (oplc.VAL_OCSP_BASIC.response_lifetime) { free(oplc.VAL_OCSP_BASIC.response_lifetime); oplc.VAL_OCSP_BASIC.response_lifetime = NULL; } if (flags & KC_OCSP_RESP_CERT_NAME) { free(oplc.VAL_OCSP_RESP_CERT.name); oplc.VAL_OCSP_RESP_CERT.name = NULL; } if (flags & KC_OCSP_RESP_CERT_SERIAL) { free(oplc.VAL_OCSP_RESP_CERT.serial); oplc.VAL_OCSP_RESP_CERT.serial = NULL; } /* Turn off the OCSP checking */ oplc.revocation &= ~KMF_REVOCATION_METHOD_OCSP; } } else { /* * If the "ocsp-none" option is not set or is set to false, * then we only need to do the modification if there is at * least one OCSP attribute is specified. */ if (ocsp_set_attr > 0) { if (flags & KC_OCSP_RESPONDER_URI) { if (oplc.VAL_OCSP_RESPONDER_URI) free(oplc.VAL_OCSP_RESPONDER_URI); oplc.VAL_OCSP_RESPONDER_URI = plc.VAL_OCSP_RESPONDER_URI; } if (flags & KC_OCSP_PROXY) { if (oplc.VAL_OCSP_PROXY) free(oplc.VAL_OCSP_PROXY); oplc.VAL_OCSP_PROXY = plc.VAL_OCSP_PROXY; } if (flags & KC_OCSP_URI_FROM_CERT) oplc.VAL_OCSP_URI_FROM_CERT = plc.VAL_OCSP_URI_FROM_CERT; if (flags & KC_OCSP_RESP_LIFETIME) { if (oplc.VAL_OCSP_RESP_LIFETIME) free(oplc.VAL_OCSP_RESP_LIFETIME); oplc.VAL_OCSP_RESP_LIFETIME = plc.VAL_OCSP_RESP_LIFETIME; } if (flags & KC_OCSP_IGNORE_RESP_SIGN) oplc.VAL_OCSP_IGNORE_RESP_SIGN = plc.VAL_OCSP_IGNORE_RESP_SIGN; if (flags & KC_OCSP_RESP_CERT_NAME) { if (oplc.VAL_OCSP_RESP_CERT_NAME) free(oplc.VAL_OCSP_RESP_CERT_NAME); oplc.VAL_OCSP_RESP_CERT_NAME = plc.VAL_OCSP_RESP_CERT_NAME; } if (flags & KC_OCSP_RESP_CERT_SERIAL) { if (oplc.VAL_OCSP_RESP_CERT_SERIAL) free(oplc.VAL_OCSP_RESP_CERT_SERIAL); oplc.VAL_OCSP_RESP_CERT_SERIAL = plc.VAL_OCSP_RESP_CERT_SERIAL; } if (oplc.VAL_OCSP_RESP_CERT_NAME != NULL && oplc.VAL_OCSP_RESP_CERT_SERIAL != NULL) oplc.VAL_OCSP.has_resp_cert = B_TRUE; else oplc.VAL_OCSP.has_resp_cert = B_FALSE; /* Turn on the OCSP checking */ oplc.revocation |= KMF_REVOCATION_METHOD_OCSP; } } /* Update the CRL policy */ if (crl_none_opt == B_TRUE) { if (crl_set_attr > 0) { (void) fprintf(stderr, gettext("Can not set crl-none=true and other CRL " "attributes at the same time.\n")); rv = KC_ERR_USAGE; goto out; } /* * If the original policy does not have CRL checking, * then we do not need to do anything. If the original * policy has the CRL checking, then we need to release the * space of CRL attributes and turn the CRL checking off. */ if (oplc.revocation & KMF_REVOCATION_METHOD_CRL) { if (oplc.VAL_CRL_BASEFILENAME) { free(oplc.VAL_CRL_BASEFILENAME); oplc.VAL_CRL_BASEFILENAME = NULL; } if (oplc.VAL_CRL_DIRECTORY) { free(oplc.VAL_CRL_DIRECTORY); oplc.VAL_CRL_DIRECTORY = NULL; } if (oplc.VAL_CRL_PROXY) { free(oplc.VAL_CRL_PROXY); oplc.VAL_CRL_PROXY = NULL; } /* Turn off the CRL checking */ oplc.revocation &= ~KMF_REVOCATION_METHOD_CRL; } } else { /* * If the "ocsp-none" option is not set or is set to false, * then we only need to do the modification if there is at * least one CRL attribute is specified. */ if (crl_set_attr > 0) { if (flags & KC_CRL_BASEFILENAME) { if (oplc.VAL_CRL_BASEFILENAME) free(oplc.VAL_CRL_BASEFILENAME); oplc.VAL_CRL_BASEFILENAME = plc.VAL_CRL_BASEFILENAME; } if (flags & KC_CRL_DIRECTORY) { if (oplc.VAL_CRL_DIRECTORY) free(oplc.VAL_CRL_DIRECTORY); oplc.VAL_CRL_DIRECTORY = plc.VAL_CRL_DIRECTORY; } if (flags & KC_CRL_GET_URI) { oplc.VAL_CRL_GET_URI = plc.VAL_CRL_GET_URI; } if (flags & KC_CRL_PROXY) { if (oplc.VAL_CRL_PROXY) free(oplc.VAL_CRL_PROXY); oplc.VAL_CRL_PROXY = plc.VAL_CRL_PROXY; } if (flags & KC_CRL_IGNORE_SIGN) { oplc.VAL_CRL_IGNORE_SIGN = plc.VAL_CRL_IGNORE_SIGN; } if (flags & KC_CRL_IGNORE_DATE) { oplc.VAL_CRL_IGNORE_DATE = plc.VAL_CRL_IGNORE_DATE; } /* Turn on the CRL checking */ oplc.revocation |= KMF_REVOCATION_METHOD_CRL; } } /* Update the Key Usage */ if (ku_none_opt == B_TRUE) { if (flags & KC_KEYUSAGE) { (void) fprintf(stderr, gettext("Can not set keyusage-none=true and " "modify the keyusage value at the same time.\n")); rv = KC_ERR_USAGE; goto out; } oplc.ku_bits = 0; } else { /* * If the "keyusage-none" option is not set or is set to * false, then we only need to do the modification if * the keyusage value is specified. */ if (flags & KC_KEYUSAGE) oplc.ku_bits = plc.ku_bits; } /* Update the Extended Key Usage */ if (eku_none_opt == B_TRUE) { if (flags & KC_EKUS) { (void) fprintf(stderr, gettext("Can not set eku-none=true and modify " "EKU values at the same time.\n")); rv = KC_ERR_USAGE; goto out; } /* Release current EKU list (if any) */ if (oplc.eku_set.eku_count > 0) { KMF_FreeEKUPolicy(&oplc.eku_set); oplc.eku_set.eku_count = 0; oplc.eku_set.ekulist = NULL; } } else { /* * If the "eku-none" option is not set or is set to false, * then we only need to do the modification if either * "ekuname" or "ekuoids" is specified. */ if (flags & KC_EKUS) { /* Release current EKU list (if any) */ KMF_FreeEKUPolicy(&oplc.eku_set); oplc.eku_set = plc.eku_set; } } /* Do a sanity check on the modified policy */ ret = KMF_VerifyPolicy(&oplc); if (ret != KMF_OK) { print_sanity_error(ret); rv = KC_ERR_VERIFY_POLICY; goto out; } /* The modify operation is a delete followed by an add */ ret = KMF_DeletePolicyFromDB(oplc.name, filename); if (ret != KMF_OK) { rv = KC_ERR_DELETE_POLICY; goto out; } /* * Now add the modified policy back to the DB. */ ret = KMF_AddPolicyToDB(&oplc, filename, B_FALSE); if (ret != KMF_OK) { (void) fprintf(stderr, gettext("Error adding policy to database: 0x%04x\n"), ret); rv = KC_ERR_ADD_POLICY; goto out; } out: if (filename != NULL) free(filename); KMF_FreePolicyRecord(&oplc); return (rv); }