/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* This file implements the export operation for this tool.
* The basic flow of the process is to find the soft token,
* log into it, find the PKCS#11 objects in the soft token
* to be exported matching keys with their certificates, export
* them to the PKCS#12 file encrypting them with a file password
* if desired, and log out.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include "common.h"
#include <kmfapi.h>
static KMF_RETURN
pk_find_export_cert(KMF_HANDLE_T kmfhandle, KMF_FINDCERT_PARAMS *parms,
KMF_X509_DER_CERT *cert)
{
KMF_RETURN rv = KMF_OK;
uint32_t numcerts = 0;
numcerts = 0;
(void) memset(cert, 0, sizeof (KMF_X509_DER_CERT));
rv = KMF_FindCert(kmfhandle, parms, NULL, &numcerts);
if (rv != KMF_OK) {
return (rv);
}
if (numcerts == 0) {
cryptoerror(LOG_STDERR,
gettext("No matching certificates found."));
return (KMF_ERR_CERT_NOT_FOUND);
} else if (numcerts == 1) {
rv = KMF_FindCert(kmfhandle, parms, cert, &numcerts);
} else if (numcerts > 1) {
cryptoerror(LOG_STDERR,
gettext("%d certificates found, refine the "
"search parameters to eliminate ambiguity\n"),
numcerts);
return (KMF_ERR_BAD_PARAMETER);
}
return (rv);
}
static KMF_RETURN
pk_export_file_objects(KMF_HANDLE_T kmfhandle, int oclass,
char *issuer, char *subject, KMF_BIGINT *serial,
KMF_ENCODE_FORMAT ofmt,
char *dir, char *infile, char *filename)
{
KMF_RETURN rv = KMF_OK;
KMF_STORECERT_PARAMS scparms;
KMF_X509_DER_CERT kmfcert;
/* If searching for public objects or certificates, find certs now */
if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
KMF_FINDCERT_PARAMS fcargs;
(void) memset(&fcargs, 0, sizeof (fcargs));
fcargs.kstype = KMF_KEYSTORE_OPENSSL;
fcargs.certLabel = NULL;
fcargs.issuer = issuer;
fcargs.subject = subject;
fcargs.serial = serial;
fcargs.sslparms.dirpath = dir;
fcargs.sslparms.certfile = infile;
fcargs.sslparms.format = ofmt;
rv = pk_find_export_cert(kmfhandle, &fcargs, &kmfcert);
if (rv == KMF_OK) {
(void) memset(&scparms, 0, sizeof (scparms));
scparms.kstype = KMF_KEYSTORE_OPENSSL;
scparms.sslparms.certfile = filename;
rv = KMF_StoreCert(kmfhandle, &scparms,
&kmfcert.certificate);
KMF_FreeKMFCert(kmfhandle, &kmfcert);
}
}
return (rv);
}
static KMF_RETURN
pk_export_pk12_nss(KMF_HANDLE_T kmfhandle,
char *token_spec, char *dir, char *prefix,
char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_CREDENTIAL *tokencred,
char *filename)
{
KMF_RETURN rv = KMF_OK;
KMF_EXPORTP12_PARAMS p12parms;
rv = configure_nss(kmfhandle, dir, prefix);
if (rv != KMF_OK)
return (rv);
(void) memset(&p12parms, 0, sizeof (p12parms));
if (token_spec == NULL)
token_spec = DEFAULT_NSS_TOKEN;
p12parms.kstype = KMF_KEYSTORE_NSS;
p12parms.certLabel = certlabel;
p12parms.issuer = issuer;
p12parms.subject = subject;
p12parms.serial = serial;
p12parms.idstr = NULL;
if (tokencred != NULL)
p12parms.cred = *tokencred;
p12parms.nssparms.slotlabel = token_spec;
(void) get_pk12_password(&p12parms.p12cred);
rv = KMF_ExportPK12(kmfhandle, &p12parms, filename);
if (p12parms.p12cred.cred)
free(p12parms.p12cred.cred);
return (rv);
}
static KMF_RETURN
pk_export_pk12_files(KMF_HANDLE_T kmfhandle,
char *certfile, char *keyfile, char *dir,
char *outfile)
{
KMF_RETURN rv;
KMF_EXPORTP12_PARAMS p12parms;
(void) memset(&p12parms, 0, sizeof (p12parms));
p12parms.kstype = KMF_KEYSTORE_OPENSSL;
p12parms.certLabel = NULL;
p12parms.issuer = NULL;
p12parms.subject = NULL;
p12parms.serial = 0;
p12parms.idstr = NULL;
p12parms.sslparms.dirpath = dir;
p12parms.sslparms.certfile = certfile;
p12parms.sslparms.keyfile = keyfile;
(void) get_pk12_password(&p12parms.p12cred);
rv = KMF_ExportPK12(kmfhandle, &p12parms, outfile);
if (p12parms.p12cred.cred)
free(p12parms.p12cred.cred);
return (rv);
}
static KMF_RETURN
pk_export_nss_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
int oclass, char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt, char *dir,
char *prefix, char *filename)
{
KMF_RETURN rv = KMF_OK;
KMF_STORECERT_PARAMS scparms;
KMF_X509_DER_CERT kmfcert;
rv = configure_nss(kmfhandle, dir, prefix);
if (rv != KMF_OK)
return (rv);
/* If searching for public objects or certificates, find certs now */
if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
KMF_FINDCERT_PARAMS fcargs;
(void) memset(&fcargs, 0, sizeof (fcargs));
fcargs.kstype = KMF_KEYSTORE_NSS;
fcargs.certLabel = certlabel;
fcargs.issuer = issuer;
fcargs.subject = subject;
fcargs.serial = serial;
fcargs.nssparms.slotlabel = token_spec;
rv = pk_find_export_cert(kmfhandle, &fcargs, &kmfcert);
if (rv == KMF_OK) {
(void) memset(&scparms, 0, sizeof (scparms));
scparms.kstype = KMF_KEYSTORE_OPENSSL;
scparms.sslparms.certfile = filename;
scparms.sslparms.format = kfmt;
rv = KMF_StoreCert(kmfhandle, &scparms,
&kmfcert.certificate);
KMF_FreeKMFCert(kmfhandle, &kmfcert);
}
}
return (rv);
}
static KMF_RETURN
pk_export_pk12_pk11(KMF_HANDLE_T kmfhandle, char *token_spec,
char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_CREDENTIAL *tokencred, char *filename)
{
KMF_RETURN rv = KMF_OK;
KMF_EXPORTP12_PARAMS p12parms;
rv = select_token(kmfhandle, token_spec, TRUE);
if (rv != KMF_OK) {
return (rv);
}
(void) memset(&p12parms, 0, sizeof (p12parms));
p12parms.kstype = KMF_KEYSTORE_PK11TOKEN;
p12parms.certLabel = certlabel;
p12parms.issuer = issuer;
p12parms.subject = subject;
p12parms.serial = serial;
p12parms.idstr = NULL;
if (tokencred != NULL)
p12parms.cred = *tokencred;
(void) get_pk12_password(&p12parms.p12cred);
rv = KMF_ExportPK12(kmfhandle, &p12parms, filename);
if (p12parms.p12cred.cred)
free(p12parms.p12cred.cred);
return (rv);
}
static KMF_RETURN
pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt,
char *filename)
{
KMF_RETURN rv = KMF_OK;
KMF_FINDCERT_PARAMS fcparms;
KMF_STORECERT_PARAMS scparms;
KMF_X509_DER_CERT kmfcert;
rv = select_token(kmfhandle, token_spec, TRUE);
if (rv != KMF_OK) {
return (rv);
}
(void) memset(&fcparms, 0, sizeof (fcparms));
fcparms.kstype = KMF_KEYSTORE_PK11TOKEN;
fcparms.certLabel = certlabel;
fcparms.issuer = issuer;
fcparms.subject = subject;
fcparms.serial = serial;
rv = pk_find_export_cert(kmfhandle, &fcparms, &kmfcert);
if (rv == KMF_OK) {
(void) memset(&scparms, 0, sizeof (scparms));
scparms.kstype = KMF_KEYSTORE_OPENSSL;
scparms.sslparms.certfile = filename;
scparms.sslparms.format = kfmt;
rv = KMF_StoreCert(kmfhandle, &scparms,
&kmfcert.certificate);
KMF_FreeKMFCert(kmfhandle, &kmfcert);
}
return (rv);
}
/*
* Export objects from one keystore to a file.
*/
int
pk_export(int argc, char *argv[])
{
int opt;
extern int optind_av;
extern char *optarg_av;
char *token_spec = NULL;
char *filename = NULL;
char *dir = NULL;
char *prefix = NULL;
char *certlabel = NULL;
char *subject = NULL;
char *issuer = NULL;
char *infile = NULL;
char *keyfile = NULL;
char *certfile = NULL;
char *serstr = NULL;
KMF_KEYSTORE_TYPE kstype = 0;
KMF_ENCODE_FORMAT kfmt = KMF_FORMAT_PKCS12;
KMF_RETURN rv = KMF_OK;
int oclass = PK_CERT_OBJ;
KMF_BIGINT serial = { NULL, 0 };
KMF_HANDLE_T kmfhandle = NULL;
KMF_CREDENTIAL tokencred = {NULL, 0};
/* Parse command line options. Do NOT i18n/l10n. */
while ((opt = getopt_av(argc, argv,
"k:(keystore)y:(objtype)T:(token)"
"d:(dir)p:(prefix)"
"l:(label)n:(nickname)s:(subject)"
"i:(issuer)S:(serial)"
"K:(keyfile)c:(certfile)"
"F:(outformat)"
"I:(infile)o:(outfile)")) != EOF) {
if (EMPTYSTRING(optarg_av))
return (PK_ERR_USAGE);
switch (opt) {
case 'k':
kstype = KS2Int(optarg_av);
if (kstype == 0)
return (PK_ERR_USAGE);
break;
case 'y':
oclass = OT2Int(optarg_av);
if (oclass == -1)
return (PK_ERR_USAGE);
break;
case 'T': /* token specifier */
if (token_spec)
return (PK_ERR_USAGE);
token_spec = optarg_av;
break;
case 'd':
if (dir)
return (PK_ERR_USAGE);
dir = optarg_av;
break;
case 'p':
if (prefix)
return (PK_ERR_USAGE);
prefix = optarg_av;
break;
case 'n':
case 'l':
if (certlabel)
return (PK_ERR_USAGE);
certlabel = optarg_av;
break;
case 's':
if (subject)
return (PK_ERR_USAGE);
subject = optarg_av;
break;
case 'i':
if (issuer)
return (PK_ERR_USAGE);
issuer = optarg_av;
break;
case 'S':
serstr = optarg_av;
break;
case 'F':
kfmt = Str2Format(optarg_av);
if (kfmt == KMF_FORMAT_UNDEF)
return (PK_ERR_USAGE);
break;
case 'I': /* output file name */
if (infile)
return (PK_ERR_USAGE);
infile = optarg_av;
break;
case 'o': /* output file name */
if (filename)
return (PK_ERR_USAGE);
filename = optarg_av;
break;
case 'c': /* input cert file name */
if (certfile)
return (PK_ERR_USAGE);
certfile = optarg_av;
break;
case 'K': /* input key file name */
if (keyfile)
return (PK_ERR_USAGE);
keyfile = optarg_av;
break;
default:
return (PK_ERR_USAGE);
break;
}
}
/* Assume keystore = PKCS#11 if not specified */
if (kstype == 0)
kstype = KMF_KEYSTORE_PK11TOKEN;
/* Filename arg is required. */
if (EMPTYSTRING(filename)) {
cryptoerror(LOG_STDERR, gettext("You must specify "
"an 'outfile' parameter when exporting.\n"));
return (PK_ERR_USAGE);
}
/* No additional args allowed. */
argc -= optind_av;
argv += optind_av;
if (argc)
return (PK_ERR_USAGE);
/* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) &&
kstype != KMF_KEYSTORE_PK11TOKEN) {
(void) fprintf(stderr, gettext("The objtype parameter "
"is only relevant if keystore=pkcs11\n"));
return (PK_ERR_USAGE);
}
if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec))
token_spec = PK_DEFAULT_PK11TOKEN;
else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec))
token_spec = DEFAULT_NSS_TOKEN;
if (kstype == KMF_KEYSTORE_OPENSSL) {
if (kfmt != KMF_FORMAT_PKCS12) {
cryptoerror(LOG_STDERR, gettext("PKCS12 "
"is the only export format "
"supported for the 'file' "
"keystore.\n"));
return (PK_ERR_USAGE);
}
if (EMPTYSTRING(keyfile) || EMPTYSTRING(certfile)) {
cryptoerror(LOG_STDERR, gettext("A cert file"
"and a key file must be specified "
"when exporting to PKCS12 from the "
"'file' keystore.\n"));
return (PK_ERR_USAGE);
}
}
/* Check if the file exists and might be overwritten. */
if (access(filename, F_OK) == 0) {
cryptoerror(LOG_STDERR,
gettext("Warning: file \"%s\" exists, "
"will be overwritten."), filename);
if (yesno(gettext("Continue with export? "),
gettext("Respond with yes or no.\n"), B_FALSE) == B_FALSE) {
return (0);
}
} else {
rv = verify_file(filename);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext("The file (%s) "
"cannot be created.\n"), filename);
return (PK_ERR_USAGE);
}
}
if (serstr != NULL) {
uchar_t *bytes = NULL;
size_t bytelen;
rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen);
if (rv != KMF_OK || bytes == NULL) {
(void) fprintf(stderr, gettext("serial number "
"must be specified as a hex number "
"(ex: 0x0102030405ffeeddee)\n"));
return (PK_ERR_USAGE);
}
serial.val = bytes;
serial.len = bytelen;
}
if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
kstype == KMF_KEYSTORE_NSS) &&
(oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) ||
kfmt == KMF_FORMAT_PKCS12)) {
(void) get_token_password(kstype, token_spec,
&tokencred);
}
if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
cryptoerror(LOG_STDERR, gettext("Error initializing "
"KMF: 0x%02x\n"), rv);
return (rv);
}
switch (kstype) {
case KMF_KEYSTORE_PK11TOKEN:
if (kfmt == KMF_FORMAT_PKCS12)
rv = pk_export_pk12_pk11(
kmfhandle,
token_spec,
certlabel,
issuer, subject,
&serial, &tokencred,
filename);
else
rv = pk_export_pk11_objects(kmfhandle,
token_spec,
certlabel,
issuer, subject,
&serial, kfmt,
filename);
break;
case KMF_KEYSTORE_NSS:
if (dir == NULL)
dir = PK_DEFAULT_DIRECTORY;
if (kfmt == KMF_FORMAT_PKCS12)
rv = pk_export_pk12_nss(kmfhandle,
token_spec, dir, prefix,
certlabel, issuer,
subject, &serial,
&tokencred, filename);
else
rv = pk_export_nss_objects(kmfhandle,
token_spec,
oclass, certlabel, issuer, subject,
&serial, kfmt, dir, prefix, filename);
break;
case KMF_KEYSTORE_OPENSSL:
if (kfmt == KMF_FORMAT_PKCS12)
rv = pk_export_pk12_files(kmfhandle,
certfile, keyfile, dir,
filename);
else
rv = pk_export_file_objects(kmfhandle, oclass,
issuer, subject, &serial, kfmt,
dir, infile, filename);
break;
default:
rv = PK_ERR_USAGE;
break;
}
if (rv != KMF_OK) {
display_error(kmfhandle, rv,
gettext("Error exporting objects"));
}
if (serial.val != NULL)
free(serial.val);
(void) KMF_Finalize(kmfhandle);
return (rv);
}