17711facfSdinak /*
27711facfSdinak * CDDL HEADER START
37711facfSdinak *
47711facfSdinak * The contents of this file are subject to the terms of the
599ebb4caSwyllys * Common Development and Distribution License (the "License").
699ebb4caSwyllys * You may not use this file except in compliance with the License.
77711facfSdinak *
87711facfSdinak * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97711facfSdinak * or http://www.opensolaris.org/os/licensing.
107711facfSdinak * See the License for the specific language governing permissions
117711facfSdinak * and limitations under the License.
127711facfSdinak *
137711facfSdinak * When distributing Covered Code, include this CDDL HEADER in each
147711facfSdinak * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157711facfSdinak * If applicable, add the following below this CDDL HEADER, with the
167711facfSdinak * fields enclosed by brackets "[]" replaced with your own identifying
177711facfSdinak * information: Portions Copyright [yyyy] [name of copyright owner]
187711facfSdinak *
197711facfSdinak * CDDL HEADER END
207711facfSdinak */
217711facfSdinak /*
22448b8615Swyllys * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
237711facfSdinak * Use is subject to license terms.
24*33f5ff17SMilan Jurik * Copyright 2012 Milan Jurik. All rights reserved.
257711facfSdinak */
267711facfSdinak
277711facfSdinak /*
287711facfSdinak * This file implements the token object delete operation for this tool.
297711facfSdinak * It loads the PKCS#11 modules, finds the object to delete, deletes it,
307711facfSdinak * and cleans up. User must be R/W logged into the token.
317711facfSdinak */
327711facfSdinak
337711facfSdinak #include <stdio.h>
347711facfSdinak #include <string.h>
357711facfSdinak #include <cryptoutil.h>
367711facfSdinak #include <security/cryptoki.h>
377711facfSdinak #include "common.h"
3899ebb4caSwyllys #include <kmfapi.h>
3999ebb4caSwyllys
4099ebb4caSwyllys static KMF_RETURN
pk_destroy_keys(void * handle,KMF_ATTRIBUTE * attrlist,int numattr)4130a5e8faSwyllys pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr)
4299ebb4caSwyllys {
4399ebb4caSwyllys int i;
4499ebb4caSwyllys KMF_RETURN rv = KMF_OK;
4530a5e8faSwyllys uint32_t *numkeys;
4630a5e8faSwyllys KMF_KEY_HANDLE *keys = NULL;
4730a5e8faSwyllys int del_num = 0;
4830a5e8faSwyllys KMF_ATTRIBUTE delete_attlist[16];
4930a5e8faSwyllys KMF_KEYSTORE_TYPE kstype;
5030a5e8faSwyllys uint32_t len;
5130a5e8faSwyllys boolean_t destroy = B_TRUE;
5230a5e8faSwyllys KMF_CREDENTIAL cred;
5330a5e8faSwyllys char *slotlabel = NULL;
5499ebb4caSwyllys
5530a5e8faSwyllys len = sizeof (kstype);
5630a5e8faSwyllys rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
5730a5e8faSwyllys &kstype, &len);
5830a5e8faSwyllys if (rv != KMF_OK)
5930a5e8faSwyllys return (rv);
6099ebb4caSwyllys
6130a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num,
6230a5e8faSwyllys KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
6330a5e8faSwyllys del_num++;
6430a5e8faSwyllys
6530a5e8faSwyllys /* "destroy" is optional. Default is TRUE */
6630a5e8faSwyllys (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
6730a5e8faSwyllys (void *)&destroy, NULL);
6830a5e8faSwyllys
6930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num,
7030a5e8faSwyllys KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t));
7130a5e8faSwyllys del_num++;
7230a5e8faSwyllys
7330a5e8faSwyllys switch (kstype) {
7499ebb4caSwyllys case KMF_KEYSTORE_NSS:
7530a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
7630a5e8faSwyllys (void *)&cred, NULL);
7730a5e8faSwyllys if (rv == KMF_OK) {
7830a5e8faSwyllys if (cred.credlen > 0) {
7930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num,
8030a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred,
8130a5e8faSwyllys sizeof (KMF_CREDENTIAL));
8230a5e8faSwyllys del_num++;
8330a5e8faSwyllys }
8430a5e8faSwyllys }
8530a5e8faSwyllys
8630a5e8faSwyllys slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist,
8730a5e8faSwyllys numattr);
8830a5e8faSwyllys if (slotlabel != NULL) {
8930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num,
9030a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, slotlabel,
9130a5e8faSwyllys strlen(slotlabel));
9230a5e8faSwyllys del_num++;
9330a5e8faSwyllys }
9499ebb4caSwyllys break;
9599ebb4caSwyllys case KMF_KEYSTORE_OPENSSL:
9699ebb4caSwyllys break;
9799ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN:
9830a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
9930a5e8faSwyllys (void *)&cred, NULL);
10030a5e8faSwyllys if (rv == KMF_OK) {
10130a5e8faSwyllys if (cred.credlen > 0) {
10230a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num,
10330a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred,
10430a5e8faSwyllys sizeof (KMF_CREDENTIAL));
10530a5e8faSwyllys del_num++;
10630a5e8faSwyllys }
10730a5e8faSwyllys }
10899ebb4caSwyllys break;
10999ebb4caSwyllys default:
11099ebb4caSwyllys return (PK_ERR_USAGE);
11199ebb4caSwyllys }
11299ebb4caSwyllys
11330a5e8faSwyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
11430a5e8faSwyllys if (numkeys == NULL)
11530a5e8faSwyllys return (PK_ERR_USAGE);
11630a5e8faSwyllys
11730a5e8faSwyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
11830a5e8faSwyllys if (keys == NULL)
11930a5e8faSwyllys return (PK_ERR_USAGE);
12030a5e8faSwyllys
12130a5e8faSwyllys for (i = 0; rv == KMF_OK && i < *numkeys; i++) {
12230a5e8faSwyllys int num = del_num;
12330a5e8faSwyllys
12430a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, num,
12530a5e8faSwyllys KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE));
12630a5e8faSwyllys num++;
12730a5e8faSwyllys
12830a5e8faSwyllys rv = kmf_delete_key_from_keystore(handle, num, delete_attlist);
12999ebb4caSwyllys }
13099ebb4caSwyllys return (rv);
13199ebb4caSwyllys }
13299ebb4caSwyllys
13399ebb4caSwyllys static KMF_RETURN
pk_delete_keys(KMF_HANDLE_T kmfhandle,KMF_ATTRIBUTE * attlist,int numattr,char * desc,int * keysdeleted)13430a5e8faSwyllys pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr,
13530a5e8faSwyllys char *desc, int *keysdeleted)
13699ebb4caSwyllys {
13799ebb4caSwyllys KMF_RETURN rv = KMF_OK;
13899ebb4caSwyllys uint32_t numkeys = 0;
13930a5e8faSwyllys int num = numattr;
14099ebb4caSwyllys
14199ebb4caSwyllys *keysdeleted = 0;
14299ebb4caSwyllys numkeys = 0;
14330a5e8faSwyllys
14430a5e8faSwyllys kmf_set_attr_at_index(attlist, num,
14530a5e8faSwyllys KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t));
14630a5e8faSwyllys num++;
14730a5e8faSwyllys
14830a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist);
14930a5e8faSwyllys
15099ebb4caSwyllys if (rv == KMF_OK && numkeys > 0) {
15199ebb4caSwyllys KMF_KEY_HANDLE *keys = NULL;
15299ebb4caSwyllys char prompt[1024];
15399ebb4caSwyllys
15499ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt),
15599ebb4caSwyllys gettext("%d %s key(s) found, do you want "
15699ebb4caSwyllys "to delete them (y/N) ?"), numkeys,
15799ebb4caSwyllys (desc != NULL ? desc : ""));
15899ebb4caSwyllys
15999ebb4caSwyllys if (!yesno(prompt,
16099ebb4caSwyllys gettext("Respond with yes or no.\n"),
16199ebb4caSwyllys B_FALSE)) {
1622cbed729Swyllys *keysdeleted = numkeys;
16399ebb4caSwyllys return (KMF_OK);
16499ebb4caSwyllys }
16599ebb4caSwyllys keys = (KMF_KEY_HANDLE *)malloc(numkeys *
16699ebb4caSwyllys sizeof (KMF_KEY_HANDLE));
16799ebb4caSwyllys if (keys == NULL)
16899ebb4caSwyllys return (KMF_ERR_MEMORY);
16999ebb4caSwyllys (void) memset(keys, 0, numkeys *
17099ebb4caSwyllys sizeof (KMF_KEY_HANDLE));
17199ebb4caSwyllys
17230a5e8faSwyllys kmf_set_attr_at_index(attlist, num,
17330a5e8faSwyllys KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE));
17430a5e8faSwyllys num++;
17530a5e8faSwyllys
17630a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist);
17799ebb4caSwyllys if (rv == KMF_OK) {
17830a5e8faSwyllys rv = pk_destroy_keys(kmfhandle, attlist, num);
17999ebb4caSwyllys }
18099ebb4caSwyllys
18199ebb4caSwyllys free(keys);
18299ebb4caSwyllys }
18399ebb4caSwyllys
18499ebb4caSwyllys *keysdeleted = numkeys;
18599ebb4caSwyllys return (rv);
18699ebb4caSwyllys }
18799ebb4caSwyllys
18899ebb4caSwyllys static KMF_RETURN
pk_delete_certs(KMF_HANDLE_T kmfhandle,KMF_ATTRIBUTE * attlist,int numattr)18930a5e8faSwyllys pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr)
19099ebb4caSwyllys {
19199ebb4caSwyllys KMF_RETURN rv = KMF_OK;
19299ebb4caSwyllys uint32_t numcerts = 0;
19330a5e8faSwyllys int num = numattr;
19499ebb4caSwyllys
19530a5e8faSwyllys kmf_set_attr_at_index(attlist, num,
19630a5e8faSwyllys KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t));
19730a5e8faSwyllys num++;
19830a5e8faSwyllys
19930a5e8faSwyllys rv = kmf_find_cert(kmfhandle, num, attlist);
20099ebb4caSwyllys if (rv == KMF_OK && numcerts > 0) {
20199ebb4caSwyllys char prompt[1024];
20299ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt),
20399ebb4caSwyllys gettext("%d certificate(s) found, do you want "
20499ebb4caSwyllys "to delete them (y/N) ?"), numcerts);
20599ebb4caSwyllys
20699ebb4caSwyllys if (!yesno(prompt,
20799ebb4caSwyllys gettext("Respond with yes or no.\n"),
20899ebb4caSwyllys B_FALSE)) {
20999ebb4caSwyllys return (KMF_OK);
21099ebb4caSwyllys }
21199ebb4caSwyllys
21230a5e8faSwyllys /*
21330a5e8faSwyllys * Use numattr because delete cert does not require
21430a5e8faSwyllys * KMF_COUNT_ATTR attribute.
21530a5e8faSwyllys */
21630a5e8faSwyllys rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist);
21799ebb4caSwyllys
21899ebb4caSwyllys }
21999ebb4caSwyllys
22099ebb4caSwyllys return (rv);
22199ebb4caSwyllys }
22299ebb4caSwyllys
22399ebb4caSwyllys static KMF_RETURN
delete_nss_keys(KMF_HANDLE_T kmfhandle,char * dir,char * prefix,char * token,int oclass,char * objlabel,KMF_CREDENTIAL * tokencred)22499ebb4caSwyllys delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix,
22599ebb4caSwyllys char *token, int oclass, char *objlabel,
22699ebb4caSwyllys KMF_CREDENTIAL *tokencred)
22799ebb4caSwyllys {
22899ebb4caSwyllys KMF_RETURN rv = KMF_OK;
22999ebb4caSwyllys char *keytype = NULL;
23099ebb4caSwyllys int nk, numkeys = 0;
23130a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
23230a5e8faSwyllys int numattr = 0;
23330a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
23430a5e8faSwyllys KMF_KEY_CLASS keyclass;
23599ebb4caSwyllys
23699ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix);
23799ebb4caSwyllys if (rv != KMF_OK)
23899ebb4caSwyllys return (rv);
23999ebb4caSwyllys
24030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
24130a5e8faSwyllys &kstype, sizeof (kstype));
24230a5e8faSwyllys numattr++;
24330a5e8faSwyllys
24430a5e8faSwyllys if (objlabel != NULL) {
24530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
24630a5e8faSwyllys objlabel, strlen(objlabel));
24730a5e8faSwyllys numattr++;
24830a5e8faSwyllys }
24930a5e8faSwyllys
25030a5e8faSwyllys if (tokencred->credlen > 0) {
25130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
25230a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL));
25330a5e8faSwyllys numattr++;
25430a5e8faSwyllys }
25530a5e8faSwyllys
25630a5e8faSwyllys if (token && strlen(token)) {
25730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
25830a5e8faSwyllys token, strlen(token));
25930a5e8faSwyllys numattr++;
26030a5e8faSwyllys }
26199ebb4caSwyllys
26299ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) {
26330a5e8faSwyllys int num = numattr;
26430a5e8faSwyllys
26530a5e8faSwyllys keyclass = KMF_ASYM_PRI;
26630a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
26730a5e8faSwyllys &keyclass, sizeof (keyclass));
26830a5e8faSwyllys num++;
26930a5e8faSwyllys
27099ebb4caSwyllys keytype = "private";
27130a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
27299ebb4caSwyllys numkeys += nk;
27364012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
27464012b18Swyllys oclass != PK_PRIKEY_OBJ)
27564012b18Swyllys rv = KMF_OK;
27699ebb4caSwyllys }
27799ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
27830a5e8faSwyllys int num = numattr;
27930a5e8faSwyllys
28030a5e8faSwyllys keyclass = KMF_SYMMETRIC;
28130a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
28230a5e8faSwyllys &keyclass, sizeof (keyclass));
28330a5e8faSwyllys num++;
28430a5e8faSwyllys
28599ebb4caSwyllys keytype = "symmetric";
28630a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
28799ebb4caSwyllys numkeys += nk;
28864012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
28964012b18Swyllys oclass != PK_SYMKEY_OBJ)
29064012b18Swyllys rv = KMF_OK;
29199ebb4caSwyllys }
29299ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
29330a5e8faSwyllys int num = numattr;
29430a5e8faSwyllys
29530a5e8faSwyllys keyclass = KMF_ASYM_PUB;
29630a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
29730a5e8faSwyllys &keyclass, sizeof (keyclass));
29830a5e8faSwyllys num++;
29930a5e8faSwyllys
30099ebb4caSwyllys keytype = "public";
30130a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
30299ebb4caSwyllys numkeys += nk;
30364012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
30464012b18Swyllys oclass != PK_PUBKEY_OBJ)
30564012b18Swyllys rv = KMF_OK;
30699ebb4caSwyllys }
30799ebb4caSwyllys if (rv == KMF_OK && numkeys == 0)
30899ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND;
30999ebb4caSwyllys
31099ebb4caSwyllys return (rv);
31199ebb4caSwyllys }
31299ebb4caSwyllys
31399ebb4caSwyllys static KMF_RETURN
delete_nss_certs(KMF_HANDLE_T kmfhandle,char * dir,char * prefix,char * token,char * objlabel,KMF_BIGINT * serno,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)31499ebb4caSwyllys delete_nss_certs(KMF_HANDLE_T kmfhandle,
31599ebb4caSwyllys char *dir, char *prefix,
31699ebb4caSwyllys char *token, char *objlabel,
31799ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject,
31899ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag)
31999ebb4caSwyllys {
32099ebb4caSwyllys KMF_RETURN rv = KMF_OK;
32130a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
32230a5e8faSwyllys int numattr = 0;
32330a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
32499ebb4caSwyllys
32599ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix);
32699ebb4caSwyllys if (rv != KMF_OK)
32799ebb4caSwyllys return (rv);
32899ebb4caSwyllys
32930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
33030a5e8faSwyllys &kstype, sizeof (kstype));
33130a5e8faSwyllys numattr++;
33299ebb4caSwyllys
33330a5e8faSwyllys if (objlabel != NULL) {
33430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
33530a5e8faSwyllys KMF_CERT_LABEL_ATTR, objlabel,
33630a5e8faSwyllys strlen(objlabel));
33730a5e8faSwyllys numattr++;
33830a5e8faSwyllys }
33999ebb4caSwyllys
34030a5e8faSwyllys if (issuer != NULL) {
34130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
34230a5e8faSwyllys KMF_ISSUER_NAME_ATTR, issuer,
34330a5e8faSwyllys strlen(issuer));
34430a5e8faSwyllys numattr++;
34530a5e8faSwyllys }
34630a5e8faSwyllys
34730a5e8faSwyllys if (subject != NULL) {
34830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
34930a5e8faSwyllys KMF_SUBJECT_NAME_ATTR, subject,
35030a5e8faSwyllys strlen(subject));
35130a5e8faSwyllys numattr++;
35230a5e8faSwyllys }
35330a5e8faSwyllys
35430a5e8faSwyllys if (serno != NULL) {
35530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
35630a5e8faSwyllys KMF_BIGINT_ATTR, serno,
35730a5e8faSwyllys sizeof (KMF_BIGINT));
35830a5e8faSwyllys numattr++;
35930a5e8faSwyllys }
36030a5e8faSwyllys
36130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
36230a5e8faSwyllys KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
36330a5e8faSwyllys sizeof (KMF_CERT_VALIDITY));
36430a5e8faSwyllys numattr++;
36530a5e8faSwyllys
36630a5e8faSwyllys if (token != NULL) {
36730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr,
36830a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, token,
36930a5e8faSwyllys strlen(token));
37030a5e8faSwyllys numattr++;
37130a5e8faSwyllys }
37230a5e8faSwyllys
37330a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr);
37499ebb4caSwyllys
37599ebb4caSwyllys return (rv);
37699ebb4caSwyllys }
37799ebb4caSwyllys
37899ebb4caSwyllys static KMF_RETURN
delete_nss_crl(void * kmfhandle,char * dir,char * prefix,char * token,char * issuer,char * subject)37999ebb4caSwyllys delete_nss_crl(void *kmfhandle,
38099ebb4caSwyllys char *dir, char *prefix, char *token,
38130a5e8faSwyllys char *issuer, char *subject)
38299ebb4caSwyllys {
38399ebb4caSwyllys KMF_RETURN rv = KMF_OK;
38430a5e8faSwyllys int numattr = 0;
38530a5e8faSwyllys KMF_ATTRIBUTE attrlist[8];
38630a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
38799ebb4caSwyllys
38899ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix);
38999ebb4caSwyllys if (rv != KMF_OK)
39099ebb4caSwyllys return (rv);
39199ebb4caSwyllys
39230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
39330a5e8faSwyllys &kstype, sizeof (kstype));
39430a5e8faSwyllys numattr++;
39599ebb4caSwyllys
39630a5e8faSwyllys if (token != NULL) {
39730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
39830a5e8faSwyllys token, strlen(token));
39930a5e8faSwyllys numattr++;
40030a5e8faSwyllys }
40130a5e8faSwyllys if (issuer != NULL) {
40230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
40330a5e8faSwyllys issuer, strlen(issuer));
40430a5e8faSwyllys numattr++;
40530a5e8faSwyllys }
40630a5e8faSwyllys if (subject != NULL) {
40730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
40830a5e8faSwyllys subject, strlen(subject));
40930a5e8faSwyllys numattr++;
41030a5e8faSwyllys }
41199ebb4caSwyllys
41230a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist);
41399ebb4caSwyllys
41499ebb4caSwyllys return (rv);
41599ebb4caSwyllys }
41699ebb4caSwyllys
41799ebb4caSwyllys static KMF_RETURN
delete_pk11_keys(KMF_HANDLE_T kmfhandle,char * token,int oclass,char * objlabel,KMF_CREDENTIAL * tokencred)41899ebb4caSwyllys delete_pk11_keys(KMF_HANDLE_T kmfhandle,
41999ebb4caSwyllys char *token, int oclass, char *objlabel,
42099ebb4caSwyllys KMF_CREDENTIAL *tokencred)
42199ebb4caSwyllys {
42299ebb4caSwyllys KMF_RETURN rv = KMF_OK;
42399ebb4caSwyllys int nk, numkeys = 0;
42430a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
42530a5e8faSwyllys int numattr = 0;
42630a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
42730a5e8faSwyllys KMF_KEY_CLASS keyclass;
42830a5e8faSwyllys boolean_t token_bool = B_TRUE;
42930a5e8faSwyllys boolean_t private;
43099ebb4caSwyllys /*
43199ebb4caSwyllys * Symmetric keys and RSA/DSA private keys are always
43299ebb4caSwyllys * created with the "CKA_PRIVATE" field == TRUE, so
43399ebb4caSwyllys * make sure we search for them with it also set.
43499ebb4caSwyllys */
43599ebb4caSwyllys if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ))
43699ebb4caSwyllys oclass |= PK_PRIVATE_OBJ;
43799ebb4caSwyllys
43899ebb4caSwyllys rv = select_token(kmfhandle, token, FALSE);
43999ebb4caSwyllys if (rv != KMF_OK) {
44099ebb4caSwyllys return (rv);
44199ebb4caSwyllys }
44299ebb4caSwyllys
44330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
44430a5e8faSwyllys &kstype, sizeof (kstype));
44530a5e8faSwyllys numattr++;
44630a5e8faSwyllys
44730a5e8faSwyllys if (objlabel != NULL) {
44830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
44930a5e8faSwyllys objlabel, strlen(objlabel));
45030a5e8faSwyllys numattr++;
45130a5e8faSwyllys }
45230a5e8faSwyllys
45330a5e8faSwyllys if (tokencred != NULL && tokencred->credlen > 0) {
45430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
45530a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL));
45630a5e8faSwyllys numattr++;
45730a5e8faSwyllys }
45830a5e8faSwyllys
45930a5e8faSwyllys private = ((oclass & PK_PRIVATE_OBJ) > 0);
46030a5e8faSwyllys
46130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
46230a5e8faSwyllys &private, sizeof (private));
46330a5e8faSwyllys numattr++;
46430a5e8faSwyllys
46530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
46630a5e8faSwyllys &token_bool, sizeof (token_bool));
46730a5e8faSwyllys numattr++;
46899ebb4caSwyllys
46999ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) {
47030a5e8faSwyllys int num = numattr;
47130a5e8faSwyllys
47230a5e8faSwyllys keyclass = KMF_ASYM_PRI;
47330a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
47430a5e8faSwyllys &keyclass, sizeof (keyclass));
47530a5e8faSwyllys num++;
47630a5e8faSwyllys
47730a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "private", &nk);
47899ebb4caSwyllys numkeys += nk;
47964012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
48064012b18Swyllys oclass != PK_PRIKEY_OBJ)
48164012b18Swyllys rv = KMF_OK;
48299ebb4caSwyllys }
48399ebb4caSwyllys
48499ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
48530a5e8faSwyllys int num = numattr;
48630a5e8faSwyllys
48730a5e8faSwyllys keyclass = KMF_SYMMETRIC;
48830a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
48930a5e8faSwyllys &keyclass, sizeof (keyclass));
49030a5e8faSwyllys num++;
49130a5e8faSwyllys
49230a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "symmetric", &nk);
49399ebb4caSwyllys numkeys += nk;
49464012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
49564012b18Swyllys oclass != PK_SYMKEY_OBJ)
49664012b18Swyllys rv = KMF_OK;
49799ebb4caSwyllys }
49899ebb4caSwyllys
49999ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
50030a5e8faSwyllys int num = numattr;
50130a5e8faSwyllys
5022cbed729Swyllys private = B_FALSE;
50330a5e8faSwyllys keyclass = KMF_ASYM_PUB;
50430a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
50530a5e8faSwyllys &keyclass, sizeof (keyclass));
50630a5e8faSwyllys num++;
50730a5e8faSwyllys
50830a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "public", &nk);
50999ebb4caSwyllys numkeys += nk;
51064012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND &&
51164012b18Swyllys oclass != PK_PUBKEY_OBJ)
51264012b18Swyllys rv = KMF_OK;
51399ebb4caSwyllys }
51499ebb4caSwyllys if (rv == KMF_OK && numkeys == 0)
51599ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND;
51699ebb4caSwyllys
51799ebb4caSwyllys return (rv);
51899ebb4caSwyllys }
51999ebb4caSwyllys
52099ebb4caSwyllys static KMF_RETURN
delete_pk11_certs(KMF_HANDLE_T kmfhandle,char * token,char * objlabel,KMF_BIGINT * serno,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)52199ebb4caSwyllys delete_pk11_certs(KMF_HANDLE_T kmfhandle,
52299ebb4caSwyllys char *token, char *objlabel,
52399ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject,
52499ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag)
52599ebb4caSwyllys {
52699ebb4caSwyllys KMF_RETURN kmfrv;
52730a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
52830a5e8faSwyllys int numattr = 0;
52930a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
53099ebb4caSwyllys
53199ebb4caSwyllys kmfrv = select_token(kmfhandle, token, FALSE);
53299ebb4caSwyllys
53399ebb4caSwyllys if (kmfrv != KMF_OK) {
53499ebb4caSwyllys return (kmfrv);
53599ebb4caSwyllys }
53699ebb4caSwyllys
53730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
53830a5e8faSwyllys &kstype, sizeof (kstype));
53930a5e8faSwyllys numattr++;
54099ebb4caSwyllys
54130a5e8faSwyllys if (objlabel != NULL) {
54230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
54330a5e8faSwyllys objlabel, strlen(objlabel));
54430a5e8faSwyllys numattr++;
54530a5e8faSwyllys }
54630a5e8faSwyllys
54730a5e8faSwyllys if (issuer != NULL) {
54830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
54930a5e8faSwyllys issuer, strlen(issuer));
55030a5e8faSwyllys numattr++;
55130a5e8faSwyllys }
55230a5e8faSwyllys
55330a5e8faSwyllys if (subject != NULL) {
55430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
55530a5e8faSwyllys subject, strlen(subject));
55630a5e8faSwyllys numattr++;
55730a5e8faSwyllys }
55830a5e8faSwyllys
55930a5e8faSwyllys if (serno != NULL) {
56030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR,
56130a5e8faSwyllys serno, sizeof (KMF_BIGINT));
56230a5e8faSwyllys numattr++;
56330a5e8faSwyllys }
56430a5e8faSwyllys
56530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR,
56630a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY));
56730a5e8faSwyllys numattr++;
56830a5e8faSwyllys
56930a5e8faSwyllys kmfrv = pk_delete_certs(kmfhandle, attrlist, numattr);
57099ebb4caSwyllys
57199ebb4caSwyllys return (kmfrv);
57299ebb4caSwyllys }
57399ebb4caSwyllys
57499ebb4caSwyllys static KMF_RETURN
delete_file_certs(KMF_HANDLE_T kmfhandle,char * dir,char * filename,KMF_BIGINT * serial,char * issuer,char * subject,KMF_CERT_VALIDITY find_criteria_flag)57599ebb4caSwyllys delete_file_certs(KMF_HANDLE_T kmfhandle,
57699ebb4caSwyllys char *dir, char *filename, KMF_BIGINT *serial, char *issuer,
57799ebb4caSwyllys char *subject, KMF_CERT_VALIDITY find_criteria_flag)
57899ebb4caSwyllys {
57999ebb4caSwyllys KMF_RETURN rv;
58030a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
58130a5e8faSwyllys int numattr = 0;
58230a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
58399ebb4caSwyllys
58430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
58530a5e8faSwyllys &kstype, sizeof (kstype));
58630a5e8faSwyllys numattr++;
58799ebb4caSwyllys
58830a5e8faSwyllys if (issuer != NULL) {
58930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
59030a5e8faSwyllys issuer, strlen(issuer));
59130a5e8faSwyllys numattr++;
59230a5e8faSwyllys }
59399ebb4caSwyllys
59430a5e8faSwyllys if (subject != NULL) {
59530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
59630a5e8faSwyllys subject, strlen(subject));
59730a5e8faSwyllys numattr++;
59830a5e8faSwyllys }
59930a5e8faSwyllys
60030a5e8faSwyllys if (serial != NULL) {
60130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR,
60230a5e8faSwyllys serial, sizeof (KMF_BIGINT));
60330a5e8faSwyllys numattr++;
60430a5e8faSwyllys }
60530a5e8faSwyllys
60630a5e8faSwyllys if (dir != NULL) {
60730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR,
60830a5e8faSwyllys dir, strlen(dir));
60930a5e8faSwyllys numattr++;
61030a5e8faSwyllys }
61130a5e8faSwyllys
61230a5e8faSwyllys if (filename != NULL) {
61330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
61430a5e8faSwyllys filename, strlen(filename));
61530a5e8faSwyllys numattr++;
61630a5e8faSwyllys }
61730a5e8faSwyllys
61830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR,
61930a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY));
62030a5e8faSwyllys numattr++;
62130a5e8faSwyllys
62230a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr);
62399ebb4caSwyllys
62499ebb4caSwyllys return (rv);
62599ebb4caSwyllys }
62699ebb4caSwyllys
62799ebb4caSwyllys static KMF_RETURN
delete_file_keys(KMF_HANDLE_T kmfhandle,int oclass,char * dir,char * infile)62899ebb4caSwyllys delete_file_keys(KMF_HANDLE_T kmfhandle, int oclass,
62999ebb4caSwyllys char *dir, char *infile)
63099ebb4caSwyllys {
63199ebb4caSwyllys KMF_RETURN rv = KMF_OK;
63299ebb4caSwyllys char *keytype = "";
63399ebb4caSwyllys int nk, numkeys = 0;
63430a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
63530a5e8faSwyllys int numattr = 0;
63630a5e8faSwyllys KMF_ATTRIBUTE attrlist[16];
63730a5e8faSwyllys KMF_KEY_CLASS keyclass;
63899ebb4caSwyllys
63930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
64030a5e8faSwyllys &kstype, sizeof (kstype));
64130a5e8faSwyllys numattr++;
64230a5e8faSwyllys
64330a5e8faSwyllys if (dir != NULL) {
64430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR,
64530a5e8faSwyllys dir, strlen(dir));
64630a5e8faSwyllys numattr++;
64730a5e8faSwyllys }
64830a5e8faSwyllys
64930a5e8faSwyllys if (infile != NULL) {
65030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR,
65130a5e8faSwyllys infile, strlen(infile));
65230a5e8faSwyllys numattr++;
65330a5e8faSwyllys }
65499ebb4caSwyllys
65599ebb4caSwyllys if (oclass & (PK_PUBKEY_OBJ | PK_PRIKEY_OBJ)) {
65630a5e8faSwyllys int num = numattr;
65730a5e8faSwyllys
65830a5e8faSwyllys keyclass = KMF_ASYM_PRI;
65930a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
66030a5e8faSwyllys &keyclass, sizeof (keyclass));
66130a5e8faSwyllys num++;
66230a5e8faSwyllys
66399ebb4caSwyllys keytype = "Asymmetric";
66430a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
66599ebb4caSwyllys numkeys += nk;
66699ebb4caSwyllys }
66764012b18Swyllys if (oclass & PK_SYMKEY_OBJ) {
66830a5e8faSwyllys int num = numattr;
66930a5e8faSwyllys
67030a5e8faSwyllys keyclass = KMF_SYMMETRIC;
67130a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
67230a5e8faSwyllys &keyclass, sizeof (keyclass));
67330a5e8faSwyllys num++;
67430a5e8faSwyllys
67599ebb4caSwyllys keytype = "symmetric";
67630a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
67799ebb4caSwyllys numkeys += nk;
67864012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && numkeys > 0)
67964012b18Swyllys rv = KMF_OK;
68099ebb4caSwyllys }
68199ebb4caSwyllys if (rv == KMF_OK && numkeys == 0)
68299ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND;
68399ebb4caSwyllys
68499ebb4caSwyllys return (rv);
68599ebb4caSwyllys }
68699ebb4caSwyllys
68799ebb4caSwyllys static KMF_RETURN
delete_file_crl(void * kmfhandle,char * filename)688448b8615Swyllys delete_file_crl(void *kmfhandle, char *filename)
68999ebb4caSwyllys {
69099ebb4caSwyllys KMF_RETURN rv;
69130a5e8faSwyllys int numattr = 0;
69230a5e8faSwyllys KMF_ATTRIBUTE attrlist[4];
69330a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
69499ebb4caSwyllys
695448b8615Swyllys if (filename == NULL || strlen(filename) == 0)
696448b8615Swyllys return (KMF_ERR_BAD_PARAMETER);
697448b8615Swyllys
69830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
69930a5e8faSwyllys &kstype, sizeof (kstype));
70030a5e8faSwyllys numattr++;
70199ebb4caSwyllys
70230a5e8faSwyllys if (filename) {
70330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR,
70430a5e8faSwyllys filename, strlen(filename));
70530a5e8faSwyllys numattr++;
70630a5e8faSwyllys }
70799ebb4caSwyllys
70830a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist);
70999ebb4caSwyllys
71099ebb4caSwyllys return (rv);
71199ebb4caSwyllys }
7127711facfSdinak
7137711facfSdinak /*
7147711facfSdinak * Delete token objects.
7157711facfSdinak */
7167711facfSdinak int
pk_delete(int argc,char * argv[])7177711facfSdinak pk_delete(int argc, char *argv[])
7187711facfSdinak {
7197711facfSdinak int opt;
72049e21299Sdinak extern int optind_av;
72149e21299Sdinak extern char *optarg_av;
72249e21299Sdinak char *token_spec = NULL;
72399ebb4caSwyllys char *subject = NULL;
72499ebb4caSwyllys char *issuer = NULL;
72599ebb4caSwyllys char *dir = NULL;
72699ebb4caSwyllys char *prefix = NULL;
72799ebb4caSwyllys char *infile = NULL;
72899ebb4caSwyllys char *object_label = NULL;
72999ebb4caSwyllys char *serstr = NULL;
7307711facfSdinak
73199ebb4caSwyllys int oclass = 0;
73299ebb4caSwyllys KMF_BIGINT serial = { NULL, 0 };
73399ebb4caSwyllys KMF_HANDLE_T kmfhandle = NULL;
73499ebb4caSwyllys KMF_KEYSTORE_TYPE kstype = 0;
73564012b18Swyllys KMF_RETURN kmfrv, keyrv, certrv, crlrv;
73699ebb4caSwyllys int rv = 0;
73799ebb4caSwyllys char *find_criteria = NULL;
73899ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS;
73999ebb4caSwyllys KMF_CREDENTIAL tokencred = { NULL, 0 };
7407711facfSdinak
7417711facfSdinak /* Parse command line options. Do NOT i18n/l10n. */
74249e21299Sdinak while ((opt = getopt_av(argc, argv,
74399ebb4caSwyllys "T:(token)y:(objtype)l:(label)"
74499ebb4caSwyllys "k:(keystore)s:(subject)n:(nickname)"
74599ebb4caSwyllys "d:(dir)p:(prefix)S:(serial)i:(issuer)"
74699ebb4caSwyllys "c:(criteria)"
74799ebb4caSwyllys "f:(infile)")) != EOF) {
74899ebb4caSwyllys
74999ebb4caSwyllys if (EMPTYSTRING(optarg_av))
75099ebb4caSwyllys return (PK_ERR_USAGE);
7517711facfSdinak switch (opt) {
75249e21299Sdinak case 'T': /* token specifier */
75349e21299Sdinak if (token_spec)
75449e21299Sdinak return (PK_ERR_USAGE);
75549e21299Sdinak token_spec = optarg_av;
7567711facfSdinak break;
75749e21299Sdinak case 'y': /* object type: public, private, both */
75899ebb4caSwyllys if (oclass)
75949e21299Sdinak return (PK_ERR_USAGE);
76099ebb4caSwyllys oclass = OT2Int(optarg_av);
76199ebb4caSwyllys if (oclass == -1)
76299ebb4caSwyllys return (PK_ERR_USAGE);
7637711facfSdinak break;
7647711facfSdinak case 'l': /* objects with specific label */
76599ebb4caSwyllys case 'n':
7667711facfSdinak if (object_label)
7677711facfSdinak return (PK_ERR_USAGE);
76899ebb4caSwyllys object_label = (char *)optarg_av;
76999ebb4caSwyllys break;
77099ebb4caSwyllys case 'k':
77199ebb4caSwyllys kstype = KS2Int(optarg_av);
77299ebb4caSwyllys if (kstype == 0)
77399ebb4caSwyllys return (PK_ERR_USAGE);
77499ebb4caSwyllys break;
77599ebb4caSwyllys case 's':
77699ebb4caSwyllys subject = optarg_av;
77799ebb4caSwyllys break;
77899ebb4caSwyllys case 'i':
77999ebb4caSwyllys issuer = optarg_av;
78099ebb4caSwyllys break;
78199ebb4caSwyllys case 'd':
78299ebb4caSwyllys dir = optarg_av;
78399ebb4caSwyllys break;
78499ebb4caSwyllys case 'p':
78599ebb4caSwyllys prefix = optarg_av;
78699ebb4caSwyllys break;
78799ebb4caSwyllys case 'S':
78899ebb4caSwyllys serstr = optarg_av;
78999ebb4caSwyllys break;
79099ebb4caSwyllys case 'f':
79199ebb4caSwyllys infile = optarg_av;
79299ebb4caSwyllys break;
79399ebb4caSwyllys case 'c':
79499ebb4caSwyllys find_criteria = optarg_av;
79599ebb4caSwyllys if (!strcasecmp(find_criteria, "valid"))
79699ebb4caSwyllys find_criteria_flag =
79799ebb4caSwyllys KMF_NONEXPIRED_CERTS;
79899ebb4caSwyllys else if (!strcasecmp(find_criteria, "expired"))
79999ebb4caSwyllys find_criteria_flag = KMF_EXPIRED_CERTS;
80099ebb4caSwyllys else if (!strcasecmp(find_criteria, "both"))
80199ebb4caSwyllys find_criteria_flag = KMF_ALL_CERTS;
80299ebb4caSwyllys else
80399ebb4caSwyllys return (PK_ERR_USAGE);
8047711facfSdinak break;
8057711facfSdinak default:
8067711facfSdinak return (PK_ERR_USAGE);
8077711facfSdinak }
8087711facfSdinak }
8097711facfSdinak
81099ebb4caSwyllys /* Assume keystore = PKCS#11 if not specified */
81199ebb4caSwyllys if (kstype == 0)
81299ebb4caSwyllys kstype = KMF_KEYSTORE_PK11TOKEN;
81399ebb4caSwyllys
81499ebb4caSwyllys /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
81599ebb4caSwyllys if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) &&
81699ebb4caSwyllys kstype != KMF_KEYSTORE_PK11TOKEN) {
81799ebb4caSwyllys
81899ebb4caSwyllys (void) fprintf(stderr, gettext("The objtype parameter "
81999ebb4caSwyllys "is only relevant if keystore=pkcs11\n"));
82049e21299Sdinak return (PK_ERR_USAGE);
82149e21299Sdinak }
82249e21299Sdinak
8237711facfSdinak
8247711facfSdinak /* No additional args allowed. */
82549e21299Sdinak argc -= optind_av;
82649e21299Sdinak argv += optind_av;
8277711facfSdinak if (argc)
8287711facfSdinak return (PK_ERR_USAGE);
8297711facfSdinak /* Done parsing command line options. */
8307711facfSdinak
831577f4726Swyllys DIR_OPTION_CHECK(kstype, dir);
832577f4726Swyllys
83399ebb4caSwyllys if (kstype == KMF_KEYSTORE_PK11TOKEN && token_spec == NULL) {
83499ebb4caSwyllys token_spec = PK_DEFAULT_PK11TOKEN;
83599ebb4caSwyllys } else if (kstype == KMF_KEYSTORE_NSS && token_spec == NULL) {
83699ebb4caSwyllys token_spec = DEFAULT_NSS_TOKEN;
8377711facfSdinak }
8387711facfSdinak
83999ebb4caSwyllys if (serstr != NULL) {
84099ebb4caSwyllys uchar_t *bytes = NULL;
84199ebb4caSwyllys size_t bytelen;
84299ebb4caSwyllys
84330a5e8faSwyllys rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
84499ebb4caSwyllys if (rv != KMF_OK || bytes == NULL) {
84599ebb4caSwyllys (void) fprintf(stderr, gettext("serial number "
84699ebb4caSwyllys "must be specified as a hex number "
84799ebb4caSwyllys "(ex: 0x0102030405ffeeddee)\n"));
84899ebb4caSwyllys return (PK_ERR_USAGE);
84999ebb4caSwyllys }
85099ebb4caSwyllys serial.val = bytes;
85199ebb4caSwyllys serial.len = bytelen;
8522cbed729Swyllys /* If serial number was given, it must be a cert search */
8532cbed729Swyllys if (oclass == 0)
8542cbed729Swyllys oclass = PK_CERT_OBJ;
8557711facfSdinak }
8562cbed729Swyllys /*
8572cbed729Swyllys * If no object type was given but subject or issuer was,
8582cbed729Swyllys * it must be a certificate we are looking to delete.
8592cbed729Swyllys */
8602cbed729Swyllys if ((issuer != NULL || subject != NULL) && oclass == 0)
8612cbed729Swyllys oclass = PK_CERT_OBJ;
8622cbed729Swyllys /* If no object class specified, delete everything but CRLs */
8632cbed729Swyllys if (oclass == 0)
8642cbed729Swyllys oclass = PK_CERT_OBJ | PK_KEY_OBJ;
8657711facfSdinak
86699ebb4caSwyllys if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
86799ebb4caSwyllys kstype == KMF_KEYSTORE_NSS) &&
86899ebb4caSwyllys (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) {
86999ebb4caSwyllys
87099ebb4caSwyllys (void) get_token_password(kstype, token_spec,
87199ebb4caSwyllys &tokencred);
8727711facfSdinak }
8737711facfSdinak
87430a5e8faSwyllys if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK)
87599ebb4caSwyllys return (kmfrv);
8767711facfSdinak
87764012b18Swyllys keyrv = certrv = crlrv = KMF_OK;
87899ebb4caSwyllys switch (kstype) {
87999ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN:
88099ebb4caSwyllys if (oclass & PK_KEY_OBJ) {
88164012b18Swyllys keyrv = delete_pk11_keys(kmfhandle,
88299ebb4caSwyllys token_spec, oclass,
88330a5e8faSwyllys object_label, &tokencred);
8847711facfSdinak /*
88599ebb4caSwyllys * If deleting groups of objects, it is OK
88699ebb4caSwyllys * to ignore the "key not found" case so that
88799ebb4caSwyllys * we can continue to find other objects.
8887711facfSdinak */
88964012b18Swyllys if (keyrv != KMF_OK &&
89064012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND)
89199ebb4caSwyllys break;
8927711facfSdinak }
89399ebb4caSwyllys if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
89464012b18Swyllys certrv = delete_pk11_certs(kmfhandle,
89530a5e8faSwyllys token_spec, object_label,
89699ebb4caSwyllys &serial, issuer,
89799ebb4caSwyllys subject, find_criteria_flag);
89899ebb4caSwyllys /*
89999ebb4caSwyllys * If cert delete failed, but we are looking at
90099ebb4caSwyllys * other objects, then it is OK.
90199ebb4caSwyllys */
90264012b18Swyllys if (certrv != KMF_OK &&
90364012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND)
90499ebb4caSwyllys break;
9057711facfSdinak }
90699ebb4caSwyllys if (oclass & PK_CRL_OBJ)
90764012b18Swyllys crlrv = delete_file_crl(kmfhandle,
908448b8615Swyllys infile);
90999ebb4caSwyllys break;
91099ebb4caSwyllys case KMF_KEYSTORE_NSS:
91164012b18Swyllys keyrv = certrv = crlrv = KMF_OK;
91299ebb4caSwyllys if (oclass & PK_KEY_OBJ) {
91364012b18Swyllys keyrv = delete_nss_keys(kmfhandle,
91499ebb4caSwyllys dir, prefix, token_spec,
91599ebb4caSwyllys oclass, (char *)object_label,
91699ebb4caSwyllys &tokencred);
91764012b18Swyllys if (keyrv != KMF_OK &&
91864012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND)
91999ebb4caSwyllys break;
92099ebb4caSwyllys }
92199ebb4caSwyllys if (oclass & PK_CERT_OBJ) {
92264012b18Swyllys certrv = delete_nss_certs(kmfhandle,
92399ebb4caSwyllys dir, prefix, token_spec,
92499ebb4caSwyllys (char *)object_label,
92599ebb4caSwyllys &serial, issuer, subject,
92699ebb4caSwyllys find_criteria_flag);
92764012b18Swyllys if (certrv != KMF_OK &&
92864012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND)
92999ebb4caSwyllys break;
93099ebb4caSwyllys }
93199ebb4caSwyllys if (oclass & PK_CRL_OBJ)
93264012b18Swyllys crlrv = delete_nss_crl(kmfhandle,
93399ebb4caSwyllys dir, prefix, token_spec,
93499ebb4caSwyllys (char *)object_label, subject);
93599ebb4caSwyllys break;
93699ebb4caSwyllys case KMF_KEYSTORE_OPENSSL:
93799ebb4caSwyllys if (oclass & PK_KEY_OBJ) {
93864012b18Swyllys keyrv = delete_file_keys(kmfhandle, oclass,
93999ebb4caSwyllys dir, infile);
94064012b18Swyllys if (keyrv != KMF_OK)
94199ebb4caSwyllys break;
94299ebb4caSwyllys }
94399ebb4caSwyllys if (oclass & (PK_CERT_OBJ)) {
94464012b18Swyllys certrv = delete_file_certs(kmfhandle,
94599ebb4caSwyllys dir, infile, &serial, issuer,
94699ebb4caSwyllys subject, find_criteria_flag);
94764012b18Swyllys if (certrv != KMF_OK)
94899ebb4caSwyllys break;
94999ebb4caSwyllys }
95099ebb4caSwyllys if (oclass & PK_CRL_OBJ)
95164012b18Swyllys crlrv = delete_file_crl(kmfhandle,
952448b8615Swyllys infile);
95399ebb4caSwyllys break;
95499ebb4caSwyllys default:
95599ebb4caSwyllys rv = PK_ERR_USAGE;
95699ebb4caSwyllys break;
9577711facfSdinak }
9587711facfSdinak
95964012b18Swyllys /*
96064012b18Swyllys * Logic here:
96164012b18Swyllys * If searching for more than just one class of object (key or cert)
96264012b18Swyllys * and only 1 of the classes was not found, it is not an error.
96364012b18Swyllys * If searching for just one class of object, that failure should
96464012b18Swyllys * be reported.
96564012b18Swyllys *
96664012b18Swyllys * Any error other than "KMF_ERR_[key/cert]_NOT_FOUND" should
96764012b18Swyllys * be reported either way.
96864012b18Swyllys */
96964012b18Swyllys if (keyrv != KMF_ERR_KEY_NOT_FOUND && keyrv != KMF_OK)
97064012b18Swyllys kmfrv = keyrv;
97164012b18Swyllys else if (certrv != KMF_OK && certrv != KMF_ERR_CERT_NOT_FOUND)
97264012b18Swyllys kmfrv = certrv;
97364012b18Swyllys else if (crlrv != KMF_OK && crlrv != KMF_ERR_CRL_NOT_FOUND)
97464012b18Swyllys kmfrv = crlrv;
97564012b18Swyllys
97664012b18Swyllys /*
97764012b18Swyllys * If nothing was found, return error.
97864012b18Swyllys */
97964012b18Swyllys if ((keyrv == KMF_ERR_KEY_NOT_FOUND && (oclass & PK_KEY_OBJ)) &&
98064012b18Swyllys (certrv == KMF_ERR_CERT_NOT_FOUND && (oclass & PK_CERT_OBJ)))
98164012b18Swyllys kmfrv = KMF_ERR_KEY_NOT_FOUND;
98264012b18Swyllys
98364012b18Swyllys if (kmfrv != KMF_OK)
98464012b18Swyllys goto out;
98564012b18Swyllys
98664012b18Swyllys if (keyrv != KMF_OK && (oclass == PK_KEY_OBJ))
98764012b18Swyllys kmfrv = keyrv;
98864012b18Swyllys else if (certrv != KMF_OK && (oclass == PK_CERT_OBJ))
98964012b18Swyllys kmfrv = certrv;
99064012b18Swyllys else if (crlrv != KMF_OK && (oclass == PK_CRL_OBJ))
99164012b18Swyllys kmfrv = crlrv;
99264012b18Swyllys
99364012b18Swyllys out:
99499ebb4caSwyllys if (kmfrv != KMF_OK) {
99599ebb4caSwyllys display_error(kmfhandle, kmfrv,
99699ebb4caSwyllys gettext("Error deleting objects"));
9977711facfSdinak }
9987711facfSdinak
99999ebb4caSwyllys if (serial.val != NULL)
100099ebb4caSwyllys free(serial.val);
100130a5e8faSwyllys (void) kmf_finalize(kmfhandle);
100299ebb4caSwyllys return (kmfrv);
10037711facfSdinak }
1004