1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * This file implements the token object list operation for this tool. 28 * It loads the PKCS#11 modules, finds the object to list, lists it, 29 * and cleans up. User must be logged into the token to list private 30 * objects. 31 */ 32 33 #include <stdio.h> 34 #include <errno.h> 35 #include <string.h> 36 #include <cryptoutil.h> 37 #include <security/cryptoki.h> 38 #include "common.h" 39 40 #include <kmfapi.h> 41 42 static void 43 pk_show_certs(KMF_HANDLE_T kmfhandle, KMF_X509_DER_CERT *certs, int num_certs) 44 { 45 int i; 46 char *subject, *issuer, *serial, *id, *altname; 47 char *start, *end, *keyusage, *extkeyusage; 48 49 for (i = 0; i < num_certs; i++) { 50 subject = NULL; 51 issuer = NULL; 52 serial = NULL; 53 id = NULL; 54 altname = NULL; 55 start = end = NULL; 56 keyusage = extkeyusage = NULL; 57 58 (void) fprintf(stdout, 59 gettext("%d. (X.509 certificate)\n"), i + 1); 60 if (certs[i].kmf_private.label != NULL) 61 (void) fprintf(stdout, gettext("\t%s: %s\n"), 62 (certs[i].kmf_private.keystore_type == 63 KMF_KEYSTORE_OPENSSL ? "Filename" : "Label"), 64 certs[i].kmf_private.label); 65 if (kmf_get_cert_id_str(&certs[i].certificate, 66 &id) == KMF_OK) 67 (void) fprintf(stdout, gettext("\tID: %s\n"), id); 68 if (kmf_get_cert_subject_str(kmfhandle, 69 &certs[i].certificate, &subject) == KMF_OK) 70 (void) fprintf(stdout, gettext("\tSubject: %s\n"), 71 subject); 72 if (kmf_get_cert_issuer_str(kmfhandle, 73 &certs[i].certificate, &issuer) == KMF_OK) 74 (void) fprintf(stdout, gettext("\tIssuer: %s\n"), 75 issuer); 76 if (kmf_get_cert_start_date_str(kmfhandle, 77 &certs[i].certificate, &start) == KMF_OK) 78 (void) fprintf(stdout, gettext("\tNot Before: %s\n"), 79 start); 80 if (kmf_get_cert_end_date_str(kmfhandle, 81 &certs[i].certificate, &end) == KMF_OK) 82 (void) fprintf(stdout, gettext("\tNot After: %s\n"), 83 end); 84 if (kmf_get_cert_serial_str(kmfhandle, 85 &certs[i].certificate, &serial) == KMF_OK) 86 (void) fprintf(stdout, gettext("\tSerial: %s\n"), 87 serial); 88 if (kmf_get_cert_extn_str(kmfhandle, 89 &certs[i].certificate, KMF_X509_EXT_SUBJ_ALTNAME, 90 &altname) == KMF_OK) { 91 (void) fprintf(stdout, gettext("\t%s\n"), 92 altname); 93 } 94 if (kmf_get_cert_extn_str(kmfhandle, 95 &certs[i].certificate, KMF_X509_EXT_KEY_USAGE, 96 &keyusage) == KMF_OK) { 97 (void) fprintf(stdout, gettext("\t%s\n"), 98 keyusage); 99 } 100 if (kmf_get_cert_extn_str(kmfhandle, 101 &certs[i].certificate, KMF_X509_EXT_EXT_KEY_USAGE, 102 &extkeyusage) == KMF_OK) { 103 (void) fprintf(stdout, gettext("\t%s\n"), 104 extkeyusage); 105 } 106 kmf_free_str(subject); 107 kmf_free_str(issuer); 108 kmf_free_str(serial); 109 kmf_free_str(id); 110 kmf_free_str(altname); 111 kmf_free_str(keyusage); 112 kmf_free_str(extkeyusage); 113 kmf_free_str(start); 114 kmf_free_str(end); 115 (void) fprintf(stdout, "\n"); 116 } 117 } 118 119 static char * 120 describeKey(KMF_KEY_HANDLE *key) 121 { 122 if (key->keyclass == KMF_ASYM_PUB) { 123 if (key->keyalg == KMF_RSA) 124 return (gettext("RSA public key")); 125 if (key->keyalg == KMF_DSA) 126 return (gettext("DSA public key")); 127 if (key->keyalg == KMF_ECDSA) 128 return (gettext("ECDSA public key")); 129 } 130 if (key->keyclass == KMF_ASYM_PRI) { 131 if (key->keyalg == KMF_RSA) 132 return (gettext("RSA private key")); 133 if (key->keyalg == KMF_DSA) 134 return (gettext("DSA private key")); 135 if (key->keyalg == KMF_ECDSA) 136 return (gettext("ECDSA private key")); 137 } 138 if (key->keyclass == KMF_SYMMETRIC) { 139 switch (key->keyalg) { 140 case KMF_AES: 141 return (gettext("AES")); 142 break; 143 case KMF_RC4: 144 return (gettext("ARCFOUR")); 145 break; 146 case KMF_DES: 147 return (gettext("DES")); 148 break; 149 case KMF_DES3: 150 return (gettext("Triple-DES")); 151 break; 152 default: 153 return (gettext("symmetric")); 154 break; 155 } 156 } 157 158 return (gettext("unrecognized key object")); 159 160 } 161 162 163 static void 164 pk_show_keys(void *handle, KMF_KEY_HANDLE *keys, int numkeys) 165 { 166 int i; 167 168 for (i = 0; i < numkeys; i++) { 169 (void) fprintf(stdout, gettext("Key #%d - %s: %s"), 170 i+1, describeKey(&keys[i]), 171 keys[i].keylabel ? keys[i].keylabel : 172 gettext("No label")); 173 174 if (keys[i].keyclass == KMF_SYMMETRIC) { 175 KMF_RETURN rv; 176 KMF_RAW_SYM_KEY rkey; 177 178 (void) memset(&rkey, 0, sizeof (rkey)); 179 rv = kmf_get_sym_key_value(handle, &keys[i], 180 &rkey); 181 if (rv == KMF_OK) { 182 (void) fprintf(stdout, " (%d bits)", 183 rkey.keydata.len * 8); 184 kmf_free_bigint(&rkey.keydata); 185 } else if (keys[i].kstype == KMF_KEYSTORE_PK11TOKEN) { 186 if (rv == KMF_ERR_SENSITIVE_KEY) { 187 (void) fprintf(stdout, " (sensitive)"); 188 } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) { 189 (void) fprintf(stdout, 190 " (non-extractable)"); 191 } else { 192 char *err = NULL; 193 if (kmf_get_kmf_error_str(rv, &err) == 194 KMF_OK) 195 (void) fprintf(stdout, 196 " (error: %s)", err); 197 if (err != NULL) 198 free(err); 199 } 200 } 201 } 202 (void) fprintf(stdout, "\n"); 203 } 204 } 205 206 /* 207 * Generic routine used by all "list cert" operations to find 208 * all matching certificates. 209 */ 210 static KMF_RETURN 211 pk_find_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attrlist, int numattr) 212 { 213 KMF_RETURN rv = KMF_OK; 214 KMF_X509_DER_CERT *certlist = NULL; 215 uint32_t numcerts = 0; 216 KMF_KEYSTORE_TYPE kstype; 217 218 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, 219 &kstype, NULL); 220 if (rv != KMF_OK) 221 return (rv); 222 223 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, 224 &numcerts, sizeof (uint32_t)); 225 numattr++; 226 227 rv = kmf_find_cert(kmfhandle, numattr, attrlist); 228 if (rv == KMF_OK && numcerts > 0) { 229 (void) printf(gettext("Found %d certificates.\n"), 230 numcerts); 231 certlist = (KMF_X509_DER_CERT *)malloc(numcerts * 232 sizeof (KMF_X509_DER_CERT)); 233 if (certlist == NULL) 234 return (KMF_ERR_MEMORY); 235 (void) memset(certlist, 0, numcerts * 236 sizeof (KMF_X509_DER_CERT)); 237 238 kmf_set_attr_at_index(attrlist, numattr, 239 KMF_X509_DER_CERT_ATTR, certlist, 240 sizeof (KMF_X509_DER_CERT)); 241 numattr++; 242 243 rv = kmf_find_cert(kmfhandle, numattr, attrlist); 244 if (rv == KMF_OK) { 245 int i; 246 (void) pk_show_certs(kmfhandle, certlist, 247 numcerts); 248 for (i = 0; i < numcerts; i++) 249 kmf_free_kmf_cert(kmfhandle, &certlist[i]); 250 } 251 free(certlist); 252 } 253 if (rv == KMF_ERR_CERT_NOT_FOUND && 254 kstype != KMF_KEYSTORE_OPENSSL) 255 rv = KMF_OK; 256 257 return (rv); 258 } 259 260 static KMF_RETURN 261 pk_list_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr, char *label) 262 { 263 KMF_RETURN rv; 264 KMF_KEY_HANDLE *keys; 265 uint32_t numkeys = 0; 266 KMF_KEYSTORE_TYPE kstype; 267 268 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, 269 &kstype, NULL); 270 if (rv != KMF_OK) 271 return (rv); 272 273 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR, 274 &numkeys, sizeof (uint32_t)); 275 numattr++; 276 277 rv = kmf_find_key(handle, numattr, attrlist); 278 if (rv == KMF_OK && numkeys > 0) { 279 int i; 280 (void) printf(gettext("Found %d %s keys.\n"), 281 numkeys, label); 282 keys = (KMF_KEY_HANDLE *)malloc(numkeys * 283 sizeof (KMF_KEY_HANDLE)); 284 if (keys == NULL) 285 return (KMF_ERR_MEMORY); 286 (void) memset(keys, 0, numkeys * 287 sizeof (KMF_KEY_HANDLE)); 288 289 kmf_set_attr_at_index(attrlist, numattr, 290 KMF_KEY_HANDLE_ATTR, 291 keys, sizeof (KMF_KEY_HANDLE)); 292 numattr++; 293 294 rv = kmf_find_key(handle, numattr, attrlist); 295 if (rv == KMF_OK) 296 pk_show_keys(handle, keys, numkeys); 297 for (i = 0; i < numkeys; i++) 298 kmf_free_kmf_key(handle, &keys[i]); 299 free(keys); 300 } 301 if (rv == KMF_ERR_KEY_NOT_FOUND && 302 kstype != KMF_KEYSTORE_OPENSSL) 303 rv = KMF_OK; 304 return (rv); 305 } 306 307 static KMF_RETURN 308 list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass, 309 char *objlabel, KMF_BIGINT *serial, char *issuer, char *subject, 310 char *dir, char *filename, KMF_CREDENTIAL *tokencred, 311 KMF_CERT_VALIDITY find_criteria_flag) 312 { 313 KMF_RETURN rv; 314 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 315 int numattr = 0; 316 KMF_ATTRIBUTE attrlist[18]; 317 boolean_t token_bool = B_TRUE; 318 boolean_t private = B_FALSE; 319 KMF_KEY_CLASS keyclass; 320 KMF_ENCODE_FORMAT format; 321 int auth = 0; 322 KMF_CREDENTIAL cred = {NULL, 0}; 323 324 /* 325 * Symmetric keys and RSA/DSA/ECDSA private keys are always 326 * created with the "CKA_PRIVATE" field == TRUE, so 327 * make sure we search for them with it also set. 328 */ 329 if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ)) 330 oclass |= PK_PRIVATE_OBJ; 331 332 rv = select_token(kmfhandle, token, 333 !(oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ))); 334 335 if (rv != KMF_OK) { 336 return (rv); 337 } 338 339 rv = token_auth_needed(kmfhandle, token, &auth); 340 if (rv != KMF_OK) 341 return (rv); 342 343 if (tokencred != NULL) 344 cred = *tokencred; 345 346 if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) { 347 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 348 &kstype, sizeof (kstype)); 349 numattr++; 350 351 if (objlabel != NULL) { 352 kmf_set_attr_at_index(attrlist, numattr, 353 KMF_KEYLABEL_ATTR, objlabel, 354 strlen(objlabel)); 355 numattr++; 356 } 357 358 private = ((oclass & PK_PRIVATE_OBJ) > 0); 359 360 kmf_set_attr_at_index(attrlist, numattr, 361 KMF_PRIVATE_BOOL_ATTR, &private, 362 sizeof (private)); 363 numattr++; 364 365 kmf_set_attr_at_index(attrlist, numattr, 366 KMF_TOKEN_BOOL_ATTR, &token_bool, 367 sizeof (token_bool)); 368 numattr++; 369 370 if (oclass & PK_PRIKEY_OBJ) { 371 int num = numattr; 372 373 keyclass = KMF_ASYM_PRI; 374 kmf_set_attr_at_index(attrlist, num, 375 KMF_KEYCLASS_ATTR, &keyclass, 376 sizeof (keyclass)); 377 num++; 378 379 if (tokencred != NULL && 380 tokencred->credlen > 0) { 381 kmf_set_attr_at_index(attrlist, num, 382 KMF_CREDENTIAL_ATTR, tokencred, 383 sizeof (KMF_CREDENTIAL)); 384 num++; 385 } 386 387 /* list asymmetric private keys */ 388 rv = pk_list_keys(kmfhandle, attrlist, num, 389 "asymmetric private"); 390 } 391 392 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 393 int num = numattr; 394 395 keyclass = KMF_SYMMETRIC; 396 kmf_set_attr_at_index(attrlist, num, 397 KMF_KEYCLASS_ATTR, &keyclass, 398 sizeof (keyclass)); 399 num++; 400 401 if (tokencred != NULL && 402 tokencred->credlen > 0) { 403 kmf_set_attr_at_index(attrlist, num, 404 KMF_CREDENTIAL_ATTR, tokencred, 405 sizeof (KMF_CREDENTIAL)); 406 num++; 407 } 408 409 format = KMF_FORMAT_RAWKEY; 410 kmf_set_attr_at_index(attrlist, num, 411 KMF_ENCODE_FORMAT_ATTR, &format, 412 sizeof (format)); 413 num++; 414 415 /* list symmetric keys */ 416 rv = pk_list_keys(kmfhandle, attrlist, num, 417 "symmetric"); 418 } 419 420 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 421 int num = numattr; 422 423 if (auth > 0 && (tokencred == NULL || 424 tokencred->cred == NULL) && 425 (cred.cred == NULL)) { 426 (void) get_token_password(kstype, token, &cred); 427 kmf_set_attr_at_index(attrlist, numattr, 428 KMF_CREDENTIAL_ATTR, 429 &cred, sizeof (KMF_CREDENTIAL)); 430 numattr++; 431 } 432 433 private = B_FALSE; 434 keyclass = KMF_ASYM_PUB; 435 kmf_set_attr_at_index(attrlist, num, 436 KMF_KEYCLASS_ATTR, &keyclass, 437 sizeof (keyclass)); 438 num++; 439 440 /* list asymmetric public keys (if any) */ 441 rv = pk_list_keys(kmfhandle, attrlist, num, 442 "asymmetric public"); 443 } 444 445 if (rv != KMF_OK) 446 return (rv); 447 } 448 449 numattr = 0; 450 if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { 451 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 452 &kstype, sizeof (kstype)); 453 454 numattr++; 455 if (auth > 0 && (cred.cred == NULL)) { 456 (void) get_token_password(kstype, token, &cred); 457 } 458 459 if (cred.cred != NULL) { 460 kmf_set_attr_at_index(attrlist, numattr, 461 KMF_CREDENTIAL_ATTR, 462 &cred, sizeof (KMF_CREDENTIAL)); 463 numattr++; 464 } 465 466 if (objlabel != NULL) { 467 kmf_set_attr_at_index(attrlist, numattr, 468 KMF_CERT_LABEL_ATTR, objlabel, 469 strlen(objlabel)); 470 numattr++; 471 } 472 473 if (issuer != NULL) { 474 kmf_set_attr_at_index(attrlist, numattr, 475 KMF_ISSUER_NAME_ATTR, issuer, 476 strlen(issuer)); 477 numattr++; 478 } 479 480 if (subject != NULL) { 481 kmf_set_attr_at_index(attrlist, numattr, 482 KMF_SUBJECT_NAME_ATTR, subject, 483 strlen(subject)); 484 numattr++; 485 } 486 487 if (serial != NULL && serial->val != NULL) { 488 kmf_set_attr_at_index(attrlist, numattr, 489 KMF_BIGINT_ATTR, serial, 490 sizeof (KMF_BIGINT)); 491 numattr++; 492 } 493 494 kmf_set_attr_at_index(attrlist, numattr, 495 KMF_PRIVATE_BOOL_ATTR, &private, 496 sizeof (private)); 497 numattr++; 498 499 kmf_set_attr_at_index(attrlist, numattr, 500 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, 501 sizeof (KMF_CERT_VALIDITY)); 502 numattr++; 503 504 rv = pk_find_certs(kmfhandle, attrlist, numattr); 505 if (rv != KMF_OK) 506 return (rv); 507 } 508 509 numattr = 0; 510 kstype = KMF_KEYSTORE_OPENSSL; /* CRL is file-based */ 511 if (oclass & PK_CRL_OBJ) { 512 char *crldata = NULL; 513 514 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 515 &kstype, sizeof (kstype)); 516 numattr++; 517 518 if (dir != NULL) { 519 kmf_set_attr_at_index(attrlist, numattr, 520 KMF_DIRPATH_ATTR, dir, strlen(dir)); 521 numattr++; 522 } 523 if (filename != NULL) { 524 kmf_set_attr_at_index(attrlist, numattr, 525 KMF_CRL_FILENAME_ATTR, 526 filename, strlen(filename)); 527 numattr++; 528 } 529 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR, 530 &crldata, sizeof (char *)); 531 numattr++; 532 533 rv = kmf_list_crl(kmfhandle, numattr, attrlist); 534 if (rv == KMF_OK && crldata != NULL) { 535 (void) printf("%s\n", crldata); 536 free(crldata); 537 } 538 } 539 540 return (rv); 541 } 542 543 static int 544 list_file_objects(KMF_HANDLE_T kmfhandle, int oclass, 545 char *dir, char *filename, KMF_BIGINT *serial, 546 char *issuer, char *subject, 547 KMF_CERT_VALIDITY find_criteria_flag) 548 { 549 KMF_RETURN rv = KMF_OK; 550 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 551 int numattr = 0; 552 KMF_ATTRIBUTE attrlist[16]; 553 KMF_KEY_CLASS keyclass; 554 KMF_ENCODE_FORMAT format; 555 char *defaultdir = "."; 556 557 if (oclass & PK_KEY_OBJ) { 558 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 559 &kstype, sizeof (kstype)); 560 numattr++; 561 562 if (dir == NULL && filename == NULL) 563 dir = defaultdir; 564 565 if (dir != NULL) { 566 kmf_set_attr_at_index(attrlist, numattr, 567 KMF_DIRPATH_ATTR, dir, 568 strlen(dir)); 569 numattr++; 570 } 571 572 if (filename != NULL) { 573 kmf_set_attr_at_index(attrlist, numattr, 574 KMF_KEY_FILENAME_ATTR, filename, 575 strlen(filename)); 576 numattr++; 577 } 578 579 if (oclass & PK_PRIKEY_OBJ) { 580 int num = numattr; 581 582 keyclass = KMF_ASYM_PRI; 583 kmf_set_attr_at_index(attrlist, num, 584 KMF_KEYCLASS_ATTR, &keyclass, 585 sizeof (keyclass)); 586 num++; 587 588 /* list asymmetric private keys */ 589 rv = pk_list_keys(kmfhandle, attrlist, num, 590 "asymmetric private"); 591 } 592 if (rv == KMF_ERR_KEY_NOT_FOUND) 593 rv = KMF_OK; 594 595 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 596 int num = numattr; 597 598 keyclass = KMF_SYMMETRIC; 599 kmf_set_attr_at_index(attrlist, num, 600 KMF_KEYCLASS_ATTR, &keyclass, 601 sizeof (keyclass)); 602 num++; 603 604 format = KMF_FORMAT_RAWKEY; 605 kmf_set_attr_at_index(attrlist, num, 606 KMF_ENCODE_FORMAT_ATTR, &format, 607 sizeof (format)); 608 num++; 609 610 /* list symmetric keys */ 611 rv = pk_list_keys(kmfhandle, attrlist, num, 612 "symmetric"); 613 } 614 if (rv == KMF_ERR_KEY_NOT_FOUND) 615 rv = KMF_OK; 616 if (rv != KMF_OK) 617 return (rv); 618 } 619 620 numattr = 0; 621 if (oclass & PK_CERT_OBJ) { 622 kmf_set_attr_at_index(attrlist, numattr, 623 KMF_KEYSTORE_TYPE_ATTR, &kstype, 624 sizeof (kstype)); 625 numattr++; 626 627 if (issuer != NULL) { 628 kmf_set_attr_at_index(attrlist, numattr, 629 KMF_ISSUER_NAME_ATTR, issuer, 630 strlen(issuer)); 631 numattr++; 632 } 633 634 if (subject != NULL) { 635 kmf_set_attr_at_index(attrlist, numattr, 636 KMF_SUBJECT_NAME_ATTR, subject, 637 strlen(subject)); 638 numattr++; 639 } 640 641 if (serial != NULL && serial->val != NULL) { 642 kmf_set_attr_at_index(attrlist, numattr, 643 KMF_BIGINT_ATTR, serial, 644 sizeof (KMF_BIGINT)); 645 numattr++; 646 } 647 648 if (filename != NULL) { 649 kmf_set_attr_at_index(attrlist, numattr, 650 KMF_CERT_FILENAME_ATTR, filename, 651 strlen(filename)); 652 numattr++; 653 } 654 655 if (dir != NULL) { 656 kmf_set_attr_at_index(attrlist, numattr, 657 KMF_DIRPATH_ATTR, dir, 658 strlen(dir)); 659 numattr++; 660 } 661 662 kmf_set_attr_at_index(attrlist, numattr, 663 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, 664 sizeof (KMF_CERT_VALIDITY)); 665 numattr++; 666 667 rv = pk_find_certs(kmfhandle, attrlist, numattr); 668 if (rv != KMF_OK) 669 return (rv); 670 } 671 672 numattr = 0; 673 if (oclass & PK_CRL_OBJ) { 674 char *crldata = NULL; 675 676 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 677 &kstype, sizeof (kstype)); 678 numattr++; 679 680 if (dir != NULL) { 681 kmf_set_attr_at_index(attrlist, numattr, 682 KMF_DIRPATH_ATTR, dir, strlen(dir)); 683 numattr++; 684 } 685 if (filename != NULL) { 686 kmf_set_attr_at_index(attrlist, numattr, 687 KMF_CRL_FILENAME_ATTR, 688 filename, strlen(filename)); 689 numattr++; 690 } 691 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR, 692 &crldata, sizeof (char *)); 693 numattr++; 694 695 rv = kmf_list_crl(kmfhandle, numattr, attrlist); 696 if (rv == KMF_OK && crldata != NULL) { 697 (void) printf("%s\n", crldata); 698 free(crldata); 699 } 700 } 701 702 return (rv); 703 } 704 705 static int 706 list_nss_objects(KMF_HANDLE_T kmfhandle, 707 int oclass, char *token_spec, char *dir, char *prefix, 708 char *nickname, KMF_BIGINT *serial, char *issuer, char *subject, 709 KMF_CREDENTIAL *tokencred, 710 KMF_CERT_VALIDITY find_criteria_flag) 711 { 712 KMF_RETURN rv = KMF_OK; 713 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 714 int numattr = 0; 715 KMF_ATTRIBUTE attrlist[16]; 716 KMF_KEY_CLASS keyclass; 717 KMF_ENCODE_FORMAT format; 718 719 rv = configure_nss(kmfhandle, dir, prefix); 720 if (rv != KMF_OK) 721 return (rv); 722 723 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 724 &kstype, sizeof (kstype)); 725 numattr++; 726 727 if (oclass & PK_KEY_OBJ) { 728 if (tokencred != NULL && tokencred->credlen > 0) { 729 kmf_set_attr_at_index(attrlist, numattr, 730 KMF_CREDENTIAL_ATTR, tokencred, 731 sizeof (KMF_CREDENTIAL)); 732 numattr++; 733 } 734 735 if (token_spec && strlen(token_spec)) { 736 kmf_set_attr_at_index(attrlist, numattr, 737 KMF_TOKEN_LABEL_ATTR, token_spec, 738 strlen(token_spec)); 739 numattr++; 740 } 741 742 if (nickname != NULL) { 743 kmf_set_attr_at_index(attrlist, numattr, 744 KMF_KEYLABEL_ATTR, nickname, 745 strlen(nickname)); 746 numattr++; 747 } 748 } 749 750 if (oclass & PK_PRIKEY_OBJ) { 751 int num = numattr; 752 753 keyclass = KMF_ASYM_PRI; 754 kmf_set_attr_at_index(attrlist, num, 755 KMF_KEYCLASS_ATTR, &keyclass, 756 sizeof (keyclass)); 757 num++; 758 759 /* list asymmetric private keys */ 760 rv = pk_list_keys(kmfhandle, attrlist, num, 761 "asymmetric private"); 762 } 763 764 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 765 int num = numattr; 766 767 keyclass = KMF_SYMMETRIC; 768 kmf_set_attr_at_index(attrlist, num, 769 KMF_KEYCLASS_ATTR, &keyclass, 770 sizeof (keyclass)); 771 num++; 772 773 format = KMF_FORMAT_RAWKEY; 774 kmf_set_attr_at_index(attrlist, num, 775 KMF_ENCODE_FORMAT_ATTR, &format, 776 sizeof (format)); 777 num++; 778 779 /* list symmetric keys */ 780 rv = pk_list_keys(kmfhandle, attrlist, num, "symmetric"); 781 } 782 783 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 784 int num = numattr; 785 786 keyclass = KMF_ASYM_PUB; 787 kmf_set_attr_at_index(attrlist, num, 788 KMF_KEYCLASS_ATTR, &keyclass, 789 sizeof (keyclass)); 790 num++; 791 792 /* list asymmetric public keys */ 793 rv = pk_list_keys(kmfhandle, attrlist, num, 794 "asymmetric public"); 795 } 796 797 /* If searching for public objects or certificates, find certs now */ 798 numattr = 0; 799 if (rv == KMF_OK && (oclass & PK_CERT_OBJ)) { 800 kmf_set_attr_at_index(attrlist, numattr, 801 KMF_KEYSTORE_TYPE_ATTR, &kstype, 802 sizeof (kstype)); 803 numattr++; 804 805 if (nickname != NULL) { 806 kmf_set_attr_at_index(attrlist, numattr, 807 KMF_CERT_LABEL_ATTR, nickname, 808 strlen(nickname)); 809 numattr++; 810 } 811 812 if (issuer != NULL) { 813 kmf_set_attr_at_index(attrlist, numattr, 814 KMF_ISSUER_NAME_ATTR, issuer, 815 strlen(issuer)); 816 numattr++; 817 } 818 819 if (subject != NULL) { 820 kmf_set_attr_at_index(attrlist, numattr, 821 KMF_SUBJECT_NAME_ATTR, subject, 822 strlen(subject)); 823 numattr++; 824 } 825 826 if (serial != NULL) { 827 kmf_set_attr_at_index(attrlist, numattr, 828 KMF_BIGINT_ATTR, serial, 829 sizeof (KMF_BIGINT)); 830 numattr++; 831 } 832 833 if (token_spec != NULL) { 834 kmf_set_attr_at_index(attrlist, numattr, 835 KMF_TOKEN_LABEL_ATTR, token_spec, 836 strlen(token_spec)); 837 numattr++; 838 } 839 840 kmf_set_attr_at_index(attrlist, numattr, 841 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, 842 sizeof (KMF_CERT_VALIDITY)); 843 numattr++; 844 845 rv = pk_find_certs(kmfhandle, attrlist, numattr); 846 } 847 848 numattr = 0; 849 if (rv == KMF_OK && (oclass & PK_CRL_OBJ)) { 850 int numcrls; 851 852 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 853 &kstype, sizeof (kstype)); 854 numattr++; 855 856 if (token_spec != NULL) { 857 kmf_set_attr_at_index(attrlist, numattr, 858 KMF_TOKEN_LABEL_ATTR, 859 token_spec, strlen(token_spec)); 860 numattr++; 861 } 862 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_COUNT_ATTR, 863 &numcrls, sizeof (int)); 864 numattr++; 865 866 rv = kmf_find_crl(kmfhandle, numattr, attrlist); 867 if (rv == KMF_OK) { 868 char **p; 869 if (numcrls == 0) { 870 (void) printf(gettext("No CRLs found in " 871 "NSS keystore.\n")); 872 873 return (KMF_OK); 874 } 875 p = malloc(numcrls * sizeof (char *)); 876 if (p == NULL) { 877 return (KMF_ERR_MEMORY); 878 } 879 (void) memset(p, 0, numcrls * sizeof (char *)); 880 881 kmf_set_attr_at_index(attrlist, numattr, 882 KMF_CRL_NAMELIST_ATTR, p, sizeof (char *)); 883 numattr++; 884 rv = kmf_find_crl(kmfhandle, numattr, attrlist); 885 if (rv == KMF_OK) { 886 int i; 887 for (i = 0; i < numcrls; i++) { 888 (void) printf("%d. Name = %s\n", 889 i + 1, p[i]); 890 free(p[i]); 891 } 892 } 893 free(p); 894 } 895 } 896 return (rv); 897 } 898 899 /* 900 * List token object. 901 */ 902 int 903 pk_list(int argc, char *argv[]) 904 { 905 int opt; 906 extern int optind_av; 907 extern char *optarg_av; 908 char *token_spec = NULL; 909 char *subject = NULL; 910 char *issuer = NULL; 911 char *dir = NULL; 912 char *prefix = NULL; 913 char *filename = NULL; 914 char *serstr = NULL; 915 KMF_BIGINT serial = { NULL, 0 }; 916 917 char *list_label = NULL; 918 int oclass = 0; 919 KMF_KEYSTORE_TYPE kstype = 0; 920 KMF_RETURN rv = KMF_OK; 921 KMF_HANDLE_T kmfhandle = NULL; 922 char *find_criteria = NULL; 923 KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS; 924 KMF_CREDENTIAL tokencred = {NULL, 0}; 925 926 /* Parse command line options. Do NOT i18n/l10n. */ 927 while ((opt = getopt_av(argc, argv, 928 "k:(keystore)t:(objtype)T:(token)d:(dir)" 929 "p:(prefix)n:(nickname)S:(serial)s:(subject)" 930 "c:(criteria)" 931 "i:(issuer)l:(label)f:(infile)")) != EOF) { 932 if (EMPTYSTRING(optarg_av)) 933 return (PK_ERR_USAGE); 934 switch (opt) { 935 case 'k': 936 if (kstype != 0) 937 return (PK_ERR_USAGE); 938 kstype = KS2Int(optarg_av); 939 if (kstype == 0) 940 return (PK_ERR_USAGE); 941 break; 942 case 't': 943 if (oclass != 0) 944 return (PK_ERR_USAGE); 945 oclass = OT2Int(optarg_av); 946 if (oclass == -1) 947 return (PK_ERR_USAGE); 948 break; 949 case 's': 950 if (subject) 951 return (PK_ERR_USAGE); 952 subject = optarg_av; 953 break; 954 case 'i': 955 if (issuer) 956 return (PK_ERR_USAGE); 957 issuer = optarg_av; 958 break; 959 case 'd': 960 if (dir) 961 return (PK_ERR_USAGE); 962 dir = optarg_av; 963 break; 964 case 'p': 965 if (prefix) 966 return (PK_ERR_USAGE); 967 prefix = optarg_av; 968 break; 969 case 'S': 970 serstr = optarg_av; 971 break; 972 case 'f': 973 if (filename) 974 return (PK_ERR_USAGE); 975 filename = optarg_av; 976 break; 977 case 'T': /* token specifier */ 978 if (token_spec) 979 return (PK_ERR_USAGE); 980 token_spec = optarg_av; 981 break; 982 case 'n': 983 case 'l': /* object with specific label */ 984 if (list_label) 985 return (PK_ERR_USAGE); 986 list_label = optarg_av; 987 break; 988 case 'c': 989 find_criteria = optarg_av; 990 if (!strcasecmp(find_criteria, "valid")) 991 find_criteria_flag = 992 KMF_NONEXPIRED_CERTS; 993 else if (!strcasecmp(find_criteria, "expired")) 994 find_criteria_flag = KMF_EXPIRED_CERTS; 995 else if (!strcasecmp(find_criteria, "both")) 996 find_criteria_flag = KMF_ALL_CERTS; 997 else 998 return (PK_ERR_USAGE); 999 break; 1000 default: 1001 return (PK_ERR_USAGE); 1002 } 1003 } 1004 /* No additional args allowed. */ 1005 argc -= optind_av; 1006 argv += optind_av; 1007 if (argc) 1008 return (PK_ERR_USAGE); 1009 1010 if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { 1011 /* Error message ? */ 1012 return (rv); 1013 } 1014 1015 /* Assume keystore = PKCS#11 if not specified. */ 1016 if (kstype == 0) 1017 kstype = KMF_KEYSTORE_PK11TOKEN; 1018 1019 /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ 1020 if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && 1021 kstype != KMF_KEYSTORE_PK11TOKEN) { 1022 1023 (void) fprintf(stderr, gettext("The objtype parameter " 1024 "is only relevant if keystore=pkcs11\n")); 1025 return (PK_ERR_USAGE); 1026 } 1027 1028 1029 if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec)) { 1030 token_spec = PK_DEFAULT_PK11TOKEN; 1031 } else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec)) { 1032 token_spec = DEFAULT_NSS_TOKEN; 1033 } 1034 1035 if (serstr != NULL) { 1036 uchar_t *bytes = NULL; 1037 size_t bytelen; 1038 1039 rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); 1040 if (rv != KMF_OK || bytes == NULL) { 1041 (void) fprintf(stderr, gettext("serial number " 1042 "must be specified as a hex number " 1043 "(ex: 0x0102030405ffeeddee)\n")); 1044 return (PK_ERR_USAGE); 1045 } 1046 serial.val = bytes; 1047 serial.len = bytelen; 1048 /* if objtype was not given, it must be for certs */ 1049 if (oclass == 0) 1050 oclass = PK_CERT_OBJ; 1051 } 1052 if (oclass == 0 && (issuer != NULL || subject != NULL)) 1053 oclass = PK_CERT_OBJ; 1054 1055 /* If no object class specified, list public objects. */ 1056 if (oclass == 0) 1057 oclass = PK_CERT_OBJ | PK_PUBKEY_OBJ; 1058 1059 if ((kstype == KMF_KEYSTORE_PK11TOKEN || 1060 kstype == KMF_KEYSTORE_NSS) && 1061 (oclass & (PK_PRIKEY_OBJ | PK_PRIVATE_OBJ))) { 1062 1063 (void) get_token_password(kstype, token_spec, 1064 &tokencred); 1065 } 1066 if (kstype == KMF_KEYSTORE_PK11TOKEN) { 1067 rv = list_pk11_objects(kmfhandle, token_spec, 1068 oclass, list_label, &serial, 1069 issuer, subject, dir, filename, 1070 &tokencred, find_criteria_flag); 1071 1072 } else if (kstype == KMF_KEYSTORE_NSS) { 1073 if (dir == NULL) 1074 dir = PK_DEFAULT_DIRECTORY; 1075 rv = list_nss_objects(kmfhandle, 1076 oclass, token_spec, dir, prefix, 1077 list_label, &serial, issuer, subject, 1078 &tokencred, find_criteria_flag); 1079 1080 } else if (kstype == KMF_KEYSTORE_OPENSSL) { 1081 1082 rv = list_file_objects(kmfhandle, 1083 oclass, dir, filename, 1084 &serial, issuer, subject, find_criteria_flag); 1085 } 1086 1087 if (rv != KMF_OK) { 1088 display_error(kmfhandle, rv, 1089 gettext("Error listing objects")); 1090 } 1091 1092 if (serial.val != NULL) 1093 free(serial.val); 1094 1095 if (tokencred.cred != NULL) 1096 free(tokencred.cred); 1097 1098 (void) kmf_finalize(kmfhandle); 1099 return (rv); 1100 } 1101