1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file comprises the main driver for this tool. 27 * Upon parsing the command verbs from user input, it 28 * branches to the appropriate modules to perform the 29 * requested task. 30 */ 31 32 #include <stdio.h> 33 #include <string.h> 34 #include <ctype.h> 35 #include <malloc.h> 36 #include <libintl.h> 37 #include <libgen.h> 38 #include <errno.h> 39 #include <cryptoutil.h> 40 #include <security/cryptoki.h> 41 #include "common.h" 42 43 /* 44 * The verbcmd construct allows genericizing information about a verb so 45 * that it is easier to manipulate. Makes parsing code easier to read, 46 * fix, and extend with new verbs. 47 */ 48 typedef struct verbcmd_s { 49 char *verb; 50 int (*action)(int, char *[]); 51 int mode; 52 char *summary; 53 char *synopsis; 54 } verbcmd; 55 56 /* External declarations for supported verb actions. */ 57 extern int pk_setpin(int argc, char *argv[]); 58 extern int pk_list(int argc, char *argv[]); 59 extern int pk_delete(int argc, char *argv[]); 60 extern int pk_import(int argc, char *argv[]); 61 extern int pk_export(int argc, char *argv[]); 62 extern int pk_tokens(int argc, char *argv[]); 63 extern int pk_gencert(int argc, char *argv[]); 64 extern int pk_gencsr(int argc, char *argv[]); 65 extern int pk_download(int argc, char *argv[]); 66 extern int pk_genkey(int argc, char *argv[]); 67 extern int pk_signcsr(int argc, char *argv[]); 68 extern int pk_inittoken(int argc, char *argv[]); 69 extern int pk_genkeypair(int argc, char *argv[]); 70 71 /* Forward declarations for "built-in" verb actions. */ 72 static int pk_help(int argc, char *argv[]); 73 74 #define TOKEN_IDX 0 75 #define TOKEN_VERB "tokens" 76 #define TOKEN_SUMM gettext("lists all visible PKCS#11 tokens") 77 #define TOKEN_SYN "tokens" 78 79 #define SETPIN_IDX 1 80 #define SETPIN_VERB "setpin" 81 #define SETPIN_SUMM gettext("changes user authentication passphrase "\ 82 "for keystore access") 83 #define SETPIN_SYN \ 84 "setpin [ keystore=pkcs11 ]\n\t\t" \ 85 "[ token=token[:manuf[:serial]]]\n\t\t" \ 86 "[ usertype=so|user ]\n\t" \ 87 \ 88 "setpin keystore=nss\n\t\t" \ 89 "[ token=token ]\n\t\t" \ 90 "[ dir=directory-path ]\n\t\t" \ 91 "[ prefix=DBprefix ]\n\t" 92 93 #define LIST_IDX 2 94 #define LIST_VERB "list" 95 #define LIST_SUMM gettext("lists a summary of objects in the keystore") 96 #define LIST_SYN \ 97 "list [ token=token[:manuf[:serial]]]\n\t\t" \ 98 "[ objtype=private|public|both ]\n\t\t" \ 99 "[ label=label ]\n\t" \ 100 \ 101 "list objtype=cert[:[public | private | both ]]\n\t\t" \ 102 "[ subject=subject-DN ]\n\t\t" \ 103 "[ keystore=pkcs11 ]\n\t\t" \ 104 "[ issuer=issuer-DN ]\n\t\t" \ 105 "[ serial=serial number ]\n\t\t" \ 106 "[ label=cert-label ]\n\t\t" \ 107 "[ token=token[:manuf[:serial]]]\n\t\t" \ 108 "[ criteria=valid|expired|both ]\n\t" \ 109 \ 110 "list objtype=key[:[public | private | both ]]\n\t\t" \ 111 "[ keystore=pkcs11 ]\n\t\t" \ 112 "[ label=key-label ]\n\t\t" \ 113 "[ token=token[:manuf[:serial]]]\n\t" \ 114 \ 115 "list keystore=pkcs11 objtype=crl\n\t\t" \ 116 "infile=crl-fn\n\t" \ 117 \ 118 "list keystore=nss objtype=cert\n\t\t" \ 119 "[ subject=subject-DN ]\n\t\t" \ 120 "[ issuer=issuer-DN ]\n\t\t" \ 121 "[ serial=serial number ]\n\t\t" \ 122 "[ nickname=cert-nickname ]\n\t\t" \ 123 "[ token=token[:manuf[:serial]]]\n\t\t" \ 124 "[ dir=directory-path ]\n\t\t" \ 125 "[ prefix=DBprefix ]\n\t\t" \ 126 "[ criteria=valid|expired|both ]\n\t" \ 127 \ 128 "list keystore=nss objtype=key\n\t\t" \ 129 "[ token=token[:manuf[:serial]]]\n\t\t" \ 130 "[ dir=directory-path ]\n\t\t" \ 131 "[ prefix=DBprefix ]\n\t\t" \ 132 "[ nickname=key-nickname ]\n\t" \ 133 \ 134 "list keystore=file objtype=cert\n\t\t" \ 135 "[ subject=subject-DN ]\n\t\t" \ 136 "[ issuer=issuer-DN ]\n\t\t" \ 137 "[ serial=serial number ]\n\t\t" \ 138 "[ infile=cert-fn ]\n\t\t" \ 139 "[ dir=directory-path ]\n\t\t" \ 140 "[ criteria=valid|expired|both ]\n\t" \ 141 \ 142 "list keystore=file objtype=key\n\t\t" \ 143 "[ infile=key-fn ]\n\t\t" \ 144 "[ dir=directory-path ]\n\t" \ 145 \ 146 "list keystore=file objtype=crl\n\t\t" \ 147 "infile=crl-fn\n\t" 148 149 #define DELETE_IDX 3 150 #define DELETE_VERB "delete" 151 #define DELETE_SUMM gettext("deletes objects in the keystore") 152 #define DELETE_SYN \ 153 "delete [ token=token[:manuf[:serial]]]\n\t\t" \ 154 "[ objtype=private|public|both ]\n\t\t" \ 155 "[ label=object-label ]\n\t" \ 156 \ 157 "delete keystore=nss objtype=cert\n\t\t" \ 158 "[ subject=subject-DN ]\n\t\t" \ 159 "[ issuer=issuer-DN ]\n\t\t" \ 160 "[ serial=serial number ]\n\t\t" \ 161 "[ label=cert-label ]\n\t\t" \ 162 "[ token=token[:manuf[:serial]]]\n\t\t" \ 163 "[ dir=directory-path ]\n\t\t" \ 164 "[ prefix=DBprefix ]\n\t\t" \ 165 "[ criteria=valid|expired|both ]\n\t" \ 166 \ 167 "delete keystore=nss objtype=key\n\t\t" \ 168 "[ token=token[:manuf[:serial]]]\n\t\t" \ 169 "[ dir=directory-path ]\n\t\t" \ 170 "[ prefix=DBprefix ]\n\t\t" \ 171 "[ nickname=key-nickname ]\n\t\t" \ 172 \ 173 "delete keystore=nss objtype=crl\n\t\t" \ 174 "[ nickname=issuer-nickname ]\n\t\t" \ 175 "[ subject=subject-DN ]\n\t\t" \ 176 "[ token=token[:manuf[:serial]]]\n\t\t" \ 177 "[ dir=directory-path ]\n\t\t" \ 178 "[ prefix=DBprefix ]\n\t" \ 179 \ 180 "delete keystore=pkcs11 " \ 181 "objtype=cert[:[public | private | both]]\n\t\t" \ 182 "[ subject=subject-DN ]\n\t\t" \ 183 "[ issuer=issuer-DN ]\n\t\t" \ 184 "[ serial=serial number ]\n\t\t" \ 185 "[ label=cert-label ]\n\t\t" \ 186 "[ token=token[:manuf[:serial]]]\n\t\t" \ 187 "[ criteria=valid|expired|both ]\n\t" \ 188 \ 189 "delete keystore=pkcs11 " \ 190 "objtype=key[:[public | private | both]]\n\t\t" \ 191 "[ label=key-label ]\n\t\t" \ 192 "[ token=token[:manuf[:serial]]]\n\t" \ 193 \ 194 "delete keystore=pkcs11 objtype=crl\n\t\t" \ 195 "infile=crl-fn\n\t" \ 196 \ 197 "delete keystore=file objtype=cert\n\t\t" \ 198 "[ subject=subject-DN ]\n\t\t" \ 199 "[ issuer=issuer-DN ]\n\t\t" \ 200 "[ serial=serial number ]\n\t\t" \ 201 "[ infile=cert-fn ]\n\t\t" \ 202 "[ dir=directory-path ]\n\t\t" \ 203 "[ criteria=valid|expired|both ]\n\t" \ 204 \ 205 "delete keystore=file objtype=key\n\t\t" \ 206 "[ infile=key-fn ]\n\t\t" \ 207 "[ dir=directory-path ]\n\t" \ 208 \ 209 "delete keystore=file objtype=crl\n\t\t" \ 210 "infile=crl-fn\n\t" 211 212 #define IMPORT_IDX 4 213 #define IMPORT_VERB "import" 214 #define IMPORT_SUMM gettext("imports objects from an external source") 215 #define IMPORT_SYN \ 216 "import [token=token[:manuf[:serial]]]\n\t\t" \ 217 "infile=input-fn\n\t" \ 218 \ 219 "import keystore=nss objtype=cert\n\t\t" \ 220 "infile=input-fn\n\t\t" \ 221 "label=cert-label\n\t\t" \ 222 "[ trust=trust-value ]\n\t\t" \ 223 "[ token=token[:manuf[:serial]]]\n\t\t" \ 224 "[ dir=directory-path ]\n\t\t" \ 225 "[ prefix=DBprefix ]\n\t" \ 226 \ 227 "import keystore=nss objtype=crl\n\t\t" \ 228 "infile=input-fn\n\t\t" \ 229 "[ verifycrl=y|n ]\n\t\t" \ 230 "[ token=token[:manuf[:serial]]]\n\t\t" \ 231 "[ dir=directory-path ]\n\t\t" \ 232 "[ prefix=DBprefix ]\n\t" \ 233 \ 234 "import keystore=pkcs11\n\t\t" \ 235 "infile=input-fn\n\t\t" \ 236 "label=label\n\t\t" \ 237 "[ objtype=cert|key ]\n\t\t" \ 238 "[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \ 239 "[ sensitive=y|n ]\n\t\t" \ 240 "[ extractable=y|n ]\n\t\t" \ 241 "[ token=token[:manuf[:serial]]]\n\t" \ 242 \ 243 "import keystore=pkcs11 objtype=crl\n\t\t" \ 244 "infile=input-crl-fn\n\t\t" \ 245 "outcrl=output-crl-fn\n\t\t" \ 246 "outformat=pem|der\n\t" \ 247 \ 248 "import keystore=file\n\t\t" \ 249 "infile=input-fn\n\t\t" \ 250 "outkey=output-key-fn\n\t\t" \ 251 "outcert=output-cert-fn\n\t\t" \ 252 "[ outformat=pem|der|pkcs12 ]\n\t" \ 253 \ 254 "import keystore=file objtype=crl\n\t\t" \ 255 "infile=input-crl-fn\n\t\t" \ 256 "outcrl=output-crl-fn\n\t\t" \ 257 "outformat=pem|der\n\t" 258 259 #define EXPORT_IDX 5 260 #define EXPORT_VERB "export" 261 #define EXPORT_SUMM gettext("exports objects from the keystore to a file") 262 #define EXPORT_SYN \ 263 "export [token=token[:manuf[:serial]]]\n\t\t" \ 264 "outfile=output-fn\n\t" \ 265 \ 266 "export keystore=nss\n\t\t" \ 267 "outfile=output-fn\n\t\t" \ 268 "[ objtype=cert|key ]\n\t\t" \ 269 "[ subject=subject-DN ]\n\t\t" \ 270 "[ issuer=issuer-DN ]\n\t\t" \ 271 "[ serial=serial number ]\n\t\t" \ 272 "[ nickname=cert-nickname ]\n\t\t" \ 273 "[ token=token[:manuf[:serial]]]\n\t\t" \ 274 "[ dir=directory-path ]\n\t\t" \ 275 "[ prefix=DBPrefix ]\n\t\t" \ 276 "[ outformat=pem|der|pkcs12 ]\n\t" \ 277 \ 278 "export keystore=pkcs11\n\t\t" \ 279 "outfile=output-fn\n\t\t" \ 280 "[ objtype=cert|key ]\n\t\t" \ 281 "[ label=label ]\n\t\t" \ 282 "[ subject=subject-DN ]\n\t\t" \ 283 "[ issuer=issuer-DN ]\n\t\t" \ 284 "[ serial=serial number ]\n\t\t" \ 285 "[ outformat=pem|der|pkcs12|raw ]\n\t\t" \ 286 "[ token=token[:manuf[:serial]]]\n\t" \ 287 \ 288 "export keystore=file\n\t\t" \ 289 "certfile=cert-input-fn\n\t\t" \ 290 "keyfile=key-input-fn\n\t\t" \ 291 "outfile=output-pkcs12-fn\n\t" 292 293 #define GENCERT_IDX 6 294 #define GENCERT_VERB "gencert" 295 #define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate") 296 #define GENCERT_SYN \ 297 "gencert listcurves\n\t" \ 298 \ 299 "gencert keystore=nss\n\t\t" \ 300 "label=cert-nickname\n\t\t" \ 301 "serial=serial number hex string\n\t\t" \ 302 "[ -i ] | [subject=subject-DN]\n\t\t" \ 303 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 304 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 305 "[ token=token[:manuf[:serial]]]\n\t\t" \ 306 "[ dir=directory-path ]\n\t\t" \ 307 "[ prefix=DBprefix ]\n\t\t" \ 308 "[ keytype=rsa | ec [curve=ECC Curve Name] " \ 309 "[hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 310 "[ keytype=dsa [hash=sha1]]\n\t\t" \ 311 "[ keylen=key-size ]\n\t\t" \ 312 "[ trust=trust-value ]\n\t\t" \ 313 "[ eku=[critical:]EKU name,...]\n\t\t" \ 314 "[ lifetime=number-hour|number-day|number-year ]\n\t" \ 315 \ 316 "gencert [ keystore=pkcs11 ]\n\t\t" \ 317 "label=key/cert-label\n\t\t" \ 318 "serial=serial number hex string\n\t\t" \ 319 "[ -i ] | [subject=subject-DN]\n\t\t" \ 320 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 321 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 322 "[ token=token[:manuf[:serial]]]\n\t\t" \ 323 "[ keytype=rsa | ec [curve=ECC Curve Name] " \ 324 "[hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 325 "[ keytype=dsa [hash=sha1 | sha256 ]]\n\t\t" \ 326 "[ keylen=key-size ]\n\t\t" \ 327 "[ eku=[critical:]EKU name,...]\n\t\t" \ 328 "[ lifetime=number-hour|number-day|number-year ]\n\t" \ 329 \ 330 "gencert keystore=file\n\t\t" \ 331 "outcert=cert_filename\n\t\t" \ 332 "outkey=key_filename\n\t\t" \ 333 "serial=serial number hex string\n\t\t" \ 334 "[ -i ] | [subject=subject-DN]\n\t\t" \ 335 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 336 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 337 "[ format=der|pem ]\n\t\t" \ 338 "[ keytype=rsa [hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 339 "[ keytype=dsa [hash=sha1 | sha256 ]]\n\t\t" \ 340 "[ keylen=key-size ]\n\t\t" \ 341 "[ eku=[critical:]EKU name,...]\n\t\t" \ 342 "[ lifetime=number-hour|number-day|number-year ]\n\t" 343 344 #define GENCSR_IDX 7 345 #define GENCSR_VERB "gencsr" 346 #define GENCSR_SUMM gettext("creates a PKCS#10 certificate signing " \ 347 "request file") 348 349 #define GENCSR_SYN \ 350 "gencsr listcurves\n\t" \ 351 \ 352 "gencsr keystore=nss \n\t\t" \ 353 "nickname=cert-nickname\n\t\t" \ 354 "outcsr=csr-fn\n\t\t" \ 355 "[ -i ] | [subject=subject-DN]\n\t\t" \ 356 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 357 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 358 "[ token=token[:manuf[:serial]]]\n\t\t" \ 359 "[ dir=directory-path ]\n\t\t" \ 360 "[ prefix=DBprefix ]\n\t\t" \ 361 "[ keytype=rsa | ec [curve=ECC Curve Name] " \ 362 "[hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 363 "[ keytype=dsa [hash=sha1]]\n\t\t" \ 364 "[ keylen=key-size ]\n\t\t" \ 365 "[ eku=[critical:]EKU name,...]\n\t\t" \ 366 "[ format=pem|der ]\n\t" \ 367 \ 368 "gencsr [ keystore=pkcs11 ]\n\t\t" \ 369 "label=key-label\n\t\t" \ 370 "outcsr=csr-fn\n\t\t" \ 371 "[ -i ] | [subject=subject-DN]\n\t\t" \ 372 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 373 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 374 "[ token=token[:manuf[:serial]]]\n\t\t" \ 375 "[ keytype=rsa | ec [curve=ECC Curve Name] " \ 376 "[hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 377 "[ keytype=dsa [hash=sha1 | sha256 ]]\n\t\t" \ 378 "[ keylen=key-size ]\n\t\t" \ 379 "[ eku=[critical:]EKU name,...]\n\t\t" \ 380 "[ format=pem|der ]]\n\t" \ 381 \ 382 "gencsr keystore=file\n\t\t" \ 383 "outcsr=csr-fn\n\t\t" \ 384 "outkey=key-fn\n\t\t" \ 385 "[ -i ] | [subject=subject-DN]\n\t\t" \ 386 "[ altname=[critical:]SubjectAltName ]\n\t\t" \ 387 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \ 388 "[ keytype=rsa [hash=md5 | sha1 | sha256 | sha384 | sha512]]\n\t\t" \ 389 "[ keytype=dsa [hash=sha1 | sha256 ]]\n\t\t" \ 390 "[ keylen=key-size ]\n\t\t" \ 391 "[ eku=[critical:]EKU name,...]\n\t\t" \ 392 "[ format=pem|der ]\n\t" 393 394 #define DOWNLOAD_IDX 8 395 #define DOWNLOAD_VERB "download" 396 #define DOWNLOAD_SUMM gettext("downloads a CRL or certificate file " \ 397 "from an external source") 398 #define DOWNLOAD_SYN \ 399 "download url=url_str\n\t\t" \ 400 "[ objtype=crl|cert ]\n\t\t" \ 401 "[ http_proxy=proxy_str ]\n\t\t" \ 402 "[ outfile = outfile ]\n\t" 403 404 #define GENKEY_IDX 9 405 #define GENKEY_VERB "genkey" 406 #define GENKEY_SUMM gettext("creates a symmetric key in the keystore") 407 #define GENKEY_SYN \ 408 "genkey [ keystore=pkcs11 ]\n\t\t" \ 409 "label=key-label\n\t\t" \ 410 "[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \ 411 "[ keylen=key-size (AES, ARCFOUR or GENERIC only)]\n\t\t" \ 412 "[ token=token[:manuf[:serial]]]\n\t\t" \ 413 "[ sensitive=y|n ]\n\t\t" \ 414 "[ extractable=y|n ]\n\t\t" \ 415 "[ print=y|n ]\n\t" \ 416 \ 417 "genkey keystore=nss\n\t\t" \ 418 "label=key-label\n\t\t" \ 419 "[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \ 420 "[ keylen=key-size (AES, ARCFOUR or GENERIC only)]\n\t\t" \ 421 "[ token=token[:manuf[:serial]]]\n\t\t" \ 422 "[ dir=directory-path ]\n\t\t" \ 423 "[ prefix=DBprefix ]\n\t" \ 424 \ 425 "genkey keystore=file\n\t\t" \ 426 "outkey=key-fn\n\t\t" \ 427 "[ keytype=aes|arcfour|des|3des|generic ]\n\t\t" \ 428 "[ keylen=key-size (AES, ARCFOUR or GENERIC only)]\n\t\t" \ 429 "[ print=y|n ]\n\t" 430 431 #define SIGNCSR_IDX 10 432 #define SIGNCSR_VERB "signcsr" 433 #define SIGNCSR_SUMM gettext("Sign a PKCS#10 Certificate Signing Request") 434 #define SIGNCSR_SYN \ 435 "signcsr keystore=pkcs11\n\t\t" \ 436 "signkey=label (label of signing key)\n\t\t" \ 437 "csr=CSR filename\n\t\t" \ 438 "serial=serial number hex string\n\t\t" \ 439 "outcert=filename for final certificate\n\t\t" \ 440 "issuer=issuer-DN\n\t\t" \ 441 "[ store=y|n ] (store the new cert on the token, default=n)\n\t\t" \ 442 "[ outlabel=certificate label ]\n\t\t" \ 443 "[ format=pem|der ] (output format)\n\t\t" \ 444 "[ subject=subject-DN ] (new subject name)\n\t\t" \ 445 "[ altname=subjectAltName ]\n\t\t" \ 446 "[ keyusage=[critical:]usage,...]\n\t\t" \ 447 "[ eku=[critical:]EKU Name,...]\n\t\t" \ 448 "[ lifetime=number-hour|number-day|number-year ]\n\t\t" \ 449 "[ token=token[:manuf[:serial]]]\n\t" \ 450 \ 451 "signcsr keystore=file\n\t\t" \ 452 "signkey=filename\n\t\t" \ 453 "csr=CSR filename\n\t\t" \ 454 "serial=serial number hex string\n\t\t" \ 455 "outcert=filename for final certificate\n\t\t" \ 456 "issuer=issuer-DN\n\t\t" \ 457 "[ format=pem|der ] (output format)\n\t\t" \ 458 "[ subject=subject-DN ] (new subject name)\n\t\t" \ 459 "[ altname=subjectAltName ]\n\t\t" \ 460 "[ keyusage=[critical:]usage,...]\n\t\t" \ 461 "[ lifetime=number-hour|number-day|number-year ]\n\t\t" \ 462 "[ eku=[critical:]EKU Name,...]\n\t" \ 463 \ 464 "signcsr keystore=nss\n\t\t" \ 465 "signkey=label (label of signing key)\n\t\t" \ 466 "csr=CSR filename\n\t\t" \ 467 "serial=serial number hex string\n\t\t" \ 468 "outcert=filename for final certificate\n\t\t" \ 469 "issuer=issuer-DN\n\t\t" \ 470 "[ store=y|n ] (store the new cert in NSS DB, default=n)\n\t\t" \ 471 "[ outlabel=certificate label ]\n\t\t" \ 472 "[ format=pem|der ] (output format)\n\t\t" \ 473 "[ subject=subject-DN ] (new subject name)\n\t\t" \ 474 "[ altname=subjectAltName ]\n\t\t" \ 475 "[ keyusage=[critical:]usage,...]\n\t\t" \ 476 "[ eku=[critical:]EKU Name,...]\n\t\t" \ 477 "[ lifetime=number-hour|number-day|number-year ]\n\t\t" \ 478 "[ token=token[:manuf[:serial]]]\n\t\t" \ 479 "[ dir=directory-path ]\n\t\t" \ 480 "[ prefix=DBprefix ]\n\t" 481 482 #define INITTOKEN_IDX 11 483 #define INITTOKEN_VERB "inittoken" 484 #define INITTOKEN_SUMM gettext("Initialize a PKCS11 token") 485 #define INITTOKEN_SYN \ 486 "inittoken \n\t\t" \ 487 "[ currlabel=token[:manuf[:serial]]]\n\t\t" \ 488 "[ newlabel=new token label ]\n\t" 489 490 #define GENKEYPAIR_IDX 12 491 #define GENKEYPAIR_VERB "genkeypair" 492 #define GENKEYPAIR_SUMM gettext("creates an asymmetric keypair") 493 #define GENKEYPAIR_SYN \ 494 "genkeypair listcurves\n\t" \ 495 \ 496 "genkeypair keystore=nss\n\t\t" \ 497 "label=key-nickname\n\t\t" \ 498 "[ token=token[:manuf[:serial]]]\n\t\t" \ 499 "[ dir=directory-path ]\n\t\t" \ 500 "[ prefix=DBprefix ]\n\t\t" \ 501 "[ keytype=rsa | dsa | ec [curve=ECC Curve Name]]\n\t\t" \ 502 "[ keylen=key-size ]\n\t" \ 503 \ 504 "genkeypair [ keystore=pkcs11 ]\n\t\t" \ 505 "label=key-label\n\t\t" \ 506 "[ token=token[:manuf[:serial]]]\n\t\t" \ 507 "[ keytype=rsa | dsa | ec [curve=ECC Curve Name]]\n\t\t" \ 508 "[ keylen=key-size ]\n\t" \ 509 \ 510 "genkeypair keystore=file\n\t\t" \ 511 "outkey=key_filename\n\t\t" \ 512 "[ format=der|pem ]\n\t\t" \ 513 "[ keytype=rsa|dsa ]\n\t\t" \ 514 "[ keylen=key-size ]\n\t" 515 516 #define HELP_IDX 13 517 #define HELP_VERB "help" 518 #define HELP_SUMM gettext("displays help message") 519 #define HELP_SYN "help\t(help and usage)" 520 521 /* Command structure for verbs and their actions. Do NOT i18n/l10n. */ 522 static verbcmd cmds[] = { 523 { NULL, pk_tokens, 0, NULL, NULL}, 524 { NULL, pk_setpin, 0, NULL, NULL}, 525 { NULL, pk_list, 0, NULL, NULL}, 526 { NULL, pk_delete, 0, NULL, NULL}, 527 { NULL, pk_import, 0, NULL, NULL}, 528 { NULL, pk_export, 0, NULL, NULL}, 529 { NULL, pk_gencert, 0, NULL, NULL}, 530 { NULL, pk_gencsr, 0, NULL, NULL}, 531 { NULL, pk_download, 0, NULL, NULL}, 532 { NULL, pk_genkey, 0, NULL, NULL}, 533 { NULL, pk_signcsr, 0, NULL, NULL}, 534 { NULL, pk_inittoken, 0, NULL, NULL}, 535 { NULL, pk_genkeypair, 0, NULL, NULL}, 536 { NULL, pk_help, 0, NULL, NULL} 537 }; 538 539 static int num_cmds = sizeof (cmds) / sizeof (verbcmd); 540 541 static char *prog; 542 static void usage(int); 543 544 static void 545 init_command_list() 546 { 547 cmds[TOKEN_IDX].verb = TOKEN_VERB; 548 cmds[TOKEN_IDX].summary = TOKEN_SUMM; 549 cmds[TOKEN_IDX].synopsis = TOKEN_SYN; 550 551 cmds[SETPIN_IDX].verb = SETPIN_VERB; 552 cmds[SETPIN_IDX].summary = SETPIN_SUMM; 553 cmds[SETPIN_IDX].synopsis = SETPIN_SYN; 554 555 cmds[LIST_IDX].verb = LIST_VERB; 556 cmds[LIST_IDX].summary = LIST_SUMM; 557 cmds[LIST_IDX].synopsis = LIST_SYN; 558 559 cmds[DELETE_IDX].verb = DELETE_VERB; 560 cmds[DELETE_IDX].summary = DELETE_SUMM; 561 cmds[DELETE_IDX].synopsis = DELETE_SYN; 562 563 cmds[IMPORT_IDX].verb = IMPORT_VERB; 564 cmds[IMPORT_IDX].summary = IMPORT_SUMM; 565 cmds[IMPORT_IDX].synopsis = IMPORT_SYN; 566 567 cmds[EXPORT_IDX].verb = EXPORT_VERB; 568 cmds[EXPORT_IDX].summary = EXPORT_SUMM; 569 cmds[EXPORT_IDX].synopsis = EXPORT_SYN; 570 571 cmds[GENCERT_IDX].verb = GENCERT_VERB; 572 cmds[GENCERT_IDX].summary = GENCERT_SUMM; 573 cmds[GENCERT_IDX].synopsis = GENCERT_SYN; 574 575 cmds[GENCSR_IDX].verb = GENCSR_VERB; 576 cmds[GENCSR_IDX].summary = GENCSR_SUMM; 577 cmds[GENCSR_IDX].synopsis = GENCSR_SYN; 578 579 cmds[DOWNLOAD_IDX].verb = DOWNLOAD_VERB; 580 cmds[DOWNLOAD_IDX].summary = DOWNLOAD_SUMM; 581 cmds[DOWNLOAD_IDX].synopsis = DOWNLOAD_SYN; 582 583 cmds[GENKEY_IDX].verb = GENKEY_VERB; 584 cmds[GENKEY_IDX].summary = GENKEY_SUMM; 585 cmds[GENKEY_IDX].synopsis = GENKEY_SYN; 586 587 cmds[SIGNCSR_IDX].verb = SIGNCSR_VERB; 588 cmds[SIGNCSR_IDX].summary = SIGNCSR_SUMM; 589 cmds[SIGNCSR_IDX].synopsis = SIGNCSR_SYN; 590 591 cmds[INITTOKEN_IDX].verb = INITTOKEN_VERB; 592 cmds[INITTOKEN_IDX].summary = INITTOKEN_SUMM; 593 cmds[INITTOKEN_IDX].synopsis = INITTOKEN_SYN; 594 595 cmds[GENKEYPAIR_IDX].verb = GENKEYPAIR_VERB; 596 cmds[GENKEYPAIR_IDX].summary = GENKEYPAIR_SUMM; 597 cmds[GENKEYPAIR_IDX].synopsis = GENKEYPAIR_SYN; 598 599 cmds[HELP_IDX].verb = HELP_VERB; 600 cmds[HELP_IDX].summary = HELP_SUMM; 601 cmds[HELP_IDX].synopsis = HELP_SYN; 602 } 603 604 /* 605 * Usage information. This function must be updated when new verbs or 606 * options are added. 607 */ 608 static void 609 usage(int idx) 610 { 611 int i; 612 613 /* Display this block only in command-line mode. */ 614 (void) fprintf(stdout, gettext("Usage:\n")); 615 (void) fprintf(stdout, gettext(" %s -?\t(help and usage)\n"), 616 prog); 617 (void) fprintf(stdout, gettext(" %s -f option_file\n"), prog); 618 (void) fprintf(stdout, gettext(" %s subcommand [options...]\n"), 619 prog); 620 (void) fprintf(stdout, gettext("where subcommands may be:\n")); 621 622 /* Display only those verbs that match the current tool mode. */ 623 if (idx == -1) { 624 for (i = 0; i < num_cmds; i++) { 625 /* Do NOT i18n/l10n. */ 626 (void) fprintf(stdout, " %-8s - %s\n", 627 cmds[i].verb, cmds[i].summary); 628 } 629 (void) fprintf(stdout, "%s \'help\'.\n" 630 "Ex: pktool gencert help\n\n", 631 gettext("\nFurther details on the " 632 "subcommands can be found by adding")); 633 } else { 634 (void) fprintf(stdout, "\t%s\n", cmds[idx].synopsis); 635 } 636 } 637 638 /* 639 * Provide help, in the form of displaying the usage. 640 */ 641 static int 642 pk_help(int argc, char *argv[]) 643 /* ARGSUSED */ 644 { 645 usage(-1); 646 return (0); 647 } 648 649 /* 650 * Process arguments from the argfile and create a new 651 * argv/argc list to be processed later. 652 */ 653 static int 654 process_arg_file(char *argfile, char ***argv, int *argc) 655 { 656 FILE *fp; 657 char argline[2 * BUFSIZ]; /* 2048 bytes should be plenty */ 658 char *p; 659 int nargs = 0; 660 661 if ((fp = fopen(argfile, "rF")) == NULL) { 662 (void) fprintf(stderr, 663 gettext("Cannot read argfile %s: %s\n"), 664 argfile, strerror(errno)); 665 return (errno); 666 } 667 668 while (fgets(argline, sizeof (argline), fp) != NULL) { 669 int j; 670 /* remove trailing whitespace */ 671 j = strlen(argline) - 1; 672 while (j >= 0 && isspace(argline[j])) { 673 argline[j] = 0; 674 j--; 675 } 676 /* If it was a blank line, get the next one. */ 677 if (!strlen(argline)) 678 continue; 679 680 (*argv) = realloc((*argv), 681 (nargs + 1) * sizeof (char *)); 682 if ((*argv) == NULL) { 683 perror("memory error"); 684 (void) fclose(fp); 685 return (errno); 686 } 687 p = (char *)strdup(argline); 688 if (p == NULL) { 689 perror("memory error"); 690 (void) fclose(fp); 691 return (errno); 692 } 693 (*argv)[nargs] = p; 694 nargs++; 695 } 696 *argc = nargs; 697 (void) fclose(fp); 698 return (0); 699 } 700 701 /* 702 * MAIN() -- where all the action is 703 */ 704 int 705 main(int argc, char *argv[], char *envp[]) 706 /* ARGSUSED2 */ 707 { 708 int i, found = -1; 709 int rv; 710 int pk_argc = 0; 711 char **pk_argv = NULL; 712 int save_errno = 0; 713 714 /* Set up for i18n/l10n. */ 715 (void) setlocale(LC_ALL, ""); 716 #if !defined(TEXT_DOMAIN) /* Should be defined by cc -D. */ 717 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it isn't. */ 718 #endif 719 (void) textdomain(TEXT_DOMAIN); 720 721 init_command_list(); 722 723 /* Get program base name and move pointer over 0th arg. */ 724 prog = basename(argv[0]); 725 argv++, argc--; 726 727 /* Set up for debug and error output. */ 728 if (argc == 0) { 729 usage(-1); 730 return (1); 731 } 732 733 /* Check for help options. For CLIP-compliance. */ 734 if (strcmp(argv[0], "-?") == 0) { 735 return (pk_help(argc, argv)); 736 } else if (strcmp(argv[0], "-f") == 0 && argc == 2) { 737 rv = process_arg_file(argv[1], &pk_argv, &pk_argc); 738 if (rv) 739 return (rv); 740 } else if (argc >= 1 && argv[0][0] == '-') { 741 usage(-1); 742 return (1); 743 } 744 745 /* Always turns off Metaslot so that we can see softtoken. */ 746 if (setenv("METASLOT_ENABLED", "false", 1) < 0) { 747 save_errno = errno; 748 cryptoerror(LOG_STDERR, 749 gettext("Disabling Metaslot failed (%s)."), 750 strerror(save_errno)); 751 return (1); 752 } 753 754 /* Begin parsing command line. */ 755 if (pk_argc == 0 && pk_argv == NULL) { 756 pk_argc = argc; 757 pk_argv = argv; 758 } 759 760 /* Check for valid verb (or an abbreviation of it). */ 761 found = -1; 762 for (i = 0; i < num_cmds; i++) { 763 if (strcmp(cmds[i].verb, pk_argv[0]) == 0) { 764 if (found < 0) { 765 found = i; 766 break; 767 } 768 } 769 } 770 /* Stop here if no valid verb found. */ 771 if (found < 0) { 772 cryptoerror(LOG_STDERR, gettext("Invalid verb: %s"), 773 pk_argv[0]); 774 return (1); 775 } 776 777 /* Get to work! */ 778 rv = (*cmds[found].action)(pk_argc, pk_argv); 779 switch (rv) { 780 case PK_ERR_NONE: 781 break; /* Command succeeded, do nothing. */ 782 case PK_ERR_USAGE: 783 usage(found); 784 break; 785 case PK_ERR_QUIT: 786 exit(0); 787 /* NOTREACHED */ 788 case PK_ERR_PK11: 789 case PK_ERR_SYSTEM: 790 case PK_ERR_OPENSSL: 791 case PK_ERR_NSS: 792 default: 793 break; 794 } 795 return (rv); 796 } 797