17711facfSdinak /* 27711facfSdinak * CDDL HEADER START 37711facfSdinak * 47711facfSdinak * The contents of this file are subject to the terms of the 599ebb4caSwyllys * Common Development and Distribution License (the "License"). 699ebb4caSwyllys * You may not use this file except in compliance with the License. 77711facfSdinak * 87711facfSdinak * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97711facfSdinak * or http://www.opensolaris.org/os/licensing. 107711facfSdinak * See the License for the specific language governing permissions 117711facfSdinak * and limitations under the License. 127711facfSdinak * 137711facfSdinak * When distributing Covered Code, include this CDDL HEADER in each 147711facfSdinak * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157711facfSdinak * If applicable, add the following below this CDDL HEADER, with the 167711facfSdinak * fields enclosed by brackets "[]" replaced with your own identifying 177711facfSdinak * information: Portions Copyright [yyyy] [name of copyright owner] 187711facfSdinak * 197711facfSdinak * CDDL HEADER END 207711facfSdinak */ 217711facfSdinak /* 22448b8615Swyllys * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 237711facfSdinak * Use is subject to license terms. 247711facfSdinak */ 257711facfSdinak 267711facfSdinak #pragma ident "%Z%%M% %I% %E% SMI" 277711facfSdinak 287711facfSdinak /* 297711facfSdinak * This file implements the token object delete operation for this tool. 307711facfSdinak * It loads the PKCS#11 modules, finds the object to delete, deletes it, 317711facfSdinak * and cleans up. User must be R/W logged into the token. 327711facfSdinak */ 337711facfSdinak 347711facfSdinak #include <stdio.h> 357711facfSdinak #include <string.h> 367711facfSdinak #include <cryptoutil.h> 377711facfSdinak #include <security/cryptoki.h> 387711facfSdinak #include "common.h" 3999ebb4caSwyllys #include <kmfapi.h> 4099ebb4caSwyllys 4199ebb4caSwyllys static KMF_RETURN 4230a5e8faSwyllys pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr) 4399ebb4caSwyllys { 4499ebb4caSwyllys int i; 4599ebb4caSwyllys KMF_RETURN rv = KMF_OK; 4630a5e8faSwyllys uint32_t *numkeys; 4730a5e8faSwyllys KMF_KEY_HANDLE *keys = NULL; 4830a5e8faSwyllys int del_num = 0; 4930a5e8faSwyllys KMF_ATTRIBUTE delete_attlist[16]; 5030a5e8faSwyllys KMF_KEYSTORE_TYPE kstype; 5130a5e8faSwyllys uint32_t len; 5230a5e8faSwyllys boolean_t destroy = B_TRUE; 5330a5e8faSwyllys KMF_CREDENTIAL cred; 5430a5e8faSwyllys char *slotlabel = NULL; 5599ebb4caSwyllys 5630a5e8faSwyllys len = sizeof (kstype); 5730a5e8faSwyllys rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, 5830a5e8faSwyllys &kstype, &len); 5930a5e8faSwyllys if (rv != KMF_OK) 6030a5e8faSwyllys return (rv); 6199ebb4caSwyllys 6230a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 6330a5e8faSwyllys KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); 6430a5e8faSwyllys del_num++; 6530a5e8faSwyllys 6630a5e8faSwyllys /* "destroy" is optional. Default is TRUE */ 6730a5e8faSwyllys (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr, 6830a5e8faSwyllys (void *)&destroy, NULL); 6930a5e8faSwyllys 7030a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 7130a5e8faSwyllys KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t)); 7230a5e8faSwyllys del_num++; 7330a5e8faSwyllys 7430a5e8faSwyllys switch (kstype) { 7599ebb4caSwyllys case KMF_KEYSTORE_NSS: 7630a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, 7730a5e8faSwyllys (void *)&cred, NULL); 7830a5e8faSwyllys if (rv == KMF_OK) { 7930a5e8faSwyllys if (cred.credlen > 0) { 8030a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 8130a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred, 8230a5e8faSwyllys sizeof (KMF_CREDENTIAL)); 8330a5e8faSwyllys del_num++; 8430a5e8faSwyllys } 8530a5e8faSwyllys } 8630a5e8faSwyllys 8730a5e8faSwyllys slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist, 8830a5e8faSwyllys numattr); 8930a5e8faSwyllys if (slotlabel != NULL) { 9030a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 9130a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, slotlabel, 9230a5e8faSwyllys strlen(slotlabel)); 9330a5e8faSwyllys del_num++; 9430a5e8faSwyllys } 9599ebb4caSwyllys break; 9699ebb4caSwyllys case KMF_KEYSTORE_OPENSSL: 9799ebb4caSwyllys break; 9899ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN: 9930a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, 10030a5e8faSwyllys (void *)&cred, NULL); 10130a5e8faSwyllys if (rv == KMF_OK) { 10230a5e8faSwyllys if (cred.credlen > 0) { 10330a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 10430a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred, 10530a5e8faSwyllys sizeof (KMF_CREDENTIAL)); 10630a5e8faSwyllys del_num++; 10730a5e8faSwyllys } 10830a5e8faSwyllys } 10999ebb4caSwyllys break; 11099ebb4caSwyllys default: 11199ebb4caSwyllys return (PK_ERR_USAGE); 11299ebb4caSwyllys } 11399ebb4caSwyllys 11430a5e8faSwyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr); 11530a5e8faSwyllys if (numkeys == NULL) 11630a5e8faSwyllys return (PK_ERR_USAGE); 11730a5e8faSwyllys 11830a5e8faSwyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr); 11930a5e8faSwyllys if (keys == NULL) 12030a5e8faSwyllys return (PK_ERR_USAGE); 12130a5e8faSwyllys 12230a5e8faSwyllys for (i = 0; rv == KMF_OK && i < *numkeys; i++) { 12330a5e8faSwyllys int num = del_num; 12430a5e8faSwyllys 12530a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, num, 12630a5e8faSwyllys KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE)); 12730a5e8faSwyllys num++; 12830a5e8faSwyllys 12930a5e8faSwyllys rv = kmf_delete_key_from_keystore(handle, num, delete_attlist); 13099ebb4caSwyllys } 13199ebb4caSwyllys return (rv); 13299ebb4caSwyllys } 13399ebb4caSwyllys 13499ebb4caSwyllys static KMF_RETURN 13530a5e8faSwyllys pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr, 13630a5e8faSwyllys char *desc, int *keysdeleted) 13799ebb4caSwyllys { 13899ebb4caSwyllys KMF_RETURN rv = KMF_OK; 13999ebb4caSwyllys uint32_t numkeys = 0; 14030a5e8faSwyllys int num = numattr; 14199ebb4caSwyllys 14299ebb4caSwyllys *keysdeleted = 0; 14399ebb4caSwyllys numkeys = 0; 14430a5e8faSwyllys 14530a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 14630a5e8faSwyllys KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t)); 14730a5e8faSwyllys num++; 14830a5e8faSwyllys 14930a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist); 15030a5e8faSwyllys 15199ebb4caSwyllys if (rv == KMF_OK && numkeys > 0) { 15299ebb4caSwyllys KMF_KEY_HANDLE *keys = NULL; 15399ebb4caSwyllys char prompt[1024]; 15499ebb4caSwyllys 15599ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt), 15699ebb4caSwyllys gettext("%d %s key(s) found, do you want " 15799ebb4caSwyllys "to delete them (y/N) ?"), numkeys, 15899ebb4caSwyllys (desc != NULL ? desc : "")); 15999ebb4caSwyllys 16099ebb4caSwyllys if (!yesno(prompt, 16199ebb4caSwyllys gettext("Respond with yes or no.\n"), 16299ebb4caSwyllys B_FALSE)) { 1632cbed729Swyllys *keysdeleted = numkeys; 16499ebb4caSwyllys return (KMF_OK); 16599ebb4caSwyllys } 16699ebb4caSwyllys keys = (KMF_KEY_HANDLE *)malloc(numkeys * 16799ebb4caSwyllys sizeof (KMF_KEY_HANDLE)); 16899ebb4caSwyllys if (keys == NULL) 16999ebb4caSwyllys return (KMF_ERR_MEMORY); 17099ebb4caSwyllys (void) memset(keys, 0, numkeys * 17199ebb4caSwyllys sizeof (KMF_KEY_HANDLE)); 17299ebb4caSwyllys 17330a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 17430a5e8faSwyllys KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE)); 17530a5e8faSwyllys num++; 17630a5e8faSwyllys 17730a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist); 17899ebb4caSwyllys if (rv == KMF_OK) { 17930a5e8faSwyllys rv = pk_destroy_keys(kmfhandle, attlist, num); 18099ebb4caSwyllys } 18199ebb4caSwyllys 18299ebb4caSwyllys free(keys); 18399ebb4caSwyllys } 18499ebb4caSwyllys 18599ebb4caSwyllys *keysdeleted = numkeys; 18699ebb4caSwyllys return (rv); 18799ebb4caSwyllys } 18899ebb4caSwyllys 18999ebb4caSwyllys static KMF_RETURN 19030a5e8faSwyllys pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr) 19199ebb4caSwyllys { 19299ebb4caSwyllys KMF_RETURN rv = KMF_OK; 19399ebb4caSwyllys uint32_t numcerts = 0; 19430a5e8faSwyllys int num = numattr; 19599ebb4caSwyllys 19630a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 19730a5e8faSwyllys KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t)); 19830a5e8faSwyllys num++; 19930a5e8faSwyllys 20030a5e8faSwyllys rv = kmf_find_cert(kmfhandle, num, attlist); 20199ebb4caSwyllys if (rv == KMF_OK && numcerts > 0) { 20299ebb4caSwyllys char prompt[1024]; 20399ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt), 20499ebb4caSwyllys gettext("%d certificate(s) found, do you want " 20599ebb4caSwyllys "to delete them (y/N) ?"), numcerts); 20699ebb4caSwyllys 20799ebb4caSwyllys if (!yesno(prompt, 20899ebb4caSwyllys gettext("Respond with yes or no.\n"), 20999ebb4caSwyllys B_FALSE)) { 21099ebb4caSwyllys return (KMF_OK); 21199ebb4caSwyllys } 21299ebb4caSwyllys 21330a5e8faSwyllys /* 21430a5e8faSwyllys * Use numattr because delete cert does not require 21530a5e8faSwyllys * KMF_COUNT_ATTR attribute. 21630a5e8faSwyllys */ 21730a5e8faSwyllys rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist); 21899ebb4caSwyllys 21999ebb4caSwyllys } 22099ebb4caSwyllys 22199ebb4caSwyllys return (rv); 22299ebb4caSwyllys } 22399ebb4caSwyllys 22499ebb4caSwyllys static KMF_RETURN 22599ebb4caSwyllys delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix, 22699ebb4caSwyllys char *token, int oclass, char *objlabel, 22799ebb4caSwyllys KMF_CREDENTIAL *tokencred) 22899ebb4caSwyllys { 22999ebb4caSwyllys KMF_RETURN rv = KMF_OK; 23099ebb4caSwyllys char *keytype = NULL; 23199ebb4caSwyllys int nk, numkeys = 0; 23230a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 23330a5e8faSwyllys int numattr = 0; 23430a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 23530a5e8faSwyllys KMF_KEY_CLASS keyclass; 23699ebb4caSwyllys 23799ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 23899ebb4caSwyllys if (rv != KMF_OK) 23999ebb4caSwyllys return (rv); 24099ebb4caSwyllys 24130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 24230a5e8faSwyllys &kstype, sizeof (kstype)); 24330a5e8faSwyllys numattr++; 24430a5e8faSwyllys 24530a5e8faSwyllys if (objlabel != NULL) { 24630a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, 24730a5e8faSwyllys objlabel, strlen(objlabel)); 24830a5e8faSwyllys numattr++; 24930a5e8faSwyllys } 25030a5e8faSwyllys 25130a5e8faSwyllys if (tokencred->credlen > 0) { 25230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, 25330a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL)); 25430a5e8faSwyllys numattr++; 25530a5e8faSwyllys } 25630a5e8faSwyllys 25730a5e8faSwyllys if (token && strlen(token)) { 25830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, 25930a5e8faSwyllys token, strlen(token)); 26030a5e8faSwyllys numattr++; 26130a5e8faSwyllys } 26299ebb4caSwyllys 26399ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) { 26430a5e8faSwyllys int num = numattr; 26530a5e8faSwyllys 26630a5e8faSwyllys keyclass = KMF_ASYM_PRI; 26730a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 26830a5e8faSwyllys &keyclass, sizeof (keyclass)); 26930a5e8faSwyllys num++; 27030a5e8faSwyllys 27199ebb4caSwyllys keytype = "private"; 27230a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 27399ebb4caSwyllys numkeys += nk; 274*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 275*64012b18Swyllys oclass != PK_PRIKEY_OBJ) 276*64012b18Swyllys rv = KMF_OK; 27799ebb4caSwyllys } 27899ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 27930a5e8faSwyllys int num = numattr; 28030a5e8faSwyllys 28130a5e8faSwyllys keyclass = KMF_SYMMETRIC; 28230a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 28330a5e8faSwyllys &keyclass, sizeof (keyclass)); 28430a5e8faSwyllys num++; 28530a5e8faSwyllys 28699ebb4caSwyllys keytype = "symmetric"; 28730a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 28899ebb4caSwyllys numkeys += nk; 289*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 290*64012b18Swyllys oclass != PK_SYMKEY_OBJ) 291*64012b18Swyllys rv = KMF_OK; 29299ebb4caSwyllys } 29399ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 29430a5e8faSwyllys int num = numattr; 29530a5e8faSwyllys 29630a5e8faSwyllys keyclass = KMF_ASYM_PUB; 29730a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 29830a5e8faSwyllys &keyclass, sizeof (keyclass)); 29930a5e8faSwyllys num++; 30030a5e8faSwyllys 30199ebb4caSwyllys keytype = "public"; 30230a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 30399ebb4caSwyllys numkeys += nk; 304*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 305*64012b18Swyllys oclass != PK_PUBKEY_OBJ) 306*64012b18Swyllys rv = KMF_OK; 30799ebb4caSwyllys } 30899ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 30999ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 31099ebb4caSwyllys 31199ebb4caSwyllys return (rv); 31299ebb4caSwyllys } 31399ebb4caSwyllys 31499ebb4caSwyllys static KMF_RETURN 31599ebb4caSwyllys delete_nss_certs(KMF_HANDLE_T kmfhandle, 31699ebb4caSwyllys char *dir, char *prefix, 31799ebb4caSwyllys char *token, char *objlabel, 31899ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject, 31999ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag) 32099ebb4caSwyllys { 32199ebb4caSwyllys KMF_RETURN rv = KMF_OK; 32230a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 32330a5e8faSwyllys int numattr = 0; 32430a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 32599ebb4caSwyllys 32699ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 32799ebb4caSwyllys if (rv != KMF_OK) 32899ebb4caSwyllys return (rv); 32999ebb4caSwyllys 33030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 33130a5e8faSwyllys &kstype, sizeof (kstype)); 33230a5e8faSwyllys numattr++; 33399ebb4caSwyllys 33430a5e8faSwyllys if (objlabel != NULL) { 33530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 33630a5e8faSwyllys KMF_CERT_LABEL_ATTR, objlabel, 33730a5e8faSwyllys strlen(objlabel)); 33830a5e8faSwyllys numattr++; 33930a5e8faSwyllys } 34099ebb4caSwyllys 34130a5e8faSwyllys if (issuer != NULL) { 34230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 34330a5e8faSwyllys KMF_ISSUER_NAME_ATTR, issuer, 34430a5e8faSwyllys strlen(issuer)); 34530a5e8faSwyllys numattr++; 34630a5e8faSwyllys } 34730a5e8faSwyllys 34830a5e8faSwyllys if (subject != NULL) { 34930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 35030a5e8faSwyllys KMF_SUBJECT_NAME_ATTR, subject, 35130a5e8faSwyllys strlen(subject)); 35230a5e8faSwyllys numattr++; 35330a5e8faSwyllys } 35430a5e8faSwyllys 35530a5e8faSwyllys if (serno != NULL) { 35630a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 35730a5e8faSwyllys KMF_BIGINT_ATTR, serno, 35830a5e8faSwyllys sizeof (KMF_BIGINT)); 35930a5e8faSwyllys numattr++; 36030a5e8faSwyllys } 36130a5e8faSwyllys 36230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 36330a5e8faSwyllys KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, 36430a5e8faSwyllys sizeof (KMF_CERT_VALIDITY)); 36530a5e8faSwyllys numattr++; 36630a5e8faSwyllys 36730a5e8faSwyllys if (token != NULL) { 36830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 36930a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, token, 37030a5e8faSwyllys strlen(token)); 37130a5e8faSwyllys numattr++; 37230a5e8faSwyllys } 37330a5e8faSwyllys 37430a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr); 37599ebb4caSwyllys 37699ebb4caSwyllys return (rv); 37799ebb4caSwyllys } 37899ebb4caSwyllys 37999ebb4caSwyllys static KMF_RETURN 38099ebb4caSwyllys delete_nss_crl(void *kmfhandle, 38199ebb4caSwyllys char *dir, char *prefix, char *token, 38230a5e8faSwyllys char *issuer, char *subject) 38399ebb4caSwyllys { 38499ebb4caSwyllys KMF_RETURN rv = KMF_OK; 38530a5e8faSwyllys int numattr = 0; 38630a5e8faSwyllys KMF_ATTRIBUTE attrlist[8]; 38730a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 38899ebb4caSwyllys 38999ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 39099ebb4caSwyllys if (rv != KMF_OK) 39199ebb4caSwyllys return (rv); 39299ebb4caSwyllys 39330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 39430a5e8faSwyllys &kstype, sizeof (kstype)); 39530a5e8faSwyllys numattr++; 39699ebb4caSwyllys 39730a5e8faSwyllys if (token != NULL) { 39830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, 39930a5e8faSwyllys token, strlen(token)); 40030a5e8faSwyllys numattr++; 40130a5e8faSwyllys } 40230a5e8faSwyllys if (issuer != NULL) { 40330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 40430a5e8faSwyllys issuer, strlen(issuer)); 40530a5e8faSwyllys numattr++; 40630a5e8faSwyllys } 40730a5e8faSwyllys if (subject != NULL) { 40830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 40930a5e8faSwyllys subject, strlen(subject)); 41030a5e8faSwyllys numattr++; 41130a5e8faSwyllys } 41299ebb4caSwyllys 41330a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist); 41499ebb4caSwyllys 41599ebb4caSwyllys return (rv); 41699ebb4caSwyllys } 41799ebb4caSwyllys 41899ebb4caSwyllys static KMF_RETURN 41999ebb4caSwyllys delete_pk11_keys(KMF_HANDLE_T kmfhandle, 42099ebb4caSwyllys char *token, int oclass, char *objlabel, 42199ebb4caSwyllys KMF_CREDENTIAL *tokencred) 42299ebb4caSwyllys { 42399ebb4caSwyllys KMF_RETURN rv = KMF_OK; 42499ebb4caSwyllys int nk, numkeys = 0; 42530a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 42630a5e8faSwyllys int numattr = 0; 42730a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 42830a5e8faSwyllys KMF_KEY_CLASS keyclass; 42930a5e8faSwyllys boolean_t token_bool = B_TRUE; 43030a5e8faSwyllys boolean_t private; 43199ebb4caSwyllys /* 43299ebb4caSwyllys * Symmetric keys and RSA/DSA private keys are always 43399ebb4caSwyllys * created with the "CKA_PRIVATE" field == TRUE, so 43499ebb4caSwyllys * make sure we search for them with it also set. 43599ebb4caSwyllys */ 43699ebb4caSwyllys if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ)) 43799ebb4caSwyllys oclass |= PK_PRIVATE_OBJ; 43899ebb4caSwyllys 43999ebb4caSwyllys rv = select_token(kmfhandle, token, FALSE); 44099ebb4caSwyllys if (rv != KMF_OK) { 44199ebb4caSwyllys return (rv); 44299ebb4caSwyllys } 44399ebb4caSwyllys 44430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 44530a5e8faSwyllys &kstype, sizeof (kstype)); 44630a5e8faSwyllys numattr++; 44730a5e8faSwyllys 44830a5e8faSwyllys if (objlabel != NULL) { 44930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, 45030a5e8faSwyllys objlabel, strlen(objlabel)); 45130a5e8faSwyllys numattr++; 45230a5e8faSwyllys } 45330a5e8faSwyllys 45430a5e8faSwyllys if (tokencred != NULL && tokencred->credlen > 0) { 45530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, 45630a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL)); 45730a5e8faSwyllys numattr++; 45830a5e8faSwyllys } 45930a5e8faSwyllys 46030a5e8faSwyllys private = ((oclass & PK_PRIVATE_OBJ) > 0); 46130a5e8faSwyllys 46230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, 46330a5e8faSwyllys &private, sizeof (private)); 46430a5e8faSwyllys numattr++; 46530a5e8faSwyllys 46630a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, 46730a5e8faSwyllys &token_bool, sizeof (token_bool)); 46830a5e8faSwyllys numattr++; 46999ebb4caSwyllys 47099ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) { 47130a5e8faSwyllys int num = numattr; 47230a5e8faSwyllys 47330a5e8faSwyllys keyclass = KMF_ASYM_PRI; 47430a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 47530a5e8faSwyllys &keyclass, sizeof (keyclass)); 47630a5e8faSwyllys num++; 47730a5e8faSwyllys 47830a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "private", &nk); 47999ebb4caSwyllys numkeys += nk; 480*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 481*64012b18Swyllys oclass != PK_PRIKEY_OBJ) 482*64012b18Swyllys rv = KMF_OK; 48399ebb4caSwyllys } 48499ebb4caSwyllys 48599ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 48630a5e8faSwyllys int num = numattr; 48730a5e8faSwyllys 48830a5e8faSwyllys keyclass = KMF_SYMMETRIC; 48930a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 49030a5e8faSwyllys &keyclass, sizeof (keyclass)); 49130a5e8faSwyllys num++; 49230a5e8faSwyllys 49330a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "symmetric", &nk); 49499ebb4caSwyllys numkeys += nk; 495*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 496*64012b18Swyllys oclass != PK_SYMKEY_OBJ) 497*64012b18Swyllys rv = KMF_OK; 49899ebb4caSwyllys } 49999ebb4caSwyllys 50099ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 50130a5e8faSwyllys int num = numattr; 50230a5e8faSwyllys 5032cbed729Swyllys private = B_FALSE; 50430a5e8faSwyllys keyclass = KMF_ASYM_PUB; 50530a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 50630a5e8faSwyllys &keyclass, sizeof (keyclass)); 50730a5e8faSwyllys num++; 50830a5e8faSwyllys 50930a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "public", &nk); 51099ebb4caSwyllys numkeys += nk; 511*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 512*64012b18Swyllys oclass != PK_PUBKEY_OBJ) 513*64012b18Swyllys rv = KMF_OK; 51499ebb4caSwyllys } 51599ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 51699ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 51799ebb4caSwyllys 51899ebb4caSwyllys return (rv); 51999ebb4caSwyllys } 52099ebb4caSwyllys 52199ebb4caSwyllys static KMF_RETURN 52299ebb4caSwyllys delete_pk11_certs(KMF_HANDLE_T kmfhandle, 52399ebb4caSwyllys char *token, char *objlabel, 52499ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject, 52599ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag) 52699ebb4caSwyllys { 52799ebb4caSwyllys KMF_RETURN kmfrv; 52830a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 52930a5e8faSwyllys int numattr = 0; 53030a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 53199ebb4caSwyllys 53299ebb4caSwyllys kmfrv = select_token(kmfhandle, token, FALSE); 53399ebb4caSwyllys 53499ebb4caSwyllys if (kmfrv != KMF_OK) { 53599ebb4caSwyllys return (kmfrv); 53699ebb4caSwyllys } 53799ebb4caSwyllys 53830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 53930a5e8faSwyllys &kstype, sizeof (kstype)); 54030a5e8faSwyllys numattr++; 54199ebb4caSwyllys 54230a5e8faSwyllys if (objlabel != NULL) { 54330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, 54430a5e8faSwyllys objlabel, strlen(objlabel)); 54530a5e8faSwyllys numattr++; 54630a5e8faSwyllys } 54730a5e8faSwyllys 54830a5e8faSwyllys if (issuer != NULL) { 54930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 55030a5e8faSwyllys issuer, strlen(issuer)); 55130a5e8faSwyllys numattr++; 55230a5e8faSwyllys } 55330a5e8faSwyllys 55430a5e8faSwyllys if (subject != NULL) { 55530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 55630a5e8faSwyllys subject, strlen(subject)); 55730a5e8faSwyllys numattr++; 55830a5e8faSwyllys } 55930a5e8faSwyllys 56030a5e8faSwyllys if (serno != NULL) { 56130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, 56230a5e8faSwyllys serno, sizeof (KMF_BIGINT)); 56330a5e8faSwyllys numattr++; 56430a5e8faSwyllys } 56530a5e8faSwyllys 56630a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, 56730a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); 56830a5e8faSwyllys numattr++; 56930a5e8faSwyllys 57030a5e8faSwyllys kmfrv = pk_delete_certs(kmfhandle, attrlist, numattr); 57199ebb4caSwyllys 57299ebb4caSwyllys return (kmfrv); 57399ebb4caSwyllys } 57499ebb4caSwyllys 57599ebb4caSwyllys static KMF_RETURN 57699ebb4caSwyllys delete_file_certs(KMF_HANDLE_T kmfhandle, 57799ebb4caSwyllys char *dir, char *filename, KMF_BIGINT *serial, char *issuer, 57899ebb4caSwyllys char *subject, KMF_CERT_VALIDITY find_criteria_flag) 57999ebb4caSwyllys { 58099ebb4caSwyllys KMF_RETURN rv; 58130a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 58230a5e8faSwyllys int numattr = 0; 58330a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 58499ebb4caSwyllys 58530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 58630a5e8faSwyllys &kstype, sizeof (kstype)); 58730a5e8faSwyllys numattr++; 58899ebb4caSwyllys 58930a5e8faSwyllys if (issuer != NULL) { 59030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 59130a5e8faSwyllys issuer, strlen(issuer)); 59230a5e8faSwyllys numattr++; 59330a5e8faSwyllys } 59499ebb4caSwyllys 59530a5e8faSwyllys if (subject != NULL) { 59630a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 59730a5e8faSwyllys subject, strlen(subject)); 59830a5e8faSwyllys numattr++; 59930a5e8faSwyllys } 60030a5e8faSwyllys 60130a5e8faSwyllys if (serial != NULL) { 60230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, 60330a5e8faSwyllys serial, sizeof (KMF_BIGINT)); 60430a5e8faSwyllys numattr++; 60530a5e8faSwyllys } 60630a5e8faSwyllys 60730a5e8faSwyllys if (dir != NULL) { 60830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, 60930a5e8faSwyllys dir, strlen(dir)); 61030a5e8faSwyllys numattr++; 61130a5e8faSwyllys } 61230a5e8faSwyllys 61330a5e8faSwyllys if (filename != NULL) { 61430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, 61530a5e8faSwyllys filename, strlen(filename)); 61630a5e8faSwyllys numattr++; 61730a5e8faSwyllys } 61830a5e8faSwyllys 61930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, 62030a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); 62130a5e8faSwyllys numattr++; 62230a5e8faSwyllys 62330a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr); 62499ebb4caSwyllys 62599ebb4caSwyllys return (rv); 62699ebb4caSwyllys } 62799ebb4caSwyllys 62899ebb4caSwyllys static KMF_RETURN 62999ebb4caSwyllys delete_file_keys(KMF_HANDLE_T kmfhandle, int oclass, 63099ebb4caSwyllys char *dir, char *infile) 63199ebb4caSwyllys { 63299ebb4caSwyllys KMF_RETURN rv = KMF_OK; 63399ebb4caSwyllys char *keytype = ""; 63499ebb4caSwyllys int nk, numkeys = 0; 63530a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 63630a5e8faSwyllys int numattr = 0; 63730a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 63830a5e8faSwyllys KMF_KEY_CLASS keyclass; 63999ebb4caSwyllys 64030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 64130a5e8faSwyllys &kstype, sizeof (kstype)); 64230a5e8faSwyllys numattr++; 64330a5e8faSwyllys 64430a5e8faSwyllys if (dir != NULL) { 64530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, 64630a5e8faSwyllys dir, strlen(dir)); 64730a5e8faSwyllys numattr++; 64830a5e8faSwyllys } 64930a5e8faSwyllys 65030a5e8faSwyllys if (infile != NULL) { 65130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, 65230a5e8faSwyllys infile, strlen(infile)); 65330a5e8faSwyllys numattr++; 65430a5e8faSwyllys } 65599ebb4caSwyllys 65699ebb4caSwyllys if (oclass & (PK_PUBKEY_OBJ | PK_PRIKEY_OBJ)) { 65730a5e8faSwyllys int num = numattr; 65830a5e8faSwyllys 65930a5e8faSwyllys keyclass = KMF_ASYM_PRI; 66030a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 66130a5e8faSwyllys &keyclass, sizeof (keyclass)); 66230a5e8faSwyllys num++; 66330a5e8faSwyllys 66499ebb4caSwyllys keytype = "Asymmetric"; 66530a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 66699ebb4caSwyllys numkeys += nk; 66799ebb4caSwyllys } 668*64012b18Swyllys if (oclass & PK_SYMKEY_OBJ) { 66930a5e8faSwyllys int num = numattr; 67030a5e8faSwyllys 67130a5e8faSwyllys keyclass = KMF_SYMMETRIC; 67230a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 67330a5e8faSwyllys &keyclass, sizeof (keyclass)); 67430a5e8faSwyllys num++; 67530a5e8faSwyllys 67699ebb4caSwyllys keytype = "symmetric"; 67730a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 67899ebb4caSwyllys numkeys += nk; 679*64012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && numkeys > 0) 680*64012b18Swyllys rv = KMF_OK; 68199ebb4caSwyllys } 68299ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 68399ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 68499ebb4caSwyllys 68599ebb4caSwyllys return (rv); 68699ebb4caSwyllys } 68799ebb4caSwyllys 68899ebb4caSwyllys static KMF_RETURN 689448b8615Swyllys delete_file_crl(void *kmfhandle, char *filename) 69099ebb4caSwyllys { 69199ebb4caSwyllys KMF_RETURN rv; 69230a5e8faSwyllys int numattr = 0; 69330a5e8faSwyllys KMF_ATTRIBUTE attrlist[4]; 69430a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 69599ebb4caSwyllys 696448b8615Swyllys if (filename == NULL || strlen(filename) == 0) 697448b8615Swyllys return (KMF_ERR_BAD_PARAMETER); 698448b8615Swyllys 69930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 70030a5e8faSwyllys &kstype, sizeof (kstype)); 70130a5e8faSwyllys numattr++; 70299ebb4caSwyllys 70330a5e8faSwyllys if (filename) { 70430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR, 70530a5e8faSwyllys filename, strlen(filename)); 70630a5e8faSwyllys numattr++; 70730a5e8faSwyllys } 70899ebb4caSwyllys 70930a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist); 71099ebb4caSwyllys 71199ebb4caSwyllys return (rv); 71299ebb4caSwyllys } 7137711facfSdinak 7147711facfSdinak /* 7157711facfSdinak * Delete token objects. 7167711facfSdinak */ 7177711facfSdinak int 7187711facfSdinak pk_delete(int argc, char *argv[]) 7197711facfSdinak { 7207711facfSdinak int opt; 72149e21299Sdinak extern int optind_av; 72249e21299Sdinak extern char *optarg_av; 72349e21299Sdinak char *token_spec = NULL; 72499ebb4caSwyllys char *subject = NULL; 72599ebb4caSwyllys char *issuer = NULL; 72699ebb4caSwyllys char *dir = NULL; 72799ebb4caSwyllys char *prefix = NULL; 72899ebb4caSwyllys char *infile = NULL; 72999ebb4caSwyllys char *object_label = NULL; 73099ebb4caSwyllys char *serstr = NULL; 7317711facfSdinak 73299ebb4caSwyllys int oclass = 0; 73399ebb4caSwyllys KMF_BIGINT serial = { NULL, 0 }; 73499ebb4caSwyllys KMF_HANDLE_T kmfhandle = NULL; 73599ebb4caSwyllys KMF_KEYSTORE_TYPE kstype = 0; 736*64012b18Swyllys KMF_RETURN kmfrv, keyrv, certrv, crlrv; 73799ebb4caSwyllys int rv = 0; 73899ebb4caSwyllys char *find_criteria = NULL; 73999ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS; 74099ebb4caSwyllys KMF_CREDENTIAL tokencred = {NULL, 0}; 7417711facfSdinak 7427711facfSdinak /* Parse command line options. Do NOT i18n/l10n. */ 74349e21299Sdinak while ((opt = getopt_av(argc, argv, 74499ebb4caSwyllys "T:(token)y:(objtype)l:(label)" 74599ebb4caSwyllys "k:(keystore)s:(subject)n:(nickname)" 74699ebb4caSwyllys "d:(dir)p:(prefix)S:(serial)i:(issuer)" 74799ebb4caSwyllys "c:(criteria)" 74899ebb4caSwyllys "f:(infile)")) != EOF) { 74999ebb4caSwyllys 75099ebb4caSwyllys if (EMPTYSTRING(optarg_av)) 75199ebb4caSwyllys return (PK_ERR_USAGE); 7527711facfSdinak switch (opt) { 75349e21299Sdinak case 'T': /* token specifier */ 75449e21299Sdinak if (token_spec) 75549e21299Sdinak return (PK_ERR_USAGE); 75649e21299Sdinak token_spec = optarg_av; 7577711facfSdinak break; 75849e21299Sdinak case 'y': /* object type: public, private, both */ 75999ebb4caSwyllys if (oclass) 76049e21299Sdinak return (PK_ERR_USAGE); 76199ebb4caSwyllys oclass = OT2Int(optarg_av); 76299ebb4caSwyllys if (oclass == -1) 76399ebb4caSwyllys return (PK_ERR_USAGE); 7647711facfSdinak break; 7657711facfSdinak case 'l': /* objects with specific label */ 76699ebb4caSwyllys case 'n': 7677711facfSdinak if (object_label) 7687711facfSdinak return (PK_ERR_USAGE); 76999ebb4caSwyllys object_label = (char *)optarg_av; 77099ebb4caSwyllys break; 77199ebb4caSwyllys case 'k': 77299ebb4caSwyllys kstype = KS2Int(optarg_av); 77399ebb4caSwyllys if (kstype == 0) 77499ebb4caSwyllys return (PK_ERR_USAGE); 77599ebb4caSwyllys break; 77699ebb4caSwyllys case 's': 77799ebb4caSwyllys subject = optarg_av; 77899ebb4caSwyllys break; 77999ebb4caSwyllys case 'i': 78099ebb4caSwyllys issuer = optarg_av; 78199ebb4caSwyllys break; 78299ebb4caSwyllys case 'd': 78399ebb4caSwyllys dir = optarg_av; 78499ebb4caSwyllys break; 78599ebb4caSwyllys case 'p': 78699ebb4caSwyllys prefix = optarg_av; 78799ebb4caSwyllys break; 78899ebb4caSwyllys case 'S': 78999ebb4caSwyllys serstr = optarg_av; 79099ebb4caSwyllys break; 79199ebb4caSwyllys case 'f': 79299ebb4caSwyllys infile = optarg_av; 79399ebb4caSwyllys break; 79499ebb4caSwyllys case 'c': 79599ebb4caSwyllys find_criteria = optarg_av; 79699ebb4caSwyllys if (!strcasecmp(find_criteria, "valid")) 79799ebb4caSwyllys find_criteria_flag = 79899ebb4caSwyllys KMF_NONEXPIRED_CERTS; 79999ebb4caSwyllys else if (!strcasecmp(find_criteria, "expired")) 80099ebb4caSwyllys find_criteria_flag = KMF_EXPIRED_CERTS; 80199ebb4caSwyllys else if (!strcasecmp(find_criteria, "both")) 80299ebb4caSwyllys find_criteria_flag = KMF_ALL_CERTS; 80399ebb4caSwyllys else 80499ebb4caSwyllys return (PK_ERR_USAGE); 8057711facfSdinak break; 8067711facfSdinak default: 8077711facfSdinak return (PK_ERR_USAGE); 8087711facfSdinak break; 8097711facfSdinak } 8107711facfSdinak } 8117711facfSdinak 81299ebb4caSwyllys /* Assume keystore = PKCS#11 if not specified */ 81399ebb4caSwyllys if (kstype == 0) 81499ebb4caSwyllys kstype = KMF_KEYSTORE_PK11TOKEN; 81599ebb4caSwyllys 81699ebb4caSwyllys /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ 81799ebb4caSwyllys if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && 81899ebb4caSwyllys kstype != KMF_KEYSTORE_PK11TOKEN) { 81999ebb4caSwyllys 82099ebb4caSwyllys (void) fprintf(stderr, gettext("The objtype parameter " 82199ebb4caSwyllys "is only relevant if keystore=pkcs11\n")); 82249e21299Sdinak return (PK_ERR_USAGE); 82349e21299Sdinak } 82449e21299Sdinak 8257711facfSdinak 8267711facfSdinak /* No additional args allowed. */ 82749e21299Sdinak argc -= optind_av; 82849e21299Sdinak argv += optind_av; 8297711facfSdinak if (argc) 8307711facfSdinak return (PK_ERR_USAGE); 8317711facfSdinak /* Done parsing command line options. */ 8327711facfSdinak 833577f4726Swyllys DIR_OPTION_CHECK(kstype, dir); 834577f4726Swyllys 83599ebb4caSwyllys if (kstype == KMF_KEYSTORE_PK11TOKEN && token_spec == NULL) { 83699ebb4caSwyllys token_spec = PK_DEFAULT_PK11TOKEN; 83799ebb4caSwyllys } else if (kstype == KMF_KEYSTORE_NSS && token_spec == NULL) { 83899ebb4caSwyllys token_spec = DEFAULT_NSS_TOKEN; 8397711facfSdinak } 8407711facfSdinak 84199ebb4caSwyllys if (serstr != NULL) { 84299ebb4caSwyllys uchar_t *bytes = NULL; 84399ebb4caSwyllys size_t bytelen; 84499ebb4caSwyllys 84530a5e8faSwyllys rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); 84699ebb4caSwyllys if (rv != KMF_OK || bytes == NULL) { 84799ebb4caSwyllys (void) fprintf(stderr, gettext("serial number " 84899ebb4caSwyllys "must be specified as a hex number " 84999ebb4caSwyllys "(ex: 0x0102030405ffeeddee)\n")); 85099ebb4caSwyllys return (PK_ERR_USAGE); 85199ebb4caSwyllys } 85299ebb4caSwyllys serial.val = bytes; 85399ebb4caSwyllys serial.len = bytelen; 8542cbed729Swyllys /* If serial number was given, it must be a cert search */ 8552cbed729Swyllys if (oclass == 0) 8562cbed729Swyllys oclass = PK_CERT_OBJ; 8577711facfSdinak } 8582cbed729Swyllys /* 8592cbed729Swyllys * If no object type was given but subject or issuer was, 8602cbed729Swyllys * it must be a certificate we are looking to delete. 8612cbed729Swyllys */ 8622cbed729Swyllys if ((issuer != NULL || subject != NULL) && oclass == 0) 8632cbed729Swyllys oclass = PK_CERT_OBJ; 8642cbed729Swyllys /* If no object class specified, delete everything but CRLs */ 8652cbed729Swyllys if (oclass == 0) 8662cbed729Swyllys oclass = PK_CERT_OBJ | PK_KEY_OBJ; 8677711facfSdinak 86899ebb4caSwyllys if ((kstype == KMF_KEYSTORE_PK11TOKEN || 86999ebb4caSwyllys kstype == KMF_KEYSTORE_NSS) && 87099ebb4caSwyllys (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) { 87199ebb4caSwyllys 87299ebb4caSwyllys (void) get_token_password(kstype, token_spec, 87399ebb4caSwyllys &tokencred); 8747711facfSdinak } 8757711facfSdinak 87630a5e8faSwyllys if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) 87799ebb4caSwyllys return (kmfrv); 8787711facfSdinak 879*64012b18Swyllys keyrv = certrv = crlrv = KMF_OK; 88099ebb4caSwyllys switch (kstype) { 88199ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN: 88299ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 883*64012b18Swyllys keyrv = delete_pk11_keys(kmfhandle, 88499ebb4caSwyllys token_spec, oclass, 88530a5e8faSwyllys object_label, &tokencred); 8867711facfSdinak /* 88799ebb4caSwyllys * If deleting groups of objects, it is OK 88899ebb4caSwyllys * to ignore the "key not found" case so that 88999ebb4caSwyllys * we can continue to find other objects. 8907711facfSdinak */ 891*64012b18Swyllys if (keyrv != KMF_OK && 892*64012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND) 89399ebb4caSwyllys break; 8947711facfSdinak } 89599ebb4caSwyllys if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { 896*64012b18Swyllys certrv = delete_pk11_certs(kmfhandle, 89730a5e8faSwyllys token_spec, object_label, 89899ebb4caSwyllys &serial, issuer, 89999ebb4caSwyllys subject, find_criteria_flag); 90099ebb4caSwyllys /* 90199ebb4caSwyllys * If cert delete failed, but we are looking at 90299ebb4caSwyllys * other objects, then it is OK. 90399ebb4caSwyllys */ 904*64012b18Swyllys if (certrv != KMF_OK && 905*64012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND) 90699ebb4caSwyllys break; 9077711facfSdinak } 90899ebb4caSwyllys if (oclass & PK_CRL_OBJ) 909*64012b18Swyllys crlrv = delete_file_crl(kmfhandle, 910448b8615Swyllys infile); 91199ebb4caSwyllys break; 91299ebb4caSwyllys case KMF_KEYSTORE_NSS: 913*64012b18Swyllys keyrv = certrv = crlrv = KMF_OK; 91499ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 915*64012b18Swyllys keyrv = delete_nss_keys(kmfhandle, 91699ebb4caSwyllys dir, prefix, token_spec, 91799ebb4caSwyllys oclass, (char *)object_label, 91899ebb4caSwyllys &tokencred); 919*64012b18Swyllys if (keyrv != KMF_OK && 920*64012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND) 92199ebb4caSwyllys break; 92299ebb4caSwyllys } 92399ebb4caSwyllys if (oclass & PK_CERT_OBJ) { 924*64012b18Swyllys certrv = delete_nss_certs(kmfhandle, 92599ebb4caSwyllys dir, prefix, token_spec, 92699ebb4caSwyllys (char *)object_label, 92799ebb4caSwyllys &serial, issuer, subject, 92899ebb4caSwyllys find_criteria_flag); 929*64012b18Swyllys if (certrv != KMF_OK && 930*64012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND) 93199ebb4caSwyllys break; 93299ebb4caSwyllys } 93399ebb4caSwyllys if (oclass & PK_CRL_OBJ) 934*64012b18Swyllys crlrv = delete_nss_crl(kmfhandle, 93599ebb4caSwyllys dir, prefix, token_spec, 93699ebb4caSwyllys (char *)object_label, subject); 93799ebb4caSwyllys break; 93899ebb4caSwyllys case KMF_KEYSTORE_OPENSSL: 93999ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 940*64012b18Swyllys keyrv = delete_file_keys(kmfhandle, oclass, 94199ebb4caSwyllys dir, infile); 942*64012b18Swyllys if (keyrv != KMF_OK) 94399ebb4caSwyllys break; 94499ebb4caSwyllys } 94599ebb4caSwyllys if (oclass & (PK_CERT_OBJ)) { 946*64012b18Swyllys certrv = delete_file_certs(kmfhandle, 94799ebb4caSwyllys dir, infile, &serial, issuer, 94899ebb4caSwyllys subject, find_criteria_flag); 949*64012b18Swyllys if (certrv != KMF_OK) 95099ebb4caSwyllys break; 95199ebb4caSwyllys } 95299ebb4caSwyllys if (oclass & PK_CRL_OBJ) 953*64012b18Swyllys crlrv = delete_file_crl(kmfhandle, 954448b8615Swyllys infile); 95599ebb4caSwyllys break; 95699ebb4caSwyllys default: 95799ebb4caSwyllys rv = PK_ERR_USAGE; 95899ebb4caSwyllys break; 9597711facfSdinak } 9607711facfSdinak 961*64012b18Swyllys /* 962*64012b18Swyllys * Logic here: 963*64012b18Swyllys * If searching for more than just one class of object (key or cert) 964*64012b18Swyllys * and only 1 of the classes was not found, it is not an error. 965*64012b18Swyllys * If searching for just one class of object, that failure should 966*64012b18Swyllys * be reported. 967*64012b18Swyllys * 968*64012b18Swyllys * Any error other than "KMF_ERR_[key/cert]_NOT_FOUND" should 969*64012b18Swyllys * be reported either way. 970*64012b18Swyllys */ 971*64012b18Swyllys if (keyrv != KMF_ERR_KEY_NOT_FOUND && keyrv != KMF_OK) 972*64012b18Swyllys kmfrv = keyrv; 973*64012b18Swyllys else if (certrv != KMF_OK && certrv != KMF_ERR_CERT_NOT_FOUND) 974*64012b18Swyllys kmfrv = certrv; 975*64012b18Swyllys else if (crlrv != KMF_OK && crlrv != KMF_ERR_CRL_NOT_FOUND) 976*64012b18Swyllys kmfrv = crlrv; 977*64012b18Swyllys 978*64012b18Swyllys /* 979*64012b18Swyllys * If nothing was found, return error. 980*64012b18Swyllys */ 981*64012b18Swyllys if ((keyrv == KMF_ERR_KEY_NOT_FOUND && (oclass & PK_KEY_OBJ)) && 982*64012b18Swyllys (certrv == KMF_ERR_CERT_NOT_FOUND && (oclass & PK_CERT_OBJ))) 983*64012b18Swyllys kmfrv = KMF_ERR_KEY_NOT_FOUND; 984*64012b18Swyllys 985*64012b18Swyllys if (kmfrv != KMF_OK) 986*64012b18Swyllys goto out; 987*64012b18Swyllys 988*64012b18Swyllys if (keyrv != KMF_OK && (oclass == PK_KEY_OBJ)) 989*64012b18Swyllys kmfrv = keyrv; 990*64012b18Swyllys else if (certrv != KMF_OK && (oclass == PK_CERT_OBJ)) 991*64012b18Swyllys kmfrv = certrv; 992*64012b18Swyllys else if (crlrv != KMF_OK && (oclass == PK_CRL_OBJ)) 993*64012b18Swyllys kmfrv = crlrv; 994*64012b18Swyllys 995*64012b18Swyllys out: 99699ebb4caSwyllys if (kmfrv != KMF_OK) { 99799ebb4caSwyllys display_error(kmfhandle, kmfrv, 99899ebb4caSwyllys gettext("Error deleting objects")); 9997711facfSdinak } 10007711facfSdinak 100199ebb4caSwyllys if (serial.val != NULL) 100299ebb4caSwyllys free(serial.val); 100330a5e8faSwyllys (void) kmf_finalize(kmfhandle); 100499ebb4caSwyllys return (kmfrv); 10057711facfSdinak } 1006