17711facfSdinak /* 27711facfSdinak * CDDL HEADER START 37711facfSdinak * 47711facfSdinak * The contents of this file are subject to the terms of the 599ebb4caSwyllys * Common Development and Distribution License (the "License"). 699ebb4caSwyllys * You may not use this file except in compliance with the License. 77711facfSdinak * 87711facfSdinak * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97711facfSdinak * or http://www.opensolaris.org/os/licensing. 107711facfSdinak * See the License for the specific language governing permissions 117711facfSdinak * and limitations under the License. 127711facfSdinak * 137711facfSdinak * When distributing Covered Code, include this CDDL HEADER in each 147711facfSdinak * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157711facfSdinak * If applicable, add the following below this CDDL HEADER, with the 167711facfSdinak * fields enclosed by brackets "[]" replaced with your own identifying 177711facfSdinak * information: Portions Copyright [yyyy] [name of copyright owner] 187711facfSdinak * 197711facfSdinak * CDDL HEADER END 207711facfSdinak */ 217711facfSdinak /* 22448b8615Swyllys * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 237711facfSdinak * Use is subject to license terms. 24*33f5ff17SMilan Jurik * Copyright 2012 Milan Jurik. All rights reserved. 257711facfSdinak */ 267711facfSdinak 277711facfSdinak /* 287711facfSdinak * This file implements the token object delete operation for this tool. 297711facfSdinak * It loads the PKCS#11 modules, finds the object to delete, deletes it, 307711facfSdinak * and cleans up. User must be R/W logged into the token. 317711facfSdinak */ 327711facfSdinak 337711facfSdinak #include <stdio.h> 347711facfSdinak #include <string.h> 357711facfSdinak #include <cryptoutil.h> 367711facfSdinak #include <security/cryptoki.h> 377711facfSdinak #include "common.h" 3899ebb4caSwyllys #include <kmfapi.h> 3999ebb4caSwyllys 4099ebb4caSwyllys static KMF_RETURN 4130a5e8faSwyllys pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr) 4299ebb4caSwyllys { 4399ebb4caSwyllys int i; 4499ebb4caSwyllys KMF_RETURN rv = KMF_OK; 4530a5e8faSwyllys uint32_t *numkeys; 4630a5e8faSwyllys KMF_KEY_HANDLE *keys = NULL; 4730a5e8faSwyllys int del_num = 0; 4830a5e8faSwyllys KMF_ATTRIBUTE delete_attlist[16]; 4930a5e8faSwyllys KMF_KEYSTORE_TYPE kstype; 5030a5e8faSwyllys uint32_t len; 5130a5e8faSwyllys boolean_t destroy = B_TRUE; 5230a5e8faSwyllys KMF_CREDENTIAL cred; 5330a5e8faSwyllys char *slotlabel = NULL; 5499ebb4caSwyllys 5530a5e8faSwyllys len = sizeof (kstype); 5630a5e8faSwyllys rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr, 5730a5e8faSwyllys &kstype, &len); 5830a5e8faSwyllys if (rv != KMF_OK) 5930a5e8faSwyllys return (rv); 6099ebb4caSwyllys 6130a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 6230a5e8faSwyllys KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); 6330a5e8faSwyllys del_num++; 6430a5e8faSwyllys 6530a5e8faSwyllys /* "destroy" is optional. Default is TRUE */ 6630a5e8faSwyllys (void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr, 6730a5e8faSwyllys (void *)&destroy, NULL); 6830a5e8faSwyllys 6930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 7030a5e8faSwyllys KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t)); 7130a5e8faSwyllys del_num++; 7230a5e8faSwyllys 7330a5e8faSwyllys switch (kstype) { 7499ebb4caSwyllys case KMF_KEYSTORE_NSS: 7530a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, 7630a5e8faSwyllys (void *)&cred, NULL); 7730a5e8faSwyllys if (rv == KMF_OK) { 7830a5e8faSwyllys if (cred.credlen > 0) { 7930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 8030a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred, 8130a5e8faSwyllys sizeof (KMF_CREDENTIAL)); 8230a5e8faSwyllys del_num++; 8330a5e8faSwyllys } 8430a5e8faSwyllys } 8530a5e8faSwyllys 8630a5e8faSwyllys slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist, 8730a5e8faSwyllys numattr); 8830a5e8faSwyllys if (slotlabel != NULL) { 8930a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 9030a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, slotlabel, 9130a5e8faSwyllys strlen(slotlabel)); 9230a5e8faSwyllys del_num++; 9330a5e8faSwyllys } 9499ebb4caSwyllys break; 9599ebb4caSwyllys case KMF_KEYSTORE_OPENSSL: 9699ebb4caSwyllys break; 9799ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN: 9830a5e8faSwyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr, 9930a5e8faSwyllys (void *)&cred, NULL); 10030a5e8faSwyllys if (rv == KMF_OK) { 10130a5e8faSwyllys if (cred.credlen > 0) { 10230a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, del_num, 10330a5e8faSwyllys KMF_CREDENTIAL_ATTR, &cred, 10430a5e8faSwyllys sizeof (KMF_CREDENTIAL)); 10530a5e8faSwyllys del_num++; 10630a5e8faSwyllys } 10730a5e8faSwyllys } 10899ebb4caSwyllys break; 10999ebb4caSwyllys default: 11099ebb4caSwyllys return (PK_ERR_USAGE); 11199ebb4caSwyllys } 11299ebb4caSwyllys 11330a5e8faSwyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr); 11430a5e8faSwyllys if (numkeys == NULL) 11530a5e8faSwyllys return (PK_ERR_USAGE); 11630a5e8faSwyllys 11730a5e8faSwyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr); 11830a5e8faSwyllys if (keys == NULL) 11930a5e8faSwyllys return (PK_ERR_USAGE); 12030a5e8faSwyllys 12130a5e8faSwyllys for (i = 0; rv == KMF_OK && i < *numkeys; i++) { 12230a5e8faSwyllys int num = del_num; 12330a5e8faSwyllys 12430a5e8faSwyllys kmf_set_attr_at_index(delete_attlist, num, 12530a5e8faSwyllys KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE)); 12630a5e8faSwyllys num++; 12730a5e8faSwyllys 12830a5e8faSwyllys rv = kmf_delete_key_from_keystore(handle, num, delete_attlist); 12999ebb4caSwyllys } 13099ebb4caSwyllys return (rv); 13199ebb4caSwyllys } 13299ebb4caSwyllys 13399ebb4caSwyllys static KMF_RETURN 13430a5e8faSwyllys pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr, 13530a5e8faSwyllys char *desc, int *keysdeleted) 13699ebb4caSwyllys { 13799ebb4caSwyllys KMF_RETURN rv = KMF_OK; 13899ebb4caSwyllys uint32_t numkeys = 0; 13930a5e8faSwyllys int num = numattr; 14099ebb4caSwyllys 14199ebb4caSwyllys *keysdeleted = 0; 14299ebb4caSwyllys numkeys = 0; 14330a5e8faSwyllys 14430a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 14530a5e8faSwyllys KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t)); 14630a5e8faSwyllys num++; 14730a5e8faSwyllys 14830a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist); 14930a5e8faSwyllys 15099ebb4caSwyllys if (rv == KMF_OK && numkeys > 0) { 15199ebb4caSwyllys KMF_KEY_HANDLE *keys = NULL; 15299ebb4caSwyllys char prompt[1024]; 15399ebb4caSwyllys 15499ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt), 15599ebb4caSwyllys gettext("%d %s key(s) found, do you want " 15699ebb4caSwyllys "to delete them (y/N) ?"), numkeys, 15799ebb4caSwyllys (desc != NULL ? desc : "")); 15899ebb4caSwyllys 15999ebb4caSwyllys if (!yesno(prompt, 16099ebb4caSwyllys gettext("Respond with yes or no.\n"), 16199ebb4caSwyllys B_FALSE)) { 1622cbed729Swyllys *keysdeleted = numkeys; 16399ebb4caSwyllys return (KMF_OK); 16499ebb4caSwyllys } 16599ebb4caSwyllys keys = (KMF_KEY_HANDLE *)malloc(numkeys * 16699ebb4caSwyllys sizeof (KMF_KEY_HANDLE)); 16799ebb4caSwyllys if (keys == NULL) 16899ebb4caSwyllys return (KMF_ERR_MEMORY); 16999ebb4caSwyllys (void) memset(keys, 0, numkeys * 17099ebb4caSwyllys sizeof (KMF_KEY_HANDLE)); 17199ebb4caSwyllys 17230a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 17330a5e8faSwyllys KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE)); 17430a5e8faSwyllys num++; 17530a5e8faSwyllys 17630a5e8faSwyllys rv = kmf_find_key(kmfhandle, num, attlist); 17799ebb4caSwyllys if (rv == KMF_OK) { 17830a5e8faSwyllys rv = pk_destroy_keys(kmfhandle, attlist, num); 17999ebb4caSwyllys } 18099ebb4caSwyllys 18199ebb4caSwyllys free(keys); 18299ebb4caSwyllys } 18399ebb4caSwyllys 18499ebb4caSwyllys *keysdeleted = numkeys; 18599ebb4caSwyllys return (rv); 18699ebb4caSwyllys } 18799ebb4caSwyllys 18899ebb4caSwyllys static KMF_RETURN 18930a5e8faSwyllys pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr) 19099ebb4caSwyllys { 19199ebb4caSwyllys KMF_RETURN rv = KMF_OK; 19299ebb4caSwyllys uint32_t numcerts = 0; 19330a5e8faSwyllys int num = numattr; 19499ebb4caSwyllys 19530a5e8faSwyllys kmf_set_attr_at_index(attlist, num, 19630a5e8faSwyllys KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t)); 19730a5e8faSwyllys num++; 19830a5e8faSwyllys 19930a5e8faSwyllys rv = kmf_find_cert(kmfhandle, num, attlist); 20099ebb4caSwyllys if (rv == KMF_OK && numcerts > 0) { 20199ebb4caSwyllys char prompt[1024]; 20299ebb4caSwyllys (void) snprintf(prompt, sizeof (prompt), 20399ebb4caSwyllys gettext("%d certificate(s) found, do you want " 20499ebb4caSwyllys "to delete them (y/N) ?"), numcerts); 20599ebb4caSwyllys 20699ebb4caSwyllys if (!yesno(prompt, 20799ebb4caSwyllys gettext("Respond with yes or no.\n"), 20899ebb4caSwyllys B_FALSE)) { 20999ebb4caSwyllys return (KMF_OK); 21099ebb4caSwyllys } 21199ebb4caSwyllys 21230a5e8faSwyllys /* 21330a5e8faSwyllys * Use numattr because delete cert does not require 21430a5e8faSwyllys * KMF_COUNT_ATTR attribute. 21530a5e8faSwyllys */ 21630a5e8faSwyllys rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist); 21799ebb4caSwyllys 21899ebb4caSwyllys } 21999ebb4caSwyllys 22099ebb4caSwyllys return (rv); 22199ebb4caSwyllys } 22299ebb4caSwyllys 22399ebb4caSwyllys static KMF_RETURN 22499ebb4caSwyllys delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix, 22599ebb4caSwyllys char *token, int oclass, char *objlabel, 22699ebb4caSwyllys KMF_CREDENTIAL *tokencred) 22799ebb4caSwyllys { 22899ebb4caSwyllys KMF_RETURN rv = KMF_OK; 22999ebb4caSwyllys char *keytype = NULL; 23099ebb4caSwyllys int nk, numkeys = 0; 23130a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 23230a5e8faSwyllys int numattr = 0; 23330a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 23430a5e8faSwyllys KMF_KEY_CLASS keyclass; 23599ebb4caSwyllys 23699ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 23799ebb4caSwyllys if (rv != KMF_OK) 23899ebb4caSwyllys return (rv); 23999ebb4caSwyllys 24030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 24130a5e8faSwyllys &kstype, sizeof (kstype)); 24230a5e8faSwyllys numattr++; 24330a5e8faSwyllys 24430a5e8faSwyllys if (objlabel != NULL) { 24530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, 24630a5e8faSwyllys objlabel, strlen(objlabel)); 24730a5e8faSwyllys numattr++; 24830a5e8faSwyllys } 24930a5e8faSwyllys 25030a5e8faSwyllys if (tokencred->credlen > 0) { 25130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, 25230a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL)); 25330a5e8faSwyllys numattr++; 25430a5e8faSwyllys } 25530a5e8faSwyllys 25630a5e8faSwyllys if (token && strlen(token)) { 25730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, 25830a5e8faSwyllys token, strlen(token)); 25930a5e8faSwyllys numattr++; 26030a5e8faSwyllys } 26199ebb4caSwyllys 26299ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) { 26330a5e8faSwyllys int num = numattr; 26430a5e8faSwyllys 26530a5e8faSwyllys keyclass = KMF_ASYM_PRI; 26630a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 26730a5e8faSwyllys &keyclass, sizeof (keyclass)); 26830a5e8faSwyllys num++; 26930a5e8faSwyllys 27099ebb4caSwyllys keytype = "private"; 27130a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 27299ebb4caSwyllys numkeys += nk; 27364012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 27464012b18Swyllys oclass != PK_PRIKEY_OBJ) 27564012b18Swyllys rv = KMF_OK; 27699ebb4caSwyllys } 27799ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 27830a5e8faSwyllys int num = numattr; 27930a5e8faSwyllys 28030a5e8faSwyllys keyclass = KMF_SYMMETRIC; 28130a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 28230a5e8faSwyllys &keyclass, sizeof (keyclass)); 28330a5e8faSwyllys num++; 28430a5e8faSwyllys 28599ebb4caSwyllys keytype = "symmetric"; 28630a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 28799ebb4caSwyllys numkeys += nk; 28864012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 28964012b18Swyllys oclass != PK_SYMKEY_OBJ) 29064012b18Swyllys rv = KMF_OK; 29199ebb4caSwyllys } 29299ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 29330a5e8faSwyllys int num = numattr; 29430a5e8faSwyllys 29530a5e8faSwyllys keyclass = KMF_ASYM_PUB; 29630a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 29730a5e8faSwyllys &keyclass, sizeof (keyclass)); 29830a5e8faSwyllys num++; 29930a5e8faSwyllys 30099ebb4caSwyllys keytype = "public"; 30130a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 30299ebb4caSwyllys numkeys += nk; 30364012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 30464012b18Swyllys oclass != PK_PUBKEY_OBJ) 30564012b18Swyllys rv = KMF_OK; 30699ebb4caSwyllys } 30799ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 30899ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 30999ebb4caSwyllys 31099ebb4caSwyllys return (rv); 31199ebb4caSwyllys } 31299ebb4caSwyllys 31399ebb4caSwyllys static KMF_RETURN 31499ebb4caSwyllys delete_nss_certs(KMF_HANDLE_T kmfhandle, 31599ebb4caSwyllys char *dir, char *prefix, 31699ebb4caSwyllys char *token, char *objlabel, 31799ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject, 31899ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag) 31999ebb4caSwyllys { 32099ebb4caSwyllys KMF_RETURN rv = KMF_OK; 32130a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 32230a5e8faSwyllys int numattr = 0; 32330a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 32499ebb4caSwyllys 32599ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 32699ebb4caSwyllys if (rv != KMF_OK) 32799ebb4caSwyllys return (rv); 32899ebb4caSwyllys 32930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 33030a5e8faSwyllys &kstype, sizeof (kstype)); 33130a5e8faSwyllys numattr++; 33299ebb4caSwyllys 33330a5e8faSwyllys if (objlabel != NULL) { 33430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 33530a5e8faSwyllys KMF_CERT_LABEL_ATTR, objlabel, 33630a5e8faSwyllys strlen(objlabel)); 33730a5e8faSwyllys numattr++; 33830a5e8faSwyllys } 33999ebb4caSwyllys 34030a5e8faSwyllys if (issuer != NULL) { 34130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 34230a5e8faSwyllys KMF_ISSUER_NAME_ATTR, issuer, 34330a5e8faSwyllys strlen(issuer)); 34430a5e8faSwyllys numattr++; 34530a5e8faSwyllys } 34630a5e8faSwyllys 34730a5e8faSwyllys if (subject != NULL) { 34830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 34930a5e8faSwyllys KMF_SUBJECT_NAME_ATTR, subject, 35030a5e8faSwyllys strlen(subject)); 35130a5e8faSwyllys numattr++; 35230a5e8faSwyllys } 35330a5e8faSwyllys 35430a5e8faSwyllys if (serno != NULL) { 35530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 35630a5e8faSwyllys KMF_BIGINT_ATTR, serno, 35730a5e8faSwyllys sizeof (KMF_BIGINT)); 35830a5e8faSwyllys numattr++; 35930a5e8faSwyllys } 36030a5e8faSwyllys 36130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 36230a5e8faSwyllys KMF_CERT_VALIDITY_ATTR, &find_criteria_flag, 36330a5e8faSwyllys sizeof (KMF_CERT_VALIDITY)); 36430a5e8faSwyllys numattr++; 36530a5e8faSwyllys 36630a5e8faSwyllys if (token != NULL) { 36730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, 36830a5e8faSwyllys KMF_TOKEN_LABEL_ATTR, token, 36930a5e8faSwyllys strlen(token)); 37030a5e8faSwyllys numattr++; 37130a5e8faSwyllys } 37230a5e8faSwyllys 37330a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr); 37499ebb4caSwyllys 37599ebb4caSwyllys return (rv); 37699ebb4caSwyllys } 37799ebb4caSwyllys 37899ebb4caSwyllys static KMF_RETURN 37999ebb4caSwyllys delete_nss_crl(void *kmfhandle, 38099ebb4caSwyllys char *dir, char *prefix, char *token, 38130a5e8faSwyllys char *issuer, char *subject) 38299ebb4caSwyllys { 38399ebb4caSwyllys KMF_RETURN rv = KMF_OK; 38430a5e8faSwyllys int numattr = 0; 38530a5e8faSwyllys KMF_ATTRIBUTE attrlist[8]; 38630a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 38799ebb4caSwyllys 38899ebb4caSwyllys rv = configure_nss(kmfhandle, dir, prefix); 38999ebb4caSwyllys if (rv != KMF_OK) 39099ebb4caSwyllys return (rv); 39199ebb4caSwyllys 39230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 39330a5e8faSwyllys &kstype, sizeof (kstype)); 39430a5e8faSwyllys numattr++; 39599ebb4caSwyllys 39630a5e8faSwyllys if (token != NULL) { 39730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, 39830a5e8faSwyllys token, strlen(token)); 39930a5e8faSwyllys numattr++; 40030a5e8faSwyllys } 40130a5e8faSwyllys if (issuer != NULL) { 40230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 40330a5e8faSwyllys issuer, strlen(issuer)); 40430a5e8faSwyllys numattr++; 40530a5e8faSwyllys } 40630a5e8faSwyllys if (subject != NULL) { 40730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 40830a5e8faSwyllys subject, strlen(subject)); 40930a5e8faSwyllys numattr++; 41030a5e8faSwyllys } 41199ebb4caSwyllys 41230a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist); 41399ebb4caSwyllys 41499ebb4caSwyllys return (rv); 41599ebb4caSwyllys } 41699ebb4caSwyllys 41799ebb4caSwyllys static KMF_RETURN 41899ebb4caSwyllys delete_pk11_keys(KMF_HANDLE_T kmfhandle, 41999ebb4caSwyllys char *token, int oclass, char *objlabel, 42099ebb4caSwyllys KMF_CREDENTIAL *tokencred) 42199ebb4caSwyllys { 42299ebb4caSwyllys KMF_RETURN rv = KMF_OK; 42399ebb4caSwyllys int nk, numkeys = 0; 42430a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 42530a5e8faSwyllys int numattr = 0; 42630a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 42730a5e8faSwyllys KMF_KEY_CLASS keyclass; 42830a5e8faSwyllys boolean_t token_bool = B_TRUE; 42930a5e8faSwyllys boolean_t private; 43099ebb4caSwyllys /* 43199ebb4caSwyllys * Symmetric keys and RSA/DSA private keys are always 43299ebb4caSwyllys * created with the "CKA_PRIVATE" field == TRUE, so 43399ebb4caSwyllys * make sure we search for them with it also set. 43499ebb4caSwyllys */ 43599ebb4caSwyllys if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ)) 43699ebb4caSwyllys oclass |= PK_PRIVATE_OBJ; 43799ebb4caSwyllys 43899ebb4caSwyllys rv = select_token(kmfhandle, token, FALSE); 43999ebb4caSwyllys if (rv != KMF_OK) { 44099ebb4caSwyllys return (rv); 44199ebb4caSwyllys } 44299ebb4caSwyllys 44330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 44430a5e8faSwyllys &kstype, sizeof (kstype)); 44530a5e8faSwyllys numattr++; 44630a5e8faSwyllys 44730a5e8faSwyllys if (objlabel != NULL) { 44830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, 44930a5e8faSwyllys objlabel, strlen(objlabel)); 45030a5e8faSwyllys numattr++; 45130a5e8faSwyllys } 45230a5e8faSwyllys 45330a5e8faSwyllys if (tokencred != NULL && tokencred->credlen > 0) { 45430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR, 45530a5e8faSwyllys tokencred, sizeof (KMF_CREDENTIAL)); 45630a5e8faSwyllys numattr++; 45730a5e8faSwyllys } 45830a5e8faSwyllys 45930a5e8faSwyllys private = ((oclass & PK_PRIVATE_OBJ) > 0); 46030a5e8faSwyllys 46130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR, 46230a5e8faSwyllys &private, sizeof (private)); 46330a5e8faSwyllys numattr++; 46430a5e8faSwyllys 46530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR, 46630a5e8faSwyllys &token_bool, sizeof (token_bool)); 46730a5e8faSwyllys numattr++; 46899ebb4caSwyllys 46999ebb4caSwyllys if (oclass & PK_PRIKEY_OBJ) { 47030a5e8faSwyllys int num = numattr; 47130a5e8faSwyllys 47230a5e8faSwyllys keyclass = KMF_ASYM_PRI; 47330a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 47430a5e8faSwyllys &keyclass, sizeof (keyclass)); 47530a5e8faSwyllys num++; 47630a5e8faSwyllys 47730a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "private", &nk); 47899ebb4caSwyllys numkeys += nk; 47964012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 48064012b18Swyllys oclass != PK_PRIKEY_OBJ) 48164012b18Swyllys rv = KMF_OK; 48299ebb4caSwyllys } 48399ebb4caSwyllys 48499ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) { 48530a5e8faSwyllys int num = numattr; 48630a5e8faSwyllys 48730a5e8faSwyllys keyclass = KMF_SYMMETRIC; 48830a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 48930a5e8faSwyllys &keyclass, sizeof (keyclass)); 49030a5e8faSwyllys num++; 49130a5e8faSwyllys 49230a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "symmetric", &nk); 49399ebb4caSwyllys numkeys += nk; 49464012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 49564012b18Swyllys oclass != PK_SYMKEY_OBJ) 49664012b18Swyllys rv = KMF_OK; 49799ebb4caSwyllys } 49899ebb4caSwyllys 49999ebb4caSwyllys if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) { 50030a5e8faSwyllys int num = numattr; 50130a5e8faSwyllys 5022cbed729Swyllys private = B_FALSE; 50330a5e8faSwyllys keyclass = KMF_ASYM_PUB; 50430a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 50530a5e8faSwyllys &keyclass, sizeof (keyclass)); 50630a5e8faSwyllys num++; 50730a5e8faSwyllys 50830a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, "public", &nk); 50999ebb4caSwyllys numkeys += nk; 51064012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && 51164012b18Swyllys oclass != PK_PUBKEY_OBJ) 51264012b18Swyllys rv = KMF_OK; 51399ebb4caSwyllys } 51499ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 51599ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 51699ebb4caSwyllys 51799ebb4caSwyllys return (rv); 51899ebb4caSwyllys } 51999ebb4caSwyllys 52099ebb4caSwyllys static KMF_RETURN 52199ebb4caSwyllys delete_pk11_certs(KMF_HANDLE_T kmfhandle, 52299ebb4caSwyllys char *token, char *objlabel, 52399ebb4caSwyllys KMF_BIGINT *serno, char *issuer, char *subject, 52499ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag) 52599ebb4caSwyllys { 52699ebb4caSwyllys KMF_RETURN kmfrv; 52730a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 52830a5e8faSwyllys int numattr = 0; 52930a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 53099ebb4caSwyllys 53199ebb4caSwyllys kmfrv = select_token(kmfhandle, token, FALSE); 53299ebb4caSwyllys 53399ebb4caSwyllys if (kmfrv != KMF_OK) { 53499ebb4caSwyllys return (kmfrv); 53599ebb4caSwyllys } 53699ebb4caSwyllys 53730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 53830a5e8faSwyllys &kstype, sizeof (kstype)); 53930a5e8faSwyllys numattr++; 54099ebb4caSwyllys 54130a5e8faSwyllys if (objlabel != NULL) { 54230a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, 54330a5e8faSwyllys objlabel, strlen(objlabel)); 54430a5e8faSwyllys numattr++; 54530a5e8faSwyllys } 54630a5e8faSwyllys 54730a5e8faSwyllys if (issuer != NULL) { 54830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 54930a5e8faSwyllys issuer, strlen(issuer)); 55030a5e8faSwyllys numattr++; 55130a5e8faSwyllys } 55230a5e8faSwyllys 55330a5e8faSwyllys if (subject != NULL) { 55430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 55530a5e8faSwyllys subject, strlen(subject)); 55630a5e8faSwyllys numattr++; 55730a5e8faSwyllys } 55830a5e8faSwyllys 55930a5e8faSwyllys if (serno != NULL) { 56030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, 56130a5e8faSwyllys serno, sizeof (KMF_BIGINT)); 56230a5e8faSwyllys numattr++; 56330a5e8faSwyllys } 56430a5e8faSwyllys 56530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, 56630a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); 56730a5e8faSwyllys numattr++; 56830a5e8faSwyllys 56930a5e8faSwyllys kmfrv = pk_delete_certs(kmfhandle, attrlist, numattr); 57099ebb4caSwyllys 57199ebb4caSwyllys return (kmfrv); 57299ebb4caSwyllys } 57399ebb4caSwyllys 57499ebb4caSwyllys static KMF_RETURN 57599ebb4caSwyllys delete_file_certs(KMF_HANDLE_T kmfhandle, 57699ebb4caSwyllys char *dir, char *filename, KMF_BIGINT *serial, char *issuer, 57799ebb4caSwyllys char *subject, KMF_CERT_VALIDITY find_criteria_flag) 57899ebb4caSwyllys { 57999ebb4caSwyllys KMF_RETURN rv; 58030a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 58130a5e8faSwyllys int numattr = 0; 58230a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 58399ebb4caSwyllys 58430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 58530a5e8faSwyllys &kstype, sizeof (kstype)); 58630a5e8faSwyllys numattr++; 58799ebb4caSwyllys 58830a5e8faSwyllys if (issuer != NULL) { 58930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR, 59030a5e8faSwyllys issuer, strlen(issuer)); 59130a5e8faSwyllys numattr++; 59230a5e8faSwyllys } 59399ebb4caSwyllys 59430a5e8faSwyllys if (subject != NULL) { 59530a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR, 59630a5e8faSwyllys subject, strlen(subject)); 59730a5e8faSwyllys numattr++; 59830a5e8faSwyllys } 59930a5e8faSwyllys 60030a5e8faSwyllys if (serial != NULL) { 60130a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_BIGINT_ATTR, 60230a5e8faSwyllys serial, sizeof (KMF_BIGINT)); 60330a5e8faSwyllys numattr++; 60430a5e8faSwyllys } 60530a5e8faSwyllys 60630a5e8faSwyllys if (dir != NULL) { 60730a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, 60830a5e8faSwyllys dir, strlen(dir)); 60930a5e8faSwyllys numattr++; 61030a5e8faSwyllys } 61130a5e8faSwyllys 61230a5e8faSwyllys if (filename != NULL) { 61330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, 61430a5e8faSwyllys filename, strlen(filename)); 61530a5e8faSwyllys numattr++; 61630a5e8faSwyllys } 61730a5e8faSwyllys 61830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_VALIDITY_ATTR, 61930a5e8faSwyllys &find_criteria_flag, sizeof (KMF_CERT_VALIDITY)); 62030a5e8faSwyllys numattr++; 62130a5e8faSwyllys 62230a5e8faSwyllys rv = pk_delete_certs(kmfhandle, attrlist, numattr); 62399ebb4caSwyllys 62499ebb4caSwyllys return (rv); 62599ebb4caSwyllys } 62699ebb4caSwyllys 62799ebb4caSwyllys static KMF_RETURN 62899ebb4caSwyllys delete_file_keys(KMF_HANDLE_T kmfhandle, int oclass, 62999ebb4caSwyllys char *dir, char *infile) 63099ebb4caSwyllys { 63199ebb4caSwyllys KMF_RETURN rv = KMF_OK; 63299ebb4caSwyllys char *keytype = ""; 63399ebb4caSwyllys int nk, numkeys = 0; 63430a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 63530a5e8faSwyllys int numattr = 0; 63630a5e8faSwyllys KMF_ATTRIBUTE attrlist[16]; 63730a5e8faSwyllys KMF_KEY_CLASS keyclass; 63899ebb4caSwyllys 63930a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 64030a5e8faSwyllys &kstype, sizeof (kstype)); 64130a5e8faSwyllys numattr++; 64230a5e8faSwyllys 64330a5e8faSwyllys if (dir != NULL) { 64430a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_DIRPATH_ATTR, 64530a5e8faSwyllys dir, strlen(dir)); 64630a5e8faSwyllys numattr++; 64730a5e8faSwyllys } 64830a5e8faSwyllys 64930a5e8faSwyllys if (infile != NULL) { 65030a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR, 65130a5e8faSwyllys infile, strlen(infile)); 65230a5e8faSwyllys numattr++; 65330a5e8faSwyllys } 65499ebb4caSwyllys 65599ebb4caSwyllys if (oclass & (PK_PUBKEY_OBJ | PK_PRIKEY_OBJ)) { 65630a5e8faSwyllys int num = numattr; 65730a5e8faSwyllys 65830a5e8faSwyllys keyclass = KMF_ASYM_PRI; 65930a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 66030a5e8faSwyllys &keyclass, sizeof (keyclass)); 66130a5e8faSwyllys num++; 66230a5e8faSwyllys 66399ebb4caSwyllys keytype = "Asymmetric"; 66430a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 66599ebb4caSwyllys numkeys += nk; 66699ebb4caSwyllys } 66764012b18Swyllys if (oclass & PK_SYMKEY_OBJ) { 66830a5e8faSwyllys int num = numattr; 66930a5e8faSwyllys 67030a5e8faSwyllys keyclass = KMF_SYMMETRIC; 67130a5e8faSwyllys kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR, 67230a5e8faSwyllys &keyclass, sizeof (keyclass)); 67330a5e8faSwyllys num++; 67430a5e8faSwyllys 67599ebb4caSwyllys keytype = "symmetric"; 67630a5e8faSwyllys rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk); 67799ebb4caSwyllys numkeys += nk; 67864012b18Swyllys if (rv == KMF_ERR_KEY_NOT_FOUND && numkeys > 0) 67964012b18Swyllys rv = KMF_OK; 68099ebb4caSwyllys } 68199ebb4caSwyllys if (rv == KMF_OK && numkeys == 0) 68299ebb4caSwyllys rv = KMF_ERR_KEY_NOT_FOUND; 68399ebb4caSwyllys 68499ebb4caSwyllys return (rv); 68599ebb4caSwyllys } 68699ebb4caSwyllys 68799ebb4caSwyllys static KMF_RETURN 688448b8615Swyllys delete_file_crl(void *kmfhandle, char *filename) 68999ebb4caSwyllys { 69099ebb4caSwyllys KMF_RETURN rv; 69130a5e8faSwyllys int numattr = 0; 69230a5e8faSwyllys KMF_ATTRIBUTE attrlist[4]; 69330a5e8faSwyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 69499ebb4caSwyllys 695448b8615Swyllys if (filename == NULL || strlen(filename) == 0) 696448b8615Swyllys return (KMF_ERR_BAD_PARAMETER); 697448b8615Swyllys 69830a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 69930a5e8faSwyllys &kstype, sizeof (kstype)); 70030a5e8faSwyllys numattr++; 70199ebb4caSwyllys 70230a5e8faSwyllys if (filename) { 70330a5e8faSwyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR, 70430a5e8faSwyllys filename, strlen(filename)); 70530a5e8faSwyllys numattr++; 70630a5e8faSwyllys } 70799ebb4caSwyllys 70830a5e8faSwyllys rv = kmf_delete_crl(kmfhandle, numattr, attrlist); 70999ebb4caSwyllys 71099ebb4caSwyllys return (rv); 71199ebb4caSwyllys } 7127711facfSdinak 7137711facfSdinak /* 7147711facfSdinak * Delete token objects. 7157711facfSdinak */ 7167711facfSdinak int 7177711facfSdinak pk_delete(int argc, char *argv[]) 7187711facfSdinak { 7197711facfSdinak int opt; 72049e21299Sdinak extern int optind_av; 72149e21299Sdinak extern char *optarg_av; 72249e21299Sdinak char *token_spec = NULL; 72399ebb4caSwyllys char *subject = NULL; 72499ebb4caSwyllys char *issuer = NULL; 72599ebb4caSwyllys char *dir = NULL; 72699ebb4caSwyllys char *prefix = NULL; 72799ebb4caSwyllys char *infile = NULL; 72899ebb4caSwyllys char *object_label = NULL; 72999ebb4caSwyllys char *serstr = NULL; 7307711facfSdinak 73199ebb4caSwyllys int oclass = 0; 73299ebb4caSwyllys KMF_BIGINT serial = { NULL, 0 }; 73399ebb4caSwyllys KMF_HANDLE_T kmfhandle = NULL; 73499ebb4caSwyllys KMF_KEYSTORE_TYPE kstype = 0; 73564012b18Swyllys KMF_RETURN kmfrv, keyrv, certrv, crlrv; 73699ebb4caSwyllys int rv = 0; 73799ebb4caSwyllys char *find_criteria = NULL; 73899ebb4caSwyllys KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS; 73999ebb4caSwyllys KMF_CREDENTIAL tokencred = { NULL, 0 }; 7407711facfSdinak 7417711facfSdinak /* Parse command line options. Do NOT i18n/l10n. */ 74249e21299Sdinak while ((opt = getopt_av(argc, argv, 74399ebb4caSwyllys "T:(token)y:(objtype)l:(label)" 74499ebb4caSwyllys "k:(keystore)s:(subject)n:(nickname)" 74599ebb4caSwyllys "d:(dir)p:(prefix)S:(serial)i:(issuer)" 74699ebb4caSwyllys "c:(criteria)" 74799ebb4caSwyllys "f:(infile)")) != EOF) { 74899ebb4caSwyllys 74999ebb4caSwyllys if (EMPTYSTRING(optarg_av)) 75099ebb4caSwyllys return (PK_ERR_USAGE); 7517711facfSdinak switch (opt) { 75249e21299Sdinak case 'T': /* token specifier */ 75349e21299Sdinak if (token_spec) 75449e21299Sdinak return (PK_ERR_USAGE); 75549e21299Sdinak token_spec = optarg_av; 7567711facfSdinak break; 75749e21299Sdinak case 'y': /* object type: public, private, both */ 75899ebb4caSwyllys if (oclass) 75949e21299Sdinak return (PK_ERR_USAGE); 76099ebb4caSwyllys oclass = OT2Int(optarg_av); 76199ebb4caSwyllys if (oclass == -1) 76299ebb4caSwyllys return (PK_ERR_USAGE); 7637711facfSdinak break; 7647711facfSdinak case 'l': /* objects with specific label */ 76599ebb4caSwyllys case 'n': 7667711facfSdinak if (object_label) 7677711facfSdinak return (PK_ERR_USAGE); 76899ebb4caSwyllys object_label = (char *)optarg_av; 76999ebb4caSwyllys break; 77099ebb4caSwyllys case 'k': 77199ebb4caSwyllys kstype = KS2Int(optarg_av); 77299ebb4caSwyllys if (kstype == 0) 77399ebb4caSwyllys return (PK_ERR_USAGE); 77499ebb4caSwyllys break; 77599ebb4caSwyllys case 's': 77699ebb4caSwyllys subject = optarg_av; 77799ebb4caSwyllys break; 77899ebb4caSwyllys case 'i': 77999ebb4caSwyllys issuer = optarg_av; 78099ebb4caSwyllys break; 78199ebb4caSwyllys case 'd': 78299ebb4caSwyllys dir = optarg_av; 78399ebb4caSwyllys break; 78499ebb4caSwyllys case 'p': 78599ebb4caSwyllys prefix = optarg_av; 78699ebb4caSwyllys break; 78799ebb4caSwyllys case 'S': 78899ebb4caSwyllys serstr = optarg_av; 78999ebb4caSwyllys break; 79099ebb4caSwyllys case 'f': 79199ebb4caSwyllys infile = optarg_av; 79299ebb4caSwyllys break; 79399ebb4caSwyllys case 'c': 79499ebb4caSwyllys find_criteria = optarg_av; 79599ebb4caSwyllys if (!strcasecmp(find_criteria, "valid")) 79699ebb4caSwyllys find_criteria_flag = 79799ebb4caSwyllys KMF_NONEXPIRED_CERTS; 79899ebb4caSwyllys else if (!strcasecmp(find_criteria, "expired")) 79999ebb4caSwyllys find_criteria_flag = KMF_EXPIRED_CERTS; 80099ebb4caSwyllys else if (!strcasecmp(find_criteria, "both")) 80199ebb4caSwyllys find_criteria_flag = KMF_ALL_CERTS; 80299ebb4caSwyllys else 80399ebb4caSwyllys return (PK_ERR_USAGE); 8047711facfSdinak break; 8057711facfSdinak default: 8067711facfSdinak return (PK_ERR_USAGE); 8077711facfSdinak } 8087711facfSdinak } 8097711facfSdinak 81099ebb4caSwyllys /* Assume keystore = PKCS#11 if not specified */ 81199ebb4caSwyllys if (kstype == 0) 81299ebb4caSwyllys kstype = KMF_KEYSTORE_PK11TOKEN; 81399ebb4caSwyllys 81499ebb4caSwyllys /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */ 81599ebb4caSwyllys if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) && 81699ebb4caSwyllys kstype != KMF_KEYSTORE_PK11TOKEN) { 81799ebb4caSwyllys 81899ebb4caSwyllys (void) fprintf(stderr, gettext("The objtype parameter " 81999ebb4caSwyllys "is only relevant if keystore=pkcs11\n")); 82049e21299Sdinak return (PK_ERR_USAGE); 82149e21299Sdinak } 82249e21299Sdinak 8237711facfSdinak 8247711facfSdinak /* No additional args allowed. */ 82549e21299Sdinak argc -= optind_av; 82649e21299Sdinak argv += optind_av; 8277711facfSdinak if (argc) 8287711facfSdinak return (PK_ERR_USAGE); 8297711facfSdinak /* Done parsing command line options. */ 8307711facfSdinak 831577f4726Swyllys DIR_OPTION_CHECK(kstype, dir); 832577f4726Swyllys 83399ebb4caSwyllys if (kstype == KMF_KEYSTORE_PK11TOKEN && token_spec == NULL) { 83499ebb4caSwyllys token_spec = PK_DEFAULT_PK11TOKEN; 83599ebb4caSwyllys } else if (kstype == KMF_KEYSTORE_NSS && token_spec == NULL) { 83699ebb4caSwyllys token_spec = DEFAULT_NSS_TOKEN; 8377711facfSdinak } 8387711facfSdinak 83999ebb4caSwyllys if (serstr != NULL) { 84099ebb4caSwyllys uchar_t *bytes = NULL; 84199ebb4caSwyllys size_t bytelen; 84299ebb4caSwyllys 84330a5e8faSwyllys rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); 84499ebb4caSwyllys if (rv != KMF_OK || bytes == NULL) { 84599ebb4caSwyllys (void) fprintf(stderr, gettext("serial number " 84699ebb4caSwyllys "must be specified as a hex number " 84799ebb4caSwyllys "(ex: 0x0102030405ffeeddee)\n")); 84899ebb4caSwyllys return (PK_ERR_USAGE); 84999ebb4caSwyllys } 85099ebb4caSwyllys serial.val = bytes; 85199ebb4caSwyllys serial.len = bytelen; 8522cbed729Swyllys /* If serial number was given, it must be a cert search */ 8532cbed729Swyllys if (oclass == 0) 8542cbed729Swyllys oclass = PK_CERT_OBJ; 8557711facfSdinak } 8562cbed729Swyllys /* 8572cbed729Swyllys * If no object type was given but subject or issuer was, 8582cbed729Swyllys * it must be a certificate we are looking to delete. 8592cbed729Swyllys */ 8602cbed729Swyllys if ((issuer != NULL || subject != NULL) && oclass == 0) 8612cbed729Swyllys oclass = PK_CERT_OBJ; 8622cbed729Swyllys /* If no object class specified, delete everything but CRLs */ 8632cbed729Swyllys if (oclass == 0) 8642cbed729Swyllys oclass = PK_CERT_OBJ | PK_KEY_OBJ; 8657711facfSdinak 86699ebb4caSwyllys if ((kstype == KMF_KEYSTORE_PK11TOKEN || 86799ebb4caSwyllys kstype == KMF_KEYSTORE_NSS) && 86899ebb4caSwyllys (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) { 86999ebb4caSwyllys 87099ebb4caSwyllys (void) get_token_password(kstype, token_spec, 87199ebb4caSwyllys &tokencred); 8727711facfSdinak } 8737711facfSdinak 87430a5e8faSwyllys if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) 87599ebb4caSwyllys return (kmfrv); 8767711facfSdinak 87764012b18Swyllys keyrv = certrv = crlrv = KMF_OK; 87899ebb4caSwyllys switch (kstype) { 87999ebb4caSwyllys case KMF_KEYSTORE_PK11TOKEN: 88099ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 88164012b18Swyllys keyrv = delete_pk11_keys(kmfhandle, 88299ebb4caSwyllys token_spec, oclass, 88330a5e8faSwyllys object_label, &tokencred); 8847711facfSdinak /* 88599ebb4caSwyllys * If deleting groups of objects, it is OK 88699ebb4caSwyllys * to ignore the "key not found" case so that 88799ebb4caSwyllys * we can continue to find other objects. 8887711facfSdinak */ 88964012b18Swyllys if (keyrv != KMF_OK && 89064012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND) 89199ebb4caSwyllys break; 8927711facfSdinak } 89399ebb4caSwyllys if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) { 89464012b18Swyllys certrv = delete_pk11_certs(kmfhandle, 89530a5e8faSwyllys token_spec, object_label, 89699ebb4caSwyllys &serial, issuer, 89799ebb4caSwyllys subject, find_criteria_flag); 89899ebb4caSwyllys /* 89999ebb4caSwyllys * If cert delete failed, but we are looking at 90099ebb4caSwyllys * other objects, then it is OK. 90199ebb4caSwyllys */ 90264012b18Swyllys if (certrv != KMF_OK && 90364012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND) 90499ebb4caSwyllys break; 9057711facfSdinak } 90699ebb4caSwyllys if (oclass & PK_CRL_OBJ) 90764012b18Swyllys crlrv = delete_file_crl(kmfhandle, 908448b8615Swyllys infile); 90999ebb4caSwyllys break; 91099ebb4caSwyllys case KMF_KEYSTORE_NSS: 91164012b18Swyllys keyrv = certrv = crlrv = KMF_OK; 91299ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 91364012b18Swyllys keyrv = delete_nss_keys(kmfhandle, 91499ebb4caSwyllys dir, prefix, token_spec, 91599ebb4caSwyllys oclass, (char *)object_label, 91699ebb4caSwyllys &tokencred); 91764012b18Swyllys if (keyrv != KMF_OK && 91864012b18Swyllys keyrv != KMF_ERR_KEY_NOT_FOUND) 91999ebb4caSwyllys break; 92099ebb4caSwyllys } 92199ebb4caSwyllys if (oclass & PK_CERT_OBJ) { 92264012b18Swyllys certrv = delete_nss_certs(kmfhandle, 92399ebb4caSwyllys dir, prefix, token_spec, 92499ebb4caSwyllys (char *)object_label, 92599ebb4caSwyllys &serial, issuer, subject, 92699ebb4caSwyllys find_criteria_flag); 92764012b18Swyllys if (certrv != KMF_OK && 92864012b18Swyllys certrv != KMF_ERR_CERT_NOT_FOUND) 92999ebb4caSwyllys break; 93099ebb4caSwyllys } 93199ebb4caSwyllys if (oclass & PK_CRL_OBJ) 93264012b18Swyllys crlrv = delete_nss_crl(kmfhandle, 93399ebb4caSwyllys dir, prefix, token_spec, 93499ebb4caSwyllys (char *)object_label, subject); 93599ebb4caSwyllys break; 93699ebb4caSwyllys case KMF_KEYSTORE_OPENSSL: 93799ebb4caSwyllys if (oclass & PK_KEY_OBJ) { 93864012b18Swyllys keyrv = delete_file_keys(kmfhandle, oclass, 93999ebb4caSwyllys dir, infile); 94064012b18Swyllys if (keyrv != KMF_OK) 94199ebb4caSwyllys break; 94299ebb4caSwyllys } 94399ebb4caSwyllys if (oclass & (PK_CERT_OBJ)) { 94464012b18Swyllys certrv = delete_file_certs(kmfhandle, 94599ebb4caSwyllys dir, infile, &serial, issuer, 94699ebb4caSwyllys subject, find_criteria_flag); 94764012b18Swyllys if (certrv != KMF_OK) 94899ebb4caSwyllys break; 94999ebb4caSwyllys } 95099ebb4caSwyllys if (oclass & PK_CRL_OBJ) 95164012b18Swyllys crlrv = delete_file_crl(kmfhandle, 952448b8615Swyllys infile); 95399ebb4caSwyllys break; 95499ebb4caSwyllys default: 95599ebb4caSwyllys rv = PK_ERR_USAGE; 95699ebb4caSwyllys break; 9577711facfSdinak } 9587711facfSdinak 95964012b18Swyllys /* 96064012b18Swyllys * Logic here: 96164012b18Swyllys * If searching for more than just one class of object (key or cert) 96264012b18Swyllys * and only 1 of the classes was not found, it is not an error. 96364012b18Swyllys * If searching for just one class of object, that failure should 96464012b18Swyllys * be reported. 96564012b18Swyllys * 96664012b18Swyllys * Any error other than "KMF_ERR_[key/cert]_NOT_FOUND" should 96764012b18Swyllys * be reported either way. 96864012b18Swyllys */ 96964012b18Swyllys if (keyrv != KMF_ERR_KEY_NOT_FOUND && keyrv != KMF_OK) 97064012b18Swyllys kmfrv = keyrv; 97164012b18Swyllys else if (certrv != KMF_OK && certrv != KMF_ERR_CERT_NOT_FOUND) 97264012b18Swyllys kmfrv = certrv; 97364012b18Swyllys else if (crlrv != KMF_OK && crlrv != KMF_ERR_CRL_NOT_FOUND) 97464012b18Swyllys kmfrv = crlrv; 97564012b18Swyllys 97664012b18Swyllys /* 97764012b18Swyllys * If nothing was found, return error. 97864012b18Swyllys */ 97964012b18Swyllys if ((keyrv == KMF_ERR_KEY_NOT_FOUND && (oclass & PK_KEY_OBJ)) && 98064012b18Swyllys (certrv == KMF_ERR_CERT_NOT_FOUND && (oclass & PK_CERT_OBJ))) 98164012b18Swyllys kmfrv = KMF_ERR_KEY_NOT_FOUND; 98264012b18Swyllys 98364012b18Swyllys if (kmfrv != KMF_OK) 98464012b18Swyllys goto out; 98564012b18Swyllys 98664012b18Swyllys if (keyrv != KMF_OK && (oclass == PK_KEY_OBJ)) 98764012b18Swyllys kmfrv = keyrv; 98864012b18Swyllys else if (certrv != KMF_OK && (oclass == PK_CERT_OBJ)) 98964012b18Swyllys kmfrv = certrv; 99064012b18Swyllys else if (crlrv != KMF_OK && (oclass == PK_CRL_OBJ)) 99164012b18Swyllys kmfrv = crlrv; 99264012b18Swyllys 99364012b18Swyllys out: 99499ebb4caSwyllys if (kmfrv != KMF_OK) { 99599ebb4caSwyllys display_error(kmfhandle, kmfrv, 99699ebb4caSwyllys gettext("Error deleting objects")); 9977711facfSdinak } 9987711facfSdinak 99999ebb4caSwyllys if (serial.val != NULL) 100099ebb4caSwyllys free(serial.val); 100130a5e8faSwyllys (void) kmf_finalize(kmfhandle); 100299ebb4caSwyllys return (kmfrv); 10037711facfSdinak } 1004