4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
21 * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
22 * Copyright 2012 Milan Jurik. All rights reserved.
26 * This file implements the export operation for this tool.
27 * The basic flow of the process is to find the soft token,
28 * log into it, find the PKCS#11 objects in the soft token
29 * to be exported matching keys with their certificates, export
30 * them to the PKCS#12 file encrypting them with a file password
31 * if desired, and log out.
44 pk_find_export_cert(KMF_HANDLE_T kmfhandle
, KMF_ATTRIBUTE
*attrlist
,
45 int numattr
, KMF_X509_DER_CERT
*cert
)
47 KMF_RETURN rv
= KMF_OK
;
48 uint32_t numcerts
= 0;
51 (void) memset(cert
, 0, sizeof (KMF_X509_DER_CERT
));
53 kmf_set_attr_at_index(attrlist
, numattr
, KMF_COUNT_ATTR
,
54 &numcerts
, sizeof (uint32_t));
57 rv
= kmf_find_cert(kmfhandle
, numattr
, attrlist
);
62 cryptoerror(LOG_STDERR
,
63 gettext("No matching certificates found."));
64 return (KMF_ERR_CERT_NOT_FOUND
);
66 } else if (numcerts
== 1) {
67 kmf_set_attr_at_index(attrlist
, numattr
,
68 KMF_X509_DER_CERT_ATTR
, cert
,
69 sizeof (KMF_X509_DER_CERT
));
71 rv
= kmf_find_cert(kmfhandle
, numattr
, attrlist
);
73 } else if (numcerts
> 1) {
74 cryptoerror(LOG_STDERR
,
75 gettext("%d certificates found, refine the "
76 "search parameters to eliminate ambiguity\n"),
78 return (KMF_ERR_BAD_PARAMETER
);
84 pk_export_file_objects(KMF_HANDLE_T kmfhandle
, int oclass
,
85 char *issuer
, char *subject
, KMF_BIGINT
*serial
,
86 char *infile
, char *filename
)
88 KMF_RETURN rv
= KMF_OK
;
89 KMF_X509_DER_CERT kmfcert
;
90 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_OPENSSL
;
92 KMF_ATTRIBUTE attrlist
[16];
94 /* If searching for public objects or certificates, find certs now */
95 if (oclass
& (PK_CERT_OBJ
| PK_PUBLIC_OBJ
)) {
96 kmf_set_attr_at_index(attrlist
, numattr
,
97 KMF_KEYSTORE_TYPE_ATTR
, &kstype
,
101 if (issuer
!= NULL
) {
102 kmf_set_attr_at_index(attrlist
, numattr
,
103 KMF_ISSUER_NAME_ATTR
, issuer
,
108 if (subject
!= NULL
) {
109 kmf_set_attr_at_index(attrlist
, numattr
,
110 KMF_SUBJECT_NAME_ATTR
, subject
,
115 if (serial
!= NULL
) {
116 kmf_set_attr_at_index(attrlist
, numattr
,
117 KMF_BIGINT_ATTR
, serial
,
118 sizeof (KMF_BIGINT
));
122 if (infile
!= NULL
) {
123 kmf_set_attr_at_index(attrlist
, numattr
,
124 KMF_CERT_FILENAME_ATTR
, infile
,
129 rv
= pk_find_export_cert(kmfhandle
, attrlist
, numattr
,
132 kstype
= KMF_KEYSTORE_OPENSSL
;
135 kmf_set_attr_at_index(attrlist
, numattr
,
136 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
139 kmf_set_attr_at_index(attrlist
, numattr
,
140 KMF_CERT_DATA_ATTR
, &kmfcert
.certificate
,
144 kmf_set_attr_at_index(attrlist
, numattr
,
145 KMF_CERT_FILENAME_ATTR
, filename
,
149 rv
= kmf_store_cert(kmfhandle
, numattr
,
152 kmf_free_kmf_cert(kmfhandle
, &kmfcert
);
159 pk_export_pk12_nss(KMF_HANDLE_T kmfhandle
,
160 char *token_spec
, char *dir
, char *prefix
,
161 char *certlabel
, char *issuer
, char *subject
,
162 KMF_BIGINT
*serial
, KMF_CREDENTIAL
*tokencred
,
165 KMF_RETURN rv
= KMF_OK
;
166 KMF_KEYSTORE_TYPE kstype
;
167 KMF_CREDENTIAL p12cred
= { NULL
, 0 };
168 KMF_ATTRIBUTE attrlist
[16];
171 rv
= configure_nss(kmfhandle
, dir
, prefix
);
175 if (token_spec
== NULL
)
176 token_spec
= DEFAULT_NSS_TOKEN
;
178 kstype
= KMF_KEYSTORE_NSS
;
179 kmf_set_attr_at_index(attrlist
, numattr
,
180 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
183 if (certlabel
!= NULL
) {
184 kmf_set_attr_at_index(attrlist
, numattr
,
185 KMF_CERT_LABEL_ATTR
, certlabel
, strlen(certlabel
));
189 if (issuer
!= NULL
) {
190 kmf_set_attr_at_index(attrlist
, numattr
,
191 KMF_ISSUER_NAME_ATTR
, issuer
, strlen(issuer
));
195 if (subject
!= NULL
) {
196 kmf_set_attr_at_index(attrlist
, numattr
,
197 KMF_SUBJECT_NAME_ATTR
, subject
, strlen(subject
));
201 if (serial
!= NULL
) {
202 kmf_set_attr_at_index(attrlist
, numattr
,
203 KMF_BIGINT_ATTR
, serial
, sizeof (KMF_BIGINT
));
207 if (tokencred
!= NULL
) {
208 kmf_set_attr_at_index(attrlist
, numattr
,
209 KMF_CREDENTIAL_ATTR
, tokencred
, sizeof (KMF_CREDENTIAL
));
213 kmf_set_attr_at_index(attrlist
, numattr
, KMF_TOKEN_LABEL_ATTR
,
214 token_spec
, strlen(token_spec
));
217 (void) get_pk12_password(&p12cred
);
218 kmf_set_attr_at_index(attrlist
, numattr
,
219 KMF_PK12CRED_ATTR
, &p12cred
, sizeof (KMF_CREDENTIAL
));
222 kmf_set_attr_at_index(attrlist
, numattr
,
223 KMF_OUTPUT_FILENAME_ATTR
, filename
, strlen(filename
));
226 rv
= kmf_export_pk12(kmfhandle
, numattr
, attrlist
);
234 pk_export_pk12_files(KMF_HANDLE_T kmfhandle
,
235 char *certfile
, char *keyfile
,
239 KMF_KEYSTORE_TYPE kstype
;
240 KMF_CREDENTIAL p12cred
= { NULL
, 0 };
241 KMF_ATTRIBUTE attrlist
[16];
244 kstype
= KMF_KEYSTORE_OPENSSL
;
245 kmf_set_attr_at_index(attrlist
, numattr
,
246 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
249 if (certfile
!= NULL
) {
250 kmf_set_attr_at_index(attrlist
, numattr
,
251 KMF_CERT_FILENAME_ATTR
, certfile
, strlen(certfile
));
255 if (keyfile
!= NULL
) {
256 kmf_set_attr_at_index(attrlist
, numattr
,
257 KMF_KEY_FILENAME_ATTR
, keyfile
, strlen(keyfile
));
261 (void) get_pk12_password(&p12cred
);
262 kmf_set_attr_at_index(attrlist
, numattr
,
263 KMF_PK12CRED_ATTR
, &p12cred
, sizeof (KMF_CREDENTIAL
));
266 kmf_set_attr_at_index(attrlist
, numattr
,
267 KMF_OUTPUT_FILENAME_ATTR
, outfile
, strlen(outfile
));
270 rv
= kmf_export_pk12(kmfhandle
, numattr
, attrlist
);
278 pk_export_nss_objects(KMF_HANDLE_T kmfhandle
, char *token_spec
,
279 int oclass
, char *certlabel
, char *issuer
, char *subject
,
280 KMF_BIGINT
*serial
, KMF_ENCODE_FORMAT kfmt
, char *dir
,
281 char *prefix
, char *filename
)
283 KMF_RETURN rv
= KMF_OK
;
284 KMF_X509_DER_CERT kmfcert
;
285 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_NSS
;
286 KMF_ATTRIBUTE attrlist
[16];
289 rv
= configure_nss(kmfhandle
, dir
, prefix
);
293 /* If searching for public objects or certificates, find certs now */
294 if (oclass
& (PK_CERT_OBJ
| PK_PUBLIC_OBJ
)) {
295 kmf_set_attr_at_index(attrlist
, numattr
,
296 KMF_KEYSTORE_TYPE_ATTR
, &kstype
,
300 if (certlabel
!= NULL
) {
301 kmf_set_attr_at_index(attrlist
, numattr
,
302 KMF_CERT_LABEL_ATTR
, certlabel
,
307 if (issuer
!= NULL
) {
308 kmf_set_attr_at_index(attrlist
, numattr
,
309 KMF_ISSUER_NAME_ATTR
, issuer
,
314 if (subject
!= NULL
) {
315 kmf_set_attr_at_index(attrlist
, numattr
,
316 KMF_SUBJECT_NAME_ATTR
, subject
,
321 if (serial
!= NULL
) {
322 kmf_set_attr_at_index(attrlist
, numattr
,
323 KMF_BIGINT_ATTR
, serial
,
324 sizeof (KMF_BIGINT
));
328 if (token_spec
!= NULL
) {
329 kmf_set_attr_at_index(attrlist
, numattr
,
330 KMF_TOKEN_LABEL_ATTR
, token_spec
,
335 rv
= pk_find_export_cert(kmfhandle
, attrlist
, numattr
,
338 kstype
= KMF_KEYSTORE_OPENSSL
;
341 kmf_set_attr_at_index(attrlist
, numattr
,
342 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
345 kmf_set_attr_at_index(attrlist
, numattr
,
346 KMF_CERT_DATA_ATTR
, &kmfcert
.certificate
,
350 kmf_set_attr_at_index(attrlist
, numattr
,
351 KMF_CERT_FILENAME_ATTR
, filename
,
355 kmf_set_attr_at_index(attrlist
, numattr
,
356 KMF_ENCODE_FORMAT_ATTR
, &kfmt
, sizeof (kfmt
));
359 rv
= kmf_store_cert(kmfhandle
, numattr
, attrlist
);
361 kmf_free_kmf_cert(kmfhandle
, &kmfcert
);
368 pk_export_pk12_pk11(KMF_HANDLE_T kmfhandle
, char *token_spec
,
369 char *certlabel
, char *issuer
, char *subject
,
370 KMF_BIGINT
*serial
, KMF_CREDENTIAL
*tokencred
, char *filename
)
372 KMF_RETURN rv
= KMF_OK
;
373 KMF_KEYSTORE_TYPE kstype
;
374 KMF_CREDENTIAL p12cred
= { NULL
, 0 };
375 KMF_ATTRIBUTE attrlist
[16];
378 rv
= select_token(kmfhandle
, token_spec
, TRUE
);
383 kstype
= KMF_KEYSTORE_PK11TOKEN
;
384 kmf_set_attr_at_index(attrlist
, numattr
,
385 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
388 if (certlabel
!= NULL
) {
389 kmf_set_attr_at_index(attrlist
, numattr
,
390 KMF_CERT_LABEL_ATTR
, certlabel
, strlen(certlabel
));
394 if (issuer
!= NULL
) {
395 kmf_set_attr_at_index(attrlist
, numattr
,
396 KMF_ISSUER_NAME_ATTR
, issuer
, strlen(issuer
));
400 if (subject
!= NULL
) {
401 kmf_set_attr_at_index(attrlist
, numattr
,
402 KMF_SUBJECT_NAME_ATTR
, subject
, strlen(subject
));
406 if (serial
!= NULL
) {
407 kmf_set_attr_at_index(attrlist
, numattr
,
408 KMF_BIGINT_ATTR
, serial
, sizeof (KMF_BIGINT
));
412 if (tokencred
!= NULL
) {
413 kmf_set_attr_at_index(attrlist
, numattr
,
414 KMF_CREDENTIAL_ATTR
, tokencred
, sizeof (KMF_CREDENTIAL
));
418 (void) get_pk12_password(&p12cred
);
419 kmf_set_attr_at_index(attrlist
, numattr
,
420 KMF_PK12CRED_ATTR
, &p12cred
, sizeof (KMF_CREDENTIAL
));
423 kmf_set_attr_at_index(attrlist
, numattr
,
424 KMF_OUTPUT_FILENAME_ATTR
, filename
, strlen(filename
));
427 rv
= kmf_export_pk12(kmfhandle
, numattr
, attrlist
);
435 pk_export_pk11_keys(KMF_HANDLE_T kmfhandle
, char *token
,
436 KMF_CREDENTIAL
*cred
, KMF_ENCODE_FORMAT format
,
437 char *label
, char *filename
, int oclass
)
439 KMF_RETURN rv
= KMF_OK
;
440 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_PK11TOKEN
;
441 KMF_KEY_CLASS kclass
= KMF_KEYCLASS_NONE
;
443 uint32_t numkeys
= 1;
444 KMF_ATTRIBUTE attrlist
[16];
446 boolean_t is_token
= B_TRUE
;
448 if (EMPTYSTRING(label
)) {
449 cryptoerror(LOG_STDERR
, gettext("A label "
450 "must be specified to export a key."));
451 return (KMF_ERR_BAD_PARAMETER
);
454 rv
= select_token(kmfhandle
, token
, TRUE
);
459 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
460 &kstype
, sizeof (kstype
));
464 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CREDENTIAL_ATTR
,
465 cred
, sizeof (KMF_CREDENTIAL
));
469 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYLABEL_ATTR
,
470 label
, strlen(label
));
473 kmf_set_attr_at_index(attrlist
, numattr
, KMF_COUNT_ATTR
,
474 &numkeys
, sizeof (numkeys
));
477 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEY_HANDLE_ATTR
,
481 kmf_set_attr_at_index(attrlist
, numattr
, KMF_TOKEN_BOOL_ATTR
,
482 &is_token
, sizeof (is_token
));
485 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ENCODE_FORMAT_ATTR
,
486 &format
, sizeof (format
));
489 /* Check to see if we are exporting private or public only */
490 if ((oclass
& PK_KEY_OBJ
) == PK_PRIKEY_OBJ
)
491 kclass
= KMF_ASYM_PRI
;
492 else if ((oclass
& PK_KEY_OBJ
) == PK_PUBKEY_OBJ
)
493 kclass
= KMF_ASYM_PUB
;
494 else if ((oclass
& PK_KEY_OBJ
) == PK_SYMKEY_OBJ
)
495 kclass
= KMF_SYMMETRIC
;
496 else /* only 1 key at a time can be exported here, so default to pri */
497 kclass
= KMF_ASYM_PRI
;
499 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYCLASS_ATTR
,
500 &kclass
, sizeof (kclass
));
503 rv
= kmf_find_key(kmfhandle
, numattr
, attrlist
);
505 * If nothing found but caller wanted ALL keys, try symmetric
508 if (rv
== KMF_ERR_KEY_NOT_FOUND
&& (oclass
== PK_KEY_OBJ
)) {
509 kclass
= KMF_SYMMETRIC
;
510 rv
= kmf_find_key(kmfhandle
, numattr
, attrlist
);
513 * If nothing found but caller wanted ALL keys, try asymmetric
516 if (rv
== KMF_ERR_KEY_NOT_FOUND
&& (oclass
== PK_KEY_OBJ
)) {
517 kclass
= KMF_ASYM_PUB
;
518 rv
= kmf_find_key(kmfhandle
, numattr
, attrlist
);
520 if (rv
== KMF_OK
&& key
.keyclass
== KMF_SYMMETRIC
) {
521 KMF_RAW_SYM_KEY rkey
;
523 (void) memset(&rkey
, 0, sizeof (KMF_RAW_SYM_KEY
));
524 rv
= kmf_get_sym_key_value(kmfhandle
, &key
, &rkey
);
526 int fd
, n
, total
= 0;
528 fd
= open(filename
, O_CREAT
| O_RDWR
|O_TRUNC
, 0600);
530 rv
= KMF_ERR_OPEN_FILE
;
534 n
= write(fd
, rkey
.keydata
.val
+ total
,
535 rkey
.keydata
.len
- total
);
540 rv
= KMF_ERR_WRITE_FILE
;
545 } while (total
< rkey
.keydata
.len
);
549 kmf_free_bigint(&rkey
.keydata
);
550 kmf_free_kmf_key(kmfhandle
, &key
);
551 } else if (rv
== KMF_OK
) {
552 KMF_KEYSTORE_TYPE sslks
= KMF_KEYSTORE_OPENSSL
;
553 (void) printf(gettext("Found %d asymmetric keys\n"), numkeys
);
556 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
557 &sslks
, sizeof (sslks
));
560 kmf_set_attr_at_index(attrlist
, numattr
, KMF_RAW_KEY_ATTR
,
561 key
.keyp
, sizeof (KMF_RAW_KEY_DATA
));
564 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ENCODE_FORMAT_ATTR
,
565 &format
, sizeof (format
));
568 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEY_FILENAME_ATTR
,
569 filename
, strlen(filename
));
572 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYCLASS_ATTR
,
573 &key
.keyclass
, sizeof (KMF_KEY_CLASS
));
576 rv
= kmf_store_key(kmfhandle
, numattr
, attrlist
);
577 kmf_free_kmf_key(kmfhandle
, &key
);
584 pk_export_pk11_objects(KMF_HANDLE_T kmfhandle
, char *token_spec
,
585 KMF_CREDENTIAL
*cred
, char *certlabel
, char *issuer
, char *subject
,
586 KMF_BIGINT
*serial
, KMF_ENCODE_FORMAT kfmt
,
589 KMF_RETURN rv
= KMF_OK
;
590 KMF_X509_DER_CERT kmfcert
;
591 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_PK11TOKEN
;
593 KMF_ATTRIBUTE attrlist
[16];
595 rv
= select_token(kmfhandle
, token_spec
, TRUE
);
600 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
601 &kstype
, sizeof (kstype
));
605 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CREDENTIAL_ATTR
,
606 cred
, sizeof (KMF_CREDENTIAL
));
609 if (certlabel
!= NULL
) {
610 kmf_set_attr_at_index(attrlist
, numattr
,
611 KMF_CERT_LABEL_ATTR
, certlabel
,
616 if (issuer
!= NULL
) {
617 kmf_set_attr_at_index(attrlist
, numattr
,
618 KMF_ISSUER_NAME_ATTR
, issuer
,
623 if (subject
!= NULL
) {
624 kmf_set_attr_at_index(attrlist
, numattr
,
625 KMF_SUBJECT_NAME_ATTR
, subject
,
630 if (serial
!= NULL
) {
631 kmf_set_attr_at_index(attrlist
, numattr
,
632 KMF_BIGINT_ATTR
, serial
,
633 sizeof (KMF_BIGINT
));
637 rv
= pk_find_export_cert(kmfhandle
, attrlist
, numattr
, &kmfcert
);
640 kstype
= KMF_KEYSTORE_OPENSSL
;
643 kmf_set_attr_at_index(attrlist
, numattr
,
644 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
647 kmf_set_attr_at_index(attrlist
, numattr
,
648 KMF_CERT_DATA_ATTR
, &kmfcert
.certificate
,
652 kmf_set_attr_at_index(attrlist
, numattr
,
653 KMF_CERT_FILENAME_ATTR
, filename
, strlen(filename
));
656 kmf_set_attr_at_index(attrlist
, numattr
,
657 KMF_ENCODE_FORMAT_ATTR
, &kfmt
, sizeof (kfmt
));
660 rv
= kmf_store_cert(kmfhandle
, numattr
, attrlist
);
662 kmf_free_kmf_cert(kmfhandle
, &kmfcert
);
668 * Export objects from one keystore to a file.
671 pk_export(int argc
, char *argv
[])
674 extern int optind_av
;
675 extern char *optarg_av
;
676 char *token_spec
= NULL
;
677 char *filename
= NULL
;
680 char *certlabel
= NULL
;
681 char *subject
= NULL
;
684 char *keyfile
= NULL
;
685 char *certfile
= NULL
;
687 KMF_KEYSTORE_TYPE kstype
= 0;
688 KMF_ENCODE_FORMAT kfmt
= KMF_FORMAT_PKCS12
;
689 KMF_RETURN rv
= KMF_OK
;
690 int oclass
= PK_CERT_OBJ
;
691 KMF_BIGINT serial
= { NULL
, 0 };
692 KMF_HANDLE_T kmfhandle
= NULL
;
693 KMF_CREDENTIAL tokencred
= { NULL
, 0 };
695 /* Parse command line options. Do NOT i18n/l10n. */
696 while ((opt
= getopt_av(argc
, argv
,
697 "k:(keystore)y:(objtype)T:(token)"
699 "l:(label)n:(nickname)s:(subject)"
700 "i:(issuer)S:(serial)"
701 "K:(keyfile)c:(certfile)"
703 "I:(infile)o:(outfile)")) != EOF
) {
704 if (EMPTYSTRING(optarg_av
))
705 return (PK_ERR_USAGE
);
708 kstype
= KS2Int(optarg_av
);
710 return (PK_ERR_USAGE
);
713 oclass
= OT2Int(optarg_av
);
715 return (PK_ERR_USAGE
);
717 case 'T': /* token specifier */
719 return (PK_ERR_USAGE
);
720 token_spec
= optarg_av
;
724 return (PK_ERR_USAGE
);
729 return (PK_ERR_USAGE
);
735 return (PK_ERR_USAGE
);
736 certlabel
= optarg_av
;
740 return (PK_ERR_USAGE
);
745 return (PK_ERR_USAGE
);
752 kfmt
= Str2Format(optarg_av
);
753 if (kfmt
== KMF_FORMAT_UNDEF
)
754 return (PK_ERR_USAGE
);
756 case 'I': /* output file name */
758 return (PK_ERR_USAGE
);
761 case 'o': /* output file name */
763 return (PK_ERR_USAGE
);
764 filename
= optarg_av
;
766 case 'c': /* input cert file name */
768 return (PK_ERR_USAGE
);
769 certfile
= optarg_av
;
771 case 'K': /* input key file name */
773 return (PK_ERR_USAGE
);
777 return (PK_ERR_USAGE
);
781 /* Assume keystore = PKCS#11 if not specified */
783 kstype
= KMF_KEYSTORE_PK11TOKEN
;
785 /* Filename arg is required. */
786 if (EMPTYSTRING(filename
)) {
787 cryptoerror(LOG_STDERR
, gettext("You must specify "
788 "an 'outfile' parameter when exporting.\n"));
789 return (PK_ERR_USAGE
);
792 /* No additional args allowed. */
796 return (PK_ERR_USAGE
);
798 DIR_OPTION_CHECK(kstype
, dir
);
800 /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
801 if ((oclass
& (PK_PUBLIC_OBJ
| PK_PRIVATE_OBJ
)) &&
802 kstype
!= KMF_KEYSTORE_PK11TOKEN
) {
804 (void) fprintf(stderr
, gettext("The objtype parameter "
805 "is only relevant if keystore=pkcs11\n"));
806 return (PK_ERR_USAGE
);
809 if (kstype
== KMF_KEYSTORE_PK11TOKEN
&& EMPTYSTRING(token_spec
))
810 token_spec
= PK_DEFAULT_PK11TOKEN
;
811 else if (kstype
== KMF_KEYSTORE_NSS
&& EMPTYSTRING(token_spec
))
812 token_spec
= DEFAULT_NSS_TOKEN
;
814 if (kstype
== KMF_KEYSTORE_OPENSSL
) {
815 if (kfmt
!= KMF_FORMAT_PKCS12
) {
816 cryptoerror(LOG_STDERR
, gettext("PKCS12 "
817 "is the only export format "
818 "supported for the 'file' "
820 return (PK_ERR_USAGE
);
822 if (EMPTYSTRING(keyfile
) || EMPTYSTRING(certfile
)) {
823 cryptoerror(LOG_STDERR
, gettext("A cert file"
824 "and a key file must be specified "
825 "when exporting to PKCS12 from the "
826 "'file' keystore.\n"));
827 return (PK_ERR_USAGE
);
831 /* Check if the file exists */
832 if (verify_file(filename
) != KMF_OK
) {
833 cryptoerror(LOG_STDERR
,
834 gettext("Warning: file \"%s\" exists, "
835 "will be overwritten."), filename
);
836 if (yesno(gettext("Continue with export? "),
837 gettext("Respond with yes or no.\n"), B_FALSE
) == B_FALSE
) {
840 /* remove the file */
841 (void) unlink(filename
);
845 if (serstr
!= NULL
) {
846 uchar_t
*bytes
= NULL
;
849 rv
= kmf_hexstr_to_bytes((uchar_t
*)serstr
, &bytes
, &bytelen
);
850 if (rv
!= KMF_OK
|| bytes
== NULL
) {
851 (void) fprintf(stderr
, gettext("serial number "
852 "must be specified as a hex number "
853 "(ex: 0x0102030405ffeeddee)\n"));
854 return (PK_ERR_USAGE
);
857 serial
.len
= bytelen
;
861 * We need a password in the following situations:
862 * 1. When accessing PKCS11 token
863 * 2. If NSS keystore, when making a PKCS12 file or when
864 * accessing any private object or key.
866 if (kstype
== KMF_KEYSTORE_PK11TOKEN
||
867 ((kstype
== KMF_KEYSTORE_NSS
) &&
868 ((oclass
& (PK_KEY_OBJ
| PK_PRIVATE_OBJ
)) ||
869 (kfmt
== KMF_FORMAT_PKCS12
)))) {
870 (void) get_token_password(kstype
, token_spec
,
874 if ((rv
= kmf_initialize(&kmfhandle
, NULL
, NULL
)) != KMF_OK
) {
875 cryptoerror(LOG_STDERR
, gettext("Error initializing "
876 "KMF: 0x%02x\n"), rv
);
881 case KMF_KEYSTORE_PK11TOKEN
:
882 if (kfmt
== KMF_FORMAT_PKCS12
)
883 rv
= pk_export_pk12_pk11(kmfhandle
,
884 token_spec
, certlabel
,
888 else if ((oclass
& PK_KEY_OBJ
) ||
889 kfmt
== KMF_FORMAT_RAWKEY
)
890 rv
= pk_export_pk11_keys(kmfhandle
,
891 token_spec
, &tokencred
, kfmt
,
892 certlabel
, filename
, oclass
);
894 rv
= pk_export_pk11_objects(kmfhandle
,
895 token_spec
, &tokencred
, certlabel
,
896 issuer
, subject
, &serial
, kfmt
,
899 case KMF_KEYSTORE_NSS
:
901 dir
= PK_DEFAULT_DIRECTORY
;
902 if (kfmt
== KMF_FORMAT_PKCS12
)
903 rv
= pk_export_pk12_nss(kmfhandle
,
904 token_spec
, dir
, prefix
,
907 &tokencred
, filename
);
909 rv
= pk_export_nss_objects(kmfhandle
,
911 oclass
, certlabel
, issuer
, subject
,
912 &serial
, kfmt
, dir
, prefix
, filename
);
914 case KMF_KEYSTORE_OPENSSL
:
915 if (kfmt
== KMF_FORMAT_PKCS12
)
916 rv
= pk_export_pk12_files(kmfhandle
,
917 certfile
, keyfile
, filename
);
919 rv
= pk_export_file_objects(kmfhandle
, oclass
,
920 issuer
, subject
, &serial
,
929 display_error(kmfhandle
, rv
,
930 gettext("Error exporting objects"));
935 (void) kmf_finalize(kmfhandle
);
