4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2012 Milan Jurik. All rights reserved.
27 * This file implements the token object list operation for this tool.
28 * It loads the PKCS#11 modules, finds the object to list, lists it,
29 * and cleans up. User must be logged into the token to list private
36 #include <cryptoutil.h>
37 #include <security/cryptoki.h>
43 pk_show_certs(KMF_HANDLE_T kmfhandle
, KMF_X509_DER_CERT
*certs
, int num_certs
)
46 char *subject
, *issuer
, *serial
, *id
, *altname
;
47 char *start
, *end
, *keyusage
, *extkeyusage
;
49 for (i
= 0; i
< num_certs
; i
++) {
56 keyusage
= extkeyusage
= NULL
;
58 (void) fprintf(stdout
,
59 gettext("%d. (X.509 certificate)\n"), i
+ 1);
60 if (certs
[i
].kmf_private
.label
!= NULL
)
61 (void) fprintf(stdout
, gettext("\t%s: %s\n"),
62 (certs
[i
].kmf_private
.keystore_type
==
63 KMF_KEYSTORE_OPENSSL
? "Filename" : "Label"),
64 certs
[i
].kmf_private
.label
);
65 if (kmf_get_cert_id_str(&certs
[i
].certificate
,
67 (void) fprintf(stdout
, gettext("\tID: %s\n"), id
);
68 if (kmf_get_cert_subject_str(kmfhandle
,
69 &certs
[i
].certificate
, &subject
) == KMF_OK
)
70 (void) fprintf(stdout
, gettext("\tSubject: %s\n"),
72 if (kmf_get_cert_issuer_str(kmfhandle
,
73 &certs
[i
].certificate
, &issuer
) == KMF_OK
)
74 (void) fprintf(stdout
, gettext("\tIssuer: %s\n"),
76 if (kmf_get_cert_start_date_str(kmfhandle
,
77 &certs
[i
].certificate
, &start
) == KMF_OK
)
78 (void) fprintf(stdout
, gettext("\tNot Before: %s\n"),
80 if (kmf_get_cert_end_date_str(kmfhandle
,
81 &certs
[i
].certificate
, &end
) == KMF_OK
)
82 (void) fprintf(stdout
, gettext("\tNot After: %s\n"),
84 if (kmf_get_cert_serial_str(kmfhandle
,
85 &certs
[i
].certificate
, &serial
) == KMF_OK
)
86 (void) fprintf(stdout
, gettext("\tSerial: %s\n"),
88 if (kmf_get_cert_extn_str(kmfhandle
,
89 &certs
[i
].certificate
, KMF_X509_EXT_SUBJ_ALTNAME
,
90 &altname
) == KMF_OK
) {
91 (void) fprintf(stdout
, gettext("\t%s\n"),
94 if (kmf_get_cert_extn_str(kmfhandle
,
95 &certs
[i
].certificate
, KMF_X509_EXT_KEY_USAGE
,
96 &keyusage
) == KMF_OK
) {
97 (void) fprintf(stdout
, gettext("\t%s\n"),
100 if (kmf_get_cert_extn_str(kmfhandle
,
101 &certs
[i
].certificate
, KMF_X509_EXT_EXT_KEY_USAGE
,
102 &extkeyusage
) == KMF_OK
) {
103 (void) fprintf(stdout
, gettext("\t%s\n"),
106 kmf_free_str(subject
);
107 kmf_free_str(issuer
);
108 kmf_free_str(serial
);
110 kmf_free_str(altname
);
111 kmf_free_str(keyusage
);
112 kmf_free_str(extkeyusage
);
115 (void) fprintf(stdout
, "\n");
120 describeKey(KMF_KEY_HANDLE
*key
)
122 if (key
->keyclass
== KMF_ASYM_PUB
) {
123 if (key
->keyalg
== KMF_RSA
)
124 return (gettext("RSA public key"));
125 if (key
->keyalg
== KMF_DSA
)
126 return (gettext("DSA public key"));
127 if (key
->keyalg
== KMF_ECDSA
)
128 return (gettext("ECDSA public key"));
130 if (key
->keyclass
== KMF_ASYM_PRI
) {
131 if (key
->keyalg
== KMF_RSA
)
132 return (gettext("RSA private key"));
133 if (key
->keyalg
== KMF_DSA
)
134 return (gettext("DSA private key"));
135 if (key
->keyalg
== KMF_ECDSA
)
136 return (gettext("ECDSA private key"));
138 if (key
->keyclass
== KMF_SYMMETRIC
) {
139 switch (key
->keyalg
) {
141 return (gettext("AES"));
143 return (gettext("ARCFOUR"));
145 return (gettext("DES"));
147 return (gettext("Triple-DES"));
149 return (gettext("symmetric"));
153 return (gettext("unrecognized key object"));
159 pk_show_keys(void *handle
, KMF_KEY_HANDLE
*keys
, int numkeys
)
163 for (i
= 0; i
< numkeys
; i
++) {
164 (void) fprintf(stdout
, gettext("Key #%d - %s: %s"),
165 i
+1, describeKey(&keys
[i
]),
166 keys
[i
].keylabel
? keys
[i
].keylabel
:
167 gettext("No label"));
169 if (keys
[i
].keyclass
== KMF_SYMMETRIC
) {
171 KMF_RAW_SYM_KEY rkey
;
173 (void) memset(&rkey
, 0, sizeof (rkey
));
174 rv
= kmf_get_sym_key_value(handle
, &keys
[i
],
177 (void) fprintf(stdout
, " (%d bits)",
178 rkey
.keydata
.len
* 8);
179 kmf_free_bigint(&rkey
.keydata
);
180 } else if (keys
[i
].kstype
== KMF_KEYSTORE_PK11TOKEN
) {
181 if (rv
== KMF_ERR_SENSITIVE_KEY
) {
182 (void) fprintf(stdout
, " (sensitive)");
183 } else if (rv
== KMF_ERR_UNEXTRACTABLE_KEY
) {
184 (void) fprintf(stdout
,
185 " (non-extractable)");
188 if (kmf_get_kmf_error_str(rv
, &err
) ==
190 (void) fprintf(stdout
,
191 " (error: %s)", err
);
196 (void) fprintf(stdout
, "\n");
201 * Generic routine used by all "list cert" operations to find
202 * all matching certificates.
205 pk_find_certs(KMF_HANDLE_T kmfhandle
, KMF_ATTRIBUTE
*attrlist
, int numattr
)
207 KMF_RETURN rv
= KMF_OK
;
208 KMF_X509_DER_CERT
*certlist
= NULL
;
209 uint32_t numcerts
= 0;
210 KMF_KEYSTORE_TYPE kstype
;
212 rv
= kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR
, attrlist
, numattr
,
217 kmf_set_attr_at_index(attrlist
, numattr
, KMF_COUNT_ATTR
,
218 &numcerts
, sizeof (uint32_t));
221 rv
= kmf_find_cert(kmfhandle
, numattr
, attrlist
);
222 if (rv
== KMF_OK
&& numcerts
> 0) {
223 (void) printf(gettext("Found %d certificates.\n"),
225 certlist
= (KMF_X509_DER_CERT
*)malloc(numcerts
*
226 sizeof (KMF_X509_DER_CERT
));
227 if (certlist
== NULL
)
228 return (KMF_ERR_MEMORY
);
229 (void) memset(certlist
, 0, numcerts
*
230 sizeof (KMF_X509_DER_CERT
));
232 kmf_set_attr_at_index(attrlist
, numattr
,
233 KMF_X509_DER_CERT_ATTR
, certlist
,
234 sizeof (KMF_X509_DER_CERT
));
237 rv
= kmf_find_cert(kmfhandle
, numattr
, attrlist
);
240 (void) pk_show_certs(kmfhandle
, certlist
,
242 for (i
= 0; i
< numcerts
; i
++)
243 kmf_free_kmf_cert(kmfhandle
, &certlist
[i
]);
247 if (rv
== KMF_ERR_CERT_NOT_FOUND
&&
248 kstype
!= KMF_KEYSTORE_OPENSSL
)
255 pk_list_keys(void *handle
, KMF_ATTRIBUTE
*attrlist
, int numattr
, char *label
)
258 KMF_KEY_HANDLE
*keys
;
259 uint32_t numkeys
= 0;
260 KMF_KEYSTORE_TYPE kstype
;
262 rv
= kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR
, attrlist
, numattr
,
267 kmf_set_attr_at_index(attrlist
, numattr
, KMF_COUNT_ATTR
,
268 &numkeys
, sizeof (uint32_t));
271 rv
= kmf_find_key(handle
, numattr
, attrlist
);
272 if (rv
== KMF_OK
&& numkeys
> 0) {
274 (void) printf(gettext("Found %d %s keys.\n"),
276 keys
= (KMF_KEY_HANDLE
*)malloc(numkeys
*
277 sizeof (KMF_KEY_HANDLE
));
279 return (KMF_ERR_MEMORY
);
280 (void) memset(keys
, 0, numkeys
*
281 sizeof (KMF_KEY_HANDLE
));
283 kmf_set_attr_at_index(attrlist
, numattr
,
285 keys
, sizeof (KMF_KEY_HANDLE
));
288 rv
= kmf_find_key(handle
, numattr
, attrlist
);
290 pk_show_keys(handle
, keys
, numkeys
);
291 for (i
= 0; i
< numkeys
; i
++)
292 kmf_free_kmf_key(handle
, &keys
[i
]);
295 if (rv
== KMF_ERR_KEY_NOT_FOUND
&&
296 kstype
!= KMF_KEYSTORE_OPENSSL
)
302 list_pk11_objects(KMF_HANDLE_T kmfhandle
, char *token
, int oclass
,
303 char *objlabel
, KMF_BIGINT
*serial
, char *issuer
, char *subject
,
304 char *dir
, char *filename
, KMF_CREDENTIAL
*tokencred
,
305 KMF_CERT_VALIDITY find_criteria_flag
)
308 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_PK11TOKEN
;
310 KMF_ATTRIBUTE attrlist
[18];
311 boolean_t token_bool
= B_TRUE
;
312 boolean_t
private = B_FALSE
;
313 KMF_KEY_CLASS keyclass
;
314 KMF_ENCODE_FORMAT format
;
316 KMF_CREDENTIAL cred
= { NULL
, 0 };
319 * Symmetric keys and RSA/DSA/ECDSA private keys are always
320 * created with the "CKA_PRIVATE" field == TRUE, so
321 * make sure we search for them with it also set.
323 if (oclass
& (PK_SYMKEY_OBJ
| PK_PRIKEY_OBJ
))
324 oclass
|= PK_PRIVATE_OBJ
;
326 rv
= select_token(kmfhandle
, token
,
327 !(oclass
& (PK_PRIVATE_OBJ
| PK_PRIKEY_OBJ
)));
333 rv
= token_auth_needed(kmfhandle
, token
, &auth
);
337 if (tokencred
!= NULL
)
340 if (oclass
& (PK_KEY_OBJ
| PK_PRIVATE_OBJ
)) {
341 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
342 &kstype
, sizeof (kstype
));
345 if (objlabel
!= NULL
) {
346 kmf_set_attr_at_index(attrlist
, numattr
,
347 KMF_KEYLABEL_ATTR
, objlabel
,
352 private = ((oclass
& PK_PRIVATE_OBJ
) > 0);
354 kmf_set_attr_at_index(attrlist
, numattr
,
355 KMF_PRIVATE_BOOL_ATTR
, &private,
359 kmf_set_attr_at_index(attrlist
, numattr
,
360 KMF_TOKEN_BOOL_ATTR
, &token_bool
,
361 sizeof (token_bool
));
364 if (oclass
& PK_PRIKEY_OBJ
) {
367 keyclass
= KMF_ASYM_PRI
;
368 kmf_set_attr_at_index(attrlist
, num
,
369 KMF_KEYCLASS_ATTR
, &keyclass
,
373 if (tokencred
!= NULL
&&
374 tokencred
->credlen
> 0) {
375 kmf_set_attr_at_index(attrlist
, num
,
376 KMF_CREDENTIAL_ATTR
, tokencred
,
377 sizeof (KMF_CREDENTIAL
));
381 /* list asymmetric private keys */
382 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
383 "asymmetric private");
386 if (rv
== KMF_OK
&& (oclass
& PK_SYMKEY_OBJ
)) {
389 keyclass
= KMF_SYMMETRIC
;
390 kmf_set_attr_at_index(attrlist
, num
,
391 KMF_KEYCLASS_ATTR
, &keyclass
,
395 if (tokencred
!= NULL
&&
396 tokencred
->credlen
> 0) {
397 kmf_set_attr_at_index(attrlist
, num
,
398 KMF_CREDENTIAL_ATTR
, tokencred
,
399 sizeof (KMF_CREDENTIAL
));
403 format
= KMF_FORMAT_RAWKEY
;
404 kmf_set_attr_at_index(attrlist
, num
,
405 KMF_ENCODE_FORMAT_ATTR
, &format
,
409 /* list symmetric keys */
410 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
414 if (rv
== KMF_OK
&& (oclass
& PK_PUBKEY_OBJ
)) {
417 if (auth
> 0 && (tokencred
== NULL
||
418 tokencred
->cred
== NULL
) &&
419 (cred
.cred
== NULL
)) {
420 (void) get_token_password(kstype
, token
, &cred
);
421 kmf_set_attr_at_index(attrlist
, num
,
423 &cred
, sizeof (KMF_CREDENTIAL
));
428 keyclass
= KMF_ASYM_PUB
;
429 kmf_set_attr_at_index(attrlist
, num
,
430 KMF_KEYCLASS_ATTR
, &keyclass
,
434 /* list asymmetric public keys (if any) */
435 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
436 "asymmetric public");
444 if (oclass
& (PK_CERT_OBJ
| PK_PUBLIC_OBJ
)) {
445 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
446 &kstype
, sizeof (kstype
));
449 if (auth
> 0 && (cred
.cred
== NULL
)) {
450 (void) get_token_password(kstype
, token
, &cred
);
453 if (cred
.cred
!= NULL
) {
454 kmf_set_attr_at_index(attrlist
, numattr
,
456 &cred
, sizeof (KMF_CREDENTIAL
));
460 if (objlabel
!= NULL
) {
461 kmf_set_attr_at_index(attrlist
, numattr
,
462 KMF_CERT_LABEL_ATTR
, objlabel
,
467 if (issuer
!= NULL
) {
468 kmf_set_attr_at_index(attrlist
, numattr
,
469 KMF_ISSUER_NAME_ATTR
, issuer
,
474 if (subject
!= NULL
) {
475 kmf_set_attr_at_index(attrlist
, numattr
,
476 KMF_SUBJECT_NAME_ATTR
, subject
,
481 if (serial
!= NULL
&& serial
->val
!= NULL
) {
482 kmf_set_attr_at_index(attrlist
, numattr
,
483 KMF_BIGINT_ATTR
, serial
,
484 sizeof (KMF_BIGINT
));
488 kmf_set_attr_at_index(attrlist
, numattr
,
489 KMF_PRIVATE_BOOL_ATTR
, &private,
493 kmf_set_attr_at_index(attrlist
, numattr
,
494 KMF_CERT_VALIDITY_ATTR
, &find_criteria_flag
,
495 sizeof (KMF_CERT_VALIDITY
));
498 rv
= pk_find_certs(kmfhandle
, attrlist
, numattr
);
504 kstype
= KMF_KEYSTORE_OPENSSL
; /* CRL is file-based */
505 if (oclass
& PK_CRL_OBJ
) {
506 char *crldata
= NULL
;
508 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
509 &kstype
, sizeof (kstype
));
513 kmf_set_attr_at_index(attrlist
, numattr
,
514 KMF_DIRPATH_ATTR
, dir
, strlen(dir
));
517 if (filename
!= NULL
) {
518 kmf_set_attr_at_index(attrlist
, numattr
,
519 KMF_CRL_FILENAME_ATTR
,
520 filename
, strlen(filename
));
523 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CRL_DATA_ATTR
,
524 &crldata
, sizeof (char *));
527 rv
= kmf_list_crl(kmfhandle
, numattr
, attrlist
);
528 if (rv
== KMF_OK
&& crldata
!= NULL
) {
529 (void) printf("%s\n", crldata
);
538 list_file_objects(KMF_HANDLE_T kmfhandle
, int oclass
,
539 char *dir
, char *filename
, KMF_BIGINT
*serial
,
540 char *issuer
, char *subject
,
541 KMF_CERT_VALIDITY find_criteria_flag
)
543 KMF_RETURN rv
= KMF_OK
;
544 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_OPENSSL
;
546 KMF_ATTRIBUTE attrlist
[16];
547 KMF_KEY_CLASS keyclass
;
548 KMF_ENCODE_FORMAT format
;
549 char *defaultdir
= ".";
551 if (oclass
& PK_KEY_OBJ
) {
552 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
553 &kstype
, sizeof (kstype
));
556 if (dir
== NULL
&& filename
== NULL
)
560 kmf_set_attr_at_index(attrlist
, numattr
,
561 KMF_DIRPATH_ATTR
, dir
,
566 if (filename
!= NULL
) {
567 kmf_set_attr_at_index(attrlist
, numattr
,
568 KMF_KEY_FILENAME_ATTR
, filename
,
573 if (oclass
& PK_PRIKEY_OBJ
) {
576 keyclass
= KMF_ASYM_PRI
;
577 kmf_set_attr_at_index(attrlist
, num
,
578 KMF_KEYCLASS_ATTR
, &keyclass
,
582 /* list asymmetric private keys */
583 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
584 "asymmetric private");
586 if (rv
== KMF_ERR_KEY_NOT_FOUND
)
589 if (rv
== KMF_OK
&& (oclass
& PK_SYMKEY_OBJ
)) {
592 keyclass
= KMF_SYMMETRIC
;
593 kmf_set_attr_at_index(attrlist
, num
,
594 KMF_KEYCLASS_ATTR
, &keyclass
,
598 format
= KMF_FORMAT_RAWKEY
;
599 kmf_set_attr_at_index(attrlist
, num
,
600 KMF_ENCODE_FORMAT_ATTR
, &format
,
604 /* list symmetric keys */
605 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
608 if (rv
== KMF_ERR_KEY_NOT_FOUND
)
615 if (oclass
& PK_CERT_OBJ
) {
616 kmf_set_attr_at_index(attrlist
, numattr
,
617 KMF_KEYSTORE_TYPE_ATTR
, &kstype
,
621 if (issuer
!= NULL
) {
622 kmf_set_attr_at_index(attrlist
, numattr
,
623 KMF_ISSUER_NAME_ATTR
, issuer
,
628 if (subject
!= NULL
) {
629 kmf_set_attr_at_index(attrlist
, numattr
,
630 KMF_SUBJECT_NAME_ATTR
, subject
,
635 if (serial
!= NULL
&& serial
->val
!= NULL
) {
636 kmf_set_attr_at_index(attrlist
, numattr
,
637 KMF_BIGINT_ATTR
, serial
,
638 sizeof (KMF_BIGINT
));
642 if (filename
!= NULL
) {
643 kmf_set_attr_at_index(attrlist
, numattr
,
644 KMF_CERT_FILENAME_ATTR
, filename
,
650 kmf_set_attr_at_index(attrlist
, numattr
,
651 KMF_DIRPATH_ATTR
, dir
,
656 kmf_set_attr_at_index(attrlist
, numattr
,
657 KMF_CERT_VALIDITY_ATTR
, &find_criteria_flag
,
658 sizeof (KMF_CERT_VALIDITY
));
661 rv
= pk_find_certs(kmfhandle
, attrlist
, numattr
);
667 if (oclass
& PK_CRL_OBJ
) {
668 char *crldata
= NULL
;
670 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
671 &kstype
, sizeof (kstype
));
675 kmf_set_attr_at_index(attrlist
, numattr
,
676 KMF_DIRPATH_ATTR
, dir
, strlen(dir
));
679 if (filename
!= NULL
) {
680 kmf_set_attr_at_index(attrlist
, numattr
,
681 KMF_CRL_FILENAME_ATTR
,
682 filename
, strlen(filename
));
685 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CRL_DATA_ATTR
,
686 &crldata
, sizeof (char *));
689 rv
= kmf_list_crl(kmfhandle
, numattr
, attrlist
);
690 if (rv
== KMF_OK
&& crldata
!= NULL
) {
691 (void) printf("%s\n", crldata
);
700 list_nss_objects(KMF_HANDLE_T kmfhandle
,
701 int oclass
, char *token_spec
, char *dir
, char *prefix
,
702 char *nickname
, KMF_BIGINT
*serial
, char *issuer
, char *subject
,
703 KMF_CREDENTIAL
*tokencred
,
704 KMF_CERT_VALIDITY find_criteria_flag
)
706 KMF_RETURN rv
= KMF_OK
;
707 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_NSS
;
709 KMF_ATTRIBUTE attrlist
[16];
710 KMF_KEY_CLASS keyclass
;
711 KMF_ENCODE_FORMAT format
;
713 rv
= configure_nss(kmfhandle
, dir
, prefix
);
717 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
718 &kstype
, sizeof (kstype
));
721 if (oclass
& PK_KEY_OBJ
) {
722 if (tokencred
!= NULL
&& tokencred
->credlen
> 0) {
723 kmf_set_attr_at_index(attrlist
, numattr
,
724 KMF_CREDENTIAL_ATTR
, tokencred
,
725 sizeof (KMF_CREDENTIAL
));
729 if (token_spec
&& strlen(token_spec
)) {
730 kmf_set_attr_at_index(attrlist
, numattr
,
731 KMF_TOKEN_LABEL_ATTR
, token_spec
,
736 if (nickname
!= NULL
) {
737 kmf_set_attr_at_index(attrlist
, numattr
,
738 KMF_KEYLABEL_ATTR
, nickname
,
744 if (oclass
& PK_PRIKEY_OBJ
) {
747 keyclass
= KMF_ASYM_PRI
;
748 kmf_set_attr_at_index(attrlist
, num
,
749 KMF_KEYCLASS_ATTR
, &keyclass
,
753 /* list asymmetric private keys */
754 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
755 "asymmetric private");
758 if (rv
== KMF_OK
&& (oclass
& PK_SYMKEY_OBJ
)) {
761 keyclass
= KMF_SYMMETRIC
;
762 kmf_set_attr_at_index(attrlist
, num
,
763 KMF_KEYCLASS_ATTR
, &keyclass
,
767 format
= KMF_FORMAT_RAWKEY
;
768 kmf_set_attr_at_index(attrlist
, num
,
769 KMF_ENCODE_FORMAT_ATTR
, &format
,
773 /* list symmetric keys */
774 rv
= pk_list_keys(kmfhandle
, attrlist
, num
, "symmetric");
777 if (rv
== KMF_OK
&& (oclass
& PK_PUBKEY_OBJ
)) {
780 keyclass
= KMF_ASYM_PUB
;
781 kmf_set_attr_at_index(attrlist
, num
,
782 KMF_KEYCLASS_ATTR
, &keyclass
,
786 /* list asymmetric public keys */
787 rv
= pk_list_keys(kmfhandle
, attrlist
, num
,
788 "asymmetric public");
791 /* If searching for public objects or certificates, find certs now */
793 if (rv
== KMF_OK
&& (oclass
& PK_CERT_OBJ
)) {
794 kmf_set_attr_at_index(attrlist
, numattr
,
795 KMF_KEYSTORE_TYPE_ATTR
, &kstype
,
799 if (nickname
!= NULL
) {
800 kmf_set_attr_at_index(attrlist
, numattr
,
801 KMF_CERT_LABEL_ATTR
, nickname
,
806 if (issuer
!= NULL
) {
807 kmf_set_attr_at_index(attrlist
, numattr
,
808 KMF_ISSUER_NAME_ATTR
, issuer
,
813 if (subject
!= NULL
) {
814 kmf_set_attr_at_index(attrlist
, numattr
,
815 KMF_SUBJECT_NAME_ATTR
, subject
,
820 if (serial
!= NULL
) {
821 kmf_set_attr_at_index(attrlist
, numattr
,
822 KMF_BIGINT_ATTR
, serial
,
823 sizeof (KMF_BIGINT
));
827 if (token_spec
!= NULL
) {
828 kmf_set_attr_at_index(attrlist
, numattr
,
829 KMF_TOKEN_LABEL_ATTR
, token_spec
,
834 kmf_set_attr_at_index(attrlist
, numattr
,
835 KMF_CERT_VALIDITY_ATTR
, &find_criteria_flag
,
836 sizeof (KMF_CERT_VALIDITY
));
839 rv
= pk_find_certs(kmfhandle
, attrlist
, numattr
);
843 if (rv
== KMF_OK
&& (oclass
& PK_CRL_OBJ
)) {
846 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
847 &kstype
, sizeof (kstype
));
850 if (token_spec
!= NULL
) {
851 kmf_set_attr_at_index(attrlist
, numattr
,
852 KMF_TOKEN_LABEL_ATTR
,
853 token_spec
, strlen(token_spec
));
856 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CRL_COUNT_ATTR
,
857 &numcrls
, sizeof (int));
860 rv
= kmf_find_crl(kmfhandle
, numattr
, attrlist
);
864 (void) printf(gettext("No CRLs found in "
869 p
= malloc(numcrls
* sizeof (char *));
871 return (KMF_ERR_MEMORY
);
873 (void) memset(p
, 0, numcrls
* sizeof (char *));
875 kmf_set_attr_at_index(attrlist
, numattr
,
876 KMF_CRL_NAMELIST_ATTR
, p
, sizeof (char *));
878 rv
= kmf_find_crl(kmfhandle
, numattr
, attrlist
);
881 for (i
= 0; i
< numcrls
; i
++) {
882 (void) printf("%d. Name = %s\n",
897 pk_list(int argc
, char *argv
[])
900 extern int optind_av
;
901 extern char *optarg_av
;
902 char *token_spec
= NULL
;
903 char *subject
= NULL
;
907 char *filename
= NULL
;
909 KMF_BIGINT serial
= { NULL
, 0 };
911 char *list_label
= NULL
;
913 KMF_KEYSTORE_TYPE kstype
= 0;
914 KMF_RETURN rv
= KMF_OK
;
915 KMF_HANDLE_T kmfhandle
= NULL
;
916 char *find_criteria
= NULL
;
917 KMF_CERT_VALIDITY find_criteria_flag
= KMF_ALL_CERTS
;
918 KMF_CREDENTIAL tokencred
= { NULL
, 0 };
920 /* Parse command line options. Do NOT i18n/l10n. */
921 while ((opt
= getopt_av(argc
, argv
,
922 "k:(keystore)t:(objtype)T:(token)d:(dir)"
923 "p:(prefix)n:(nickname)S:(serial)s:(subject)"
925 "i:(issuer)l:(label)f:(infile)")) != EOF
) {
926 if (EMPTYSTRING(optarg_av
))
927 return (PK_ERR_USAGE
);
931 return (PK_ERR_USAGE
);
932 kstype
= KS2Int(optarg_av
);
934 return (PK_ERR_USAGE
);
938 return (PK_ERR_USAGE
);
939 oclass
= OT2Int(optarg_av
);
941 return (PK_ERR_USAGE
);
945 return (PK_ERR_USAGE
);
950 return (PK_ERR_USAGE
);
955 return (PK_ERR_USAGE
);
960 return (PK_ERR_USAGE
);
968 return (PK_ERR_USAGE
);
969 filename
= optarg_av
;
971 case 'T': /* token specifier */
973 return (PK_ERR_USAGE
);
974 token_spec
= optarg_av
;
977 case 'l': /* object with specific label */
979 return (PK_ERR_USAGE
);
980 list_label
= optarg_av
;
983 find_criteria
= optarg_av
;
984 if (!strcasecmp(find_criteria
, "valid"))
986 KMF_NONEXPIRED_CERTS
;
987 else if (!strcasecmp(find_criteria
, "expired"))
988 find_criteria_flag
= KMF_EXPIRED_CERTS
;
989 else if (!strcasecmp(find_criteria
, "both"))
990 find_criteria_flag
= KMF_ALL_CERTS
;
992 return (PK_ERR_USAGE
);
995 return (PK_ERR_USAGE
);
998 /* No additional args allowed. */
1002 return (PK_ERR_USAGE
);
1004 if ((rv
= kmf_initialize(&kmfhandle
, NULL
, NULL
)) != KMF_OK
) {
1005 /* Error message ? */
1009 /* Assume keystore = PKCS#11 if not specified. */
1011 kstype
= KMF_KEYSTORE_PK11TOKEN
;
1013 /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
1014 if ((oclass
& (PK_PUBLIC_OBJ
| PK_PRIVATE_OBJ
)) &&
1015 kstype
!= KMF_KEYSTORE_PK11TOKEN
) {
1017 (void) fprintf(stderr
, gettext("The objtype parameter "
1018 "is only relevant if keystore=pkcs11\n"));
1019 return (PK_ERR_USAGE
);
1023 if (kstype
== KMF_KEYSTORE_PK11TOKEN
&& EMPTYSTRING(token_spec
)) {
1024 token_spec
= PK_DEFAULT_PK11TOKEN
;
1025 } else if (kstype
== KMF_KEYSTORE_NSS
&& EMPTYSTRING(token_spec
)) {
1026 token_spec
= DEFAULT_NSS_TOKEN
;
1029 if (serstr
!= NULL
) {
1030 uchar_t
*bytes
= NULL
;
1033 rv
= kmf_hexstr_to_bytes((uchar_t
*)serstr
, &bytes
, &bytelen
);
1034 if (rv
!= KMF_OK
|| bytes
== NULL
) {
1035 (void) fprintf(stderr
, gettext("serial number "
1036 "must be specified as a hex number "
1037 "(ex: 0x0102030405ffeeddee)\n"));
1038 return (PK_ERR_USAGE
);
1041 serial
.len
= bytelen
;
1042 /* if objtype was not given, it must be for certs */
1044 oclass
= PK_CERT_OBJ
;
1046 if (oclass
== 0 && (issuer
!= NULL
|| subject
!= NULL
))
1047 oclass
= PK_CERT_OBJ
;
1049 /* If no object class specified, list public objects. */
1051 oclass
= PK_CERT_OBJ
| PK_PUBKEY_OBJ
;
1053 if ((kstype
== KMF_KEYSTORE_PK11TOKEN
||
1054 kstype
== KMF_KEYSTORE_NSS
) &&
1055 (oclass
& (PK_PRIKEY_OBJ
| PK_PRIVATE_OBJ
))) {
1057 (void) get_token_password(kstype
, token_spec
,
1060 if (kstype
== KMF_KEYSTORE_PK11TOKEN
) {
1061 rv
= list_pk11_objects(kmfhandle
, token_spec
,
1062 oclass
, list_label
, &serial
,
1063 issuer
, subject
, dir
, filename
,
1064 &tokencred
, find_criteria_flag
);
1066 } else if (kstype
== KMF_KEYSTORE_NSS
) {
1068 dir
= PK_DEFAULT_DIRECTORY
;
1069 rv
= list_nss_objects(kmfhandle
,
1070 oclass
, token_spec
, dir
, prefix
,
1071 list_label
, &serial
, issuer
, subject
,
1072 &tokencred
, find_criteria_flag
);
1074 } else if (kstype
== KMF_KEYSTORE_OPENSSL
) {
1076 rv
= list_file_objects(kmfhandle
,
1077 oclass
, dir
, filename
,
1078 &serial
, issuer
, subject
, find_criteria_flag
);
1082 display_error(kmfhandle
, rv
,
1083 gettext("Error listing objects"));
1088 free(tokencred
.cred
);
1090 (void) kmf_finalize(kmfhandle
);
