add UNLEASHED_OBJ to unleashed.mk
[unleashed/tickless.git] / usr / src / cmd / cmd-crypto / pktool / list.c
blob9dd60c857df92ce6b3c249a904acb81309d67df4
1 /*
2 * CDDL HEADER START
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
19 * CDDL HEADER END
22 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
23 * Copyright 2012 Milan Jurik. All rights reserved.
27 * This file implements the token object list operation for this tool.
28 * It loads the PKCS#11 modules, finds the object to list, lists it,
29 * and cleans up. User must be logged into the token to list private
30 * objects.
33 #include <stdio.h>
34 #include <errno.h>
35 #include <string.h>
36 #include <cryptoutil.h>
37 #include <security/cryptoki.h>
38 #include "common.h"
40 #include <kmfapi.h>
42 static void
43 pk_show_certs(KMF_HANDLE_T kmfhandle, KMF_X509_DER_CERT *certs, int num_certs)
45 int i;
46 char *subject, *issuer, *serial, *id, *altname;
47 char *start, *end, *keyusage, *extkeyusage;
49 for (i = 0; i < num_certs; i++) {
50 subject = NULL;
51 issuer = NULL;
52 serial = NULL;
53 id = NULL;
54 altname = NULL;
55 start = end = NULL;
56 keyusage = extkeyusage = NULL;
58 (void) fprintf(stdout,
59 gettext("%d. (X.509 certificate)\n"), i + 1);
60 if (certs[i].kmf_private.label != NULL)
61 (void) fprintf(stdout, gettext("\t%s: %s\n"),
62 (certs[i].kmf_private.keystore_type ==
63 KMF_KEYSTORE_OPENSSL ? "Filename" : "Label"),
64 certs[i].kmf_private.label);
65 if (kmf_get_cert_id_str(&certs[i].certificate,
66 &id) == KMF_OK)
67 (void) fprintf(stdout, gettext("\tID: %s\n"), id);
68 if (kmf_get_cert_subject_str(kmfhandle,
69 &certs[i].certificate, &subject) == KMF_OK)
70 (void) fprintf(stdout, gettext("\tSubject: %s\n"),
71 subject);
72 if (kmf_get_cert_issuer_str(kmfhandle,
73 &certs[i].certificate, &issuer) == KMF_OK)
74 (void) fprintf(stdout, gettext("\tIssuer: %s\n"),
75 issuer);
76 if (kmf_get_cert_start_date_str(kmfhandle,
77 &certs[i].certificate, &start) == KMF_OK)
78 (void) fprintf(stdout, gettext("\tNot Before: %s\n"),
79 start);
80 if (kmf_get_cert_end_date_str(kmfhandle,
81 &certs[i].certificate, &end) == KMF_OK)
82 (void) fprintf(stdout, gettext("\tNot After: %s\n"),
83 end);
84 if (kmf_get_cert_serial_str(kmfhandle,
85 &certs[i].certificate, &serial) == KMF_OK)
86 (void) fprintf(stdout, gettext("\tSerial: %s\n"),
87 serial);
88 if (kmf_get_cert_extn_str(kmfhandle,
89 &certs[i].certificate, KMF_X509_EXT_SUBJ_ALTNAME,
90 &altname) == KMF_OK) {
91 (void) fprintf(stdout, gettext("\t%s\n"),
92 altname);
94 if (kmf_get_cert_extn_str(kmfhandle,
95 &certs[i].certificate, KMF_X509_EXT_KEY_USAGE,
96 &keyusage) == KMF_OK) {
97 (void) fprintf(stdout, gettext("\t%s\n"),
98 keyusage);
100 if (kmf_get_cert_extn_str(kmfhandle,
101 &certs[i].certificate, KMF_X509_EXT_EXT_KEY_USAGE,
102 &extkeyusage) == KMF_OK) {
103 (void) fprintf(stdout, gettext("\t%s\n"),
104 extkeyusage);
106 kmf_free_str(subject);
107 kmf_free_str(issuer);
108 kmf_free_str(serial);
109 kmf_free_str(id);
110 kmf_free_str(altname);
111 kmf_free_str(keyusage);
112 kmf_free_str(extkeyusage);
113 kmf_free_str(start);
114 kmf_free_str(end);
115 (void) fprintf(stdout, "\n");
119 static char *
120 describeKey(KMF_KEY_HANDLE *key)
122 if (key->keyclass == KMF_ASYM_PUB) {
123 if (key->keyalg == KMF_RSA)
124 return (gettext("RSA public key"));
125 if (key->keyalg == KMF_DSA)
126 return (gettext("DSA public key"));
127 if (key->keyalg == KMF_ECDSA)
128 return (gettext("ECDSA public key"));
130 if (key->keyclass == KMF_ASYM_PRI) {
131 if (key->keyalg == KMF_RSA)
132 return (gettext("RSA private key"));
133 if (key->keyalg == KMF_DSA)
134 return (gettext("DSA private key"));
135 if (key->keyalg == KMF_ECDSA)
136 return (gettext("ECDSA private key"));
138 if (key->keyclass == KMF_SYMMETRIC) {
139 switch (key->keyalg) {
140 case KMF_AES:
141 return (gettext("AES"));
142 case KMF_RC4:
143 return (gettext("ARCFOUR"));
144 case KMF_DES:
145 return (gettext("DES"));
146 case KMF_DES3:
147 return (gettext("Triple-DES"));
148 default:
149 return (gettext("symmetric"));
153 return (gettext("unrecognized key object"));
158 static void
159 pk_show_keys(void *handle, KMF_KEY_HANDLE *keys, int numkeys)
161 int i;
163 for (i = 0; i < numkeys; i++) {
164 (void) fprintf(stdout, gettext("Key #%d - %s: %s"),
165 i+1, describeKey(&keys[i]),
166 keys[i].keylabel ? keys[i].keylabel :
167 gettext("No label"));
169 if (keys[i].keyclass == KMF_SYMMETRIC) {
170 KMF_RETURN rv;
171 KMF_RAW_SYM_KEY rkey;
173 (void) memset(&rkey, 0, sizeof (rkey));
174 rv = kmf_get_sym_key_value(handle, &keys[i],
175 &rkey);
176 if (rv == KMF_OK) {
177 (void) fprintf(stdout, " (%d bits)",
178 rkey.keydata.len * 8);
179 kmf_free_bigint(&rkey.keydata);
180 } else if (keys[i].kstype == KMF_KEYSTORE_PK11TOKEN) {
181 if (rv == KMF_ERR_SENSITIVE_KEY) {
182 (void) fprintf(stdout, " (sensitive)");
183 } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) {
184 (void) fprintf(stdout,
185 " (non-extractable)");
186 } else {
187 char *err = NULL;
188 if (kmf_get_kmf_error_str(rv, &err) ==
189 KMF_OK)
190 (void) fprintf(stdout,
191 " (error: %s)", err);
192 free(err);
196 (void) fprintf(stdout, "\n");
201 * Generic routine used by all "list cert" operations to find
202 * all matching certificates.
204 static KMF_RETURN
205 pk_find_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attrlist, int numattr)
207 KMF_RETURN rv = KMF_OK;
208 KMF_X509_DER_CERT *certlist = NULL;
209 uint32_t numcerts = 0;
210 KMF_KEYSTORE_TYPE kstype;
212 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
213 &kstype, NULL);
214 if (rv != KMF_OK)
215 return (rv);
217 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
218 &numcerts, sizeof (uint32_t));
219 numattr++;
221 rv = kmf_find_cert(kmfhandle, numattr, attrlist);
222 if (rv == KMF_OK && numcerts > 0) {
223 (void) printf(gettext("Found %d certificates.\n"),
224 numcerts);
225 certlist = (KMF_X509_DER_CERT *)malloc(numcerts *
226 sizeof (KMF_X509_DER_CERT));
227 if (certlist == NULL)
228 return (KMF_ERR_MEMORY);
229 (void) memset(certlist, 0, numcerts *
230 sizeof (KMF_X509_DER_CERT));
232 kmf_set_attr_at_index(attrlist, numattr,
233 KMF_X509_DER_CERT_ATTR, certlist,
234 sizeof (KMF_X509_DER_CERT));
235 numattr++;
237 rv = kmf_find_cert(kmfhandle, numattr, attrlist);
238 if (rv == KMF_OK) {
239 int i;
240 (void) pk_show_certs(kmfhandle, certlist,
241 numcerts);
242 for (i = 0; i < numcerts; i++)
243 kmf_free_kmf_cert(kmfhandle, &certlist[i]);
245 free(certlist);
247 if (rv == KMF_ERR_CERT_NOT_FOUND &&
248 kstype != KMF_KEYSTORE_OPENSSL)
249 rv = KMF_OK;
251 return (rv);
254 static KMF_RETURN
255 pk_list_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr, char *label)
257 KMF_RETURN rv;
258 KMF_KEY_HANDLE *keys;
259 uint32_t numkeys = 0;
260 KMF_KEYSTORE_TYPE kstype;
262 rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
263 &kstype, NULL);
264 if (rv != KMF_OK)
265 return (rv);
267 kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
268 &numkeys, sizeof (uint32_t));
269 numattr++;
271 rv = kmf_find_key(handle, numattr, attrlist);
272 if (rv == KMF_OK && numkeys > 0) {
273 int i;
274 (void) printf(gettext("Found %d %s keys.\n"),
275 numkeys, label);
276 keys = (KMF_KEY_HANDLE *)malloc(numkeys *
277 sizeof (KMF_KEY_HANDLE));
278 if (keys == NULL)
279 return (KMF_ERR_MEMORY);
280 (void) memset(keys, 0, numkeys *
281 sizeof (KMF_KEY_HANDLE));
283 kmf_set_attr_at_index(attrlist, numattr,
284 KMF_KEY_HANDLE_ATTR,
285 keys, sizeof (KMF_KEY_HANDLE));
286 numattr++;
288 rv = kmf_find_key(handle, numattr, attrlist);
289 if (rv == KMF_OK)
290 pk_show_keys(handle, keys, numkeys);
291 for (i = 0; i < numkeys; i++)
292 kmf_free_kmf_key(handle, &keys[i]);
293 free(keys);
295 if (rv == KMF_ERR_KEY_NOT_FOUND &&
296 kstype != KMF_KEYSTORE_OPENSSL)
297 rv = KMF_OK;
298 return (rv);
301 static KMF_RETURN
302 list_pk11_objects(KMF_HANDLE_T kmfhandle, char *token, int oclass,
303 char *objlabel, KMF_BIGINT *serial, char *issuer, char *subject,
304 char *dir, char *filename, KMF_CREDENTIAL *tokencred,
305 KMF_CERT_VALIDITY find_criteria_flag)
307 KMF_RETURN rv;
308 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
309 int numattr = 0;
310 KMF_ATTRIBUTE attrlist[18];
311 boolean_t token_bool = B_TRUE;
312 boolean_t private = B_FALSE;
313 KMF_KEY_CLASS keyclass;
314 KMF_ENCODE_FORMAT format;
315 int auth = 0;
316 KMF_CREDENTIAL cred = { NULL, 0 };
319 * Symmetric keys and RSA/DSA/ECDSA private keys are always
320 * created with the "CKA_PRIVATE" field == TRUE, so
321 * make sure we search for them with it also set.
323 if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ))
324 oclass |= PK_PRIVATE_OBJ;
326 rv = select_token(kmfhandle, token,
327 !(oclass & (PK_PRIVATE_OBJ | PK_PRIKEY_OBJ)));
329 if (rv != KMF_OK) {
330 return (rv);
333 rv = token_auth_needed(kmfhandle, token, &auth);
334 if (rv != KMF_OK)
335 return (rv);
337 if (tokencred != NULL)
338 cred = *tokencred;
340 if (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ)) {
341 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
342 &kstype, sizeof (kstype));
343 numattr++;
345 if (objlabel != NULL) {
346 kmf_set_attr_at_index(attrlist, numattr,
347 KMF_KEYLABEL_ATTR, objlabel,
348 strlen(objlabel));
349 numattr++;
352 private = ((oclass & PK_PRIVATE_OBJ) > 0);
354 kmf_set_attr_at_index(attrlist, numattr,
355 KMF_PRIVATE_BOOL_ATTR, &private,
356 sizeof (private));
357 numattr++;
359 kmf_set_attr_at_index(attrlist, numattr,
360 KMF_TOKEN_BOOL_ATTR, &token_bool,
361 sizeof (token_bool));
362 numattr++;
364 if (oclass & PK_PRIKEY_OBJ) {
365 int num = numattr;
367 keyclass = KMF_ASYM_PRI;
368 kmf_set_attr_at_index(attrlist, num,
369 KMF_KEYCLASS_ATTR, &keyclass,
370 sizeof (keyclass));
371 num++;
373 if (tokencred != NULL &&
374 tokencred->credlen > 0) {
375 kmf_set_attr_at_index(attrlist, num,
376 KMF_CREDENTIAL_ATTR, tokencred,
377 sizeof (KMF_CREDENTIAL));
378 num++;
381 /* list asymmetric private keys */
382 rv = pk_list_keys(kmfhandle, attrlist, num,
383 "asymmetric private");
386 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
387 int num = numattr;
389 keyclass = KMF_SYMMETRIC;
390 kmf_set_attr_at_index(attrlist, num,
391 KMF_KEYCLASS_ATTR, &keyclass,
392 sizeof (keyclass));
393 num++;
395 if (tokencred != NULL &&
396 tokencred->credlen > 0) {
397 kmf_set_attr_at_index(attrlist, num,
398 KMF_CREDENTIAL_ATTR, tokencred,
399 sizeof (KMF_CREDENTIAL));
400 num++;
403 format = KMF_FORMAT_RAWKEY;
404 kmf_set_attr_at_index(attrlist, num,
405 KMF_ENCODE_FORMAT_ATTR, &format,
406 sizeof (format));
407 num++;
409 /* list symmetric keys */
410 rv = pk_list_keys(kmfhandle, attrlist, num,
411 "symmetric");
414 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
415 int num = numattr;
417 if (auth > 0 && (tokencred == NULL ||
418 tokencred->cred == NULL) &&
419 (cred.cred == NULL)) {
420 (void) get_token_password(kstype, token, &cred);
421 kmf_set_attr_at_index(attrlist, num,
422 KMF_CREDENTIAL_ATTR,
423 &cred, sizeof (KMF_CREDENTIAL));
424 num++;
427 private = B_FALSE;
428 keyclass = KMF_ASYM_PUB;
429 kmf_set_attr_at_index(attrlist, num,
430 KMF_KEYCLASS_ATTR, &keyclass,
431 sizeof (keyclass));
432 num++;
434 /* list asymmetric public keys (if any) */
435 rv = pk_list_keys(kmfhandle, attrlist, num,
436 "asymmetric public");
439 if (rv != KMF_OK)
440 return (rv);
443 numattr = 0;
444 if (oclass & (PK_CERT_OBJ | PK_PUBLIC_OBJ)) {
445 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
446 &kstype, sizeof (kstype));
448 numattr++;
449 if (auth > 0 && (cred.cred == NULL)) {
450 (void) get_token_password(kstype, token, &cred);
453 if (cred.cred != NULL) {
454 kmf_set_attr_at_index(attrlist, numattr,
455 KMF_CREDENTIAL_ATTR,
456 &cred, sizeof (KMF_CREDENTIAL));
457 numattr++;
460 if (objlabel != NULL) {
461 kmf_set_attr_at_index(attrlist, numattr,
462 KMF_CERT_LABEL_ATTR, objlabel,
463 strlen(objlabel));
464 numattr++;
467 if (issuer != NULL) {
468 kmf_set_attr_at_index(attrlist, numattr,
469 KMF_ISSUER_NAME_ATTR, issuer,
470 strlen(issuer));
471 numattr++;
474 if (subject != NULL) {
475 kmf_set_attr_at_index(attrlist, numattr,
476 KMF_SUBJECT_NAME_ATTR, subject,
477 strlen(subject));
478 numattr++;
481 if (serial != NULL && serial->val != NULL) {
482 kmf_set_attr_at_index(attrlist, numattr,
483 KMF_BIGINT_ATTR, serial,
484 sizeof (KMF_BIGINT));
485 numattr++;
488 kmf_set_attr_at_index(attrlist, numattr,
489 KMF_PRIVATE_BOOL_ATTR, &private,
490 sizeof (private));
491 numattr++;
493 kmf_set_attr_at_index(attrlist, numattr,
494 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
495 sizeof (KMF_CERT_VALIDITY));
496 numattr++;
498 rv = pk_find_certs(kmfhandle, attrlist, numattr);
499 if (rv != KMF_OK)
500 return (rv);
503 numattr = 0;
504 kstype = KMF_KEYSTORE_OPENSSL; /* CRL is file-based */
505 if (oclass & PK_CRL_OBJ) {
506 char *crldata = NULL;
508 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
509 &kstype, sizeof (kstype));
510 numattr++;
512 if (dir != NULL) {
513 kmf_set_attr_at_index(attrlist, numattr,
514 KMF_DIRPATH_ATTR, dir, strlen(dir));
515 numattr++;
517 if (filename != NULL) {
518 kmf_set_attr_at_index(attrlist, numattr,
519 KMF_CRL_FILENAME_ATTR,
520 filename, strlen(filename));
521 numattr++;
523 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR,
524 &crldata, sizeof (char *));
525 numattr++;
527 rv = kmf_list_crl(kmfhandle, numattr, attrlist);
528 if (rv == KMF_OK && crldata != NULL) {
529 (void) printf("%s\n", crldata);
530 free(crldata);
534 return (rv);
537 static int
538 list_file_objects(KMF_HANDLE_T kmfhandle, int oclass,
539 char *dir, char *filename, KMF_BIGINT *serial,
540 char *issuer, char *subject,
541 KMF_CERT_VALIDITY find_criteria_flag)
543 KMF_RETURN rv = KMF_OK;
544 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
545 int numattr = 0;
546 KMF_ATTRIBUTE attrlist[16];
547 KMF_KEY_CLASS keyclass;
548 KMF_ENCODE_FORMAT format;
549 char *defaultdir = ".";
551 if (oclass & PK_KEY_OBJ) {
552 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
553 &kstype, sizeof (kstype));
554 numattr++;
556 if (dir == NULL && filename == NULL)
557 dir = defaultdir;
559 if (dir != NULL) {
560 kmf_set_attr_at_index(attrlist, numattr,
561 KMF_DIRPATH_ATTR, dir,
562 strlen(dir));
563 numattr++;
566 if (filename != NULL) {
567 kmf_set_attr_at_index(attrlist, numattr,
568 KMF_KEY_FILENAME_ATTR, filename,
569 strlen(filename));
570 numattr++;
573 if (oclass & PK_PRIKEY_OBJ) {
574 int num = numattr;
576 keyclass = KMF_ASYM_PRI;
577 kmf_set_attr_at_index(attrlist, num,
578 KMF_KEYCLASS_ATTR, &keyclass,
579 sizeof (keyclass));
580 num++;
582 /* list asymmetric private keys */
583 rv = pk_list_keys(kmfhandle, attrlist, num,
584 "asymmetric private");
586 if (rv == KMF_ERR_KEY_NOT_FOUND)
587 rv = KMF_OK;
589 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
590 int num = numattr;
592 keyclass = KMF_SYMMETRIC;
593 kmf_set_attr_at_index(attrlist, num,
594 KMF_KEYCLASS_ATTR, &keyclass,
595 sizeof (keyclass));
596 num++;
598 format = KMF_FORMAT_RAWKEY;
599 kmf_set_attr_at_index(attrlist, num,
600 KMF_ENCODE_FORMAT_ATTR, &format,
601 sizeof (format));
602 num++;
604 /* list symmetric keys */
605 rv = pk_list_keys(kmfhandle, attrlist, num,
606 "symmetric");
608 if (rv == KMF_ERR_KEY_NOT_FOUND)
609 rv = KMF_OK;
610 if (rv != KMF_OK)
611 return (rv);
614 numattr = 0;
615 if (oclass & PK_CERT_OBJ) {
616 kmf_set_attr_at_index(attrlist, numattr,
617 KMF_KEYSTORE_TYPE_ATTR, &kstype,
618 sizeof (kstype));
619 numattr++;
621 if (issuer != NULL) {
622 kmf_set_attr_at_index(attrlist, numattr,
623 KMF_ISSUER_NAME_ATTR, issuer,
624 strlen(issuer));
625 numattr++;
628 if (subject != NULL) {
629 kmf_set_attr_at_index(attrlist, numattr,
630 KMF_SUBJECT_NAME_ATTR, subject,
631 strlen(subject));
632 numattr++;
635 if (serial != NULL && serial->val != NULL) {
636 kmf_set_attr_at_index(attrlist, numattr,
637 KMF_BIGINT_ATTR, serial,
638 sizeof (KMF_BIGINT));
639 numattr++;
642 if (filename != NULL) {
643 kmf_set_attr_at_index(attrlist, numattr,
644 KMF_CERT_FILENAME_ATTR, filename,
645 strlen(filename));
646 numattr++;
649 if (dir != NULL) {
650 kmf_set_attr_at_index(attrlist, numattr,
651 KMF_DIRPATH_ATTR, dir,
652 strlen(dir));
653 numattr++;
656 kmf_set_attr_at_index(attrlist, numattr,
657 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
658 sizeof (KMF_CERT_VALIDITY));
659 numattr++;
661 rv = pk_find_certs(kmfhandle, attrlist, numattr);
662 if (rv != KMF_OK)
663 return (rv);
666 numattr = 0;
667 if (oclass & PK_CRL_OBJ) {
668 char *crldata = NULL;
670 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
671 &kstype, sizeof (kstype));
672 numattr++;
674 if (dir != NULL) {
675 kmf_set_attr_at_index(attrlist, numattr,
676 KMF_DIRPATH_ATTR, dir, strlen(dir));
677 numattr++;
679 if (filename != NULL) {
680 kmf_set_attr_at_index(attrlist, numattr,
681 KMF_CRL_FILENAME_ATTR,
682 filename, strlen(filename));
683 numattr++;
685 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_DATA_ATTR,
686 &crldata, sizeof (char *));
687 numattr++;
689 rv = kmf_list_crl(kmfhandle, numattr, attrlist);
690 if (rv == KMF_OK && crldata != NULL) {
691 (void) printf("%s\n", crldata);
692 free(crldata);
696 return (rv);
699 static int
700 list_nss_objects(KMF_HANDLE_T kmfhandle,
701 int oclass, char *token_spec, char *dir, char *prefix,
702 char *nickname, KMF_BIGINT *serial, char *issuer, char *subject,
703 KMF_CREDENTIAL *tokencred,
704 KMF_CERT_VALIDITY find_criteria_flag)
706 KMF_RETURN rv = KMF_OK;
707 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
708 int numattr = 0;
709 KMF_ATTRIBUTE attrlist[16];
710 KMF_KEY_CLASS keyclass;
711 KMF_ENCODE_FORMAT format;
713 rv = configure_nss(kmfhandle, dir, prefix);
714 if (rv != KMF_OK)
715 return (rv);
717 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
718 &kstype, sizeof (kstype));
719 numattr++;
721 if (oclass & PK_KEY_OBJ) {
722 if (tokencred != NULL && tokencred->credlen > 0) {
723 kmf_set_attr_at_index(attrlist, numattr,
724 KMF_CREDENTIAL_ATTR, tokencred,
725 sizeof (KMF_CREDENTIAL));
726 numattr++;
729 if (token_spec && strlen(token_spec)) {
730 kmf_set_attr_at_index(attrlist, numattr,
731 KMF_TOKEN_LABEL_ATTR, token_spec,
732 strlen(token_spec));
733 numattr++;
736 if (nickname != NULL) {
737 kmf_set_attr_at_index(attrlist, numattr,
738 KMF_KEYLABEL_ATTR, nickname,
739 strlen(nickname));
740 numattr++;
744 if (oclass & PK_PRIKEY_OBJ) {
745 int num = numattr;
747 keyclass = KMF_ASYM_PRI;
748 kmf_set_attr_at_index(attrlist, num,
749 KMF_KEYCLASS_ATTR, &keyclass,
750 sizeof (keyclass));
751 num++;
753 /* list asymmetric private keys */
754 rv = pk_list_keys(kmfhandle, attrlist, num,
755 "asymmetric private");
758 if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
759 int num = numattr;
761 keyclass = KMF_SYMMETRIC;
762 kmf_set_attr_at_index(attrlist, num,
763 KMF_KEYCLASS_ATTR, &keyclass,
764 sizeof (keyclass));
765 num++;
767 format = KMF_FORMAT_RAWKEY;
768 kmf_set_attr_at_index(attrlist, num,
769 KMF_ENCODE_FORMAT_ATTR, &format,
770 sizeof (format));
771 num++;
773 /* list symmetric keys */
774 rv = pk_list_keys(kmfhandle, attrlist, num, "symmetric");
777 if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
778 int num = numattr;
780 keyclass = KMF_ASYM_PUB;
781 kmf_set_attr_at_index(attrlist, num,
782 KMF_KEYCLASS_ATTR, &keyclass,
783 sizeof (keyclass));
784 num++;
786 /* list asymmetric public keys */
787 rv = pk_list_keys(kmfhandle, attrlist, num,
788 "asymmetric public");
791 /* If searching for public objects or certificates, find certs now */
792 numattr = 0;
793 if (rv == KMF_OK && (oclass & PK_CERT_OBJ)) {
794 kmf_set_attr_at_index(attrlist, numattr,
795 KMF_KEYSTORE_TYPE_ATTR, &kstype,
796 sizeof (kstype));
797 numattr++;
799 if (nickname != NULL) {
800 kmf_set_attr_at_index(attrlist, numattr,
801 KMF_CERT_LABEL_ATTR, nickname,
802 strlen(nickname));
803 numattr++;
806 if (issuer != NULL) {
807 kmf_set_attr_at_index(attrlist, numattr,
808 KMF_ISSUER_NAME_ATTR, issuer,
809 strlen(issuer));
810 numattr++;
813 if (subject != NULL) {
814 kmf_set_attr_at_index(attrlist, numattr,
815 KMF_SUBJECT_NAME_ATTR, subject,
816 strlen(subject));
817 numattr++;
820 if (serial != NULL) {
821 kmf_set_attr_at_index(attrlist, numattr,
822 KMF_BIGINT_ATTR, serial,
823 sizeof (KMF_BIGINT));
824 numattr++;
827 if (token_spec != NULL) {
828 kmf_set_attr_at_index(attrlist, numattr,
829 KMF_TOKEN_LABEL_ATTR, token_spec,
830 strlen(token_spec));
831 numattr++;
834 kmf_set_attr_at_index(attrlist, numattr,
835 KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
836 sizeof (KMF_CERT_VALIDITY));
837 numattr++;
839 rv = pk_find_certs(kmfhandle, attrlist, numattr);
842 numattr = 0;
843 if (rv == KMF_OK && (oclass & PK_CRL_OBJ)) {
844 int numcrls;
846 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
847 &kstype, sizeof (kstype));
848 numattr++;
850 if (token_spec != NULL) {
851 kmf_set_attr_at_index(attrlist, numattr,
852 KMF_TOKEN_LABEL_ATTR,
853 token_spec, strlen(token_spec));
854 numattr++;
856 kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_COUNT_ATTR,
857 &numcrls, sizeof (int));
858 numattr++;
860 rv = kmf_find_crl(kmfhandle, numattr, attrlist);
861 if (rv == KMF_OK) {
862 char **p;
863 if (numcrls == 0) {
864 (void) printf(gettext("No CRLs found in "
865 "NSS keystore.\n"));
867 return (KMF_OK);
869 p = malloc(numcrls * sizeof (char *));
870 if (p == NULL) {
871 return (KMF_ERR_MEMORY);
873 (void) memset(p, 0, numcrls * sizeof (char *));
875 kmf_set_attr_at_index(attrlist, numattr,
876 KMF_CRL_NAMELIST_ATTR, p, sizeof (char *));
877 numattr++;
878 rv = kmf_find_crl(kmfhandle, numattr, attrlist);
879 if (rv == KMF_OK) {
880 int i;
881 for (i = 0; i < numcrls; i++) {
882 (void) printf("%d. Name = %s\n",
883 i + 1, p[i]);
884 free(p[i]);
887 free(p);
890 return (rv);
894 * List token object.
897 pk_list(int argc, char *argv[])
899 int opt;
900 extern int optind_av;
901 extern char *optarg_av;
902 char *token_spec = NULL;
903 char *subject = NULL;
904 char *issuer = NULL;
905 char *dir = NULL;
906 char *prefix = NULL;
907 char *filename = NULL;
908 char *serstr = NULL;
909 KMF_BIGINT serial = { NULL, 0 };
911 char *list_label = NULL;
912 int oclass = 0;
913 KMF_KEYSTORE_TYPE kstype = 0;
914 KMF_RETURN rv = KMF_OK;
915 KMF_HANDLE_T kmfhandle = NULL;
916 char *find_criteria = NULL;
917 KMF_CERT_VALIDITY find_criteria_flag = KMF_ALL_CERTS;
918 KMF_CREDENTIAL tokencred = { NULL, 0 };
920 /* Parse command line options. Do NOT i18n/l10n. */
921 while ((opt = getopt_av(argc, argv,
922 "k:(keystore)t:(objtype)T:(token)d:(dir)"
923 "p:(prefix)n:(nickname)S:(serial)s:(subject)"
924 "c:(criteria)"
925 "i:(issuer)l:(label)f:(infile)")) != EOF) {
926 if (EMPTYSTRING(optarg_av))
927 return (PK_ERR_USAGE);
928 switch (opt) {
929 case 'k':
930 if (kstype != 0)
931 return (PK_ERR_USAGE);
932 kstype = KS2Int(optarg_av);
933 if (kstype == 0)
934 return (PK_ERR_USAGE);
935 break;
936 case 't':
937 if (oclass != 0)
938 return (PK_ERR_USAGE);
939 oclass = OT2Int(optarg_av);
940 if (oclass == -1)
941 return (PK_ERR_USAGE);
942 break;
943 case 's':
944 if (subject)
945 return (PK_ERR_USAGE);
946 subject = optarg_av;
947 break;
948 case 'i':
949 if (issuer)
950 return (PK_ERR_USAGE);
951 issuer = optarg_av;
952 break;
953 case 'd':
954 if (dir)
955 return (PK_ERR_USAGE);
956 dir = optarg_av;
957 break;
958 case 'p':
959 if (prefix)
960 return (PK_ERR_USAGE);
961 prefix = optarg_av;
962 break;
963 case 'S':
964 serstr = optarg_av;
965 break;
966 case 'f':
967 if (filename)
968 return (PK_ERR_USAGE);
969 filename = optarg_av;
970 break;
971 case 'T': /* token specifier */
972 if (token_spec)
973 return (PK_ERR_USAGE);
974 token_spec = optarg_av;
975 break;
976 case 'n':
977 case 'l': /* object with specific label */
978 if (list_label)
979 return (PK_ERR_USAGE);
980 list_label = optarg_av;
981 break;
982 case 'c':
983 find_criteria = optarg_av;
984 if (!strcasecmp(find_criteria, "valid"))
985 find_criteria_flag =
986 KMF_NONEXPIRED_CERTS;
987 else if (!strcasecmp(find_criteria, "expired"))
988 find_criteria_flag = KMF_EXPIRED_CERTS;
989 else if (!strcasecmp(find_criteria, "both"))
990 find_criteria_flag = KMF_ALL_CERTS;
991 else
992 return (PK_ERR_USAGE);
993 break;
994 default:
995 return (PK_ERR_USAGE);
998 /* No additional args allowed. */
999 argc -= optind_av;
1000 argv += optind_av;
1001 if (argc)
1002 return (PK_ERR_USAGE);
1004 if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
1005 /* Error message ? */
1006 return (rv);
1009 /* Assume keystore = PKCS#11 if not specified. */
1010 if (kstype == 0)
1011 kstype = KMF_KEYSTORE_PK11TOKEN;
1013 /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
1014 if ((oclass & (PK_PUBLIC_OBJ | PK_PRIVATE_OBJ)) &&
1015 kstype != KMF_KEYSTORE_PK11TOKEN) {
1017 (void) fprintf(stderr, gettext("The objtype parameter "
1018 "is only relevant if keystore=pkcs11\n"));
1019 return (PK_ERR_USAGE);
1023 if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec)) {
1024 token_spec = PK_DEFAULT_PK11TOKEN;
1025 } else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec)) {
1026 token_spec = DEFAULT_NSS_TOKEN;
1029 if (serstr != NULL) {
1030 uchar_t *bytes = NULL;
1031 size_t bytelen;
1033 rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
1034 if (rv != KMF_OK || bytes == NULL) {
1035 (void) fprintf(stderr, gettext("serial number "
1036 "must be specified as a hex number "
1037 "(ex: 0x0102030405ffeeddee)\n"));
1038 return (PK_ERR_USAGE);
1040 serial.val = bytes;
1041 serial.len = bytelen;
1042 /* if objtype was not given, it must be for certs */
1043 if (oclass == 0)
1044 oclass = PK_CERT_OBJ;
1046 if (oclass == 0 && (issuer != NULL || subject != NULL))
1047 oclass = PK_CERT_OBJ;
1049 /* If no object class specified, list public objects. */
1050 if (oclass == 0)
1051 oclass = PK_CERT_OBJ | PK_PUBKEY_OBJ;
1053 if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
1054 kstype == KMF_KEYSTORE_NSS) &&
1055 (oclass & (PK_PRIKEY_OBJ | PK_PRIVATE_OBJ))) {
1057 (void) get_token_password(kstype, token_spec,
1058 &tokencred);
1060 if (kstype == KMF_KEYSTORE_PK11TOKEN) {
1061 rv = list_pk11_objects(kmfhandle, token_spec,
1062 oclass, list_label, &serial,
1063 issuer, subject, dir, filename,
1064 &tokencred, find_criteria_flag);
1066 } else if (kstype == KMF_KEYSTORE_NSS) {
1067 if (dir == NULL)
1068 dir = PK_DEFAULT_DIRECTORY;
1069 rv = list_nss_objects(kmfhandle,
1070 oclass, token_spec, dir, prefix,
1071 list_label, &serial, issuer, subject,
1072 &tokencred, find_criteria_flag);
1074 } else if (kstype == KMF_KEYSTORE_OPENSSL) {
1076 rv = list_file_objects(kmfhandle,
1077 oclass, dir, filename,
1078 &serial, issuer, subject, find_criteria_flag);
1081 if (rv != KMF_OK) {
1082 display_error(kmfhandle, rv,
1083 gettext("Error listing objects"));
1086 free(serial.val);
1088 free(tokencred.cred);
1090 (void) kmf_finalize(kmfhandle);
1091 return (rv);