 * CDDL HEADER START
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * CDDL HEADER END
 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 * Copyright 2012 Milan Jurik. All rights reserved.
 * This file implements the import operation for this tool.
 * The basic flow of the process is to decrypt the PKCS#12
 * input file if it has a password, parse the elements in
 * the file, find the soft token, log into it, import the
 * PKCS#11 objects into the soft token, and log out.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys a = (KMF_ATTRIBUTE *)malloc(n * sizeof (KMF_ATTRIBUTE)); \
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (a == NULL) { \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyspk_import_pk12_files(KMF_HANDLE_T kmfhandle, KMF_CREDENTIAL *cred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) printf(gettext("Found %d certificate(s) and %d "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ENCODE_FORMAT_ATTR, &outformat, sizeof (outformat));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If storing more than 1 cert, gotta change
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the name so we don't overwrite the previous one.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Just append a _# to the name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (i > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* The order of certificates and keys should match */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (i > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Cleanup memory.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < ncerts; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < nkeys; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_import_objects(kmfhandle, filename, kmfcred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) printf(gettext("Found %d certificate(s) and %d "
64012b183780cacb63ca9686d771578f883ac119wyllys /* The order of certificates and keys should match */
64012b183780cacb63ca9686d771578f883ac119wyllys for (i = 0; i < nkeys; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Cleanup memory.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < ncerts; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < nkeys; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (KMF_KEYSTORE_TYPE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, i, KMF_CERT_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, i, KMF_CERT_LABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, i, KMF_TRUSTFLAG_ATTR,
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys * The token requires a credential, prompt and try again.
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys (void) get_token_password(kstype, token_spec, &tokencred);
fa60c371cd00bdca17de2ff18fe3e64d051ae61bwyllys kmf_set_attr_at_index(attrlist, i, KMF_CREDENTIAL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_import_crl(kmfhandle, numattr, attrlist));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CRL_CHECK_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_import_crl(kmfhandle, numattr, attrlist));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_import_objects(kmfhandle, filename, p12cred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* The order of certificates and keys should match */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < nkeys; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) printf(gettext("Found %d certificate(s) and %d "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Cleanup memory.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < ncerts; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < nkeys; i++)
46d33f7eb2dfb8bdd702b0d0605ce8c741b50f9dwyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * First, set up to read the keyfile using the FILE plugin
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * mechanisms.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_RAW_KEY_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
46d33f7eb2dfb8bdd702b0d0605ce8c741b50f9dwyllys (void) printf(gettext("Importing %d keys\n"), numkeys);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_read_input_file(kmfhandle, filename, &keydata);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Key length is given in bits not bytes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEYLENGTH_ATTR, &keylen, sizeof (keydata.Length));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_SENSITIVE_BOOL_ATTR, &sensitive, sizeof (sensitive));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_create_sym_key(kmfhandle, numattr, attrlist);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Import objects from into KMF repositories.
49e212991a3065f7e499a4b29ae8d8eaf33f3135dinak extern char *optarg_av;
49e212991a3065f7e499a4b29ae8d8eaf33f3135dinak /* Parse command line options. Do NOT i18n/l10n. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "T:(token)i:(infile)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "k:(keystore)y:(objtype)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "d:(dir)p:(prefix)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "n:(certlabel)N:(label)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "K:(outkey)c:(outcert)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "v:(verifycrl)l:(outcrl)"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "E:(keytype)s:(sensitive)x:(extractable)"
49e212991a3065f7e499a4b29ae8d8eaf33f3135dinak switch (opt) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Assume keystore = PKCS#11 if not specified */
49e212991a3065f7e499a4b29ae8d8eaf33f3135dinak /* Filename arg is required. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("The 'infile' parameter"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "is required for the import operation.\n"));
49e212991a3065f7e499a4b29ae8d8eaf33f3135dinak /* No additional args allowed. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) fprintf(stderr, gettext("The objtype parameter "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "is only relevant if keystore=pkcs11\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You must specify a certlabel (cert label) when importing
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * into NSS or PKCS#11.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("The 'label' argument "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "is required for this operation\n"));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Allow for raw key data to be imported.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Set the object class only if it was not
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * given on the command line or if it was
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * specified as a symmetric key object.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "The input file does not contain the "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "object type indicated on command "
592106a23e99a1790d339bab84de7fa3474964a4Wyllys Ingersoll rv2 = kmf_get_kmf_error_str(rv, &kmferrstr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check parameters for raw key import operation */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "applies only when importing a key from a file "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "into a PKCS#11 keystore.\n"));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If no objtype was given, treat it as a certificate */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "CRL data can only be imported as DER or "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "PEM format"));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (kfmt != KMF_FORMAT_ASN1 && kfmt != KMF_FORMAT_PEM)) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Certificates can only be imported as DER or "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "PEM format"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* we do not import private keys except in PKCS12 bundles */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Private key data can only be imported as part "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "of a PKCS12 file.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_OPENSSL && oclass != PK_CRL_OBJ) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "The 'outkey' and 'outcert' parameters "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "are required for the import operation "
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "when the 'file' keystore is used.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec))
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec))
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((kfmt == KMF_FORMAT_PKCS12 || kfmt == KMF_FORMAT_RAWKEY ||
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (kfmt == KMF_FORMAT_PEM && (oclass & PK_KEY_OBJ))) &&
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (kstype == KMF_KEYSTORE_PK11TOKEN || kstype == KMF_KEYSTORE_NSS)) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) get_token_password(kstype, token_spec, &tokencred);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Error initializing "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * It doesn't make sense to import anything
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * else for the files plugin.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak return (0);