import.c revision 7711facfe58561dd91d6ece0f5f41150c3956c83
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * CDDL HEADER START
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * The contents of this file are subject to the terms of the
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Common Development and Distribution License, Version 1.0 only
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * (the "License"). You may not use this file except in compliance
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * with the License.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * See the License for the specific language governing permissions
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * and limitations under the License.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * When distributing Covered Code, include this CDDL HEADER in each
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * If applicable, add the following below this CDDL HEADER, with the
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * fields enclosed by brackets "[]" replaced with your own identifying
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * information: Portions Copyright [yyyy] [name of copyright owner]
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * CDDL HEADER END
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Use is subject to license terms.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak#pragma ident "%Z%%M% %I% %E% SMI"
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * This file implements the import operation for this tool.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * The basic flow of the process is to decrypt the PKCS#12
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * input file if it has a password, parse the elements in
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * the file, find the soft token, log into it, import the
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * PKCS#11 objects into the soft token, and log out.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Helper function decrypt and parse PKCS#12 import file.
7711facfe58561dd91d6ece0f5f41150c3956c83dinakextract_pkcs12(BIO *fbio, CK_UTF8CHAR *pin, CK_ULONG pinlen,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak EVP_PKEY **priv_key, X509 **cert, STACK_OF(X509) **ca)
7711facfe58561dd91d6ece0f5f41150c3956c83dinak/* ARGSUSED */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to create PKCS#12 context."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((pk12_tmp = d2i_PKCS12_bio(fbio, &pk12)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* This is ok; it seems to mean there is no more to read. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak ERR_GET_REASON(ERR_peek_error()) == ASN1_R_HEADER_TOO_LONG)
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to populate PKCS#12 context."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKCS12_parse(pk12, (char *)pin, &temp_pkey, &temp_cert,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Converts OpenSSL BIGNUM into PKCS#11 biginteger_t format.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Write RSA private key to token.
7711facfe58561dd91d6ece0f5f41150c3956c83dinakwrite_rsa_private(CK_SESSION_HANDLE sess, RSA *rsa, X509 *cert)
7711facfe58561dd91d6ece0f5f41150c3956c83dinak { 0 /* CKA_PRIVATE_EXPONENT */, NULL, 0 }, /* optional */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak CK_ULONG count = sizeof (rsa_pri_attrs) / sizeof (CK_ATTRIBUTE);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Attributes start at array index 4. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate label for the private key label. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((label = X509_alias_get0(cert, (int *)&label_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(label, label_len, &(rsa_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate id for the private key id. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((id = PKTOOL_X509_keyid_get0(cert, (int *)&id_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(id, id_len, &(rsa_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate start and end dates for private key. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notBefore(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) memcpy(&startdate, tmpdate, sizeof (startdate));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&startdate, sizeof (startdate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notAfter(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&enddate, sizeof (enddate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Modulus n */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key modulus."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Public exponent e */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("converting RSA private key public exponent");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->e, &pubexp)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key public exponent."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Private exponent d */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("converting RSA private key private exponent");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->d, &priexp)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "RSA private key private exponent."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Prime p */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->p, &prime1)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key prime 1."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Prime q */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->q, &prime2)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key prime 2."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Private exponent d modulo p-1 */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->dmp1, &exp1)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key exponent 1."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Private exponent d modulo q-1 */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->dmq1, &exp2)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key exponent 2."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* CRT coefficient q-inverse mod p */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("converting RSA private key coefficient");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(rsa->iqmp, &coef)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert RSA private key coefficient."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Indicates programming error: attributes overran the template */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("error: more attributes found than accounted for");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = C_CreateObject(sess, rsa_pri_attrs, i, &obj)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to create RSA private key object."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Write DSA private key to token.
7711facfe58561dd91d6ece0f5f41150c3956c83dinakwrite_dsa_private(CK_SESSION_HANDLE sess, DSA *dsa, X509 *cert)
7711facfe58561dd91d6ece0f5f41150c3956c83dinak CK_ULONG count = sizeof (dsa_pri_attrs) / sizeof (CK_ATTRIBUTE);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Attributes start at array index 4. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate label for the private key label. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((label = X509_alias_get0(cert, (int *)&label_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(label, label_len, &(dsa_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate id for the private key id. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((id = PKTOOL_X509_keyid_get0(cert, (int *)&id_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(id, id_len, &(dsa_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate start and end dates for private key. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notBefore(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) memcpy(&startdate, tmpdate, sizeof (startdate));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&startdate, sizeof (startdate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notAfter(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&enddate, sizeof (enddate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Prime p */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DSA private key prime."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Subprime q */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(dsa->q, &subprime)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DSA private key subprime."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Base g */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DSA private key base."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Private key x */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(dsa->priv_key, &value)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DSA private key value."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Indicates programming error: attributes overran the template */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("error: more attributes found than accounted for");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = C_CreateObject(sess, dsa_pri_attrs, i, &obj)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to create DSA private key object."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Write DH private key to token.
7711facfe58561dd91d6ece0f5f41150c3956c83dinakwrite_dh_private(CK_SESSION_HANDLE sess, DH *dh, X509 *cert)
7711facfe58561dd91d6ece0f5f41150c3956c83dinak CK_ULONG count = sizeof (dh_pri_attrs) / sizeof (CK_ATTRIBUTE);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Attributes start at array index 4. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate label for the private key label. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((label = X509_alias_get0(cert, (int *)&label_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(label, label_len, &(dh_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate id for the private key id. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((id = PKTOOL_X509_keyid_get0(cert, (int *)&id_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(id, id_len, &(dh_pri_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Recycle the certificate start and end dates for private key. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notBefore(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) memcpy(&startdate, tmpdate, sizeof (startdate));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&startdate, sizeof (startdate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (PKTOOL_cvt_ossltime(X509_get_notAfter(cert), tmpdate)) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr((CK_BYTE *)&enddate, sizeof (enddate),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Prime p */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DH private key prime."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Base g */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DH private key base."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Private value x */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = cvt_bn2bigint(dh->priv_key, &value)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to convert DH private key value."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Indicates programming error: attributes overran the template */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("error: more attributes found than accounted for");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = C_CreateObject(sess, dh_pri_attrs, i, &obj)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to create DH private key object."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Write certificate to token.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak { CKA_CERTIFICATE_TYPE, &certtype, sizeof (certtype) },
7711facfe58561dd91d6ece0f5f41150c3956c83dinak CK_ULONG count = sizeof (cert_attrs) / sizeof (CK_ATTRIBUTE);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Attributes start at array index 3. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * OpenSSL subject name and issuer (a little further below) are
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * actually stack structures that contain individual ASN.1
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * components. This stack of entries is packed into one DER string.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((subject = PKTOOL_X509_subject_name(cert, (int *)&subject_len)) ==
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(subject, subject_len, &(cert_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get cert value, but it has to be reconstructed from cert. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((value = PKTOOL_X509_cert_value(cert, (int *)&value_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(value, value_len, &(cert_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Get certificate label which is "friendlyName" Netscape,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * "alias" in OpenSSL.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((label = X509_alias_get0(cert, (int *)&label_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(label, label_len, &(cert_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get the keyid for the cert. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((id = PKTOOL_X509_keyid_get0(cert, (int *)&id_len)) == NULL) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get the issuer name for the cert. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((issuer = PKTOOL_X509_issuer_name(cert, (int *)&issuer_len)) ==
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(issuer, issuer_len, &(cert_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get the cert serial number. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((serial = PKTOOL_X509_serial_number(cert, (int *)&serial_len)) ==
7711facfe58561dd91d6ece0f5f41150c3956c83dinak copy_string_to_attr(serial, serial_len, &(cert_attrs[i++]));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Indicates programming error: attributes overran the template */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptodebug("error: more attributes found than accounted for");
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = C_CreateObject(sess, cert_attrs, i, &obj)) != CKR_OK) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to create X.509 certificate object."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Helper function to write PKCS#12 items to token. Returns CKR_OK
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * or CKR_GENERAL_ERROR
7711facfe58561dd91d6ece0f5f41150c3956c83dinakwrite_token_objs(CK_SESSION_HANDLE sess, EVP_PKEY *priv_key, X509 *cert,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Do not reset *successes or *failures -- keep running totals. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Import user key. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("Writing RSA private key...\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write RSA private key (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("Writing DSA private key...\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write DSA private key (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("Writing DH private key...\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write DH private key (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Note that EVP_PKEY_DH for X9.42 is not implemented
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * in the OpenSSL library.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Private key type 0x%02x import not supported."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Import user certificate. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("Writing user certificate...\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write user certificate (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Import as many stacks of authority certificates as possible. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * sk_X509_value() is macro that embeds a cast to (X509 *).
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Here it translates into ((X509 *)sk_value((ca), (i))).
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Lint is complaining about the embedded casting, and
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * to fix it, you need to fix openssl header files.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* LINTED E_BAD_PTR_CAST_ALIGN */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Writing authority certificate...\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write authority certificate (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("PKCS#12 element scan completed.\n"));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak * Import objects from PKCS#12 file into token.
7711facfe58561dd91d6ece0f5f41150c3956c83dinak int good_count = 0, bad_count = 0; /* running totals */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get rid of subcommand word "import". */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* One additional arg required: filename. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Done parsing command line options. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Check that the file exists and is non-empty. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptoerror(LOG_STDERR, gettext("File \"%s\" is unreadable "
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptoerror(LOG_STDERR, gettext("Unable to get size of "
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptoerror(LOG_STDERR, gettext("File \"%s\" is empty."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Import operation only supported on softtoken. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak full_token_name(token_name, manuf_id, serial_no, full_name);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Find the slot with token. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = find_token_slot(token_name, manuf_id, serial_no, &slot_id,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get the user's PIN. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = get_pin(gettext("Enter token passphrase:"), NULL, &pin,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to get token passphrase (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Assume user must be logged in R/W to import objects into token. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = quick_start(slot_id, CKF_RW_SESSION, pin, pinlen, &sess)) !=
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Setup OpenSSL context. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Open PKCS#12 file. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak cryptoerror(LOG_STDERR, gettext("Unable to open import file."));
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Get the PIN for the PKCS#12 import file. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = get_pin(gettext("Enter import file passphrase:"), NULL,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to get import file passphrase (%s)."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* PKCS#12 import file may have multiple elements, loop until done. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak for (i = 0; /* */; i++) {
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Extract the contents of the PKCS#12 import file. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if ((rv = extract_pkcs12(fbio, pk12pin, pk12pinlen, &priv_key,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to parse PKCS#12 element #%d "
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Reached end of import file? */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak if (rv == CKR_OK && priv_key == NULL && cert == NULL &&
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Scanning PKCS#12 element #%d for objects...\n"), i+1);
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Write the objects to the token. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "Unable to write PKCS#12 element #%d to token %s."),
7711facfe58561dd91d6ece0f5f41150c3956c83dinak (void) fprintf(stdout, gettext("%d PKCS#12 elements scanned: "
7711facfe58561dd91d6ece0f5f41150c3956c83dinak "%d objects imported, %d errors occurred.\n"), i,
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Close PKCS#12 file. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak /* Clean up. */
7711facfe58561dd91d6ece0f5f41150c3956c83dinak return (0);