import.c revision 46d33f7eb2dfb8bdd702b0d0605ce8c741b50f9d
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* This file implements the import operation for this tool.
* The basic flow of the process is to decrypt the PKCS#12
* input file if it has a password, parse the elements in
* the file, find the soft token, log into it, import the
* PKCS#11 objects into the soft token, and log out.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include "common.h"
#include <kmfapi.h>
static KMF_RETURN
{
int ncerts = 0;
int nkeys = 0;
int i;
int numattr = 0;
}
char newcertfile[MAXPATHLEN];
numattr++;
numattr++;
}
numattr++;
/*
* If storing more than 1 cert, gotta change
* the name so we don't overwrite the previous one.
* Just append a _# to the name.
*/
if (i > 0) {
(void) snprintf(newcertfile,
num++;
} else {
num++;
}
num++;
}
}
char newkeyfile[MAXPATHLEN];
numattr = 0;
sizeof (kstype));
numattr++;
numattr++;
}
sizeof (outformat));
numattr++;
sizeof (KMF_CREDENTIAL));
numattr++;
}
/* The order of certificates and keys should match */
if (i > 0) {
(void) snprintf(newkeyfile,
strlen(newkeyfile));
num++;
} else {
num++;
}
KMF_CERT_DATA_ATTR, &certs[i],
sizeof (KMF_DATA));
num++;
KMF_RAW_KEY_ATTR, &keys[i],
sizeof (KMF_RAW_KEY_DATA));
num++;
}
}
/*
* Cleanup memory.
*/
if (certs) {
for (i = 0; i < ncerts; i++)
kmf_free_data(&certs[i]);
}
if (keys) {
for (i = 0; i < nkeys; i++)
kmf_free_raw_key(&keys[i]);
}
return (rv);
}
static KMF_RETURN
{
int ncerts = 0;
int nkeys = 0;
int i;
int numattr = 0;
return (rv);
numattr++;
if (token_spec != NULL) {
strlen(token_spec));
numattr++;
}
if (trustflags != NULL) {
strlen(trustflags));
numattr++;
}
num++;
}
num++;
}
gettext("Error storing certificate in NSS token"));
}
}
numattr = 0;
sizeof (kstype));
numattr++;
if (token_spec != NULL) {
strlen(token_spec));
numattr++;
}
numattr++;
}
sizeof (KMF_CREDENTIAL));
numattr++;
}
/* The order of certificates and keys should match */
for (i = 0; i < nkeys; i++) {
KMF_CERT_DATA_ATTR, &certs[i],
sizeof (KMF_DATA));
num++;
KMF_RAW_KEY_ATTR, &keys[i],
sizeof (KMF_RAW_KEY_DATA));
num++;
}
}
/*
* Cleanup memory.
*/
if (certs) {
for (i = 0; i < ncerts; i++)
kmf_free_data(&certs[i]);
}
if (keys) {
for (i = 0; i < nkeys; i++)
kmf_free_raw_key(&keys[i]);
}
return (rv);
}
static KMF_RETURN
{
int i = 0;
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
} else if (kstype == KMF_KEYSTORE_NSS) {
}
return (rv);
i++;
i++;
i++;
}
if (kstype == KMF_KEYSTORE_NSS) {
if (trustflags != NULL) {
i++;
}
if (token_spec != NULL) {
i++;
}
}
return (rv);
}
static KMF_RETURN
pk_import_file_crl(void *kmfhandle,
char *infile,
char *outfile,
char *outdir,
{
int numattr = 0;
numattr++;
if (infile) {
numattr++;
}
if (outdir) {
numattr++;
}
if (outfile) {
numattr++;
}
numattr++;
}
static KMF_RETURN
pk_import_nss_crl(void *kmfhandle,
char *infile,
char *outdir,
char *prefix)
{
int numattr = 0;
return (rv);
numattr++;
if (infile) {
numattr++;
}
&verify_crl_flag, sizeof (verify_crl_flag));
numattr++;
}
static KMF_RETURN
char *label, char *token_spec,
char *filename)
{
int ncerts = 0;
int nkeys = 0;
int i;
int numattr = 0;
return (rv);
}
sizeof (kstype));
numattr++;
numattr++;
}
sizeof (KMF_CREDENTIAL));
numattr++;
}
/* The order of certificates and keys should match */
for (i = 0; i < nkeys; i++) {
KMF_CERT_DATA_ATTR, &certs[i],
sizeof (KMF_DATA));
num++;
KMF_RAW_KEY_ATTR, &keys[i],
sizeof (KMF_RAW_KEY_DATA));
num++;
}
}
numattr = 0;
numattr++;
num++;
}
num++;
}
}
/*
* Cleanup memory.
*/
if (certs) {
for (i = 0; i < ncerts; i++)
kmf_free_data(&certs[i]);
}
if (keys) {
for (i = 0; i < nkeys; i++)
kmf_free_raw_key(&keys[i]);
}
return (rv);
}
/*ARGSUSED*/
static KMF_RETURN
{
int numattr = 0;
int numkeys = 1;
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
}
return (rv);
/*
* First, set up to read the keyfile using the FILE plugin
* mechanisms.
*/
numattr++;
numattr++;
numattr++;
numattr++;
numattr++;
numattr++;
numattr = 0;
numattr++;
numattr++;
}
numattr++;
}
numattr++;
}
} else {
gettext("Failed to load key from file (%s)\n"),
filename);
}
return (rv);
}
static KMF_RETURN
{
int numattr = 0;
return (rv);
return (rv);
}
else {
gettext("Incorrect sensitive option value.\n"));
return (KMF_ERR_BAD_PARAMETER);
}
}
else {
gettext("Incorrect extractable option value.\n"));
return (KMF_ERR_BAD_PARAMETER);
}
}
numattr++;
numattr++;
numattr++;
numattr++;
/* Key length is given in bits not bytes */
numattr++;
numattr++;
sizeof (not_extractable));
numattr++;
numattr++;
}
numattr++;
}
return (rv);
}
/*
* Import objects from into KMF repositories.
*/
int
{
int opt;
extern int optind_av;
extern char *optarg_av;
char *token_spec = NULL;
char *trustflags = NULL;
char *verify_crl = NULL;
char *keytype = "generic";
int oclass = 0;
KMF_KEYSTORE_TYPE kstype = 0;
KMF_ENCODE_FORMAT kfmt = 0;
"T:(token)i:(infile)"
"k:(keystore)y:(objtype)"
"d:(dir)p:(prefix)"
"n:(certlabel)N:(label)"
"K:(outkey)c:(outcert)"
"v:(verifycrl)l:(outcrl)"
"E:(keytype)s:(sensitive)x:(extractable)"
"t:(trust)D:(keydir)F:(outformat)")) != EOF) {
if (EMPTYSTRING(optarg_av))
return (PK_ERR_USAGE);
switch (opt) {
case 'T': /* token specifier */
if (token_spec)
return (PK_ERR_USAGE);
break;
case 'c': /* output cert file name */
if (certfile)
return (PK_ERR_USAGE);
break;
case 'l': /* output CRL file name */
if (crlfile)
return (PK_ERR_USAGE);
break;
case 'K': /* output key file name */
if (keyfile)
return (PK_ERR_USAGE);
break;
case 'i': /* input file name */
if (filename)
return (PK_ERR_USAGE);
break;
case 'k':
if (kstype == 0)
return (PK_ERR_USAGE);
break;
case 'y':
if (oclass == -1)
return (PK_ERR_USAGE);
break;
case 'd':
break;
case 'D':
break;
case 'p':
if (prefix)
return (PK_ERR_USAGE);
break;
case 'n':
case 'N':
if (label)
return (PK_ERR_USAGE);
break;
case 'F':
if (okfmt == KMF_FORMAT_UNDEF)
return (PK_ERR_USAGE);
break;
case 't':
if (trustflags)
return (PK_ERR_USAGE);
break;
case 'v':
else
return (PK_ERR_USAGE);
break;
case 'E':
break;
case 's':
if (senstr)
return (PK_ERR_USAGE);
break;
case 'x':
if (extstr)
return (PK_ERR_USAGE);
break;
default:
return (PK_ERR_USAGE);
break;
}
}
/* Assume keystore = PKCS#11 if not specified */
if (kstype == 0)
/* Filename arg is required. */
if (EMPTYSTRING(filename)) {
"is required for the import operation.\n"));
return (PK_ERR_USAGE);
}
/* No additional args allowed. */
if (argc)
return (PK_ERR_USAGE);
/* if PUBLIC or PRIVATE obj was given, the old syntax was used. */
kstype != KMF_KEYSTORE_PK11TOKEN) {
"is only relevant if keystore=pkcs11\n"));
return (PK_ERR_USAGE);
}
/*
* You must specify a certlabel (cert label) when importing
* into NSS or PKCS#11.
*/
if (kstype == KMF_KEYSTORE_NSS &&
"is required for this operation\n"));
return (PK_ERR_USAGE);
}
/*
* Allow for raw key data to be imported.
*/
if (rv == KMF_ERR_ENCODING) {
/*
* Set the object class only if it was not
* given on the command line or if it was
* specified as a symmetric key object.
*/
} else {
"The input file does not contain the "
"object type indicated on command "
"line."));
return (KMF_ERR_BAD_PARAMETER);
}
} else {
gettext("File format not recognized."));
return (rv);
}
}
/* Check parameters for raw key import operation */
if (kfmt == KMF_FORMAT_RAWKEY) {
return (PK_ERR_USAGE);
}
kstype != KMF_KEYSTORE_PK11TOKEN) {
gettext("The sensitive or extractable option "
"applies only when importing a key from a file "
"into a PKCS#11 keystore.\n"));
return (PK_ERR_USAGE);
}
}
/* If no objtype was given, treat it as a certificate */
kfmt == KMF_FORMAT_PEM))
if (kstype == KMF_KEYSTORE_NSS) {
if (oclass == PK_CRL_OBJ &&
"CRL data can only be imported as DER or "
"PEM format"));
return (PK_ERR_USAGE);
}
if (oclass == PK_CERT_OBJ &&
"Certificates can only be imported as DER or "
"PEM format"));
return (PK_ERR_USAGE);
}
/* we do not import private keys except in PKCS12 bundles */
"Private key data can only be imported as part "
"of a PKCS12 file.\n"));
return (PK_ERR_USAGE);
}
}
"The 'outkey' and 'outcert' parameters "
"are required for the import operation "
"when the 'file' keystore is used.\n"));
return (PK_ERR_USAGE);
}
}
if (kfmt == KMF_FORMAT_PKCS12) {
(void) get_pk12_password(&pk12cred);
}
}
"KMF: 0x%02x\n"), rv);
goto end;
}
switch (kstype) {
case KMF_KEYSTORE_PK11TOKEN:
if (kfmt == KMF_FORMAT_PKCS12)
else if (oclass == PK_CERT_OBJ)
rv = pk_import_cert(
else if (oclass == PK_CRL_OBJ)
else if (kfmt == KMF_FORMAT_RAWKEY &&
oclass == PK_SYMKEY_OBJ) {
} else if (kfmt == KMF_FORMAT_PEM ||
kfmt == KMF_FORMAT_PEM_KEYPAIR) {
} else {
rv = PK_ERR_USAGE;
}
break;
case KMF_KEYSTORE_NSS:
if (kfmt == KMF_FORMAT_PKCS12)
else if (oclass == PK_CERT_OBJ) {
rv = pk_import_cert(
} else if (oclass == PK_CRL_OBJ) {
}
break;
case KMF_KEYSTORE_OPENSSL:
if (kfmt == KMF_FORMAT_PKCS12)
else if (oclass == PK_CRL_OBJ) {
} else
/*
* It doesn't make sense to import anything
* else for the files plugin.
*/
return (PK_ERR_USAGE);
break;
default:
rv = PK_ERR_USAGE;
break;
}
end:
gettext("Error importing objects"));
(void) kmf_finalize(kmfhandle);
return (PK_ERR_USAGE);
return (0);
}