6860037 pktool can't find certificate when there is only one on the token
6794511 Improved pktool Error Reporting
6744775 pktool error message for non-existant file could be better
--- a/usr/src/cmd/cmd-crypto/pktool/export.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/export.c Sat Aug 01 11:59:47 2009 -0700
@@ -19,12 +19,10 @@
* CDDL HEADER END
*
*
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
/*
* This file implements the export operation for this tool.
* The basic flow of the process is to find the soft token,
@@ -588,7 +586,7 @@
static KMF_RETURN
pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
- char *certlabel, char *issuer, char *subject,
+ KMF_CREDENTIAL *cred, char *certlabel, char *issuer, char *subject,
KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt,
char *filename)
{
@@ -600,14 +598,18 @@
rv = select_token(kmfhandle, token_spec, TRUE);
- if (rv != KMF_OK) {
+ if (rv != KMF_OK)
return (rv);
- }
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
+ if (cred != NULL) {
+ kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
+ cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
if (certlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CERT_LABEL_ATTR, certlabel,
@@ -867,10 +869,10 @@
serial.len = bytelen;
}
- if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
- kstype == KMF_KEYSTORE_NSS) &&
- (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) ||
- kfmt == KMF_FORMAT_PKCS12)) {
+ if (kstype == KMF_KEYSTORE_PK11TOKEN ||
+ ((kstype == KMF_KEYSTORE_NSS) &&
+ (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) ||
+ kfmt == KMF_FORMAT_PKCS12) {
(void) get_token_password(kstype, token_spec,
&tokencred);
}
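Review bot: The rewritten condition drops the keystore guard from the `kfmt == KMF_FORMAT_PKCS12` term, so `get_token_password()` is now also reached when `kstype` is neither PK11TOKEN nor NSS (the file keystore), which the old condition excluded; if that is intended, say so in a comment, otherwise keep the term inside the NSS parenthesis: `((kstype == KMF_KEYSTORE_NSS) && (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) || kfmt == KMF_FORMAT_PKCS12))`. The result of `get_token_password()` is still discarded by the `(void)` cast, so a failed or aborted prompt leaves `tokencred` unset and the export continues with an empty credential, producing a later, less specific error than the one this commit is trying to improve; propagating that return value here would be cheap. The function enclosing this hunk starts and ends outside it.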
@@ -896,7 +898,7 @@
certlabel, filename, oclass);
else
rv = pk_export_pk11_objects(kmfhandle,
- token_spec, certlabel,
+ token_spec, &tokencred, certlabel,
issuer, subject, &serial, kfmt,
filename);
break;
--- a/usr/src/cmd/cmd-crypto/pktool/gencsr.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/gencsr.c Sat Aug 01 11:59:47 2009 -0700
@@ -551,9 +551,15 @@
altname = optarg_av;
break;
case 'i':
- if (interactive || subject)
+ if (interactive)
return (PK_ERR_USAGE);
- else
+ else if (subject) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
interactive = B_TRUE;
break;
case 'k':
@@ -562,9 +568,15 @@
return (PK_ERR_USAGE);
break;
case 's':
- if (interactive || subject)
+ if (subject)
return (PK_ERR_USAGE);
- else
+ else if (interactive) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
subject = optarg_av;
break;
case 'l':
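Review bot: The mutual-exclusion message in the `'s'` case is a verbatim copy of the one added to the `'i'` case, so the two strings will drift apart under maintenance and translation; a small file-scope helper such as `static void mutex_usage_error(void) { cryptoerror(LOG_STDERR, gettext("Interactive (-i) and subject options are mutually exclusive.\n")); }` called from both arms keeps a single copy. The final `} else` arm is unbraced while its sibling arms are braced; bracing it keeps the case uniform and avoids the dangling-statement trap when someone adds a line there. The switch these cases belong to starts before the hunk.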
@@ -798,10 +810,16 @@
}
end:
- if (rv != KMF_OK)
+ if (rv != KMF_OK) {
display_error(kmfhandle, rv,
gettext("Error creating CSR or keypair"));
+ if (rv == KMF_ERR_RDN_PARSER) {
+ cryptoerror(LOG_STDERR, gettext("subject or "
+ "issuer name must be in proper DN format.\n"));
+ }
+ }
+
if (ekulist != NULL)
free_eku_list(ekulist);
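Review bot: The hint added for `KMF_ERR_RDN_PARSER` speaks of the "subject or issuer name", but the gencsr option parsing visible in this diff accepts a subject (the `'s'` case) and no issuer, so the message points the user at an option that does not seem to exist here; unless gencsr takes an issuer elsewhere, `gettext("subject name must be in proper DN format.\n")` is the accurate wording. The function ending at `end:` begins before the hunk.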
--- a/usr/src/cmd/cmd-crypto/pktool/import.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c Sat Aug 01 11:59:47 2009 -0700
@@ -960,6 +960,8 @@
}
if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) {
+ char *kmferrstr = NULL;
+ KMF_RETURN rv2;
/*
* Allow for raw key data to be imported.
*/
@@ -981,8 +983,19 @@
return (KMF_ERR_BAD_PARAMETER);
}
} else {
- cryptoerror(LOG_STDERR,
- gettext("File format not recognized."));
+ if (rv == KMF_ERR_OPEN_FILE) {
+ cryptoerror(LOG_STDERR,
+ gettext("Cannot open file (%s)\n."),
+ filename);
+ } else {
+ rv2 = kmf_get_kmf_error_str(rv, &kmferrstr);
+ if (rv2 == KMF_OK && kmferrstr) {
+ cryptoerror(LOG_STDERR,
+ gettext("libkmf error: %s"),
+ kmferrstr);
+ kmf_free_str(kmferrstr);
+ }
+ }
return (rv);
}
}
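Review bot: The new open-failure message `gettext("Cannot open file (%s)\n.")` puts the period after the newline, so the user sees a lone `.` on the following line; it should read `gettext("Cannot open file (%s).\n")`. In the other branch nothing is printed when `kmf_get_kmf_error_str()` fails or hands back a NULL string, which silently drops the old "File format not recognized." diagnostic that this hunk removes; keep it as the fallback with `} else { cryptoerror(LOG_STDERR, gettext("File format not recognized.")); }` on that inner `if`. The `if ((rv = kmf_get_file_format(...)` block this hunk modifies opens in the previous hunk.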
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c Sat Aug 01 11:59:47 2009 -0700
@@ -296,10 +296,10 @@
#define GENCERT_VERB "gencert"
#define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
#define GENCERT_SYN \
- "gencert [-i] keystore=nss\n\t\t" \
+ "gencert keystore=nss\n\t\t" \
"label=cert-nickname\n\t\t" \
"serial=serial number hex string]\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
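Review bot: The context line `"serial=serial number hex string]\n\t\t"` near the top of this GENCERT_SYN hunk carries a stray `]` with no opening bracket, so the NSS usage text still prints unbalanced after the rewrite; since the adjacent lines are already being retouched, drop it: `"serial=serial number hex string\n\t\t"`. The new `[ -i ] | [subject=subject-DN]` notation marks both alternatives as optional; if exactly one of them is required (the gencsr parser in this diff rejects the pair together but is silent on neither), `{ -i | subject=subject-DN }` says so, and whichever form is chosen should be used consistently across the gencert and gencsr variants. The macro continues past the hunk.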
@@ -311,10 +311,10 @@
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ lifetime=number-hour|number-day|number-year ]\n\t" \
\
- "gencert [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencert [ keystore=pkcs11 ]\n\t\t" \
"label=key/cert-label\n\t\t" \
- "subject=subject-DN\n\t\t" \
"serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -323,11 +323,11 @@
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ lifetime=number-hour|number-day|number-year ]\n\t" \
\
- "gencert [-i] keystore=file\n\t\t" \
+ "gencert keystore=file\n\t\t" \
"outcert=cert_filename\n\t\t" \
"outkey=key_filename\n\t\t" \
- "subject=subject-DN\n\t\t" \
"serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ format=der|pem ]\n\t\t" \
@@ -343,10 +343,10 @@
"request file")
#define GENCSR_SYN \
- "gencsr [-i] keystore=nss \n\t\t" \
+ "gencsr keystore=nss \n\t\t" \
"nickname=cert-nickname\n\t\t" \
"outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -357,10 +357,10 @@
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ format=pem|der ]\n\t" \
\
- "gencsr [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencsr [ keystore=pkcs11 ]\n\t\t" \
"label=key-label\n\t\t" \
"outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -369,10 +369,10 @@
"[ eku=[critical:]EKU name,...]\n\t\t" \
"[ format=pem|der ]]\n\t" \
\
- "gencsr [-i] keystore=file\n\t\t" \
+ "gencsr keystore=file\n\t\t" \
"outcsr=csr-fn\n\t\t" \
"outkey=key-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
"[ altname=[critical:]SubjectAltName ]\n\t\t" \
"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
"[ keytype=rsa|dsa ]\n\t\t" \
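Review bot: The context line `"[ format=pem|der ]]\n\t"` at the top of this hunk has a doubled closing bracket (the gencsr NSS variant earlier in the diff prints `[ format=pem|der ]`), so the pkcs11 gencsr usage still shows a typo after this reformatting; fix it to `"[ format=pem|der ]\n\t"` while the surrounding lines are being rewritten. The macro continues past the hunk.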