6860037 pktool can't find certificate when there is only one on the token
authorWyllys Ingersoll <wyllys.ingersoll@sun.com>
Sat, 01 Aug 2009 11:59:47 -0700
changeset 10241 356a64b58ebc
parent 10240 63b037ea03d0
child 10242 c40d075fbca6
6860037 pktool can't find certificate when there is only one on the token 6794511 Improved pktool Error Reporting 6744775 pktool error message for non-existant file could be better
usr/src/cmd/cmd-crypto/pktool/export.c
usr/src/cmd/cmd-crypto/pktool/gencsr.c
usr/src/cmd/cmd-crypto/pktool/import.c
usr/src/cmd/cmd-crypto/pktool/pktool.c
--- a/usr/src/cmd/cmd-crypto/pktool/export.c	Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/export.c	Sat Aug 01 11:59:47 2009 -0700
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  *
  *
- * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 /*
  * This file implements the export operation for this tool.
  * The basic flow of the process is to find the soft token,
@@ -588,7 +586,7 @@
 
 static KMF_RETURN
 pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
-	char *certlabel, char *issuer, char *subject,
+	KMF_CREDENTIAL *cred, char *certlabel, char *issuer, char *subject,
 	KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt,
 	char *filename)
 {
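Review bot: The new `cred` parameter carries the token credential, but nothing at the definition says whether it may be NULL or who owns it; the body (in the following hunk) only attaches it as KMF_CREDENTIAL_ATTR when it is non-NULL, so a caller reading the signature alone cannot tell that NULL is accepted. Add a short comment above the function: `/* cred: token credential attached as KMF_CREDENTIAL_ATTR for the object lookup; may be NULL; caller retains ownership and is responsible for clearing it. */`. pk_export_pk11_objects's body continues past this hunk.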
@@ -600,14 +598,18 @@
 
 	rv = select_token(kmfhandle, token_spec, TRUE);
 
-	if (rv != KMF_OK) {
+	if (rv != KMF_OK)
 		return (rv);
-	}
 
 	kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
 	    &kstype, sizeof (kstype));
 	numattr++;
 
+	if (cred != NULL) {
+		kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
+		    cred, sizeof (KMF_CREDENTIAL));
+		numattr++;
+	}
 	if (certlabel != NULL) {
 		kmf_set_attr_at_index(attrlist, numattr,
 		    KMF_CERT_LABEL_ATTR, certlabel,
@@ -867,10 +869,10 @@
 		serial.len = bytelen;
 	}
 
-	if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
-	    kstype == KMF_KEYSTORE_NSS) &&
-	    (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) ||
-	    kfmt == KMF_FORMAT_PKCS12)) {
+	if (kstype == KMF_KEYSTORE_PK11TOKEN ||
+	    ((kstype == KMF_KEYSTORE_NSS) &&
+	    (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) ||
+	    kfmt == KMF_FORMAT_PKCS12) {
 			(void) get_token_password(kstype, token_spec,
 			    &tokencred);
 	}
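Review bot: The result of get_token_password() is still cast to void, and with the new condition the pkcs11 path now always forwards `&tokencred` to pk_export_pk11_objects (the `token_spec, &tokencred, certlabel` call in the following hunk), so a failed or cancelled prompt leaves whatever tokencred holds being attached as the keystore credential; the `cred != NULL` guard in the callee cannot catch that because the pointer is never NULL from this caller. Check the return value and stop the export on failure instead of discarding it, or pass NULL when no credential was obtained. The rewritten condition also changes behaviour for a plain certificate export from a pkcs11 token, which now prompts for a PIN where it did not before; a one-line comment naming the reason (6860037) would stop the next reader from "fixing" it back. I cannot see from this hunk whether tokencred is zero-initialised before the prompt or wiped after the export; worth confirming, since it holds the PIN.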
@@ -896,7 +898,7 @@
 				    certlabel, filename, oclass);
 			else
 				rv = pk_export_pk11_objects(kmfhandle,
-				    token_spec, certlabel,
+				    token_spec, &tokencred, certlabel,
 				    issuer, subject, &serial, kfmt,
 				    filename);
 			break;
--- a/usr/src/cmd/cmd-crypto/pktool/gencsr.c	Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/gencsr.c	Sat Aug 01 11:59:47 2009 -0700
@@ -551,9 +551,15 @@
 				altname = optarg_av;
 				break;
 			case 'i':
-				if (interactive || subject)
+				if (interactive)
 					return (PK_ERR_USAGE);
-				else
+				else if (subject) {
+					cryptoerror(LOG_STDERR,
+					    gettext("Interactive (-i) and "
+					    "subject options are mutually "
+					    "exclusive.\n"));
+					return (PK_ERR_USAGE);
+				} else
 					interactive = B_TRUE;
 				break;
 			case 'k':
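Review bot: The mutual-exclusion message is spelled out twice, here and in the `case 's'` hunk below, which doubles the translatable string and lets the two copies drift; hoisting it into a single `static const char *` (or a small helper such as `usage_conflict("-i", "subject")`) keeps them identical. The new `else if (subject) { ... } else` places a braced branch between two unbraced arms, which is the shape that hides a stray statement; brace all three arms or none, whichever the file's cstyle prefers. The repeated-option branch (`-i` given twice) still returns PK_ERR_USAGE with no message while the conflict branch explains itself, so two equally invalid invocations get different feedback. The enclosing option loop starts before this hunk.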
@@ -562,9 +568,15 @@
 					return (PK_ERR_USAGE);
 				break;
 			case 's':
-				if (interactive || subject)
+				if (subject)
 					return (PK_ERR_USAGE);
-				else
+				else if (interactive) {
+					cryptoerror(LOG_STDERR,
+					    gettext("Interactive (-i) and "
+					    "subject options are mutually "
+					    "exclusive.\n"));
+					return (PK_ERR_USAGE);
+				} else
 					subject = optarg_av;
 				break;
 			case 'l':
@@ -798,10 +810,16 @@
 	}
 
 end:
-	if (rv != KMF_OK)
+	if (rv != KMF_OK) {
 		display_error(kmfhandle, rv,
 		    gettext("Error creating CSR or keypair"));
 
+		if (rv == KMF_ERR_RDN_PARSER) {
+			cryptoerror(LOG_STDERR, gettext("subject or "
+			    "issuer name must be in proper DN format.\n"));
+		}
+	}
+
 	if (ekulist != NULL)
 		free_eku_list(ekulist);
 
--- a/usr/src/cmd/cmd-crypto/pktool/import.c	Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c	Sat Aug 01 11:59:47 2009 -0700
@@ -960,6 +960,8 @@
 	}
 
 	if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) {
+		char *kmferrstr = NULL;
+		KMF_RETURN rv2;
 		/*
 		 * Allow for raw key data to be imported.
 		 */
@@ -981,8 +983,19 @@
 				return (KMF_ERR_BAD_PARAMETER);
 			}
 		} else {
-			cryptoerror(LOG_STDERR,
-			    gettext("File format not recognized."));
+			if (rv == KMF_ERR_OPEN_FILE) {
+				cryptoerror(LOG_STDERR,
+				    gettext("Cannot open file (%s)\n."),
+				    filename);
+			} else {
+				rv2 = kmf_get_kmf_error_str(rv, &kmferrstr);
+				if (rv2 == KMF_OK && kmferrstr) {
+					cryptoerror(LOG_STDERR,
+					    gettext("libkmf error: %s"),
+					    kmferrstr);
+					kmf_free_str(kmferrstr);
+				}
+			}
 			return (rv);
 		}
 	}
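Review bot: The format string `gettext("Cannot open file (%s)\n.")` puts the newline before the period, so the message prints as "Cannot open file (x)" followed by a lone "." on the next line; it should read `gettext("Cannot open file (%s).\n")`. The other branch prints nothing when kmf_get_kmf_error_str() fails or returns a NULL string and then returns rv silently, which loses the unconditional "File format not recognized." the hunk removed; keep that text as the fallback, e.g. `} else { cryptoerror(LOG_STDERR, gettext("File format not recognized.\n")); }` after the `kmf_free_str` branch. The two new messages also disagree on the trailing newline (`libkmf error: %s` has none); pick one convention depending on whether cryptoerror() appends a newline itself, which this hunk does not show.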
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c	Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c	Sat Aug 01 11:59:47 2009 -0700
@@ -296,10 +296,10 @@
 #define	GENCERT_VERB "gencert"
 #define	GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
 #define	GENCERT_SYN \
-	"gencert [-i] keystore=nss\n\t\t" \
+	"gencert keystore=nss\n\t\t" \
 	"label=cert-nickname\n\t\t" \
 	"serial=serial number hex string]\n\t\t" \
-	"subject=subject-DN\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ token=token[:manuf[:serial]]]\n\t\t" \
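Review bot: `"[ -i ] | [subject=subject-DN]"` brackets each alternative on its own, which in usage notation reads as two independent optional items and leaves the `|` meaning nothing, whereas the gencsr.c change in this commit makes the two mutually exclusive; if exactly one must be supplied write `{ -i | subject=subject-DN }`, and if both may be omitted write `[ -i | subject=subject-DN ]`. The same line recurs in every synopsis block touched in this file, so whichever form is chosen should be applied to all of them. The unchanged line just above, `"serial=serial number hex string]\n\t\t"`, carries a stray closing bracket that the other synopses do not have; since this block is being reworked it is a cheap fix to fold in.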
@@ -311,10 +311,10 @@
 	"[ eku=[critical:]EKU name,...]\n\t\t" \
 	"[ lifetime=number-hour|number-day|number-year ]\n\t" \
  \
-	"gencert [-i] [ keystore=pkcs11 ]\n\t\t" \
+	"gencert [ keystore=pkcs11 ]\n\t\t" \
 	"label=key/cert-label\n\t\t" \
-	"subject=subject-DN\n\t\t" \
 	"serial=serial number hex string\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -323,11 +323,11 @@
 	"[ eku=[critical:]EKU name,...]\n\t\t" \
 	"[ lifetime=number-hour|number-day|number-year ]\n\t" \
  \
-	"gencert [-i] keystore=file\n\t\t" \
+	"gencert keystore=file\n\t\t" \
 	"outcert=cert_filename\n\t\t" \
 	"outkey=key_filename\n\t\t" \
-	"subject=subject-DN\n\t\t" \
 	"serial=serial number hex string\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ format=der|pem ]\n\t\t" \
@@ -343,10 +343,10 @@
 	"request file")
 
 #define	GENCSR_SYN \
-	"gencsr [-i] keystore=nss \n\t\t" \
+	"gencsr keystore=nss \n\t\t" \
 	"nickname=cert-nickname\n\t\t" \
 	"outcsr=csr-fn\n\t\t" \
-	"subject=subject-DN\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -357,10 +357,10 @@
 	"[ eku=[critical:]EKU name,...]\n\t\t" \
 	"[ format=pem|der ]\n\t" \
  \
-	"gencsr [-i] [ keystore=pkcs11 ]\n\t\t" \
+	"gencsr [ keystore=pkcs11 ]\n\t\t" \
 	"label=key-label\n\t\t" \
 	"outcsr=csr-fn\n\t\t" \
-	"subject=subject-DN\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -369,10 +369,10 @@
 	"[ eku=[critical:]EKU name,...]\n\t\t" \
 	"[ format=pem|der ]]\n\t" \
  \
-	"gencsr [-i] keystore=file\n\t\t" \
+	"gencsr keystore=file\n\t\t" \
 	"outcsr=csr-fn\n\t\t" \
 	"outkey=key-fn\n\t\t" \
-	"subject=subject-DN\n\t\t" \
+	"[ -i ] | [subject=subject-DN]\n\t\t" \
 	"[ altname=[critical:]SubjectAltName ]\n\t\t" \
 	"[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 	"[ keytype=rsa|dsa ]\n\t\t" \