changeset 10241:356a64b58ebc
6860037 pktool can't find certificate when there is only one on the token
6794511 Improved pktool Error Reporting
6744775 pktool error message for non-existant file could be better
author | Wyllys Ingersoll <wyllys.ingersoll@sun.com> |
date | Sat, 01 Aug 2009 11:59:47 -0700 |
parents | 63b037ea03d0 |
children | c40d075fbca6 |
files | usr/src/cmd/cmd-crypto/pktool/export.c usr/src/cmd/cmd-crypto/pktool/gencsr.c usr/src/cmd/cmd-crypto/pktool/import.c usr/src/cmd/cmd-crypto/pktool/pktool.c |
diffstat | 4 files changed, 63 insertions(+), 30 deletions(-) [+] |
--- a/usr/src/cmd/cmd-crypto/pktool/export.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/export.c Sat Aug 01 11:59:47 2009 -0700
@@ -19,12 +19,10 @@
 * CDDL HEADER END
 *
 *
- * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
-#pragma ident "%Z%%M% %I% %E% SMI"
-
 /*
 * This file implements the export operation for this tool.
 * The basic flow of the process is to find the soft token,
@@ -588,7 +586,7 @@
 static KMF_RETURN
 pk_export_pk11_objects(KMF_HANDLE_T kmfhandle, char *token_spec,
- char *certlabel, char *issuer, char *subject,
+ KMF_CREDENTIAL *cred, char *certlabel, char *issuer, char *subject,
 KMF_BIGINT *serial, KMF_ENCODE_FORMAT kfmt, char *filename)
 {
@@ -600,14 +598,18 @@
 rv = select_token(kmfhandle, token_spec, TRUE);
- if (rv != KMF_OK) {
+ if (rv != KMF_OK)
 return (rv);
- }
 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
 numattr++;
+ if (cred != NULL) {
+ kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
+ cred, sizeof (KMF_CREDENTIAL));
+ numattr++;
+ }
 if (certlabel != NULL) {
 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, certlabel,
@@ -867,10 +869,10 @@
 serial.len = bytelen;
 }
- if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
- kstype == KMF_KEYSTORE_NSS) &&
- (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ) ||
- kfmt == KMF_FORMAT_PKCS12)) {
+ if (kstype == KMF_KEYSTORE_PK11TOKEN ||
+ ((kstype == KMF_KEYSTORE_NSS) &&
+ (oclass & (PK_KEY_OBJ | PK_PRIVATE_OBJ))) ||
+ kfmt == KMF_FORMAT_PKCS12) {
 (void) get_token_password(kstype, token_spec, &tokencred);
 }
@@ -896,7 +898,7 @@
 certlabel, filename, oclass);
 else
 rv = pk_export_pk11_objects(kmfhandle,
- token_spec, certlabel,
+ token_spec, &tokencred, certlabel,
 issuer, subject, &serial, kfmt, filename);
 break;
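Review bot: The new `KMF_CREDENTIAL_ATTR` entry in the third hunk raises the number of attributes this function can push into `attrlist` by one, but the array's declared size is outside the hunk and nothing visible bounds `numattr` before the `kmf_set_attr_at_index` calls. It is worth confirming the declaration has room for the extra optional entry, and a comment on that declaration tying its size to the count of optional attributes would keep the next addition from overrunning it. pk_export_pk11_objects begins in the second hunk and its body continues outside the third.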
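Review bot: The rewritten condition in the fourth hunk drops the keystore qualifier from the `kfmt == KMF_FORMAT_PKCS12` arm, so `get_token_password` is now also reached when `kstype` is neither the PKCS#11 nor the NSS keystore and the output format is PKCS#12, whereas the removed code prompted only for those two keystores. If the file keystore can reach this point and that prompt is not intended, keep the arm qualified, `(kstype == KMF_KEYSTORE_NSS && kfmt == KMF_FORMAT_PKCS12)`, since the PKCS#11 case is already covered by the first arm; if it is intended, a one-line comment above the `if` explaining why the PKCS#11 token is now always unlocked (the single-certificate lookup fix named in the commit) would help the next reader. The enclosing function begins and ends outside the hunk.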
--- a/usr/src/cmd/cmd-crypto/pktool/gencsr.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/gencsr.c Sat Aug 01 11:59:47 2009 -0700
@@ -551,9 +551,15 @@
 altname = optarg_av;
 break;
 case 'i':
- if (interactive || subject)
+ if (interactive)
 return (PK_ERR_USAGE);
- else
+ else if (subject) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
 interactive = B_TRUE;
 break;
 case 'k':
@@ -562,9 +568,15 @@
 return (PK_ERR_USAGE);
 break;
 case 's':
- if (interactive || subject)
+ if (subject)
 return (PK_ERR_USAGE);
- else
+ else if (interactive) {
+ cryptoerror(LOG_STDERR,
+ gettext("Interactive (-i) and "
+ "subject options are mutually "
+ "exclusive.\n"));
+ return (PK_ERR_USAGE);
+ } else
 subject = optarg_av;
 break;
 case 'l':
@@ -798,10 +810,16 @@
 }
 end:
- if (rv != KMF_OK)
+ if (rv != KMF_OK) {
 display_error(kmfhandle, rv, gettext("Error creating CSR or keypair"));
+ if (rv == KMF_ERR_RDN_PARSER) {
+ cryptoerror(LOG_STDERR, gettext("subject or "
+ "issuer name must be in proper DN format.\n"));
+ }
+ }
+
 if (ekulist != NULL)
 free_eku_list(ekulist);
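Review bot: The new `else if (subject)` branch in the first hunk reports the -i/subject conflict, but the preceding `if (interactive) return (PK_ERR_USAGE);` still rejects a repeated `-i` with no message at all, the same silent usage failure this commit sets out to remove; the second hunk has the mirror-image split for `case 's'`, where a repeated `subject=` exits silently. Both branches also print the identical three-line `gettext` string, so a single `static` helper that calls `cryptoerror` with that text and returns `PK_ERR_USAGE` would remove the duplication and could serve the repeated-option case as well. The option-parsing switch begins and ends outside both hunks.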
--- a/usr/src/cmd/cmd-crypto/pktool/import.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/import.c Sat Aug 01 11:59:47 2009 -0700
@@ -960,6 +960,8 @@
 }
 if ((rv = kmf_get_file_format(filename, &kfmt)) != KMF_OK) {
+ char *kmferrstr = NULL;
+ KMF_RETURN rv2;
 /*
 * Allow for raw key data to be imported.
 */
@@ -981,8 +983,19 @@
 return (KMF_ERR_BAD_PARAMETER);
 }
 } else {
- cryptoerror(LOG_STDERR,
- gettext("File format not recognized."));
+ if (rv == KMF_ERR_OPEN_FILE) {
+ cryptoerror(LOG_STDERR,
+ gettext("Cannot open file (%s)\n."),
+ filename);
+ } else {
+ rv2 = kmf_get_kmf_error_str(rv, &kmferrstr);
+ if (rv2 == KMF_OK && kmferrstr) {
+ cryptoerror(LOG_STDERR,
+ gettext("libkmf error: %s"),
+ kmferrstr);
+ kmf_free_str(kmferrstr);
+ }
+ }
 return (rv);
 }
 }
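Review bot: The new open-failure message in the second hunk places the newline before the period, `gettext("Cannot open file (%s)\n.")`, so the output ends with a stray `.` on a line of its own; it should read `gettext("Cannot open file (%s).\n")`. In the other branch, when `kmf_get_kmf_error_str` does not return `KMF_OK` or hands back a NULL string, nothing is printed at all, whereas the removed code always emitted "File format not recognized."; an `else` on the `rv2 == KMF_OK && kmferrstr` test that falls back to that message keeps the user informed on every path. `kmferrstr` and `rv2` are declared in the first hunk; the enclosing function begins and ends outside both hunks.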
--- a/usr/src/cmd/cmd-crypto/pktool/pktool.c Sat Aug 01 09:46:31 2009 -0700
+++ b/usr/src/cmd/cmd-crypto/pktool/pktool.c Sat Aug 01 11:59:47 2009 -0700
@@ -296,10 +296,10 @@
 #define GENCERT_VERB "gencert"
 #define GENCERT_SUMM gettext("creates a self-signed X.509v3 certificate")
 #define GENCERT_SYN \
- "gencert [-i] keystore=nss\n\t\t" \
+ "gencert keystore=nss\n\t\t" \
 "label=cert-nickname\n\t\t" \
 "serial=serial number hex string]\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -311,10 +311,10 @@
 "[ eku=[critical:]EKU name,...]\n\t\t" \
 "[ lifetime=number-hour|number-day|number-year ]\n\t" \
 \
- "gencert [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencert [ keystore=pkcs11 ]\n\t\t" \
 "label=key/cert-label\n\t\t" \
- "subject=subject-DN\n\t\t" \
 "serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -323,11 +323,11 @@
 "[ eku=[critical:]EKU name,...]\n\t\t" \
 "[ lifetime=number-hour|number-day|number-year ]\n\t" \
 \
- "gencert [-i] keystore=file\n\t\t" \
+ "gencert keystore=file\n\t\t" \
 "outcert=cert_filename\n\t\t" \
 "outkey=key_filename\n\t\t" \
- "subject=subject-DN\n\t\t" \
 "serial=serial number hex string\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ format=der|pem ]\n\t\t" \
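Review bot: The new synopsis line `"[ -i ] | [subject=subject-DN]\n\t\t"` mixes two bracket styles on one line, `[ -i ]` with inner spaces and `[subject=subject-DN]` without, while every surrounding optional argument is written `[ name=... ]`; writing it `"[ -i ] | [ subject=subject-DN ]\n\t\t"` keeps the usage text uniform. The same line is added in all six GENCERT_SYN and GENCSR_SYN hunks, the three here and the three that follow. The context line `"serial=serial number hex string]\n\t\t"` in the first hunk carries a stray `]` that predates this change; since the neighbouring lines are being edited anyway it could be removed in the same commit.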
@@ -343,10 +343,10 @@
 "request file")
 #define GENCSR_SYN \
- "gencsr [-i] keystore=nss \n\t\t" \
+ "gencsr keystore=nss \n\t\t" \
 "nickname=cert-nickname\n\t\t" \
 "outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -357,10 +357,10 @@
 "[ eku=[critical:]EKU name,...]\n\t\t" \
 "[ format=pem|der ]\n\t" \
 \
- "gencsr [-i] [ keystore=pkcs11 ]\n\t\t" \
+ "gencsr [ keystore=pkcs11 ]\n\t\t" \
 "label=key-label\n\t\t" \
 "outcsr=csr-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ token=token[:manuf[:serial]]]\n\t\t" \
@@ -369,10 +369,10 @@
 "[ eku=[critical:]EKU name,...]\n\t\t" \
 "[ format=pem|der ]]\n\t" \
 \
- "gencsr [-i] keystore=file\n\t\t" \
+ "gencsr keystore=file\n\t\t" \
 "outcsr=csr-fn\n\t\t" \
 "outkey=key-fn\n\t\t" \
- "subject=subject-DN\n\t\t" \
+ "[ -i ] | [subject=subject-DN]\n\t\t" \
 "[ altname=[critical:]SubjectAltName ]\n\t\t" \
 "[ keyusage=[critical:]usage,usage,...]\n\t\t" \
 "[ keytype=rsa|dsa ]\n\t\t" \