/*

 * Copyright (C) 2010-2012 Free Software Foundation, Inc.

 * Copyright (C) 2015-2016 Red Hat, Inc.

 *

 * Author: Nikos Mavrogiannopoulos

 *

 * This file is part of GnuTLS.

 *

 * GnuTLS is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation, either version 3 of the License, or

 * (at your option) any later version.

 *

 * GnuTLS is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <https://www.gnu.org/licenses/>.

 */

#include <config.h>

#include <gnutls/gnutls.h>

#include <gnutls/pkcs11.h>

#include <gnutls/abstract.h>

#include <stdio.h>

#include <stdlib.h>

#include "p11tool.h"

#include "certtool-cfg.h"

#include "certtool-common.h"

#include <unistd.h>

#include <string.h>

#include <stdint.h>

#include <common.h>

#include <p11-kit/pkcs11.h>

#ifdef _WIN32

# define sleep(x) Sleep(x*1000)

#endif

static

char *get_single_token_url(common_info_st * info);

static char *_saved_url = NULL;

#define FIX(url, out, det, info) \

	if (url == NULL) { \

		url = get_single_token_url(info); \

		if (url == NULL) { \

			fprintf(stderr, "warning: no token URL was provided for this operation; the available tokens are:\n\n"); \

			pkcs11_token_list(out, det, info, 1); \

			app_exit(1); \

		} \

		_saved_url = (void*)url; \

	}

#define UNFIX gnutls_free(_saved_url);_saved_url = NULL

#define KEEP_LOGIN_FLAGS(flags) (flags & (GNUTLS_PKCS11_OBJ_FLAG_LOGIN|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO))

#define CHECK_LOGIN_FLAG(url, flags) \

	if ((flags & KEEP_LOGIN_FLAGS(flags)) == 0) { \

		unsigned _tflags; \

		int _r = gnutls_pkcs11_token_get_flags(url, &_tflags); \

		if (_r >= 0 && (_tflags & GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED)) { \

			flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN; \

			fprintf(stderr, \

				"note: assuming --login for this operation.\n"); \

		} else { \

			fprintf(stderr, \

				"warning: --login was not specified and it may be required for this operation.\n"); \

		} \

	}

void

pkcs11_delete(FILE * outfile, const char *url,

	      unsigned int login_flags, common_info_st * info)

{

	int ret;

	unsigned int obj_flags = 0;

	if (login_flags) obj_flags = login_flags;

	pkcs11_common(info);

	if (info->batch == 0) {

		pkcs11_list(outfile, url, PKCS11_TYPE_ALL, login_flags,

			    GNUTLS_PKCS11_URL_LIB, info);

		ret =

		    read_yesno

		    ("Are you sure you want to delete those objects? (y/N): ",

		     0);

		if (ret == 0) {

			app_exit(1);

		}

	}

	ret = gnutls_pkcs11_delete_url(url, obj_flags);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	fprintf(outfile, "\n%d objects deleted\n", ret);

	return;

}

static

const char *get_key_algo_type(gnutls_pkcs11_obj_type_t otype, const char *objurl, unsigned flags, time_t *exp)

{

	int ret;

	gnutls_pubkey_t pubkey = NULL;

	gnutls_privkey_t privkey = NULL;

	gnutls_x509_crt_t crt = NULL;

	static char str[256];

	const char *p;

	unsigned int bits;

	gnutls_pk_algorithm_t pk;

	gnutls_ecc_curve_t curve;

	if (exp)

		*exp = -1;

	switch (otype) {

		case GNUTLS_PKCS11_OBJ_X509_CRT:

			ret = gnutls_x509_crt_init(&crt;;

			if (ret < 0)

				goto fail;

			ret = gnutls_x509_crt_import_url(crt, objurl, flags);

			if (ret < 0)

				goto fail;

			ret = gnutls_x509_crt_get_pk_algorithm(crt, &bits);

			if (ret < 0)

				goto fail;

			pk = ret;

			p = gnutls_pk_get_name(pk);

			if (p) {

				if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {

					snprintf(str, sizeof(str), "%s-%d", p, bits);

					p = str;

				} else if (pk == GNUTLS_PK_ECDSA && gnutls_x509_crt_get_pk_ecc_raw(crt, &curve, NULL, NULL) >= 0) {

					snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));

					p = str;

				}

			}

			if (exp)

				*exp = gnutls_x509_crt_get_expiration_time(crt);

			gnutls_x509_crt_deinit(crt);

			return p;

		case GNUTLS_PKCS11_OBJ_PUBKEY:

			ret = gnutls_pubkey_init(&pubkey);

			if (ret < 0)

				goto fail;

			ret = gnutls_pubkey_import_url(pubkey, objurl, flags);

			if (ret < 0)

				goto fail;

			ret = gnutls_pubkey_get_pk_algorithm(pubkey, &bits);

			if (ret < 0)

				goto fail;

			pk = ret;

			p = gnutls_pk_get_name(pk);

			if (p) {

				if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {

					snprintf(str, sizeof(str), "%s-%d", p, bits);

					p = str;

				} else if (pk == GNUTLS_PK_ECDSA && gnutls_pubkey_export_ecc_raw(pubkey, &curve, NULL, NULL) >= 0) {

					snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));

					p = str;

				}

			}

			gnutls_pubkey_deinit(pubkey);

			return p;

		case GNUTLS_PKCS11_OBJ_PRIVKEY:

			ret = gnutls_privkey_init(&privkey);

			if (ret < 0)

				goto fail;

			ret = gnutls_privkey_import_url(privkey, objurl, flags);

			if (ret < 0)

				goto fail;

			ret = gnutls_privkey_get_pk_algorithm(privkey, &bits);

			if (ret < 0)

				goto fail;

			pk = ret;

			p = gnutls_pk_get_name(pk);

			if (p) {

				if ((pk == GNUTLS_PK_RSA || pk == GNUTLS_PK_DSA) && bits > 0) {

					snprintf(str, sizeof(str), "%s-%d", p, bits);

					p = str;

				} else if (pk == GNUTLS_PK_ECDSA && gnutls_privkey_export_ecc_raw(privkey, &curve, NULL, NULL, NULL) >= 0) {

					snprintf(str, sizeof(str), "%s-%s", p, gnutls_ecc_curve_get_name(curve));

					p = str;

				}

			}

			gnutls_privkey_deinit(privkey);

			return p;

		default:

 fail:

			if (crt)

				gnutls_x509_crt_deinit(crt);

			if (pubkey)

				gnutls_pubkey_deinit(pubkey);

			if (privkey)

				gnutls_privkey_deinit(privkey);

			return NULL;

	}

}

/* lists certificates from a token

 */

void

pkcs11_list(FILE * outfile, const char *url, int type, unsigned int flags,

	    unsigned int detailed, common_info_st * info)

{

	gnutls_pkcs11_obj_t *crt_list;

	unsigned int crt_list_size = 0, i, j;

	int ret, otype;

	char *output, *str;

	int attrs, print_exts = 0;

	gnutls_x509_ext_st *exts;

	unsigned exts_size;

	unsigned int obj_flags = flags;

	time_t exp;

	pkcs11_common(info);

	FIX(url, outfile, detailed, info);

	ret = gnutls_pkcs11_token_get_flags(url, &flags);

	if (ret < 0) {

		flags = 0;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED)

		print_exts = 1;

	if (type == PKCS11_TYPE_TRUSTED) {

		attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED;

	} else if (type == PKCS11_TYPE_PK) {

		attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_WITH_PRIVKEY;

	} else if (type == PKCS11_TYPE_CRT_ALL) {

		attrs = GNUTLS_PKCS11_OBJ_ATTR_CRT_ALL;

		if (print_exts != 0) print_exts++;

	} else if (type == PKCS11_TYPE_PRIVKEY) {

		attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;

	} else { /* also PKCS11_TYPE_INFO */

		attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;

	}

	/* give some initial value to avoid asking for the pkcs11 pin twice.

	 */

	ret =

	    gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size,

					       url, attrs, obj_flags);

	if (ret < 0) {

		fprintf(stderr, "Error in crt_list_import (1): %s\n",

			gnutls_strerror(ret));

		app_exit(1);

	}

	if (crt_list_size == 0) {

		fprintf(stderr, "No matching objects found\n");

		app_exit(2);

	}

	for (i = 0; i < crt_list_size; i++) {

		char buf[256];

		size_t size;

		const char *p;

		unsigned int oflags;

		const char *vendor;

		char *objurl;

		char timebuf[SIMPLE_CTIME_BUF_SIZE];

		ret =

		    gnutls_pkcs11_obj_export_url(crt_list[i], detailed,

						 &output);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		if (info->only_urls) {

			fprintf(outfile, "%s\n", output);

			gnutls_free(output);

			continue;

		} else {

			fprintf(outfile, "Object %d:\n\tURL: %s\n", i, output);

		}

		/* copy vendor query (e.g. pin-value) from the original URL */

		vendor = strrchr(url, '?');

		if (vendor) {

			objurl = gnutls_malloc(strlen(output) + strlen(vendor) + 1);

			strcpy(objurl, output);

			strcat(objurl, vendor);

		} else {

			objurl = gnutls_strdup(output);

		}

		p = NULL;

		otype = gnutls_pkcs11_obj_get_type(crt_list[i]);

		if (otype == GNUTLS_PKCS11_OBJ_PRIVKEY ||

		    otype == GNUTLS_PKCS11_OBJ_PUBKEY ||

		    otype == GNUTLS_PKCS11_OBJ_X509_CRT) {

			p = get_key_algo_type(otype, objurl, obj_flags, &exp);

		}

		if (p) {

			fprintf(outfile, "\tType: %s (%s)\n",

				gnutls_pkcs11_type_get_name(otype), p);

		} else {

			fprintf(outfile, "\tType: %s\n",

				gnutls_pkcs11_type_get_name(otype));

		}

		if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && exp != -1) {

			fprintf(outfile, "\tExpires: %s\n", simple_ctime(&exp, timebuf));

		}

		gnutls_free(output);

		gnutls_free(objurl);

		size = sizeof(buf);

		ret =

		    gnutls_pkcs11_obj_get_info(crt_list[i],

					       GNUTLS_PKCS11_OBJ_LABEL,

					       buf, &size);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		fprintf(outfile, "\tLabel: %s\n", buf);

		oflags = 0;

		ret = gnutls_pkcs11_obj_get_flags(crt_list[i], &oflags);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		str = gnutls_pkcs11_obj_flags_get_str(oflags);

		if (str != NULL) {

			fprintf(outfile, "\tFlags: %s\n", str);

			gnutls_free(str);

		}

		size = sizeof(buf);

		ret =

		    gnutls_pkcs11_obj_get_info(crt_list[i],

					       GNUTLS_PKCS11_OBJ_ID_HEX,

					       buf, &size);

		if (ret < 0) {

			if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {

				fprintf(outfile, "\tID: (too long)\n");

			} else {

				fprintf(stderr, "Error in %s:%d: %s\n", __func__,

					__LINE__, gnutls_strerror(ret));

				app_exit(1);

			}

		} else {

			fprintf(outfile, "\tID: %s\n", buf);

		}

		if (otype == GNUTLS_PKCS11_OBJ_X509_CRT && print_exts > 0) {

			ret = gnutls_pkcs11_obj_get_exts(crt_list[i], &exts, &exts_size, 0);

			if (ret >= 0 && exts_size > 0) {

				gnutls_datum_t txt;

				if (print_exts > 1) {

					fprintf(outfile, "\tAttached extensions:\n");

					ret = gnutls_x509_ext_print(exts, exts_size, 0, &txt);

					if (ret >= 0) {

						fprintf(outfile, "%s", (char*)txt.data);

						gnutls_free(txt.data);

					}

				} else {

					fprintf(outfile, "\tAttached extensions:");

					for (j=0;j

						fprintf(outfile, "%s%s", exts[j].oid, (j!=exts_size-1)?",":" ");

					}

				}

				for (j=0;j

					gnutls_x509_ext_deinit(&exts[j]);

				}

				gnutls_free(exts);

				fprintf(outfile, "\n");

			}

		}

		fprintf(outfile, "\n");

		gnutls_pkcs11_obj_deinit(crt_list[i]);

	}

	gnutls_free(crt_list);

	UNFIX;

	return;

}

#define TEST_DATA "Test data to sign"

void

pkcs11_test_sign(FILE * outfile, const char *url, unsigned int flags,

	    common_info_st * info)

{

	gnutls_privkey_t privkey;

	gnutls_pubkey_t pubkey;

	int ret;

	gnutls_datum_t data, sig = {NULL, 0};

	int pk;

	gnutls_digest_algorithm_t hash;

	gnutls_sign_algorithm_t sig_algo;

	pkcs11_common(info);

	FIX(url, outfile, 0, info);

	data.data = (void*)TEST_DATA;

	data.size = sizeof(TEST_DATA)-1;

	ret = gnutls_privkey_init(&privkey);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

			__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pubkey_init(&pubkey);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

			__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_privkey_import_url(privkey, url, flags);

	if (ret < 0) {

		fprintf(stderr, "Cannot import private key: %s\n",

			gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pubkey_import_privkey(pubkey, privkey, GNUTLS_KEY_DIGITAL_SIGNATURE, flags);

	if (ret < 0) {

		fprintf(stderr, "Cannot import public key: %s\n",

			gnutls_strerror(ret));

		app_exit(1);

	}

	pk = gnutls_privkey_get_pk_algorithm(privkey, NULL);

	if (info->hash == GNUTLS_DIG_UNKNOWN)

		hash = GNUTLS_DIG_SHA256;

	else

		hash = info->hash;

	if (info->rsa_pss_sign && pk == GNUTLS_PK_RSA)

		pk = GNUTLS_PK_RSA_PSS;

	sig_algo = gnutls_pk_to_sign(pk, hash);

	if (sig_algo == GNUTLS_SIGN_UNKNOWN) {

		fprintf(stderr, "No supported signature algorithm for %s and %s\n",

			gnutls_pk_get_name(pk), gnutls_digest_get_name(hash));

		app_exit(1);

	}

	fprintf(stderr, "Signing using %s... ", gnutls_sign_get_name(sig_algo));

	ret = gnutls_privkey_sign_data2(privkey, sig_algo, 0, &data, &sig);

	if (ret < 0) {

		fprintf(stderr, "Cannot sign data: %s\n",

			gnutls_strerror(ret));

		/* in case of unsupported signature algorithm allow

		 * calling apps to distinguish error codes (used

		 * by testpkcs11.sh */

		if (ret == GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM)

			app_exit(2);

		app_exit(1);

	}

	fprintf(stderr, "ok\n");

	fprintf(stderr, "Verifying against private key parameters... ");

	ret = gnutls_pubkey_verify_data2(pubkey, sig_algo,

					 0, &data, &sig);

	if (ret < 0) {

		fprintf(stderr, "Cannot verify signed data: %s\n",

			gnutls_strerror(ret));

		app_exit(1);

	}

	fprintf(stderr, "ok\n");

	/* now try to verify against a public key within the token */

	gnutls_pubkey_deinit(pubkey);

	ret = gnutls_pubkey_init(&pubkey);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

			__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pubkey_import_url(pubkey, url, flags);

	if (ret < 0) {

		fprintf(stderr, "Cannot find a corresponding public key object in token: %s\n",

			gnutls_strerror(ret));

		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)

			app_exit(0);

		app_exit(1);

	}

	fprintf(stderr, "Verifying against public key in the token... ");

	ret = gnutls_pubkey_verify_data2(pubkey, sig_algo,

					 0, &data, &sig);

	if (ret < 0) {

		fprintf(stderr, "Cannot verify signed data: %s\n",

			gnutls_strerror(ret));

		app_exit(1);

	}

	fprintf(stderr, "ok\n");

	gnutls_free(sig.data);

	gnutls_pubkey_deinit(pubkey);

	gnutls_privkey_deinit(privkey);

	UNFIX;

}

void

pkcs11_export(FILE * outfile, const char *url, unsigned int flags,

	      common_info_st * info)

{

	gnutls_pkcs11_obj_t obj;

	gnutls_datum_t t;

	int ret;

	unsigned int obj_flags = flags;

	pkcs11_common(info);

	FIX(url, outfile, 0, info);

	ret = gnutls_pkcs11_obj_init(&obj);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pkcs11_obj_export3(obj, info->outcert_format, &t);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	fwrite(t.data, 1, t.size, outfile);

	gnutls_free(t.data);

	if (info->outcert_format == GNUTLS_X509_FMT_PEM)

		fputs("\n\n", outfile);

	gnutls_pkcs11_obj_deinit(obj);

	UNFIX;

	return;

}

void

pkcs11_export_chain(FILE * outfile, const char *url, unsigned int flags,

	      common_info_st * info)

{

	gnutls_pkcs11_obj_t obj;

	gnutls_x509_crt_t xcrt;

	gnutls_datum_t t;

	int ret;

	unsigned int obj_flags = flags;

	pkcs11_common(info);

	FIX(url, outfile, 0, info);

	ret = gnutls_pkcs11_obj_init(&obj);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pkcs11_obj_import_url(obj, url, obj_flags);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	/* make a crt */

	ret = gnutls_x509_crt_init(&xcrt);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__, __LINE__,

			gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_x509_crt_import_pkcs11(xcrt, obj);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	ret = gnutls_pkcs11_obj_export3(obj, GNUTLS_X509_FMT_PEM, &t);

	if (ret < 0) {

		fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

		app_exit(1);

	}

	fwrite(t.data, 1, t.size, outfile);

	fputs("\n\n", outfile);

	gnutls_free(t.data);

	gnutls_pkcs11_obj_deinit(obj);

	do {

		ret = gnutls_pkcs11_get_raw_issuer(url, xcrt, &t, GNUTLS_X509_FMT_PEM, 0);

		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)

			break;

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

					__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		fwrite(t.data, 1, t.size, outfile);

		fputs("\n\n", outfile);

		gnutls_x509_crt_deinit(xcrt);

		ret = gnutls_x509_crt_init(&xcrt);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

					__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		ret = gnutls_x509_crt_import(xcrt, &t, GNUTLS_X509_FMT_PEM);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

					__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		gnutls_free(t.data);

		ret = gnutls_x509_crt_check_issuer(xcrt, xcrt);

		if (ret != 0) {

			/* self signed */

			break;

		}

	} while(1);

	UNFIX;

	return;

}

/* If there is a single token only present, return its URL.

 */

static

char *get_single_token_url(common_info_st * info)

{

	int ret;

	char *url = NULL, *t = NULL;

	pkcs11_common(info);

	ret = gnutls_pkcs11_token_get_url(0, 0, &url;;

	if (ret < 0)

		return NULL;

	ret = gnutls_pkcs11_token_get_url(1, 0, &t);

	if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

		gnutls_free(t);

		gnutls_free(url);

		return NULL;

	}

	return url;

}

static

void print_type(FILE *outfile, unsigned flags)

{

	unsigned print = 0;

	fputs("\tType: ", outfile);

	if (flags & GNUTLS_PKCS11_TOKEN_HW) {

		fputs("Hardware token", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_TRUSTED) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Trust module", outfile);

		print++;

	}

	if (print == 0)

		fputs("Generic token", outfile);

	fputc('\n', outfile);

	print = 0;

	fputs("\tFlags: ", outfile);

	if (flags & GNUTLS_PKCS11_TOKEN_RNG) {

		fputs("RNG", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_LOGIN_REQUIRED) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Requires login", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_PROTECTED_AUTHENTICATION_PATH) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("External PIN", outfile);

		print++;

	}

	if (!(flags & GNUTLS_PKCS11_TOKEN_INITIALIZED)) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Uninitialized", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_USER_PIN_COUNT_LOW) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("uPIN low count", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Final uPIN attempt", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_USER_PIN_FINAL_TRY) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("uPIN locked", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_SO_PIN_COUNT_LOW) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("SO-PIN low count", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Final SO-PIN attempt", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_SO_PIN_FINAL_TRY) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("SO-PIN locked", outfile);

		print++;

	}

	if (!(flags & GNUTLS_PKCS11_TOKEN_USER_PIN_INITIALIZED)) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("uPIN uninitialized", outfile);

		print++;

	}

	if (flags & GNUTLS_PKCS11_TOKEN_ERROR_STATE) {

		if (print != 0)

			fputs(", ", outfile);

		fputs("Error state", outfile);

		print++;

	}

	if (print == 0)

		fputs("Generic token", outfile);

	fputc('\n', outfile);

}

void

pkcs11_token_list(FILE * outfile, unsigned int detailed,

		  common_info_st * info, unsigned brief)

{

	int ret;

	int i;

	char *url;

	char buf[128];

	size_t size;

	unsigned flags;

	pkcs11_common(info);

	for (i = 0;; i++) {

		ret = gnutls_pkcs11_token_get_url(i, detailed, &url;;

		if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)

			break;

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		if (brief != 0) {

			fprintf(outfile, "%s\n", url);

			goto cont;

		} else {

			fprintf(outfile, "Token %d:\n\tURL: %s\n", i, url);

		}

		size = sizeof(buf);

		ret =

		    gnutls_pkcs11_token_get_info(url,

						 GNUTLS_PKCS11_TOKEN_LABEL,

						 buf, &size);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

			app_exit(1);

		}

		fprintf(outfile, "\tLabel: %s\n", buf);

		ret = gnutls_pkcs11_token_get_flags(url, &flags);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,

				__LINE__, gnutls_strerror(ret));

		} else {

			print_type(outfile, flags);

		}

		size = sizeof(buf);

		ret =

		    gnutls_pkcs11_token_get_info(url,

						 GNUTLS_PKCS11_TOKEN_MANUFACTURER,

						 buf, &size);

		if (ret < 0) {

			fprintf(stderr, "Error in %s:%d: %s\n", __func__,