/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

** symkeyutil.c

**

** utility for managing symetric keys in the database or the token

**

*/

/*

 * Wish List for this utility:

 *  1) Display and Set the CKA_ operation flags for the key.

 *  2) Modify existing keys

 *  3) Copy keys

 *  4) Read CKA_ID and display for keys.

 *  5) Option to store CKA_ID in a file on key creation.

 *  6) Encrypt, Decrypt, Hash, and Mac with generated keys.

 *  7) Use asymetric keys to wrap and unwrap keys.

 *  8) Derive.

 *  9) PBE keys.

 */

#include <stdio.h>

#include <string.h>

#include "secutil.h"

#include "nspr.h"

#include "pk11func.h"

#include "secasn1.h"

#include "cert.h"

#include "cryptohi.h"

#include "secoid.h"

#include "certdb.h"

#include "nss.h"

typedef struct _KeyTypes {

    CK_KEY_TYPE	keyType;

    CK_MECHANISM_TYPE mechType;

    CK_MECHANISM_TYPE wrapMech;

    char *label;

} KeyTypes;

static KeyTypes keyArray[] = {

#ifdef RECOGNIZE_ASYMETRIC_TYPES

    { CKK_RSA, CKM_RSA_PKCS, CKM_RSA_PKCS, "rsa" },

    { CKK_DSA, CKM_DSA, CKM_INVALID_MECHANISM, "dsa" },

    { CKK_DH, CKM_DH_PKCS_DERIVE, CKM_INVALID_MECHANISM, "dh" },

    { CKK_EC, CKM_ECDSA, CKM_INVALID_MECHANISM, "ec" },

    { CKK_X9_42_DH, CKM_X9_42_DH_DERIVE, CKM_INVALID_MECHANISM, "x9.42dh" },

    { CKK_KEA, CKM_KEA_KEY_DERIVE, CKM_INVALID_MECHANISM, "kea" },

#endif

    { CKK_GENERIC_SECRET, CKM_SHA_1_HMAC, CKM_INVALID_MECHANISM, "generic" },

    { CKK_RC2, CKM_RC2_CBC, CKM_RC2_ECB,"rc2" },

    /* don't define a wrap mech for RC-4 since it's note really safe */

    { CKK_RC4, CKM_RC4, CKM_INVALID_MECHANISM, "rc4" }, 

    { CKK_DES, CKM_DES_CBC, CKM_DES_ECB,"des" },

    { CKK_DES2, CKM_DES2_KEY_GEN, CKM_DES3_ECB, "des2" },

    { CKK_DES3, CKM_DES3_KEY_GEN, CKM_DES3_ECB, "des3" },

    { CKK_CAST, CKM_CAST_CBC, CKM_CAST_ECB, "cast" },

    { CKK_CAST3, CKM_CAST3_CBC, CKM_CAST3_ECB, "cast3" },

    { CKK_CAST5, CKM_CAST5_CBC, CKM_CAST5_ECB, "cast5" },

    { CKK_CAST128, CKM_CAST128_CBC, CKM_CAST128_ECB, "cast128" },

    { CKK_RC5, CKM_RC5_CBC, CKM_RC5_ECB, "rc5" },

    { CKK_IDEA, CKM_IDEA_CBC, CKM_IDEA_ECB, "idea" },

    { CKK_SKIPJACK, CKM_SKIPJACK_CBC64, CKM_SKIPJACK_WRAP, "skipjack" },

    { CKK_BATON, CKM_BATON_CBC128, CKM_BATON_WRAP, "baton" },

    { CKK_JUNIPER, CKM_JUNIPER_CBC128, CKM_JUNIPER_WRAP, "juniper" },

    { CKK_CDMF, CKM_CDMF_CBC, CKM_CDMF_ECB, "cdmf" },

    { CKK_AES, CKM_AES_CBC, CKM_AES_ECB, "aes" },

    { CKK_CAMELLIA, CKM_CAMELLIA_CBC, CKM_CAMELLIA_ECB, "camellia" },

};

static int keyArraySize = sizeof(keyArray)/sizeof(keyArray[0]);

int

GetLen(PRFileDesc* fd)

{

    PRFileInfo info;

    if (PR_SUCCESS != PR_GetOpenFileInfo(fd, &info)) {

        return -1;

    }

    return info.size;

}

int

ReadBuf(char *inFile, SECItem *item)

{

    int len;

    int ret;

    PRFileDesc* fd = PR_Open(inFile, PR_RDONLY, 0);

    if (NULL == fd) {

        SECU_PrintError("symkeyutil", "PR_Open failed");

	return -1;

    }

    len = GetLen(fd);

    if (len < 0) {

	SECU_PrintError("symkeyutil", "PR_GetOpenFileInfo failed");

	return -1;

    }

    item->data = (unsigned char *)PORT_Alloc(len);

    if (item->data == NULL) {

	fprintf(stderr,"Failed to allocate %d to read file %s\n",len,inFile);

	return -1;

    }

    ret = PR_Read(fd,item->data,item->len);

    if (ret < 0) {

	SECU_PrintError("symkeyutil", "PR_Read failed");

	PORT_Free(item->data);

	item->data = NULL;

	return -1;

    }

    PR_Close(fd);

    item->len = len;

    return 0;

}

int

WriteBuf(char *inFile, SECItem *item)

{

    int ret;

    PRFileDesc* fd = PR_Open(inFile, PR_WRONLY|PR_CREATE_FILE, 0x200);

    if (NULL == fd) {

        SECU_PrintError("symkeyutil", "PR_Open failed");

	return -1;

    }

    ret = PR_Write(fd,item->data,item->len);

    if (ret < 0) {

	SECU_PrintError("symkeyutil", "PR_Write failed");

	return -1;

    }

    PR_Close(fd);

    return 0;

}

CK_KEY_TYPE

GetKeyTypeFromString(const char *keyString)

{

    int i;

    for (i=0; i < keyArraySize; i++) {

	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {

	    return keyArray[i].keyType;

	}

    }

    return (CK_KEY_TYPE)-1;

}

CK_MECHANISM_TYPE

GetKeyMechFromString(const char *keyString)

{

    int i;

    for (i=0; i < keyArraySize; i++) {

	if (PL_strcasecmp(keyString,keyArray[i].label) == 0) {

	    return keyArray[i].mechType;

	}

    }

    return (CK_MECHANISM_TYPE)-1;

}

const char *

GetStringFromKeyType(CK_KEY_TYPE type)

{

    int i;

    for (i=0; i < keyArraySize; i++) {

	if (keyArray[i].keyType == type) {

	    return keyArray[i].label;

	}

    }

    return "unmatched";

}

CK_MECHANISM_TYPE

GetWrapFromKeyType(CK_KEY_TYPE type)

{

    int i;

    for (i=0; i < keyArraySize; i++) {

	if (keyArray[i].keyType == type) {

	    return keyArray[i].wrapMech;

	}

    }

    return CKM_INVALID_MECHANISM;

}

CK_MECHANISM_TYPE

GetWrapMechanism(PK11SymKey *symKey)

{

    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);

    return GetWrapFromKeyType(type);

}

int

GetDigit(char c)

{

    if (c == 0) {

	return -1;

    }

    if (c <= '9' && c >= '0') {

	return c - '0';

    }

    if (c <= 'f' && c >= 'a') {

	return c - 'a' + 0xa;

    }

    if (c <= 'F' && c >= 'A') {

	return c - 'A' + 0xa;

    }

    return -1;

}

char

ToDigit(unsigned char c)

{

    c = c & 0xf;

    if (c <= 9) {

	return (char) (c+'0');

    }

    return (char) (c+'a'-0xa);

}

char *

BufToHex(SECItem *outbuf)

{

    int len = outbuf->len * 2 +1;

    char *string, *ptr;

    unsigned int i;

    string = PORT_Alloc(len);

    ptr = string;

    for (i=0; i < outbuf->len; i++) {

	*ptr++ = ToDigit(outbuf->data[i] >> 4);

	*ptr++ = ToDigit(outbuf->data[i] & 0xf);

    }

    *ptr = 0;

    return string;

}

int

HexToBuf(char *inString, SECItem *outbuf)

{

    int len = strlen(inString);

    int outlen = len+1/2;

    int trueLen = 0;

    outbuf->data = PORT_Alloc(outlen);

    if (outbuf->data) {

	return -1;

    }

    while (*inString) {

	int digit1, digit2;

	digit1 = GetDigit(*inString++);

	digit2 = GetDigit(*inString++);

	if ((digit1 == -1) || (digit2 == -1)) {

	    PORT_Free(outbuf->data);

	    outbuf->data = NULL;

	    return -1;

	}

	outbuf->data[trueLen++] = digit1 << 4 | digit2;

    }

    outbuf->len = trueLen;

    return 0;

}

void

printBuf(unsigned char *data, int len)

{

    int i;

    for (i=0; i < len; i++) {

	printf("%02x",data[i]);

    }

}

void

PrintKey(PK11SymKey *symKey)

{

    char *name = PK11_GetSymKeyNickname(symKey);

    int len = PK11_GetKeyLength(symKey);

    int strength = PK11_GetKeyStrength(symKey, NULL);

    SECItem *value = NULL;

    CK_KEY_TYPE type = PK11_GetSymKeyType(symKey);

    (void) PK11_ExtractKeyValue(symKey);

    value = PK11_GetKeyData(symKey);

    printf("%-20s %3d   %4d   %10s  ", name ? name: " ", len, strength, 

				GetStringFromKeyType(type));

    if (value && value->data) {

	printBuf(value->data, value->len);

    } else {

	printf("<restricted>");

    }

    printf("\n");

}

SECStatus

ListKeys(PK11SlotInfo *slot, int *printLabel, void *pwd) {

    PK11SymKey *keyList;

    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);

    if (rv != SECSuccess) {

        return rv;;

    }

    keyList = PK11_ListFixedKeysInSlot(slot, NULL, pwd);

    if (keyList) {

	if (*printLabel) {

            printf("     Name            Len Strength     Type    Data\n");

	    *printLabel = 0;

	}

	printf("%s:\n",PK11_GetTokenName(slot));

    }

    while (keyList) {

        PK11SymKey *freeKey = keyList;

        PrintKey(keyList);

        keyList = PK11_GetNextSymKey(keyList);

        PK11_FreeSymKey(freeKey);

    }

    return SECSuccess;

}

PK11SymKey *

FindKey(PK11SlotInfo *slot, char *name, SECItem *id, void *pwd)

{

    PK11SymKey *key = NULL;

    SECStatus rv = PK11_Authenticate(slot, PR_FALSE, pwd);

    if (rv != SECSuccess) {

	return NULL;

    }

    if (id->data) {

	key = PK11_FindFixedKey(slot,CKM_INVALID_MECHANISM, id, pwd);

    }

    if (name && !key) {

	key = PK11_ListFixedKeysInSlot(slot,name, pwd);

    }

    if (key) {

	printf("Found a key\n");

	PrintKey(key);

    }

    return key;

}

PRBool

IsKeyList(PK11SymKey *symKey)

{

   return (PRBool) (PK11_GetNextSymKey(symKey) != NULL);

}

void

FreeKeyList(PK11SymKey *symKey)

{

   PK11SymKey *next,*current;

   for (current = symKey; current; current = next) {

	next = PK11_GetNextSymKey(current);

	PK11_FreeSymKey(current);

   }

   return;

}

static void 

Usage(char *progName)

{

#define FPS fprintf(stderr, 

    FPS "Type %s -H for more detailed descriptions\n", progName);

    FPS "Usage:");

    FPS "\t%s -L [std_opts] [-r]\n", progName);

    FPS "\t%s -K [-n name] -t type [-s size] [-i id |-j id_file] [std_opts]\n", progName);

    FPS "\t%s -D <[-n name | -i id | -j id_file> [std_opts]\n", progName);

    FPS "\t%s -I [-n name] [-t type] [-i id | -j id_file] -k data_file [std_opts]\n", progName);

    FPS "\t%s -E  <-nname | -i id | -j id_file> [-t type] -k data_file [-r] [std_opts]\n", progName);

    FPS "\t%s -U [-n name] [-t type] [-i id | -j id_file] -k data_file <wrap_opts> [std_opts]\n", progName);

    FPS "\t%s -W <-n name | -i id | -j id_file> [-t type] -k data_file [-r] <wrap_opts> [std_opts]\n", progName);

    FPS "\t%s -M <-n name | -i id | -j id_file> -g target_token [std_opts]\n", progName);

    FPS "\t\t std_opts -> [-d certdir] [-P dbprefix] [-p password] [-f passwordFile] [-h token]\n");

    FPS "\t\t wrap_opts -> <-w wrap_name | -x wrap_id | -y id_file>\n");

    exit(1);

}

static void LongUsage(char *progName)

{

    int i;

    FPS "%-15s List all the keys.\n", "-L");

    FPS "%-15s Generate a new key.\n", "-K");

    FPS "%-20s Specify the nickname of the new key\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the new key\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the new key\n",

	"   -j key id file");

    FPS "%-20s Specify the keyType of the new key\n",

	"   -t type");

    FPS "%-20s", "  valid types: ");

    for (i=0; i < keyArraySize ; i++) {

	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');

    }

    FPS "%-20s Specify the size of the new key in bytes (required by some types)\n",

	"   -s size");

    FPS "%-15s Delete a key.\n", "-D");

    FPS "%-20s Specify the nickname of the key to delete\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the key to delete\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the key to delete\n",

	"   -j key id file");

    FPS "%-15s Import a new key from a data file.\n", "-I");

    FPS "%-20s Specify the data file to read the key from.\n",

	"   -k key file");

    FPS "%-20s Specify the nickname of the new key\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the new key\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the new key\n",

	"   -j key id file");

    FPS "%-20s Specify the keyType of the new key\n",

	"   -t type");

    FPS "%-20s", "  valid types: ");

    for (i=0; i < keyArraySize ; i++) {

	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');

    }

    FPS "%-15s Export a key to a data file.\n", "-E");

    FPS "%-20s Specify the data file to write the key to.\n",

	"   -k key file");

    FPS "%-20s Specify the nickname of the key to export\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the key to export\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the key to export\n",

	"   -j key id file");

    FPS "%-15s Move a key to a new token.\n", "-M");

    FPS "%-20s Specify the nickname of the key to move\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the key to move\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the key to move\n",

	"   -j key id file");

    FPS "%-20s Specify the token to move the key to\n",

	"   -g target token");

    FPS "%-15s Unwrap a new key from a data file.\n", "-U");

    FPS "%-20s Specify the data file to read the encrypted key from.\n",

	"   -k key file");

    FPS "%-20s Specify the nickname of the new key\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the new key\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the new key\n",

	"   -j key id file");

    FPS "%-20s Specify the keyType of the new key\n",

	"   -t type");

    FPS "%-20s", "  valid types: ");

    for (i=0; i < keyArraySize ; i++) {

	FPS "%s%c", keyArray[i].label, i == keyArraySize-1? '\n':',');

    }

    FPS "%-20s Specify the nickname of the wrapping key\n",

	"   -w wrap name");

    FPS "%-20s Specify the id in hex of the wrapping key\n",

	"   -x wrap key id");

    FPS "%-20s Specify a file to read the id of the wrapping key\n",

	"   -y wrap key id file");

    FPS "%-15s Wrap a new key to a data file. [not yet implemented]\n", "-W");

    FPS "%-20s Specify the data file to write the encrypted key to.\n",

	"   -k key file");

    FPS "%-20s Specify the nickname of the key to wrap\n",

	"   -n name");

    FPS "%-20s Specify the id in hex of the key to wrap\n",

	"   -i key id");

    FPS "%-20s Specify a file to read the id of the key to wrap\n",

	"   -j key id file");

    FPS "%-20s Specify the nickname of the wrapping key\n",

	"   -w wrap name");

    FPS "%-20s Specify the id in hex of the wrapping key\n",

	"   -x wrap key id");

    FPS "%-20s Specify a file to read the id of the wrapping key\n",

	"   -y wrap key id file");

    FPS "%-15s Options valid for all commands\n", "std_opts");

    FPS "%-20s The directory where the NSS db's reside\n",

	"   -d certdir");

    FPS "%-20s Prefix for the NSS db's\n",

	"   -P db prefix");

    FPS "%-20s Specify password on the command line\n",

	"   -p password");

    FPS "%-20s Specify password file on the command line\n",

	"   -f password file");

    FPS "%-20s Specify token to act on\n",

	"   -h token");

    exit(1);

#undef FPS

}

/*  Certutil commands  */

enum {

    cmd_CreateNewKey = 0,

    cmd_DeleteKey,

    cmd_ImportKey,

    cmd_ExportKey,

    cmd_WrapKey,

    cmd_UnwrapKey,

    cmd_MoveKey,

    cmd_ListKeys,

    cmd_PrintHelp

};

/*  Certutil options */

enum {

    opt_CertDir = 0,

    opt_PasswordFile,

    opt_TargetToken,

    opt_TokenName,

    opt_KeyID,

    opt_KeyIDFile,

    opt_KeyType,

    opt_Nickname,

    opt_KeyFile,

    opt_Password,

    opt_dbPrefix,

    opt_RW,

    opt_KeySize,

    opt_WrapKeyName,

    opt_WrapKeyID,

    opt_WrapKeyIDFile,

    opt_NoiseFile

};

static secuCommandFlag symKeyUtil_commands[] =

{

	{ /* cmd_CreateNewKey        */  'K', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_DeleteKey           */  'D', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_ImportKey           */  'I', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_ExportKey           */  'E', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_WrapKey             */  'W', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_UnwrapKey           */  'U', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_MoveKey             */  'M', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_ListKeys            */  'L', PR_FALSE, 0, PR_FALSE },

	{ /* cmd_PrintHelp           */  'H', PR_FALSE, 0, PR_FALSE },

};

static secuCommandFlag symKeyUtil_options[] =

{

	{ /* opt_CertDir             */  'd', PR_TRUE,  0, PR_FALSE },

	{ /* opt_PasswordFile        */  'f', PR_TRUE,  0, PR_FALSE },

	{ /* opt_TargetToken         */  'g', PR_TRUE,  0, PR_FALSE },

	{ /* opt_TokenName           */  'h', PR_TRUE,  0, PR_FALSE },

	{ /* opt_KeyID               */  'i', PR_TRUE,  0, PR_FALSE },

	{ /* opt_KeyIDFile           */  'j', PR_TRUE,  0, PR_FALSE },

	{ /* opt_KeyType             */  't', PR_TRUE,  0, PR_FALSE },

	{ /* opt_Nickname            */  'n', PR_TRUE,  0, PR_FALSE },

	{ /* opt_KeyFile             */  'k', PR_TRUE,  0, PR_FALSE },

	{ /* opt_Password            */  'p', PR_TRUE,  0, PR_FALSE },

	{ /* opt_dbPrefix            */  'P', PR_TRUE,  0, PR_FALSE },

	{ /* opt_RW                  */  'r', PR_FALSE, 0, PR_FALSE },

	{ /* opt_KeySize             */  's', PR_TRUE,  0, PR_FALSE },

	{ /* opt_WrapKeyName         */  'w', PR_TRUE,  0, PR_FALSE },

	{ /* opt_WrapKeyID           */  'x', PR_TRUE,  0, PR_FALSE },

	{ /* opt_WrapKeyIDFile       */  'y', PR_TRUE,  0, PR_FALSE },

	{ /* opt_NoiseFile           */  'z', PR_TRUE,  0, PR_FALSE },

};

int 

main(int argc, char **argv)

{

    PK11SlotInfo *slot = NULL;

    char *      slotname        = "internal";

    char *      certPrefix      = "";

    CK_MECHANISM_TYPE keyType   = CKM_SHA_1_HMAC;

    int         keySize		= 0;

    char *      name            = NULL;

    char *      wrapName        = NULL;

    secuPWData  pwdata          = { PW_NONE, 0 };

    PRBool 	readOnly	= PR_FALSE;

    SECItem	key;

    SECItem	keyID;

    SECItem	wrapKeyID;

    int commandsEntered = 0;

    int commandToRun = 0;

    char *progName;

    int i;

    SECStatus rv = SECFailure;

    secuCommand symKeyUtil;

    symKeyUtil.numCommands=sizeof(symKeyUtil_commands)/sizeof(secuCommandFlag);

    symKeyUtil.numOptions=sizeof(symKeyUtil_options)/sizeof(secuCommandFlag);

    symKeyUtil.commands = symKeyUtil_commands;

    symKeyUtil.options = symKeyUtil_options;

    key.data = NULL; key.len = 0;

    keyID.data = NULL; keyID.len = 0;

    wrapKeyID.data = NULL; wrapKeyID.len = 0;

    progName = strrchr(argv[0], '/');

    progName = progName ? progName+1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &symKeyUtil);

    if (rv != SECSuccess)

	Usage(progName);

    rv = SECFailure;

    /* -H print help */

    if (symKeyUtil.commands[cmd_PrintHelp].activated)

	LongUsage(progName);

    /* -f password file, -p password */

    if (symKeyUtil.options[opt_PasswordFile].arg) {

	pwdata.source = PW_FROMFILE;

	pwdata.data = symKeyUtil.options[opt_PasswordFile].arg;

    } else if (symKeyUtil.options[opt_Password].arg) {

	pwdata.source = PW_PLAINTEXT;

	pwdata.data = symKeyUtil.options[opt_Password].arg;

    } 

    /* -d directory */

    if (symKeyUtil.options[opt_CertDir].activated)

	SECU_ConfigDirectory(symKeyUtil.options[opt_CertDir].arg);

    /* -s key size */

    if (symKeyUtil.options[opt_KeySize].activated) {

	keySize = PORT_Atoi(symKeyUtil.options[opt_KeySize].arg);

    }

    /*  -h specify token name  */

    if (symKeyUtil.options[opt_TokenName].activated) {

	if (PL_strcmp(symKeyUtil.options[opt_TokenName].arg, "all") == 0)

	    slotname = NULL;

	else

	    slotname = PL_strdup(symKeyUtil.options[opt_TokenName].arg);

    }

    /* -t key type */

    if  (symKeyUtil.options[opt_KeyType].activated) {

	keyType = GetKeyMechFromString(symKeyUtil.options[opt_KeyType].arg);

	if (keyType == (CK_MECHANISM_TYPE)-1) {

	    PR_fprintf(PR_STDERR, 

	          "%s unknown key type (%s).\n",

	           progName, symKeyUtil.options[opt_KeyType].arg);

	    return 255;

	}

    }

    /* -k for import and unwrap, it specifies an input file to read from,

     * for export and wrap it specifies an output file to write to */

    if (symKeyUtil.options[opt_KeyFile].activated) {

        if (symKeyUtil.commands[cmd_ImportKey].activated ||

		symKeyUtil.commands[cmd_UnwrapKey].activated ) {

	    int ret = ReadBuf(symKeyUtil.options[opt_KeyFile].arg, &key);

	    if (ret < 0) {

	        PR_fprintf(PR_STDERR, 

	          "%s Couldn't read key file (%s).\n",

	           progName, symKeyUtil.options[opt_KeyFile].arg);

		return 255;

	    }

	}

    }

    /* -i specify the key ID */

    if (symKeyUtil.options[opt_KeyID].activated) {

	int ret = HexToBuf(symKeyUtil.options[opt_KeyID].arg, &keyID);

	if (ret < 0) {

	    PR_fprintf(PR_STDERR, 

	          "%s invalid key ID (%s).\n",

	           progName, symKeyUtil.options[opt_KeyID].arg);

	    return 255;

	}

    }

    /* -i & -j are mutually exclusive */

    if ((symKeyUtil.options[opt_KeyID].activated) &&

		 (symKeyUtil.options[opt_KeyIDFile].activated)) {

	PR_fprintf(PR_STDERR, 

	          "%s -i and -j options are mutually exclusive.\n", progName);

	return 255;

    }

    /* -x specify the Wrap key ID */

    if (symKeyUtil.options[opt_WrapKeyID].activated) {

	int ret = HexToBuf(symKeyUtil.options[opt_WrapKeyID].arg, &wrapKeyID);

	if (ret < 0) {

	    PR_fprintf(PR_STDERR, 

	          "%s invalid key ID (%s).\n",

	           progName, symKeyUtil.options[opt_WrapKeyID].arg);

	    return 255;

	}

    }

    /* -x & -y are mutually exclusive */

    if ((symKeyUtil.options[opt_KeyID].activated) &&

		 (symKeyUtil.options[opt_KeyIDFile].activated)) {

	PR_fprintf(PR_STDERR, 

	          "%s -i and -j options are mutually exclusive.\n", progName);

	return 255;

    }

    /* -y specify the key ID */

    if (symKeyUtil.options[opt_WrapKeyIDFile].activated) {

	int ret = ReadBuf(symKeyUtil.options[opt_WrapKeyIDFile].arg,

								 &wrapKeyID);

	if (ret < 0) {

	    PR_fprintf(PR_STDERR, 

	          "%s Couldn't read key ID file (%s).\n",

	           progName, symKeyUtil.options[opt_WrapKeyIDFile].arg);

	    return 255;

	}

    }

    /*  -P certdb name prefix */

    if (symKeyUtil.options[opt_dbPrefix].activated)

	certPrefix = symKeyUtil.options[opt_dbPrefix].arg;

    /*  Check number of commands entered.  */

    commandsEntered = 0;

    for (i=0; i< symKeyUtil.numCommands; i++) {

	if (symKeyUtil.commands[i].activated) {

	    commandToRun = symKeyUtil.commands[i].flag;

	    commandsEntered++;

	}

	if (commandsEntered > 1)

	    break;

    }

    if (commandsEntered > 1) {

	PR_fprintf(PR_STDERR, "%s: only one command at a time!\n", progName);

	PR_fprintf(PR_STDERR, "You entered: ");

	for (i=0; i< symKeyUtil.numCommands; i++) {

	    if (symKeyUtil.commands[i].activated)

		PR_fprintf(PR_STDERR, " -%c", symKeyUtil.commands[i].flag);

	}

	PR_fprintf(PR_STDERR, "\n");

	return 255;

    }

    if (commandsEntered == 0) {

	PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);

	Usage(progName);

    }

    if (symKeyUtil.commands[cmd_ListKeys].activated ||

         symKeyUtil.commands[cmd_PrintHelp].activated ||

         symKeyUtil.commands[cmd_ExportKey].activated ||

         symKeyUtil.commands[cmd_WrapKey].activated) {

	readOnly = !symKeyUtil.options[opt_RW].activated;

    }

    if ((symKeyUtil.commands[cmd_ImportKey].activated ||

         symKeyUtil.commands[cmd_ExportKey].activated ||

         symKeyUtil.commands[cmd_WrapKey].activated ||

         symKeyUtil.commands[cmd_UnwrapKey].activated ) &&

        !symKeyUtil.options[opt_KeyFile].activated) {

	PR_fprintf(PR_STDERR, 

	          "%s -%c: keyfile is required for this command (-k).\n",

	           progName, commandToRun);

	return 255;

    }

    /*  -E, -D, -W, and all require -n, -i, or -j to identify the key  */

    if ((symKeyUtil.commands[cmd_ExportKey].activated ||

         symKeyUtil.commands[cmd_DeleteKey].activated ||

         symKeyUtil.commands[cmd_WrapKey].activated) &&

        !(symKeyUtil.options[opt_Nickname].activated ||

	  symKeyUtil.options[opt_KeyID].activated ||

	  symKeyUtil.options[opt_KeyIDFile].activated)) {

	PR_fprintf(PR_STDERR, 

	  "%s -%c: nickname or id is required for this command (-n, -i, -j).\n",

	           progName, commandToRun);

	return 255;

    }

    /*  -W, -U, and all  -w, -x, or -y to identify the wrapping key  */

    if (( symKeyUtil.commands[cmd_WrapKey].activated ||

         symKeyUtil.commands[cmd_UnwrapKey].activated) &&

        !(symKeyUtil.options[opt_WrapKeyName].activated ||

	  symKeyUtil.options[opt_WrapKeyID].activated ||

	  symKeyUtil.options[opt_WrapKeyIDFile].activated)) {

	PR_fprintf(PR_STDERR, 

	  "%s -%c: wrap key is required for this command (-w, -x, or -y).\n",

	           progName, commandToRun);

	return 255;

    }

    /* -M needs the target slot  (-g) */

    if (symKeyUtil.commands[cmd_MoveKey].activated  &&

			!symKeyUtil.options[opt_TargetToken].activated) {

	PR_fprintf(PR_STDERR, 

	          "%s -%c: target token is required for this command (-g).\n",

	           progName, commandToRun);

	return 255;

    }

    /*  Using slotname == NULL for listing keys and certs on all slots, 

     *  but only that. */

    if (!(symKeyUtil.commands[cmd_ListKeys].activated) && slotname == NULL) {

	PR_fprintf(PR_STDERR,

	           "%s -%c: cannot use \"-h all\" for this command.\n",

	           progName, commandToRun);

	return 255;

    }

    name = SECU_GetOptionArg(&symKeyUtil, opt_Nickname);

    wrapName = SECU_GetOptionArg(&symKeyUtil, opt_WrapKeyName);

    PK11_SetPasswordFunc(SECU_GetModulePassword);

    /*  Initialize NSPR and NSS.  */

    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);

    rv = NSS_Initialize(SECU_ConfigDirectory(NULL), certPrefix, certPrefix,

                        "secmod.db", readOnly ? NSS_INIT_READONLY: 0);

    if (rv != SECSuccess) {

	SECU_PrintPRandOSError(progName);

	goto shutdown;

    }

    rv = SECFailure;

    if (PL_strcmp(slotname, "internal") == 0)

	slot = PK11_GetInternalKeySlot();

    else if (slotname != NULL)

	slot = PK11_FindSlotByName(slotname);

    /* generating a new key */

    if (symKeyUtil.commands[cmd_CreateNewKey].activated)  {

	PK11SymKey *symKey;

	symKey = PK11_TokenKeyGen(slot, keyType, NULL, keySize, 

							NULL, PR_TRUE, &pwdata);

	if (!symKey) {

	    PR_fprintf(PR_STDERR, "%s: Token Key Gen Failed\n", progName);

	    goto shutdown;

	}

	if (symKeyUtil.options[opt_Nickname].activated) {

	    rv = PK11_SetSymKeyNickname(symKey, name);

	    if (rv != SECSuccess) {

		PK11_DeleteTokenSymKey(symKey);

		PK11_FreeSymKey(symKey);

	        PR_fprintf(PR_STDERR, "%s: Couldn't set nickname on key\n",

								 progName);

		goto shutdown;

	    }

	}

	rv = SECSuccess;

	PrintKey(symKey);

	PK11_FreeSymKey(symKey);

    }

    if (symKeyUtil.commands[cmd_DeleteKey].activated) {

	PK11SymKey *symKey = FindKey(slot,name,&keyID,&pwdata);

	if (!symKey) {

	    char *keyName = keyID.data ? BufToHex(&keyID) : PORT_Strdup(name);

	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",

			progName, keyName, PK11_GetTokenName(slot));

	    PORT_Free(keyName);

	    goto shutdown;

	}

	rv = PK11_DeleteTokenSymKey(symKey);

	FreeKeyList(symKey);

	if (rv != SECSuccess) {

	    PR_fprintf(PR_STDERR, "%s: Couldn't Delete Key \n", progName);

	    goto shutdown;

	}

    }

    if (symKeyUtil.commands[cmd_UnwrapKey].activated) {

	PK11SymKey *wrapKey = FindKey(slot,wrapName,&wrapKeyID,&pwdata);

	PK11SymKey *symKey;

 	CK_MECHANISM_TYPE mechanism;

	if (!wrapKey) {

	    char *keyName = wrapKeyID.data ? BufToHex(&wrapKeyID) 

							: PORT_Strdup(wrapName);

	    PR_fprintf(PR_STDERR, "%s: Couldn't find key %s on %s\n",