Lines Matching refs:keystore
28 * Module: keystore.c
30 * package keystore files.
52 #include "keystore.h"
101 keystore_passphrase_cb cb, keystore_t *keystore);
106 /* wait on other keystore access for 1 minute before giving up */
110 * print_certs - prints certificates out of a keystore, to a file.
114 * keystore - Keystore on which to operate
131 keystore_t *keystore = keystore_h;
133 if (keystore->clcerts != NULL) {
135 for (i = 0; i < sk_X509_num(keystore->clcerts); i++) {
136 cert = sk_X509_value(keystore->clcerts, i);
141 /* no name recorded, keystore is corrupt */
168 if (keystore->cacerts != NULL) {
170 for (i = 0; i < sk_X509_num(keystore->cacerts); i++) {
171 cert = sk_X509_value(keystore->cacerts, i);
176 /* no name recorded, keystore is corrupt */
210 alias, keystore->path);
214 keystore->path);
217 keystore->path);
353 * open_keystore - Initialize new keystore object for
358 * keystore_file - Base filename or directory of keystore
360 * passwd - Password used to decrypt keystore
362 * result - Resulting keystore object stored here on success
365 * 0 - Success - result contains a pointer to the opened keystore
382 /* unable to determine keystore paths */
390 /* unable to repair keystore */
404 /* now that we have locked the keystore, go ahead and read it */
460 * keystore - The keystore to deallocate
466 free_keystore(keystore_t *keystore)
468 if (keystore->path != NULL)
469 free(keystore->path);
470 if (keystore->capath != NULL)
471 free(keystore->capath);
472 if (keystore->passphrase != NULL)
473 free(keystore->passphrase);
474 if (keystore->clpath != NULL)
475 free(keystore->clpath);
476 if (keystore->keypath != NULL)
477 free(keystore->keypath);
479 if (keystore->pkeys != NULL) {
480 sk_EVP_PKEY_pop_free(keystore->pkeys,
483 if (keystore->clcerts != NULL)
484 sk_X509_free(keystore->clcerts);
485 if (keystore->cacerts != NULL)
486 sk_X509_free(keystore->cacerts);
487 free(keystore);
491 * close_keystore - Writes keystore to disk if needed, then
492 * unlocks and closes keystore.
496 * keystore - Keystore which should be closed
497 * passwd - Password used to encrypt keystore
500 * 0 - Success - keystore is committed to disk, and unlocked
508 keystore_t *keystore = keystore_h;
510 if (keystore->dirty) {
511 /* write out the keystore first */
512 if (!write_keystore(err, keystore, cb)) {
515 keystore->path);
521 if (!unlock_keystore(err, keystore)) {
523 keystore->path);
528 free_keystore(keystore);
534 * merge_ca_cert - Adds a trusted certificate (trust anchor) to a keystore.
539 * cacert - Certificate which to merge into keystore
540 * keystore - The keystore into which the certificate is merged
544 * is merged into keystore
554 keystore_t *keystore = keystore_h;
571 /* merge certificate into the keystore */
572 if (keystore->cacerts == NULL) {
574 if ((keystore->cacerts = sk_X509_new_null()) == NULL) {
581 if (sunw_find_fname(fname, NULL, keystore->cacerts,
600 (void) sk_X509_push(keystore->cacerts, cacert);
601 keystore->dirty = B_TRUE;
609 * find_key_cert_pair - Searches a keystore for a matching
704 * find_ca_certs - Searches a keystore for trusted certificates
733 * find_cl_certs - Searches a keystore for user certificates
759 * private key to a keystore.
764 * cert - Certificate which to merge into keystore
767 * keystore - The keystore into which the certificate is merged
771 * is merged into keystore, along with key
781 keystore_t *keystore = keystore_h;
796 /* merge certificate and key into the keystore */
797 if (keystore->clcerts == NULL) {
799 if ((keystore->clcerts = sk_X509_new_null()) == NULL) {
806 if (sunw_find_fname(alias, NULL, keystore->clcerts,
825 if (keystore->pkeys == NULL) {
826 /* no existing keystore, so make a new one */
827 if ((keystore->pkeys = sk_EVP_PKEY_new_null()) == NULL) {
833 /* existing keystore, so make sure there's no duplicate entry */
834 if (sunw_find_fname(alias, keystore->pkeys, NULL,
853 (void) sk_X509_push(keystore->clcerts, cert);
854 (void) sk_EVP_PKEY_push(keystore->pkeys, key);
855 keystore->dirty = B_TRUE;
866 * and matching private keys from a keystore.
870 * ks - The keystore from which certs and keys are deleted
1081 * of a failed or aborted keystore modification, and
1082 * cleans up the files, retstores the keystore to a known
1087 * keystore_file - Base directory or filename of keystore
1096 verify_keystore_integrity(PKG_ERR *err, keystore_t *keystore)
1098 if (keystore->capath != NULL) {
1099 if (!restore_keystore_file(err, keystore->capath)) {
1103 if (keystore->clpath != NULL) {
1104 if (!restore_keystore_file(err, keystore->clpath)) {
1108 if (keystore->keypath != NULL) {
1109 if (!restore_keystore_file(err, keystore->keypath)) {
1117 * restore_keystore_file - restores a keystore file to
1123 * maintain keystore integrity by writing the files
1125 * that the keystore is in an indeterminate state.
1136 * keystore_file - keystore file path to restore.
1241 * keystore
1279 * exited with a valid keystore
1289 * or multi-file keystore
1294 * If the keystore file does not exist at <base>/<app> then
1295 * use <base> as the path to the keystore. This can be used,
1296 * for example, to access an app-specific keystore iff it
1297 * exists, otherwise revert back to an app-generic keystore.
1300 * Always use the keystore located at <keystore_path>/<app>.
1303 * back to an app-generic keystore path when the app-specific
1308 * keystore_file - base keystore file path to lock
1311 * keystore - object which is being locked
1315 * appropriate files placed in keystore.
1320 long flags, keystore_t *keystore)
1328 * figure out whether we are dealing with a single-file keystore
1329 * or a multi-file keystore
1358 * keystore
1384 * it as a multi-file keystore
1393 /* app-specific keystore */
1396 keystore->capath = xstrdup(storepath);
1399 keystore->clpath = xstrdup(storepath);
1402 keystore->keypath = xstrdup(storepath);
1404 /* app-generic keystore */
1406 /* single-file app-generic keystore */
1407 keystore->capath = xstrdup(keystore_file);
1408 keystore->keypath = NULL;
1409 keystore->clpath = NULL;
1411 /* multi-file app-generic keystore */
1414 keystore->capath = xstrdup(storepath);
1417 keystore->clpath = xstrdup(storepath);
1420 keystore->keypath = xstrdup(storepath);
1428 * lock_keystore - Locks a keystore for shared (read-only)
1434 * opens keystore read-only. Attempts to modify results in an error
1437 * opens keystore read-write
1440 * If the keystore file does not exist at <base>/<app> then
1441 * use <base> as the path to the keystore. This can be used,
1442 * for example, to access an app-specific keystore iff it
1443 * exists, otherwise revert back to an app-generic keystore.
1446 * Always use the keystore located at <keystore_path>/<app>.
1449 * back to an app-generic keystore path when the app-specific
1455 * keystore - object which is being locked
1459 * appropriate files placed in keystore.
1463 lock_keystore(PKG_ERR *err, long flags, keystore_t *keystore)
1470 if ((keystore->cafd =
1471 open(keystore->capath, O_NONBLOCK|O_RDONLY)) == -1) {
1474 * no keystore. try to create an
1478 * deleted when the keystore is closed.
1480 if ((keystore->cafd =
1481 open(keystore->capath,
1486 keystore->capath);
1493 keystore->capath, strerror(errno));
1498 if (fstat(keystore->cafd, &buf) != -1) {
1500 if (file_lock(keystore->cafd, F_RDLCK,
1504 keystore->capath);
1512 keystore->capath);
1519 keystore->capath, strerror(errno));
1526 if ((keystore->cafd = open(keystore->capath,
1530 if ((keystore->cafd =
1531 open(keystore->capath,
1536 keystore->capath);
1543 keystore->capath, strerror(errno));
1548 if (fstat(keystore->cafd, &buf) != -1) {
1550 if (file_lock(keystore->cafd, F_WRLCK,
1554 keystore->capath);
1562 keystore->capath);
1569 keystore->capath, strerror(errno));
1585 if (keystore->cafd > 0) {
1586 (void) file_unlock(keystore->cafd);
1587 (void) close(keystore->cafd);
1588 keystore->cafd = -1;
1591 if (keystore->capath != NULL)
1592 free(keystore->capath);
1593 if (keystore->clpath != NULL)
1594 free(keystore->clpath);
1595 if (keystore->keypath != NULL)
1596 free(keystore->keypath);
1597 keystore->capath = NULL;
1598 keystore->clpath = NULL;
1599 keystore->keypath = NULL;
1606 * unlock_keystore - Unocks a keystore
1610 * keystore - keystore object to unlock
1617 unlock_keystore(PKG_ERR *err, keystore_t *keystore)
1624 if (file_empty(keystore->capath)) {
1625 (void) remove(keystore->capath);
1628 (void) file_unlock(keystore->cafd);
1629 (void) close(keystore->cafd);
1634 * read_keystore - Reads keystore files of disk, parses
1639 * keystore - keystore object to read into
1643 * into keystore structure.
1647 read_keystore(PKG_ERR *err, keystore_t *keystore, keystore_passphrase_cb cb)
1656 ca_empty = file_empty(keystore->capath);
1658 if (keystore->clpath != NULL)
1659 cl_empty = file_empty(keystore->clpath);
1660 if (keystore->keypath != NULL)
1661 key_empty = file_empty(keystore->keypath);
1664 keystore->new = B_TRUE;
1670 keystore->capath)) == NULL) {
1672 gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
1679 if (!get_keystore_passwd(err, p12, cb, keystore)) {
1686 /* decrypt and parse keystore file */
1687 if (sunw_PKCS12_contents(p12, keystore->passphrase,
1688 &keystore->pkeys, &keystore->cacerts) < 0) {
1691 gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
1704 keystore->cacerts = NULL;
1711 if (keystore->clpath == NULL && !ca_empty) {
1712 if (sunw_split_certs(keystore->pkeys, keystore->cacerts,
1713 &keystore->clcerts, NULL) < 0) {
1715 gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
1721 * files are in separate files. read keys out of the keystore
1726 keystore->clpath)) == NULL) {
1729 keystore->clpath);
1737 keystore)) {
1745 keystore->passphrase) == B_FALSE) {
1753 keystore->clpath,
1754 keystore->capath, keystore->path);
1759 if (sunw_PKCS12_contents(p12, keystore->passphrase,
1760 NULL, &keystore->clcerts) < 0) {
1764 keystore->clpath);
1772 keystore->clcerts = NULL;
1777 keystore->keypath)) == NULL) {
1780 keystore->keypath);
1788 keystore)) {
1796 keystore->passphrase) == B_FALSE) {
1799 keystore->keypath,
1800 keystore->capath, keystore->path);
1805 if (sunw_PKCS12_contents(p12, keystore->passphrase,
1806 &keystore->pkeys, NULL) < 0) {
1810 keystore->keypath);
1818 keystore->pkeys = NULL;
1837 * keystore - The keystore in which the PKCS12 structure
1841 * keystore password is set in keystore->passphrase.
1846 keystore_t *keystore)
1879 keystore->passphrase = passwd;
1884 * write_keystore - Writes keystore files to disk
1888 * keystore - keystore object to write from
1889 * passwd - password used to encrypt keystore
1896 write_keystore(PKG_ERR *err, keystore_t *keystore,
1904 if (keystore->capath != NULL && keystore->clpath == NULL &&
1905 keystore->keypath == NULL) {
1908 * keystore is a file.
1911 if ((keystore->pkeys == NULL) &&
1912 (keystore->clcerts == NULL) &&
1913 (keystore->cacerts == NULL)) {
1914 if (!clear_keystore_file(err, keystore->capath)) {
1924 keystore->capath);
1930 * if the keystore is being created for the first time,
1933 if (keystore->new) {
1942 * use the one used when the keystore
1945 (void) strlcpy(passbuf, keystore->passphrase,
1949 p12 = sunw_PKCS12_create(passbuf, keystore->pkeys,
1950 keystore->clcerts, keystore->cacerts);
1955 keystore->capath);
1960 if (!write_keystore_file(err, keystore->capath, p12)) {
1963 keystore->capath);
1973 * if the keystore is being created for the first time,
1976 if (keystore->new && ((keystore->pkeys != NULL) ||
1977 (keystore->clcerts != NULL) ||
1978 (keystore->cacerts != NULL))) {
1986 /* use the one used when the keystore was read */
1987 (void) strlcpy(passbuf, keystore->passphrase,
1992 if (keystore->pkeys != NULL) {
1993 p12 = sunw_PKCS12_create(passbuf, keystore->pkeys,
1999 keystore->keypath);
2004 if (!write_keystore_file(err, keystore->keypath,
2008 keystore->keypath);
2015 if ((remove(keystore->keypath) != 0) &&
2019 keystore->keypath);
2026 if (keystore->clcerts != NULL) {
2028 keystore->clcerts, NULL);
2033 keystore->clpath);
2038 if (!write_keystore_file(err, keystore->clpath, p12)) {
2041 keystore->clpath);
2048 if ((remove(keystore->clpath) != 0) &&
2052 keystore->clpath);
2060 if (keystore->cacerts != NULL) {
2062 NULL, keystore->cacerts);
2067 keystore->capath);
2072 if (!write_keystore_file(err, keystore->capath, p12)) {
2075 keystore->capath);
2087 if (!clear_keystore_file(err, keystore->capath)) {
2090 keystore->capath);
2105 * clear_keystore_file - Clears (zeros out) a keystore file.
2109 * dest - Path of keystore file to zero out.
2148 * write_keystore_file - Writes keystore file to disk.
2153 * maintain keystore integity by writing the files
2155 * that the keystore is in an indeterminate state.
2247 * read_keystore_file - Reads single keystore file