gencert.c revision 99ebb4ca412cb0a19d77a3899a87c055b9c30fa8
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Use is subject to license terms.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#pragma ident "%Z%%M% %I% %E% SMI"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_VALUE(f, s) \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Select a PKCS11 token */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "KeyUsage");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "the cert or key\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "certificate file (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "key file (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "KeyUsage");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subjectAltName");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys extern char *optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "ik:(keystore)s:(subject)n:(nickname)A:(altname)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "r:(trust)L:(lifetime)l:(label)c:(outcert)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "K:(outkey)S:(serial)F:(format)u:(keyusage)")) != EOF) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "a numeric value (%s)\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* No additional args allowed. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Assume keystore = PKCS#11 if not specified. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN) &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("A label must be specified "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "to create a self-signed certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (kstype == KMF_KEYSTORE_OPENSSL && EMPTYSTRING(outcert)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("A certificate filename must "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "be specified to create a self-signed certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Unrecognized keytype (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Check the subject name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If interactive is true, get it now interactively.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name interactively.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "-i must be specified to create a self-signed "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a hex number when creating"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys " a self-signed certificate "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "(ex: serno=0x0102030405feedface)\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a hex number "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "(ex: 0x0102030405ffeeddee)\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a name=value pair. "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "See the man page for details.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* advance the altname past the '=' sign */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a comma-separated list. "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "See the man page for details.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN) {