gencert.c revision 99ebb4ca412cb0a19d77a3899a87c055b9c30fa8
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * or http://www.opensolaris.org/os/licensing.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Use is subject to license terms.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#pragma ident "%Z%%M% %I% %E% SMI"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <stdio.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <string.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <ctype.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <malloc.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <libgen.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <errno.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <cryptoutil.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <security/cryptoki.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include "common.h"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <kmfapi.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_VALUE(f, s) \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = f; \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK) { \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Failed to set %s: 0x%02x\n"), \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys s, kmfrv); \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto cleanup; \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic int
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysgencert_pkcs11(KMF_HANDLE_T kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *token, char *subject, char *altname,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_GENERALNAMECHOICES alttype, int altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *certlabel, KMF_KEY_ALG keyAlg,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ALGORITHM_INDEX sigAlg,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int keylen, uint32_t ltime, KMF_BIGINT *serial,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN kmfrv = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CREATEKEYPAIR_PARAMS kp_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_STORECERT_PARAMS sc_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_HANDLE pubk, prik;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_CERTIFICATE signedCert;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certSubject;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certIssuer;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_DATA x509DER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&signedCert, 0, sizeof (signedCert));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certIssuer, 0, sizeof (certIssuer));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&x509DER, 0, sizeof (x509DER));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&kp_params, 0, sizeof (kp_params));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certSubject) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certIssuer) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.kstype = KMF_KEYSTORE_PK11TOKEN;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keylabel = certlabel;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keylength = keylen; /* bits */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keytype = keyAlg;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.cred.cred = tokencred->cred;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.cred.credlen = tokencred->credlen;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Select a PKCS11 token */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = select_token(kmfhandle, token, FALSE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (altname != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys alttype, altname), "subjectAltName");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kubits != 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "KeyUsage");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &signedCert, &x509DER)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto cleanup;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&sc_params, 0, sizeof (sc_params));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.kstype = KMF_KEYSTORE_PK11TOKEN;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.certLabel = certlabel;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyscleanup:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeData(&x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certSubject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certIssuer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic int
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysgencert_file(KMF_HANDLE_T kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_ALG keyAlg, KMF_ALGORITHM_INDEX sigAlg,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int keylen, KMF_ENCODE_FORMAT fmt,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t ltime, char *subject, char *altname,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_GENERALNAMECHOICES alttype, int altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_BIGINT *serial, uint16_t kubits, int kucrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *dir, char *outcert, char *outkey)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN kmfrv;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CREATEKEYPAIR_PARAMS kp_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_STORECERT_PARAMS sc_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_HANDLE pubk, prik;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_CERTIFICATE signedCert;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certSubject;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certIssuer;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_DATA x509DER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *fullcertpath = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *fullkeypath = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&signedCert, 0, sizeof (signedCert));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certIssuer, 0, sizeof (certIssuer));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&x509DER, 0, sizeof (x509DER));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&kp_params, 0, sizeof (kp_params));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&sc_params, 0, sizeof (sc_params));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (EMPTYSTRING(outcert) || EMPTYSTRING(outkey)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("No output file was specified for "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "the cert or key\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (dir != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullcertpath = get_fullpath(dir, outcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (fullcertpath == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Cannot create file %s in "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "directory %s\n"), dir, outcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullcertpath = strdup(outcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (verify_file(fullcertpath)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Cannot write the indicated output "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "certificate file (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullcertpath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullcertpath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (dir != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullkeypath = get_fullpath(dir, outkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (fullkeypath == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Cannot create file %s in "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "directory %s\n"), dir, outkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullcertpath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullkeypath = strdup(outkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (verify_file(fullkeypath)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Cannot write the indicated output "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "key file (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullkeypath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullkeypath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullcertpath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certSubject) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed (%s)\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys subject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certIssuer) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed (%s)\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys subject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certSubject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.kstype = KMF_KEYSTORE_OPENSSL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keylength = keylen; /* bits */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keytype = keyAlg;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.sslparms.keyfile = fullkeypath;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.sslparms.format = fmt;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto cleanup;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (altname != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys alttype, altname), "subjectAltName");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kubits != 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "KeyUsage");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &signedCert, &x509DER)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto cleanup;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.kstype = KMF_KEYSTORE_OPENSSL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.sslparms.certfile = fullcertpath;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.sslparms.keyfile = fullkeypath;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.sslparms.format = fmt;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyscleanup:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (fullkeypath != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullkeypath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (fullcertpath != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(fullcertpath);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeData(&x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certSubject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certIssuer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic KMF_RETURN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysgencert_nss(KMF_HANDLE_T kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *token, char *subject, char *altname,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_GENERALNAMECHOICES alttype, int altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *nickname, char *dir, char *prefix,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_ALG keyAlg,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ALGORITHM_INDEX sigAlg,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int keylen, char *trust,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t ltime, KMF_BIGINT *serial, uint16_t kubits,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int kucrit, KMF_CREDENTIAL *tokencred)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN kmfrv;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CREATEKEYPAIR_PARAMS kp_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_STORECERT_PARAMS sc_params;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_HANDLE pubk, prik;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_CERTIFICATE signedCert;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certSubject;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_NAME certIssuer;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_DATA x509DER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (token == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys token = DEFAULT_NSS_TOKEN;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = configure_nss(kmfhandle, dir, prefix);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&signedCert, 0, sizeof (signedCert));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubject, 0, sizeof (certSubject));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certIssuer, 0, sizeof (certIssuer));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&x509DER, 0, sizeof (x509DER));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the subject name cannot be parsed, flag it now and exit */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certSubject) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For a self-signed cert, the issuser and subject are the same */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (KMF_DNParser(subject, &certIssuer) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Subject name cannot be parsed.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&kp_params, 0, sizeof (kp_params));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.kstype = KMF_KEYSTORE_NSS;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keylabel = nickname;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keylength = keylen; /* bits */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.keytype = keyAlg;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.cred.cred = tokencred->cred;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.cred.credlen = tokencred->credlen;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kp_params.nssparms.slotlabel = token;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfrv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertPubKey(kmfhandle, &pubk, &signedCert),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "keypair");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertVersion(&signedCert, 2), "version number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSerialNumber(&signedCert, serial),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "serial number");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertValidityTimes(&signedCert, NULL, ltime),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "validity time");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSignatureAlgorithm(&signedCert, sigAlg),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "signature algorithm");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectName(&signedCert, &certSubject),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertIssuerName(&signedCert, &certIssuer),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "issuer name");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (altname != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertSubjectAltName(&signedCert, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys alttype, altname), "subjectAltName");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kubits)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_VALUE(KMF_SetCertKeyUsage(&signedCert, kucrit, kubits),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subjectAltName");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kmfrv = KMF_SignCertRecord(kmfhandle, &prik,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &signedCert, &x509DER)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto cleanup;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.kstype = KMF_KEYSTORE_NSS;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.certLabel = nickname;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.nssparms.trustflag = trust;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sc_params.nssparms.slotlabel = token;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Store the cert in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmfrv = KMF_StoreCert(kmfhandle, &sc_params, &x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyscleanup:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeData(&x509DER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certSubject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_FreeDN(&certIssuer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (kmfrv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysint
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyspk_gencert(int argc, char *argv[])
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int rv;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int opt;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys extern int optind_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys extern char *optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEYSTORE_TYPE kstype = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *subject = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *tokenname = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *dir = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *prefix = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *keytype = PK_DEFAULT_KEYTYPE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int keylen = PK_DEFAULT_KEYLENGTH;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *trust = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *lifetime = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *certlabel = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *outcert = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *outkey = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *format = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *serstr = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *altname = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *keyusagestr = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_GENERALNAMECHOICES alttype = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_BIGINT serial = { NULL, 0 };
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t ltime;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_HANDLE_T kmfhandle = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ENCODE_FORMAT fmt = KMF_FORMAT_ASN1;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_KEY_ALG keyAlg = KMF_RSA;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ALGORITHM_INDEX sigAlg = KMF_ALGID_MD5WithRSA;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys boolean_t interactive = B_FALSE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *subname = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CREDENTIAL tokencred = {NULL, 0};
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint16_t kubits = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int altcrit = 0, kucrit = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys while ((opt = getopt_av(argc, argv,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "ik:(keystore)s:(subject)n:(nickname)A:(altname)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "r:(trust)L:(lifetime)l:(label)c:(outcert)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "K:(outkey)S:(serial)F:(format)u:(keyusage)")) != EOF) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (opt != 'i' && EMPTYSTRING(optarg_av))
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys switch (opt) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'A':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys altname = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'i':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (interactive || subject)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys else
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys interactive = B_TRUE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'k':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kstype = KS2Int(optarg_av);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 's':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (interactive || subject)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys else
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys subject = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'l':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'n':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (certlabel)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys certlabel = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'T':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (tokenname)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tokenname = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'd':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (dir)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys dir = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'p':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (prefix)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys prefix = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 't':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys keytype = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'u':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys keyusagestr = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'y':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (sscanf(optarg_av, "%d",
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &keylen) != 1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("key length must be"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "a numeric value (%s)\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys optarg_av);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'r':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (trust)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys trust = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'L':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (lifetime)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys lifetime = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'c':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outcert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outcert = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'K':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outkey)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outkey = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'S':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys serstr = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case 'F':
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys format = optarg_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys default:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* No additional args allowed. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys argc -= optind_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys argv += optind_av;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (argc) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((rv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Assume keystore = PKCS#11 if not specified. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kstype = KMF_KEYSTORE_PK11TOKEN;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN) &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EMPTYSTRING(certlabel)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("A label must be specified "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "to create a self-signed certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (kstype == KMF_KEYSTORE_OPENSSL && EMPTYSTRING(outcert)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("A certificate filename must "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "be specified to create a self-signed certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Error parsing format string (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys format);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (Str2Lifetime(lifetime, &ltime) != 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Error parsing lifetime string\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (Str2KeyType(keytype, &keyAlg, &sigAlg) != 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Unrecognized keytype (%s).\n"),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys keytype);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Check the subject name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If interactive is true, get it now interactively.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (interactive) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (get_subname(&subname) != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("Failed to get the "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "subject name interactively.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (EMPTYSTRING(subject)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR, gettext("A subject name or "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "-i must be specified to create a self-signed "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "certificate.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_USAGE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys subname = strdup(subject);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (subname == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cryptoerror(LOG_STDERR,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Out of memory.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (PK_ERR_SYSTEM);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (serstr == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) fprintf(stderr, gettext("A serial number "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a hex number when creating"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys " a self-signed certificate "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "(ex: serno=0x0102030405feedface)\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = PK_ERR_USAGE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uchar_t *bytes = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys size_t bytelen;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = KMF_HexString2Bytes((uchar_t *)serstr, &bytes, &bytelen);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != KMF_OK || bytes == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) fprintf(stderr, gettext("serial number "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a hex number "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "(ex: 0x0102030405ffeeddee)\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = PK_ERR_USAGE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys serial.val = bytes;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys serial.len = bytelen;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (altname != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = verify_altname(altname, &alttype, &altcrit);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) fprintf(stderr, gettext("Subject AltName "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a name=value pair. "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "See the man page for details.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = PK_ERR_USAGE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* advance the altname past the '=' sign */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *p = strchr(altname, '=');
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (p != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys altname = p + 1;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (keyusagestr != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = verify_keyusage(keyusagestr, &kubits, &kucrit);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) fprintf(stderr, gettext("KeyUsage "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "must be specified as a comma-separated list. "
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "See the man page for details.\n"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = PK_ERR_USAGE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (tokenname == NULL || !strlen(tokenname)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_NSS) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tokenname = "internal";
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tokenname = PK_DEFAULT_PK11TOKEN;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) get_token_password(kstype, tokenname, &tokencred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kstype == KMF_KEYSTORE_NSS) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (dir == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys dir = PK_DEFAULT_DIRECTORY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = gencert_nss(kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tokenname, subname, altname, alttype, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys certlabel, dir, prefix, keyAlg, sigAlg, keylen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys trust, ltime, &serial, kubits, kucrit, &tokencred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (kstype == KMF_KEYSTORE_PK11TOKEN) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = gencert_pkcs11(kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tokenname, subname, altname, alttype, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys certlabel, keyAlg, sigAlg, keylen, ltime,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &serial, kubits, kucrit, &tokencred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (kstype == KMF_KEYSTORE_OPENSSL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = gencert_file(kmfhandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys keyAlg, sigAlg, keylen, fmt,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ltime, subname, altname, alttype, altcrit,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &serial, kubits, kucrit, dir, outcert, outkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != KMF_OK)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys display_error(kmfhandle, rv,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys gettext("Error creating certificate and keypair"));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysend:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (subname)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(subname);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (tokencred.cred != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(tokencred.cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (serial.val != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(serial.val);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) KMF_Finalize(kmfhandle);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (rv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}