gencsr.c revision 6b35cb3cf158584a9408d44b9b6796564e8e1882
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*/
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <malloc.h>
#include <libgen.h>
#include <errno.h>
#include <cryptoutil.h>
#include <security/cryptoki.h>
#include "common.h"
#include <kmfapi.h>
#define SET_VALUE(f, s) \
kmfrv = f; \
gettext("Failed to %s: 0x%02\n"), \
s, kmfrv); \
goto cleanup; \
}
static KMF_RETURN
{
int numattr = 0;
/* If the subject name cannot be parsed, flag it now and exit */
return (kmfrv);
/* Select a PKCS11 token */
return (kmfrv);
/*
* Share the "genkeypair" routine for creating the keypair.
*/
return (kmfrv);
"SignatureAlgorithm");
alttype), "SetCSRSubjectAltName");
}
if (kubits != 0) {
"SetCSRKeyUsage");
}
int i;
"Extended Key Usage");
}
}
KMF_OK) {
}
(void) kmf_free_data(&signedCsr);
(void) kmf_free_signed_csr(&csr);
/* delete the public key */
numattr = 0;
numattr++;
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
/*
* If there is an error, then we need to remove the private key
* from the token.
*/
numattr = 0;
numattr++;
numattr++;
sizeof (KMF_CREDENTIAL));
numattr++;
}
attrlist);
}
return (kmfrv);
}
static KMF_RETURN
{
char *fullcsrpath = NULL;
char *fullkeypath = NULL;
gettext("No output file was specified for "
"the csr or key\n"));
return (KMF_ERR_BAD_PARAMETER);
}
if (verify_file(fullcsrpath)) {
gettext("Cannot write the indicated output "
"certificate file (%s).\n"), fullcsrpath);
return (PK_ERR_USAGE);
}
/* If the subject name cannot be parsed, flag it now and exit */
return (kmfrv);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
return (kmfrv);
"SetCSRPubKey");
"kmf_set_csr_subject");
alttype), "kmf_set_csr_subject_altname");
}
"kmf_set_csr_ku");
}
int i;
"Extended Key Usage");
}
}
KMF_OK) {
}
if (fullkeypath)
if (fullcsrpath)
return (kmfrv);
}
static KMF_RETURN
{
int numattr = 0;
return (kmfrv);
/* If the subject name cannot be parsed, flag it now and exit */
return (kmfrv);
}
return (kmfrv);
"kmf_set_csr_pubkey");
"kmf_set_csr_subject");
alttype), "kmf_set_csr_subject_altname");
}
"kmf_set_csr_ku");
}
int i;
"Extended Key Usage");
}
}
KMF_OK) {
}
(void) kmf_free_data(&signedCsr);
/* delete the key */
numattr = 0;
numattr++;
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
numattr++;
}
(void) kmf_free_signed_csr(&csr);
return (kmfrv);
}
int
{
int opt;
extern int optind_av;
extern char *optarg_av;
KMF_KEYSTORE_TYPE kstype = 0;
int keylen = PK_DEFAULT_KEYLENGTH;
char *keytype = PK_DEFAULT_KEYTYPE;
int y_flag = 0;
"ik:(keystore)s:(subject)n:(nickname)A:(altname)"
"u:(keyusage)T:(token)d:(dir)p:(prefix)t:(keytype)"
"y:(keylen)l:(label)c:(outcsr)e:(eku)C:(curve)"
"K:(outkey)F:(format)E(listcurves)h:(hash)")) != EOF) {
switch (opt) {
case 'A':
break;
case 'i':
if (interactive)
return (PK_ERR_USAGE);
else if (subject) {
gettext("Interactive (-i) and "
"subject options are mutually "
"exclusive.\n"));
return (PK_ERR_USAGE);
} else
break;
case 'k':
if (kstype == 0)
return (PK_ERR_USAGE);
break;
case 's':
if (subject)
return (PK_ERR_USAGE);
else if (interactive) {
gettext("Interactive (-i) and "
"subject options are mutually "
"exclusive.\n"));
return (PK_ERR_USAGE);
} else
break;
case 'l':
case 'n':
if (certlabel)
return (PK_ERR_USAGE);
break;
case 'T':
if (tokenname)
return (PK_ERR_USAGE);
break;
case 'd':
break;
case 'p':
if (prefix)
return (PK_ERR_USAGE);
break;
case 't':
break;
case 'u':
break;
case 'y':
&keylen) != 1) {
gettext("Unrecognized "
"key length (%s)\n"), optarg_av);
return (PK_ERR_USAGE);
}
y_flag++;
break;
case 'c':
if (outcsr)
return (PK_ERR_USAGE);
break;
case 'K':
if (outkey)
return (PK_ERR_USAGE);
break;
case 'F':
if (format)
return (PK_ERR_USAGE);
break;
case 'e':
break;
case 'C':
gettext("Unrecognized ECC "
"curve.\n"));
return (PK_ERR_USAGE);
}
break;
case 'E':
/*
* This argument is only to be used
* by itself, no other options should
* be present.
*/
if (argc != 2) {
gettext("listcurves has no other "
"options.\n"));
return (PK_ERR_USAGE);
}
return (0);
case 'h':
gettext("Unrecognized hash.\n"));
return (PK_ERR_USAGE);
}
break;
default:
"unrecognized gencsr option '%s'\n"),
return (PK_ERR_USAGE);
}
}
/* No additional args allowed. */
if (argc) {
return (PK_ERR_USAGE);
}
/* Assume keystore = PKCS#11 if not specified. */
if (kstype == 0)
}
if (EMPTYSTRING(outcsr)) {
"the final certificate request data.\n"));
return (PK_ERR_USAGE);
}
/*
* verify that the outcsr file does not already exist
* and that it can be created.
*/
if (rv == KMF_ERR_OPEN_FILE) {
gettext("Warning: file \"%s\" exists, "
"will be overwritten."), outcsr);
return (0);
} else {
/* remove the file */
}
return (rv);
}
(void) get_certlabel(&certlabel);
if (EMPTYSTRING(certlabel)) {
"specified to create a certificate request.\n"));
return (PK_ERR_USAGE);
}
} else if (kstype == KMF_KEYSTORE_OPENSSL) {
if (EMPTYSTRING(outkey)) {
"must be specified to create a certificate "
"request.\n"));
return (PK_ERR_USAGE);
}
}
return (PK_ERR_USAGE);
}
gettext("CSR must be DER or PEM format.\n"));
return (PK_ERR_USAGE);
}
/*
* Check the subject name.
* If interactive is true, get it now interactively.
*/
if (interactive) {
"subject name interactively.\n"));
return (PK_ERR_USAGE);
}
} else {
if (EMPTYSTRING(subject)) {
"-i must be specified to create a certificate "
"request.\n"));
return (PK_ERR_USAGE);
} else {
gettext("Out of memory.\n"));
return (PK_ERR_SYSTEM);
}
}
}
"must be specified as a name=value pair. "
"See the man page for details."));
goto end;
} else {
/* advance the altname past the '=' sign */
if (p != NULL)
altname = p + 1;
}
}
"must be specified as a comma-separated list. "
"See the man page for details."));
goto end;
}
}
"be specified as a comma-separated list. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
}
goto end;
}
"valid for EC keytypes.\n"));
return (PK_ERR_USAGE);
}
"specifed when using EC keys.\n"));
return (PK_ERR_USAGE);
}
"only supported with the pkcs11 and nss keystores\n"));
rv = PK_ERR_USAGE;
goto end;
}
/* Adjust default keylength for NSS and DSA */
keylen = 1024;
if (kstype == KMF_KEYSTORE_NSS) {
tokenname = "internal";
} else {
}
}
}
return (PK_ERR_USAGE);
}
if (kstype == KMF_KEYSTORE_NSS) {
} else if (kstype == KMF_KEYSTORE_PK11TOKEN) {
} else if (kstype == KMF_KEYSTORE_OPENSSL) {
}
end:
gettext("Error creating CSR or keypair"));
if (rv == KMF_ERR_RDN_PARSER) {
"issuer name must be in proper DN format.\n"));
}
}
if (subname)
(void) kmf_finalize(kmfhandle);
return (PK_ERR_USAGE);
return (0);
}