signcsr.c revision 6b35cb3cf158584a9408d44b9b6796564e8e1882
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER START
fa9e4066f08beec538e775443c5be79dd423fcabahrens * The contents of this file are subject to the terms of the
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * Common Development and Distribution License (the "License").
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock * You may not use this file except in compliance with the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fa9e4066f08beec538e775443c5be79dd423fcabahrens * See the License for the specific language governing permissions
fa9e4066f08beec538e775443c5be79dd423fcabahrens * and limitations under the License.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * When distributing Covered Code, include this CDDL HEADER in each
fa9e4066f08beec538e775443c5be79dd423fcabahrens * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fa9e4066f08beec538e775443c5be79dd423fcabahrens * If applicable, add the following below this CDDL HEADER, with the
fa9e4066f08beec538e775443c5be79dd423fcabahrens * fields enclosed by brackets "[]" replaced with your own identifying
fa9e4066f08beec538e775443c5be79dd423fcabahrens * information: Portions Copyright [yyyy] [name of copyright owner]
fa9e4066f08beec538e775443c5be79dd423fcabahrens * CDDL HEADER END
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
ec5cf9d53a1d7280f3f1a6eadd7cdabdc99814ebAlexander Stetsenko * This file implements the sign CSR operation for this tool.
fa9e4066f08beec538e775443c5be79dd423fcabahrens#define SET_VALUE(f, s) \
fa9e4066f08beec538e775443c5be79dd423fcabahrensread_csrdata(KMF_HANDLE_T handle, char *csrfile, KMF_CSR_DATA *csrdata)
fa9e4066f08beec538e775443c5be79dd423fcabahrens rv = kmf_read_input_file(handle, csrfile, &csrfiledata);
fa9e4066f08beec538e775443c5be79dd423fcabahrens rv = kmf_pem_to_der(csrfiledata.Data, csrfiledata.Length,
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Sidenfind_csr_extn(KMF_X509_EXTENSIONS *extnlist, KMF_OID *extoid,
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden (void) memset(outextn, 0, sizeof (KMF_X509_EXTENSION));
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden for (i = 0; !found && i < extnlist->numberOfExtensions; i++) {
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden * If the CSR is ok, now we can generate the final certificate.
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden (void) memset(signedCert, 0, sizeof (KMF_X509_CERTIFICATE));
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden (void) memset(&issuerDN, 0, sizeof (issuerDN));
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden (void) memset(&subjectDN, 0, sizeof (subjectDN));
fa9e4066f08beec538e775443c5be79dd423fcabahrens SET_VALUE(kmf_set_cert_version(signedCert, 2), "version number");
fa9e4066f08beec538e775443c5be79dd423fcabahrens SET_VALUE(kmf_set_cert_serial(signedCert, serial), "serial number");
fa9e4066f08beec538e775443c5be79dd423fcabahrens SET_VALUE(kmf_set_cert_validity(signedCert, NULL, ltime),
fa9e4066f08beec538e775443c5be79dd423fcabahrens "validity time");
fa9e4066f08beec538e775443c5be79dd423fcabahrens SET_VALUE(kmf_set_cert_issuer(signedCert, &issuerDN),
fa9e4066f08beec538e775443c5be79dd423fcabahrens "Issuer Name");
fa9e4066f08beec538e775443c5be79dd423fcabahrens SET_VALUE(kmf_set_cert_subject(signedCert, &subjectDN),
fa9e4066f08beec538e775443c5be79dd423fcabahrens "Subject Name");
fa9e4066f08beec538e775443c5be79dd423fcabahrens signedCert->certificate.subject = csrdata->csr.subject;
fa9e4066f08beec538e775443c5be79dd423fcabahrens signedCert->certificate.extensions = csrdata->csr.extensions;
b1b8ab34de515a5e83206da22c3d7e563241b021lling * If the CSR already has KU, merge them.
0a586cea3ceec7e5e50e7e54c745082a7a333ac2Mark Shellenbaum SET_VALUE(kmf_set_cert_ku(signedCert, kucrit, kubits),
cde58dbc6a23d4d38db7c8866312be83221c765fMatthew Ahrens SET_VALUE(kmf_set_cert_subject_altname(signedCert,
cde58dbc6a23d4d38db7c8866312be83221c765fMatthew Ahrens altcrit, alttype, altname), "subjectAltName");
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden for (i = 0; rv == KMF_OK && i < ekulist->eku_count; i++) {
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden ekulist->critlist[i]), "Extended Key Usage");
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Sidenpk_sign_cert(KMF_HANDLE_T handle, KMF_X509_CERTIFICATE *cert,
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden KMF_KEY_HANDLE *key, KMF_OID *sigoid, KMF_DATA *outdata)
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden &key->kstype, sizeof (KMF_KEYSTORE_TYPE));
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* cert data that is to be signed */
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr++, KMF_X509_CERTIFICATE_ATTR,
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw /* output buffer for the signed cert */
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_DATA_ATTR,
0b69c2f001a429251e2d38f25aca860396551214ahrens /* Set the signature OID value so KMF knows how to generate the sig */
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr++, KMF_OID_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens if ((rv = kmf_sign_cert(handle, numattr, attrlist)) != KMF_OK) {
4445fffbbb1ea25fd0e9ea68b9380dd7a6709025Matthew Ahrens KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* verify the signature first */
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_CSR_DATA_ATTR,
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden cryptoerror(LOG_STDERR, gettext("CSR signature "
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden "verification failed.\n"));
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock rv = build_cert_from_csr(&csrdata, &signedCert, serial, ltime,
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock issuer, subject, altname, alttype, altcrit, kubits,
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick * Find the signing key.
ad135b5d644628e791c3188a6ecbd9c257961ef8Christopher Siden kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens "Error finding CA signing key\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens rv = pk_sign_cert(handle, &signedCert, &cakey, NULL, &certdata);
fa9e4066f08beec538e775443c5be79dd423fcabahrens "Error signing certificate.\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens KMF_BIGINT *serial, char *certfile, char *issuer, char *subject,
fa9e4066f08beec538e775443c5be79dd423fcabahrens char *altname, KMF_GENERALNAMECHOICES alttype, int altcrit,
fa9e4066f08beec538e775443c5be79dd423fcabahrens (void) memset(&casignkey, 0, sizeof (KMF_KEY_HANDLE));
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* verify the signature first */
44cd46cadd9aab751dae6a4023c1cb5bf316d274billm kmf_set_attr_at_index(attrlist, numattr, KMF_CSR_DATA_ATTR,
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick rv = kmf_verify_csr(handle, numattr, attrlist);
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick cryptoerror(LOG_STDERR, gettext("CSR signature "
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "verification failed.\n"));
1934e92fc930c49429ad71a8ca97340f33227e78maybee * Find the signing key.
0a586cea3ceec7e5e50e7e54c745082a7a333ac2Mark Shellenbaum kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
0a586cea3ceec7e5e50e7e54c745082a7a333ac2Mark Shellenbaum kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
0a586cea3ceec7e5e50e7e54c745082a7a333ac2Mark Shellenbaum kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, signkey,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
ea8dc4b6d2251b437950c0056bc626b311c73c27eschrock kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens * If we found the key, now we can sign the cert.
fa9e4066f08beec538e775443c5be79dd423fcabahrens rv = pk_sign_cert(handle, &signedCert, &casignkey, NULL,
fa9e4066f08beec538e775443c5be79dd423fcabahrens "Error signing certificate.\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens * Store it on the token if the user asked for it.
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
fa9e4066f08beec538e775443c5be79dd423fcabahrens "on PKCS#11 token.\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* Not fatal, we can still write it to a file. */
3d6926289465757c3da780cea696825b0d730283Sanjeev Bagewadi rv = kmf_create_cert_file(&outcert, fmt, certfile);
fa9e4066f08beec538e775443c5be79dd423fcabahrens * sign a CSR and generate an x509v3 certificate file.
fa9e4066f08beec538e775443c5be79dd423fcabahrens extern char *optarg_av;
d20e665c84abf083a9e8b62cca93383ecb55afdfRicardo M. Correia /* Parse command line options. Do NOT i18n/l10n. */
d20e665c84abf083a9e8b62cca93383ecb55afdfRicardo M. Correia "k:(keystore)c:(csr)T:(token)d:(dir)"
d20e665c84abf083a9e8b62cca93383ecb55afdfRicardo M. Correia "p:(prefix)S:(serial)s:(subject)a:(altname)"
d20e665c84abf083a9e8b62cca93383ecb55afdfRicardo M. Correia "t:(store)F:(format)K:(keyusage)l:(signkey)"
d20e665c84abf083a9e8b62cca93383ecb55afdfRicardo M. Correia "L:(lifetime)e:(eku)i:(issuer)"
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States return (PK_ERR_USAGE);
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States prefix = optarg_av;
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States break;
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States case 'S':
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States if (serstr != NULL)
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States return (PK_ERR_USAGE);
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States serstr = optarg_av;
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States break;
c242f9a02a2ef021449275ae0a1d2581ee77231dchunli zhang - Sun Microsystems - Irvine United States case 'c':
fa9e4066f08beec538e775443c5be79dd423fcabahrens /* No additional args allowed. */
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens /* Assume keystore = PKCS#11 if not specified. */
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens (void) fprintf(stderr, gettext("The signing key label "
fa9e4066f08beec538e775443c5be79dd423fcabahrens "or filename was not specified\n"));
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens (void) fprintf(stderr, gettext("The CSR filename was not"
fa9e4066f08beec538e775443c5be79dd423fcabahrens " specified\n"));
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens (void) fprintf(stderr, gettext("The output certificate file "
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens "was not specified\n"));
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens "was not specified\n"));
a2eea2e101e6a163a537dcc6d4e3c4da2a0ea5b2ahrens if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec)) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens } else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec)) {
71eb05381846ad14a2087631474e832d0f316654Chris Kirby rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
71eb05381846ad14a2087631474e832d0f316654Chris Kirby "must be specified as a hex number "
fa9e4066f08beec538e775443c5be79dd423fcabahrens "(ex: 0x0102030405ffeeddee)\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens (void) fprintf(stderr, gettext("The serial number was not"
fa9e4066f08beec538e775443c5be79dd423fcabahrens " specified\n"));
ab04eb8ef60d9dc9614d6cccffc474f24ca1d162timh /* Need to get password for private key access */
9966ca11f4a1481acce85f690fa59e4084050627Matthew Ahrens rv = verify_keyusage(kustr, &kubits, &kucrit);
148434217c040ea38dc844384f6ba68d9b325906Matthew Ahrens "must be specified as a comma-separated list. "
f18faf3f3e5def85fdfff681617d227703ace2adek "See the man page for details.\n"));
fa9e4066f08beec538e775443c5be79dd423fcabahrens "be specified as a comma-separated list. "
c5c6ffa0498b9c8555798756141b4a3061a138c1maybee "See the man page for details.\n"));
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick (void) fprintf(stderr, gettext("Subject AltName "
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "must be specified as a name=value pair. "
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick "See the man page for details.\n"));
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick /* advance the altname past the '=' sign */
b24ab6762772a3f6a89393947930c7fa61306783Jeff Bonwick if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
fa9e4066f08beec538e775443c5be79dd423fcabahrens signkey, csrfile, &serial, certfile, issuer, subject,
3cb34c601f3ef3016f638574f5982e80c3735c71ahrens signkey, csrfile, &serial, certfile, issuer, subject,