/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
/*
* This file implements the sign CSR operation for this tool.
*/
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <cryptoutil.h>
#include <security/cryptoki.h>
#include "common.h"
#include <kmfapi.h>
#define SET_VALUE(f, s) \
rv = f; \
goto cleanup; \
}
/*
 * NOTE(review): this listing has lost the declarator line and most
 * statements of this helper; the comments below describe only what is
 * still visible. The surviving branch distinguishes a PEM-encoded CSR
 * (csrfmt == KMF_FORMAT_PEM) from the other supported encoding, and each
 * `return (rv)` hands the KMF status straight back to the caller.
 */
static int
{
return (rv);
return (rv);
/* PEM input takes one path, anything else (presumably DER) the other. */
if (csrfmt == KMF_FORMAT_PEM) {
return (rv);
} else {
}
return (rv);
}
/*
 * NOTE(review): the declarator line and many statements are missing from
 * this listing; only the visible structure is documented here.
 *
 * Builds the certificate that will be signed: sets the validity time, the
 * issuer and subject names, and (when kubits is non-zero) the KeyUsage
 * extension. altname/altcrit/kucrit are the remaining visible parameters.
 * A name that cannot be parsed is a caller error and yields PK_ERR_USAGE;
 * other failures propagate the KMF status in rv.
 */
static int
char *altname,
int altcrit,
int kucrit,
{
/*
* If the CSR is ok, now we can generate the final certificate.
*/
"validity time");
/* An explicit issuer overrides whatever the CSR carried; it must parse. */
if (issuer) {
gettext("Issuer name cannot be parsed\n"));
return (PK_ERR_USAGE);
}
"Issuer Name");
}
/* Same for an explicit subject; the else branch keeps the CSR's subject. */
if (subject) {
gettext("Subject name cannot be parsed\n"));
return (PK_ERR_USAGE);
}
"Subject Name");
} else {
}
/* KeyUsage is only added when the caller supplied usage bits. */
if (kubits != 0) {
"KeyUsage");
}
}
int i;
}
}
return (rv);
}
/*
 * NOTE(review): the declarator line and the attribute-setting statements
 * are missing from this listing; only the visible structure is documented.
 *
 * Signs an already-built certificate: the attribute list is filled with the
 * signing key handle, the KMF_X509_CERTIFICATE to sign and an output buffer
 * for the signed result, then the sign call is made. On failure an error is
 * reported ("Failed to sign certificate.") and the KMF status is returned.
 */
static int
{
int numattr;
/* Attribute list is built positionally; numattr tracks the next slot. */
numattr = 0;
numattr++;
key, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
cert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
numattr++;
gettext("Failed to sign certificate.\n"));
return (rv);
}
return (rv);
}
/*
 * NOTE(review): the declarator line and many statements are missing from
 * this listing; only the visible structure is documented here.
 *
 * File-based signing path: reads the CSR from csrfile, verifies the CSR's
 * own signature, locates the CA signing key (signkey), signs the
 * certificate and writes it to certfile. issuer/subject/altname/altcrit/
 * kucrit are the remaining visible parameters. Every failure after the CSR
 * has been read jumps to cleanup so nothing is issued for a CSR whose
 * signature did not verify.
 */
static int
char *signkey,
char *csrfile,
char *certfile,
char *issuer,
char *subject,
char *altname,
int altcrit,
int kucrit,
{
gettext("Error reading CSR data\n"));
return (rv);
}
/* verify the signature first */
numattr = 0;
numattr++;
/* A CSR that fails its own signature check is never signed. */
"verification failed.\n"));
goto cleanup;
}
goto cleanup;
/*
* Find the signing key.
*/
numattr = 0;
numattr++;
numattr++;
numattr++;
numattr++;
/* Exactly one key is expected to match the CA signing key lookup. */
count = 1;
numattr++;
"Error finding CA signing key\n"));
goto cleanup;
}
"Error signing certificate.\n"));
goto cleanup;
}
return (rv);
}
/*
 * NOTE(review): the declarator line and many statements are missing from
 * this listing; only the visible structure is documented here.
 *
 * Keystore-based signing path (PKCS#11 token or NSS database, selected by
 * kstype): reads the CSR, verifies the CSR's own signature, looks up the
 * private signing key on the token using the supplied credential, signs the
 * certificate and, when `store` is set, also stores the result on the token.
 * A failed store is deliberately non-fatal because the certificate can
 * still be written to a file by the caller.
 */
static int
{
int numattr = 0;
/* Key lookup is expected to match a single key. */
int keys = 1;
gettext("Error reading CSR data\n"));
return (rv);
}
/* Keystore-specific attributes differ between PKCS#11 and NSS. */
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
} else if (kstype == KMF_KEYSTORE_NSS) {
}
/* verify the signature first */
numattr++;
/* A CSR that fails its own signature check is never signed. */
"verification failed.\n"));
goto cleanup;
}
goto cleanup;
/*
* Find the signing key.
*/
numattr = 0;
numattr++;
/* NSS additionally needs its keystore-specific attribute here. */
if (kstype == KMF_KEYSTORE_NSS) {
numattr++;
}
numattr++;
/* Restrict the search to private, token-resident keys. */
&private_bool, sizeof (private_bool));
numattr++;
&token_bool, sizeof (token_bool));
numattr++;
numattr++;
/* Token credential collected earlier by the caller (PIN/password). */
cred, sizeof (KMF_CREDENTIAL_ATTR));
numattr++;
numattr++;
numattr++;
gettext("Failed to find signing key\n"));
goto cleanup;
}
/*
* If we found the key, now we can sign the cert.
*/
"Error signing certificate.\n"));
goto cleanup;
}
/*
* Store it on the token if the user asked for it.
*/
if (store) {
numattr = 0;
numattr++;
numattr++;
numattr++;
}
if (kstype == KMF_KEYSTORE_NSS) {
numattr++;
}
gettext("Failed to store cert "
"on PKCS#11 token.\n"));
/* Not fatal, we can still write it to a file. */
}
}
return (rv);
}
/*
* Sign a CSR and generate an X.509v3 certificate file.
*/
/*
 * NOTE(review): the declarator line and many statements of this entry
 * point are missing from this listing; only the visible structure is
 * documented here.
 *
 * Command entry for the sign-CSR operation. Parses the options named in
 * the getopt string, rejecting empty or repeated option values with
 * PK_ERR_USAGE; validates the required inputs (keystore, CSR, serial,
 * lifetime, extended key usage, altname, output format); collects the
 * token credential when the keystore is a PKCS#11 token or NSS database;
 * then dispatches to the keystore-specific signing routine selected by
 * kstype. Returns a PK_ERR_* status. The `end:` label is reached both by
 * fall-through and by the `goto end` error paths and finalizes the KMF
 * handle.
 */
int
{
int opt;
extern int optind_av;
extern char *optarg_av;
char *token_spec = NULL;
int store = 0;
/* 0 means "not given"; resolved to PKCS#11 below if still unset. */
KMF_KEYSTORE_TYPE kstype = 0;
"k:(keystore)c:(csr)T:(token)d:(dir)"
"p:(prefix)S:(serial)s:(subject)a:(altname)"
"t:(store)F:(format)K:(keyusage)l:(signkey)"
"L:(lifetime)e:(eku)i:(issuer)"
"n:(outlabel)o:(outcert)")) != EOF) {
/* Every option takes a value; an empty one is a usage error. */
if (EMPTYSTRING(optarg_av))
return (PK_ERR_USAGE);
switch (opt) {
case 'k':
/* -k may appear once; an unknown keystore name leaves kstype 0. */
if (kstype != 0)
return (PK_ERR_USAGE);
if (kstype == 0)
return (PK_ERR_USAGE);
break;
case 't':
return (PK_ERR_USAGE);
/* -1 presumably marks an unparsable store value; treated as usage error. */
if (store == -1)
return (PK_ERR_USAGE);
break;
case 'a':
if (altname)
return (PK_ERR_USAGE);
break;
case 's':
if (subject)
return (PK_ERR_USAGE);
break;
case 'i':
if (issuer)
return (PK_ERR_USAGE);
break;
case 'd':
if (dir)
return (PK_ERR_USAGE);
break;
case 'p':
if (prefix)
return (PK_ERR_USAGE);
break;
case 'S':
return (PK_ERR_USAGE);
break;
case 'c':
if (csrfile)
return (PK_ERR_USAGE);
break;
case 'T': /* token specifier */
if (token_spec)
return (PK_ERR_USAGE);
break;
case 'l': /* object with specific label */
if (signkey)
return (PK_ERR_USAGE);
break;
case 'e':
return (PK_ERR_USAGE);
break;
case 'K':
return (PK_ERR_USAGE);
break;
case 'F':
return (PK_ERR_USAGE);
break;
case 'o':
return (PK_ERR_USAGE);
break;
case 'L':
return (PK_ERR_USAGE);
break;
case 'n':
return (PK_ERR_USAGE);
break;
default:
return (PK_ERR_USAGE);
}
}
/* No additional args allowed. */
if (argc)
return (PK_ERR_USAGE);
return (rv);
}
/* Assume keystore = PKCS#11 if not specified. */
if (kstype == 0)
"or filename was not specified\n"));
return (PK_ERR_USAGE);
}
" specified\n"));
return (PK_ERR_USAGE);
}
"was not specified\n"));
return (PK_ERR_USAGE);
}
"was not specified\n"));
return (PK_ERR_USAGE);
}
gettext("Error parsing lifetime string\n"));
return (PK_ERR_USAGE);
}
}
}
/* The serial number must be a hex string; anything else is rejected. */
"must be specified as a hex number "
"(ex: 0x0102030405ffeeddee)\n"));
return (PK_ERR_USAGE);
}
} else {
" specified\n"));
return (PK_ERR_USAGE);
}
/*
 * Token-backed keystores need the token credential before the private
 * signing key can be used; it is prompted for here, ahead of any signing.
 */
if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
kstype == KMF_KEYSTORE_NSS)) {
/* Need to get password for private key access */
&tokencred);
}
/* Extended key usage is validated as a comma-separated list. */
"be specified as a comma-separated list. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
}
/* altname is validated as name=value; the value part is what gets used. */
char *p;
"must be specified as a name=value pair. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
/* advance the altname past the '=' sign */
if (p != NULL)
altname = p + 1;
}
gettext("Error parsing format string (%s).\n"),
format);
return (PK_ERR_USAGE);
}
/* Dispatch to the signing routine for the selected keystore type. */
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
} else if (kstype == KMF_KEYSTORE_NSS) {
} else if (kstype == KMF_KEYSTORE_OPENSSL) {
}
end:
gettext("Error listing objects"));
}
/* Always release the KMF handle, whatever status is being returned. */
(void) kmf_finalize(kmfhandle);
return (rv);
}