c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER START
c28749e97052f09388969427adf7df641cdcdc22kais * The contents of this file are subject to the terms of the
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * Common Development and Distribution License (the "License").
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * You may not use this file except in compliance with the License.
c28749e97052f09388969427adf7df641cdcdc22kais * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c28749e97052f09388969427adf7df641cdcdc22kais * See the License for the specific language governing permissions
c28749e97052f09388969427adf7df641cdcdc22kais * and limitations under the License.
c28749e97052f09388969427adf7df641cdcdc22kais * When distributing Covered Code, include this CDDL HEADER in each
c28749e97052f09388969427adf7df641cdcdc22kais * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c28749e97052f09388969427adf7df641cdcdc22kais * If applicable, add the following below this CDDL HEADER, with the
c28749e97052f09388969427adf7df641cdcdc22kais * fields enclosed by brackets "[]" replaced with your own identifying
c28749e97052f09388969427adf7df641cdcdc22kais * information: Portions Copyright [yyyy] [name of copyright owner]
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER END
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " -f pkcs11 [-d softtoken_directory] -T <token_label>"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " -C <certificate_label> -x <proxy_port>"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " [-h <ca_certchain_file>]"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " [options] [<server_address>] [<server_port>]\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " [options] [<server_address>] [<server_port>]\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " -f pem -i <cert_and_key_pemfile> -x <proxy_port>"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys " [options] [<server_address>] [<server_port>]\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "\t[-c <ciphersuites>]\n"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "\t[-p <password_file>]\n"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "\t[-t <ssl_session_cache_timeout>]\n"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "\t[-z <ssl_session_cache_size>]\n"
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "\t[-v]\n");
c28749e97052f09388969427adf7df641cdcdc22kais * Everything is allocated in a single contiguous buffer.
c28749e97052f09388969427adf7df641cdcdc22kais * The layout is the following:
c28749e97052f09388969427adf7df641cdcdc22kais * . the kssl_params_t structure
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * . optional buffer containing pin (if key is non extractable)
c28749e97052f09388969427adf7df641cdcdc22kais * . the array of key attribute structs, (value of ck_attrs)
c28749e97052f09388969427adf7df641cdcdc22kais * . the key attributes values (values of ck_attrs[i].ck_value);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * . the array of sizes of the certificates, (referred to as sc_sizes[])
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * . the certificates values (referred to as sc_certs[])
c28749e97052f09388969427adf7df641cdcdc22kais * The addresses of the certs and key attribute values are offsets
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * from the beginning of the big buffer. sc_sizes_offset points
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * to sc_sizes[0] and sc_certs_offset points to sc_certs[0].
71593db26bb6ef7b739cffe06d53bf990cac112cwyllyskmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_TOKEN, &true, sizeof (true)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_EXTRACTABLE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_object_attribute_t kssl_tmpl_attrs[MAX_ATTR_CNT] = {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < ncerts; i++)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bufsize += (tcsize + (MAX_CHAIN_LENGTH * sizeof (uint32_t)));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* and the key attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "missing required attributes in private key.\n");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < MAX_ATTR_CNT; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Compute space for the attributes and values that the
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * kssl kernel module will need in order to search for
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * the private key.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /* Add 4-byte cushion as sc_sizes[0] needs 32-bit alignment */
c28749e97052f09388969427adf7df641cdcdc22kais /* Now the big memory allocation */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot allocate memory for the kssl_params "
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "and values\n");
c28749e97052f09388969427adf7df641cdcdc22kais /* LINTED */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* the keys attributes structs array */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* then the key attributes values */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < MAX_ATTR_CNT; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) strlcpy(tlabel, token_label, sizeof (tlabel));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * For a non-extractable key, we must provide the PIN
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * so the kssl module can access the token to find
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * the key handle.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Next in the buffer, we must provide the attributes
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * that the kssl module will use to search in the
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * token to find the protected key handle.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < attr_cnt; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_attrs[i].ka_value_len = exkey_attrs[i].ulValueLen;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Copy the key attributes array here */
c28749e97052f09388969427adf7df641cdcdc22kais bcopy(kssl_attrs, ((char *)kssl_params) + key->ks_attrs_offset,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf = (char *)P2ROUNDUP((uintptr_t)buf, sizeof (uint32_t));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Finally, add the certificate chain to the buffer.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* First, an array of certificate sizes */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < ncerts; i++) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys uint32_t certsz = (uint32_t)certs[i].certificate.Length;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params->kssl_certs.sc_sizes_offset = buf - (char *)kssl_params;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params->kssl_certs.sc_certs_offset = buf - (char *)kssl_params;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Now add the certificate data (ASN.1 DER encoded) */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < ncerts; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Extract a sensitive key via wrap/unwrap operations.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * This function requires that we call PKCS#11 API directly since
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * KMF does not yet support wrapping/unwrapping of keys. By extracting
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * a sensitive key in wrapped form, we then unwrap it into a session key
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * object. KMF is then used to find the session key and return it in
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * KMF_RAW_KEY format which is then passed along to KSSL by the caller.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys char *idstr, KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_MECHANISM aes_cbc_pad_mech = {CKM_AES_CBC_PAD, aes_param,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_OBJECT_HANDLE sess_privkey_obj = CK_INVALID_HANDLE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* code below depends on the following attribute order */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_TOKEN, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_KEY_TYPE, &privkey_type, sizeof (privkey_type)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_SENSITIVE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_PRIVATE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a wrap key with random data.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Login to create the wrap key stuff.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK && ckrv != CKR_USER_ALREADY_LOGGED_IN) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot login to the token. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Turn the random key into a PKCS#11 session object.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = SUNW_C_KeyToObject(pk11session, CKM_AES_CBC_PAD, aes_key_val,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot create wrapping key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the original private key that we are going to wrap.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding private key", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Get the size of the wrapped private key.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Most common error here is that the token doesn't
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * support the wrapping mechanism or the key is
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * marked non-extractable. Return an error and let
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * the caller deal with it gracefully.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot get wrap key size. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Now get the actual wrapped key data.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot wrap private key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a label for the wrapped session key so we can find
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * it more easily later.
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Unwrap the key into the template and create a temporary
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * session private key.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_UnwrapKey(pk11session, &aes_cbc_pad_mech, aes_key_obj,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot unwrap private key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Use KMF to find the session key and return it as RAW data
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * so we can pass it along to KSSL.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_KEYCLASS_ATTR, attrlist, numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_ENCODE_FORMAT_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (idx = kmf_find_attr(KMF_KEYLABEL_ATTR, attrlist, numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_PRIVATE_BOOL_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_TOKEN_BOOL_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_KEY_HANDLE_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Clear the IDSTR attribute since it is not part of the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * wrapped session key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The wrapped key should not be sensitive. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SENSITIVE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &false, sizeof (false));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding raw private key", err);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) C_DestroyObject(pk11session, aes_key_obj);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) C_DestroyObject(pk11session, sess_privkey_obj);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (password_buf)) <= 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_READONLY_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &false, sizeof (false));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_configure_keystore(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error configuring KMF keystore", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the certificate matching the given label.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the associated private key for this cert by
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * keying off the label and the ASCII ID string.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr = 1; /* attrlist[0] is already set to kstype */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &true, sizeof (true));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &true, sizeof (true));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* We only expect to find 1 key at most */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Get a normal key handle and then do a wrap/unwrap
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * in order to get the necessary raw data fields needed
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * to send to KSSL.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Swap "key" for "rawkey" */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Let kssl try to find the key. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_id_data(&cert.certificate, &iddata);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Let kssl try to find the key. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_id_data(&cert.certificate, &iddata);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params = kmf_to_kssl(nxkey, (KMF_RAW_KEY_DATA *)key.keyp,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys 1, &cert, bufsize, (char *)token_label, &iddata, &creds);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * add_cacerts
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Load a chain of certificates from a PEM file.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys kssl_params_t *old_params, const char *cacert_chain_file)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)cacert_chain_file, strlen(cacert_chain_file));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding CA certificates", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (0);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr, "memory allocation error.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* add new attribute for the cert list to be returned */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna (void) printf("%d certificates read successfully\n", ncerts);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * Get a bigger structure and update the
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * fields to account for the additional certs.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Put the cert size info starting from sc_sizes[1] */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < ncerts; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t size = (uint32_t)certs[i].certificate.Length;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna /* Put the cert_bufs starting from sc_certs[1] */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna /* now the certs values */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++) {
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find a key and certificate(s) from a single PEM file.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysload_from_pem(KMF_HANDLE_T kmfh, const char *filename,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna (void) printf("%d certificates read successfully\n", ncerts);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Load a raw key and certificate(s) from a PKCS#12 file.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysload_from_pkcs12(KMF_HANDLE_T kmfh, const char *filename,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna (void) printf("%d certificates read successfully\n", ncerts);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL,
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
c28749e97052f09388969427adf7df641cdcdc22kaisparse_and_set_addr(char *server_address, char *server_port,
c28749e97052f09388969427adf7df641cdcdc22kais return (-1);
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri if ((hp = (getipnodebyname(server_address, AF_INET6,
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) fprintf(stderr, "Error: Unknown host: %s\n",
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) memcpy((caddr_t)&addr->sin6_addr, hp->h_addr,
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal if (server_port == ep || *ep != '\0' || errno != 0) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr, "Error: Invalid Port value: %s\n",
c28749e97052f09388969427adf7df641cdcdc22kais return (-1);
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal (void) fprintf(stderr, "Error: Port out of range: %s\n",
11d0a659fdd288190c17d8600ecd218e9a9b546dVladimir Kotal /* It is safe to convert since the value is inside the boundaries. */
c28749e97052f09388969427adf7df641cdcdc22kais return (0);
c28749e97052f09388969427adf7df641cdcdc22kais * The order of the ciphers is important. It is used as the
c28749e97052f09388969427adf7df641cdcdc22kais * default order (when -c is not specified).
c28749e97052f09388969427adf7df641cdcdc22kais {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, B_FALSE},
c28749e97052f09388969427adf7df641cdcdc22kais {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, B_FALSE},
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna {"rsa_aes_256_cbc_sha", TLS_RSA_WITH_AES_256_CBC_SHA, B_FALSE},
2bd70d4be73561631df9cb3d9eb4c65fa94fa665krishna {"rsa_aes_128_cbc_sha", TLS_RSA_WITH_AES_128_CBC_SHA, B_FALSE},
c28749e97052f09388969427adf7df641cdcdc22kais {"rsa_3des_ede_cbc_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, B_FALSE},
c28749e97052f09388969427adf7df641cdcdc22kais {"rsa_des_cbc_sha", SSL_RSA_WITH_DES_CBC_SHA, B_FALSE},
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna while ((c = getopt(argc, argv, "vT:d:f:h:i:p:c:C:t:x:z:")) != -1) {
c28749e97052f09388969427adf7df641cdcdc22kais switch (c) {
c28749e97052f09388969427adf7df641cdcdc22kais if (pcnt == 0) {
c28749e97052f09388969427adf7df641cdcdc22kais if (parse_and_set_addr(addr, port, &server_addr) < 0) {
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) inet_ntop(AF_INET6, &server_addr.sin6_addr, buffer,
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) printf("addr = %s, port = %d\n", buffer,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys return (0);
c28749e97052f09388969427adf7df641cdcdc22kais "SOFTTOKEN_DIR=%s\n",
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr, "Unsupported cert format: %s\n", format);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Add the list of supported ciphers to the buffer.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys kssl_params = add_cacerts(kmfh, kssl_params, cacert_chain_file);
c28749e97052f09388969427adf7df641cdcdc22kais if (kssl_send_command((char *)kssl_params, KSSL_ADD_ENTRY) < 0) {