/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
 */
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#include <errno.h>
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna#include <sys/sysmacros.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <security/cryptoki.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <security/pkcs11.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <stdio.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <strings.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <sys/types.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <sys/stat.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/socket.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <netinet/in.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <arpa/inet.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <netdb.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <fcntl.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <inet/kssl/kssl.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <cryptoutil.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <libscf.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include "kssladm.h"
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <kmfapi.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
/*
 * Write the synopsis of the "kssladm create" subcommand to stderr.
 *
 * do_print: when B_TRUE a leading "Usage:" line precedes the synopsis.
 * The three synopsis forms and the option list are always written.
 */
void
usage_create(boolean_t do_print)
{
	static const char *const synopsis[] = {
		"kssladm create"
		" -f pkcs11 [-d softtoken_directory] -T <token_label>"
		" -C <certificate_label> -x <proxy_port>"
		" [-h <ca_certchain_file>]"
		" [options] [<server_address>] [<server_port>]\n",

		"kssladm create"
		" -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>"
		" [options] [<server_address>] [<server_port>]\n",

		"kssladm create"
		" -f pem -i <cert_and_key_pemfile> -x <proxy_port>"
		" [options] [<server_address>] [<server_port>]\n",

		"options are:\n"
		"\t[-c <ciphersuites>]\n"
		"\t[-p <password_file>]\n"
		"\t[-t <ssl_session_cache_timeout>]\n"
		"\t[-z <ssl_session_cache_size>]\n"
		"\t[-v]\n"
	};
	size_t line;

	if (do_print)
		(void) fputs("Usage:\n", stderr);

	for (line = 0; line < sizeof (synopsis) / sizeof (synopsis[0]); line++)
		(void) fputs(synopsis[line], stderr);
}
c28749e97052f09388969427adf7df641cdcdc22kais
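/*
 * Everything is allocated in one single contiguous buffer.
 * The layout is the following:
 * . the kssl_params_t structure
 * . optional buffer containing pin (if key is non extractable)
 * . the array of key attribute structs, (value of ck_attrs)
 * . the key attributes values (values of ck_attrs[i].ck_value);
 * . the array of sizes of the certificates, (referred to as sc_sizes[])
 * . the certificates values (referred to as sc_certs[])
 *
 * The address of the certs and key attributes values are offsets
 * from the beginning of the big buffer. sc_sizes_offset points
 * to sc_sizes[0] and sc_certs_offset points to sc_certs[0].
 *
 * nxkey	non-zero if the private key is non-extractable.  The buffer
 *		then carries the token label, the PIN and the PKCS#11 search
 *		template instead of the raw RSA components.
 * rsa		raw RSA key material; required when nxkey is zero.
 * ncerts	number of entries in certs[]; at most MAX_CHAIN_LENGTH,
 *		which is how many sc_sizes[] slots are reserved.
 * certs	DER encoded certificate chain, copied in the order given.
 * paramsize	out: total size in bytes of the returned buffer.
 * token_label	label of the token holding the key; required when nxkey
 *		is non-zero, truncated to CRYPTO_EXT_SIZE_LABEL.
 * idstr	optional CKA_ID value for the key search (nxkey only).
 * creds	token PIN; required when nxkey is non-zero.
 *
 * Returns a calloc()ed kssl_params_t that the caller owns and must free(),
 * or NULL after printing a diagnostic on stderr.  When nxkey is set the
 * returned buffer carries the PIN in clear at tokpin_offset.
 */
static kssl_params_t *
kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts,
    KMF_X509_DER_CERT *certs, int *paramsize,
    char *token_label, KMF_DATA *idstr,
    KMF_CREDENTIAL *creds)
{
	/* number of entries initialised in exkey_attrs[] below */
	enum { NEXKEY_ATTRS = 5 };
	int i, tcsize;
	kssl_params_t *kssl_params;
	kssl_key_t *key;
	char *buf;
	uint32_t bufsize;
	/* ck_* names so nothing clashes if <stdbool.h> is ever included */
	static CK_BBOOL ck_true = TRUE;
	static CK_BBOOL ck_false = FALSE;
	static CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
	static CK_KEY_TYPE keytype = CKK_RSA;
	kssl_object_attribute_t kssl_attrs[MAX_ATTR_CNT];
	/* search template for a non-extractable key; [4] is CKA_ID */
	CK_ATTRIBUTE exkey_attrs[MAX_ATTR_CNT] = {
		{CKA_TOKEN, &ck_true, sizeof (ck_true)},
		{CKA_EXTRACTABLE, &ck_false, sizeof (ck_false)},
		{CKA_CLASS, &class, sizeof (class) },
		{CKA_KEY_TYPE, &keytype, sizeof (keytype) },
		{CKA_ID, NULL, 0}
	};
	/* index order matches priv_key_bignums[] */
	kssl_object_attribute_t kssl_tmpl_attrs[MAX_ATTR_CNT] = {
		{SUN_CKA_MODULUS, NULL, 0},
		{SUN_CKA_PUBLIC_EXPONENT, NULL, 0},
		{SUN_CKA_PRIVATE_EXPONENT, NULL, 0},
		{SUN_CKA_PRIME_1, NULL, 0},
		{SUN_CKA_PRIME_2, NULL, 0},
		{SUN_CKA_EXPONENT_1, NULL, 0},
		{SUN_CKA_EXPONENT_2, NULL, 0},
		{SUN_CKA_COEFFICIENT, NULL, 0}
	};
	KMF_BIGINT priv_key_bignums[MAX_ATTR_CNT];
	int attr_cnt;

	/*
	 * Reject up front anything a later step would dereference or
	 * overrun: sc_sizes[] has exactly MAX_CHAIN_LENGTH slots, the
	 * non-extractable path copies creds->cred and token_label without
	 * further checks, and the extractable path reads rsa.
	 */
	if (ncerts < 0 || ncerts > MAX_CHAIN_LENGTH ||
	    (ncerts > 0 && certs == NULL)) {
		(void) fprintf(stderr,
		    "Invalid certificate chain: %d certificates "
		    "(maximum %d).\n", ncerts, (int)MAX_CHAIN_LENGTH);
		return (NULL);
	}
	if (nxkey) {
		if (creds == NULL || token_label == NULL) {
			(void) fprintf(stderr,
			    "Token PIN and token label are required "
			    "for a non-extractable key.\n");
			return (NULL);
		}
	} else if (rsa == NULL) {
		(void) fprintf(stderr, "No private key data available.\n");
		return (NULL);
	}

	if (nxkey && idstr != NULL) {
		exkey_attrs[4].pValue = idstr->Data;
		exkey_attrs[4].ulValueLen = idstr->Length;
	}
	tcsize = 0;
	for (i = 0; i < ncerts; i++)
		tcsize += certs[i].certificate.Length;

	/*
	 * Fixed header, all certificate bytes and a full MAX_CHAIN_LENGTH
	 * sc_sizes[] array (always reserved at its maximum size).
	 */
	bufsize = sizeof (kssl_params_t);
	bufsize += (tcsize + (MAX_CHAIN_LENGTH * sizeof (uint32_t)));

	if (!nxkey) {
		bzero(priv_key_bignums, sizeof (KMF_BIGINT) *
		    MAX_ATTR_CNT);
		/* and the key attributes */
		priv_key_bignums[0] = rsa->rawdata.rsa.mod;
		priv_key_bignums[1] = rsa->rawdata.rsa.pubexp;
		priv_key_bignums[2] = rsa->rawdata.rsa.priexp;
		priv_key_bignums[3] = rsa->rawdata.rsa.prime1;
		priv_key_bignums[4] = rsa->rawdata.rsa.prime2;
		priv_key_bignums[5] = rsa->rawdata.rsa.exp1;
		priv_key_bignums[6] = rsa->rawdata.rsa.exp2;
		priv_key_bignums[7] = rsa->rawdata.rsa.coef;

		if (rsa->rawdata.rsa.mod.val == NULL ||
		    rsa->rawdata.rsa.priexp.val == NULL) {
			(void) fprintf(stderr,
			    "missing required attributes in private key.\n");
			return (NULL);
		}

		/*
		 * Only the components that are present are sent.  Space
		 * is counted with crypto_object_attribute_t while the
		 * layout below steps by kssl_object_attribute_t.
		 * NOTE(review): that is only safe if the former is at
		 * least as large as the latter -- confirm in kssl.h.
		 */
		attr_cnt = 0;
		for (i = 0; i < MAX_ATTR_CNT; i++) {
			if (priv_key_bignums[i].val == NULL)
				continue;
			kssl_attrs[attr_cnt].ka_type =
			    kssl_tmpl_attrs[i].ka_type;
			kssl_attrs[attr_cnt].ka_value_len =
			    priv_key_bignums[i].len;
			bufsize += sizeof (crypto_object_attribute_t) +
			    kssl_attrs[attr_cnt].ka_value_len;
			attr_cnt++;
		}
	} else {
		/*
		 * Compute space for the attributes and values that the
		 * kssl kernel module will need in order to search for
		 * the private key.
		 */
		for (attr_cnt = 0; attr_cnt < NEXKEY_ATTRS; attr_cnt++) {
			bufsize += sizeof (crypto_object_attribute_t) +
			    exkey_attrs[attr_cnt].ulValueLen;
		}
		/* creds was verified non-NULL above */
		bufsize += creds->credlen;
	}

	/* Add 4-byte cushion as sc_sizes[0] needs 32-bit alignment */
	bufsize += sizeof (uint32_t);

	/* Now the big memory allocation */
	if ((buf = calloc(bufsize, 1)) == NULL) {
		(void) fprintf(stderr,
		    "Cannot allocate memory for the kssl_params "
		    "and values\n");
		return (NULL);
	}

	/* LINTED */
	kssl_params = (kssl_params_t *)buf;

	buf = (char *)(kssl_params + 1);

	if (!nxkey) {
		/* the keys attributes structs array */
		key = &kssl_params->kssl_privkey;
		key->ks_format = CRYPTO_KEY_ATTR_LIST;
		key->ks_count = attr_cnt;
		key->ks_attrs_offset = buf - (char *)kssl_params;
		buf += attr_cnt * sizeof (kssl_object_attribute_t);

		attr_cnt = 0;
		/* then the key attributes values */
		for (i = 0; i < MAX_ATTR_CNT; i++) {
			if (priv_key_bignums[i].val == NULL)
				continue;
			(void) memcpy(buf, priv_key_bignums[i].val,
			    priv_key_bignums[i].len);
			kssl_attrs[attr_cnt].ka_value_offset =
			    buf - (char *)kssl_params;
			buf += kssl_attrs[attr_cnt].ka_value_len;
			attr_cnt++;
		}
	} else {
		char tlabel[CRYPTO_EXT_SIZE_LABEL];
		bzero(tlabel, sizeof (tlabel));
		/* strlcpy bounds the copy; the label may be truncated */
		(void) strlcpy(tlabel, token_label, sizeof (tlabel));

		/*
		 * For a non-extractable key, we must provide the PIN
		 * so the kssl module can access the token to find
		 * the key handle.
		 */
		kssl_params->kssl_is_nxkey = 1;
		bcopy(tlabel, kssl_params->kssl_token.toklabel,
		    CRYPTO_EXT_SIZE_LABEL);
		kssl_params->kssl_token.pinlen = creds->credlen;
		kssl_params->kssl_token.tokpin_offset =
		    buf - (char *)kssl_params;
		kssl_params->kssl_token.ck_rv = 0;
		bcopy(creds->cred, buf, creds->credlen);
		buf += creds->credlen;

		/*
		 * Next in the buffer, we must provide the attributes
		 * that the kssl module will use to search in the
		 * token to find the protected key handle.
		 */
		key = &kssl_params->kssl_privkey;
		key->ks_format = CRYPTO_KEY_ATTR_LIST;
		key->ks_count = attr_cnt;
		key->ks_attrs_offset = buf - (char *)kssl_params;

		buf += attr_cnt * sizeof (kssl_object_attribute_t);
		for (i = 0; i < attr_cnt; i++) {
			bcopy(exkey_attrs[i].pValue, buf,
			    exkey_attrs[i].ulValueLen);

			kssl_attrs[i].ka_type = exkey_attrs[i].type;
			kssl_attrs[i].ka_value_offset =
			    buf - (char *)kssl_params;
			kssl_attrs[i].ka_value_len = exkey_attrs[i].ulValueLen;

			buf += exkey_attrs[i].ulValueLen;
		}
	}
	/* Copy the key attributes array here */
	bcopy(kssl_attrs, ((char *)kssl_params) + key->ks_attrs_offset,
	    attr_cnt * sizeof (kssl_object_attribute_t));

	/* the cushion added to bufsize above covers this round-up */
	buf = (char *)P2ROUNDUP((uintptr_t)buf, sizeof (uint32_t));

	/*
	 * Finally, add the certificate chain to the buffer.
	 */
	kssl_params->kssl_certs.sc_count = ncerts;

	/* First, an array of certificate sizes (ncerts <= MAX_CHAIN_LENGTH) */
	for (i = 0; i < ncerts; i++) {
		uint32_t certsz = (uint32_t)certs[i].certificate.Length;
		char *p = buf + (i * sizeof (uint32_t));
		bcopy(&certsz, p, sizeof (uint32_t));
	}

	kssl_params->kssl_certs.sc_sizes_offset = buf - (char *)kssl_params;
	buf += MAX_CHAIN_LENGTH * sizeof (uint32_t);

	kssl_params->kssl_certs.sc_certs_offset = buf - (char *)kssl_params;

	/* Now add the certificate data (ASN.1 DER encoded) */
	for (i = 0; i < ncerts; i++) {
		bcopy(certs[i].certificate.Data, buf,
		    certs[i].certificate.Length);
		buf += certs[i].certificate.Length;
	}

	*paramsize = bufsize;
	return (kssl_params);
}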
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Extract a sensitive key via wrap/unwrap operations.
 *
 * This function requires that we call the PKCS#11 API directly since
 * KMF does not yet support wrapping/unwrapping of keys. By extracting
 * a sensitive key in wrapped form, we then unwrap it into a session key
 * object. KMF is then used to find the session key and return it in
 * KMF_RAW_KEY format, which the caller then passes along to KSSL.
 */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysstatic KMF_RETURN
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysget_sensitive_key_data(KMF_HANDLE_T kmfh,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_CREDENTIAL *creds, char *keylabel,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys char *idstr, KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey)
c28749e97052f09388969427adf7df641cdcdc22kais{
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_RETURN rv = KMF_OK;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_BYTE aes_param[16];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_KEY_TYPE privkey_type = CKK_RSA;
c28749e97052f09388969427adf7df641cdcdc22kais static CK_BBOOL false = FALSE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys boolean_t kmftrue = B_TRUE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys boolean_t kmffalse = B_FALSE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char *err = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char wrapkey_label[BUFSIZ];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys int fd;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t nkeys = 0;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_RV ckrv;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_SESSION_HANDLE pk11session;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_BYTE aes_key_val[16];
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int numattr = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int idx;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ATTRIBUTE attrlist[16];
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEYSTORE_TYPE kstype;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEY_CLASS kclass;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ENCODE_FORMAT format;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_MECHANISM aes_cbc_pad_mech = {CKM_AES_CBC_PAD, aes_param,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys sizeof (aes_param)};
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_OBJECT_HANDLE aes_key_obj = CK_INVALID_HANDLE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_OBJECT_HANDLE sess_privkey_obj = CK_INVALID_HANDLE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_BYTE *wrapped_privkey = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_ULONG wrapped_privkey_len = 0;
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_ATTRIBUTE unwrap_tmpl[] = {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* code below depends on the following attribute order */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_TOKEN, &false, sizeof (false)},
c28749e97052f09388969427adf7df641cdcdc22kais {CKA_CLASS, &privkey_class, sizeof (privkey_class)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_KEY_TYPE, &privkey_type, sizeof (privkey_type)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_SENSITIVE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_PRIVATE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_LABEL, NULL, 0}
c28749e97052f09388969427adf7df641cdcdc22kais };
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a wrap key with random data.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fd = open("/dev/urandom", O_RDONLY);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (fd == -1) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys perror("Error reading /dev/urandom");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (read(fd, aes_key_val, sizeof (aes_key_val)) !=
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (aes_key_val)) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys perror("Error reading from /dev/urandom");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) close(fd);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) close(fd);
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pk11session = kmf_get_pk11_handle(kmfh);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Login to create the wrap key stuff.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_Login(pk11session, CKU_USER,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (CK_UTF8CHAR_PTR)creds->cred, creds->credlen);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK && ckrv != CKR_USER_ALREADY_LOGGED_IN) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot login to the token. error = %s\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Turn the random key into a PKCS#11 session object.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = SUNW_C_KeyToObject(pk11session, CKM_AES_CBC_PAD, aes_key_val,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (aes_key_val), &aes_key_obj);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot create wrapping key. error = %s\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the original private key that we are going to wrap.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kstype = KMF_KEYSTORE_PK11TOKEN;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kstype, sizeof (kstype));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kclass = KMF_ASYM_PRI;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kclass, sizeof (kclass));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys creds, sizeof (KMF_CREDENTIAL));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (keylabel) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel, strlen(keylabel));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (idstr) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys idstr, strlen(idstr));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys format = KMF_FORMAT_NATIVE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &format, sizeof (format));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kmftrue, sizeof (kmftrue));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kmftrue, sizeof (kmftrue));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nkeys = 1;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &nkeys, sizeof (nkeys));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key, sizeof (KMF_KEY_HANDLE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_key(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding private key", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Get the size of the wrapped private key.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bzero(aes_param, sizeof (aes_param));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys aes_key_obj, (CK_OBJECT_HANDLE)key->keyp,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys NULL, &wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Most common error here is that the token doesn't
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * support the wrapping mechanism or the key is
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * marked non-extractable. Return an error and let
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * the caller deal with it gracefully.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot get wrap key size. error = %s\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys wrapped_privkey = malloc(wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (wrapped_privkey == NULL) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_MEMORY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Now get the actual wrapped key data.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys aes_key_obj, (CK_OBJECT_HANDLE)key->keyp,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys wrapped_privkey, &wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot wrap private key. error = %s\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a label for the wrapped session key so we can find
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * it easier later.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys getpid());
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys unwrap_tmpl[5].pValue = wrapkey_label;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys unwrap_tmpl[5].ulValueLen = strlen(wrapkey_label);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Unwrap the key into the template and create a temporary
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * session private key.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_UnwrapKey(pk11session, &aes_cbc_pad_mech, aes_key_obj,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys wrapped_privkey, wrapped_privkey_len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unwrap_tmpl, 6, &sess_privkey_obj);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "Cannot unwrap private key. error = %s\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Use KMF to find the session key and return it as RAW data
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * so we can pass it along to KSSL.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kclass = KMF_ASYM_PRI;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_KEYCLASS_ATTR, attrlist, numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = &kclass;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys format = KMF_FORMAT_RAWKEY;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_ENCODE_FORMAT_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = &format;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (wrapkey_label != NULL &&
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (idx = kmf_find_attr(KMF_KEYLABEL_ATTR, attrlist, numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = wrapkey_label;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].valueLen = strlen(wrapkey_label);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_PRIVATE_BOOL_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = &kmffalse;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_TOKEN_BOOL_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = &kmffalse;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_KEY_HANDLE_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = rawkey;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /*
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Clear the IDSTR attribute since it is not part of the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * wrapped session key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((idx = kmf_find_attr(KMF_IDSTR_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr)) != -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].pValue = NULL;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys attrlist[idx].valueLen = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The wrapped key should not be sensitive. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_SENSITIVE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &false, sizeof (false));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_key(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding raw private key", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysout:
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (wrapped_privkey)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys free(wrapped_privkey);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (aes_key_obj != CK_INVALID_HANDLE)
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) C_DestroyObject(pk11session, aes_key_obj);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (sess_privkey_obj != CK_INVALID_HANDLE)
2ec7cc7fc084163eaed884efee9bbd322cc8951bKrishna Yenduri (void) C_DestroyObject(pk11session, sess_privkey_obj);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (rv);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys}
c892ebf1bef94f4f922f282c11516677c134dbe0krishna
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysstatic kssl_params_t *
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysload_from_pkcs11(KMF_HANDLE_T kmfh,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys const char *token_label, const char *password_file,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys const char *certname, int *bufsize)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys{
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_RETURN rv;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_X509_DER_CERT cert;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_KEY_HANDLE key, rawkey;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_CREDENTIAL creds;
6b35cb3cf158584a9408d44b9b6796564e8e1882Richard PALO KMF_DATA iddata = { 0, NULL };
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params_t *kssl_params = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t ncerts, nkeys;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char *err, *idstr = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char password_buf[1024];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys int nxkey = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int numattr = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ATTRIBUTE attrlist[16];
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEYSTORE_TYPE kstype;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEY_CLASS kclass;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ENCODE_FORMAT format;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys boolean_t false = B_FALSE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys boolean_t true = B_TRUE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (get_passphrase(password_file, password_buf,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (password_buf)) <= 0) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys perror("Unable to read passphrase");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto done;
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys creds.cred = password_buf;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys creds.credlen = strlen(password_buf);
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memset(&rawkey, 0, sizeof (KMF_KEY_HANDLE));
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kstype = KMF_KEYSTORE_PK11TOKEN;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kstype, sizeof (kstype));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (token_label && strlen(token_label)) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_TOKEN_LABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)token_label, strlen(token_label));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_READONLY_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &false, sizeof (false));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_configure_keystore(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error configuring KMF keystore", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto done;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna }
c892ebf1bef94f4f922f282c11516677c134dbe0krishna
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the certificate matching the given label.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kstype = KMF_KEYSTORE_PK11TOKEN;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kstype, sizeof (kstype));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (certname) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)certname, strlen(certname));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ncerts = 1;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &ncerts, sizeof (ncerts));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &cert, sizeof (cert));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_cert(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK || ncerts == 0)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto done;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the associated private key for this cert by
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * keying off of the label and the ASCII ID string.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_id_str(&cert.certificate, &idstr);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto done;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr = 1; /* attrlist[0] is already set to kstype */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kclass = KMF_ASYM_PRI;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kclass, sizeof (kclass));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &creds, sizeof (KMF_CREDENTIAL));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys format = KMF_FORMAT_RAWKEY;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &format, sizeof (format));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (certname) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)certname, strlen(certname));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (idstr) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_IDSTR_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)idstr, strlen(idstr));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys }
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &true, sizeof (true));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &true, sizeof (true));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* We only expect to find 1 key at most */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nkeys = 1;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &nkeys, sizeof (nkeys));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &key, sizeof (KMF_KEY_HANDLE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_key(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv == KMF_ERR_SENSITIVE_KEY) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_key(kmfh, &key);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Get a normal key handle and then do a wrap/unwrap
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * in order to get the necessary raw data fields needed
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * to send to KSSL.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys format = KMF_FORMAT_NATIVE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = get_sensitive_key_data(kmfh, &creds,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (char *)certname, idstr, &key, &rawkey);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv == KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Swap "key" for "rawkey" */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_key(kmfh, &key);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys key = rawkey;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys } else {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_key(kmfh, &key);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Let kssl try to find the key. */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys nxkey = 1;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_id_data(&cert.certificate, &iddata);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys } else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_key(kmfh, &key);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Let kssl try to find the key. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nxkey = 1;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_cert_id_data(&cert.certificate, &iddata);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys } else if (rv != KMF_OK || nkeys == 0)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto done;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv == KMF_OK)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params = kmf_to_kssl(nxkey, (KMF_RAW_KEY_DATA *)key.keyp,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys 1, &cert, bufsize, (char *)token_label, &iddata, &creds);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysdone:
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ncerts != 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_cert(kmfh, &cert);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (nkeys != 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_key(kmfh, &key);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (idstr)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys free(idstr);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (kssl_params);
c28749e97052f09388969427adf7df641cdcdc22kais}
c28749e97052f09388969427adf7df641cdcdc22kais
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna/*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * add_cacerts
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys *
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Load a chain of certificates from a PEM file.
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna */
c28749e97052f09388969427adf7df641cdcdc22kaisstatic kssl_params_t *
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysadd_cacerts(KMF_HANDLE_T kmfh,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys kssl_params_t *old_params, const char *cacert_chain_file)
c28749e97052f09388969427adf7df641cdcdc22kais{
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys int i, newlen;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t certlen = 0, ncerts;
c28749e97052f09388969427adf7df641cdcdc22kais char *buf;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_RETURN rv;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_X509_DER_CERT *certs = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params_t *kssl_params;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char *err = NULL;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int numattr = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ATTRIBUTE attrlist[16];
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kstype = KMF_KEYSTORE_OPENSSL;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ncerts = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &kstype, sizeof (KMF_KEYSTORE_TYPE));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void *)cacert_chain_file, strlen(cacert_chain_file));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &ncerts, sizeof (ncerts));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_cert(kmfh, numattr, attrlist);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding CA certificates", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (0);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys certs = (KMF_X509_DER_CERT *)malloc(ncerts *
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (KMF_X509_DER_CERT));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (certs == NULL) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr, "memory allocation error.\n");
c28749e97052f09388969427adf7df641cdcdc22kais return (NULL);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bzero(certs, ncerts * sizeof (KMF_X509_DER_CERT));
c28749e97052f09388969427adf7df641cdcdc22kais
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* add new attribute for the cert list to be returned */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(attrlist, numattr, KMF_X509_DER_CERT_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certs, (ncerts * sizeof (KMF_X509_DER_CERT)));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numattr++;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_find_cert(kmfh, numattr, attrlist);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK || ncerts == 0) {
c892ebf1bef94f4f922f282c11516677c134dbe0krishna bzero(old_params, old_params->kssl_params_size);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna free(old_params);
c28749e97052f09388969427adf7df641cdcdc22kais return (NULL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna if (verbose) {
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna (void) printf("%d certificates read successfully\n", ncerts);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna }
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna newlen = old_params->kssl_params_size;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys newlen += certs[i].certificate.Length;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna /*
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * Get a bigger structure and update the
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * fields to account for the additional certs.
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params = realloc(old_params, newlen);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params->kssl_params_size = newlen;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params->kssl_certs.sc_count += ncerts;
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Put the cert size info starting from sc_sizes[1] */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf = (char *)kssl_params;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf += kssl_params->kssl_certs.sc_sizes_offset;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna bcopy(buf, &certlen, sizeof (uint32_t));
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf += sizeof (uint32_t);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < ncerts; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t size = (uint32_t)certs[i].certificate.Length;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bcopy(&size, buf, sizeof (uint32_t));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys buf += sizeof (uint32_t);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys }
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna /* Put the cert_bufs starting from sc_certs[1] */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf = (char *)kssl_params;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf += kssl_params->kssl_certs.sc_certs_offset;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna buf += certlen;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna /* now the certs values */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bcopy(certs[i].certificate.Data, buf,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certs[i].certificate.Length);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys buf += certs[i].certificate.Length;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna }
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_kmf_cert(kmfh, &certs[i]);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys free(certs);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna return (kssl_params);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna}
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys/*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find a key and certificate(s) from a single PEM file.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishnastatic kssl_params_t *
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysload_from_pem(KMF_HANDLE_T kmfh, const char *filename,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys const char *password_file, int *paramsize)
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna{
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys int ncerts = 0, i;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna kssl_params_t *kssl_params;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_RAW_KEY_DATA *rsa = NULL;
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys KMF_X509_DER_CERT *certs = NULL;
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys ncerts = PEM_get_rsa_key_certs(kmfh,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys filename, (char *)password_file, &rsa, &certs);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rsa == NULL || certs == NULL || ncerts == 0) {
c28749e97052f09388969427adf7df641cdcdc22kais return (NULL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais if (verbose)
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna (void) printf("%d certificates read successfully\n", ncerts);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys NULL, NULL);
c28749e97052f09388969427adf7df641cdcdc22kais
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna for (i = 0; i < ncerts; i++)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys kmf_free_kmf_cert(kmfh, &certs[i]);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys free(certs);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_raw_key(rsa);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
c28749e97052f09388969427adf7df641cdcdc22kais return (kssl_params);
c28749e97052f09388969427adf7df641cdcdc22kais}
c28749e97052f09388969427adf7df641cdcdc22kais
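/*
 * Load a raw key and certificate(s) from a PKCS#12 file.
 *
 * kmfh		 - initialized KMF handle used to read and to free the
 *		   KMF objects.
 * filename	 - PKCS#12 file holding the RSA private key and
 *		   certificate(s).
 * password_file - optional passphrase file, passed straight through to
 *		   PKCS12_get_rsa_key_certs() (may be NULL).
 * paramsize	 - receives the size of the returned buffer, as filled in
 *		   by kmf_to_kssl().
 *
 * Returns the kssl_params_t buffer built by kmf_to_kssl() -- the caller
 * owns it -- or NULL (with a message on stderr) when the key or the
 * certificates could not be read.  The key and certificates returned by
 * PKCS12_get_rsa_key_certs() are released on every path.
 */
static kssl_params_t *
load_from_pkcs12(KMF_HANDLE_T kmfh, const char *filename,
    const char *password_file, int *paramsize)
{
	KMF_RAW_KEY_DATA *rsa = NULL;
	kssl_params_t *kssl_params = NULL;
	KMF_X509_DER_CERT *certs = NULL;
	int ncerts = 0, i;

	ncerts = PKCS12_get_rsa_key_certs(kmfh, filename,
	    password_file, &rsa, &certs);

	/*
	 * A private key is required as well as the certificates; the
	 * kernel entry is useless without it and kmf_to_kssl() is only
	 * called with a key here (nxkey is 0).
	 */
	if (rsa == NULL || certs == NULL || ncerts == 0) {
		(void) fprintf(stderr,
		    "Unable to read cert and/or key from %s\n", filename);
	} else {
		if (verbose)
			(void) printf("%d certificates read successfully\n",
			    ncerts);

		kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize,
		    NULL, NULL, NULL);
	}

	/*
	 * Free whatever was returned, also when only one of the two came
	 * back, so key material does not linger in the heap.
	 */
	if (certs != NULL) {
		for (i = 0; i < ncerts; i++)
			kmf_free_kmf_cert(kmfh, &certs[i]);
		free(certs);
	}
	if (rsa != NULL)
		kmf_free_raw_key(rsa);

	return (kssl_params);
}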
c28749e97052f09388969427adf7df641cdcdc22kais
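/*
 * Resolve the optional server address and parse the port into *addr.
 *
 * server_address - host name or literal address, or NULL for the
 *		    unspecified address (in6addr_any).  Resolution is done
 *		    with getipnodebyname(AF_INET6, AI_DEFAULT), so IPv4
 *		    answers arrive as v4-mapped IPv6 addresses.
 * server_port	  - decimal port string; must not be NULL.
 * addr		  - sockaddr_in6 to fill in.  Only sin6_addr and sin6_port
 *		    are written; the caller owns the remaining fields.
 *
 * Returns 0 on success and -1 (with a message on stderr, except for a
 * NULL port) for an unresolvable host, a resolver answer that does not
 * fit sin6_addr, an unparsable port, or a port outside 1..65535.
 */
int
parse_and_set_addr(char *server_address, char *server_port,
    struct sockaddr_in6 *addr)
{
	long long tmp_port;
	char *ep;

	if (server_port == NULL) {
		return (-1);
	}

	if (server_address == NULL) {
		addr->sin6_addr = in6addr_any;
	} else {
		struct hostent *hp;
		int error_num;

		if ((hp = (getipnodebyname(server_address, AF_INET6,
		    AI_DEFAULT, &error_num))) == NULL) {
			(void) fprintf(stderr, "Error: Unknown host: %s\n",
			    server_address);
			return (-1);
		}

		/*
		 * Bound the copy by the destination: only an answer that is
		 * exactly an in6_addr may be copied over sin6_addr.  h_length
		 * is an int; the cast makes a negative length mismatch too.
		 */
		if (hp->h_addr == NULL ||
		    (size_t)hp->h_length != sizeof (addr->sin6_addr)) {
			(void) fprintf(stderr,
			    "Error: Unexpected address length for host: %s\n",
			    server_address);
			freehostent(hp);
			return (-1);
		}
		(void) memcpy(&addr->sin6_addr, hp->h_addr,
		    sizeof (addr->sin6_addr));
		freehostent(hp);
	}

	/* strtoll() signals overflow only through errno; clear it first. */
	errno = 0;
	tmp_port = strtoll(server_port, &ep, 10);
	if (server_port == ep || *ep != '\0' || errno != 0) {
		(void) fprintf(stderr, "Error: Invalid Port value: %s\n",
		    server_port);
		return (-1);
	}
	if (tmp_port < 1 || tmp_port > 65535) {
		(void) fprintf(stderr, "Error: Port out of range: %s\n",
		    server_port);
		return (-1);
	}
	/*
	 * It is safe to convert since the value is inside the boundaries.
	 * NOTE(review): the port is stored as parsed (host byte order) and
	 * printed back the same way by do_create(); the kernel-side consumer
	 * of kssl_addr is outside this file -- confirm it does not expect
	 * network byte order here.
	 */
	addr->sin6_port = tmp_port;

	return (0);
}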
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * Cipher suites selectable with -c, keyed by the name the user types.
 *
 * The order of the ciphers is important: it is the default preference
 * order when -c is not given, and check_suites() walks the table in this
 * order.  `seen' is check_suites()' per-run duplicate marker.
 *
 * NOTE(review): the RC4, single-DES and 3DES suites are retained for
 * compatibility; current guidance treats them as weak, so prefer the
 * AES suites in new deployments.
 */
struct csuite {
	const char	*suite;		/* name accepted on the command line */
	uint16_t	val;		/* suite id handed to the kernel */
	boolean_t	seen;		/* already selected in this run */
} cipher_suites[CIPHER_SUITE_COUNT - 1] = {
	{ .suite = "rsa_rc4_128_sha",
	    .val = SSL_RSA_WITH_RC4_128_SHA,	.seen = B_FALSE },
	{ .suite = "rsa_rc4_128_md5",
	    .val = SSL_RSA_WITH_RC4_128_MD5,	.seen = B_FALSE },
	{ .suite = "rsa_aes_256_cbc_sha",
	    .val = TLS_RSA_WITH_AES_256_CBC_SHA,	.seen = B_FALSE },
	{ .suite = "rsa_aes_128_cbc_sha",
	    .val = TLS_RSA_WITH_AES_128_CBC_SHA,	.seen = B_FALSE },
	{ .suite = "rsa_3des_ede_cbc_sha",
	    .val = SSL_RSA_WITH_3DES_EDE_CBC_SHA,	.seen = B_FALSE },
	{ .suite = "rsa_des_cbc_sha",
	    .val = SSL_RSA_WITH_DES_CBC_SHA,	.seen = B_FALSE },
};
c28749e97052f09388969427adf7df641cdcdc22kais
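/*
 * Build the cipher-suite list handed to the kernel.
 *
 * suites - comma-separated suite names from -c (modified in place by
 *	    strtok()), or NULL to select every suite in cipher_suites[]
 *	    in table order.
 * sarray - receives CIPHER_SUITE_COUNT - 1 entries: the selected suite
 *	    values in the order they were named, the rest CIPHER_NOTSET.
 *
 * Returns the number of errors found (0 on success).  Names are matched
 * case-insensitively; a suite named twice is added once.  An unknown
 * name and a list that selects nothing are reported on stderr and
 * counted as errors.
 */
static int
check_suites(char *suites, uint16_t *sarray)
{
	int i;
	int err = 0;
	char *suite;
	int sindx = 0;

	if (suites == NULL) {
		for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++)
			sarray[i] = cipher_suites[i].val;
		return (err);
	}

	for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++)
		sarray[i] = CIPHER_NOTSET;

	/*
	 * strtok() returns NULL right away for "" or ",,"; only compare
	 * tokens that exist, so an empty -c argument cannot reach
	 * strcasecmp() with a NULL pointer.  strtok() is acceptable here
	 * because this is a single-threaded command.
	 */
	for (suite = strtok(suites, ","); suite != NULL;
	    suite = strtok(NULL, ",")) {
		for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++) {
			if (strcasecmp(suite, cipher_suites[i].suite) == 0) {
				/* a repeated name is collapsed to one entry */
				if (!cipher_suites[i].seen) {
					sarray[sindx++] = cipher_suites[i].val;
					cipher_suites[i].seen = B_TRUE;
				}
				break;
			}
		}

		/* fell off the end of the table: no such suite */
		if (i == (CIPHER_SUITE_COUNT - 1)) {
			(void) fprintf(stderr,
			    "Unknown Cipher suite name: %s\n", suite);
			err++;
		}
	}

	/* -c was given but selected nothing: refuse an empty suite list. */
	if (sindx == 0 && err == 0) {
		(void) fprintf(stderr, "No cipher suite specified\n");
		err++;
	}

	return (err);
}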
c28749e97052f09388969427adf7df641cdcdc22kais
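/*
 * Parse a decimal numeric option argument, rejecting trailing junk,
 * overflow and values outside [minval, maxval].
 *
 * arg	  - the option argument (optarg).
 * opt	  - the option letter, for the error message.
 * minval - smallest acceptable value.
 * maxval - largest acceptable value.
 * valp	  - receives the parsed value on success.
 *
 * Returns 0 on success, -1 (with a message on stderr) otherwise.
 */
static int
parse_num_opt(const char *arg, int opt, long long minval, long long maxval,
    long long *valp)
{
	char *ep;
	long long v;

	/* strtoll() signals overflow only through errno; clear it first. */
	errno = 0;
	v = strtoll(arg, &ep, 10);
	if (arg == ep || *ep != '\0' || errno != 0 ||
	    v < minval || v > maxval) {
		(void) fprintf(stderr, "Error: Invalid value for -%c: %s\n",
		    opt, arg);
		return (-1);
	}
	*valp = v;
	return (0);
}

/*
 * Scrub and release a kssl_params_t buffer.  The buffer carries the
 * private key, so it is zeroed before it goes back to the heap.
 *
 * NOTE(review): a plain bzero() of memory that is freed right after may
 * be elided by the compiler; an explicit-zeroing primitive would be
 * stronger where the platform provides one.
 */
static void
free_kssl_params(kssl_params_t *kssl_params, int bufsize)
{
	bzero(kssl_params, bufsize);
	free(kssl_params);
}

/*
 * "ksslcfg create": build a kssl_params_t from the command line and hand
 * it to the kernel with KSSL_ADD_ENTRY.
 *
 * argc/argv - the full command line; argv[0] (the subcommand) is skipped.
 *
 * Options: -d softtoken dir, -c cipher suites, -C cert name, -f format
 * (pkcs11 | pkcs12 | pem), -h CA cert chain file, -i cert/key file,
 * -T token label, -p password file, -t session cache timeout,
 * -x proxy port, -v verbose, -z session cache size.  The positional
 * arguments are [addr] [port]; the port defaults to 443.
 *
 * Returns SUCCESS when the entry was added, FAILURE when loading the
 * key/certificates or the kernel call failed, and SMF_EXIT_ERR_CONFIG
 * (after printing usage) for a bad command line.  -t, -x and -z are
 * validated as numbers within the range of their target field.
 */
int
do_create(int argc, char *argv[])
{
	const char *softtoken_dir = NULL;
	const char *token_label = NULL;
	const char *password_file = NULL;
	const char *cert_key_file = NULL;
	const char *cacert_chain_file = NULL;
	const char *certname = NULL;
	char *suites = NULL;
	uint32_t timeout = DEFAULT_SID_TIMEOUT;
	uint32_t scache_size = DEFAULT_SID_CACHE_NENTRIES;
	uint16_t kssl_suites[CIPHER_SUITE_COUNT - 1];
	int proxy_port = -1;
	struct sockaddr_in6 server_addr;
	char *format = NULL;
	char *port, *addr;
	int c;			/* int, not char: getopt() returns -1 at end */
	int pcnt;
	long long optval;
	kssl_params_t *kssl_params;
	int bufsize;
	KMF_HANDLE_T kmfh = NULL;
	KMF_RETURN rv = KMF_OK;
	char *err = NULL;

	/*
	 * parse_and_set_addr() only fills in sin6_addr and sin6_port; the
	 * whole struct is copied into the kernel buffer, so clear it first.
	 */
	bzero(&server_addr, sizeof (server_addr));

	argc -= 1;
	argv += 1;

	while ((c = getopt(argc, argv, "vT:d:f:h:i:p:c:C:t:x:z:")) != -1) {
		switch (c) {
		case 'd':
			softtoken_dir = optarg;
			break;
		case 'c':
			suites = optarg;
			break;
		case 'C':
			certname = optarg;
			break;
		case 'f':
			format = optarg;
			break;
		case 'h':
			cacert_chain_file = optarg;
			break;
		case 'i':
			cert_key_file = optarg;
			break;
		case 'T':
			token_label = optarg;
			break;
		case 'p':
			password_file = optarg;
			break;
		case 't':
			if (parse_num_opt(optarg, c, 0, UINT32_MAX,
			    &optval) != 0)
				goto err;
			timeout = (uint32_t)optval;
			break;
		case 'x':
			if (parse_num_opt(optarg, c, 1, 65535, &optval) != 0)
				goto err;
			proxy_port = (int)optval;
			break;
		case 'v':
			verbose = B_TRUE;
			break;
		case 'z':
			if (parse_num_opt(optarg, c, 0, UINT32_MAX,
			    &optval) != 0)
				goto err;
			scache_size = (uint32_t)optval;
			break;
		default:
			goto err;
		}
	}

	pcnt = argc - optind;
	if (pcnt == 0) {
		port = "443"; /* default SSL port */
		addr = NULL;
	} else if (pcnt == 1) {
		port = argv[optind];
		addr = NULL;
	} else if (pcnt == 2) {
		addr = argv[optind];
		port = argv[optind + 1];
	} else {
		goto err;
	}

	if (parse_and_set_addr(addr, port, &server_addr) < 0) {
		goto err;
	}

	if (verbose) {
		char buffer[128];

		(void) inet_ntop(AF_INET6, &server_addr.sin6_addr, buffer,
		    sizeof (buffer));
		(void) printf("addr = %s, port = %d\n", buffer,
		    server_addr.sin6_port);
	}

	if (format == NULL || proxy_port == -1) {
		goto err;
	}

	if (check_suites(suites, kssl_suites) != 0) {
		goto err;
	}

	rv = kmf_initialize(&kmfh, NULL, NULL);
	if (rv != KMF_OK) {
		REPORT_KMF_ERROR(rv, "Error initializing KMF", err);
		/* a failed initialization is a failure, not success */
		return (FAILURE);
	}

	if (strcmp(format, "pkcs11") == 0) {
		if (token_label == NULL || certname == NULL) {
			goto err;
		}
		if (softtoken_dir != NULL) {
			(void) setenv("SOFTTOKEN_DIR", softtoken_dir, 1);
			if (verbose) {
				(void) printf(
				    "SOFTTOKEN_DIR=%s\n",
				    getenv("SOFTTOKEN_DIR"));
			}
		}
		kssl_params = load_from_pkcs11(kmfh,
		    token_label, password_file, certname, &bufsize);
	} else if (strcmp(format, "pkcs12") == 0) {
		if (cert_key_file == NULL) {
			goto err;
		}
		kssl_params = load_from_pkcs12(kmfh,
		    cert_key_file, password_file, &bufsize);
	} else if (strcmp(format, "pem") == 0) {
		if (cert_key_file == NULL) {
			goto err;
		}
		kssl_params = load_from_pem(kmfh,
		    cert_key_file, password_file, &bufsize);
	} else {
		(void) fprintf(stderr, "Unsupported cert format: %s\n", format);
		goto err;
	}

	if (kssl_params == NULL) {
		(void) kmf_finalize(kmfh);
		return (FAILURE);
	}

	/*
	 * Add the list of supported ciphers to the buffer.
	 */
	bcopy(kssl_suites, kssl_params->kssl_suites,
	    sizeof (kssl_params->kssl_suites));
	kssl_params->kssl_params_size = bufsize;
	kssl_params->kssl_addr = server_addr;
	kssl_params->kssl_session_cache_timeout = timeout;
	kssl_params->kssl_proxy_port = proxy_port;
	kssl_params->kssl_session_cache_size = scache_size;

	if (cacert_chain_file != NULL) {
		kssl_params = add_cacerts(kmfh, kssl_params, cacert_chain_file);
		if (kssl_params == NULL) {
			/*
			 * Nothing to scrub here: kssl_params is NULL.
			 * Whether add_cacerts() released the original
			 * buffer on failure is its own contract (defined
			 * elsewhere in this file), so it is not freed
			 * again from here.
			 */
			(void) kmf_finalize(kmfh);
			return (FAILURE);
		}
	}

	if (kssl_send_command((char *)kssl_params, KSSL_ADD_ENTRY) < 0) {
		/* distinct name: `err' above is the KMF error string */
		int crypto_err = CRYPTO_FAILED;

		if (kssl_params->kssl_is_nxkey)
			crypto_err = kssl_params->kssl_token.ck_rv;
		(void) fprintf(stderr,
		    "Error loading cert and key: 0x%x\n", crypto_err);
		free_kssl_params(kssl_params, bufsize);
		(void) kmf_finalize(kmfh);
		return (FAILURE);
	}

	if (verbose)
		(void) printf("Successfully loaded cert and key\n");

	free_kssl_params(kssl_params, bufsize);
	(void) kmf_finalize(kmfh);
	return (SUCCESS);

err:
	usage_create(B_TRUE);
	(void) kmf_finalize(kmfh);
	return (SMF_EXIT_ERR_CONFIG);
}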