kssladm_create.c revision 71593db26bb6ef7b739cffe06d53bf990cac112c
c28749e97052f09388969427adf7df641cdcdc22kais/*
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER START
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * The contents of this file are subject to the terms of the
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * Common Development and Distribution License (the "License").
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * You may not use this file except in compliance with the License.
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
c28749e97052f09388969427adf7df641cdcdc22kais * or http://www.opensolaris.org/os/licensing.
c28749e97052f09388969427adf7df641cdcdc22kais * See the License for the specific language governing permissions
c28749e97052f09388969427adf7df641cdcdc22kais * and limitations under the License.
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * When distributing Covered Code, include this CDDL HEADER in each
c28749e97052f09388969427adf7df641cdcdc22kais * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
c28749e97052f09388969427adf7df641cdcdc22kais * If applicable, add the following below this CDDL HEADER, with the
c28749e97052f09388969427adf7df641cdcdc22kais * fields enclosed by brackets "[]" replaced with your own identifying
c28749e97052f09388969427adf7df641cdcdc22kais * information: Portions Copyright [yyyy] [name of copyright owner]
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * CDDL HEADER END
c28749e97052f09388969427adf7df641cdcdc22kais */
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
c28749e97052f09388969427adf7df641cdcdc22kais/*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
c28749e97052f09388969427adf7df641cdcdc22kais * Use is subject to license terms.
c28749e97052f09388969427adf7df641cdcdc22kais */
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#pragma ident "%Z%%M% %I% %E% SMI"
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais#include <errno.h>
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna#include <sys/sysmacros.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <security/cryptoki.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <security/pkcs11.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <stdio.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <strings.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <sys/types.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <sys/stat.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <sys/socket.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <netinet/in.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <arpa/inet.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <netdb.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <fcntl.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include <inet/kssl/kssl.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <cryptoutil.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <libscf.h>
c28749e97052f09388969427adf7df641cdcdc22kais#include "kssladm.h"
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <kmfapi.h>
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
/*
 * Print the "kssladm create" synopsis and option list to stderr.
 *
 * do_print	when true, a "Usage:" banner is written first; the synopsis
 *		and option list are written regardless.
 */
void
usage_create(boolean_t do_print)
{
	/* One entry per line group of the original message, in print order. */
	static const char *const synopsis[] = {
		"kssladm create"
		" -f pkcs11 [-d softtoken_directory] -T <token_label>"
		" -C <certificate_label> -x <proxy_port>"
		" [-h <ca_certchain_file>]"
		" [options] [<server_address>] [<server_port>]\n",

		"kssladm create"
		" -f pkcs12 -i <cert_and_key_pk12file> -x <proxy_port>"
		" [options] [<server_address>] [<server_port>]\n",

		"kssladm create"
		" -f pem -i <cert_and_key_pemfile> -x <proxy_port>"
		" [options] [<server_address>] [<server_port>]\n",

		"options are:\n"
		"\t[-c <ciphersuites>]\n"
		"\t[-p <password_file>]\n"
		"\t[-t <ssl_session_cache_timeout>]\n"
		"\t[-z <ssl_session_cache_size>]\n"
		"\t[-v]\n"
	};
	size_t idx;

	if (do_print)
		(void) fputs("Usage:\n", stderr);

	for (idx = 0; idx < sizeof (synopsis) / sizeof (synopsis[0]); idx++)
		(void) fputs(synopsis[idx], stderr);
}
c28749e97052f09388969427adf7df641cdcdc22kais
c28749e97052f09388969427adf7df641cdcdc22kais/*
c28749e97052f09388969427adf7df641cdcdc22kais * Everything is allocated in one single contiguous buffer.
c28749e97052f09388969427adf7df641cdcdc22kais * The layout is the following:
c28749e97052f09388969427adf7df641cdcdc22kais * . the kssl_params_t structure
c892ebf1bef94f4f922f282c11516677c134dbe0krishna * . optional buffer containing pin (if key is non extractable)
c28749e97052f09388969427adf7df641cdcdc22kais * . the array of key attribute structs, (value of ck_attrs)
c28749e97052f09388969427adf7df641cdcdc22kais * . the key attributes values (values of ck_attrs[i].ck_value);
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * . the array of sizes of the certificates, (referred to as sc_sizes[])
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * . the certificates values (referred to as sc_certs[])
c28749e97052f09388969427adf7df641cdcdc22kais *
c28749e97052f09388969427adf7df641cdcdc22kais * The addresses of the certs and key attribute values are offsets
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * from the beginning of the big buffer. sc_sizes_offset points
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna * to sc_sizes[0] and sc_certs_offset points to sc_certs[0].
c28749e97052f09388969427adf7df641cdcdc22kais */
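/*
 * Pack the private key (or the information needed to find it on the
 * token) and the certificate chain into the single buffer laid out as
 * described above.
 *
 * nxkey	non-zero when the private key is non-extractable: token_label,
 *		the optional key id (idstr) and the PIN in creds are packed so
 *		the kssl module can locate the key itself, and rsa is not read.
 *		When zero, the RSA components in rsa are packed directly.
 * ncerts, certs
 *		DER-encoded certificate chain.  At most MAX_CHAIN_LENGTH
 *		entries fit in the sc_sizes[] array.
 * paramsize	receives the total size of the returned buffer.
 *
 * Returns a calloc()ed buffer that the caller owns, or NULL after writing
 * a diagnostic to stderr.  The buffer carries either raw private key
 * components or the token PIN, so the caller should clear it before
 * freeing it.
 */
static kssl_params_t *
kmf_to_kssl(int nxkey, KMF_RAW_KEY_DATA *rsa, int ncerts,
    KMF_DATA *certs, int *paramsize, char *token_label, KMF_DATA *idstr,
    KMF_CREDENTIAL *creds)
{
	int i, tcsize;
	kssl_params_t *kssl_params;
	kssl_key_t *key;
	char *buf;
	uint32_t bufsize;
	static CK_BBOOL ck_true = TRUE;
	static CK_BBOOL ck_false = FALSE;
	static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
	static CK_KEY_TYPE rsa_keytype = CKK_RSA;
	kssl_object_attribute_t kssl_attrs[MAX_ATTR_CNT];
	/*
	 * Search template the kssl module uses to find a non-extractable
	 * key on the token.  Slot 4 (CKA_ID) is filled in from idstr below;
	 * the sizing and copy loops both use exactly the first five slots.
	 */
	CK_ATTRIBUTE exkey_attrs[MAX_ATTR_CNT] = {
		{CKA_TOKEN, &ck_true, sizeof (ck_true)},
		{CKA_EXTRACTABLE, &ck_false, sizeof (ck_false)},
		{CKA_CLASS, &privkey_class, sizeof (privkey_class) },
		{CKA_KEY_TYPE, &rsa_keytype, sizeof (rsa_keytype) },
		{CKA_ID, NULL, 0}
	};
	/* Attribute types, index-aligned with priv_key_bignums[] below. */
	kssl_object_attribute_t kssl_tmpl_attrs[MAX_ATTR_CNT] = {
		{SUN_CKA_MODULUS, NULL, 0},
		{SUN_CKA_PUBLIC_EXPONENT, NULL, 0},
		{SUN_CKA_PRIVATE_EXPONENT, NULL, 0},
		{SUN_CKA_PRIME_1, NULL, 0},
		{SUN_CKA_PRIME_2, NULL, 0},
		{SUN_CKA_EXPONENT_1, NULL, 0},
		{SUN_CKA_EXPONENT_2, NULL, 0},
		{SUN_CKA_COEFFICIENT, NULL, 0}
	};
	KMF_BIGINT priv_key_bignums[MAX_ATTR_CNT];
	int attr_cnt;

	/*
	 * sc_sizes[] is sized for MAX_CHAIN_LENGTH entries; a longer chain
	 * would write its size table past that array.
	 */
	if (ncerts < 0 || ncerts > MAX_CHAIN_LENGTH) {
		(void) fprintf(stderr,
		    "invalid certificate chain length %d (max %d).\n",
		    ncerts, MAX_CHAIN_LENGTH);
		return (NULL);
	}

	if (nxkey) {
		/*
		 * Both the token label and the PIN are copied into the
		 * buffer below, so neither may be missing.
		 */
		if (token_label == NULL || creds == NULL) {
			(void) fprintf(stderr,
			    "token label and PIN are required for a "
			    "non-extractable key.\n");
			return (NULL);
		}
		if (idstr != NULL) {
			exkey_attrs[4].pValue = idstr->Data;
			exkey_attrs[4].ulValueLen = idstr->Length;
		}
	}

	tcsize = 0;
	for (i = 0; i < ncerts; i++)
		tcsize += certs[i].Length;

	bufsize = sizeof (kssl_params_t);
	bufsize += (tcsize + (MAX_CHAIN_LENGTH * sizeof (uint32_t)));

	if (!nxkey) {
		/* The modulus and private exponent are mandatory. */
		if (rsa == NULL || rsa->rawdata.rsa.mod.val == NULL ||
		    rsa->rawdata.rsa.priexp.val == NULL) {
			(void) fprintf(stderr,
			    "missing required attributes in private key.\n");
			return (NULL);
		}

		bzero(priv_key_bignums, sizeof (KMF_BIGINT) *
		    MAX_ATTR_CNT);
		/* The key components, in kssl_tmpl_attrs[] order. */
		priv_key_bignums[0] = rsa->rawdata.rsa.mod;
		priv_key_bignums[1] = rsa->rawdata.rsa.pubexp;
		priv_key_bignums[2] = rsa->rawdata.rsa.priexp;
		priv_key_bignums[3] = rsa->rawdata.rsa.prime1;
		priv_key_bignums[4] = rsa->rawdata.rsa.prime2;
		priv_key_bignums[5] = rsa->rawdata.rsa.exp1;
		priv_key_bignums[6] = rsa->rawdata.rsa.exp2;
		priv_key_bignums[7] = rsa->rawdata.rsa.coef;

		/*
		 * Only components that are present are sent down; count
		 * them and reserve space for each attribute plus its value.
		 */
		attr_cnt = 0;
		for (i = 0; i < MAX_ATTR_CNT; i++) {
			if (priv_key_bignums[i].val == NULL)
				continue;
			kssl_attrs[attr_cnt].ka_type =
			    kssl_tmpl_attrs[i].ka_type;
			kssl_attrs[attr_cnt].ka_value_len =
			    priv_key_bignums[i].len;
			bufsize += sizeof (crypto_object_attribute_t) +
			    kssl_attrs[attr_cnt].ka_value_len;
			attr_cnt++;
		}
	} else {
		/*
		 * Compute space for the attributes and values that the
		 * kssl kernel module will need in order to search for
		 * the private key, plus the PIN it needs to log in.
		 */
		for (attr_cnt = 0; attr_cnt < 5; attr_cnt++) {
			bufsize += sizeof (crypto_object_attribute_t) +
			    exkey_attrs[attr_cnt].ulValueLen;
		}
		bufsize += creds->credlen;
	}

	/* Add 4-byte cushion as sc_sizes[0] needs 32-bit alignment */
	bufsize += sizeof (uint32_t);

	/* Now the big memory allocation */
	if ((buf = calloc(bufsize, 1)) == NULL) {
		(void) fprintf(stderr,
		    "Cannot allocate memory for the kssl_params "
		    "and values\n");
		return (NULL);
	}

	/* LINTED */
	kssl_params = (kssl_params_t *)buf;

	/* Everything after the header is addressed by offset from it. */
	buf = (char *)(kssl_params + 1);

	if (!nxkey) {
		/* the keys attributes structs array */
		key = &kssl_params->kssl_privkey;
		key->ks_format = CRYPTO_KEY_ATTR_LIST;
		key->ks_count = attr_cnt;
		key->ks_attrs_offset = buf - (char *)kssl_params;
		buf += attr_cnt * sizeof (kssl_object_attribute_t);

		/*
		 * Then the key attribute values; walking the same
		 * present-only filter as above yields the same attr_cnt.
		 */
		attr_cnt = 0;
		for (i = 0; i < MAX_ATTR_CNT; i++) {
			if (priv_key_bignums[i].val == NULL)
				continue;
			(void) memcpy(buf, priv_key_bignums[i].val,
			    priv_key_bignums[i].len);
			kssl_attrs[attr_cnt].ka_value_offset =
			    buf - (char *)kssl_params;
			buf += kssl_attrs[attr_cnt].ka_value_len;
			attr_cnt++;
		}
	} else {
		char tlabel[CRYPTO_EXT_SIZE_LABEL];
		bzero(tlabel, sizeof (tlabel));
		(void) strlcpy(tlabel, token_label, sizeof (tlabel));

		/*
		 * For a non-extractable key, we must provide the PIN
		 * so the kssl module can access the token to find
		 * the key handle.
		 */
		kssl_params->kssl_is_nxkey = 1;
		bcopy(tlabel, kssl_params->kssl_token.toklabel,
		    CRYPTO_EXT_SIZE_LABEL);
		kssl_params->kssl_token.pinlen = creds->credlen;
		kssl_params->kssl_token.tokpin_offset =
		    buf - (char *)kssl_params;
		kssl_params->kssl_token.ck_rv = 0;
		bcopy(creds->cred, buf, creds->credlen);
		buf += creds->credlen;

		/*
		 * Next in the buffer, we must provide the attributes
		 * that the kssl module will use to search in the
		 * token to find the protected key handle.
		 */
		key = &kssl_params->kssl_privkey;
		key->ks_format = CRYPTO_KEY_ATTR_LIST;
		key->ks_count = attr_cnt;
		key->ks_attrs_offset = buf - (char *)kssl_params;

		buf += attr_cnt * sizeof (kssl_object_attribute_t);
		for (i = 0; i < attr_cnt; i++) {
			/* CKA_ID may be empty (NULL, 0) when no idstr given */
			if (exkey_attrs[i].ulValueLen != 0) {
				bcopy(exkey_attrs[i].pValue, buf,
				    exkey_attrs[i].ulValueLen);
			}

			kssl_attrs[i].ka_type = exkey_attrs[i].type;
			kssl_attrs[i].ka_value_offset =
			    buf - (char *)kssl_params;
			kssl_attrs[i].ka_value_len = exkey_attrs[i].ulValueLen;

			buf += exkey_attrs[i].ulValueLen;
		}
	}
	/* Copy the key attributes array here */
	bcopy(kssl_attrs, ((char *)kssl_params) + key->ks_attrs_offset,
	    attr_cnt * sizeof (kssl_object_attribute_t));

	/* sc_sizes[] is read as uint32_t by the kernel, so align it. */
	buf = (char *)P2ROUNDUP((uintptr_t)buf, sizeof (uint32_t));

	/*
	 * Finally, add the certificate chain to the buffer.
	 */
	kssl_params->kssl_certs.sc_count = ncerts;

	/* First, an array of certificate sizes */
	for (i = 0; i < ncerts; i++) {
		uint32_t certsz = (uint32_t)certs[i].Length;
		char *p = buf + (i * sizeof (uint32_t));
		bcopy(&certsz, p, sizeof (uint32_t));
	}

	kssl_params->kssl_certs.sc_sizes_offset = buf - (char *)kssl_params;
	buf += MAX_CHAIN_LENGTH * sizeof (uint32_t);

	kssl_params->kssl_certs.sc_certs_offset = buf - (char *)kssl_params;

	/* Now add the certificate data (ASN.1 DER encoded) */
	for (i = 0; i < ncerts; i++) {
		bcopy(certs[i].Data, buf, certs[i].Length);
		buf += certs[i].Length;
	}

	*paramsize = bufsize;
	return (kssl_params);
}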
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys/*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Extract a sensitive key via wrap/unwrap operations.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys *
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * This function requires that we call PKCS#11 API directly since
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * KMF does not yet support wrapping/unwrapping of keys. By extracting
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * a sensitive key in wrapped form, we then unwrap it into a session key
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * object. KMF is then used to find the session key and return it in
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * KMF_RAW_KEY format which is then passed along to KSSL by the caller.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysstatic KMF_RETURN
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysget_sensitive_key_data(KMF_HANDLE_T kmfh, KMF_FINDKEY_PARAMS *fkparams,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_KEY_HANDLE *key, KMF_KEY_HANDLE *rawkey)
c28749e97052f09388969427adf7df641cdcdc22kais{
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys KMF_RETURN rv = KMF_OK;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_BYTE aes_param[16];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_OBJECT_CLASS privkey_class = CKO_PRIVATE_KEY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys static CK_KEY_TYPE privkey_type = CKK_RSA;
c28749e97052f09388969427adf7df641cdcdc22kais static CK_BBOOL true = TRUE;
c28749e97052f09388969427adf7df641cdcdc22kais static CK_BBOOL false = FALSE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char *err = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys char wrapkey_label[BUFSIZ];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys int fd;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys uint32_t nkeys = 0;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_RV ckrv;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_SESSION_HANDLE pk11session;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_BYTE aes_key_val[16];
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_MECHANISM aes_cbc_pad_mech = {CKM_AES_CBC_PAD, aes_param,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys sizeof (aes_param)};
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_OBJECT_HANDLE aes_key_obj = CK_INVALID_HANDLE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_OBJECT_HANDLE sess_privkey_obj = CK_INVALID_HANDLE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_BYTE *wrapped_privkey = NULL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_ULONG wrapped_privkey_len = 0;
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys CK_ATTRIBUTE unwrap_tmpl[] = {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* code below depends on the following attribute order */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_TOKEN, &false, sizeof (false)},
c28749e97052f09388969427adf7df641cdcdc22kais {CKA_CLASS, &privkey_class, sizeof (privkey_class)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_KEY_TYPE, &privkey_type, sizeof (privkey_type)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_SENSITIVE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_PRIVATE, &false, sizeof (false)},
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys {CKA_LABEL, NULL, 0}
c28749e97052f09388969427adf7df641cdcdc22kais };
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a wrap key with random data.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fd = open("/dev/urandom", O_RDONLY);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (fd == -1) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys perror("Error reading /dev/urandom");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (read(fd, aes_key_val, sizeof (aes_key_val)) !=
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys sizeof (aes_key_val)) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys perror("Error reading from /dev/urandom");
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) close(fd);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) close(fd);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pk11session = KMF_GetPK11Handle(kmfh);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Login to create the wrap key stuff.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_Login(pk11session, CKU_USER,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (CK_UTF8CHAR_PTR)fkparams->cred.cred,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->cred.credlen);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK && ckrv != CKR_USER_ALREADY_LOGGED_IN) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot login to the token. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Turn the random key into a PKCS#11 session object.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = SUNW_C_KeyToObject(pk11session, CKM_AES_CBC_PAD, aes_key_val,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys sizeof (aes_key_val), &aes_key_obj);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot create wrapping key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (KMF_ERR_INTERNAL);
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Find the original private key that we are going to wrap.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_FindKey(kmfh, fkparams, key, &nkeys);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding private key", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
c892ebf1bef94f4f922f282c11516677c134dbe0krishna /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Get the size of the wrapped private key.
c892ebf1bef94f4f922f282c11516677c134dbe0krishna */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys bzero(aes_param, sizeof (aes_param));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys aes_key_obj, (CK_OBJECT_HANDLE)key->keyp,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys NULL, &wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Most common error here is that the token doesn't
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * support the wrapping mechanism or the key is
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * marked non-extractable. Return an error and let
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * the caller deal with it gracefully.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys (void) fprintf(stderr,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot get wrap key size. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys wrapped_privkey = malloc(wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (wrapped_privkey == NULL) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_MEMORY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c892ebf1bef94f4f922f282c11516677c134dbe0krishna }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Now get the actual wrapped key data.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_WrapKey(pk11session, &aes_cbc_pad_mech,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys aes_key_obj, (CK_OBJECT_HANDLE)key->keyp,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys wrapped_privkey, &wrapped_privkey_len);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot wrap private key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Create a label for the wrapped session key so we can find
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * it easier later.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys snprintf(wrapkey_label, sizeof (wrapkey_label), "ksslprikey_%d",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys getpid());
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys unwrap_tmpl[5].pValue = wrapkey_label;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys unwrap_tmpl[5].ulValueLen = strlen(wrapkey_label);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Unwrap the key into the template and create a temporary
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * session private key.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys ckrv = C_UnwrapKey(pk11session, &aes_cbc_pad_mech, aes_key_obj,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys wrapped_privkey, wrapped_privkey_len,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys unwrap_tmpl, 6, &sess_privkey_obj);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (ckrv != CKR_OK) {
c28749e97052f09388969427adf7df641cdcdc22kais (void) fprintf(stderr,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys "Cannot unwrap private key. error = %s\n",
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys pkcs11_strerror(ckrv));
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_ERR_INTERNAL;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /*
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Use KMF to find the session key and return it as RAW data
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * so we can pass it along to KSSL.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->kstype = KMF_KEYSTORE_PK11TOKEN;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->keyclass = KMF_ASYM_PRI;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->format = KMF_FORMAT_RAWKEY;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->findLabel = wrapkey_label;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->pkcs11parms.sensitive = FALSE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->pkcs11parms.private = FALSE;
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys fkparams->pkcs11parms.token = FALSE; /* <-- very important! */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys rv = KMF_FindKey(kmfh, fkparams, rawkey, &nkeys);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (rv != KMF_OK) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys REPORT_KMF_ERROR(rv, "Error finding raw private key", err);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys goto out;
c28749e97052f09388969427adf7df641cdcdc22kais }
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysout:
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (wrapped_privkey)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys free(wrapped_privkey);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (aes_key_obj != CK_INVALID_HANDLE)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys C_DestroyObject(pk11session, aes_key_obj);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys if (sess_privkey_obj != CK_INVALID_HANDLE)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys C_DestroyObject(pk11session, sess_privkey_obj);
c28749e97052f09388969427adf7df641cdcdc22kais
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (rv);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys}
c892ebf1bef94f4f922f282c11516677c134dbe0krishna
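/*
 * load_from_pkcs11
 *
 * Find the certificate labelled "certname" on the PKCS#11 token
 * "token_label", locate its private key and pack both into the flat
 * kssl_params_t block that is handed to KSSL.
 *
 * token_label:   label of the PKCS#11 token.
 * password_file: file the token PIN is read from by get_passphrase().
 * certname:      label of the certificate; the key is looked up by the
 *                same label plus the certificate's ID string.
 * bufsize:       filled in by kmf_to_kssl() with the size of the block.
 *
 * A key the token reports as sensitive is wrapped and unwrapped by
 * get_sensitive_key_data() to obtain its raw fields; if that fails, or
 * the key is unextractable, only the certificate's ID data is passed on
 * (nxkey = 1) and the kernel is left to find the key itself.
 *
 * Returns the new block (owned by the caller) or NULL on failure.
 */
static kssl_params_t *
load_from_pkcs11(const char *token_label, const char *password_file,
    const char *certname, int *bufsize)
{
	KMF_RETURN rv;
	KMF_HANDLE_T kmfh;
	KMF_X509_DER_CERT cert;
	KMF_KEY_HANDLE key, rawkey;
	KMF_CREDENTIAL creds;
	KMF_FINDCERT_PARAMS fcparams;
	KMF_FINDKEY_PARAMS fkparams;
	KMF_CONFIG_PARAMS cfgparams;
	KMF_DATA iddata = { NULL, 0 };
	kssl_params_t *kssl_params = NULL;
	/*
	 * The "done:" cleanup decides what to release from ncerts and
	 * nkeys, and it is reached before KMF_FindCert()/KMF_FindKey()
	 * have set them (unreadable passphrase, keystore configuration
	 * failure), so they must not start out indeterminate.  cert and
	 * key are zeroed below for the same reason.
	 */
	uint32_t ncerts = 0, nkeys = 0;
	char *err, *idstr = NULL;
	char password_buf[1024];
	int nxkey = 0;

	rv = KMF_Initialize(&kmfh, NULL, NULL);
	if (rv != KMF_OK) {
		REPORT_KMF_ERROR(rv, "Error initializing KMF", err);
		return (NULL);
	}

	bzero(&cert, sizeof (cert));
	bzero(&key, sizeof (key));
	bzero(&rawkey, sizeof (rawkey));
	bzero(&cfgparams, sizeof (cfgparams));
	bzero(&fcparams, sizeof (fcparams));
	bzero(&fkparams, sizeof (fkparams));

	if (get_passphrase(password_file, password_buf,
	    sizeof (password_buf)) <= 0) {
		perror("Unable to read passphrase");
		goto done;
	}
	creds.cred = password_buf;
	creds.credlen = strlen(password_buf);

	cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
	cfgparams.pkcs11config.label = (char *)token_label;
	cfgparams.pkcs11config.readonly = B_FALSE;

	rv = KMF_ConfigureKeystore(kmfh, &cfgparams);
	if (rv != KMF_OK) {
		REPORT_KMF_ERROR(rv, "Error configuring KMF keystore", err);
		goto done;
	}

	/*
	 * Find the certificate matching the given label.
	 */
	fcparams.kstype = KMF_KEYSTORE_PK11TOKEN;
	fcparams.certLabel = (char *)certname;
	rv = KMF_FindCert(kmfh, &fcparams, &cert, &ncerts);
	if (rv != KMF_OK || ncerts == 0)
		goto done;

	/*
	 * Find the associated private key for this cert by
	 * keying off of the label and the ASCII ID string.
	 */
	rv = KMF_GetCertIDString(&cert.certificate, &idstr);
	if (rv != KMF_OK)
		goto done;

	fkparams.kstype = KMF_KEYSTORE_PK11TOKEN;
	fkparams.keyclass = KMF_ASYM_PRI;
	fkparams.cred = creds;
	fkparams.format = KMF_FORMAT_RAWKEY;
	fkparams.findLabel = (char *)certname;
	fkparams.idstr = idstr;
	fkparams.pkcs11parms.private = TRUE;
	fkparams.pkcs11parms.token = TRUE;

	rv = KMF_FindKey(kmfh, &fkparams, &key, &nkeys);
	if (rv == KMF_ERR_SENSITIVE_KEY) {
		KMF_FreeKMFKey(kmfh, &key);
		/*
		 * Get a normal key handle and then do a wrap/unwrap
		 * in order to get the necessary raw data fields needed
		 * to send to KSSL.
		 */
		fkparams.format = KMF_FORMAT_NATIVE;
		rv = get_sensitive_key_data(kmfh, &fkparams, &key, &rawkey);
		if (rv == KMF_OK) {
			/* Swap "key" for "rawkey"; done: releases rawkey. */
			KMF_FreeKMFKey(kmfh, &key);
			key = rawkey;
		} else {
			/*
			 * NOTE(review): key is released here and, when
			 * nkeys is non-zero, again at done:.  Whether that
			 * is safe depends on KMF_FreeKMFKey() resetting
			 * the handle — not visible from this file.
			 */
			KMF_FreeKMFKey(kmfh, &key);

			/* Let kssl try to find the key. */
			nxkey = 1;
			rv = KMF_GetCertIDData(&cert.certificate, &iddata);
		}
	} else if (rv == KMF_ERR_UNEXTRACTABLE_KEY) {
		KMF_FreeKMFKey(kmfh, &key);

		/* Let kssl try to find the key. */
		nxkey = 1;
		rv = KMF_GetCertIDData(&cert.certificate, &iddata);
	} else if (rv != KMF_OK || nkeys == 0) {
		goto done;
	}

	/*
	 * With nxkey set the key handle has already been released;
	 * presumably kmf_to_kssl() then relies on iddata rather than
	 * key.keyp — confirm against kmf_to_kssl().
	 */
	if (rv == KMF_OK)
		kssl_params = kmf_to_kssl(nxkey, (KMF_RAW_KEY_DATA *)key.keyp,
		    1, &cert.certificate, bufsize,
		    (char *)token_label, &iddata, &creds);
done:
	/*
	 * Nothing below needs the PIN, and every pointer into
	 * password_buf (creds, fkparams.cred) is dead once we return,
	 * so wipe it rather than leave it on the stack.  No
	 * explicit_bzero-style primitive is in scope in this file, so a
	 * compiler may still elide a plain bzero() of a dying buffer.
	 */
	bzero(password_buf, sizeof (password_buf));

	if (ncerts != 0)
		KMF_FreeKMFCert(kmfh, &cert);
	if (nkeys != 0)
		KMF_FreeKMFKey(kmfh, &key);
	if (idstr != NULL)
		free(idstr);
	/*
	 * iddata.Data is not released here, as before; its ownership
	 * (presumably copied by kmf_to_kssl()) is not visible in this file.
	 */

	if (kmfh != NULL)
		(void) KMF_Finalize(kmfh);

	return (kssl_params);
}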
c28749e97052f09388969427adf7df641cdcdc22kais
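/*
 * add_cacerts
 *
 * Load a chain of certificates from a PEM file and append them to the
 * kssl_params_t block built so far.
 *
 * old_params:        the block to extend.  It is consumed on every
 *                    path: grown with realloc() on success, wiped and
 *                    freed on failure.  (The original freed it only
 *                    when the second KMF_FindCert() failed and leaked
 *                    it, key material included, on the other failure
 *                    paths; a caller that frees it itself on a NULL
 *                    return was already double-freeing on that path.)
 * cacert_chain_file: PEM file holding the CA chain.
 *
 * Returns the extended block or NULL on failure.
 */
static kssl_params_t *
add_cacerts(kssl_params_t *old_params, const char *cacert_chain_file)
{
	uint32_t i, ncerts = 0, certlen = 0;
	int newlen;
	char *buf;
	KMF_RETURN rv;
	KMF_X509_DER_CERT *certs = NULL;
	KMF_FINDCERT_PARAMS fcparms;
	kssl_params_t *kssl_params = NULL;
	KMF_HANDLE_T kmfh;
	char *err = NULL;

	bzero(&fcparms, sizeof (fcparms));
	fcparms.kstype = KMF_KEYSTORE_OPENSSL;
	fcparms.sslparms.certfile = (char *)cacert_chain_file;

	rv = KMF_Initialize(&kmfh, NULL, NULL);
	if (rv != KMF_OK) {
		REPORT_KMF_ERROR(rv, "Error initializing KMF", err);
		if (old_params != NULL) {
			bzero(old_params, old_params->kssl_params_size);
			free(old_params);
		}
		return (NULL);
	}

	/* First pass only counts the certificates in the file. */
	rv = KMF_FindCert(kmfh, &fcparms, NULL, &ncerts);
	if (rv != KMF_OK) {
		REPORT_KMF_ERROR(rv, "Error finding CA certificates", err);
		goto out;
	}
	if (ncerts == 0)
		goto out;

	/*
	 * calloc() zero-fills the array (the original bzero'd it) and
	 * checks the ncerts * sizeof multiplication for overflow.
	 */
	certs = calloc(ncerts, sizeof (*certs));
	if (certs == NULL) {
		(void) fprintf(stderr, "memory allocation error.\n");
		goto out;
	}
	rv = KMF_FindCert(kmfh, &fcparms, certs, &ncerts);
	if (rv != KMF_OK) {
		/*
		 * What the failed call left in certs[] is not known, so
		 * only the array itself is released (as before).
		 */
		ncerts = 0;
		goto out;
	}
	if (ncerts == 0)
		goto out;

	if (verbose) {
		/* ncerts is uint32_t, so %u rather than the original %d. */
		(void) printf("%u certificates read successfully\n", ncerts);
	}

	newlen = old_params->kssl_params_size;
	for (i = 0; i < ncerts; i++)
		newlen += certs[i].certificate.Length;

	/*
	 * Get a bigger structure and update the fields to account for
	 * the additional certs.  realloc() leaves old_params valid on
	 * failure, so its result is checked before anything is
	 * dereferenced (the original used it unchecked).
	 */
	kssl_params = realloc(old_params, newlen);
	if (kssl_params == NULL) {
		(void) fprintf(stderr, "memory allocation error.\n");
		goto out;
	}
	old_params = NULL;	/* now owned by kssl_params */

	kssl_params->kssl_params_size = newlen;
	kssl_params->kssl_certs.sc_count += ncerts;

	/* Put the cert size info starting from sc_sizes[1] */
	buf = (char *)kssl_params;
	buf += kssl_params->kssl_certs.sc_sizes_offset;
	bcopy(buf, &certlen, sizeof (uint32_t));
	buf += sizeof (uint32_t);
	for (i = 0; i < ncerts; i++) {
		uint32_t size = (uint32_t)certs[i].certificate.Length;
		bcopy(&size, buf, sizeof (uint32_t));
		buf += sizeof (uint32_t);
	}

	/* Put the cert_bufs starting from sc_certs[1] */
	buf = (char *)kssl_params;
	buf += kssl_params->kssl_certs.sc_certs_offset;
	buf += certlen;

	/* now the certs values */
	for (i = 0; i < ncerts; i++) {
		bcopy(certs[i].certificate.Data, buf,
		    certs[i].certificate.Length);
		buf += certs[i].certificate.Length;
	}

out:
	if (old_params != NULL) {
		/* Failure: the caller gets NULL, so dispose of the block. */
		bzero(old_params, old_params->kssl_params_size);
		free(old_params);
	}
	if (certs != NULL) {
		for (i = 0; i < ncerts; i++)
			KMF_FreeKMFCert(kmfh, &certs[i]);
		free(certs);
	}
	/*
	 * Finalize only after the certs are released, as
	 * load_from_pkcs11() does; the original finalized the handle
	 * first and then passed it to KMF_FreeKMFCert().
	 */
	(void) KMF_Finalize(kmfh);

	return (kssl_params);
}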
164c0dd6f561db19bdaf1d0b7f2a8dec44355b69krishna
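/*
 * load_from_pem
 *
 * Find a key and certificate(s) from a single PEM file.
 *
 * filename:      the PEM file.
 * password_file: passed through to PEM_get_rsa_key_certs() for an
 *                encrypted key.
 * paramsize:     filled in by kmf_to_kssl() with the block size.
 *
 * Returns the kssl_params_t block (owned by the caller) or NULL.
 * Whatever PEM_get_rsa_key_certs() handed back is released on every
 * path; the original returned early, and silently, when only one of
 * the key or the certificates was present, leaking the other.
 */
static kssl_params_t *
load_from_pem(const char *filename, const char *password_file, int *paramsize)
{
	int ncerts = 0, i;
	kssl_params_t *kssl_params = NULL;
	KMF_RAW_KEY_DATA *rsa = NULL;
	KMF_DATA *certs = NULL;

	ncerts = PEM_get_rsa_key_certs(filename, (char *)password_file,
	    &rsa, &certs);
	if (rsa == NULL || certs == NULL || ncerts == 0) {
		/* Same diagnostic as load_from_pkcs12(). */
		(void) fprintf(stderr,
		    "Unable to read cert and/or key from %s\n", filename);
		goto out;
	}

	if (verbose)
		(void) printf("%d certificates read successfully\n", ncerts);

	kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL,
	    NULL, NULL);

out:
	if (certs != NULL) {
		for (i = 0; i < ncerts; i++)
			KMF_FreeData(&certs[i]);
		free(certs);
	}
	if (rsa != NULL)
		KMF_FreeRawKey(rsa);

	return (kssl_params);
}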
c28749e97052f09388969427adf7df641cdcdc22kais
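/*
 * load_from_pkcs12
 *
 * Load a raw key and certificate(s) from a PKCS#12 file.
 *
 * filename:      the PKCS#12 file.
 * password_file: passed through to PKCS12_get_rsa_key_certs() for the
 *                import password.
 * paramsize:     filled in by kmf_to_kssl() with the block size.
 *
 * Returns the kssl_params_t block (owned by the caller) or NULL.  The
 * original only checked for missing certificates; a file without a
 * private key now also fails here instead of handing a NULL key to
 * kmf_to_kssl() (load_from_pem() already checked both).  Whatever
 * PKCS12_get_rsa_key_certs() handed back is released on every path;
 * the error path previously leaked it.
 */
static kssl_params_t *
load_from_pkcs12(const char *filename, const char *password_file,
    int *paramsize)
{
	KMF_RAW_KEY_DATA *rsa = NULL;
	kssl_params_t *kssl_params = NULL;
	KMF_DATA *certs = NULL;
	int ncerts = 0, i;

	ncerts = PKCS12_get_rsa_key_certs(filename,
	    password_file, &rsa, &certs);

	if (rsa == NULL || certs == NULL || ncerts == 0) {
		(void) fprintf(stderr,
		    "Unable to read cert and/or key from %s\n", filename);
		goto out;
	}

	if (verbose)
		(void) printf("%d certificates read successfully\n", ncerts);

	kssl_params = kmf_to_kssl(0, rsa, ncerts, certs, paramsize, NULL,
	    NULL, NULL);

out:
	if (certs != NULL) {
		for (i = 0; i < ncerts; i++)
			KMF_FreeData(&certs[i]);
		free(certs);
	}
	if (rsa != NULL)
		KMF_FreeRawKey(rsa);

	return (kssl_params);
}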
c28749e97052f09388969427adf7df641cdcdc22kais
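/*
 * parse_and_set_addr
 *
 * Fill in addr from a textual server address and port.
 *
 * server_address: dotted-quad or host name; NULL means INADDR_ANY.
 * server_port:    decimal port number in 1..65535; must not be NULL.
 * addr:           receives sin_addr and sin_port.  sin_port is stored
 *                 exactly as parsed (host byte order), as before;
 *                 NOTE(review): presumably the caller applies htons()
 *                 — verify.  sin_family is not touched here either.
 *
 * Returns 0 on success and -1 on any error; an unknown host or a bad
 * port value is reported on stderr.
 */
int
parse_and_set_addr(char *server_address, char *server_port,
    struct sockaddr_in *addr)
{
	char *end;
	long port;

	if (server_port == NULL) {
		return (-1);
	}

	if (server_address == NULL) {
		addr->sin_addr.s_addr = INADDR_ANY;
	} else {
		addr->sin_addr.s_addr = inet_addr(server_address);
		if ((int)addr->sin_addr.s_addr == -1) {
			struct hostent *hp;

			/*
			 * Only an IPv4-sized first address is usable
			 * here; anything else is treated as unknown
			 * rather than copied truncated into s_addr.
			 */
			hp = gethostbyname(server_address);
			if (hp == NULL || hp->h_addr_list[0] == NULL ||
			    hp->h_length != (int)sizeof (addr->sin_addr.s_addr)) {
				(void) fprintf(stderr,
				    "Error: Unknown host: %s\n",
				    server_address);
				return (-1);
			}

			(void) memcpy(&addr->sin_addr.s_addr,
			    hp->h_addr_list[0],
			    sizeof (addr->sin_addr.s_addr));
		}
	}

	/*
	 * strtol() with an end pointer so that trailing junk ("80abc") is
	 * rejected, plus an explicit range check so that values above
	 * 65535 are not silently truncated on assignment to the 16-bit
	 * sin_port (the original accepted e.g. 70000 as port 4464).
	 */
	errno = 0;
	port = strtol(server_port, &end, 10);
	if (end == server_port || *end != '\0' || errno != 0 ||
	    port <= 0 || port > 65535) {
		(void) fprintf(stderr, "Error: Invalid Port value: %s\n",
		    server_port);
		return (-1);
	}
	addr->sin_port = (in_port_t)port;

	return (0);
}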
c28749e97052f09388969427adf7df641cdcdc22kais
/*
 * The order of the ciphers is important. It is used as the
 * default order (when -c is not specified).
 *
 * suite: the name accepted by the -c option; check_suites() matches it
 *        case-insensitively.
 * val:   the numeric suite identifier written into the kernel's array.
 * seen:  set by check_suites() once the suite has been emitted, so a
 *        name repeated in the -c list is ignored.
 *
 * NOTE(review): the RC4 and single-DES suites are considered weak by
 * current standards; the default order deserves a look if this table
 * is still in service.
 */
struct csuite {
	const char *suite;
	uint16_t val;
	boolean_t seen;
} cipher_suites[CIPHER_SUITE_COUNT - 1] = {
	{"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, B_FALSE},
	{"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, B_FALSE},
	{"rsa_3des_ede_cbc_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, B_FALSE},
	{"rsa_des_cbc_sha", SSL_RSA_WITH_DES_CBC_SHA, B_FALSE},
};
c28749e97052f09388969427adf7df641cdcdc22kais
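/*
 * check_suites
 *
 * Translate the comma separated cipher suite list given with -c into
 * the kernel's numeric values.
 *
 * suites: the list, or NULL to take the default order from
 *         cipher_suites[].  The string is modified in place by strtok().
 * sarray: receives CIPHER_SUITE_COUNT - 1 entries; slots not filled by
 *         a named suite are left as CIPHER_NOTSET.  Each suite is
 *         emitted at most once, in the order it is first named.
 *
 * Returns the number of errors: one per unrecognised name, plus one if
 * the list named nothing at all.  The original used a do/while loop
 * that dereferenced the NULL strtok() returns for an empty list
 * (-c "" or -c ","), so that case now fails instead of crashing.
 */
static int
check_suites(char *suites, uint16_t *sarray)
{
	int i;
	int err = 0;
	int sindx = 0;
	char *suite;

	if (suites == NULL) {
		for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++)
			sarray[i] = cipher_suites[i].val;
		return (err);
	}

	for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++)
		sarray[i] = CIPHER_NOTSET;

	/*
	 * strtok() keeps static state, which this single-threaded
	 * command can live with; the for-loop form is what makes an
	 * empty list safe.
	 */
	for (suite = strtok(suites, ","); suite != NULL;
	    suite = strtok(NULL, ",")) {
		for (i = 0; i < CIPHER_SUITE_COUNT - 1; i++) {
			if (strcasecmp(suite, cipher_suites[i].suite) != 0)
				continue;
			/* A repeated name is folded into its first mention. */
			if (!cipher_suites[i].seen) {
				sarray[sindx++] = cipher_suites[i].val;
				cipher_suites[i].seen = B_TRUE;
			}
			break;
		}

		if (i == (CIPHER_SUITE_COUNT - 1)) {
			(void) fprintf(stderr,
			    "Unknown Cipher suite name: %s\n", suite);
			err++;
		}
	}

	if (sindx == 0 && err == 0) {
		(void) fprintf(stderr, "No cipher suite specified\n");
		err++;
	}

	return (err);
}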
c28749e97052f09388969427adf7df641cdcdc22kais
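/*
 * Parse a non-negative decimal option argument into *out, allowing at
 * most 'max'.  atoi() turns junk into 0, accepts trailing garbage and
 * lets a negative value wrap when stored in an unsigned field; all of
 * those are rejected here so that a mistyped option cannot silently
 * become a bogus proxy port, timeout or cache size.  The digits are
 * accumulated by hand so that overflow is caught without depending on
 * errno or <limits.h>.
 *
 * Returns 0 on success, -1 on bad input (*out is left untouched).
 */
static int
create_parse_num(const char *s, unsigned long max, uint32_t *out)
{
	unsigned long val = 0;

	if (s == NULL || *s == '\0') {
		return (-1);
	}

	for (; *s != '\0'; s++) {
		unsigned long digit;

		if (*s < '0' || *s > '9') {
			return (-1);
		}
		digit = (unsigned long)(*s - '0');
		/* val * 10 + digit must stay <= max; tested without overflow */
		if (digit > max || val > (max - digit) / 10) {
			return (-1);
		}
		val = val * 10 + digit;
	}

	*out = (uint32_t)val;
	return (0);
}

/*
 * Scrub and release a kssl_params_t buffer.  The buffer carries the
 * server's certificate and private key material, so it is zeroed before
 * free() on every exit path, not only on the success path.
 */
static void
create_free_params(kssl_params_t *params, size_t len)
{
	/*
	 * NOTE(review): a plain bzero() immediately before free() may be
	 * optimized away; an explicit_bzero()-style call would be preferable
	 * where the platform provides one.
	 */
	bzero(params, len);
	free(params);
}

/*
 * kssladm "create": load a certificate and private key from a PKCS#11
 * token, a PKCS#12 file or a PEM file, optionally append a CA certificate
 * chain, and hand the resulting kssl_params_t to the kernel with
 * KSSL_ADD_ENTRY.
 *
 * argv[0] is the sub-command name and is skipped.  Options:
 *   -f format   "pkcs11", "pkcs12" or "pem" (required)
 *   -x port     proxy port, 1..65535 (required)
 *   -T label    PKCS#11 token label (required for pkcs11)
 *   -C name     certificate name on the token (required for pkcs11)
 *   -d dir      softtoken directory, exported as SOFTTOKEN_DIR (pkcs11)
 *   -i file     certificate/key file (required for pkcs12 and pem)
 *   -h file     CA certificate chain file
 *   -p file     password file
 *   -c suites   cipher suite list, validated by check_suites()
 *   -t n        session cache timeout (default DEFAULT_SID_TIMEOUT)
 *   -z n        session cache size (default DEFAULT_SID_CACHE_NENTRIES)
 *   -v          verbose
 * Remaining operands are [addr] [port]; port defaults to 443.
 *
 * Returns SUCCESS, FAILURE (loading the key/cert or the kernel command
 * failed) or SMF_EXIT_ERR_CONFIG after printing usage for a command-line
 * error.
 */
int
do_create(int argc, char *argv[])
{
	const char *softtoken_dir = NULL;
	const char *token_label = NULL;
	const char *password_file = NULL;
	const char *cert_key_file = NULL;
	const char *cacert_chain_file = NULL;
	const char *certname = NULL;
	char *suites = NULL;
	uint32_t timeout = DEFAULT_SID_TIMEOUT;
	uint32_t scache_size = DEFAULT_SID_CACHE_NENTRIES;
	uint32_t port_val = 0;
	uint16_t kssl_suites[CIPHER_SUITE_COUNT - 1];
	int proxy_port = -1;		/* -1: option not given */
	struct sockaddr_in server_addr;
	char *format = NULL;
	char *port, *addr;
	int c;				/* getopt() returns int; a char cannot hold -1 portably */
	int pcnt;
	kssl_params_t *kssl_params = NULL;
	int bufsize = 0;

	/* skip the sub-command name */
	argc -= 1;
	argv += 1;

	while ((c = getopt(argc, argv, "vT:d:f:h:i:p:c:C:t:x:z:")) != -1) {
		switch (c) {
		case 'd':
			softtoken_dir = optarg;
			break;
		case 'c':
			suites = optarg;
			break;
		case 'C':
			certname = optarg;
			break;
		case 'f':
			format = optarg;
			break;
		case 'h':
			cacert_chain_file = optarg;
			break;
		case 'i':
			cert_key_file = optarg;
			break;
		case 'T':
			token_label = optarg;
			break;
		case 'p':
			password_file = optarg;
			break;
		case 't':
			if (create_parse_num(optarg, 0xFFFFFFFFUL /* UINT32_MAX */,
			    &timeout) != 0) {
				goto err;
			}
			break;
		case 'x':
			/* port 0 is not a usable proxy port */
			if (create_parse_num(optarg, 65535UL, &port_val) != 0 ||
			    port_val == 0) {
				goto err;
			}
			proxy_port = (int)port_val;
			break;
		case 'v':
			verbose = B_TRUE;
			break;
		case 'z':
			if (create_parse_num(optarg, 0xFFFFFFFFUL /* UINT32_MAX */,
			    &scache_size) != 0) {
				goto err;
			}
			break;
		default:
			goto err;
		}
	}

	pcnt = argc - optind;
	if (pcnt == 0) {
		port = "443"; /* default SSL port */
		addr = NULL;
	} else if (pcnt == 1) {
		port = argv[optind];
		addr = NULL;
	} else if (pcnt == 2) {
		addr = argv[optind];
		port = argv[optind + 1];
	} else {
		goto err;
	}

	if (parse_and_set_addr(addr, port, &server_addr) < 0) {
		goto err;
	}

	if (verbose) {
		/*
		 * NOTE(review): sin_port is printed as stored; if
		 * parse_and_set_addr() keeps it in network byte order this
		 * prints the byte-swapped value -- confirm.
		 */
		(void) printf("addr=%s, port = %d\n",
		    inet_ntoa(server_addr.sin_addr), server_addr.sin_port);
	}

	/* -f and -x are mandatory for every format */
	if (format == NULL || proxy_port == -1) {
		goto err;
	}

	if (check_suites(suites, kssl_suites) != 0) {
		goto err;
	}

	if (strcmp(format, "pkcs11") == 0) {
		if (token_label == NULL || certname == NULL) {
			goto err;
		}
		if (softtoken_dir != NULL) {
			/* tells the softtoken provider where its keystore lives */
			(void) setenv("SOFTTOKEN_DIR", softtoken_dir, 1);
			if (verbose) {
				(void) printf(
				    "SOFTTOKEN_DIR=%s\n",
				    getenv("SOFTTOKEN_DIR"));
			}
		}
		kssl_params = load_from_pkcs11(
		    token_label, password_file, certname, &bufsize);
	} else if (strcmp(format, "pkcs12") == 0) {
		if (cert_key_file == NULL) {
			goto err;
		}
		kssl_params = load_from_pkcs12(
		    cert_key_file, password_file, &bufsize);
	} else if (strcmp(format, "pem") == 0) {
		if (cert_key_file == NULL) {
			goto err;
		}
		kssl_params = load_from_pem(
		    cert_key_file, password_file, &bufsize);
	} else {
		(void) fprintf(stderr, "Unsupported cert format: %s\n", format);
		goto err;
	}

	/* the loaders report their own errors; nothing was allocated */
	if (kssl_params == NULL) {
		return (FAILURE);
	}

	/*
	 * Add the list of supported ciphers to the buffer.
	 */
	bcopy(kssl_suites, kssl_params->kssl_suites,
	    sizeof (kssl_params->kssl_suites));
	kssl_params->kssl_params_size = bufsize;
	kssl_params->kssl_addr = server_addr;
	kssl_params->kssl_session_cache_timeout = timeout;
	kssl_params->kssl_proxy_port = proxy_port;
	kssl_params->kssl_session_cache_size = scache_size;

	if (cacert_chain_file != NULL) {
		/*
		 * NOTE(review): add_cacerts() may reallocate the buffer.
		 * Whether it releases the old buffer on failure, and whether
		 * bufsize still matches the allocation afterwards, is not
		 * visible here -- confirm before relying on either.
		 */
		kssl_params = add_cacerts(kssl_params, cacert_chain_file);
		if (kssl_params == NULL) {
			return (FAILURE);
		}
	}

	if (kssl_send_command((char *)kssl_params, KSSL_ADD_ENTRY) < 0) {
		int err = CRYPTO_FAILED;

		/* when kssl_is_nxkey is set, the token's ck_rv is the specific code */
		if (kssl_params->kssl_is_nxkey) {
			err = kssl_params->kssl_token.ck_rv;
		}
		(void) fprintf(stderr,
		    "Error loading cert and key: 0x%x\n", err);
		/* the buffer holds key material: scrub it on this path as well */
		create_free_params(kssl_params, (size_t)bufsize);
		return (FAILURE);
	}

	if (verbose) {
		(void) printf("Successfully loaded cert and key\n");
	}

	create_free_params(kssl_params, (size_t)bufsize);
	return (SUCCESS);

err:
	usage_create(B_TRUE);
	return (SMF_EXIT_ERR_CONFIG);
}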