/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* This file includes interfaces to be used together with SSL to get PKCS#12
* certs and pass them to SSL. They replace similar functions for PEM,
* already provided for within SSL.
*
* The interfaces included here are:
* sunw_p12_use_certfile - gets the user's cert from a pkcs12 file and passes
* it to SSL.
* sunw_p12_use_keyfile - gets the RSA private key from a pkcs12 file and
* passes it to SSL.
* sunw_p12_use_trustfile - reads the pkcs12 trust anchor (aka certificate
* authority certs) file into memory and hands them off to SSL.
*
* These functions use sunw_PKCS12_parse() to read the certs.
*
* Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>
#include <p12access.h>
#include <p12err.h>
static PKCS12 *p12_read_file(char *);
static int checkfile(char *);
static int check_password(PKCS12 *, char *);
/*
* sunw_use_x509cert - pass an x509 client certificate to ssl
*
* Arguments:
* ctx - SSL's context structure
* cert - Certificate to pass in x509 format
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Cert was successfully added.
*/
static int
{
return (-1);
}
return (-1);
}
return (1);
}
/*
* sunw_use_pkey - pass an EVP_PKEY private key to ssl
*
* Arguments:
* ctx - SSL's context structure
* pkey - EVP_PKEY formatted private key
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success.
*/
static int
{
return (-1);
}
return (-1);
}
return (1);
}
/*
* sunw_use_tastore - take a stack of X509 certs and add them to the
* SSL store of trust anchors (aka CA certs).
*
* This function takes the certs in the stack and passes them into
* SSL for addition to the cache of TA certs.
*
* Arguments:
* ctx - SSL's context structure
* ta_certs - Stack of certs to add to the list of SSL trust anchors.
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Certs were successfully added.
*/
static int
{
int i;
return (-1);
}
if (sk_X509_num(ta_certs) == 0) {
return (-1);
}
for (i = 0; i < sk_X509_num(ta_certs); i++) {
if (ret == 0) {
if (ERR_GET_REASON(ERR_peek_error()) ==
continue;
}
return (-1);
} else if (ret < 0) {
break;
}
}
if (ret < 0) {
}
return (ret);
}
/*
* sunw_p12_use_certfile - read a client certificate from a pkcs12 file and
* pass it in to SSL.
*
* Read in the certificate from a pkcs12-formatted file. Use the provided
* passphrase to decrypt it. Pass the cert to SSL.
*
* Arguments:
* ctx - SSL's context structure
* filename - Name of file with the client certificate.
* passwd - Passphrase for pkcs12 data.
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Cert was successfully added.
*/
int
{
return (-1);
}
/*
* Error already on stack
*/
ret = -1;
}
}
}
}
return (ret);
}
/*
* sunw_p12_use_keyfile - read a RSA private key from a pkcs12 file and pass
* it in to SSL.
*
* Read in the RSA private key in pkcs12 format. Use the provided
* passphrase to decrypt it. Pass the key to SSL.
*
* Arguments:
* ctx - SSL's context structure
* filename - Name of file with private key.
* passwd - Passphrase for pkcs12 data.
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Key was successfully added.
*/
int
{
return (-1);
}
NULL);
/*
* Error already on stack
*/
ret = -1;
}
} else {
}
} else {
}
}
return (ret);
}
/*
* sunw_p12_use_trustfile - read a list of trustanchors from a pkcs12 file and
* pass the stack in to SSL.
*
* Read in the trust anchors from a pkcs12-formatted file. Use the provided
* passphrase to decrypt it. Pass the certs to SSL.
*
* Arguments:
* ctx - SSL's context structure
* filename - Name of file with the certificates.
* passwd - Passphrase for pkcs12 data.
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Trust anchors were successfully added.
*/
int
{
return (-1);
}
&ta_sk);
else {
ret = -1;
}
} else {
}
return (ret);
}
/*
* p12_read_file - read a pkcs12 file and get its contents. Return the
* pkcs12 structure.
*
* Arguments:
* filename - Name of file with the client certificate.
*
*
* Returns:
* NULL - Error occurred. Check the error stack for specifics.
* != NULL - Success. The return value is the address of a pkcs12
* structure.
*/
static PKCS12 *
{
int ret = 0;
/*
* Error already on stack
*/
return (NULL);
}
return (NULL);
}
ret = -1;
}
}
return (p12);
}
/*
* p12_doparse - Given a pkcs12 structure, check the passphrase and then
* parse it.
*
* Arguments:
* p12 - Structure with pkcs12 data which has been read in
* passwd - Passphrase for pkcs12 data & key.
* matchty - How to decide which matching entry to take... See the
* DO_* definitions for valid values.
* pkey - Points at pointer to private key structure.
* cert - Points at pointer to client certificate structure
* ca - Points at pointer to list of CA certs
*
* Returns:
* <=0 - Error occurred. Check the error stack for specifics.
* >0 - Success. Bits set reflect the kind of information
* returned. (See the FOUND_* definitions.)
*/
static int
{
int ret = 0;
/*
* Check passphrase (including null one).
*/
return (-1);
}
if (ret <= 0) {
/*
* Error already on stack
*/
return (-1);
}
return (ret);
}
/*
* checkfile - given a file name, verify that the file exists and is
* readable.
*/
/* ARGSUSED */
static int
{
#ifndef _BOOT
return (-1);
}
return (-1);
}
#endif
return (0);
}
/*
* check_password - do various password checks to see if the current password
* will work or we need to prompt for a new one.
*
* Arguments:
* pass - password to check
*
* Returns:
* 1 - Password is OK.
* 0 - Password not valid. Error stack was set - use ERR_get_error()
* to get the error.
*/
static int
{
/*
* If password is zero length or NULL then try verifying both cases
* to determine which password is correct. The reason for this is that
* under PKCS#12 password based encryption no password and a zero
* length password are two different things. Otherwise, calling
* PKCS12_verify_mac() with a length of -1 means that the length
* can be determined via strlen().
*/
/* Check the mac */
ret = 0;
ret = 0;
}
return (ret);
}