/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2002, 2003 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Copyright (c) 2015 by Delphix. All rights reserved.
*/
#ifndef _P12AUX_H
#define _P12AUX_H
#include <openssl/pkcs12.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* I really hate to do this. It's pretty gross, but go ahead and use the
* macros and functions already defined to provide new EVP_PKEY-specific
* macros, for use within this file only.
*
* My apologies.
*/
/* BEGIN CSTYLED */
DECLARE_STACK_OF(EVP_PKEY)
/* END CSTYLED */
#define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
#define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
#define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
#define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
#define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
#define sk_EVP_PKEY_find(st, val) SKM_sk_find(EVP_PKEY, (st), (val))
#define sk_EVP_PKEY_delete(st, i) SKM_sk_delete(EVP_PKEY, (st), (i))
#define sk_EVP_PKEY_delete_ptr(st, ptr) SKM_sk_delete_ptr(EVP_PKEY, (st), (ptr))
#define sk_EVP_PKEY_insert(st, val, i) SKM_sk_insert(EVP_PKEY, (st), (val), (i))
#define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
(free_func))
#define sk_EVP_PKEY_pop(st) SKM_sk_pop(EVP_PKEY, (st))
/*
* This type indicates what to do with an attribute being returned.
*/
typedef enum {
GETDO_COPY = 1, /* Simply return the value of the attribute */
GETDO_DEL /* Delete the attribute at the same time. */
} getdo_actions_t;
/*
* The following is used to call the sunw_print_times function which is
* described at the bottom of the page.
*/
typedef enum {
PRNT_NOT_BEFORE = 1, /* Print 'not before' date */
PRNT_NOT_AFTER, /* Print 'not after' date */
PRNT_BOTH /* Prints both dates */
} prnt_actions_t;
/*
* For sunw_pkcs12_parse, the following are values for bits that indicate
* various types of searches/matching to do. Any of these values can be
* OR'd together. However, the order in which an attempt will be made
* to satisfy them is the order in which they are listed below. The
* exception is DO_NONE. It should not be OR'd with any other value.
*/
#define DO_NONE 0x00 /* Don't even try to match */
#define DO_FIND_KEYID 0x01 /* 1st cert, key with matching localkeyid */
#define DO_FIND_FN 0x02 /* 1st cert, key with matching friendlyname */
#define DO_FIRST_PAIR 0x04 /* Return first matching cert/key pair found */
#define DO_LAST_PAIR 0x08 /* Return last matching cert/key pair found */
#define DO_UNMATCHING 0x10 /* Return first cert and/or key */
/* Bits returned, which indicate what values were found. */
#define FOUND_PKEY 0x01 /* Found one or more private key */
#define FOUND_CERT 0x02 /* Found one or more client certificate */
#define FOUND_CA_CERTS 0x04 /* Added at least one cert to the CA list */
#define FOUND_XPKEY 0x08 /* Found at least one private key which does */
/* not match a certificate in the certs list */
/*
* sunw_cryto_init() does crypto-specific initialization.
*
* Arguments:
* None.
*
* Returns:
* None.
*/
void sunw_crypto_init(void);
/*
* sunw_PKCS12_parse() parses a pkcs#12 structure and returns component parts.
*
* Parse and decrypt a PKCS#12 structure returning user key, user cert and/or
* other (CA) certs. Note either ca should be NULL, *ca should be NULL,
* or it should point to a valid STACK_OF(X509) structure. pkey and cert can
* be passed uninitialized.
*
* Arguments:
* p12 - Structure with pkcs12 info to be parsed
* pass - Pass phrase for the private key and entire pkcs12 wad (possibly
* empty) or NULL if there is none.
* matchty - Info about which certs/keys to return if many are in the file.
* keyid_str- If private key localkeyids are to match a predetermined value,
* the value to match.
* keyid_len- Length of the keyid byte string.
* name_str - If friendlynames are to match a predetermined value, the value
* to match.
* pkey - Points to location pointing to the private key returned.
* cert - Points to locaiton which points to the client cert returned
* ca - Points to location that points to a stack of 'certificate
* authority' certs (possibly including trust anchors).
*
* Match based on the value of 'matchty' and the contents of 'keyid_str'
* and/or 'name_str', as appropriate. Go through the lists of certs and
* private keys which were taken from the pkcs12 structure, looking for
* matches of the requested type. This function only searches the lists of
* matching private keys and client certificates. Kinds of matches allowed,
* and the order in which they will be checked, are:
*
* 1) Find the key and/or cert whose localkeyid attributes matches 'cmpstr'
* 2) Find the key and/or cert whose friendlyname attributes matches 'cmpstr'
* 3) Return the first matching key/cert pair found.
* 4) Return the last matching key/cert pair found.
* 5) Return whatever cert and/or key are available, even unmatching.
*
* Append the certs which do not have matching private keys and which were
* not selected to the CA list.
*
* If none of the bits are set, no client certs or private keys will be
* returned. CA (aka trust anchor) certs can be.
*
* Notes: If #3 is selected, then #4 will never occur. CA certs will be
* selected after a cert/key pairs are isolated.
*
* Returns:
* < 0 - An error returned. Call ERR_get_error() to get errors information.
* Where possible, memory has been freed.
* >= 0 - Objects were found and returned. Which objects are indicated by
* which bits are set (FOUND_PKEY, FOUND_CERT, FOUND_CA_CERTS).
*/
int sunw_PKCS12_parse(PKCS12 *, const char *, int, char *, int, char *,
EVP_PKEY **, X509 **, STACK_OF(X509) **);
/*
* sunw_PKCS12_create() creates a pkcs#12 structure and given component parts.
*
* Given one or more of user private key, user cert and/or other (CA) certs,
* return an encrypted PKCS12 structure containing them.
*
* Arguments:
* pass - Pass phrase for the pkcs12 structure and private key (possibly
* empty) or NULL if there is none. It will be used to encrypt
* both the private key(s) and as the pass phrase for the whole
* pkcs12 wad.
* pkey - Points to stack of private keys.
* cert - Points to stack of client (public ke) certs
* ca - Points to stack of 'certificate authority' certs (or trust
* anchors).
*
* Note that any of these may be NULL.
*
* Returns:
* NULL - An error occurred.
* != NULL - Address of PKCS12 structure. The user is responsible for
* freeing the memory when done.
*/
PKCS12 *sunw_PKCS12_create(const char *, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *,
STACK_OF(X509) *);
/*
* sunw_split_certs() - Given a list of certs and a list of private keys,
* moves certs which match one of the keys to a different stack.
*
* Arguments:
* allkeys - Points to a stack of private keys to search.
* allcerts - Points to a stack of certs to be searched.
* keycerts - Points to address of a stack of certs with matching private
* keys. They are moved from 'allcerts'. This may not be NULL
* when called. If *keycerts is NULL upon entry, a new stack will
* be allocated. Otherwise, it must be a valid STACK_OF(509).
* nocerts - Points to address of a stack for keys which have no matching
* certs. Keys are moved from 'allkeys' here when they have no
* matching certs. If this is NULL, matchless keys will be
* discarded.
*
* Notes: If an error occurs while moving certs, the cert being move may be
* lost. 'keycerts' may only contain part of the matching certs. The number
* of certs successfully moved can be found by checking sk_X509_num(keycerts).
*
* If there is a key which does not have a matching cert, it is moved to
* the list nocerts.
*
* If all certs are removed from 'certs' and/or 'pkeys', it will be the
* caller's responsibility to free the empty stacks.
*
* Returns:
* < 0 - An error returned. Call ERR_get_error() to get errors information.
* Where possible, memory has been freed.
* >= 0 - The number of certs moved from 'cert' to 'pkcerts'.
*/
int sunw_split_certs(STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, STACK_OF(X509) **,
STACK_OF(EVP_PKEY) **);
/*
* sunw_evp_pkey_free() Given an EVP_PKEY structure, free any attributes
* that are attached. Then free the EVP_PKEY itself.
*
* This is the replacement for EVP_PKEY_free() for the sunw stuff.
* It should be used in places where EVP_PKEY_free would be used,
* including calls to sk_EVP_PKEY_pop_free().
*
* Arguments:
* pkey - Entry which potentially has attributes to be freed.
*
* Returns:
* None.
*/
void sunw_evp_pkey_free(EVP_PKEY *);
/*
* sunw_set_localkeyid() sets the localkeyid in a cert, a private key or
* both. Any existing localkeyid will be discarded.
*
* Arguments:
* keyid_str- A byte string with the localkeyid to set
* keyid_len- Length of the keyid byte string.
* pkey - Points to a private key to set the keyidstr in.
* cert - Points to a cert to set the keyidstr in.
*
* Note that setting a keyid into a cert which will not be written out as
* a PKCS12 cert is pointless since it will be lost.
*
* Returns:
* 0 - Success.
* < 0 - An error occurred. It was probably an error in allocating
* memory. The error will be set in the error stack. Call
* ERR_get_error() to get specific information.
*/
int sunw_set_localkeyid(const char *, int, EVP_PKEY *, X509 *);
/*
* sunw_get_pkey_localkeyid() gets the localkeyid from a private key. It can
* optionally remove the value found.
*
* Arguments:
* dowhat - What to do with the attributes (remove them or copy them).
* pkey - Points to a private key to set the keyidstr in.
* keyid_str- Points to a location which will receive the pointer to
* a byte string containing the binary localkeyid. Note that
* this is a copy, and the caller must free it.
* keyid_len- Length of keyid_str.
*
* Returns:
* >= 0 - The number of characters in the keyid returned.
* < 0 - An error occurred. It was probably an error in allocating
* memory. The error will be set in the error stack. Call
* ERR_get_error() to get specific information.
*/
int sunw_get_pkey_localkeyid(getdo_actions_t, EVP_PKEY *, char **, int *);
/*
* sunw_get_pkey_fname() gets the friendlyName from a private key. It can
* optionally remove the value found.
*
* Arguments:
* dowhat - What to do with the attributes (remove them or just return
* them).
* pkey - Points to a private key to get the keyid from
* fname - Points to a location which will receive the pointer to a
* byte string with the ASCII friendlyname
*
* Returns:
* >= 0 - The number of characters in the keyid returned.
* < 0 - An error occurred. It was probably an error in allocating
* memory. The error will be set in the error stack. Call
* ERR_get_error() to get specific information.
*/
int sunw_get_pkey_fname(getdo_actions_t, EVP_PKEY *, char **);
/*
* sunw_find_localkeyid() searches stacks of certs and private keys, and
* returns the first matching cert/private key found.
*
* Look for a keyid in a stack of certs. if 'certs' is NULL and 'pkeys' is
* not NULL, search the list of private keys. Move the matching cert to
* 'matching_cert' and its matching private key to 'matching_pkey'. If no
* cert or keys match, no match occurred.
*
* Arguments:
* keyid_str- A byte string with the localkeyid to match
* keyid_len- Length of the keyid byte string.
* pkeys - Points to a stack of private keys which match the certs.
* This may be NULL, in which case no keys are returned.
* certs - Points to a stack of certs to search. If NULL, search the
* stack of keys instead.
* matching_pkey
* - Pointer to receive address of first matching pkey found.
* 'matching_pkey' must not be NULL; '*matching_pkey' will be
* reset.
* matching_cert
* - Pointer to receive address of first matching cert found.
* 'matching_cert' must not be NULL; '*matching_cert' will be
* reset.
*
* Returns:
* < 0 - An error returned. Call ERR_get_error() to get errors information.
* Where possible, memory has been freed.
* >= 0 - Objects were found and returned. Which objects are indicated by
* which bits are set (FOUND_PKEY and/or FOUND_CERT).
*/
int sunw_find_localkeyid(char *, int, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *,
EVP_PKEY **, X509 **);
/*
* sunw_find_fname() searches stacks of certs and private keys for one with
* a matching friendlyname and returns the first matching cert/private
* key found.
*
* Look for a friendlyname in a stack of certs. if 'certs' is NULL and 'pkeys'
* is not NULL, search the list of private keys. Move the matching cert to
* 'matching_cert' and its matching private key to 'matching_pkey'. If no
* cert or keys match, no match occurred.
*
* Arguments:
* fname - Friendlyname to find (NULL-terminated ASCII string).
* pkeys - Points to a stack of private keys which match the certs.
* This may be NULL, in which case no keys are returned.
* certs - Points to a stack of certs to search. If NULL, search the
* stack of keys instead.
* matching_pkey
* - Pointer to receive address of first matching pkey found.
* matching_cert
* - Pointer to receive address of first matching cert found.
*
* Returns:
* < 0 - An error returned. Call ERR_get_error() to get errors information.
* Where possible, memory has been freed.
* >= 0 - Objects were found and returned. Which objects are indicated by
* which bits are set (FOUND_PKEY and/or FOUND_CERT).
*/
int sunw_find_fname(char *, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, EVP_PKEY **,
X509 **);
/*
* sunw_print_times() formats and prints cert times to the given file.
*
* The label is printed on one line. One or both dates are printed on
* the following line or two, each with it's own indented label in the
* format:
*
* label
* 'not before' date: whatever
* 'not after' date: whatever
*
* Arguments:
* fp - file pointer for file to write to.
* dowhat - what field(s) to print.
* label - Label to use. If NULL, no line will be printed.
* cert - Points to a client or CA cert to check
*
* Returns:
* < 0 - An error occured.
* >= 0 - Number of lines written.
*/
int sunw_print_times(FILE *, prnt_actions_t, char *, X509 *);
/*
* sunw_check_keys() compares the public key in the certificate and a
* private key to ensure that they match.
*
* Arguments:
* cert - Points to a certificate.
* pkey - Points to a private key.
*
* Returns:
* == 0 - These do not match.
* != 0 - The cert's public key and the private key match.
*/
int sunw_check_keys(X509 *, EVP_PKEY *);
/*
* sunw_issuer_attrs - Given a cert, return the issuer-specific attributes
* as one ASCII string.
*
* Arguments:
* cert - Cert to process
* buf - If non-NULL, buffer to receive string. If NULL, one will
* be allocated and its value will be returned to the caller.
* len - If 'buff' is non-null, the buffer's length.
*
* This returns an ASCII string with all issuer-related attributes in one
* string separated by '/' characters. Each attribute begins with its name
* and an equal sign. Two attributes (ATTR1 and Attr2) would have the
* following form:
*
* ATTR1=attr_value/ATTR2=attr2_value
*
* Returns:
* != NULL - Pointer to the ASCII string containing the issuer-related
* attributes. If the 'buf' argument was NULL, this is a
* dynamically-allocated buffer and the caller will have the
* responsibility for freeing it.
* NULL - Memory needed to be allocated but could not be. Errors
* are set on the error stack.
*/
char *sunw_issuer_attrs(X509 *cert, char *buf, int len);
/*
* sunw_subject_attrs - Given a cert, return the subject-specific attributes
* as one ASCII string.
*
* Arguments:
* cert - Cert to process
* buf - If non-NULL, buffer to receive string. If NULL, one will
* be allocated and its value will be returned to the caller.
* len - If 'buff' is non-null, the buffer's length.
*
* This returns an ASCII string with all subject-related attributes in one
* string separated by '/' characters. Each attribute begins with its name
* and an equal sign. Two attributes (ATTR1 and Attr2) would have the
* following form:
*
* ATTR1=attr_value/ATTR2=attr2_value
*
* Returns:
* != NULL - Pointer to the ASCII string containing the subject-related
* attributes. If the 'buf' argument was NULL, this is a
* dynamically-allocated buffer and the caller will have the
* responsibility for freeing it.
* NULL - Memory needed to be allocated but could not be. Errors
* are set on the error stack.
*/
char *sunw_subject_attrs(X509 *cert, char *buf, int len);
/*
* sunw_append_keys - Given two stacks of private keys, remove the keys from
* the second stack and append them to the first. Both stacks must exist
* at time of call.
*
* Arguments:
* dst - the stack to receive the keys from 'src'
* src - the stack whose keys are to be moved.
*
* Returns:
* -1 - An error occurred. The error status is set.
* >= 0 - The number of keys that were copied.
*/
int sunw_append_keys(STACK_OF(EVP_PKEY) *, STACK_OF(EVP_PKEY) *);
#ifdef __cplusplus
}
#endif
#endif /* _P12AUX_H */