elfcertlib.c revision 2225707c7e7edf7c636ed349df2592ef85329cdd
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * CDDL HEADER START
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * The contents of this file are subject to the terms of the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Common Development and Distribution License (the "License").
df8bdeb362277e8d95a74d6c097341fe97409948johnz * You may not use this file except in compliance with the License.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * or http://www.opensolaris.org/os/licensing.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * See the License for the specific language governing permissions
df8bdeb362277e8d95a74d6c097341fe97409948johnz * and limitations under the License.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * When distributing Covered Code, include this CDDL HEADER in each
df8bdeb362277e8d95a74d6c097341fe97409948johnz * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If applicable, add the following below this CDDL HEADER, with the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * fields enclosed by brackets "[]" replaced with your own identifying
df8bdeb362277e8d95a74d6c097341fe97409948johnz * information: Portions Copyright [yyyy] [name of copyright owner]
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * CDDL HEADER END
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Use is subject to license terms.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <limits.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/types.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/stat.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <fcntl.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <unistd.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <dirent.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <strings.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <stdio.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <stdlib.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <errno.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/mman.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <md5.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <pthread.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <cryptoutil.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <kmfapi.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/crypto/elfsign.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <libelfsign.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <synch.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzconst char _PATH_ELFSIGN_CRYPTO_CERTS[] = CRYPTO_CERTS_DIR;
df8bdeb362277e8d95a74d6c097341fe97409948johnzconst char _PATH_ELFSIGN_ETC_CERTS[] = ETC_CERTS_DIR;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * The CACERT and OBJCACERT are the Cryptographic Trust Anchors
df8bdeb362277e8d95a74d6c097341fe97409948johnz * for the Solaris Cryptographic Framework.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const char _PATH_CRYPTO_CACERT[] = CRYPTO_CERTS_DIR "/CA";
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const char _PATH_CRYPTO_OBJCACERT[] = CRYPTO_CERTS_DIR "/SUNWObjectCA";
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t CACERT = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t OBJCACERT = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic pthread_mutex_t ca_mutex = PTHREAD_MUTEX_INITIALIZER;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic void elfcertlib_freecert(ELFsign_t, ELFCert_t);
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t elfcertlib_allocatecert(void);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_verifycert - Verify the Cert with a Trust Anchor
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We first setup the Trust Anchor (CA and SUNWObjectCA) certs
df8bdeb362277e8d95a74d6c097341fe97409948johnz * if it hasn't been done already. We verify that the files on disk
df8bdeb362277e8d95a74d6c097341fe97409948johnz * are those we expected.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We then verify the given cert using the publickey of a TA.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If the passed in cert is a TA or it has been verified already we
df8bdeb362277e8d95a74d6c097341fe97409948johnz * short cut and return TRUE without futher validation.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*ARGSUSED*/
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if ((cert->c_verified == E_OK) || (cert->c_verified == E_IS_TA)) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) pthread_mutex_lock(&ca_mutex);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (CACERT == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_CACERT,
df8bdeb362277e8d95a74d6c097341fe97409948johnz NULL, &CACERT, ES_GET);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (OBJCACERT == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_OBJCACERT,
df8bdeb362277e8d95a74d6c097341fe97409948johnz NULL, &OBJCACERT, ES_GET);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) pthread_mutex_unlock(&ca_mutex);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (CACERT != NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz (const KMF_DATA *)&cert->c_cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz (const KMF_DATA *)&CACERT->c_cert.certificate);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certvercallback)(ess->es_callbackctx,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert, CACERT);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (OBJCACERT != NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz (const KMF_DATA *)&cert->c_cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz (const KMF_DATA *)&OBJCACERT->c_cert.certificate);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certvercallback)(ess->es_callbackctx,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert, OBJCACERT);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getcert - Get the certificate for signer_DN
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert_pathname - path to cert (May be NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz * signer_DN - The DN we are looking for (May be NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz * action - indicates crypto verification call
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT certp - allocated/loaded ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If the cert_pathname is passed use it and don't search.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Otherwise, go looking in certificate directories
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *signer_DN, ELFCert_t *certp, enum ES_ACTION action)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz ELFCert_t cert = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_FINDCERT_PARAMS fcparams;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_X509_DER_CERT certbuf[2];
df8bdeb362277e8d95a74d6c097341fe97409948johnz uint32_t ncerts;
df8bdeb362277e8d95a74d6c097341fe97409948johnz boolean_t ret = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *pathlist[3], **plp;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: path=%s, DN=%s",
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert_pathname ? cert_pathname : "-none-",
df8bdeb362277e8d95a74d6c097341fe97409948johnz signer_DN ? signer_DN : "-none-");
df8bdeb362277e8d95a74d6c097341fe97409948johnz *certp = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname == NULL && signer_DN == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: lack of specificity");
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz plp = pathlist;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname != NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* look in the specified object */
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = cert_pathname;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* look in the certificate directories */
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = (char *)_PATH_ELFSIGN_CRYPTO_CERTS;
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * crypto verifications don't search beyond
df8bdeb362277e8d95a74d6c097341fe97409948johnz * _PATH_ELFSIGN_CRYPTO_CERTS
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (action != ES_GET_CRYPTO)
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = (char *)_PATH_ELFSIGN_ETC_CERTS;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if ((cert = elfcertlib_allocatecert()) == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz for (plp = pathlist; *plp; plp++) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(&fcparams, 0, sizeof (fcparams));
df8bdeb362277e8d95a74d6c097341fe97409948johnz fcparams.kstype = KMF_KEYSTORE_OPENSSL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fcparams.sslparms.certfile = *plp;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fcparams.subject = signer_DN;
df8bdeb362277e8d95a74d6c097341fe97409948johnz ncerts = 2;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_FindCert(ess->es_kmfhandle, &fcparams, certbuf,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &ncerts);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz continue;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ncerts > 1 && signer_DN == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* There can be only one */
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: "
df8bdeb362277e8d95a74d6c097341fe97409948johnz "too many certificates found in %s",
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert_pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* found it, cache subject and issuer */
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_cert = certbuf[0];
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_GetCertSubjectNameString(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_cert.certificate, &cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_GetCertIssuerNameString(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_cert.certificate, &cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz break;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (*plp == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: no certificate found");
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_UNCHECKED;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * If the cert we are loading is the trust anchor (ie the CA) then
df8bdeb362277e8d95a74d6c097341fe97409948johnz * we mark it as such in cert. This is so that we don't attempt
df8bdeb362277e8d95a74d6c097341fe97409948johnz * to verify it later. The CA is always implicitly verified.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname != NULL && (
df8bdeb362277e8d95a74d6c097341fe97409948johnz strcmp(cert_pathname, _PATH_CRYPTO_CACERT) == 0 ||
df8bdeb362277e8d95a74d6c097341fe97409948johnz strcmp(cert_pathname, _PATH_CRYPTO_OBJCACERT) == 0)) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certCAcallback)(ess->es_callbackctx, cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert_pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_IS_TA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz ret = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzcleanup:
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ret) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz *certp = cert;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz elfcertlib_freecert(ess, cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (signer_DN != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to find a certificate "
df8bdeb362277e8d95a74d6c097341fe97409948johnz "for DN: %s", signer_DN);
df8bdeb362277e8d95a74d6c097341fe97409948johnz else
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to load certificate "
df8bdeb362277e8d95a74d6c097341fe97409948johnz "from %s", cert_pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_loadprivatekey - Load the private key from path
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * pathname
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, const char *pathname)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv = KMF_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz uint32_t nkeys = 2;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_FINDKEY_PARAMS fkparams;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_KEY_HANDLE keybuf[2];
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(&fkparams, 0, sizeof (fkparams));
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.keyclass = KMF_ASYM_PRI;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.kstype = KMF_KEYSTORE_OPENSSL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.sslparms.keyfile = (char *)pathname;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_FindKey(ess->es_kmfhandle, &fkparams, keybuf, &nkeys);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (nkeys != 1) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* lack of specificity */
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("found %d keys at %s", nkeys, pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_privatekey = keybuf[0];
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("key %s loaded", pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_loadtokenkey - Load the private key from token
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * token_label
df8bdeb362277e8d95a74d6c097341fe97409948johnz * pin
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const char *token_label, const char *pin)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv = KMF_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_FINDKEY_PARAMS fkparams;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_CONFIG_PARAMS cfgparams;
df8bdeb362277e8d95a74d6c097341fe97409948johnz uint32_t nkeys = 1;
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *idstr = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *err = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(&fkparams, 0, sizeof (fkparams));
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(&cfgparams, 0, sizeof (cfgparams));
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.pkcs11config.label = (char *)token_label;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.pkcs11config.readonly = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("Error configuring token access:"
df8bdeb362277e8d95a74d6c097341fe97409948johnz " %s\n", err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.idstr = idstr;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.kstype = KMF_KEYSTORE_PK11TOKEN;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.keyclass = KMF_ASYM_PRI;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.cred.cred = (char *)pin;
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.cred.credlen = (pin != NULL ? strlen(pin) : 0);
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.pkcs11parms.private = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We will search for the key based on the ID attribute
df8bdeb362277e8d95a74d6c097341fe97409948johnz * which was added when the key was created. ID is
df8bdeb362277e8d95a74d6c097341fe97409948johnz * a SHA-1 hash of the public modulus shared by the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * key and the certificate.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_GetCertIDString(&cert->c_cert.certificate, &idstr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("Error getting ID from cert: %s\n", err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz fkparams.idstr = idstr;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_FindKey(ess->es_kmfhandle, &fkparams,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_privatekey, &nkeys);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK || nkeys != 1) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("Error finding private key: %s\n", err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(idstr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("key found in %s", token_label);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_loadprivatekey = 0x%.8X",
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_privatekey);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(idstr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const CK_BYTE MD5_DER_PREFIX[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
df8bdeb362277e8d95a74d6c097341fe97409948johnz 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_sign - sign the given DATA using the privatekey in cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT sig - must be big enough to hold the signature of data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Caller must allocate
df8bdeb362277e8d95a74d6c097341fe97409948johnz * sig_len - actual length used; 0 on failure.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*ARGSUSED*/
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *data, size_t data_len,
df8bdeb362277e8d95a74d6c097341fe97409948johnz uchar_t *sig, size_t *sig_len)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN ret = KMF_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA tobesigned;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA signature;
df8bdeb362277e8d95a74d6c097341fe97409948johnz uchar_t der_data[sizeof (MD5_DER_PREFIX) + MD5_DIGEST_LENGTH];
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_version <= FILESIG_VERSION2) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* compatibility: take MD5 hash of SHA1 hash */
df8bdeb362277e8d95a74d6c097341fe97409948johnz size_t derlen = MD5_DIGEST_LENGTH;
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5_CTX ctx;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * first: digest using software-based methods, don't
df8bdeb362277e8d95a74d6c097341fe97409948johnz * rely on the token for hashing.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Init(&ctx);
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Update(&ctx, data, data_len);
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Final(&der_data[sizeof (MD5_DER_PREFIX)], &ctx);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * second: insert prefix
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memcpy(der_data, MD5_DER_PREFIX,
df8bdeb362277e8d95a74d6c097341fe97409948johnz sizeof (MD5_DER_PREFIX));
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * prepare to sign the local buffer
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Data = (uchar_t *)der_data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Length = sizeof (MD5_DER_PREFIX) + derlen;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Data = (uchar_t *)data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Length = data_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz signature.Data = (uchar_t *)sig;
df8bdeb362277e8d95a74d6c097341fe97409948johnz signature.Length = *sig_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz ret = KMF_SignDataWithKey(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_privatekey, (KMF_OID *)&KMFOID_RSA,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &tobesigned, &signature);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ret != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *err;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (KMF_GetKMFErrorString(ret, &err) == KMF_OK &&
df8bdeb362277e8d95a74d6c097341fe97409948johnz err != NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("Error signing data: %s\n", err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(err);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz *sig_len = 0;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz *sig_len = signature.Length;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_verifysig - verify the given DATA using the public key in cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * signature
df8bdeb362277e8d95a74d6c097341fe97409948johnz * sig_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *signature, size_t sig_len,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *data, size_t data_len)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA indata;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA insig;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_ALGORITHM_INDEX algid;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz indata.Data = (uchar_t *)data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz indata.Length = data_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz insig.Data = (uchar_t *)signature;
df8bdeb362277e8d95a74d6c097341fe97409948johnz insig.Length = sig_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_version <= FILESIG_VERSION2)
df8bdeb362277e8d95a74d6c097341fe97409948johnz algid = KMF_ALGID_MD5WithRSA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz else
df8bdeb362277e8d95a74d6c097341fe97409948johnz algid = KMF_ALGID_RSA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * We tell KMF to use the PKCS11 verification APIs
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * here to prevent the use of OpenSSL and to keep
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * all validation within the FIPS-140 boundary for
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * the Cryptographic Framework.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_VerifyDataWithCert(ess->es_kmfhandle,
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick KMF_KEYSTORE_PK11TOKEN, algid,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &indata, &insig, &cert->c_cert.certificate);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return ((rv == KMF_OK));
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getdn
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN dn or NULL
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzchar *
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getdn(ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getdn");
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getissuer
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN dn or NULL
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzchar *
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getissuer(ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_issuer");
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_init(ELFsign_t ess)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz boolean_t rc = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_kmfhandle == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_Initialize(&ess->es_kmfhandle, NULL, NULL);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR,
df8bdeb362277e8d95a74d6c097341fe97409948johnz "unable to initialize KMF library");
df8bdeb362277e8d95a74d6c097341fe97409948johnz rc = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (rc);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_fini(ELFsign_t ess)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) KMF_Finalize(ess->es_kmfhandle);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the token device
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_settoken(ELFsign_t ess, char *token)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz boolean_t rc = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_CONFIG_PARAMS cfgparams;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(&cfgparams, 0, sizeof (cfgparams));
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.pkcs11config.label = token;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cfgparams.pkcs11config.readonly = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to select token\n");
df8bdeb362277e8d95a74d6c097341fe97409948johnz rc = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (rc);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the certificate CA identification callback
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_setcertCAcallback(ELFsign_t ess,
df8bdeb362277e8d95a74d6c097341fe97409948johnz void (*cb)(void *, ELFCert_t, char *))
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ess->es_certCAcallback = cb;
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the certificate verification callback
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_setcertvercallback(ELFsign_t ess,
df8bdeb362277e8d95a74d6c097341fe97409948johnz void (*cb)(void *, ELFCert_t, ELFCert_t))
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ess->es_certvercallback = cb;
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_releasecert - release a cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_releasecert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz elfcertlib_freecert(ess, cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_allocatecert - create a new ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN ELFCert_t, NULL on failure.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_allocatecert(void)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ELFCert_t cert = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert = malloc(sizeof (struct ELFCert_s));
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR,
df8bdeb362277e8d95a74d6c097341fe97409948johnz "elfcertlib_allocatecert: malloc failed %s",
df8bdeb362277e8d95a74d6c097341fe97409948johnz strerror(errno));
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (NULL);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(cert, 0, sizeof (struct ELFCert_s));
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_UNCHECKED;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_subject = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_issuer = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_freecert - freeup the memory of a cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic void
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_freecert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert == NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz return;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_FreeKMFCert(ess->es_kmfhandle, &cert->c_cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_FreeKMFKey(ess->es_kmfhandle, &cert->c_privatekey);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}