elfcertlib.c revision 735564919188238196dbd0d320770dda59b38369
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * CDDL HEADER START
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * The contents of this file are subject to the terms of the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Common Development and Distribution License (the "License").
df8bdeb362277e8d95a74d6c097341fe97409948johnz * You may not use this file except in compliance with the License.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * or http://www.opensolaris.org/os/licensing.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * See the License for the specific language governing permissions
df8bdeb362277e8d95a74d6c097341fe97409948johnz * and limitations under the License.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * When distributing Covered Code, include this CDDL HEADER in each
df8bdeb362277e8d95a74d6c097341fe97409948johnz * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If applicable, add the following below this CDDL HEADER, with the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * fields enclosed by brackets "[]" replaced with your own identifying
df8bdeb362277e8d95a74d6c097341fe97409948johnz * information: Portions Copyright [yyyy] [name of copyright owner]
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * CDDL HEADER END
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Use is subject to license terms.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <limits.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/types.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/stat.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <fcntl.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <unistd.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <dirent.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <strings.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <stdio.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <stdlib.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <errno.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/mman.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <md5.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <pthread.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <cryptoutil.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <kmfapi.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <sys/crypto/elfsign.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <libelfsign.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz#include <synch.h>
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzconst char _PATH_ELFSIGN_CRYPTO_CERTS[] = CRYPTO_CERTS_DIR;
df8bdeb362277e8d95a74d6c097341fe97409948johnzconst char _PATH_ELFSIGN_ETC_CERTS[] = ETC_CERTS_DIR;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * The CACERT and OBJCACERT are the Cryptographic Trust Anchors
df8bdeb362277e8d95a74d6c097341fe97409948johnz * for the Solaris Cryptographic Framework.
735564919188238196dbd0d320770dda59b38369Anthony Scarpino *
735564919188238196dbd0d320770dda59b38369Anthony Scarpino * The SECACERT is the Signed Execution Trust Anchor that the
735564919188238196dbd0d320770dda59b38369Anthony Scarpino * Cryptographic Framework uses for FIPS-140 validation of non-crypto
735564919188238196dbd0d320770dda59b38369Anthony Scarpino * binaries
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const char _PATH_CRYPTO_CACERT[] = CRYPTO_CERTS_DIR "/CA";
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const char _PATH_CRYPTO_OBJCACERT[] = CRYPTO_CERTS_DIR "/SUNWObjectCA";
735564919188238196dbd0d320770dda59b38369Anthony Scarpinostatic const char _PATH_CRYPTO_SECACERT[] = ETC_CERTS_DIR "/SUNWSolarisCA";
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t CACERT = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t OBJCACERT = NULL;
735564919188238196dbd0d320770dda59b38369Anthony Scarpinostatic ELFCert_t SECACERT = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic pthread_mutex_t ca_mutex = PTHREAD_MUTEX_INITIALIZER;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic void elfcertlib_freecert(ELFsign_t, ELFCert_t);
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t elfcertlib_allocatecert(void);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_verifycert - Verify the Cert with a Trust Anchor
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We first setup the Trust Anchor (CA and SUNWObjectCA) certs
df8bdeb362277e8d95a74d6c097341fe97409948johnz * if it hasn't been done already. We verify that the files on disk
df8bdeb362277e8d95a74d6c097341fe97409948johnz * are those we expected.
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We then verify the given cert using the publickey of a TA.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If the passed in cert is a TA or it has been verified already we
df8bdeb362277e8d95a74d6c097341fe97409948johnz * short cut and return TRUE without futher validation.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*ARGSUSED*/
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[8];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if ((cert->c_verified == E_OK) || (cert->c_verified == E_IS_TA)) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) pthread_mutex_lock(&ca_mutex);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (CACERT == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_CACERT,
df8bdeb362277e8d95a74d6c097341fe97409948johnz NULL, &CACERT, ES_GET);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
735564919188238196dbd0d320770dda59b38369Anthony Scarpino
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (OBJCACERT == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_OBJCACERT,
df8bdeb362277e8d95a74d6c097341fe97409948johnz NULL, &OBJCACERT, ES_GET);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
735564919188238196dbd0d320770dda59b38369Anthony Scarpino
735564919188238196dbd0d320770dda59b38369Anthony Scarpino if (SECACERT == NULL) {
735564919188238196dbd0d320770dda59b38369Anthony Scarpino (void) elfcertlib_getcert(ess,
735564919188238196dbd0d320770dda59b38369Anthony Scarpino (char *)_PATH_CRYPTO_SECACERT, NULL, &SECACERT,
735564919188238196dbd0d320770dda59b38369Anthony Scarpino ES_GET_FIPS140);
735564919188238196dbd0d320770dda59b38369Anthony Scarpino }
735564919188238196dbd0d320770dda59b38369Anthony Scarpino
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) pthread_mutex_unlock(&ca_mutex);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (CACERT != NULL) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CERT_DATA_ATTR, &cert->c_cert.certificate,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_SIGNER_CERT_DATA_ATTR, &CACERT->c_cert.certificate,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_verify_cert(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certvercallback)(ess->es_callbackctx,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert, CACERT);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (OBJCACERT != NULL) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CERT_DATA_ATTR, &cert->c_cert.certificate,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_SIGNER_CERT_DATA_ATTR, &OBJCACERT->c_cert.certificate,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_verify_cert(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv == KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certvercallback)(ess->es_callbackctx,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert, OBJCACERT);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
735564919188238196dbd0d320770dda59b38369Anthony Scarpino if (SECACERT != NULL) {
735564919188238196dbd0d320770dda59b38369Anthony Scarpino rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
735564919188238196dbd0d320770dda59b38369Anthony Scarpino (const KMF_DATA *)&cert->c_cert,
735564919188238196dbd0d320770dda59b38369Anthony Scarpino (const KMF_DATA *)&SECACERT->c_cert.certificate);
735564919188238196dbd0d320770dda59b38369Anthony Scarpino if (rv == KMF_OK) {
735564919188238196dbd0d320770dda59b38369Anthony Scarpino if (ess->es_certCAcallback != NULL)
735564919188238196dbd0d320770dda59b38369Anthony Scarpino (ess->es_certvercallback)(ess->es_callbackctx,
735564919188238196dbd0d320770dda59b38369Anthony Scarpino cert, SECACERT);
735564919188238196dbd0d320770dda59b38369Anthony Scarpino cert->c_verified = E_OK;
735564919188238196dbd0d320770dda59b38369Anthony Scarpino return (B_TRUE);
735564919188238196dbd0d320770dda59b38369Anthony Scarpino }
735564919188238196dbd0d320770dda59b38369Anthony Scarpino }
735564919188238196dbd0d320770dda59b38369Anthony Scarpino
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getcert - Get the certificate for signer_DN
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert_pathname - path to cert (May be NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz * signer_DN - The DN we are looking for (May be NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz * action - indicates crypto verification call
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT certp - allocated/loaded ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * If the cert_pathname is passed use it and don't search.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Otherwise, go looking in certificate directories
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *signer_DN, ELFCert_t *certp, enum ES_ACTION action)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz ELFCert_t cert = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_X509_DER_CERT certbuf[2];
df8bdeb362277e8d95a74d6c097341fe97409948johnz uint32_t ncerts;
df8bdeb362277e8d95a74d6c097341fe97409948johnz boolean_t ret = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz char *pathlist[3], **plp;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: path=%s, DN=%s",
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert_pathname ? cert_pathname : "-none-",
df8bdeb362277e8d95a74d6c097341fe97409948johnz signer_DN ? signer_DN : "-none-");
df8bdeb362277e8d95a74d6c097341fe97409948johnz *certp = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname == NULL && signer_DN == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: lack of specificity");
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz plp = pathlist;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname != NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* look in the specified object */
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = cert_pathname;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* look in the certificate directories */
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = (char *)_PATH_ELFSIGN_CRYPTO_CERTS;
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * crypto verifications don't search beyond
df8bdeb362277e8d95a74d6c097341fe97409948johnz * _PATH_ELFSIGN_CRYPTO_CERTS
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (action != ES_GET_CRYPTO)
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp++ = (char *)_PATH_ELFSIGN_ETC_CERTS;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz *plp = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if ((cert = elfcertlib_allocatecert()) == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz for (plp = pathlist; *plp; plp++) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[8];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE kstype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CERT_VALIDITY certvalidity;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kstype = KMF_KEYSTORE_OPENSSL;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM certvalidity = KMF_ALL_CERTS;
df8bdeb362277e8d95a74d6c097341fe97409948johnz ncerts = 2;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_X509_DER_CERT_ATTR, certbuf,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_X509_DER_CERT));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_COUNT_ATTR, &ncerts, sizeof (uint32_t));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM if (signer_DN != NULL) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_SUBJECT_NAME_ATTR, signer_DN,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM strlen(signer_DN));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM }
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CERT_VALIDITY_ATTR, &certvalidity,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_CERT_VALIDITY));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CERT_FILENAME_ATTR, *plp, strlen (*plp));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_find_cert(ess->es_kmfhandle, numattr, attrlist);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz continue;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM /* found one */
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_cert = certbuf[0];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM if (ncerts > 1) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM /* release any extras */
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_free_kmf_cert(ess->es_kmfhandle, &certbuf[1]);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM if (signer_DN == NULL) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM /* There can be only one */
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cryptodebug("elfcertlib_getcert: "
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM "too many certificates found in %s",
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cert_pathname);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM goto cleanup;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM }
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM }
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM /* cache subject and issuer */
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_get_cert_subject_str(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_cert.certificate, &cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_get_cert_issuer_str(ess->es_kmfhandle,
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_cert.certificate, &cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz break;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (*plp == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getcert: no certificate found");
df8bdeb362277e8d95a74d6c097341fe97409948johnz goto cleanup;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_UNCHECKED;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * If the cert we are loading is the trust anchor (ie the CA) then
df8bdeb362277e8d95a74d6c097341fe97409948johnz * we mark it as such in cert. This is so that we don't attempt
df8bdeb362277e8d95a74d6c097341fe97409948johnz * to verify it later. The CA is always implicitly verified.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert_pathname != NULL && (
df8bdeb362277e8d95a74d6c097341fe97409948johnz strcmp(cert_pathname, _PATH_CRYPTO_CACERT) == 0 ||
735564919188238196dbd0d320770dda59b38369Anthony Scarpino strcmp(cert_pathname, _PATH_CRYPTO_OBJCACERT) == 0 ||
735564919188238196dbd0d320770dda59b38369Anthony Scarpino strcmp(cert_pathname, _PATH_CRYPTO_SECACERT) == 0)) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_certCAcallback != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz (ess->es_certCAcallback)(ess->es_callbackctx, cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert_pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_IS_TA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz ret = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzcleanup:
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ret) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz *certp = cert;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz elfcertlib_freecert(ess, cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (signer_DN != NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to find a certificate "
df8bdeb362277e8d95a74d6c097341fe97409948johnz "for DN: %s", signer_DN);
df8bdeb362277e8d95a74d6c097341fe97409948johnz else
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to load certificate "
df8bdeb362277e8d95a74d6c097341fe97409948johnz "from %s", cert_pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (ret);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_loadprivatekey - Load the private key from path
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * pathname
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, const char *pathname)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_RETURN rv = KMF_OK;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_KEY_HANDLE keybuf[2];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[16];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM uint32_t nkeys;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE kstype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEY_ALG keytype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEY_CLASS keyclass;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ENCODE_FORMAT format;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kstype = KMF_KEYSTORE_OPENSSL;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM nkeys = 2;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM keytype = KMF_KEYALG_NONE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM keyclass = KMF_ASYM_PRI;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM format = KMF_FORMAT_UNDEF;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &kstype, sizeof (kstype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM keybuf, sizeof (KMF_KEY_HANDLE));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_COUNT_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &nkeys, sizeof (uint32_t));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYALG_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &keytype, sizeof (keytype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYCLASS_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &keyclass, sizeof (keyclass));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_ENCODE_FORMAT_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &format, sizeof (format));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_FILENAME_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (char *)pathname, strlen(pathname));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_find_key(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK)
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (nkeys != 1) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* lack of specificity */
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("found %d keys at %s", nkeys, pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_privatekey = keybuf[0];
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("key %s loaded", pathname);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_loadtokenkey - Load the private key from token
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * token_label
df8bdeb362277e8d95a74d6c097341fe97409948johnz * pin
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const char *token_label, const char *pin)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_RETURN rv;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM char *idstr = NULL;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM char *kmferr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[16];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM uint32_t nkeys;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE kstype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEY_ALG keytype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEY_CLASS keyclass;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ENCODE_FORMAT format;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_CREDENTIAL pincred;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM boolean_t tokenbool, privatebool;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * We will search for the key based on the ID attribute
df8bdeb362277e8d95a74d6c097341fe97409948johnz * which was added when the key was created. ID is
df8bdeb362277e8d95a74d6c097341fe97409948johnz * a SHA-1 hash of the public modulus shared by the
df8bdeb362277e8d95a74d6c097341fe97409948johnz * key and the certificate.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_get_cert_id_str(&cert->c_cert.certificate, &idstr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (void) kmf_get_kmf_error_str(rv, &kmferr);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cryptodebug("Error getting ID from cert: %s\n",
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (kmferr ? kmferr : "Unrecognized KMF error"));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM free(kmferr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kstype = KMF_KEYSTORE_PK11TOKEN;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM nkeys = 1;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM keytype = KMF_KEYALG_NONE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM keyclass = KMF_ASYM_PRI;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM format = KMF_FORMAT_UNDEF;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM pincred.cred = (char *)pin;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM pincred.credlen = strlen(pin);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM tokenbool = B_FALSE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM privatebool = B_TRUE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &kstype, sizeof (kstype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &cert->c_privatekey, sizeof (KMF_KEY_HANDLE));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_COUNT_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &nkeys, sizeof (uint32_t));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYALG_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &keytype, sizeof (keytype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYCLASS_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &keyclass, sizeof (keyclass));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_ENCODE_FORMAT_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &format, sizeof (format));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_IDSTR_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM idstr, strlen(idstr));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_CREDENTIAL_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &pincred, sizeof (KMF_CREDENTIAL));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_TOKEN_BOOL_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &tokenbool, sizeof (tokenbool));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_PRIVATE_BOOL_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &privatebool, sizeof (privatebool));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_find_key(ess->es_kmfhandle, numattr, attrlist);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM free(idstr);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM if (rv != KMF_OK) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (void) kmf_get_kmf_error_str(rv, &kmferr);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cryptodebug("Error finding private key: %s\n",
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (kmferr ? kmferr : "Unrecognized KMF error"));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM free(kmferr);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM return (B_FALSE);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM }
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM if (nkeys != 1) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cryptodebug("Error finding private key: No key found\n");
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("key found in %s", token_label);
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_loadprivatekey = 0x%.8X",
df8bdeb362277e8d95a74d6c097341fe97409948johnz &cert->c_privatekey);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic const CK_BYTE MD5_DER_PREFIX[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
df8bdeb362277e8d95a74d6c097341fe97409948johnz 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_sign - sign the given DATA using the privatekey in cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT sig - must be big enough to hold the signature of data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * Caller must allocate
df8bdeb362277e8d95a74d6c097341fe97409948johnz * sig_len - actual length used; 0 on failure.
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*ARGSUSED*/
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *data, size_t data_len,
df8bdeb362277e8d95a74d6c097341fe97409948johnz uchar_t *sig, size_t *sig_len)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_RETURN ret;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_DATA tobesigned;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_DATA signature;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM uchar_t der_data[sizeof (MD5_DER_PREFIX) + MD5_DIGEST_LENGTH];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[8];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_version <= FILESIG_VERSION2) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz /* compatibility: take MD5 hash of SHA1 hash */
df8bdeb362277e8d95a74d6c097341fe97409948johnz size_t derlen = MD5_DIGEST_LENGTH;
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5_CTX ctx;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * first: digest using software-based methods, don't
df8bdeb362277e8d95a74d6c097341fe97409948johnz * rely on the token for hashing.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Init(&ctx);
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Update(&ctx, data, data_len);
df8bdeb362277e8d95a74d6c097341fe97409948johnz MD5Final(&der_data[sizeof (MD5_DER_PREFIX)], &ctx);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * second: insert prefix
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memcpy(der_data, MD5_DER_PREFIX,
df8bdeb362277e8d95a74d6c097341fe97409948johnz sizeof (MD5_DER_PREFIX));
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * prepare to sign the local buffer
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Data = (uchar_t *)der_data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Length = sizeof (MD5_DER_PREFIX) + derlen;
df8bdeb362277e8d95a74d6c097341fe97409948johnz } else {
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Data = (uchar_t *)data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz tobesigned.Length = data_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz signature.Data = (uchar_t *)sig;
df8bdeb362277e8d95a74d6c097341fe97409948johnz signature.Length = *sig_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE_ATTR, &(cert->c_privatekey.kstype),
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM sizeof (KMF_KEYSTORE_TYPE));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEY_HANDLE_ATTR, &cert->c_privatekey, sizeof (KMF_KEY_HANDLE));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_OID_ATTR, (KMF_OID *)&KMFOID_RSA, sizeof (KMF_OID));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_DATA_ATTR, &tobesigned, sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_OUT_DATA_ATTR, &signature, sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM ret = kmf_sign_data(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ret != KMF_OK) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM char *kmferr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (void) kmf_get_kmf_error_str(ret, &kmferr);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM cryptodebug("Error signing data: %s\n",
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (kmferr ? kmferr : "Unrecognized KMF error"));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM free(kmferr);
df8bdeb362277e8d95a74d6c097341fe97409948johnz *sig_len = 0;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_FALSE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz *sig_len = signature.Length;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (B_TRUE);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_verifysig - verify the given DATA using the public key in cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN ess - elfsign context structure
df8bdeb362277e8d95a74d6c097341fe97409948johnz * cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * signature
df8bdeb362277e8d95a74d6c097341fe97409948johnz * sig_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data
df8bdeb362277e8d95a74d6c097341fe97409948johnz * data_len
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURNS TRUE/FALSE
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *signature, size_t sig_len,
df8bdeb362277e8d95a74d6c097341fe97409948johnz const uchar_t *data, size_t data_len)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA indata;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_DATA insig;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_ALGORITHM_INDEX algid;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[8];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE kstype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz indata.Data = (uchar_t *)data;
df8bdeb362277e8d95a74d6c097341fe97409948johnz indata.Length = data_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz insig.Data = (uchar_t *)signature;
df8bdeb362277e8d95a74d6c097341fe97409948johnz insig.Length = sig_len;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_version <= FILESIG_VERSION2)
df8bdeb362277e8d95a74d6c097341fe97409948johnz algid = KMF_ALGID_MD5WithRSA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz else
df8bdeb362277e8d95a74d6c097341fe97409948johnz algid = KMF_ALGID_RSA;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz /*
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * We tell KMF to use the PKCS11 verification APIs
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * here to prevent the use of OpenSSL and to keep
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * all validation within the FIPS-140 boundary for
2225707c7e7edf7c636ed349df2592ef85329cddValerie Bubb Fenwick * the Cryptographic Framework.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kstype = KMF_KEYSTORE_PK11TOKEN;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &kstype, sizeof (kstype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_DATA_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &indata, sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_IN_SIGN_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &insig, sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_SIGNER_CERT_DATA_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (KMF_DATA *)(&cert->c_cert.certificate), sizeof (KMF_DATA));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++, KMF_ALGORITHM_INDEX_ATTR,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM &algid, sizeof (algid));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_verify_data(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return ((rv == KMF_OK));
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getdn
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN dn or NULL
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzchar *
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getdn(ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_getdn");
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_getissuer
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT NONE
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN dn or NULL
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzchar *
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_getissuer(ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptodebug("elfcertlib_issuer");
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_init(ELFsign_t ess)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz boolean_t rc = B_TRUE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz KMF_RETURN rv;
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (ess->es_kmfhandle == NULL) {
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_initialize(&ess->es_kmfhandle, NULL, NULL);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR,
df8bdeb362277e8d95a74d6c097341fe97409948johnz "unable to initialize KMF library");
df8bdeb362277e8d95a74d6c097341fe97409948johnz rc = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (rc);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_fini(ELFsign_t ess)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM (void) kmf_finalize(ess->es_kmfhandle);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the token device
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzboolean_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_settoken(ELFsign_t ess, char *token)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM boolean_t rc = B_TRUE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_RETURN rv;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_ATTRIBUTE attrlist[8];
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE kstype;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM boolean_t readonly;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM int numattr;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kstype = KMF_KEYSTORE_PK11TOKEN;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM readonly = B_TRUE;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM numattr = 0;
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_TOKEN_LABEL_ATTR, token, strlen(token));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_set_attr_at_index(attrlist, numattr++,
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM KMF_READONLY_ATTR, &readonly, sizeof (readonly));
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM rv = kmf_configure_keystore(ess->es_kmfhandle, numattr, attrlist);
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (rv != KMF_OK) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR, "unable to select token\n");
df8bdeb362277e8d95a74d6c097341fe97409948johnz rc = B_FALSE;
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (rc);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the certificate CA identification callback
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_setcertCAcallback(ELFsign_t ess,
df8bdeb362277e8d95a74d6c097341fe97409948johnz void (*cb)(void *, ELFCert_t, char *))
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ess->es_certCAcallback = cb;
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * set the certificate verification callback
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_setcertvercallback(ELFsign_t ess,
df8bdeb362277e8d95a74d6c097341fe97409948johnz void (*cb)(void *, ELFCert_t, ELFCert_t))
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ess->es_certvercallback = cb;
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_releasecert - release a cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzvoid
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_releasecert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz elfcertlib_freecert(ess, cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_allocatecert - create a new ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN ELFCert_t, NULL on failure.
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic ELFCert_t
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_allocatecert(void)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz ELFCert_t cert = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert = malloc(sizeof (struct ELFCert_s));
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert == NULL) {
df8bdeb362277e8d95a74d6c097341fe97409948johnz cryptoerror(LOG_ERR,
df8bdeb362277e8d95a74d6c097341fe97409948johnz "elfcertlib_allocatecert: malloc failed %s",
df8bdeb362277e8d95a74d6c097341fe97409948johnz strerror(errno));
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (NULL);
df8bdeb362277e8d95a74d6c097341fe97409948johnz }
df8bdeb362277e8d95a74d6c097341fe97409948johnz (void) memset(cert, 0, sizeof (struct ELFCert_s));
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_verified = E_UNCHECKED;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_subject = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz cert->c_issuer = NULL;
df8bdeb362277e8d95a74d6c097341fe97409948johnz return (cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz/*
df8bdeb362277e8d95a74d6c097341fe97409948johnz * elfcertlib_freecert - freeup the memory of a cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz * IN cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * OUT cert
df8bdeb362277e8d95a74d6c097341fe97409948johnz * RETURN N/A
df8bdeb362277e8d95a74d6c097341fe97409948johnz *
df8bdeb362277e8d95a74d6c097341fe97409948johnz */
df8bdeb362277e8d95a74d6c097341fe97409948johnzstatic void
df8bdeb362277e8d95a74d6c097341fe97409948johnzelfcertlib_freecert(ELFsign_t ess, ELFCert_t cert)
df8bdeb362277e8d95a74d6c097341fe97409948johnz{
df8bdeb362277e8d95a74d6c097341fe97409948johnz if (cert == NULL)
df8bdeb362277e8d95a74d6c097341fe97409948johnz return;
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert->c_subject);
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert->c_issuer);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_free_kmf_cert(ess->es_kmfhandle, &cert->c_cert);
8bab47abcb471dffa36ddbf409a8ef5303398ddfJohn.Zolnowsky@Sun.COM kmf_free_kmf_key(ess->es_kmfhandle, &cert->c_privatekey);
df8bdeb362277e8d95a74d6c097341fe97409948johnz
df8bdeb362277e8d95a74d6c097341fe97409948johnz free(cert);
df8bdeb362277e8d95a74d6c097341fe97409948johnz}