99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(dstext, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = copy_data(&dstext->BERvalue, &srcext->BERvalue);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys dstext->value.tagAndValue = malloc(sizeof (KMF_X509EXT_TAGandVALUE));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys dstext->value.tagAndValue->type = srcext->value.tagAndValue->type;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Given a block of DER encoded X.509 certificate data and
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * an OID for the desired extension, this routine will
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * parse the cert data and return the data associated with
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the extension if it is found.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - if extension found and copied OK.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * parsing and memory allocation errors are also possible.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (certdata == NULL || extoid == NULL || extdata == NULL)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (cert->certificate.extensions.numberOfExtensions == 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset((void *)extdata, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; !found &&
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Given a block of DER encoded X.509 certificate data and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * a "crit/non-crit/all" flag, search the extensions and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * return the OIDs for critical, non-critical or all extensions.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - if extension found and copied OK.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * parsing and memory allocation errors are also possible.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * OIDlist - array of KMF_OID records, allocated
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * by this function.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NumOIDs - number of critical extensions found.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_extns(const KMF_DATA *certdata, KMF_FLAG_CERT_EXTN flag,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (certdata == NULL || extlist == NULL || nextns == NULL)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (flag < KMF_ALL_EXTNS || flag > KMF_NONCRITICAL_EXTNS)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cert->certificate.extensions.numberOfExtensions == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < cert->certificate.extensions.numberOfExtensions;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (flag == KMF_CRITICAL_EXTNS && eptr->critical == 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys else if (flag == KMF_NONCRITICAL_EXTNS && eptr->critical != 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = copy_extension_data(&elist[(*nextns) - 1], eptr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the flag is not all, then it is possible that we did not find
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * any critical or non-critical extensions. When that happens,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * return KMF_ERR_EXTENSION_NOT_FOUND.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (flag != KMF_ALL_EXTNS && ret == KMF_OK && *nextns == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the given certificate data (X.509 DER encoded data)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * contains the Key Usage extension, parse that
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * data and return it in the KMF_X509EXT_BASICCONSTRAINTS
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - success
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_BAD_PARAMETER - input data was bad.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Check standard KeyUsage bits
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_cert_extn(certdata, (KMF_OID *)&KMFOID_KeyUsage, &extn);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyusage->KeyUsageBits = extn.value.tagAndValue->value.Data[0];
d00756ccb34596a328f8a15d1965da5412d366d0wyllysis_eku_present(KMF_X509EXT_EKU *ekuptr, KMF_OID *ekuoid)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (IsEqualOid(&ekuptr->keyPurposeIdList[i], ekuoid))
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysparse_eku_data(const KMF_DATA *asn1data, KMF_X509EXT_EKU *ekuptr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the ASN.1 data for the extension.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (kmfber_first_element(asn1, &size, &end) != BER_OBJECT_IDENTIFIER) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Count the number of EKU OIDs and store in
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the array.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the CONSTRUCTED SET tag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "D", &oid) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ekuptr->keyPurposeIdList = realloc(ekuptr->keyPurposeIdList,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free_keyidlist(ekuptr->keyPurposeIdList, ekuptr->nEKUs);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the given certificate data (X.509 DER encoded data)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * contains the Basic Constraints extension, parse that
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * data and return it in the KMF_X509EXT_BASICCONSTRAINTS
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - success
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_BAD_PARAMETER - input data was bad.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_basic_constraint(const KMF_DATA *certdata,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_BOOL *critical, KMF_X509EXT_BASICCONSTRAINTS *constraint)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (certdata == NULL || constraint == NULL || critical == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys exdata.bv_val = (char *)extn.value.tagAndValue->value.Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys exdata.bv_len = extn.value.tagAndValue->value.Length;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "b", &constraint->cA) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Policy Qualifiers may be a list of sequences.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PolicyInformation ::= SEQUENCE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * policyIdentifier CertPolicyId,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * policyQualifiers SEQUENCE SIZE (1..MAX) OF
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PolicyQualifierInfo OPTIONAL
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PolicyQualifierInfo ::= SEQUENCE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * policyQualifierId PolicyQualifierId,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * qualifier ANY DEFINED BY policyQualifierId
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * We already got the CertPolicyId, we just need to
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * find all of the policyQualifiers in the set.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Mark the first element of the SEQUENCE and reset the end ptr
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * so the ber/der code knows when to stop looking.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((tag = kmfber_first_element(asn1, &size, &end)) !=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* We found a sequence, loop until done */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys while ((tag = kmfber_next_element(asn1, &size, end)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the CONSTRUCTED SET tag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Allocate memory for the Policy Qualifier Info
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys pqinfo = malloc(sizeof (KMF_X509EXT_POLICYQUALIFIERINFO));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Read the PolicyQualifier OID
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The OID of the policyQualifierId determines what
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * sort of data comes next.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CPS uri must be an IA5STRING
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * For now, just copy the whole UserNotice ASN.1
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * blob into the pqinfo data record.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * TBD - parse it into individual fields.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the given certificate data (X.509 DER encoded data)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * contains the Certificate Policies extension, parse that
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * data and return it in the KMF_X509EXT_CERT_POLICIES
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - success
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_BAD_PARAMETER - input data was bad.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * parsing and memory allocation errors are also possible.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_BOOL *critical, KMF_X509EXT_CERT_POLICIES *extptr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (certdata == NULL || critical == NULL || extptr == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the ASN.1 data for the extension.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset((void *)extptr, 0, sizeof (KMF_X509EXT_CERT_POLICIES));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((tag = kmfber_first_element(asn1, &size, &end)) !=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Collect all of the PolicyInformation SEQUENCES
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PolicyInformation ::= SEQUENCE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * policyIdentifier CertPolicyId,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * policyQualifiers SEQUENCE SIZE (1..MAX) OF
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PolicyQualifierInfo OPTIONAL
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Loop over the SEQUENCES of PolicyInfo
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys while ((tag = kmfber_next_element(asn1, &size, end)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the CONSTRUCTED SET tag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the PolicyInformation SEQUENCE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Gather all of the associated PolicyQualifierInfo recs
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pinfo->policyQualifiers.policyQualifier == NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pinfo->policyQualifiers.numberOfPolicyQualifiers = cnt;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys extptr->policyInfo[extptr->numberOfPolicyInfo-1] = *pinfo;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the given certificate data (X.509 DER encoded data)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * contains the Authority Information Access extension, parse that
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * data and return it in the KMF_X509EXT_AUTHINFOACCESS
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_OK - success
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_BAD_PARAMETER - input data was bad.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_auth_info_access(const KMF_DATA *certdata,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the ASN.1 data for the extension.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset((void *)aia, 0, sizeof (KMF_X509EXT_AUTHINFOACCESS));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * AuthorityInfoAccessSyntax ::=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * SEQUENCE SIZE (1..MAX) OF AccessDescription
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((tag = kmfber_first_element(asn1, &size, &end)) !=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * AccessDescription ::= SEQUENCE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * accessMethod OBJECT IDENTIFIER,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * accessLocation GeneralName }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys while ((tag = kmfber_next_element(asn1, &size, end)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the CONSTRUCTED SET tag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys access_info = malloc(sizeof (KMF_X509EXT_ACCESSDESC));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Read the AccessMethod OID
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The OID of the AccessMethod determines what
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * sort of data comes next.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * OCSP uri must be an IA5STRING or a GENNAME_URI
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * with an implicit tag.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* will be supported later with PKIX */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function parses the name portion of a der-encoded distribution point
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * returns it in the KMF_CRL_DIST_POINT record.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The "DistributionPointName" syntax is
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * DistributionPointName ::= CHOICE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fullName [0] GeneralNames,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Note: for phase 1, we support fullName only.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysparse_dp_name(char *dp_der_code, int dp_der_size, KMF_CRL_DIST_POINT *dp)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (dp_der_code == NULL || dp_der_size == 0 || dp == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the explicit tag and size */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For phase 1, we are interested in a URI name only */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip type and len, then read url and save it. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys fullname->namelist[fullname->number - 1].name.Length =
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (unsigned char *)url;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* "nameRelativeToCRLIssuer" is not supported at phase 1. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function retrieves the CRL Distribution Points extension data from
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * a DER encoded certificate if it contains this extension, parses the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * extension data, and returns it in the KMF_X509EXT_CRLDISTPOINTS record.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the ASN.1 data for this extension. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the CRLDistributionPoints ASN.1 data. The Syntax for
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CRLDistributionPoints is
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CRLDistributionPoints ::=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * SEQUENCE SIZE (1..MAX) OF DistributionPoint
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * DistributionPoint ::= SEQUENCE {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * distributionPoint [0] DistributionPointName OPTIONAL,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * reasons [1] ReasonFlags OPTIONAL,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * cRLIssuer [2] GeneralNames OPTIONAL }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((tag = kmfber_first_element(asn1, &size, &end)) !=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset((void *)crl_dps, 0, sizeof (KMF_X509EXT_CRLDISTPOINTS));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys while ((tag = kmfber_next_element(asn1, &size, end)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Skip over the CONSTRUCTED SET tag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((dp = malloc(sizeof (KMF_CRL_DIST_POINT))) == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset((void *)dp, 0, sizeof (KMF_CRL_DIST_POINT));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* next field */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((dp->reasons.Data = malloc(dp->reasons.Length)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(dp->reasons.Data, (uchar_t *)bit_string,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* next field */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* For cRLIssuer, read the data only at phase 1 */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* A distribution point cannot have a "reasons" field only. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Although it is legal that a distribution point contains
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * a cRLIssuer field only, with or without "reasons", we will
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * skip it if the name field is not present in phase 1.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* free the dp itself since we just used its contents */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMF_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN (*getPrintableFn)(void *, const KMF_DATA *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This framework function is actually implemented in the openssl
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * plugin library, so we find the function address and call it.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys getPrintableFn = (KMF_RETURN(*)())dlsym(plugin->dldesc,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "OpenSSL_CertGetPrintable");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (getPrintableFn(handle, SignedCert, flag, resultStr));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_version_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_VERSION,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_subject_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SUBJECT,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_issuer_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_ISSUER,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_serial_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SERIALNUM,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_start_date_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_NOTBEFORE,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_end_date_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_NOTAFTER,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_pubkey_alg_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_PUBKEY_ALG,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_sig_alg_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SIGNATURE_ALG,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_pubkey_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_PUBKEY_DATA,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_email_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_EMAIL, tmpstr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Given a certificate (DER Encoded data) and a KMF
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * extension identifier constant (e.g. KMF_X509_EXT_*),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * return a human readable interpretation of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * extension data.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The string will be a maximum of KMF_CERT_PRINTABLE_LEN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * bytes long. The string is allocated locally and
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * must be freed by the caller.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_extn_str(KMF_HANDLE_T handle, const KMF_DATA *cert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_CertGetPrintable(handle, cert, extension, tmpstr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_id_data(const KMF_DATA *SignedCert, KMF_DATA *ID)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = GetIDFromSPKI(&cert->certificate.subjectPublicKeyInfo, ID);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_id_str(const KMF_DATA *SignedCert, char **idstr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function gets the time_t values of the notbefore and notafter dates
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * from a der-encoded certificate.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_get_cert_validity(const KMF_DATA *cert, time_t *not_before,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cert == NULL || not_before == NULL || not_after == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get notBefore */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys not_before_str = certData->certificate.validity.notBefore.time.Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (strptime((const char *)not_before_str, "%y %m %d %H %M %S",
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (((t_notbefore = mktime(&tm_tmp)) == (time_t)(-1)) &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get notAfter */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys not_after_str = certData->certificate.validity.notAfter.time.Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (strptime((const char *)not_after_str, "%y %m %d %H %M %S",
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (((t_notafter = mktime(&tm_tmp)) == (time_t)(-1)) &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* The keystore must extract the pubkey data */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (plugin != NULL && plugin->funclist->EncodePubkeyData != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = copy_data(&extn.extnId, (KMF_OID *)&KMFOID_KeyUsage);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* empty body */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_printf(asn1, "B", (char *)&kubits, bitlen) == -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = set_key_usage_extension(&CertData->certificate.extensions,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) copy_data(&CertData->certificate.signature.parameters,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &CertData->certificate.subjectPublicKeyInfo.algorithm.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Set up validity fields */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Build the format in 2 parts so SCCS doesn't get confused */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CertData->certificate.validity.notBefore.timeType = BER_UTCTIME;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CertData->certificate.validity.notBefore.time.Length =
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Build the format in 2 parts so SCCS doesn't get confused */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CertData->certificate.validity.notAfter.timeType = BER_UTCTIME;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CertData->certificate.validity.notAfter.time.Length =
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Utility routine to set Integer values in the Certificate template
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * for things like serialNumber and Version. The data structure
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * expects pointers, not literal values, so we must allocate
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and copy here. Don't use memory from the stack since this data
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * is freed later and that would be bad.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy((void *)data->Data, (const void *)value, length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (data == NULL || bigint == NULL || bigint->len == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy((void *)data->val, bigint->val, bigint->len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (CertData == NULL || serno == NULL || serno->len == 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (set_bigint(&CertData->certificate.serialNumber, serno));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * From RFC 3280:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Version ::= INTEGER { v1(0), v2(1), v3(2) }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (set_integer(&CertData->certificate.version, (void *)&version,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_set_cert_issuer_altname(KMF_X509_CERTIFICATE *CertData,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_set_altname(&CertData->certificate.extensions,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (KMF_OID *)&KMFOID_IssuerAltName, critical, nametype, namedata));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_set_cert_subject_altname(KMF_X509_CERTIFICATE *CertData,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_set_altname(&CertData->certificate.extensions,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (KMF_OID *)&KMFOID_SubjectAltName, critical, nametype, namedata));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_add_cert_eku(KMF_X509_CERTIFICATE *CertData, KMF_OID *ekuOID,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&ekudata, 0, sizeof (KMF_X509EXT_EKU));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys foundextn = FindExtn(&CertData->certificate.extensions,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = GetSequenceContents((char *)foundextn->BERvalue.Data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the EKU is already in the cert, then just return OK.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = parse_eku_data(&foundextn->BERvalue, &ekudata);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Write the old extension data first */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Append this EKU OID and close the sequence */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If we are just adding to an existing list of EKU OIDs,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * just replace the BER data associated with the found extension.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys foundextn->BERvalue.Data = (uchar_t *)extdata->bv_val;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_set_cert_basic_constraint(KMF_X509_CERTIFICATE *CertData,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_BOOL critical, KMF_X509EXT_BASICCONSTRAINTS *constraint)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = copy_data(&extn.extnId, (KMF_OID *)&KMFOID_BasicConstraints);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (kmfber_printf(asn1, "b", constraint->cA) == -1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Write the pathLenConstraint value */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Phase 1 APIs still needed to maintain compat with elfsign.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMF_GetCertSubjectNameString(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_get_cert_subject_str(handle, SignedCert, result));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysKMF_GetCertIssuerNameString(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (kmf_get_cert_issuer_str(handle, SignedCert, result));