certop.c revision e65e5c2d2f32a99e8c5f740cabae9075dab03ce7
/*
 * CDDL HEADER START
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * CDDL HEADER END
 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
199767f8919635c4928607450d9e0abb932109ceToomas Soome#define CERTFILE_TEMPNAME "/tmp/user.certXXXXXX"
199767f8919635c4928607450d9e0abb932109ceToomas Soomesign_cert(KMF_HANDLE_T, const KMF_DATA *, KMF_KEY_HANDLE *,
199767f8919635c4928607450d9e0abb932109ceToomas Soomeverify_cert_with_key(KMF_HANDLE_T, KMF_DATA *, const KMF_DATA *);
199767f8919635c4928607450d9e0abb932109ceToomas Soomeverify_cert_with_cert(KMF_HANDLE_T, const KMF_DATA *, const KMF_DATA *);
199767f8919635c4928607450d9e0abb932109ceToomas Soomeget_sigalg_from_cert(KMF_DATA *, KMF_ALGORITHM_INDEX *);
199767f8919635c4928607450d9e0abb932109ceToomas Soomeget_keyalg_from_cert(KMF_DATA *cert, KMF_KEY_ALG *keyalg)
199767f8919635c4928607450d9e0abb932109ceToomas Soome rv = DerDecodeSignedCertificate(cert, &SignerCert);
199767f8919635c4928607450d9e0abb932109ceToomas Soome /* Get the algorithm info from the signer certificate */
199767f8919635c4928607450d9e0abb932109ceToomas Soome &SignerCert->signature.algorithmIdentifier.algorithm);
/*
 * Name: kmf_find_prikey_by_cert
 * Description:
 * This function finds the corresponding private key in the keystore
 * for a certificate.
 */
199767f8919635c4928607450d9e0abb932109ceToomas Soomekmf_find_prikey_by_cert(KMF_HANDLE_T handle, int numattr,
199767f8919635c4928607450d9e0abb932109ceToomas Soome {KMF_KEYSTORE_TYPE_ATTR, FALSE, 1, sizeof (KMF_KEYSTORE_TYPE)},
199767f8919635c4928607450d9e0abb932109ceToomas Soome {KMF_CERT_DATA_ATTR, FALSE, sizeof (KMF_DATA), sizeof (KMF_DATA)},
199767f8919635c4928607450d9e0abb932109ceToomas Soome {KMF_KEY_HANDLE_ATTR, TRUE, sizeof (KMF_KEY_HANDLE),
199767f8919635c4928607450d9e0abb932109ceToomas Soome ret = test_attributes(num_req_attrs, required_attrs,
/*
 * First, get the key algorithm info from the certificate and save it
 * in the returned key handle.
 */
199767f8919635c4928607450d9e0abb932109ceToomas Soome cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
199767f8919635c4928607450d9e0abb932109ceToomas Soome key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
199767f8919635c4928607450d9e0abb932109ceToomas Soome /* Call the plugin to do the work. */
199767f8919635c4928607450d9e0abb932109ceToomas Soome ret = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
199767f8919635c4928607450d9e0abb932109ceToomas Soome if (plugin == NULL || plugin->funclist->FindPrikeyByCert == NULL)
199767f8919635c4928607450d9e0abb932109ceToomas Soome return (plugin->funclist->FindPrikeyByCert(handle, numattr, attrlist));
return (KMF_ERR_BAD_PARAMETER);
return (ret);
switch (purpose) {
case KMF_KU_SIGN_CERT:
&constraint);
return (ret);
return (KMF_ERR_KEYUSAGE);
case KMF_KU_SIGN_DATA:
return (KMF_ERR_KEYUSAGE);
case KMF_KU_ENCRYPT_DATA:
return (KMF_ERR_KEYUSAGE);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_OK);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_INCOMPLETE_TBS_CERT);
return (ret);
static KMF_RETURN
int index;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MEMORY);
for (i = 0; i < src_num; i++) {
cur_num++;
cur_num++;
return (KMF_OK);
int freethekey = 0;
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
numattr);
numattr);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
goto out;
goto out;
numattr);
numattr);
goto out;
goto out;
goto out;
numattr);
goto out;
out:
if (new_attrlist)
if (freethekey)
return (ret);
static KMF_RETURN
return (ret);
return (ret);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
numattr);
numattr);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
output);
goto cleanup;
goto cleanup;
return (ret);
int num_args,
sizeof (KMF_DATA)},
sizeof (KMF_DATA)}
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
num_args);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_BAD_ALGORITHM);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (ret);
sizeof (KMF_ATTRIBUTE_TESTER);
return (ret);
return (ret);
numattr);
return (KMF_ERR_BAD_PARAMETER);
numattr);
return (KMF_ERR_BAD_PARAMETER);
NULL) {
return (KMF_ERR_PLUGIN_NOTFOUND);
return (ret);
sizeof (KMF_DATA)},
sizeof (KMF_DATA)},
sizeof (KMF_DATA)}
sizeof (KMF_ATTRIBUTE_TESTER);
return (ret);
return (ret);
numattr);
numattr);
numattr);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_BAD_ALGORITHM);
return (ret);
int new_numattr;
sizeof (KMF_DATA)},
sizeof (KMF_DATA)},
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
numattr);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
numattr);
return (KMF_ERR_BAD_PARAMETER);
numattr);
return (KMF_ERR_BAD_PARAMETER);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
return (ret);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
static KMF_RETURN
int proxy_port = 0;
return (KMF_ERR_BAD_PARAMETER);
&crl_dps);
goto out;
if (done)
goto out;
out:
return (ret);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
return (KMF_OK);
return (ret);
return (ret);
return (ret);
static KMF_RETURN
int numattr = 0;
int fd;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
goto cleanup;
goto checkcrl;
sizeof (crlfile_tmp));
goto cleanup;
goto cleanup;
return (ret);
numattr = 0;
numattr++;
numattr++;
numattr++;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
return (ret);
numattr = 0;
numattr++;
switch (*kstype) {
case KMF_KEYSTORE_NSS:
numattr++;
case KMF_KEYSTORE_PK11TOKEN:
case KMF_KEYSTORE_OPENSSL:
sizeof (user_certfile));
goto cleanup;
goto cleanup;
numattr++;
numattr++;
goto cleanup;
return (ret);
static KMF_RETURN
int response_status;
int reason;
int cert_status;
int numattr;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_OCSP_RESPONSE_LIFETIME);
char *signer_name;
int fc_numattr = 0;
return (KMF_ERR_POLICY_NOT_FOUND);
goto out;
goto out;
sizeof (KMF_KEYSTORE_TYPE));
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
num = 0;
fc_numattr++;
if (num == 0)
if (num > 0)
goto out;
sizeof (KMF_X509_DER_CERT));
fc_numattr++;
goto out;
goto out;
goto out;
numattr = 0;
numattr++;
numattr++;
numattr++;
numattr++;
numattr++;
sizeof (boolean_t));
numattr++;
numattr++;
numattr++;
numattr++;
switch (cert_status) {
case OCSP_GOOD:
case OCSP_UNKNOWN:
case OCSP_REVOKED:
out:
if (new_response) {
if (signer_cert) {
return (ret);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_KEYUSAGE);
return (KMF_OK);
return (ret);
* If KeyCertSign is set, then constraints.cA must be TRUE and
return (ret);
return (KMF_ERR_KEYUSAGE);
return (KMF_OK);
return (KMF_ERR_KEYUSAGE);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
return (KMF_OK);
return (ret);
cert_eku = 0;
return (KMF_ERR_KEYUSAGE);
return (KMF_ERR_KEYUSAGE);
return (KMF_OK);
return (KMF_ERR_KEYUSAGE);
static KMF_RETURN
int fc_numattr = 0;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
num = 0;
fc_numattr++;
sizeof (KMF_X509_DER_CERT));
goto out;
sizeof (KMF_X509_DER_CERT));
fc_numattr++;
goto out;
goto out;
latest = 0;
for (i = 0; i < num; i++) {
goto out;
goto out;
out:
for (i = 0; i < num; i++)
return (ret);
static KMF_RETURN
char *ta_name;
int fc_numattr = 0;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
goto out;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
fc_numattr++;
num = 0;
fc_numattr++;
if (num == 0)
goto out;
fc_numattr++;
goto out;
goto out;
goto out;
goto out;
out:
if (ta_subject)
return (ret);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (KMF_ERR_BAD_PARAMETER);
numattr);
goto out;
goto out;
goto out;
goto out;
goto out;
goto out;
goto out;
goto check_revocation;
if (self_signed) {
goto out;
goto out;
if (self_signed) {
goto out;
goto out;
goto out;
goto out;
goto out;
out:
if (user_issuer) {
if (user_subject)
return (ret);
char *certfile)
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
int len;
goto cleanup;
goto cleanup;
return (rv);
int len = 0;
return (KMF_ERR_BAD_PARAMETER);
return (rv);
switch (*fmt) {
case KMF_FORMAT_ASN1:
case KMF_FORMAT_PEM:
&d, &len);
return (rv);
case KMF_FORMAT_PKCS12:
case KMF_FORMAT_UNDEF:
return (KMF_ERR_ENCODING);
return (rv);
return (ret);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (rv);
return (KMF_ERR_BAD_PARAMETER);
return (rv);
return (KMF_ERR_VALIDITY_PERIOD);
adj = 0;
return (rv);
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (rv);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_FUNCTION_NOT_FOUND);
filename);
return (rv);
return (rv);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_FUNCTION_NOT_FOUND);
return (rv);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MEMORY);
return (KMF_OK);
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MEMORY);
return (KMF_ERR_MEMORY);
return (ret);
static KMF_RETURN
if (!SignedCert)
return (KMF_ERR_BAD_PARAMETER);
if (!SubjectCert)
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
if (ret)
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
return (ret);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
goto cleanup;
goto cleanup;
return (ret);
return (KMF_ERR_BAD_ALGORITHM);
goto cleanup;
goto cleanup;
if (signed_cert) {
return (ret);
static KMF_RETURN
return (KMF_ERR_BAD_PARAMETER);
if (!SignerCertData ||
return (KMF_ERR_BAD_PARAMETER);
return (ret);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
* Force use of PKCS11 API for kcfd/libelfsign. This is
if (SignerCert) {
if (ToBeVerifiedCert) {
return (ret);