99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Use is subject to license terms.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyssetup_crl_call(KMF_HANDLE_T, int, KMF_ATTRIBUTE *, KMF_PLUGIN **);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Name: kmf_set_csr_pubkey
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Description:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function converts the specified plugin public key to SPKI form,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and saves it in the KMF_CSR_DATA internal structure
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Parameters:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMFkey(input) - pointer to the KMF_KEY_HANDLE structure containing the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * public key generated by the plug-in CreateKeypair
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Csr(input/output) - pointer to a KMF_CSR_DATA structure containing
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * A KMF_RETURN value indicating success or specifying a particular
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * error condition.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The value KMF_OK indicates success. All other values represent
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * an error condition.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* The keystore must extract the pubkey data */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (plugin != NULL && plugin->funclist->EncodePubkeyData != NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_set_csr_version(KMF_CSR_DATA *CsrData, uint32_t version)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * From RFC 3280:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Version ::= INTEGER { v1(0), v2(1), v3(2) }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (set_integer(&CsrData->csr.version, (void *)&version,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_create_csr_file(KMF_DATA *csrdata, KMF_ENCODE_FORMAT format,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format != KMF_FORMAT_PEM && format != KMF_FORMAT_ASN1)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((fd = open(csrfile, O_CREAT |O_RDWR, 0644)) == -1) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_set_csr_extn(KMF_CSR_DATA *Csr, KMF_X509_EXTENSION *extn)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &CsrData->csr.subjectPublicKeyInfo.algorithm.parameters);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (KMF_OID *)&KMFOID_SubjectAltName, critical, alttype,
d00756ccb34596a328f8a15d1965da5412d366d0wyllyskmf_add_csr_eku(KMF_CSR_DATA *CSRData, KMF_OID *ekuOID,
d00756ccb34596a328f8a15d1965da5412d366d0wyllys (void) memset(&ekudata, 0, sizeof (KMF_X509EXT_EKU));
d00756ccb34596a328f8a15d1965da5412d366d0wyllys ret = GetSequenceContents((char *)foundextn->BERvalue.Data,
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * If the EKU is already in the cert, then just return OK.
d00756ccb34596a328f8a15d1965da5412d366d0wyllys ret = parse_eku_data(&foundextn->BERvalue, &ekudata);
d00756ccb34596a328f8a15d1965da5412d366d0wyllys /* Write the old extension data first */
d00756ccb34596a328f8a15d1965da5412d366d0wyllys /* Append this EKU OID and close the sequence */
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * If we are just adding to an existing list of EKU OIDs,
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * just replace the BER data associated with the found extension.
d00756ccb34596a328f8a15d1965da5412d366d0wyllys foundextn->BERvalue.Data = (uchar_t *)extdata->bv_val;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Estimate the signed data length generously */
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll KMF_KEY_HANDLE_ATTR, Signkey, sizeof (KMF_KEY_HANDLE));
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll kmf_set_attr_at_index(attlist, i++, KMF_OID_ATTR, &algo->algorithm,
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll kmf_set_attr_at_index(attlist, i++, KMF_DATA_ATTR,
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll (KMF_DATA *)SubjectCsr, sizeof (KMF_DATA));
9f0bc604621fbb9b9b038e6de7da8f9c46e28608Wyllys Ingersoll kmf_set_attr_at_index(attlist, i++, KMF_OUT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If we got here OK, decode into a structure and then re-encode
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the complete CSR.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy(&subj_csr.csr, tbs_csr, sizeof (KMF_TBS_CSR));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = copy_algoid(&subj_csr.signature.algorithmIdentifier, algo);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll algid = x509_algoid_to_algid(&algo->algorithm);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * For DSA and ECDSA, we must encode the
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * signature correctly.
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ret = DerEncodeDSASignature(&signed_data, &signature);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll subj_csr.signature.encrypted = signed_data;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Now, re-encode the CSR with the new signature */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Cleanup & return */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_free_algoid(&subj_csr.signature.algorithmIdentifier);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Name: kmf_sign_csr
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Description:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function signs a CSR and returns the result as a
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * signed, encoded CSR in SignedCsr
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Parameters:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * tbsCsr(input) - pointer to a KMF_DATA structure containing a
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * DER encoded TBS CSR data
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Signkey(input) - pointer to the KMF_KEY_HANDLE structure containing
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the private key generated by the plug-in CreateKeypair
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * algo(input) - contains algorithm info needed for signing
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * SignedCsr(output) - pointer to the KMF_DATA structure containing
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the signed CSR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * A KMF_RETURN value indicating success or specifying a particular
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * error condition.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The value KMF_OK indicates success. All other values represent
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * an error condition.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (tbsCsr == NULL || Signkey == NULL || SignedCsr == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys err = DerEncodeTbsCsr((KMF_TBS_CSR *)&tbsCsr->csr, &csrdata);
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * kmf_decode_csr
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * Description:
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * This function decodes raw CSR data and fills in the KMF_CSR_DATA
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * KMF_HANDLE_T handle
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * KMF_DATA *rawcsr
d00756ccb34596a328f8a15d1965da5412d366d0wyllys * KMF_CSR_DATA *csrdata;
d00756ccb34596a328f8a15d1965da5412d366d0wyllyskmf_decode_csr(KMF_HANDLE_T handle, KMF_DATA *rawcsr, KMF_CSR_DATA *csrdata)
d00756ccb34596a328f8a15d1965da5412d366d0wyllys if (handle == NULL || rawcsr == NULL || csrdata == NULL)
d00756ccb34596a328f8a15d1965da5412d366d0wyllys (void) memcpy(csrdata, cdata, sizeof (KMF_CSR_DATA));
d00756ccb34596a328f8a15d1965da5412d366d0wyllys csrdata = kmf_get_attr_ptr(KMF_CSR_DATA_ATTR, attrlist, numattr);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Decode the DSA signature before verifying it */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rv = DerDecodeDSASignature(&csrdata->signature.encrypted,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll } else if (algid == KMF_ALGID_SHA1WithECDSA ||
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll rv = DerDecodeECDSASignature(&csrdata->signature.encrypted,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys {KMF_KEYSTORE_TYPE_ATTR, FALSE, 1, sizeof (KMF_KEYSTORE_TYPE)}
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_KEYSTORE_PK11TOKEN: /* PKCS#11 CRL is file-based */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_import_crl(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = setup_crl_call(handle, numattr, attrlist, &plugin);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (plugin->funclist->ImportCRL(handle, numattr, attrlist));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_delete_crl(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = setup_crl_call(handle, numattr, attrlist, &plugin);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (plugin->funclist->DeleteCRL(handle, numattr, attrlist));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_list_crl(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = setup_crl_call(handle, numattr, attrlist, &plugin);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (plugin->funclist->ListCRL(handle, numattr, attrlist));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_find_crl(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sizeof (char *), sizeof (char *)}
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * FindCRL is only implemented for NSS. PKCS#11
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * and file-based keystores just store in a file
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * and don't need a "Find" function.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_find_cert_in_crl(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = setup_crl_call(handle, numattr, attrlist, &plugin);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (plugin->funclist->FindCertInCRL(handle, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_verify_crl_file(KMF_HANDLE_T handle, char *crlfile, KMF_DATA *tacert)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_RETURN (*verifyCRLFile)(KMF_HANDLE_T, char *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys verifyCRLFile = (KMF_RETURN(*)())dlsym(plugin->dldesc,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "OpenSSL_VerifyCRLFile");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_check_crl_date(KMF_HANDLE_T handle, char *crlname)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys checkCRLDate = (KMF_RETURN(*)())dlsym(plugin->dldesc,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "OpenSSL_CheckCRLDate");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_is_crl_file(KMF_HANDLE_T handle, char *filename, KMF_ENCODE_FORMAT *pformat)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN (*IsCRLFileFn)(void *, char *, KMF_ENCODE_FORMAT *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This framework function is actually implemented in the openssl
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * plugin library, so we find the function address and call it.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "OpenSSL_IsCRLFile");