csrcrlop.c revision 6b35cb3cf158584a9408d44b9b6796564e8e1882
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <stdio.h>
#include <link.h>
#include <fcntl.h>
#include <ctype.h>
#include <ber_der.h>
#include <kmfapiP.h>
#include <pem_encode.h>
#include <libgen.h>
#include <cryptoutil.h>
static KMF_RETURN
/*
*
* Name: kmf_set_csr_pubkey
*
* Description:
* This function converts the specified plugin public key to SPKI form,
* and save it in the KMF_CSR_DATA internal structure
*
* Parameters:
* KMFkey(input) - pointer to the KMF_KEY_HANDLE structure containing the
* public key generated by the plug-in CreateKeypair
* SPKI
*
* Returns:
* A KMF_RETURN value indicating success or specifying a particular
* error condition.
* The value KMF_OK indicates success. All other values represent
* an error condition.
*
*/
{
return (ret);
return (KMF_ERR_BAD_PARAMETER);
}
/* The keystore must extract the pubkey data */
} else {
return (KMF_ERR_PLUGIN_NOTFOUND);
}
return (ret);
}
{
return (KMF_ERR_BAD_PARAMETER);
/*
* From RFC 3280:
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
return (KMF_ERR_BAD_PARAMETER);
sizeof (uint32_t)));
}
{
}
} else {
return (KMF_ERR_BAD_PARAMETER);
}
return (rv);
}
char *csrfile)
{
int fd = -1;
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
if (format == KMF_FORMAT_PEM) {
int len;
goto cleanup;
}
goto cleanup;
}
if (format == KMF_FORMAT_PEM) {
}
} else {
}
}
if (fd != -1)
return (rv);
}
{
return (KMF_ERR_BAD_PARAMETER);
return (ret);
}
{
return (KMF_ERR_BAD_PARAMETER);
(void) copy_data(
} else {
return (KMF_ERR_BAD_PARAMETER);
}
return (KMF_OK);
}
{
return (KMF_ERR_BAD_PARAMETER);
altname);
return (ret);
}
{
return (KMF_ERR_BAD_PARAMETER);
return (ret);
}
int critical)
{
return (KMF_ERR_BAD_PARAMETER);
goto out;
/*
* If the EKU is already in the cert, then just return OK.
*/
goto out;
}
}
}
return (KMF_ERR_MEMORY);
goto out;
}
/* Write the old extension data first */
goto out;
}
}
/* Append this EKU OID and close the sequence */
goto out;
}
goto out;
}
/*
* If we are just adding to an existing list of EKU OIDs,
* just replace the BER data associated with the found extension.
*/
} else {
goto out;
}
out:
return (ret);
}
static KMF_RETURN
const KMF_DATA *SubjectCsr,
{
int i = 0;
if (!SignedCsr)
return (KMF_ERR_BAD_PARAMETER);
if (!SubjectCsr)
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_BAD_PARAMETER);
/* Estimate the signed data length generously */
if (!signed_data.Data) {
goto cleanup;
}
kmf_set_attr_at_index(attlist, i++,
kmf_set_attr_at_index(attlist, i++,
sizeof (KMF_OID));
&signed_data, sizeof (KMF_DATA));
goto cleanup;
/*
* If we got here OK, decode into a structure and then re-encode
* the complete CSR.
*/
if (ret)
goto cleanup;
if (ret)
goto cleanup;
if (algid == KMF_ALGID_SHA1WithDSA ||
algid == KMF_ALGID_SHA256WithDSA ||
algid == KMF_ALGID_SHA1WithECDSA ||
/*
* For DSA and ECDSA, we must encode the
* signature correctly.
*/
goto cleanup;
} else {
}
/* Now, re-encode the CSR with the new signature */
goto cleanup;
}
/* Cleanup & return */
return (ret);
}
/*
*
* Name: kmf_sign_csr
*
* Description:
* This function signs a CSR and returns the result as a
* signed, encoded CSR in SignedCsr
*
* Parameters:
* tbsCsr(input) - pointer to a KMF_DATA structure containing a
* DER encoded TBS CSR data
* Signkey(input) - pointer to the KMF_KEY_HANDLE structure containing
* the private key generated by the plug-in CreateKeypair
* algo(input) - contains algorithm info needed for signing
* SignedCsr(output) - pointer to the KMF_DATA structure containing
* the signed CSR
*
* Returns:
* A KMF_RETURN value indicating success or specifying a particular
* error condition.
* The value KMF_OK indicates success. All other values represent
* an error condition.
*
*/
const KMF_CSR_DATA *tbsCsr,
{
return (err);
return (KMF_ERR_BAD_PARAMETER);
}
}
return (err);
}
/*
* kmf_decode_csr
*
* Description:
* This function decodes raw CSR data and fills in the KMF_CSR_DATA
* record.
*
* Inputs:
* KMF_HANDLE_T handle
* KMF_DATA *rawcsr
* KMF_CSR_DATA *csrdata;
*/
{
return (KMF_ERR_BAD_PARAMETER);
return (rv);
return (rv);
}
{
sizeof (KMF_CSR_DATA)},
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (rv);
return (KMF_ERR_BAD_PARAMETER);
return (rv);
if (algid == KMF_ALGID_SHA1WithDSA ||
algid == KMF_ALGID_SHA256WithDSA) {
/* Decode the DSA signature before verifying it */
&signature);
goto end;
} else if (algid == KMF_ALGID_SHA1WithECDSA ||
&signature);
goto end;
} else {
&rawcsr,
}
end:
return (rv);
}
static KMF_RETURN
{
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
switch (kstype) {
case KMF_KEYSTORE_NSS:
break;
case KMF_KEYSTORE_OPENSSL:
case KMF_KEYSTORE_PK11TOKEN: /* PKCS#11 CRL is file-based */
break;
default:
return (KMF_ERR_PLUGIN_NOTFOUND);
}
return (KMF_OK);
}
{
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
{
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
{
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
{
sizeof (KMF_KEYSTORE_TYPE)},
sizeof (char *), sizeof (char *)}
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
switch (kstype) {
case KMF_KEYSTORE_NSS:
break;
case KMF_KEYSTORE_OPENSSL:
case KMF_KEYSTORE_PK11TOKEN:
return (KMF_ERR_FUNCTION_NOT_FOUND);
default:
/*
* FindCRL is only implemented for NSS. PKCS#11
* and file-based keystores just store in a file
* and don't need a "Find" function.
*/
return (KMF_ERR_PLUGIN_NOTFOUND);
}
return (KMF_ERR_PLUGIN_NOTFOUND);
attrlist));
}
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
{
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
attrlist));
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
{
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_PLUGIN_NOTFOUND);
}
"OpenSSL_VerifyCRLFile");
if (verifyCRLFile == NULL) {
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
}
{
KMF_RETURN (*checkCRLDate)(void *, char *);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (KMF_ERR_PLUGIN_NOTFOUND);
}
"OpenSSL_CheckCRLDate");
if (checkCRLDate == NULL) {
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
}
{
return (ret);
return (KMF_ERR_BAD_PARAMETER);
}
/*
* This framework function is actually implemented in the openssl
* plugin library, so we find the function address and call it.
*/
return (KMF_ERR_PLUGIN_NOTFOUND);
}
"OpenSSL_IsCRLFile");
if (IsCRLFileFn == NULL) {
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
}