generalop.c revision 269e59f9a28bf47e0f463e64fc5af4a408b73b21
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*/
#include <stdio.h>
#include <dlfcn.h>
#include <link.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>
#include <thread.h>
#include <ber_der.h>
#include <kmfapiP.h>
#include <pem_encode.h>
#include <rdn_parser.h>
#include <libgen.h>
#include <cryptoutil.h>
static uchar_t pkcs11_initialized = 0;
extern int errno;
typedef struct {
char *message;
static kmf_error_map kmf_errcodes[] = {
{KMF_OK, "KMF_OK"},
{KMF_ERR_BAD_PARAMETER, "KMF_ERR_BAD_PARAMETER"},
{KMF_ERR_BAD_KEY_FORMAT, "KMF_ERR_BAD_KEY_FORMAT"},
{KMF_ERR_BAD_ALGORITHM, "KMF_ERR_BAD_ALGORITHM"},
{KMF_ERR_MEMORY, "KMF_ERR_MEMORY"},
{KMF_ERR_ENCODING, "KMF_ERR_ENCODING"},
{KMF_ERR_PLUGIN_INIT, "KMF_ERR_PLUGIN_INIT"},
{KMF_ERR_PLUGIN_NOTFOUND, "KMF_ERR_PLUGIN_NOTFOUND"},
{KMF_ERR_INTERNAL, "KMF_ERR_INTERNAL"},
{KMF_ERR_BAD_CERT_FORMAT, "KMF_ERR_BAD_CERT_FORMAT"},
{KMF_ERR_KEYGEN_FAILED, "KMF_ERR_KEYGEN_FAILED"},
{KMF_ERR_UNINITIALIZED, "KMF_ERR_UNINITIALIZED"},
{KMF_ERR_ISSUER, "KMF_ERR_ISSUER"},
{KMF_ERR_NOT_REVOKED, "KMF_ERR_NOT_REVOKED"},
{KMF_ERR_CERT_NOT_FOUND, "KMF_ERR_CERT_NOT_FOUND"},
{KMF_ERR_CRL_NOT_FOUND, "KMF_ERR_CRL_NOT_FOUND"},
{KMF_ERR_RDN_PARSER, "KMF_ERR_RDN_PARSER"},
{KMF_ERR_RDN_ATTR, "KMF_ERR_RDN_ATTR"},
{KMF_ERR_SLOTNAME, "KMF_ERR_SLOTNAME"},
{KMF_ERR_EMPTY_CRL, "KMF_ERR_EMPTY_CRL"},
{KMF_ERR_BUFFER_SIZE, "KMF_ERR_BUFFER_SIZE"},
{KMF_ERR_AUTH_FAILED, "KMF_ERR_AUTH_FAILED"},
{KMF_ERR_TOKEN_SELECTED, "KMF_ERR_TOKEN_SELECTED"},
{KMF_ERR_NO_TOKEN_SELECTED, "KMF_ERR_NO_TOKEN_SELECTED"},
{KMF_ERR_TOKEN_NOT_PRESENT, "KMF_ERR_TOKEN_NOT_PRESENT"},
{KMF_ERR_EXTENSION_NOT_FOUND, "KMF_ERR_EXTENSION_NOT_FOUND"},
{KMF_ERR_POLICY_ENGINE, "KMF_ERR_POLICY_ENGINE"},
{KMF_ERR_POLICY_DB_FORMAT, "KMF_ERR_POLICY_DB_FORMAT"},
{KMF_ERR_POLICY_NOT_FOUND, "KMF_ERR_POLICY_NOT_FOUND"},
{KMF_ERR_POLICY_DB_FILE, "KMF_ERR_POLICY_DB_FILE"},
{KMF_ERR_POLICY_NAME, "KMF_ERR_POLICY_NAME"},
{KMF_ERR_OCSP_POLICY, "KMF_ERR_OCSP_POLICY"},
{KMF_ERR_TA_POLICY, "KMF_ERR_TA_POLICY"},
{KMF_ERR_KEY_NOT_FOUND, "KMF_ERR_KEY_NOT_FOUND"},
{KMF_ERR_OPEN_FILE, "KMF_ERR_OPEN_FILE"},
{KMF_ERR_OCSP_BAD_ISSUER, "KMF_ERR_OCSP_BAD_ISSUER"},
{KMF_ERR_OCSP_BAD_CERT, "KMF_ERR_OCSP_BAD_CERT"},
{KMF_ERR_OCSP_CREATE_REQUEST, "KMF_ERR_OCSP_CREATE_REQUEST"},
{KMF_ERR_CONNECT_SERVER, "KMF_ERR_CONNECT_SERVER"},
{KMF_ERR_SEND_REQUEST, "KMF_ERR_SEND_REQUEST"},
{KMF_ERR_OCSP_CERTID, "KMF_ERR_OCSP_CERTID"},
{KMF_ERR_OCSP_MALFORMED_RESPONSE, "KMF_ERR_OCSP_MALFORMED_RESPONSE"},
{KMF_ERR_OCSP_RESPONSE_STATUS, "KMF_ERR_OCSP_RESPONSE_STATUS"},
{KMF_ERR_OCSP_NO_BASIC_RESPONSE, "KMF_ERR_OCSP_NO_BASIC_RESPONSE"},
{KMF_ERR_OCSP_BAD_SIGNER, "KMF_ERR_OCSP_BAD_SIGNER"},
{KMF_ERR_OCSP_RESPONSE_SIGNATURE, "KMF_ERR_OCSP_RESPONSE_SIGNATURE"},
{KMF_ERR_OCSP_UNKNOWN_CERT, "KMF_ERR_OCSP_UNKNOWN_CERT"},
{KMF_ERR_OCSP_STATUS_TIME_INVALID, "KMF_ERR_OCSP_STATUS_TIME_INVALID"},
{KMF_ERR_BAD_HTTP_RESPONSE, "KMF_ERR_BAD_HTTP_RESPONSE"},
{KMF_ERR_RECV_RESPONSE, "KMF_ERR_RECV_RESPONSE"},
{KMF_ERR_RECV_TIMEOUT, "KMF_ERR_RECV_TIMEOUT"},
{KMF_ERR_DUPLICATE_KEYFILE, "KMF_ERR_DUPLICATE_KEYFILE"},
{KMF_ERR_AMBIGUOUS_PATHNAME, "KMF_ERR_AMBIGUOUS_PATHNAME"},
{KMF_ERR_FUNCTION_NOT_FOUND, "KMF_ERR_FUNCTION_NOT_FOUND"},
{KMF_ERR_PKCS12_FORMAT, "KMF_ERR_PKCS12_FORMAT"},
{KMF_ERR_BAD_KEY_TYPE, "KMF_ERR_BAD_KEY_TYPE"},
{KMF_ERR_BAD_KEY_CLASS, "KMF_ERR_BAD_KEY_CLASS"},
{KMF_ERR_BAD_KEY_SIZE, "KMF_ERR_BAD_KEY_SIZE"},
{KMF_ERR_BAD_HEX_STRING, "KMF_ERR_BAD_HEX_STRING"},
{KMF_ERR_KEYUSAGE, "KMF_ERR_KEYUSAGE"},
{KMF_ERR_VALIDITY_PERIOD, "KMF_ERR_VALIDITY_PERIOD"},
{KMF_ERR_OCSP_REVOKED, "KMF_ERR_OCSP_REVOKED"},
{KMF_ERR_CERT_MULTIPLE_FOUND, "KMF_ERR_CERT_MULTIPLE_FOUND"},
{KMF_ERR_WRITE_FILE, "KMF_ERR_WRITE_FILE"},
{KMF_ERR_BAD_URI, "KMF_ERR_BAD_URI"},
{KMF_ERR_BAD_CRLFILE, "KMF_ERR_BAD_CRLFILE"},
{KMF_ERR_BAD_CERTFILE, "KMF_ERR_BAD_CERTFILE"},
{KMF_ERR_GETKEYVALUE_FAILED, "KMF_ERR_GETKEYVALUE_FAILED"},
{KMF_ERR_BAD_KEYHANDLE, "KMF_ERR_BAD_KEYHANDLE"},
{KMF_ERR_BAD_OBJECT_TYPE, "KMF_ERR_BAD_OBJECT_TYPE"},
{KMF_ERR_OCSP_RESPONSE_LIFETIME, "KMF_ERR_OCSP_RESPONSE_LIFETIME"},
{KMF_ERR_UNKNOWN_CSR_ATTRIBUTE, "KMF_ERR_UNKNOWN_CSR_ATTRIBUTE"},
{KMF_ERR_UNINITIALIZED_TOKEN, "KMF_ERR_UNINITIALIZED_TOKEN"},
{KMF_ERR_INCOMPLETE_TBS_CERT, "KMF_ERR_INCOMPLETE_TBS_CERT"},
{KMF_ERR_MISSING_ERRCODE, "KMF_ERR_MISSING_ERRCODE"},
{KMF_KEYSTORE_ALREADY_INITIALIZED, "KMF_KEYSTORE_ALREADY_INITIALIZED"},
{KMF_ERR_SENSITIVE_KEY, "KMF_ERR_SENSITIVE_KEY"},
{KMF_ERR_UNEXTRACTABLE_KEY, "KMF_ERR_UNEXTRACTABLE_KEY"},
{KMF_ERR_KEY_MISMATCH, "KMF_ERR_KEY_MISMATCH"},
{KMF_ERR_ATTR_NOT_FOUND, "KMF_ERR_ATTR_NOT_FOUND"},
{KMF_ERR_KMF_CONF, "KMF_ERR_KMF_CONF"},
{KMF_ERR_NAME_NOT_MATCHED, "KMF_ERR_NAME_NOT_MATCHED"},
{KMF_ERR_MAPPER_OPEN, "KMF_ERR_MAPPER_OPEN"},
{KMF_ERR_MAPPER_NOT_FOUND, "KMF_ERR_MAPPER_NOT_FOUND"},
{KMF_ERR_MAPPING_FAILED, "KMF_ERR_MAPPING_FAILED"}
};
typedef struct {
char *path;
KMF_PLUGIN_ITEM plugin_list[] = {
};
static void DestroyPlugin(KMF_PLUGIN *);
#if defined(__sparcv9)
#define ISA_PATH "/sparcv9"
#define ISA_PATH "/"
#define ISA_PATH "/"
#define ISA_PATH "/amd64"
#endif
#define DEFAULT_KEYSTORE_NUM 3
static int kstore_num = DEFAULT_KEYSTORE_NUM;
{
(void) mutex_lock(&init_lock);
if (!pkcs11_initialized) {
(rv != CKR_CRYPTOKI_ALREADY_INITIALIZED)) {
(void) mutex_unlock(&init_lock);
return (KMF_ERR_UNINITIALIZED);
} else {
pkcs11_initialized = 1;
}
}
(void) mutex_unlock(&init_lock);
return (KMF_OK);
}
/*
* Private method for searching the plugin list for the correct
* Plugin to use.
*/
{
return (NULL);
/* See if the desired plugin was already initialized. */
/* The plugin was not found, try to initialize it here. */
if (VALID_DEFAULT_KEYSTORE_TYPE(kstype)) {
int i;
for (i = 0; i < numitems; i++) {
break;
}
}
goto out;
} else {
/*
* Not a built-in plugin. Check if it is in the
* extra_plugin_list. If it is, try to initialize it here.
*/
char realpath[MAXPATHLEN];
break;
else
}
return (NULL);
/*
* Get the absolute path of the module.
* - If modulepath is not a full path, then prepend it
* with KMF_PLUGIN_PATH.
* - If modulepath is a full path and contain $ISA, then
* subsitute the architecture dependent path.
*/
} else {
char *isa;
char *isa_str;
return (NULL);
} else {
}
}
&pluginrec);
goto out;
}
out:
/* No matching plugins found in the built-in list */
return (NULL);
}
return (pluginrec);
}
static KMF_RETURN
{
KMF_PLUGIN *p = NULL;
KMF_PLUGIN_FUNCLIST *(*sym)();
return (KMF_ERR_BAD_PARAMETER);
if (p == NULL)
return (KMF_ERR_MEMORY);
free(p);
return (KMF_ERR_MEMORY);
}
/*
* Do not use RTLD_GROUP here, or this will cause a circular
* dependency when kmf_pkcs11.so.1 gets its PKCS#11 functions
* from libpkcs11.so.1 when kmf is used via libelfsign.so.1
* called from kcfd.
*/
free(p);
return (KMF_ERR_PLUGIN_INIT);
}
free(p);
return (KMF_ERR_PLUGIN_INIT);
}
/* Get the function list */
free(p);
return (KMF_ERR_PLUGIN_INIT);
}
*plugin = p;
return (KMF_OK);
}
static KMF_RETURN
{
KMF_PLUGIN_LIST *n;
return (KMF_ERR_BAD_PARAMETER);
/* If the head is NULL, create it */
sizeof (KMF_PLUGIN_LIST));
return (KMF_ERR_MEMORY);
} else {
/* walk the list to find the tail */
n = n->next;
return (KMF_ERR_MEMORY);
}
return (0);
}
static void
{
if (plugin) {
}
}
static void
{
}
}
}
void
{
/* Close active session on a pkcs11 token */
}
}
}
{
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MEMORY);
/*
* When this function is called the first time, get the additional
* plugins from the config file.
*/
(void) mutex_lock(&extra_plugin_lock);
if (!check_extra_plugin) {
/*
* Assign the kstype number to the additional plugins here.
* The global kstore_num will be protected by the mutex lock.
*/
}
}
/*
* If the KMF configuration file does not exist or cannot be
* parsed correctly, we will give a warning in syslog and
* continue on as there is no extra plugins in the system.
*/
if (ret == KMF_ERR_KMF_CONF) {
"the private KMF config file.\n");
}
(void) mutex_unlock(&extra_plugin_lock);
goto errout;
}
}
(void) mutex_unlock(&extra_plugin_lock);
/* Initialize the handle with the policy */
goto errout;
/*
* Let's have the mapper status structure even if no cert-to-name
* mapping is initialized. It's better not to coredump in the
* kmf_get_mapper_lasterror function, for example, when there is no
* mapping initialized.
*/
goto errout;
}
/*
* Initialize the mapping scheme according to the policy. If no mapping
* is set in the policy database we silently ignore the error.
*/
}
return (ret);
}
int num_args,
{
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
return (ret);
attrlist));
} else {
/* return KMF_OK, if the plugin does not have an entry */
return (KMF_OK);
}
}
{
return (ret);
if (pkcs11_initialized) {
}
return (ret);
}
{
int i, maxerr;
return (KMF_ERR_BAD_PARAMETER);
/* empty body */
;
if (i == maxerr)
return (KMF_ERR_MISSING_ERRCODE);
else {
return (KMF_ERR_MEMORY);
}
return (ret);
}
{
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MISSING_ERRCODE);
}
return (KMF_ERR_MEMORY);
}
return (KMF_OK);
}
return (KMF_ERR_PLUGIN_NOTFOUND);
} else {
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
return (ret);
}
#define SET_SYS_ERROR(h, c) if (h) {\
}
{
struct stat s;
int fd;
if (handle) {
return (ret);
}
return (KMF_ERR_BAD_PARAMETER);
}
return (KMF_ERR_OPEN_FILE);
}
return (KMF_ERR_OPEN_FILE);
}
return (KMF_ERR_MEMORY);
}
do {
if (nread < 0) {
return (KMF_ERR_INTERNAL);
}
return (KMF_OK);
}
/*
*
* Name: kmf_der_to_pem
*
* Description:
* Function for converting DER encoded format to PEM encoded format
*
* Parameters:
* type(input) - CERTIFICATE or CSR
* data(input) - pointer to the DER encoded data
* len(input) - length of input data
* out(output) - contains the output buffer address to be returned
* outlen(output) - pointer to the returned output length
*
* Returns:
* A KMF_RETURN value indicating success or specifying a particular
* error condition.
* The value KMF_OK indicates success. All other values represent
* an error condition.
*
*/
{
return (KMF_ERR_BAD_PARAMETER);
return (err);
}
/*
*
* Name: kmf_pem_to_der
*
* Description:
* Function for converting PEM encoded format to DER encoded format
*
* Parameters:
* in(input) - pointer to the PEM encoded data
* inlen(input) - length of input data
* out(output) - contains the output buffer address to be returned
* outlen(output) - pointer to the returned output length
*
* Returns:
* A KMF_RETURN value indicating success or specifying a particular
* error condition.
* The value KMF_OK indicates success. All other values represent
* an error condition.
*
*/
{
return (KMF_ERR_BAD_PARAMETER);
return (err);
}
char *
{
char numstr[128];
int numshift;
char *bp;
/* First determine the size of the string */
string_length = 0;
number = 0;
numshift = 0;
numshift += 7;
} else {
return (NULL);
}
if ((cp[i] & 0x80) == 0) {
number = 0;
numshift = 0;
}
}
/*
* If we get here, we've calculated the length of "n n n ... n ". Add 4
* here for "{ " and "}\0".
*/
string_length += 4;
number = 0;
if ((cp[i] & 0x80) == 0) {
number = 0;
}
}
}
return (bp);
}
static boolean_t
{
char *p;
int i;
return (FALSE);
/* loop to make sure this is ascii */;
if (i != 8)
return (FALSE);
return (TRUE);
}
/* Look for "-----BEGIN" right after a newline */
while (p != NULL) {
*fmt = KMF_FORMAT_PEM;
/* Restore the buffer */
return (TRUE);
}
}
return (FALSE);
}
static unsigned char pkcs12_oid[11] =
{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01};
/*
* This function takes a BER encoded string as input and checks the version
* and the oid in the the top-level ASN.1 structure to see if it complies to
* the PKCS#12 Syntax.
*/
static boolean_t
{
int index = 0;
int length_octets;
return (FALSE);
/*
* The top level structure for a PKCS12 string:
*
* PFX ::= SEQUENCE {
* version INTEGER {v3(3)}(v3,...)
* authSafe ContentInfo
* macData MacData OPTIONAL
* }
*
* ContentInfo
* FROM PKCS-7 {iso(1) member-body(2) us(840) rsadsi(113549)
* pkcs(1) pkcs-7(7) modules(0) pkcs-7(1)}
*
* sequences up to the oid part is as following:
*
* SEQUENCE {
* INTEGER 3
* SEQUENCE {
* OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
*/
/*
* Check the first sequence and calculate the number of bytes used
* to store the length.
*/
return (FALSE);
} else {
}
index += length_octets;
return (FALSE);
/* Skip the length octets and check the pkcs12 version */
return (FALSE);
index += sizeof (pkcs12_version);
return (FALSE);
/*
* Check the 2nd sequence and calculate the number of bytes used
* to store the length.
*/
return (FALSE);
} else {
length_octets = 1;
}
index += length_octets;
return (FALSE);
/* Skip the length octets and check the oid */
return (FALSE);
else
return (TRUE);
}
{
*fmt = KMF_FORMAT_PKCS12;
/* It is most likely a generic ASN.1 encoded file */
*fmt = KMF_FORMAT_ASN1;
/* Cannot determine this file format */
*fmt = KMF_FORMAT_UNDEF;
return (KMF_ERR_ENCODING);
}
return (KMF_OK);
}
{
return (KMF_ERR_BAD_PARAMETER);
*fmt = 0;
return (ret);
goto end;
}
end:
return (ret);
}
{
int i;
unsigned char ch;
return (KMF_ERR_BAD_PARAMETER);
}
hexstr += 2;
/* empty body */
;
/*
* If all the characters are not legitimate hex chars,
* return an error.
*/
return (KMF_ERR_BAD_HEX_STRING);
stringlen = i;
return (KMF_ERR_MEMORY);
}
for (i = 0; i < stringlen; i++) {
hexstr++;
ch -= '0';
else {
goto out;
}
if (i & 1) {
} else {
}
}
out:
}
return (ret);
}
void
{
int i, j;
for (i = 0; i < name->numberOfRDNs; i++) {
for (j = 0; j < newrdn->numberOfPairs; j++) {
}
newrdn->numberOfPairs = 0;
}
name->numberOfRDNs = 0;
}
}
void
{
return;
return;
}
}
void
{
}
}
void
{
return;
}
void
{
return;
}
}
void
{
if (tbscsr) {
}
}
void
{
if (csr) {
}
}
static void
{
return;
}
static void
{
int i;
for (i = 0; i < extns->numberOfExtensions; i++) {
}
extns->numberOfExtensions = 0;
}
}
void
{
if (tbscert) {
}
}
void
{
if (!certptr)
return;
}
void
kmf_free_str(char *pstr)
{
}
void
{
int i;
for (i = 0; i < len; i++) {
}
}
void
{
}
void
{
}
}
void
{
int i = 0;
return;
return;
i++;
i++;
}
}
}
void
{
/* Clear it out before returning it to the pool */
}
}
static void
{
return;
}
static void
{
return;
}
static void
{
return;
}
void
{
return;
case KMF_RSA:
break;
case KMF_DSA:
break;
case KMF_AES:
case KMF_RC4:
case KMF_DES:
case KMF_DES3:
break;
}
}
}
void
{
return;
}
/*
* This function frees the space allocated for the name portion of a
* KMF_CRL_DIST_POINT.
*/
void
{
int i;
return;
/* For phase 1, we only need to free the fullname space. */
return;
}
}
/*
* This function frees the space allocated for a KMF_CRL_DIST_POINT.
*/
void
{
return;
/* Need not to free crl_issuer space at phase 1 */
}
/*
* This function frees space for a KMF_X509EXT_CRLDISTPOINTS internally.
*/
void
{
int i;
return;
}
int num_args,
{
sizeof (KMF_DATA)},
sizeof (KMF_DATA)},
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
/*
* This framework function is actually implemented in the openssl
* plugin library, so we find the function address and call it.
*/
return (KMF_ERR_PLUGIN_NOTFOUND);
}
"OpenSSL_CreateOCSPRequest");
if (createReqFn == NULL) {
return (KMF_ERR_FUNCTION_NOT_FOUND);
}
}
int num_args,
{
sizeof (KMF_DATA)},
sizeof (KMF_DATA)},
sizeof (KMF_DATA)},
{KMF_OCSP_RESPONSE_STATUS_ATTR, FALSE, sizeof (int),
sizeof (uint32_t)},
{KMF_OCSP_RESPONSE_REASON_ATTR, FALSE, sizeof (int),
sizeof (uint32_t)},
{KMF_OCSP_RESPONSE_CERT_STATUS_ATTR, FALSE, sizeof (int),
sizeof (uint32_t)},
};
int num_req_attrs = sizeof (required_attrs) /
sizeof (KMF_ATTRIBUTE_TESTER);
return (KMF_ERR_BAD_PARAMETER);
return (ret);
/*
* This framework function is actually implemented in the openssl
* plugin library, so we find the function address and call it.
*/
return (KMF_ERR_INTERNAL);
}
"OpenSSL_GetOCSPStatusForCert");
if (getCertStatusFn == NULL) {
return (KMF_ERR_INTERNAL);
}
}
{
int numbuf;
int onumbuf;
int len;
unsigned char *op;
return (KMF_ERR_BAD_PARAMETER);
/* Skip over leading space */
bp++;
nbytes = 0;
/*
* The first two numbers are chewed up by the first octet.
*/
return (KMF_ERR_BAD_PARAMETER);
bp++;
bp++;
return (KMF_ERR_BAD_PARAMETER);
bp++;
bp++;
nbytes++;
return (KMF_ERR_BAD_PARAMETER);
while (numbuf) {
nbytes++;
numbuf >>= 7;
}
bp++;
bp++;
}
return (KMF_ERR_MEMORY);
}
op++;
nbytes = 0;
/* Have to fill in the bytes msb-first */
while (numbuf) {
nbytes++;
numbuf >>= 7;
}
index = -1;
while (numbuf) {
if (index != -1)
index--;
numbuf >>= 7;
}
}
return (rv);
}
static KMF_RETURN
{
return (KMF_ERR_BAD_PARAMETER);
return (rv);
}
static KMF_RETURN
{
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_ENCODING);
} else {
}
return (KMF_ERR_MEMORY);
return (rv);
}
static KMF_RETURN
{
return (KMF_ERR_ENCODING);
*at = 0;
/*
* KRB5PrincipalName ::= SEQUENCE {
* realm [0] Realm,
* principalName [1] PrincipalName
* }
*
* KerberosString ::= GeneralString (IA5String)
* Realm ::= KerberosString
* PrincipalName ::= SEQUENCE {
* name-type [0] Int32,
* name-string [1] SEQUENCE OF KerberosString
* }
*/
/*
* Construct the "principalName" first.
*
* The name may be split with a "/" to indicate a new instance.
* This must be separated in the ASN.1
*/
*slash = 0;
}
rv = KMF_ERR_MEMORY;
goto cleanup;
}
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
} else {
goto cleanup;
goto cleanup;
}
goto cleanup;
goto cleanup;
}
/* Next construct the KRB5PrincipalNameSeq */
rv = KMF_ERR_MEMORY;
goto cleanup;
}
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
}
/*
* GeneralName ::= CHOICE {
* otherName [0] OtherName,
* ...
* }
*
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id
* }
*/
/* Now construct the SAN: OID + typed data. */
rv = KMF_ERR_MEMORY;
goto cleanup;
}
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
}
if (*at == 0)
*at = '@';
*slash = '/';
return (rv);
}
static KMF_RETURN
{
return (KMF_ERR_MEMORY);
/* The name is encoded as a KerberosString (IA5STRING) */
goto cleanup;
goto cleanup;
}
return (rv);
}
static KMF_RETURN
verify_uri_format(char *uristring)
{
/* Parse the URI string; get the hostname and port */
goto out;
}
goto out;
}
goto out;
}
out:
return (ret);
}
static KMF_RETURN
encode_altname(char *namedata,
{
return (KMF_ERR_BAD_PARAMETER);
/*
* Encode the namedata according to rules in RFC 3280 for GeneralName.
* The input "namedata" is assumed to be an ASCII string representation
* of the AltName, we need to convert it to correct ASN.1 here before
* adding it to the cert.
*/
switch (nametype) {
case GENNAME_RFC822NAME: /* rfc 822 */
/* IA5String, no encoding needed */
return (KMF_ERR_MEMORY);
break;
case GENNAME_DNSNAME: /* rfc 1034 */
return (KMF_ERR_MEMORY);
break;
case GENNAME_URI: /* rfc 1738 */
return (ret);
/* IA5String, no encoding needed */
return (KMF_ERR_MEMORY);
break;
case GENNAME_IPADDRESS:
break;
case GENNAME_REGISTEREDID:
break;
case GENNAME_DIRECTORYNAME:
}
(void) kmf_free_dn(&dnname);
break;
case GENNAME_KRB5PRINC:
break;
case GENNAME_SCLOGON_UPN:
break;
default:
/* unsupported */
return (KMF_ERR_BAD_PARAMETER);
}
return (ret);
}
return (KMF_ERR_MEMORY);
goto cleanup;
goto cleanup;
}
goto cleanup;
}
if (asn1)
return (ret);
}
{
int i;
return (NULL);
for (i = 0; i < exts->numberOfExtensions; i++) {
break;
}
}
return (foundextn);
}
{
int tag;
return (KMF_ERR_BAD_PARAMETER);
/*
* Decode the sequence of general names
*/
goto out;
}
/*
* Unwrap the sequence to find the size of the block
* of GeneralName items in the set.
*
* Peek at the tag and length ("tl"),
* then consume them ("{").
*/
oldsize == 0) {
goto out;
}
goto out;
}
/*
* Read the entire blob of GeneralNames, we don't
* need to interpret them now.
*/
goto out;
}
out:
*outlen = 0;
} else {
}
return (ret);
}
{
return (KMF_ERR_BAD_PARAMETER);
return (KMF_ERR_MEMORY);
sizeof (KMF_X509_EXTENSION));
return (ret);
}
int critical,
char *namedata)
{
return (KMF_ERR_BAD_PARAMETER);
return (ret);
goto out;
/*
* Check to see if this cert already has a subjectAltName.
*/
goto out;
}
/*
* Assume (!!) that the namedata given is already properly encoded.
*/
return (KMF_ERR_MEMORY);
goto out;
}
/* Write the old extension data first */
goto out;
}
}
/* Now add the new name to the list */
goto out;
}
/* Now close the sequence */
goto out;
}
goto out;
}
/*
* If we are just adding to an existing list of altNames,
* just replace the BER data associated with the found extension.
*/
} else {
}
out:
return (ret);
}
/*
* Search a list of attributes for one that matches the given type.
* Return a pointer into the attribute list. This does not
* return a copy of the value, it returns a reference into the
* given list.
*/
int
{
int i;
for (i = 0; i < numattrs; i++) {
return (i);
}
return (-1);
}
/*
* Verify that a given attribute is consistent with the
* "test" attribute.
*/
static KMF_RETURN
{
/* A NULL pValue was found where one is required */
return (KMF_ERR_BAD_PARAMETER);
/* If the given valueLen is too small, return error */
return (KMF_ERR_BAD_PARAMETER);
/* If the given valueLen is too big, return error */
return (KMF_ERR_BAD_PARAMETER);
return (KMF_OK);
}
/*
* Given a set of required attribute tests and optional
* attributes, make sure that the actual attributes
* being tested (attrlist below) are allowed and are
* properly specified.
*/
{
int i, idx;
/*
* If the caller didn't supply enough attributes,
* return an error.
*/
return (KMF_ERR_BAD_PARAMETER);
/*
* Make sure all required attrs are present and
* correct.
*/
/* If a required attr is not found, return error */
if (idx == -1) {
return (KMF_ERR_BAD_PARAMETER);
}
}
/*
* Now test the optional parameters.
*/
/* If a optional attr is not found, continue. */
if (idx == -1) {
continue;
}
}
return (ret);
}
/*
* Given an already allocated attribute list, insert
* the given attribute information at a specific index
* in the list.
*/
void
{
return;
}
/*
* Find an attribute matching a particular type and set
* the pValue and length fields to the given values.
*/
{
int idx;
return (KMF_ERR_BAD_PARAMETER);
if (idx == -1)
return (KMF_ERR_ATTR_NOT_FOUND);
/* Assumes the attribute pValue can hold the result */
else
return (KMF_ERR_BUFFER_SIZE);
}
return (KMF_OK);
}
/*
* Find a particular attribute in a list and return
* a pointer to its value.
*/
void *
int numattrs)
{
int i;
if (i == -1)
return (NULL);
}
/*
* Find a particular attribute in a list and return
* the value and length values. Value and length
* may be NULL if the caller doesn't want their values
* to be filled in.
*/
{
int i;
if (i == -1)
return (KMF_ERR_ATTR_NOT_FOUND);
/* This assumes that the ptr passed in is pre-allocated space */
/*
* If the caller did not specify a length,
* assume "outValue" is big enough.
*/
else
return (KMF_ERR_BUFFER_SIZE);
} else {
}
}
return (KMF_OK);
}
/*
* Utility routine to find a string type attribute, allocate it
* and return the value to the caller. This simplifies the
* operation by doing both "kmf_get_attr" calls and avoids
* duplicating this block of code in lots of places.
*/
{
return (KMF_ERR_BAD_PARAMETER);
KMF_OK) {
return (KMF_ERR_MEMORY);
}
}
return (rv);
}
void
{
return;
}
void
{
}
}
static KMF_RETURN
{
char *token1;
char *token2;
char *token3;
char *lasts;
char *value;
return (KMF_ERR_KMF_CONF);
return (KMF_ERR_MEMORY);
goto end;
}
goto end;
}
/* need to get token3 first to satisfy nested strtok invocations */
/* parse token2 */
goto end;
}
value++; /* get rid of = */
} else {
goto end;
}
goto end;
}
/* parse token3, if it exists */
!= 0) {
goto end;
}
value++; /* get rid of = */
} else {
goto end;
}
goto end;
}
}
end:
}
return (ret);
}
{
return (NULL);
return (NULL);
goto out;
goto out;
goto out;
return (rtn_entry);
out:
return (NULL);
}
/*
* This function takes a keystore_name as input and returns
* the KMF_KEYSTORE_TYPE value assigned to it. If the "option"
* argument is not NULL, this function also returns the option string
* if there is an option string for the plugin module.
*/
{
/*
* Although handle is not really used in the function, we will
* check the handle to make sure that kmf_intialize() is called
* before this function.
*/
return (KMF_ERR_BAD_PARAMETER);
} else {
}
if (is_default) {
goto out;
}
/* Not a built-in plugin; check if it is in extra_plugin_list. */
break;
}
goto out;
}
/* found it */
else {
goto out;
}
}
}
out:
return (ret);
}
/*
* Retrieve the non-default plugin list from the kmf.conf file.
*/
{
char buffer[MAXPATHLEN];
return (KMF_ERR_KMF_CONF);
}
continue; /* ignore comment lines */
}
len--;
}
goto end;
}
rv = KMF_ERR_MEMORY;
goto end;
}
} else {
}
}
end:
}
return (rv);
}
{
return (B_TRUE);
else
return (B_FALSE);
}