openssl_spi.c revision 9b37d29632d2cb262ba42f1d804f85fcb0aa3709
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Use is subject to license terms.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay */
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay/*
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * project 2000.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay */
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay/*
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ====================================================================
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Redistribution and use in source and binary forms, with or without
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * modification, are permitted provided that the following conditions
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * are met:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 1. Redistributions of source code must retain the above copyright
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * notice, this list of conditions and the following disclaimer.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 2. Redistributions in binary form must reproduce the above copyright
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * notice, this list of conditions and the following disclaimer in
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * the documentation and/or other materials provided with the
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * distribution.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 3. All advertising materials mentioning features or use of this
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * software must display the following acknowledgment:
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * "This product includes software developed by the OpenSSL Project
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * endorse or promote products derived from this software without
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * prior written permission. For written permission, please contact
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * licensing@OpenSSL.org.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 5. Products derived from this software may not be called "OpenSSL"
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * nor may "OpenSSL" appear in their names without prior written
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * permission of the OpenSSL Project.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 6. Redistributions of any form whatsoever must retain the following
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * acknowledgment:
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * "This product includes software developed by the OpenSSL Project
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * OF THE POSSIBILITY OF SUCH DAMAGE.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ====================================================================
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay *
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * This product includes cryptographic software written by Eric Young
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * (eay@cryptsoft.com). This product includes software written by Tim
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Hudson (tjh@cryptsoft.com).
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#pragma ident "%Z%%M% %I% %E% SMI"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys#include <stdlib.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <kmfapiP.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <ber_der.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <fcntl.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <sys/stat.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <dirent.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <cryptoutil.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <synch.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <thread.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* OPENSSL related headers */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/bio.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/bn.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/asn1.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/err.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/bn.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/x509.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/rsa.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/dsa.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/x509v3.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/objects.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/pem.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/pkcs12.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/ocsp.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/des.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#include <openssl/rand.h>
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Bitmask ORing together the KMF_X509_EXT_* flags for the X.509v3
 * extensions this plugin knows about.  NOTE(review): the macro is not
 * referenced in the visible part of this file; presumably it selects
 * which extensions get rendered when a certificate is printed — verify
 * against the consumer before relying on that.
 */
#define PRINT_ANY_EXTENSION (\
	KMF_X509_EXT_KEY_USAGE |\
	KMF_X509_EXT_CERT_POLICIES |\
	KMF_X509_EXT_SUBJALTNAME |\
	KMF_X509_EXT_BASIC_CONSTRAINTS |\
	KMF_X509_EXT_NAME_CONSTRAINTS |\
	KMF_X509_EXT_POLICY_CONSTRAINTS |\
	KMF_X509_EXT_EXT_KEY_USAGE |\
	KMF_X509_EXT_INHIBIT_ANY_POLICY |\
	KMF_X509_EXT_AUTH_KEY_ID |\
	KMF_X509_EXT_SUBJ_KEY_ID |\
	KMF_X509_EXT_POLICY_MAPPING)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Error-reporting BIO.  NOTE(review): nothing in the visible part of this
 * file initializes or reads it; confirm it is used further down, else drop it.
 */
static BIO *bio_err = NULL;

/*
 * Fixed DSA domain parameters, big-endian, each with a leading 0x00 sign
 * byte: P and G carry 64 significant bytes (a 512-bit modulus/generator),
 * Q carries 20 (160-bit subgroup order).
 *
 * NOTE(review): 512-bit DSA parameters are far below current minimums
 * (FIPS 186-4 starts at 1024/160 and recommends 2048+).  Their consumer is
 * not visible in this chunk; wherever they feed key generation, keys
 * derived from them should be treated as weak.
 */
static uchar_t P[] = { 0x00, 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76,
	0xaa, 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69,
	0xcb, 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c,
	0xf7, 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82,
	0xe5, 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e,
	0xaf, 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a,
	0xac, 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24,
	0xc2, 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02,
	0x91 };

static uchar_t Q[] = { 0x00, 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8,
	0xee, 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4,
	0x8e, 0xda, 0xce, 0x91, 0x5f };

static uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
	0x13, 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5,
	0x00, 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef,
	0xcb, 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c,
	0x2e, 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba,
	0xbf, 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c,
	0x9c, 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08,
	0x8c, 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88,
	0x02 };
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
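/*
 * Record the most recent error on a KMF handle.
 *
 * SET_ERROR()     tags the error as coming from this (OpenSSL) keystore.
 * SET_SYS_ERROR() tags it as a system errno value (kstype -1).
 *
 * Both expand to a single do { } while (0) statement so that a use such
 * as `if (cond) SET_ERROR(h, c);` updates both fields or neither.  The
 * previous two-statement expansion only guarded the kstype assignment
 * and always wrote errcode.  Callers keep writing the trailing ';'.
 */
#define SET_ERROR(h, c) do { \
	(h)->lasterr.kstype = KMF_KEYSTORE_OPENSSL; \
	(h)->lasterr.errcode = (c); \
} while (0)

#define SET_SYS_ERROR(h, c) do { \
	(h)->lasterr.kstype = -1; \
	(h)->lasterr.errcode = (c); \
} while (0)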
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Serializes the one-time OpenSSL set-up in KMF_Plugin_Initialize().
 * NOTE(review): init_lock has external linkage although nothing visible
 * here needs it outside this file; it could be made static.
 */
mutex_t init_lock = DEFAULTMUTEX;
/*
 * Set once the lock tables and OpenSSL callbacks are installed.  Within
 * this chunk it is only read and written while init_lock is held.
 */
static int ssl_initialized = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/* Forward declarations of file-local helpers defined later in this file. */
static KMF_RETURN
extract_objects(KMF_HANDLE *, KMF_FINDCERT_PARAMS *, char *,
	CK_UTF8CHAR *, CK_ULONG, EVP_PKEY **, KMF_DATA **, int *);

static KMF_RETURN
kmf_load_cert(KMF_HANDLE *, KMF_FINDCERT_PARAMS *, char *, KMF_DATA *);

static KMF_RETURN
sslBN2KMFBN(BIGNUM *, KMF_BIGINT *);

static EVP_PKEY *
ImportRawRSAKey(KMF_RAW_RSA_KEY *);
02744e811b15322c5f109827a116c33bfe3438b5wyllys
/*
 * Keystore operations exported by this plugin.  They are installed into
 * openssl_plugin_table (below) and reached by the KMF framework through
 * that table rather than by name.
 */
KMF_RETURN
OpenSSL_FindCert(KMF_HANDLE_T,
	KMF_FINDCERT_PARAMS *,
	KMF_X509_DER_CERT *,
	uint32_t *);

void
OpenSSL_FreeKMFCert(KMF_HANDLE_T, KMF_X509_DER_CERT *);

KMF_RETURN
OpenSSL_StoreCert(KMF_HANDLE_T handle, KMF_STORECERT_PARAMS *, KMF_DATA *);

KMF_RETURN
OpenSSL_DeleteCert(KMF_HANDLE_T handle, KMF_DELETECERT_PARAMS *);

KMF_RETURN
OpenSSL_CreateKeypair(KMF_HANDLE_T, KMF_CREATEKEYPAIR_PARAMS *,
	KMF_KEY_HANDLE *, KMF_KEY_HANDLE *);

KMF_RETURN
OpenSSL_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);

KMF_RETURN
OpenSSL_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
	KMF_DATA *, KMF_DATA *);

KMF_RETURN
OpenSSL_DeleteKey(KMF_HANDLE_T, KMF_DELETEKEY_PARAMS *,
	KMF_KEY_HANDLE *, boolean_t);

KMF_RETURN
OpenSSL_ImportCRL(KMF_HANDLE_T, KMF_IMPORTCRL_PARAMS *);

KMF_RETURN
OpenSSL_DeleteCRL(KMF_HANDLE_T, KMF_DELETECRL_PARAMS *);

KMF_RETURN
OpenSSL_ListCRL(KMF_HANDLE_T, KMF_LISTCRL_PARAMS *, char **);

KMF_RETURN
OpenSSL_FindCertInCRL(KMF_HANDLE_T, KMF_FINDCERTINCRL_PARAMS *);

KMF_RETURN
OpenSSL_CertGetPrintable(KMF_HANDLE_T, const KMF_DATA *,
	KMF_PRINTABLE_ITEM, char *);

KMF_RETURN
OpenSSL_GetErrorString(KMF_HANDLE_T, char **);

KMF_RETURN
OpenSSL_GetPrikeyByCert(KMF_HANDLE_T, KMF_CRYPTOWITHCERT_PARAMS *, KMF_DATA *,
	KMF_KEY_HANDLE *, KMF_KEY_ALG);

KMF_RETURN
OpenSSL_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
	KMF_DATA *, KMF_DATA *);

KMF_RETURN
OpenSSL_CreateOCSPRequest(KMF_HANDLE_T, KMF_OCSPREQUEST_PARAMS *,
	char *reqfile);

KMF_RETURN
OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T, KMF_OCSPRESPONSE_PARAMS_INPUT *,
	KMF_OCSPRESPONSE_PARAMS_OUTPUT *);

KMF_RETURN
OpenSSL_FindKey(KMF_HANDLE_T, KMF_FINDKEY_PARAMS *,
	KMF_KEY_HANDLE *, uint32_t *);

KMF_RETURN
OpenSSL_ExportP12(KMF_HANDLE_T,
	KMF_EXPORTP12_PARAMS *,
	int, KMF_X509_DER_CERT *,
	int, KMF_KEY_HANDLE *,
	char *);

KMF_RETURN
OpenSSL_StorePrivateKey(KMF_HANDLE_T, KMF_STOREKEY_PARAMS *,
	KMF_RAW_KEY_DATA *);

KMF_RETURN
OpenSSL_CreateSymKey(KMF_HANDLE_T, KMF_CREATESYMKEY_PARAMS *,
	KMF_KEY_HANDLE *);

KMF_RETURN
OpenSSL_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);

KMF_RETURN
OpenSSL_VerifyCRLFile(KMF_HANDLE_T, KMF_VERIFYCRL_PARAMS *);

KMF_RETURN
OpenSSL_CheckCRLDate(KMF_HANDLE_T, KMF_CHECKCRLDATE_PARAMS *);

KMF_RETURN
OpenSSL_VerifyDataWithCert(KMF_HANDLE_T, KMF_ALGORITHM_INDEX,
	KMF_DATA *, KMF_DATA *, KMF_DATA *);
02744e811b15322c5f109827a116c33bfe3438b5wyllys
/*
 * Function table handed back by KMF_Plugin_Initialize().  Slot order is
 * fixed by KMF_PLUGIN_FUNCLIST; a NULL slot marks an operation this
 * keystore does not provide.
 */
static
KMF_PLUGIN_FUNCLIST openssl_plugin_table =
{
	1,				/* Version */
	NULL, /* ConfigureKeystore */
	OpenSSL_FindCert,
	OpenSSL_FreeKMFCert,
	OpenSSL_StoreCert,
	NULL, /* ImportCert */
	OpenSSL_ImportCRL,
	OpenSSL_DeleteCert,
	OpenSSL_DeleteCRL,
	OpenSSL_CreateKeypair,
	OpenSSL_FindKey,
	OpenSSL_EncodePubKeyData,
	OpenSSL_SignData,
	OpenSSL_DeleteKey,
	OpenSSL_ListCRL,
	NULL, /* FindCRL */
	OpenSSL_FindCertInCRL,
	OpenSSL_GetErrorString,
	OpenSSL_GetPrikeyByCert,
	OpenSSL_DecryptData,
	OpenSSL_ExportP12,
	OpenSSL_StorePrivateKey,
	OpenSSL_CreateSymKey,
	OpenSSL_GetSymKeyValue,
	NULL, /* SetTokenPin */
	OpenSSL_VerifyDataWithCert,
	NULL /* Finalize */
};
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Per-lock mutex and acquisition-count tables backing locking_cb().
 * Both are sized to CRYPTO_num_locks() and filled in by
 * KMF_Plugin_Initialize(); lock_count is only ever incremented here.
 */
static mutex_t *lock_cs;
static long *lock_count;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * OpenSSL locking callback (pre-1.1.0 threading API).
 *
 * OpenSSL invokes this with CRYPTO_LOCK set in `mode` to acquire lock
 * number `type` and with it clear to release it.  `file` and `line`
 * identify the OpenSSL call site and are not used.  lock_count[type]
 * tallies acquisitions; nothing in this file reads it back.
 */
static void
/*ARGSUSED*/
locking_cb(int mode, int type, char *file, int line)
{
	mutex_t *mp = &lock_cs[type];

	if ((mode & CRYPTO_LOCK) == 0) {
		(void) mutex_unlock(mp);
		return;
	}

	(void) mutex_lock(mp);
	lock_count[type]++;
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * OpenSSL thread-id callback: identifies the calling thread by its
 * Solaris thread id, widened to the unsigned long OpenSSL expects.
 */
static unsigned long
thread_id()
{
	thread_t self = thr_self();

	return ((unsigned long)self);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
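/*
 * Plugin entry point called by the KMF framework.
 *
 * On the first call, under init_lock, this performs the one-time OpenSSL
 * set-up: allocates and initializes the lock tables used by locking_cb(),
 * loads the algorithm and error-string tables, registers the X.509v3
 * extension OIDs OpenSSL lacks by default, and installs the thread-id and
 * locking callbacks (OpenSSL 0.9.x/1.0.x threading model).  Later calls
 * just return the table.
 *
 * Returns the plugin function table, or NULL if the lock tables could
 * not be allocated (in which case nothing else has been touched and the
 * call may be retried).
 */
KMF_PLUGIN_FUNCLIST *
KMF_Plugin_Initialize()
{
	int i, nlocks;

	(void) mutex_lock(&init_lock);
	if (!ssl_initialized) {
		/*
		 * Allocate the lock tables before touching any OpenSSL
		 * global state.  The previous ordering had already loaded
		 * the algorithm tables and created the OIDs when it bailed
		 * out on allocation failure, so a retry repeated those calls.
		 */
		nlocks = CRYPTO_num_locks();
		lock_cs = OPENSSL_malloc(nlocks * sizeof (mutex_t));
		if (lock_cs == NULL) {
			(void) mutex_unlock(&init_lock);
			return (NULL);
		}

		lock_count = OPENSSL_malloc(nlocks * sizeof (long));
		if (lock_count == NULL) {
			OPENSSL_free(lock_cs);
			lock_cs = NULL;	/* don't leave a dangling pointer */
			(void) mutex_unlock(&init_lock);
			return (NULL);
		}

		for (i = 0; i < nlocks; i++) {
			lock_count[i] = 0;
			(void) mutex_init(&lock_cs[i], USYNC_THREAD, NULL);
		}

		OpenSSL_add_all_algorithms();

		/* Enable error strings for reporting */
		ERR_load_crypto_strings();

		/*
		 * Add support for extension OIDs that are not yet in the
		 * openssl default set.  Return values are ignored: a NID
		 * that already exists is not an error for our purposes.
		 */
		(void) OBJ_create("2.5.29.30", "nameConstraints",
			"X509v3 Name Constraints");
		(void) OBJ_create("2.5.29.33", "policyMappings",
			"X509v3 Policy Mappings");
		(void) OBJ_create("2.5.29.36", "policyConstraints",
			"X509v3 Policy Constraints");
		(void) OBJ_create("2.5.29.46", "freshestCRL",
			"X509v3 Freshest CRL");
		(void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
			"X509v3 Inhibit Any-Policy");

		/*
		 * Set up for thread-safe operation.  The callbacks are only
		 * installed once every mutex they may be asked for exists.
		 */
		CRYPTO_set_id_callback((unsigned long (*)())thread_id);
		CRYPTO_set_locking_callback((void (*)())locking_cb);
		ssl_initialized = 1;
	}
	(void) mutex_unlock(&init_lock);

	return (&openssl_plugin_table);
}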
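/*
 * Convert an OpenSSL X509_NAME into a KMF_X509_NAME.
 *
 * The name is round-tripped through its DER encoding: i2d_X509_NAME()
 * produces the bytes and DerDecodeName() parses them into KMF's form.
 *
 * Returns KMF_OK on success; KMF_ERR_BAD_PARAMETER if either argument is
 * NULL; KMF_ERR_BAD_CERT_FORMAT if the name cannot be DER-encoded or the
 * encoding cannot be decoded; KMF_ERR_MEMORY if the DER buffer cannot be
 * allocated.
 */
static KMF_RETURN
get_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
{
	KMF_DATA derdata;
	KMF_RETURN rv = KMF_OK;
	uchar_t *tmp;
	int len;

	if (sslDN == NULL || kmfDN == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/*
	 * Sizing pass.  i2d_X509_NAME() returns a negative value on error;
	 * the previous version stored that straight into derdata.Length and
	 * passed it to OPENSSL_malloc() unchecked.
	 */
	if ((len = i2d_X509_NAME(sslDN, NULL)) <= 0)
		return (KMF_ERR_BAD_CERT_FORMAT);

	derdata.Length = len;
	if ((tmp = derdata.Data = (uchar_t *)OPENSSL_malloc(len)) == NULL)
		return (KMF_ERR_MEMORY);

	/*
	 * Encoding pass.  i2d_X509_NAME() advances the pointer it is handed,
	 * so write through tmp and keep derdata.Data at the buffer start.
	 * A length that differs from the sizing pass means the encoder
	 * failed (or the object changed underneath us); don't decode it.
	 */
	if (i2d_X509_NAME(sslDN, &tmp) != len) {
		OPENSSL_free(derdata.Data);
		return (KMF_ERR_BAD_CERT_FORMAT);
	}

	/* Decode to KMF format */
	rv = DerDecodeName(&derdata, kmfDN);
	if (rv != KMF_OK)
		rv = KMF_ERR_BAD_CERT_FORMAT;

	OPENSSL_free(derdata.Data);

	return (rv);
}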
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Report whether `path` names a directory.
 *
 * Uses stat(2), so symbolic links are followed.  Returns the S_IFDIR mode
 * bit (non-zero) for a directory, and 0 for anything else or if the path
 * cannot be stat'ed.
 */
static int
isdir(char *path)
{
	struct stat sb;
	int result = 0;

	if (stat(path, &sb) == 0)
		result = sb.st_mode & S_IFDIR;

	return (result);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
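/*
 * DER-encode an OpenSSL X509 into a freshly malloc()ed KMF_DATA.
 *
 * kmfh:      handle whose lasterr is set on failure.
 * x509cert:  certificate to encode.
 * cert:      on success receives the DER bytes; cert->Data is malloc()ed
 *            and becomes the caller's to free.  On failure cert->Data is
 *            NULL and cert->Length is 0.
 *
 * Returns KMF_OK, KMF_ERR_BAD_CERT_FORMAT if i2d_X509() fails, or
 * KMF_ERR_MEMORY if the buffer cannot be allocated.
 */
static KMF_RETURN
ssl_cert2KMFDATA(KMF_HANDLE *kmfh, X509 *x509cert, KMF_DATA *cert)
{
	KMF_RETURN rv = KMF_OK;
	unsigned char *buf = NULL, *p;
	int len;

	/*
	 * Sizing pass: compute the encoded length without writing anything.
	 * A non-positive length is an encoder failure (a certificate can
	 * never encode to zero bytes).
	 */
	if ((len = i2d_X509(x509cert, NULL)) <= 0) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}
	if ((buf = malloc(len)) == NULL) {
		SET_SYS_ERROR(kmfh, errno);
		rv = KMF_ERR_MEMORY;
		goto cleanup;
	}

	/*
	 * Encoding pass.  i2d_X509() advances the pointer it is given, so
	 * encode through a copy and keep buf at the start of the allocation.
	 *
	 * On failure buf is NOT freed here: the cleanup path below frees it.
	 * The previous version freed it in both places, which was a double
	 * free whenever the second i2d_X509() call failed.
	 */
	p = buf;
	if ((len = i2d_X509(x509cert, &p)) < 0) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}

	/* Ownership of buf passes to the caller. */
	cert->Data = buf;
	cert->Length = len;

cleanup:
	if (rv != KMF_OK) {
		free(buf);	/* free(NULL) is a no-op */
		cert->Data = NULL;
		cert->Length = 0;
	}

	return (rv);
}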
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
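/*
 * Compare one X509 certificate against the issuer, subject and serial
 * number criteria in 'params'.  A criterion that is absent (NULL, or an
 * empty string for the DNs) is not checked; *match becomes TRUE only
 * when every criterion that was supplied matched.
 *
 * Returns KMF_OK whenever the comparison itself ran (regardless of the
 * outcome in *match), KMF_ERR_BAD_PARAMETER when xcert is NULL or a DN
 * could not be parsed/extracted, and KMF_ERR_MEMORY on allocation
 * failure.  All parsed DNs are released before returning.
 */
static KMF_RETURN
check_cert(X509 *xcert, KMF_FINDCERT_PARAMS *params, boolean_t *match)
{
	KMF_RETURN rv = KMF_OK;
	boolean_t findIssuer = FALSE;
	boolean_t findSubject = FALSE;
	boolean_t findSerial = FALSE;
	KMF_X509_NAME issuerDN, subjectDN;
	KMF_X509_NAME certIssuerDN, certSubjectDN;

	*match = FALSE;
	if (xcert == NULL) {
		return (KMF_ERR_BAD_PARAMETER);
	}

	(void) memset(&issuerDN, 0, sizeof (KMF_X509_NAME));
	(void) memset(&subjectDN, 0, sizeof (KMF_X509_NAME));
	(void) memset(&certIssuerDN, 0, sizeof (KMF_X509_NAME));
	(void) memset(&certSubjectDN, 0, sizeof (KMF_X509_NAME));

	if (params->issuer != NULL && strlen(params->issuer)) {
		rv = KMF_DNParser(params->issuer, &issuerDN);
		if (rv != KMF_OK)
			return (KMF_ERR_BAD_PARAMETER);

		rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
		if (rv != KMF_OK) {
			KMF_FreeDN(&issuerDN);
			return (KMF_ERR_BAD_PARAMETER);
		}

		/* Both issuer DNs are now owned and released at cleanup. */
		findIssuer = TRUE;
	}
	if (params->subject != NULL && strlen(params->subject)) {
		rv = KMF_DNParser(params->subject, &subjectDN);
		if (rv != KMF_OK) {
			rv = KMF_ERR_BAD_PARAMETER;
			goto cleanup;
		}

		rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
		if (rv != KMF_OK) {
			/*
			 * subjectDN was parsed successfully but findSubject
			 * is still FALSE, so cleanup would not release it;
			 * free it here, mirroring the issuer path above.
			 */
			KMF_FreeDN(&subjectDN);
			rv = KMF_ERR_BAD_PARAMETER;
			goto cleanup;
		}
		findSubject = TRUE;
	}
	if (params->serial != NULL && params->serial->val != NULL)
		findSerial = TRUE;

	if (findSerial) {
		BIGNUM *bn;

		/*
		 * Comparing BIGNUMs is a pain!  Convert the cert's serial
		 * to its big-endian byte form and compare that against the
		 * caller's raw bytes; a length mismatch is simply no match.
		 */
		bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
		if (bn != NULL) {
			int bnlen = BN_num_bytes(bn);

			if (bnlen == params->serial->len) {
				uchar_t *a = malloc(bnlen);
				if (a == NULL) {
					rv = KMF_ERR_MEMORY;
					BN_free(bn);
					goto cleanup;
				}
				bnlen = BN_bn2bin(bn, a);
				*match = !memcmp(a,
				    params->serial->val,
				    params->serial->len);
				rv = KMF_OK;
				free(a);
			}
			BN_free(bn);
			if (!(*match))
				goto cleanup;
		} else {
			/* Unreadable serial: not an error, just no match. */
			rv = KMF_OK;
			goto cleanup;
		}
	}
	if (findIssuer) {
		*match = !KMF_CompareRDNs(&issuerDN, &certIssuerDN);
		if (!(*match)) {
			rv = KMF_OK;
			goto cleanup;
		}
	}
	if (findSubject) {
		*match = !KMF_CompareRDNs(&subjectDN, &certSubjectDN);
		if (!(*match)) {
			rv = KMF_OK;
			goto cleanup;
		}
	}

	/* Every supplied criterion matched (or none was supplied). */
	*match = TRUE;
cleanup:
	if (findIssuer) {
		KMF_FreeDN(&issuerDN);
		KMF_FreeDN(&certIssuerDN);
	}
	if (findSubject) {
		KMF_FreeDN(&subjectDN);
		KMF_FreeDN(&certSubjectDN);
	}

	return (rv);
}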
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
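/*
 * Read one X509 certificate from 'pathname' and hand it back through
 * *outcert if it satisfies the search criteria in 'params' (see
 * check_cert()).  The on-disk encoding is auto-detected (PEM, DER or
 * PKCS#12); the format field inside 'params' is ignored.
 *
 * Returns KMF_ERR_CERT_NOT_FOUND when the file cannot be opened or the
 * certificate does not match, KMF_ERR_BAD_CERT_FORMAT when it cannot be
 * decoded and KMF_ERR_BAD_PARAMETER for an unsupported encoding.  On
 * success ownership of the X509 passes to the caller via *outcert; when
 * outcert is NULL the certificate is released here.
 */
static KMF_RETURN
load_X509cert(KMF_HANDLE *kmfh,
    KMF_FINDCERT_PARAMS *params,
    char *pathname,
    X509 **outcert)
{
	KMF_RETURN rv = KMF_OK;
	X509 *xcert = NULL;
	BIO *bcert = NULL;
	boolean_t match = FALSE;
	KMF_ENCODE_FORMAT format;

	/*
	 * auto-detect the file format, regardless of what
	 * the 'format' parameters in the params say.
	 */
	rv = KMF_GetFileFormat(pathname, &format);
	if (rv != KMF_OK) {
		/* An unopenable file is reported as "no such cert". */
		if (rv == KMF_ERR_OPEN_FILE)
			rv = KMF_ERR_CERT_NOT_FOUND;
		return (rv);
	}

	/* Open the file once; the decoder used depends on the format. */
	if ((bcert = BIO_new_file(pathname, "rb")) == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	if (format == KMF_FORMAT_PEM) {
		xcert = PEM_read_bio_X509_AUX(bcert, NULL, NULL, NULL);
	} else if (format == KMF_FORMAT_ASN1) {
		xcert = d2i_X509_bio(bcert, NULL);
	} else if (format == KMF_FORMAT_PKCS12) {
		/*
		 * No passphrase is supplied to PKCS12_parse, so presumably
		 * only a container that opens without one yields a cert.
		 * A failed parse just leaves xcert NULL, which is reported
		 * as KMF_ERR_BAD_CERT_FORMAT below.
		 */
		PKCS12 *p12 = d2i_PKCS12_bio(bcert, NULL);
		if (p12 != NULL) {
			(void) PKCS12_parse(p12, NULL, NULL, &xcert, NULL);
			PKCS12_free(p12);
			p12 = NULL;
		} else {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_BAD_CERT_FORMAT;
		}
	} else {
		rv = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	if (xcert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}

	if (check_cert(xcert, params, &match) != KMF_OK || match == FALSE) {
		rv = KMF_ERR_CERT_NOT_FOUND;
		goto cleanup;
	}

	if (outcert != NULL) {
		*outcert = xcert;
	} else {
		/*
		 * Nobody takes ownership on this path and cleanup only
		 * frees on error, so release the cert here instead of
		 * leaking it.
		 */
		X509_free(xcert);
		xcert = NULL;
	}

cleanup:
	if (bcert != NULL)
		(void) BIO_free(bcert);
	if (rv != KMF_OK && xcert != NULL)
		X509_free(xcert);

	return (rv);
}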
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * qsort(3C) comparator for KMF_DATA entries: orders by descending
 * Length, so zero-length (cleared) entries sort to the end of the array.
 */
static int
datacmp(const void *a, const void *b)
{
	const KMF_DATA *lhs = a;
	const KMF_DATA *rhs = b;

	if (lhs->Length == rhs->Length)
		return (0);
	/* Longer entries first. */
	return (lhs->Length > rhs->Length ? -1 : 1);
}
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
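/*
 * Load every certificate in 'pathname' that matches 'params' into a
 * malloc'd KMF_DATA array.  A DER file holds one cert and goes through
 * kmf_load_cert(); PEM files may hold several and go through
 * extract_objects().  PKCS#12 is rejected because no credential is
 * available here.
 *
 * Entries that fail the find_cert_validity filter are cleared with
 * KMF_FreeData() and sorted to the tail of the array, so the caller only
 * sees the first *numcerts entries.  *certlist and *numcerts are written
 * only on success and the array is then owned by the caller.  Returns
 * KMF_ERR_CERT_NOT_FOUND when nothing usable was found.
 */
static KMF_RETURN
load_certs(KMF_HANDLE *kmfh, KMF_FINDCERT_PARAMS *params, char *pathname,
    KMF_DATA **certlist, uint32_t *numcerts)
{
	KMF_RETURN rv = KMF_OK;
	int i;
	KMF_DATA *certs = NULL;
	int nc = 0;
	int hits = 0;
	KMF_ENCODE_FORMAT format;

	rv = KMF_GetFileFormat(pathname, &format);
	if (rv != KMF_OK) {
		if (rv == KMF_ERR_OPEN_FILE)
			rv = KMF_ERR_CERT_NOT_FOUND;
		return (rv);
	}
	if (format == KMF_FORMAT_ASN1) {
		/* load a single certificate */
		certs = malloc(sizeof (*certs));
		if (certs == NULL)
			return (KMF_ERR_MEMORY);
		certs->Data = NULL;
		certs->Length = 0;
		rv = kmf_load_cert(kmfh, params, pathname, certs);
		if (rv == KMF_OK) {
			*certlist = certs;
			*numcerts = 1;
		} else {
			/*
			 * The entry was never handed to the caller, so
			 * release it (and any DER copy it may hold).
			 */
			if (certs->Data != NULL)
				KMF_FreeData(certs);
			free(certs);
		}
		return (rv);
	} else if (format == KMF_FORMAT_PKCS12) {
		/* We need a credential to access a PKCS#12 file */
		rv = KMF_ERR_BAD_CERT_FORMAT;
	} else if (format == KMF_FORMAT_PEM ||
	    format != KMF_FORMAT_PEM_KEYPAIR) {
		/*
		 * NOTE(review): as written this branch accepts every format
		 * other than KMF_FORMAT_PEM_KEYPAIR, although the comment
		 * below says only PEM is handled.  Left unchanged here;
		 * confirm whether "== KMF_FORMAT_PEM_KEYPAIR" was intended.
		 */
		/* This function only works on PEM files */
		rv = extract_objects(kmfh, params, pathname,
		    (uchar_t *)NULL, 0, NULL,
		    &certs, &nc);
	} else {
		return (KMF_ERR_ENCODING);
	}

	if (rv != KMF_OK)
		return (rv);

	for (i = 0; i < nc; i++) {
		rv = KMF_OK;
		if (params->find_cert_validity == KMF_NONEXPIRED_CERTS) {
			rv = KMF_CheckCertDate(kmfh, &certs[i]);
		} else if (params->find_cert_validity == KMF_EXPIRED_CERTS) {
			/*
			 * Invert the date check: a cert inside its validity
			 * period is the one to drop, one outside it is a hit.
			 */
			rv = KMF_CheckCertDate(kmfh, &certs[i]);
			if (rv == KMF_OK)
				rv = KMF_ERR_CERT_NOT_FOUND;
			else if (rv == KMF_ERR_VALIDITY_PERIOD)
				rv = KMF_OK;
		}
		if (rv != KMF_OK) {
			/* Remove this cert from the list by clearing it. */
			KMF_FreeData(&certs[i]);
		} else {
			hits++; /* count valid certs found */
		}
	}

	if (hits == 0) {
		/*
		 * Every entry was cleared (or none was extracted); the
		 * array itself is not handed out, so free it here rather
		 * than leak it.
		 */
		free(certs);
		return (KMF_ERR_CERT_NOT_FOUND);
	}

	/*
	 * Sort the list of certs by length to put the cleared ones
	 * at the end so they don't get accessed by the caller.
	 */
	qsort((void *)certs, nc, sizeof (KMF_DATA), datacmp);
	*certlist = certs;

	/* since we sorted the list, just return the number of hits */
	*numcerts = hits;
	return (KMF_OK);
}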
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
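/*
 * Load the certificate in 'pathname' that matches 'params', convert it
 * to DER into 'cert' and apply the find_cert_validity filter.
 *
 * When 'cert' is NULL only the load/match step runs.  On success 'cert'
 * holds a DER copy owned by the caller; on any error return the copy is
 * released again so the caller need not free anything.  Returns
 * KMF_ERR_CERT_NOT_FOUND when no cert matches or a valid cert is found
 * while KMF_EXPIRED_CERTS was requested.
 */
static KMF_RETURN
kmf_load_cert(KMF_HANDLE *kmfh,
    KMF_FINDCERT_PARAMS *params,
    char *pathname,
    KMF_DATA *cert)
{
	KMF_RETURN rv = KMF_OK;
	X509 *x509cert = NULL;

	rv = load_X509cert(kmfh, params, pathname, &x509cert);
	if (rv != KMF_OK || x509cert == NULL || cert == NULL)
		goto cleanup;

	rv = ssl_cert2KMFDATA(kmfh, x509cert, cert);
	if (rv != KMF_OK)
		goto cleanup;

	if (params->find_cert_validity == KMF_NONEXPIRED_CERTS) {
		rv = KMF_CheckCertDate(kmfh, cert);
	} else if (params->find_cert_validity == KMF_EXPIRED_CERTS) {
		rv = KMF_CheckCertDate(kmfh, cert);
		if (rv == KMF_OK) {
			/* This is a valid cert so skip it. */
			rv = KMF_ERR_CERT_NOT_FOUND;
		} else if (rv == KMF_ERR_VALIDITY_PERIOD) {
			/*
			 * We want to return success when we
			 * find an invalid cert.
			 */
			rv = KMF_OK;
		}
	}

	if (rv != KMF_OK) {
		/*
		 * The DER copy is only the caller's on success; release
		 * it on the error path so it is not leaked.  KMF_FreeData
		 * clears the entry (as load_certs relies on).
		 */
		KMF_FreeData(cert);
	}
cleanup:
	if (x509cert != NULL)
		X509_free(x509cert);

	return (rv);
}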
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
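/*
 * Parse an RSA private key stored in the "alternate" DER layout matched
 * by the kmfber_scanf format "{{Dn{IIIIII}}}" (an OID, a NULL, then the
 * six big integers n, e, d, p, q, qInv) and turn it into an EVP_PKEY.
 * The CRT exponents are not stored in that layout, so they and the
 * coefficient are computed here with BIGNUM arithmetic:
 *   Exp1 = D mod (P - 1)
 *   Exp2 = D mod (Q - 1)
 *   COEF = Q^-1 mod P
 *
 * On success *pkey holds the imported key (caller frees); on failure
 * *pkey is NULL.  Returns KMF_ERR_MEMORY when an allocation or BIGNUM
 * operation fails and KMF_ERR_ENCODING when the DER does not match the
 * layout, a component is missing, or Q has no inverse modulo P.
 */
static KMF_RETURN
readAltFormatPrivateKey(KMF_DATA *filedata, EVP_PKEY **pkey)
{
	KMF_RETURN ret = KMF_OK;
	KMF_RAW_RSA_KEY rsa;
	BerElement *asn1 = NULL;
	BerValue filebuf;
	BerValue OID = { NULL, 0 };
	BerValue *Mod = NULL, *PubExp = NULL;
	BerValue *PriExp = NULL, *Prime1 = NULL, *Prime2 = NULL;
	BerValue *Coef = NULL;
	BIGNUM *D = NULL, *P = NULL, *Q = NULL, *COEF = NULL;
	BIGNUM *Exp1 = NULL, *Exp2 = NULL, *pminus1 = NULL;
	BIGNUM *qminus1 = NULL;
	BN_CTX *ctx = NULL;

	*pkey = NULL;

	filebuf.bv_val = (char *)filedata->Data;
	filebuf.bv_len = filedata->Length;

	asn1 = kmfder_init(&filebuf);
	if (asn1 == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	if (kmfber_scanf(asn1, "{{Dn{IIIIII}}}",
	    &OID, &Mod, &PubExp, &PriExp, &Prime1,
	    &Prime2, &Coef) == -1) {
		ret = KMF_ERR_ENCODING;
		goto out;
	}

	/* Every component dereferenced below must actually be present. */
	if (Mod == NULL || PubExp == NULL || PriExp == NULL ||
	    Prime1 == NULL || Prime2 == NULL) {
		ret = KMF_ERR_ENCODING;
		goto out;
	}

	/*
	 * We have to derive the 2 Exponents using Bignumber math.
	 * Exp1 = PriExp mod (Prime1 - 1)
	 * Exp2 = PriExp mod (Prime2 - 1)
	 */

	/* D = PrivateExponent */
	D = BN_bin2bn((const uchar_t *)PriExp->bv_val, PriExp->bv_len, D);
	if (D == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	/* P = Prime1 (first prime factor of Modulus) */
	P = BN_bin2bn((const uchar_t *)Prime1->bv_val, Prime1->bv_len, P);
	/* This used to re-test D, so a failed P conversion went unnoticed. */
	if (P == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	/* Q = Prime2 (second prime factor of Modulus) */
	Q = BN_bin2bn((const uchar_t *)Prime2->bv_val, Prime2->bv_len, Q);
	if (Q == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	if ((ctx = BN_CTX_new()) == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	pminus1 = BN_new();
	qminus1 = BN_new();
	Exp1 = BN_new();
	Exp2 = BN_new();
	COEF = BN_new();
	if (pminus1 == NULL || qminus1 == NULL || Exp1 == NULL ||
	    Exp2 == NULL || COEF == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	/*
	 * Compute (P - 1), Exponent1 = D mod (P - 1), (Q - 1) and
	 * Exponent2 = D mod (Q - 1).  The results were previously
	 * discarded, which would have fed garbage to ImportRawRSAKey.
	 */
	if (BN_sub(pminus1, P, BN_value_one()) == 0 ||
	    BN_mod(Exp1, D, pminus1, ctx) == 0 ||
	    BN_sub(qminus1, Q, BN_value_one()) == 0 ||
	    BN_mod(Exp2, D, qminus1, ctx) == 0) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	/*
	 * Coef = (Inverse Q) mod P.  A NULL result also covers the case
	 * where no inverse exists, i.e. the key components are not
	 * mutually consistent.
	 */
	if (BN_mod_inverse(COEF, Q, P, ctx) == NULL) {
		ret = KMF_ERR_ENCODING;
		goto out;
	}

	/* Convert back to KMF format */
	(void) memset(&rsa, 0, sizeof (rsa));

	if ((ret = sslBN2KMFBN(Exp1, &rsa.exp1)) != KMF_OK)
		goto out;
	if ((ret = sslBN2KMFBN(Exp2, &rsa.exp2)) != KMF_OK)
		goto out;
	if ((ret = sslBN2KMFBN(COEF, &rsa.coef)) != KMF_OK)
		goto out;

	rsa.mod.val = (uchar_t *)Mod->bv_val;
	rsa.mod.len = Mod->bv_len;

	rsa.pubexp.val = (uchar_t *)PubExp->bv_val;
	rsa.pubexp.len = PubExp->bv_len;

	rsa.priexp.val = (uchar_t *)PriExp->bv_val;
	rsa.priexp.len = PriExp->bv_len;

	rsa.prime1.val = (uchar_t *)Prime1->bv_val;
	rsa.prime1.len = Prime1->bv_len;

	rsa.prime2.val = (uchar_t *)Prime2->bv_val;
	rsa.prime2.len = Prime2->bv_len;

	*pkey = ImportRawRSAKey(&rsa);
out:
	if (asn1 != NULL)
		kmfber_free(asn1, 1);

	if (OID.bv_val) {
		free(OID.bv_val);
	}
	/*
	 * NOTE(review): PriExp, Prime1 and Prime2 carry private key
	 * material, yet only their BerValue structs are freed here while
	 * Coef's bv_val buffer is zeroized and freed.  Confirm who owns
	 * the bv_val buffers (kmfber_scanf vs. the asn1 element) and, if
	 * they are separate allocations, zeroize and free them the same
	 * way Coef is handled.
	 */
	if (PriExp)
		free(PriExp);

	if (Mod)
		free(Mod);

	if (PubExp)
		free(PubExp);

	if (Coef) {
		(void) memset(Coef->bv_val, 0, Coef->bv_len);
		free(Coef->bv_val);
		free(Coef);
	}
	if (Prime1)
		free(Prime1);
	if (Prime2)
		free(Prime2);

	if (ctx != NULL)
		BN_CTX_free(ctx);

	/* BN_clear_free wipes the secret values before releasing them. */
	if (D)
		BN_clear_free(D);
	if (P)
		BN_clear_free(P);
	if (Q)
		BN_clear_free(Q);
	if (pminus1)
		BN_clear_free(pminus1);
	if (qminus1)
		BN_clear_free(qminus1);
	if (Exp1)
		BN_clear_free(Exp1);
	if (Exp2)
		BN_clear_free(Exp2);
	if (COEF)
		BN_clear_free(COEF);

	return (ret);

}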
02744e811b15322c5f109827a116c33bfe3438b5wyllys
/*
 * Fallback for a DER key file that d2i_PrivateKey_bio() rejected: read the
 * raw file through KMF and let readAltFormatPrivateKey() try the odd ASN.1
 * variants.  On success *pkeyp is set; on failure it is left untouched.
 */
static void
openssl_load_key_alt_der(KMF_HANDLE *kmfh, const char *file, EVP_PKEY **pkeyp)
{
	KMF_DATA raw;

	if (KMF_ReadInputFile(kmfh, (char *)file, &raw) != KMF_OK)
		return;
	(void) readAltFormatPrivateKey(&raw, pkeyp);
	KMF_FreeData(&raw);
}

/*
 * Fallback for a PEM key file that PEM_read_bio_PrivateKey() rejected:
 * strip the PEM armour with KMF_Pem2Der() and try the alternate-format
 * RSA private key decoder on the resulting DER.
 */
static void
openssl_load_key_alt_pem(KMF_HANDLE *kmfh, const char *file, EVP_PKEY **pkeyp)
{
	KMF_DATA raw;
	KMF_DATA der;
	uchar_t *derbuf = NULL;
	int derlen;

	if (KMF_ReadInputFile(kmfh, (char *)file, &raw) != KMF_OK)
		return;
	if (KMF_Pem2Der(raw.Data, raw.Length, &derbuf, &derlen) == KMF_OK &&
	    derbuf != NULL) {
		der.Data = derbuf;
		der.Length = (size_t)derlen;
		(void) readAltFormatPrivateKey(&der, pkeyp);
		free(derbuf);
	}
	KMF_FreeData(&raw);
}

/*
 * Load a private key from 'file', detecting DER vs. PEM from the file
 * contents.  Returns a new EVP_PKEY the caller must free, or NULL.  A NULL
 * file name or an unrecognisable format returns NULL without recording an
 * error; every other failure records the OpenSSL error on the handle.
 */
static EVP_PKEY *
openssl_load_key(KMF_HANDLE_T handle, const char *file)
{
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_ENCODE_FORMAT format;
	BIO *keyfile;
	EVP_PKEY *pkey = NULL;

	if (file == NULL)
		return (NULL);

	if (KMF_GetFileFormat((char *)file, &format) != KMF_OK)
		return (NULL);

	keyfile = BIO_new_file(file, "rb");
	if (keyfile != NULL) {
		switch (format) {
		case KMF_FORMAT_ASN1:
			pkey = d2i_PrivateKey_bio(keyfile, NULL);
			if (pkey == NULL) {
				/*
				 * The BIO has been consumed; release it before
				 * re-reading the file through KMF.
				 */
				(void) BIO_free(keyfile);
				keyfile = NULL;
				openssl_load_key_alt_der(kmfh, file, &pkey);
			}
			break;
		case KMF_FORMAT_PEM:
		case KMF_FORMAT_PEM_KEYPAIR:
			pkey = PEM_read_bio_PrivateKey(keyfile, NULL, NULL,
			    NULL);
			if (pkey == NULL)
				openssl_load_key_alt_pem(kmfh, file, &pkey);
			break;
		default:
			/* Unsupported format: fall through to the error path. */
			break;
		}
	}

	if (pkey == NULL)
		SET_ERROR(kmfh, ERR_get_error());

	if (keyfile != NULL)
		(void) BIO_free(keyfile);

	return (pkey);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
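/*
 * Release a certificate list returned by load_certs(): every entry's DER
 * buffer, then the array itself.  A NULL list is a no-op.
 */
static void
findcert_free_list(KMF_DATA *certlist, uint32_t numcerts)
{
	uint32_t i;

	if (certlist == NULL)
		return;
	for (i = 0; i < numcerts; i++)
		KMF_FreeData(&certlist[i]);
	free(certlist);
}

/*
 * Hand the DER buffers in certlist to the caller's array, filling slots
 * kmf_cert[start .. start + numcerts - 1].  Ownership of each Data pointer
 * moves to kmf_cert (released later by OpenSSL_FreeKMFCert); only the
 * array shell is freed here.  The caller guarantees the slots exist.
 */
static void
findcert_adopt_list(KMF_X509_DER_CERT *kmf_cert, uint32_t start,
    KMF_DATA *certlist, uint32_t numcerts, const char *label)
{
	uint32_t i;

	for (i = 0; i < numcerts; i++) {
		KMF_X509_DER_CERT *dst = &kmf_cert[start + i];

		dst->certificate.Data = certlist[i].Data;
		dst->certificate.Length = certlist[i].Length;
		dst->kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
		dst->kmf_private.flags = KMF_FLAG_CERT_VALID;
		/* strdup() may fail; a NULL label is tolerated by the free path. */
		dst->kmf_private.label = strdup(label);
	}
	free(certlist);
}

/*
 * Find certificates in the OpenSSL "keystore", which is either a single
 * file or a directory of files (dirpath/certfile from params).
 *
 * kmf_cert == NULL: only count the matching certificates into *num_certs.
 * kmf_cert != NULL: also fill kmf_cert[0..] with the matches.  No capacity
 * is passed in, so the caller must size kmf_cert for at least the count a
 * preceding counting call reported for the same parameters; this function
 * cannot bounds-check the array.
 *
 * Returns KMF_OK when at least one certificate was found,
 * KMF_ERR_CERT_NOT_FOUND when a directory yielded none, the load_certs()
 * error for a single file, or KMF_ERR_BAD_PARAMETER for bad arguments or
 * an unopenable directory.
 */
KMF_RETURN
OpenSSL_FindCert(KMF_HANDLE_T handle,
	KMF_FINDCERT_PARAMS *params,
	KMF_X509_DER_CERT *kmf_cert,
	uint32_t *num_certs)
{
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	char *fullpath;

	if (num_certs == NULL || params == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	*num_certs = 0;

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.certfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (isdir(fullpath)) {
		DIR *dirp;
		struct dirent *dp;
		uint32_t n = 0;

		/* open all files in the directory and attempt to read them */
		if ((dirp = opendir(fullpath)) == NULL) {
			free(fullpath);
			return (KMF_ERR_BAD_PARAMETER);
		}
		while ((dp = readdir(dirp)) != NULL) {
			char *fname;
			KMF_DATA *certlist = NULL;
			uint32_t numcerts = 0;

			if (strcmp(dp->d_name, ".") == 0 ||
			    strcmp(dp->d_name, "..") == 0)
				continue;

			fname = get_fullpath(fullpath, (char *)&dp->d_name);
			if (fname == NULL)
				continue;	/* out of memory; skip this entry */

			rv = load_certs(kmfh, params, fname, &certlist,
			    &numcerts);
			if (rv != KMF_OK) {
				/* Unreadable or non-matching file: skip it. */
				findcert_free_list(certlist, numcerts);
				free(fname);
				continue;
			}

			/* If load succeeds, add certdata to the list */
			if (kmf_cert != NULL && certlist != NULL)
				findcert_adopt_list(kmf_cert, n, certlist,
				    numcerts, fname);
			else
				findcert_free_list(certlist, numcerts);
			n += numcerts;
			free(fname);
		}
		(void) closedir(dirp);

		*num_certs = n;
		/* Per-file failures are not errors; only an empty result is. */
		rv = (n == 0) ? KMF_ERR_CERT_NOT_FOUND : KMF_OK;
	} else {
		KMF_DATA *certlist = NULL;
		uint32_t numcerts = 0;

		rv = load_certs(kmfh, params, fullpath, &certlist, &numcerts);
		if (rv != KMF_OK) {
			findcert_free_list(certlist, numcerts);
			free(fullpath);
			return (rv);
		}

		if (kmf_cert != NULL && certlist != NULL)
			findcert_adopt_list(kmf_cert, 0, certlist, numcerts,
			    fullpath);
		else
			findcert_free_list(certlist, numcerts);
		*num_certs = numcerts;
	}

	free(fullpath);

	return (rv);
}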
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
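/*
 * Release the buffers owned by a KMF_X509_DER_CERT filled in by
 * OpenSSL_FindCert(): the DER certificate and the label (the file path the
 * certificate was loaded from).  The structure itself is not freed and is
 * left in a state where calling this again is harmless.
 */
void
/*ARGSUSED*/
OpenSSL_FreeKMFCert(KMF_HANDLE_T handle,
	KMF_X509_DER_CERT *kmf_cert)
{
	if (kmf_cert == NULL)
		return;

	if (kmf_cert->certificate.Data != NULL) {
		free(kmf_cert->certificate.Data);
		kmf_cert->certificate.Data = NULL;
		kmf_cert->certificate.Length = 0;
	}
	if (kmf_cert->kmf_private.label != NULL) {
		free(kmf_cert->kmf_private.label);
		/* Clear the pointer so a second free call cannot double-free. */
		kmf_cert->kmf_private.label = NULL;
	}
}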
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
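/*
 * Write a DER certificate (pcert) to the file named by
 * params->sslparms.dirpath/certfile, in the format params->sslparms.format
 * selects.  DER is written byte-for-byte; PEM is produced by parsing the
 * DER into an X509 and letting OpenSSL armour it.
 *
 * Returns KMF_ERR_BAD_PARAMETER for missing arguments or a directory
 * target, KMF_ERR_BAD_CERT_FORMAT for a format other than ASN1/PEM,
 * KMF_ERR_INTERNAL when the file cannot be opened, KMF_ERR_WRITE_FILE on a
 * short write or a failed close, KMF_ERR_ENCODING when the DER does not
 * parse or the PEM conversion fails, and KMF_OK on success.  A failed
 * write may leave a truncated file behind.
 */
KMF_RETURN
OpenSSL_StoreCert(KMF_HANDLE_T handle, KMF_STORECERT_PARAMS *params,
    KMF_DATA * pcert)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	X509 *xcert = NULL;
	FILE *fp = NULL;
	unsigned char *outbuf = NULL;
	const unsigned char *outbuf_p;
	char *fullpath = NULL;
	size_t outbuflen;
	KMF_ENCODE_FORMAT format;

	if (params == NULL || params->ks_opt_u.openssl_opts.certfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0)
		return (KMF_ERR_BAD_PARAMETER);

	/*
	 * check if the cert output format is supported by OPENSSL.
	 * however, since the keystore for OPENSSL is just a file, we have
	 * no way to store the format along with the file.
	 */
	format = params->sslparms.format;
	if (format != KMF_FORMAT_ASN1 && format != KMF_FORMAT_PEM)
		return (KMF_ERR_BAD_CERT_FORMAT);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.certfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/*
	 * When storing a certificate, you must specify a filename.
	 */
	if (isdir(fullpath)) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto out;
	}

	/* copy cert data to outbuf */
	outbuflen = pcert->Length;
	outbuf = malloc(outbuflen);
	if (outbuf == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}
	(void) memcpy(outbuf, pcert->Data, outbuflen);

	if ((fp = fopen(fullpath, "w")) == NULL) {
		SET_SYS_ERROR(kmfh, errno);
		ret = KMF_ERR_INTERNAL;
		goto out;
	}

	if (format == KMF_FORMAT_ASN1) {
		if (fwrite(outbuf, 1, outbuflen, fp) != outbuflen) {
			SET_SYS_ERROR(kmfh, errno);
			ret = KMF_ERR_WRITE_FILE;
		}
		goto out;
	}

	/*
	 * The output format is not KMF_FORMAT_ASN1, so we will
	 * Convert the cert data to OpenSSL internal X509 first.
	 */
	outbuf_p = outbuf; /* use a temp pointer; d2i_X509 advances it */
	xcert = d2i_X509(NULL, &outbuf_p, (long)outbuflen);
	if (xcert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_ENCODING;
		goto out;
	}

	/* Convert to the PEM format and write it out */
	if (!PEM_write_X509(fp, xcert)) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_ENCODING;
	}

out:
	/*
	 * fclose() flushes buffered output; a failure here means the data
	 * did not reach the file, so report it unless an error is pending.
	 */
	if (fp != NULL && fclose(fp) != 0 && ret == KMF_OK) {
		SET_SYS_ERROR(kmfh, errno);
		ret = KMF_ERR_WRITE_FILE;
	}

	free(fullpath);
	free(outbuf);

	if (xcert != NULL)
		X509_free(xcert);

	return (ret);
}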
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
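/*
 * Delete the certificate file(s) selected by params.  If dirpath/certfile
 * names a directory, every file in it that kmf_load_cert() reports as a
 * matching certificate is unlinked; files it reports as
 * KMF_ERR_CERT_NOT_FOUND are skipped.  Otherwise the single file is
 * unlinked if it matches.
 *
 * Returns KMF_OK (also for a directory with no matching files),
 * KMF_ERR_BAD_PARAMETER for a NULL params or an unopenable directory,
 * KMF_ERR_MEMORY if a path cannot be built, KMF_ERR_INTERNAL if unlink()
 * fails (errno recorded on the handle), or the kmf_load_cert() error.
 * The directory walk stops at the first error.
 */
KMF_RETURN
OpenSSL_DeleteCert(KMF_HANDLE_T handle, KMF_DELETECERT_PARAMS *params)
{
	/* Initialised: a directory with no candidate files never sets rv. */
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	char *fullpath = NULL;
	KMF_DATA certdata = {NULL, 0};

	if (params == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.certfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (isdir(fullpath)) {
		DIR *dirp;
		struct dirent *dp;

		/* open all files in the directory and attempt to read them */
		if ((dirp = opendir(fullpath)) == NULL) {
			free(fullpath);
			return (KMF_ERR_BAD_PARAMETER);
		}

		while ((dp = readdir(dirp)) != NULL) {
			char *fname;

			if (strcmp(dp->d_name, ".") == 0 ||
			    strcmp(dp->d_name, "..") == 0)
				continue;

			fname = get_fullpath(fullpath, (char *)&dp->d_name);
			if (fname == NULL) {
				rv = KMF_ERR_MEMORY;
				break;
			}

			rv = kmf_load_cert(kmfh, params, fname, &certdata);
			if (rv == KMF_OK && unlink(fname) != 0) {
				SET_SYS_ERROR(kmfh, errno);
				rv = KMF_ERR_INTERNAL;
			}
			free(fname);

			/*
			 * Drop this file's DER copy and reset the pointer so
			 * the common cleanup below cannot free it a second
			 * time after the last iteration.
			 */
			free(certdata.Data);
			certdata.Data = NULL;
			certdata.Length = 0;

			if (rv == KMF_ERR_CERT_NOT_FOUND) {
				rv = KMF_OK;
				continue;
			}
			if (rv != KMF_OK)
				break;
		}
		(void) closedir(dirp);
	} else {
		/* Just try to load a single certificate */
		rv = kmf_load_cert(kmfh, params, fullpath, &certdata);
		if (rv == KMF_OK && unlink(fullpath) != 0) {
			SET_SYS_ERROR(kmfh, errno);
			rv = KMF_ERR_INTERNAL;
		}
	}

	free(fullpath);
	free(certdata.Data);

	return (rv);
}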
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
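/*
 * DER-encode the public half of an RSA or DSA key (SubjectPublicKeyInfo)
 * into keydata.  OpenSSL's i2d_*_PUBKEY() allocates the output buffer when
 * keydata->Data is NULL on entry and writes into the caller's buffer
 * unchecked otherwise, so callers are expected to pass Data == NULL
 * (review: confirm all callers do).  On success keydata->Length is the
 * encoded size and the caller owns keydata->Data.
 *
 * Returns KMF_ERR_BAD_PARAMETER for NULL arguments, an unsupported key
 * algorithm, or a key handle whose EVP_PKEY does not carry the claimed
 * algorithm; KMF_ERR_ENCODING (OpenSSL error recorded on the handle) when
 * encoding fails; KMF_OK otherwise.  keydata is left untouched on failure.
 */
KMF_RETURN
OpenSSL_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
	KMF_DATA *keydata)
{
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	int n = 0;

	if (key == NULL || keydata == NULL || key->keyp == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (key->keyalg == KMF_RSA) {
		RSA *pubkey = EVP_PKEY_get1_RSA(key->keyp);

		/* get1 returns NULL when the EVP_PKEY is not really RSA. */
		if (pubkey == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			return (KMF_ERR_BAD_PARAMETER);
		}
		n = i2d_RSA_PUBKEY(pubkey, &keydata->Data);
		/* Release the get1 reference on every path, not only success. */
		RSA_free(pubkey);
	} else if (key->keyalg == KMF_DSA) {
		DSA *pubkey = EVP_PKEY_get1_DSA(key->keyp);

		if (pubkey == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			return (KMF_ERR_BAD_PARAMETER);
		}
		n = i2d_DSA_PUBKEY(pubkey, &keydata->Data);
		DSA_free(pubkey);
	} else {
		return (KMF_ERR_BAD_PARAMETER);
	}

	/* i2d_* report failure as 0 or a negative value, not just 0. */
	if (n <= 0) {
		SET_ERROR(kmfh, ERR_get_error());
		return (KMF_ERR_ENCODING);
	}

	keydata->Length = (size_t)n;

	return (KMF_OK);
}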
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
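/*
 * Serialize the private half of pkey to 'out' in the requested encoding.
 *
 * format	KMF_FORMAT_ASN1 (DER) or KMF_FORMAT_PEM; anything else is
 *		rejected.
 * cred		Passed through as the PEM password-callback argument.  The
 *		key is written with no cipher (enc == NULL), so it is not
 *		consulted and the key material lands on disk unencrypted.
 *		May be NULL.
 * pkey		Must wrap an RSA or DSA key.
 *
 * Returns KMF_OK on success, KMF_ERR_BAD_PARAMETER for a NULL out/pkey, an
 * unsupported format or an unsupported key type, and KMF_ERR_INTERNAL with
 * the OpenSSL error recorded on kmfh when the encoder fails.  Previously a
 * failed write (encoder returned 0) or an unknown key type was reported as
 * the raw OpenSSL return value 0, which callers could not distinguish from
 * KMF_OK.
 */
static KMF_RETURN
ssl_write_private_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out,
    KMF_CREDENTIAL *cred, EVP_PKEY *pkey)
{
	int sslrv = 0;
	/* Callback argument for the PEM writers; unused with enc == NULL. */
	void *cb_arg = (cred != NULL) ? (void *)cred->cred : NULL;
	RSA *rsa;
	DSA *dsa;

	if (out == NULL || pkey == NULL)
		return (KMF_ERR_BAD_PARAMETER);
	if (format != KMF_FORMAT_ASN1 && format != KMF_FORMAT_PEM)
		return (KMF_ERR_BAD_PARAMETER);

	if (pkey->type == EVP_PKEY_RSA) {
		/* get1 takes a reference; release it after the write. */
		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			return (KMF_ERR_INTERNAL);
		}
		if (format == KMF_FORMAT_ASN1)
			sslrv = i2d_RSAPrivateKey_bio(out, rsa);
		else
			sslrv = PEM_write_bio_RSAPrivateKey(out, rsa,
			    NULL /* encryption type */, NULL, 0, NULL, cb_arg);
		RSA_free(rsa);
	} else if (pkey->type == EVP_PKEY_DSA) {
		if ((dsa = EVP_PKEY_get1_DSA(pkey)) == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			return (KMF_ERR_INTERNAL);
		}
		if (format == KMF_FORMAT_ASN1)
			sslrv = i2d_DSAPrivateKey_bio(out, dsa);
		else
			sslrv = PEM_write_bio_DSAPrivateKey(out, dsa,
			    NULL /* encryption type */, NULL, 0, NULL, cb_arg);
		DSA_free(dsa);
	} else {
		/* Neither RSA nor DSA: nothing would be written. */
		return (KMF_ERR_BAD_PARAMETER);
	}

	/* OpenSSL's i2d_*_bio and PEM_write_bio_* return 1 on success. */
	if (sslrv != 1) {
		SET_ERROR(kmfh, ERR_get_error());
		return (KMF_ERR_INTERNAL);
	}
	return (KMF_OK);
}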
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
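/*
 * Fill in the keystore-independent fields of a KMF_KEY_HANDLE for a key
 * that lives in an OpenSSL key file.  keyp is left NULL; the caller attaches
 * the EVP_PKEY once it has been populated.  keyalg/keyclass are taken as int
 * so the one helper serves both the RSA and the DSA paths.
 */
static void
ssl_init_key_handle(KMF_KEY_HANDLE *kh, int keyalg, int keyclass,
    const char *label)
{
	kh->kstype = KMF_KEYSTORE_OPENSSL;
	kh->keyalg = keyalg;
	kh->keyclass = keyclass;
	kh->israw = FALSE;
	/* The key file path doubles as the label; NULL if strdup fails. */
	kh->keylabel = (char *)strdup(label);
	kh->keyp = NULL;
}

/*
 * Generate an RSA or DSA keypair and store the private key, unencrypted,
 * in the file dirpath/keyfile named by params->sslparms.
 *
 * params->keytype	KMF_RSA or KMF_DSA; anything else is rejected.
 * params->keylength	RSA modulus size in bits.  Not consulted for DSA:
 *			the DSA domain parameters come from the fixed tables
 *			P, Q and G defined elsewhere in this file.
 * params->rsa_exponent	Optional RSA public exponent, 1..sizeof (uint32_t)
 *			bytes placed in host byte order; defaults to 65537.
 * privkey/pubkey	Either may be NULL.  On success each non-NULL handle
 *			is filled in and owns an EVP_PKEY in keyp plus a
 *			strdup'd copy of the file path in keylabel.  OpenSSL
 *			derives the public key from the private one, so the
 *			"public" handle wraps the same key object, private
 *			components included.
 *
 * Returns KMF_ERR_BAD_PARAMETER for missing parameters or an unsupported
 * keytype, KMF_ERR_DUPLICATE_KEYFILE if the key file already exists,
 * KMF_ERR_KEYGEN_FAILED / KMF_ERR_MEMORY / KMF_ERR_OPEN_FILE on the
 * corresponding failures (OpenSSL error recorded via SET_ERROR), or the
 * result of ssl_write_private_key().  On failure both handles are reset
 * and every allocation is released.
 */
KMF_RETURN
OpenSSL_CreateKeypair(KMF_HANDLE_T handle, KMF_CREATEKEYPAIR_PARAMS *params,
    KMF_KEY_HANDLE *privkey, KMF_KEY_HANDLE *pubkey)
{
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	int format;
	uint32_t eValue = 0x010001;
	RSA *sslPrivKey = NULL;
	DSA *sslDSAKey = NULL;
	EVP_PKEY *eprikey = NULL;
	EVP_PKEY *epubkey = NULL;
	BIO *out = NULL;
	char *fullpath = NULL;

	if (params == NULL || params->sslparms.keyfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.keyfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/* Never overwrite an existing key file. */
	if (access(fullpath, F_OK) == 0) {
		free(fullpath);
		return (KMF_ERR_DUPLICATE_KEYFILE);
	}

	eprikey = EVP_PKEY_new();
	if (eprikey == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_KEYGEN_FAILED;
		goto cleanup;
	}
	epubkey = EVP_PKEY_new();
	if (epubkey == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_KEYGEN_FAILED;
		goto cleanup;
	}

	if (params->keytype == KMF_RSA) {
		/*
		 * Caller-supplied public exponent.  Copy at most
		 * sizeof (eValue) bytes instead of dereferencing val as a
		 * uint32_t, which over-read buffers shorter than four bytes
		 * and relied on aligned access.  Byte placement is
		 * host-native, as before; unsupplied bytes are zero.
		 */
		if (params->rsa_exponent.len > 0 &&
		    params->rsa_exponent.len <= sizeof (eValue) &&
		    params->rsa_exponent.val != NULL) {
			eValue = 0;
			(void) memcpy(&eValue, params->rsa_exponent.val,
			    params->rsa_exponent.len);
		}

		sslPrivKey = RSA_generate_key(params->keylength, eValue,
		    NULL, NULL);
		if (sslPrivKey == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_KEYGEN_FAILED;
			goto cleanup;
		}
		/*
		 * eprikey is what gets written to the key file, so it is
		 * populated even when the caller passed no privkey handle.
		 */
		if (!EVP_PKEY_set1_RSA(eprikey, sslPrivKey)) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_KEYGEN_FAILED;
			goto cleanup;
		}
		if (privkey != NULL) {
			ssl_init_key_handle(privkey, KMF_RSA, KMF_ASYM_PRI,
			    fullpath);
			privkey->keyp = (void *)eprikey;
		}
		/* OpenSSL derives the public key from the private */
		if (pubkey != NULL) {
			if (!EVP_PKEY_set1_RSA(epubkey, sslPrivKey)) {
				SET_ERROR(kmfh, ERR_get_error());
				rv = KMF_ERR_KEYGEN_FAILED;
				goto cleanup;
			}
			ssl_init_key_handle(pubkey, KMF_RSA, KMF_ASYM_PUB,
			    fullpath);
			pubkey->keyp = (void *)epubkey;
		}
	} else if (params->keytype == KMF_DSA) {
		sslDSAKey = DSA_new();
		if (sslDSAKey == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_MEMORY;
			/* A bare return here leaked fullpath and both EVP_PKEYs. */
			goto cleanup;
		}

		/* Fixed DSA domain parameters P, Q, G from this file. */
		if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
		    NULL ||
		    (sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
		    NULL ||
		    (sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
		    NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_KEYGEN_FAILED;
			goto cleanup;
		}

		if (!DSA_generate_key(sslDSAKey)) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_KEYGEN_FAILED;
			goto cleanup;
		}

		/* As for RSA: eprikey is always what is written to disk. */
		if (!EVP_PKEY_set1_DSA(eprikey, sslDSAKey)) {
			SET_ERROR(kmfh, ERR_get_error());
			rv = KMF_ERR_KEYGEN_FAILED;
			goto cleanup;
		}
		if (privkey != NULL) {
			ssl_init_key_handle(privkey, KMF_DSA, KMF_ASYM_PRI,
			    fullpath);
			privkey->keyp = (void *)eprikey;
		}
		if (pubkey != NULL) {
			/*
			 * The public handle wraps the full DSA object.  The
			 * old code also built a detached p/q/g/pub_key copy
			 * here, never attached it to anything, and leaked it
			 * on every call.
			 */
			if (!EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) {
				SET_ERROR(kmfh, ERR_get_error());
				rv = KMF_ERR_KEYGEN_FAILED;
				goto cleanup;
			}
			ssl_init_key_handle(pubkey, KMF_DSA, KMF_ASYM_PUB,
			    fullpath);
			pubkey->keyp = (void *)epubkey;
		}
	} else {
		/* Previously fell through and wrote an empty key file. */
		rv = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	/* Store the private key to the keyfile */
	format = params->sslparms.format;
	out = BIO_new_file(fullpath, "wb");
	if (out == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}
	/*
	 * Restrict the file before any key material is written: BIO_new_file
	 * created it with the default umask-derived permissions, and the
	 * stream is already open for writing so 0400 does not interfere with
	 * the write below.  The old code did this after the write, and after
	 * fullpath had already been freed.
	 */
	(void) chmod(fullpath, 0400);
	rv = ssl_write_private_key(kmfh, format, out, &params->cred, eprikey);

cleanup:
	if (rv != KMF_OK) {
		if (eprikey != NULL)
			EVP_PKEY_free(eprikey);
		if (epubkey != NULL)
			EVP_PKEY_free(epubkey);
		/* Either handle may be NULL; reset whichever were given. */
		if (pubkey != NULL) {
			free(pubkey->keylabel);
			pubkey->keylabel = NULL;
			pubkey->keyp = NULL;
		}
		if (privkey != NULL) {
			free(privkey->keylabel);
			privkey->keylabel = NULL;
			privkey->keyp = NULL;
		}
	} else {
		/* Release the EVP_PKEYs that no handle took ownership of. */
		if (privkey == NULL)
			EVP_PKEY_free(eprikey);
		if (pubkey == NULL)
			EVP_PKEY_free(epubkey);
	}

	/* The EVP_PKEYs hold their own references; drop ours. */
	if (sslPrivKey != NULL)
		RSA_free(sslPrivKey);
	if (sslDSAKey != NULL)
		DSA_free(sslDSAKey);
	if (out != NULL)
		(void) BIO_free(out);
	free(fullpath);

	return (rv);
}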
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
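/*
 * Sign tobesigned->Data with the private key in 'key', writing the signature
 * into the caller-supplied buffer output->Data and setting output->Length to
 * the number of bytes written (0 on failure).
 *
 * RSA keys:	MD5/MD2/SHA1-with-RSA OIDs go through EVP_Sign* (PKCS#1 v1.5
 *		with DigestInfo).  The plain RSA OID applies RSA_private_encrypt
 *		with PKCS#1 padding directly to the caller's bytes.  MD2 and
 *		MD5 are kept only for interoperability with legacy verifiers.
 * DSA keys:	SHA-1 digest, then DSA_do_sign.  The result is raw r||s with
 *		each value left-padded with zeros to the byte length of q, the
 *		fixed-width form PKCS#11 and NSS produce, not the ASN.1
 *		SEQUENCE.
 *
 * Returns KMF_ERR_BAD_PARAMETER for NULL arguments, an unknown OID, an
 * unsupported key/algorithm combination, or an output buffer too small for
 * the signature; KMF_ERR_INTERNAL (OpenSSL error recorded via SET_ERROR)
 * when OpenSSL fails.  Buffer sizes are checked here because neither
 * RSA_private_encrypt nor EVP_SignFinal bounds its output by the caller's
 * length.
 */
KMF_RETURN
OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
    KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_ALGORITHM_INDEX AlgId;
	EVP_MD_CTX ctx;
	const EVP_MD *md;

	if (key == NULL || AlgOID == NULL ||
	    tobesigned == NULL || output == NULL ||
	    tobesigned->Data == NULL ||
	    output->Data == NULL || key->keyp == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/* Map the OID to an OpenSSL algorithm */
	AlgId = X509_AlgorithmOidToAlgId(AlgOID);
	if (AlgId == KMF_ALGID_NONE)
		return (KMF_ERR_BAD_PARAMETER);

	if (key->keyalg == KMF_RSA) {
		EVP_PKEY *pkey = (EVP_PKEY *)key->keyp;

		if (AlgId == KMF_ALGID_MD5WithRSA)
			md = EVP_md5();
		else if (AlgId == KMF_ALGID_MD2WithRSA)
			md = EVP_md2();
		else if (AlgId == KMF_ALGID_SHA1WithRSA)
			md = EVP_sha1();
		else if (AlgId == KMF_ALGID_RSA)
			md = NULL;	/* raw RSA: no digest step */
		else
			return (KMF_ERR_BAD_PARAMETER);

		if (md == NULL) {
			RSA *rsa = EVP_PKEY_get1_RSA(pkey);
			int len;

			if (rsa == NULL) {
				SET_ERROR(kmfh, ERR_get_error());
				return (KMF_ERR_INTERNAL);
			}
			/*
			 * RSA_private_encrypt always emits RSA_size(rsa)
			 * bytes; refuse a buffer that cannot hold them
			 * rather than overrun it.
			 */
			if (output->Length < (size_t)RSA_size(rsa)) {
				RSA_free(rsa);
				return (KMF_ERR_BAD_PARAMETER);
			}
			len = RSA_private_encrypt(tobesigned->Length,
			    tobesigned->Data, output->Data, rsa,
			    RSA_PKCS1_PADDING);
			RSA_free(rsa);	/* get1 took a reference */
			if (len <= 0) {
				/* Was stored as -1, i.e. a huge Length. */
				SET_ERROR(kmfh, ERR_get_error());
				output->Length = 0;
				return (KMF_ERR_INTERNAL);
			}
			output->Length = len;
		} else {
			unsigned int siglen = 0;

			/*
			 * EVP_SignFinal writes up to EVP_PKEY_size(pkey)
			 * bytes and treats *siglen as output only, so the
			 * buffer has to be checked here.
			 */
			if (output->Length < (size_t)EVP_PKEY_size(pkey))
				return (KMF_ERR_BAD_PARAMETER);

			EVP_MD_CTX_init(&ctx);
			(void) EVP_SignInit_ex(&ctx, md, NULL);
			(void) EVP_SignUpdate(&ctx, tobesigned->Data,
			    (uint32_t)tobesigned->Length);
			if (!EVP_SignFinal(&ctx, output->Data, &siglen,
			    pkey)) {
				SET_ERROR(kmfh, ERR_get_error());
				siglen = 0;
				ret = KMF_ERR_INTERNAL;
			}
			output->Length = siglen;
			(void) EVP_MD_CTX_cleanup(&ctx);
		}
	} else if (key->keyalg == KMF_DSA) {
		DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
		uchar_t hash[EVP_MAX_MD_SIZE];
		uint32_t hashlen;
		DSA_SIG *dsasig;
		int qlen, rlen, slen;

		if (dsa == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			return (KMF_ERR_INTERNAL);
		}
		/* q fixes the width of r and s below. */
		if (dsa->q == NULL) {
			DSA_free(dsa);
			return (KMF_ERR_BAD_PARAMETER);
		}

		/*
		 * OpenSSL EVP_Sign operation automatically converts to
		 * ASN.1 output so we do the operations separately so we
		 * are assured of NOT getting ASN.1 output returned.
		 * KMF does not want ASN.1 encoded results because
		 * not all mechanisms return ASN.1 encodings (PKCS#11
		 * and NSS return raw signature data).
		 */
		md = EVP_sha1();
		EVP_MD_CTX_init(&ctx);
		(void) EVP_DigestInit_ex(&ctx, md, NULL);
		(void) EVP_DigestUpdate(&ctx, tobesigned->Data,
		    tobesigned->Length);
		(void) EVP_DigestFinal_ex(&ctx, hash, &hashlen);
		(void) EVP_MD_CTX_cleanup(&ctx);

		/*
		 * Raw r||s, each value left-padded with zeros to the byte
		 * length of q.  Writing BN_bn2bin() output back to back, as
		 * this code once did, shortened the signature whenever r or
		 * s had a leading zero byte and shifted s out of place for
		 * a fixed-width verifier.
		 */
		qlen = BN_num_bytes(dsa->q);
		if (output->Length < (size_t)(2 * qlen)) {
			DSA_free(dsa);
			return (KMF_ERR_BAD_PARAMETER);
		}

		dsasig = DSA_do_sign(hash, hashlen, dsa);
		DSA_free(dsa);	/* get1 took a reference */
		if (dsasig == NULL) {
			/* Previously reported KMF_OK with no signature. */
			SET_ERROR(kmfh, ERR_get_error());
			output->Length = 0;
			return (KMF_ERR_INTERNAL);
		}
		rlen = BN_num_bytes(dsasig->r);
		slen = BN_num_bytes(dsasig->s);
		if (rlen > qlen || slen > qlen) {
			/* r, s < q for any valid signature; never expected. */
			DSA_SIG_free(dsasig);
			output->Length = 0;
			return (KMF_ERR_INTERNAL);
		}
		(void) memset(output->Data, 0, 2 * qlen);
		(void) BN_bn2bin(dsasig->r, &output->Data[qlen - rlen]);
		(void) BN_bn2bin(dsasig->s, &output->Data[2 * qlen - slen]);
		output->Length = 2 * qlen;
		DSA_SIG_free(dsasig);
	} else {
		return (KMF_ERR_BAD_PARAMETER);
	}

	return (ret);
}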
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Release the in-memory key in 'key' and, when destroy is set, remove the
 * backing key file named by key->keylabel.  params is unused.
 *
 * The in-memory object is always freed and keyp cleared, whatever the value
 * of destroy.  When a keylabel is present the file is first loaded with
 * openssl_load_key() to confirm it really is a key before it is unlinked; a
 * file that does not load yields KMF_ERR_KEY_NOT_FOUND.  keylabel is freed
 * and cleared on every path that reaches it.  An unlink() failure is recorded
 * with SET_SYS_ERROR and reported as KMF_ERR_INTERNAL.  Note that unlink()
 * only removes the directory entry; the key bytes are not overwritten on
 * disk.
 *
 * Returns KMF_ERR_BAD_PARAMETER for a NULL key or keyp and
 * KMF_ERR_BAD_KEY_CLASS for a class other than public, private or symmetric.
 */
KMF_RETURN
/*ARGSUSED*/
OpenSSL_DeleteKey(KMF_HANDLE_T handle, KMF_DELETEKEY_PARAMS *params,
    KMF_KEY_HANDLE *key, boolean_t destroy)
{
	KMF_RETURN rv = KMF_OK;
	EVP_PKEY *loaded;

	if (key == NULL || key->keyp == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	switch (key->keyclass) {
	case KMF_SYMMETRIC:
		KMF_FreeRawSymKey((KMF_RAW_SYM_KEY *)key->keyp);
		break;
	case KMF_ASYM_PUB:
	case KMF_ASYM_PRI:
		EVP_PKEY_free(key->keyp);
		break;
	default:
		return (KMF_ERR_BAD_KEY_CLASS);
	}
	key->keyp = NULL;

	if (key->keylabel == NULL)
		return (rv);

	/* If the file exists, make sure it is a proper key. */
	loaded = openssl_load_key(handle, key->keylabel);
	if (loaded == NULL) {
		free(key->keylabel);
		key->keylabel = NULL;
		return (KMF_ERR_KEY_NOT_FOUND);
	}
	EVP_PKEY_free(loaded);

	if (destroy && unlink(key->keylabel) != 0) {
		KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
		SET_SYS_ERROR(kmfh, errno);
		rv = KMF_ERR_INTERNAL;
	}

	free(key->keylabel);
	key->keylabel = NULL;
	return (rv);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMF_RETURN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_ImportCRL(KMF_HANDLE_T handle, KMF_IMPORTCRL_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN ret = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_CRL *xcrl = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *xcert = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY *pkey;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ENCODE_FORMAT format;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys BIO *in = NULL, *out = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int openssl_ret = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *outcrlfile = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_ENCODE_FORMAT outformat;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params == NULL || params->sslparms.crlfile == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params->sslparms.crl_check == B_TRUE &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys params->sslparms.certfile == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outcrlfile = get_fullpath(params->sslparms.dirpath,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys params->sslparms.outcrlfile);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outcrlfile == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (isdir(outcrlfile)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(outcrlfile);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_IsCRLFile(handle, params->sslparms.crlfile, &format);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (ret != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(outcrlfile);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (ret);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys in = BIO_new_file(params->sslparms.crlfile, "rb");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (in == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OPEN_FILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format == KMF_FORMAT_ASN1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcrl = d2i_X509_CRL_bio(in, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (format == KMF_FORMAT_PEM) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcrl == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_CRLFILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If bypasscheck is specified, no need to verify. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params->sslparms.crl_check == B_FALSE) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto output;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_IsCertFile(handle, params->sslparms.certfile, &format);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (ret != KMF_OK)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Read in the CA cert file and convert to X509 */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (BIO_read_filename(in, params->sslparms.certfile) <= 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OPEN_FILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (format == KMF_FORMAT_ASN1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert = d2i_X509_bio(in, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (format == KMF_FORMAT_PEM) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_CERT_FORMAT;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcert == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_CERT_FORMAT;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now get the public key from the CA cert */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys pkey = X509_get_pubkey(xcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!pkey) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_CERTFILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Verify the CRL with the CA's public key */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys openssl_ret = X509_CRL_verify(xcrl, pkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY_free(pkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (openssl_ret > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_OK; /* verify succeed */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, openssl_ret);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_CRLFILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysoutput:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outformat = params->sslparms.format;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys out = BIO_new_file(outcrlfile, "wb");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (out == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OPEN_FILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outformat == KMF_FORMAT_ASN1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys openssl_ret = (int)i2d_X509_CRL_bio(out, xcrl);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (outformat == KMF_FORMAT_PEM) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys openssl_ret = PEM_write_bio_X509_CRL(out, xcrl);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_BAD_PARAMETER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (openssl_ret <= 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_WRITE_FILE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysend:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcrl != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_CRL_free(xcrl);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcert != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_free(xcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (in != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_free(in);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (out != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_free(out);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outcrlfile != NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(outcrlfile);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (ret);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
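/*
 * Load the CRL named by params->sslparms.crlfile (resolved against
 * params->sslparms.dirpath) and hand back its human-readable dump.
 *
 * On success *crldata points to a NUL-terminated, malloc()ed buffer that
 * the caller must free().  On failure *crldata is left untouched, a
 * KMF_ERR_* code is returned and, where OpenSSL was involved, its error
 * is recorded in the handle through SET_ERROR().
 */
KMF_RETURN
OpenSSL_ListCRL(KMF_HANDLE_T handle, KMF_LISTCRL_PARAMS *params,
	char **crldata)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	X509_CRL *xcrl = NULL;
	KMF_ENCODE_FORMAT format;
	char *crlfile = NULL;
	BIO *in = NULL;
	BIO *mem = NULL;
	long len;
	char *memptr;
	char *data = NULL;

	/* crldata is the only output; there is nothing to do without it. */
	if (params == NULL || params->sslparms.crlfile == NULL ||
	    crldata == NULL) {
		return (KMF_ERR_BAD_PARAMETER);
	}

	crlfile = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.crlfile);
	if (crlfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/* Every exit from here on goes through "end" so crlfile is freed once. */
	if (isdir(crlfile)) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto end;
	}

	/* Validates the file and tells us whether it is DER or PEM. */
	ret = KMF_IsCRLFile(handle, crlfile, &format);
	if (ret != KMF_OK)
		goto end;

	if (bio_err == NULL)
		bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

	in = BIO_new_file(crlfile, "rb");
	if (in == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto end;
	}

	if (format == KMF_FORMAT_ASN1) {
		xcrl = d2i_X509_CRL_bio(in, NULL);
	} else if (format == KMF_FORMAT_PEM) {
		xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
	}

	/*
	 * KMF_IsCRLFile() accepted the file a moment ago, so a parse
	 * failure here is unexpected.  Report it as a malformed CRL, the
	 * same code the other CRL entry points in this file use, rather
	 * than as an open failure (the open succeeded).
	 */
	if (xcrl == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CRLFILE;
		goto end;
	}

	mem = BIO_new(BIO_s_mem());
	if (mem == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_MEMORY;
		goto end;
	}

	/* A failed print would otherwise surface as truncated output. */
	if (X509_CRL_print(mem, xcrl) <= 0) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_INTERNAL;
		goto end;
	}

	len = BIO_get_mem_data(mem, &memptr);
	if (len <= 0) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_MEMORY;
		goto end;
	}

	/* The memory BIO is not NUL-terminated; give the caller a C string. */
	data = malloc((size_t)len + 1);
	if (data == NULL) {
		ret = KMF_ERR_MEMORY;
		goto end;
	}

	(void) memcpy(data, memptr, (size_t)len);
	data[len] = '\0';
	*crldata = data;

end:
	if (xcrl != NULL)
		X509_CRL_free(xcrl);

	free(crlfile);

	if (in != NULL)
		(void) BIO_free(in);

	if (mem != NULL)
		(void) BIO_free(mem);

	return (ret);
}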
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
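/*
 * Remove the CRL file named by params->sslparms.crlfile (resolved
 * against params->sslparms.dirpath).
 *
 * The path must not be a directory and must be accepted by
 * KMF_IsCRLFile(); both checks happen before unlink() is attempted, so
 * a file that does not parse as a CRL is never deleted through this
 * entry point.  When unlink() fails, errno is stored in the handle via
 * SET_SYS_ERROR() and KMF_ERR_INTERNAL is returned.
 */
KMF_RETURN
OpenSSL_DeleteCRL(KMF_HANDLE_T handle, KMF_DELETECRL_PARAMS *params)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_ENCODE_FORMAT format;	/* required by KMF_IsCRLFile(), unused here */
	char *crlfile = NULL;

	if (params == NULL || params->sslparms.crlfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	crlfile = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.crlfile);
	if (crlfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (isdir(crlfile)) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto end;
	}

	/* Refuse to remove anything that does not parse as a CRL. */
	ret = KMF_IsCRLFile(handle, crlfile, &format);
	if (ret != KMF_OK)
		goto end;

	/*
	 * NOTE: the validation above and the unlink() below are separate
	 * operations on a path, not on an open descriptor; a file replaced
	 * between the two is not re-checked.
	 */
	if (unlink(crlfile) != 0) {
		SET_SYS_ERROR(kmfh, errno);
		ret = KMF_ERR_INTERNAL;
	}

end:
	/* crlfile is non-NULL on every path that reaches here. */
	free(crlfile);

	return (ret);
}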
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
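/*
 * Check whether the certificate in params->sslparms.certfile is listed
 * in the CRL in params->sslparms.crlfile.
 *
 * Returns KMF_OK when the certificate's serial number appears in the
 * CRL (i.e. the certificate IS revoked), KMF_ERR_NOT_REVOKED when it
 * does not, KMF_ERR_ISSUER when the certificate and the CRL name
 * different issuers, KMF_ERR_EMPTY_CRL when the CRL carries no revoked
 * entries, and an open/format error code otherwise.
 *
 * Only issuer equality and serial-number membership are examined here;
 * the CRL's signature is not verified by this routine.
 */
KMF_RETURN
OpenSSL_FindCertInCRL(KMF_HANDLE_T handle, KMF_FINDCERTINCRL_PARAMS *params)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_ENCODE_FORMAT format;
	BIO *in = NULL;
	X509 *xcert = NULL;
	X509_CRL *xcrl = NULL;
	STACK_OF(X509_REVOKED) *revoke_stack = NULL;
	X509_REVOKED *revoke;
	ASN1_INTEGER *serial;
	int i, nrevoked;
	int found = 0;

	if (params == NULL || params->sslparms.crlfile == NULL ||
	    params->sslparms.certfile == NULL) {
		return (KMF_ERR_BAD_PARAMETER);
	}

	/* Validates the CRL file and reports whether it is DER or PEM. */
	ret = KMF_IsCRLFile(handle, params->sslparms.crlfile, &format);
	if (ret != KMF_OK)
		return (ret);

	/* Read the CRL file and load it into a X509_CRL structure */
	in = BIO_new_file(params->sslparms.crlfile, "rb");
	if (in == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto end;
	}

	if (format == KMF_FORMAT_ASN1) {
		xcrl = d2i_X509_CRL_bio(in, NULL);
	} else if (format == KMF_FORMAT_PEM) {
		xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
	}

	if (xcrl == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CRLFILE;
		goto end;
	}

	/*
	 * Done with the CRL BIO.  Clear the pointer so that an early exit
	 * before the certificate BIO is opened (e.g. KMF_IsCertFile()
	 * failing) does not free it a second time at "end".
	 */
	(void) BIO_free(in);
	in = NULL;

	/* Read the Certificate file and load it into a X509 structure */
	ret = KMF_IsCertFile(handle, params->sslparms.certfile, &format);
	if (ret != KMF_OK)
		goto end;

	in = BIO_new_file(params->sslparms.certfile, "rb");
	if (in == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto end;
	}

	if (format == KMF_FORMAT_ASN1) {
		xcert = d2i_X509_bio(in, NULL);
	} else if (format == KMF_FORMAT_PEM) {
		xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
	}

	if (xcert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CERTFILE;
		goto end;
	}

	/* Check if the certificate and the CRL have same issuer */
	if (X509_NAME_cmp(X509_get_issuer_name(xcert),
	    X509_CRL_get_issuer(xcrl)) != 0) {
		ret = KMF_ERR_ISSUER;
		goto end;
	}

	/* Check to see if the certificate serial number is revoked */
	revoke_stack = X509_CRL_get_REVOKED(xcrl);
	nrevoked = sk_X509_REVOKED_num(revoke_stack);
	if (nrevoked <= 0) {
		/* No revoked certificates in the CRL file (or no stack at all) */
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_EMPTY_CRL;
		goto end;
	}

	serial = X509_get_serialNumber(xcert);
	for (i = 0; i < nrevoked; i++) {
		/*LINTED*/
		revoke = sk_X509_REVOKED_value(revoke_stack, i);
		if (ASN1_INTEGER_cmp(serial, revoke->serialNumber) == 0) {
			found = 1;
			break;
		}
	}

	/* For this entry point "present in the CRL" is the success case. */
	ret = found ? KMF_OK : KMF_ERR_NOT_REVOKED;

end:
	if (in != NULL)
		(void) BIO_free(in);
	if (xcrl != NULL)
		X509_CRL_free(xcrl);
	if (xcert != NULL)
		X509_free(xcert);

	return (ret);
}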
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
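/*
 * Render the OpenSSL error code last stored in the handle
 * (kmfh->lasterr.errcode) as text.
 *
 * On success *msgstr receives a malloc()ed copy that the caller must
 * free(), or NULL if OpenSSL produced no text for the code.  Returns
 * KMF_ERR_BAD_PARAMETER when handle or msgstr is NULL and
 * KMF_ERR_MEMORY when the copy cannot be allocated.
 */
KMF_RETURN
OpenSSL_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	char str[256]; /* OpenSSL needs at least 120 byte buffer */

	/* Both pointers are dereferenced below. */
	if (kmfh == NULL || msgstr == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	ERR_error_string_n(kmfh->lasterr.errcode, str, sizeof (str));
	if (str[0] != '\0') {
		*msgstr = strdup(str);
		if (*msgstr == NULL)
			ret = KMF_ERR_MEMORY;
	} else {
		*msgstr = NULL;
	}

	return (ret);
}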
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Map a KMF_X509_EXT_* extension identifier to the OpenSSL NID for the
 * same extension.  Extensions that OpenSSL only knows by short name are
 * resolved through OBJ_sn2nid() at call time; anything not in the table
 * yields NID_undef.
 */
static int
ext2NID(int kmfext)
{
	static const struct {
		int kmfext;	/* KMF extension identifier */
		int nid;	/* OpenSSL NID, used when sn is NULL */
		const char *sn;	/* OpenSSL short name to look up, or NULL */
	} ext_map[] = {
		{ KMF_X509_EXT_KEY_USAGE, NID_key_usage, NULL },
		{ KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD,
		    NID_private_key_usage_period, NULL },
		{ KMF_X509_EXT_CERT_POLICIES, NID_certificate_policies, NULL },
		{ KMF_X509_EXT_SUBJ_ALTNAME, NID_subject_alt_name, NULL },
		{ KMF_X509_EXT_ISSUER_ALTNAME, NID_issuer_alt_name, NULL },
		{ KMF_X509_EXT_BASIC_CONSTRAINTS, NID_basic_constraints, NULL },
		{ KMF_X509_EXT_EXT_KEY_USAGE, NID_ext_key_usage, NULL },
		{ KMF_X509_EXT_AUTH_KEY_ID, NID_authority_key_identifier, NULL },
		{ KMF_X509_EXT_CRL_DIST_POINTS, NID_crl_distribution_points, NULL },
		{ KMF_X509_EXT_SUBJ_KEY_ID, NID_subject_key_identifier, NULL },
		{ KMF_X509_EXT_POLICY_MAPPINGS, NID_undef, "policyMappings" },
		{ KMF_X509_EXT_NAME_CONSTRAINTS, NID_undef, "nameConstraints" },
		{ KMF_X509_EXT_POLICY_CONSTRAINTS, NID_undef, "policyConstraints" },
		{ KMF_X509_EXT_INHIBIT_ANY_POLICY, NID_undef, "inhibitAnyPolicy" },
		{ KMF_X509_EXT_FRESHEST_CRL, NID_undef, "freshestCRL" }
	};
	size_t idx;

	for (idx = 0; idx < sizeof (ext_map) / sizeof (ext_map[0]); idx++) {
		if (ext_map[idx].kmfext != kmfext)
			continue;
		if (ext_map[idx].sn != NULL)
			return (OBJ_sn2nid(ext_map[idx].sn));
		return (ext_map[idx].nid);
	}

	return (NID_undef);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysKMF_RETURN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_PRINTABLE_ITEM flag, char *resultStr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN ret = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *xcert = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char *outbuf = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char *outbuf_p;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *tmpstr = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int j;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int ext_index, nid, len;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys BIO *mem = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys STACK *emlst = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_EXTENSION *ex;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_CINF *ci;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* copy cert data to outbuf */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outbuf = malloc(pcert->Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outbuf == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_MEMORY);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(outbuf, pcert->Data, pcert->Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys outbuf_p = outbuf; /* use a temp pointer; required by openssl */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert = d2i_X509(NULL, (const uchar_t **)&outbuf_p, pcert->Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcert == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_ENCODING;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys mem = BIO_new(BIO_s_mem());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (mem == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_MEMORY;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys switch (flag) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_ISSUER:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) X509_NAME_print_ex(mem, X509_get_issuer_name(xcert), 0,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys XN_FLAG_SEP_CPLUS_SPC);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_SUBJECT:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) X509_NAME_print_ex(mem, X509_get_subject_name(xcert), 0,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys XN_FLAG_SEP_CPLUS_SPC);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_VERSION:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys OPENSSL_free(tmpstr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = strlen(resultStr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_SERIALNUM:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) strcpy(resultStr, "0x");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, &resultStr[2],
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CERT_PRINTABLE_LEN - 2);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_NOTBEFORE:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_NOTAFTER:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_PUBKEY_DATA:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY *pkey = X509_get_pubkey(xcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pkey == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_ENCODING;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pkey->type == EVP_PKEY_RSA) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "RSA Public Key: (%d bit)\n",
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys BN_num_bits(pkey->pkey.rsa->n));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) RSA_print(mem, pkey->pkey.rsa, 0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else if (pkey->type == EVP_PKEY_DSA) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "%12sDSA Public Key:\n", "");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) DSA_print(mem, pkey->pkey.dsa, 0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys "%12sUnknown Public Key:\n", "");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem, "\n");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY_free(pkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_SIGNATURE_ALG:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_PUBKEY_ALG:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (flag == KMF_CERT_SIGNATURE_ALG) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = i2a_ASN1_OBJECT(mem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert->sig_alg->algorithm);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = i2a_ASN1_OBJECT(mem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert->cert_info->key->algor->algorithm);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (len > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_read(mem, resultStr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_CERT_EMAIL:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys emlst = X509_get1_email(xcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (j = 0; j < sk_num(emlst); j++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem, "%s\n", sk_value(emlst, j));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_email_free(emlst);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys break;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_ISSUER_ALTNAME:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_SUBJ_ALTNAME:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_KEY_USAGE:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_CERT_POLICIES:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_BASIC_CONSTRAINTS:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_NAME_CONSTRAINTS:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_POLICY_CONSTRAINTS:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_EXT_KEY_USAGE:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_INHIBIT_ANY_POLICY:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_AUTH_KEY_ID:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_SUBJ_KEY_ID:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_POLICY_MAPPINGS:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_CRL_DIST_POINTS:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys case KMF_X509_EXT_FRESHEST_CRL:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nid = ext2NID(flag);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (nid == NID_undef) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_EXTENSION_NOT_FOUND;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ci = xcert->cert_info;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (ext_index == -1) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_EXTENSION_NOT_FOUND;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ex = X509v3_get_ext(ci->extensions, ext_index);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (BIO_printf(mem, ": %s\n",
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_EXTENSION_get_critical(ex) ? "critical" : "") <=
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_ENCODING;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_printf(mem, "%*s", 4, "");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) M_ASN1_OCTET_STRING_print(mem, ex->value);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (BIO_write(mem, "\n", 1) <= 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_ENCODING;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto out;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (len <= 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_ENCODING;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysout:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (outbuf != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys free(outbuf);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (xcert != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_free(xcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (mem != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) BIO_free(mem);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (ret);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
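/*
 * Locate the private key that goes with a certificate.
 *
 * This is just a FindKey over the key file named in
 * params->sslparms.keyfile; SignerCertData is not consulted at all.
 *
 * handle          KMF handle, passed through to OpenSSL_FindKey().
 * params          must be non-NULL with a non-NULL sslparms.keyfile.
 * SignerCertData  unused (ARGSUSED).
 * key             receives the key handle filled in by OpenSSL_FindKey().
 * keytype         key algorithm to look for.
 *
 * Returns KMF_ERR_BAD_PARAMETER when params or the key file name is
 * missing, otherwise whatever OpenSSL_FindKey() returns.
 */
KMF_RETURN
/*ARGSUSED*/
OpenSSL_GetPrikeyByCert(KMF_HANDLE_T handle,
	KMF_CRYPTOWITHCERT_PARAMS *params,
	KMF_DATA *SignerCertData, KMF_KEY_HANDLE *key,
	KMF_KEY_ALG keytype)
{
	KMF_FINDKEY_PARAMS fkparms;
	uint32_t numkeys = 0;

	if (params == NULL || params->sslparms.keyfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/*
	 * This is really just a FindKey operation, reuse the
	 * FindKey function.  memset() returns its first argument;
	 * discard that with (void) rather than a pointer cast.
	 */
	(void) memset(&fkparms, 0, sizeof (fkparms));
	fkparms.kstype = KMF_KEYSTORE_OPENSSL;
	fkparms.keyclass = KMF_ASYM_PRI;
	fkparms.keytype = keytype;
	fkparms.format = params->format;
	fkparms.sslparms = params->sslparms;

	return (OpenSSL_FindKey(handle, &fkparms, key, &numkeys));
}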
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
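/*
 * Decrypt one or more RSA PKCS#1 v1.5 blocks with the private key in
 * "key" and concatenate the plaintexts into output->Data.
 *
 * ciphertext->Length is treated as a whole number of modulus-sized
 * blocks; trailing bytes that do not fill a block are ignored (as in
 * the original implementation).
 *
 * handle      unused (ARGSUSED).
 * key         KMF_RSA key whose keyp is an EVP_PKEY holding the RSA key.
 * AlgOID      must be non-NULL; not otherwise examined here.
 * ciphertext  the input blocks.
 * output      output->Data receives the plaintext; output->Length is set
 *             to the number of plaintext bytes on success and to 0 on
 *             failure.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER for missing or non-RSA input,
 * or KMF_ERR_INTERNAL when a block fails to decrypt (which includes a
 * failed PKCS#1 padding check).
 */
KMF_RETURN
/*ARGSUSED*/
OpenSSL_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
	KMF_OID *AlgOID, KMF_DATA *ciphertext,
	KMF_DATA *output)
{
	KMF_RETURN ret = KMF_OK;
	RSA *rsa = NULL;
	int modulus_len = 0;
	unsigned int total_decrypted = 0;
	uint8_t *in_data, *out_data;
	int i, blocks;

	if (key == NULL || AlgOID == NULL ||
	    ciphertext == NULL || output == NULL ||
	    ciphertext->Data == NULL ||
	    output->Data == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (key->keyalg != KMF_RSA || key->keyp == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/* get1 takes a reference; RSA_free() in cleanup releases it */
	rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)key->keyp);
	if (rsa == NULL) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	modulus_len = RSA_size(rsa);
	if (modulus_len <= 0) {
		/* guards the division below */
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	/*
	 * NOTE(review): output->Data is assumed to hold at least
	 * blocks * modulus_len bytes.  This routine is not told the
	 * buffer's capacity and so cannot bound its writes itself --
	 * confirm against the callers.
	 */
	blocks = ciphertext->Length / modulus_len;
	out_data = output->Data;
	in_data = ciphertext->Data;

	for (i = 0; i < blocks; i++) {
		/*
		 * RSA_private_decrypt() returns the plaintext length or
		 * -1 on error.  Keep the result signed: stored in an
		 * unsigned variable, -1 becomes UINT_MAX, an "== 0" test
		 * lets a failed (e.g. bad-padding) block through, and
		 * out_data is then advanced far past the buffer.
		 */
		int out_len = RSA_private_decrypt(modulus_len,
		    in_data, out_data, rsa, RSA_PKCS1_PADDING);

		if (out_len <= 0) {
			ret = KMF_ERR_INTERNAL;
			goto cleanup;
		}

		out_data += out_len;
		total_decrypted += (unsigned int)out_len;
		in_data += modulus_len;
	}

	output->Length = total_decrypted;

cleanup:
	RSA_free(rsa);
	if (ret != KMF_OK)
		output->Length = 0;

	return (ret);
}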
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
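/*
 * Build an OCSP_CERTID for user_cert as issued by issuer_cert.
 *
 * Both certificates are DER-encoded KMF_DATA blobs and are decoded
 * here.  On success *certid holds a new OCSP_CERTID that the caller
 * must release with OCSP_CERTID_free(); on any failure *certid is NULL.
 *
 * handle       KMF handle, used only to record the OpenSSL error.
 * issuer_cert  DER-encoded issuer certificate.
 * user_cert    DER-encoded end-entity certificate.
 * certid       receives the id; must be non-NULL.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER on a NULL argument,
 * KMF_ERR_OCSP_BAD_ISSUER / KMF_ERR_OCSP_BAD_CERT when a certificate
 * does not decode, or KMF_ERR_OCSP_CERTID when OCSP_cert_to_id() fails.
 */
static KMF_RETURN
create_certid(KMF_HANDLE_T handle, const KMF_DATA *issuer_cert,
	const KMF_DATA *user_cert, OCSP_CERTID **certid)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	X509 *issuer = NULL;
	X509 *cert = NULL;
	unsigned char *ptmp;

	if (issuer_cert == NULL || user_cert == NULL || certid == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	*certid = NULL;

	/*
	 * d2i_X509() advances the pointer it is handed, so decode
	 * through a scratch pointer rather than the KMF_DATA's own
	 * Data field.
	 */
	ptmp = issuer_cert->Data;
	issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
	    issuer_cert->Length);
	if (issuer == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OCSP_BAD_ISSUER;
		goto end;
	}

	ptmp = user_cert->Data;
	cert = d2i_X509(NULL, (const uchar_t **)&ptmp,
	    user_cert->Length);
	if (cert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OCSP_BAD_CERT;
		goto end;
	}

	/* NULL digest selects OpenSSL's default (SHA-1) for the id */
	*certid = OCSP_cert_to_id(NULL, cert, issuer);
	if (*certid == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OCSP_CERTID;
	}

end:
	if (issuer != NULL)
		X509_free(issuer);
	if (cert != NULL)
		X509_free(cert);

	return (ret);
}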
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
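/*
 * Build a DER-encoded OCSP request for params->user_cert (as issued by
 * params->issuer_cert) and write it to reqfile.
 *
 * handle   KMF handle, used to record OpenSSL errors.
 * params   must be non-NULL with non-NULL user_cert and issuer_cert.
 * reqfile  path of the output file; created/truncated in binary mode.
 *
 * Returns KMF_OK; KMF_ERR_BAD_PARAMETER for a NULL params, cert or
 * reqfile; the create_certid() error when a cert does not decode;
 * KMF_ERR_OCSP_CREATE_REQUEST, KMF_ERR_OPEN_FILE or KMF_ERR_ENCODING
 * for the later steps.
 */
KMF_RETURN
OpenSSL_CreateOCSPRequest(KMF_HANDLE_T handle, KMF_OCSPREQUEST_PARAMS *params,
	char *reqfile)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	OCSP_CERTID *id = NULL;
	OCSP_REQUEST *req = NULL;
	BIO *derbio = NULL;

	if (params == NULL || params->user_cert == NULL ||
	    params->issuer_cert == NULL || reqfile == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	ret = create_certid(handle, params->issuer_cert, params->user_cert,
	    &id);
	if (ret != KMF_OK)
		return (ret);

	/* Create an OCSP request */
	req = OCSP_REQUEST_new();
	if (req == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		/* no request owns "id" yet, so it would leak otherwise */
		OCSP_CERTID_free(id);
		ret = KMF_ERR_OCSP_CREATE_REQUEST;
		goto end;
	}

	/*
	 * On success the request takes ownership of "id" and the
	 * OCSP_REQUEST_free() below releases it.  NOTE(review): whether
	 * a *failed* add0 leaves "id" to the caller differs between
	 * OpenSSL versions, so it is deliberately not freed on that
	 * path -- confirm against the linked OpenSSL.
	 */
	if (!OCSP_request_add0_id(req, id)) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OCSP_CREATE_REQUEST;
		goto end;
	}

	/* Write the request to the output file with DER encoding */
	derbio = BIO_new_file(reqfile, "wb");
	if (derbio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto end;
	}
	if (i2d_OCSP_REQUEST_bio(derbio, req) <= 0) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_ENCODING;
	}

end:
	if (req != NULL)
		OCSP_REQUEST_free(req);

	if (derbio != NULL)
		(void) BIO_free(derbio);

	return (ret);
}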
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
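/*
 * ocsp_find_signer_sk() is copied from openssl source.
 *
 * Look up the responder certificate named by "id" in "certs", by
 * subject name or by SHA-1 hash of the subject public key.  Returns
 * the matching element of the stack (no new reference is taken) or
 * NULL when nothing matches.
 */
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
{
	int i;
	unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;

	/* Easy if lookup by name */
	if (id->type == V_OCSP_RESPID_NAME)
		return (X509_find_by_subject(certs, id->value.byName));

	/* Lookup by key hash: if it isn't SHA1 length then forget it */
	if (id->value.byKey->length != SHA_DIGEST_LENGTH)
		return (NULL);

	keyhash = id->value.byKey->data;
	/* Calculate hash of each key and compare */
	for (i = 0; i < sk_X509_num(certs); i++) {
		/*LINTED*/
		X509 *x = sk_X509_value(certs, i);
		/*
		 * If the digest cannot be computed, tmphash holds stale
		 * or uninitialized bytes; never compare against those.
		 */
		if (!X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL))
			continue;
		if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
			return (x);
	}
	return (NULL);
}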
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/* ocsp_find_signer() is copied from openssl source */
/*
 * Locate the certificate that signed basic response "bs".
 *
 * The responder id is read from bs->tbsResponseData->responderId and
 * looked up first in the caller-supplied "certs" stack and then, unless
 * OCSP_NOINTERN is set in "flags", in the certificates embedded in the
 * response itself.  "st" is not consulted (ARGSUSED).
 *
 * Returns 2 when the signer came from "certs", 1 when it came from the
 * response's own certificate list, 0 when nothing matched; *psigner is
 * set to the match, or NULL on 0.
 *
 * NOTE(review): a return of 1 means the signer certificate was supplied
 * by the responder inside the very response being checked.  Verifying
 * the response signature with that key shows self-consistency only; the
 * caller still has to validate that certificate against a trusted
 * issuer before relying on the response.
 */
/*ARGSUSED*/
static int
ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
	X509_STORE *st, unsigned long flags)
{
	OCSP_RESPID *rid = bs->tbsResponseData->responderId;
	X509 *found;
	int where = 0;

	found = ocsp_find_signer_sk(certs, rid);
	if (found != NULL) {
		where = 2;
	} else if ((flags & OCSP_NOINTERN) == 0) {
		found = ocsp_find_signer_sk(bs->certs, rid);
		if (found != NULL)
			where = 1;
	}
	/* Maybe lookup from store if by subject name */

	*psigner = found;
	return (where);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function will verify the signature of a basic response, using
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the public key from the OCSP responder certificate.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic KMF_RETURN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyscheck_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_DATA *signer_cert, KMF_DATA *issuer_cert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN ret = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys STACK_OF(X509) *cert_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *signer = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *issuer = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY *skey = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char *ptmp;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bs == NULL || issuer_cert == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Find the certificate that signed the basic response.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If signer_cert is not NULL, we will use that as the signer cert.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Otherwise, we will check if the issuer cert is actually the signer.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If we still do not find a signer, we will look for it from the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * certificate list came with the response file.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (signer_cert != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ptmp = signer_cert->Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys signer = d2i_X509(NULL, (const uchar_t **)&ptmp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys signer_cert->Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (signer == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OCSP_BAD_SIGNER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Convert the issuer cert into X509 and push it into a
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * stack to be used by ocsp_find_signer().
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ptmp = issuer_cert->Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys issuer_cert->Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (issuer == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SET_ERROR(kmfh, ERR_get_error());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OCSP_BAD_ISSUER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((cert_stack = sk_X509_new_null()) == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_INTERNAL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (sk_X509_push(cert_stack, issuer) == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_INTERNAL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = ocsp_find_signer(&signer, bs, cert_stack, NULL, 0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!ret) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* can not find the signer */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OCSP_BAD_SIGNER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Verify the signature of the response */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys skey = X509_get_pubkey(signer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (skey == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OCSP_BAD_SIGNER;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = OCSP_BASICRESP_verify(bs, skey, 0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (ret == 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys goto end;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysend:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (issuer != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_free(issuer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (signer != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509_free(signer);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (skey != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY_free(skey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cert_stack != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_X509_free(cert_stack);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (ret);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
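/*
 * Determine a certificate's revocation status from a DER-encoded OCSP
 * response supplied by the caller (no network I/O happens here).
 *
 * handle	- KMF handle, passed through to check_response_signature()
 *		  and create_certid().
 * params_in	- issuer_cert, user_cert and response are required.
 *		  signer_cert may be NULL; the response signer is then
 *		  searched for starting from issuer_cert.
 *		  ignore_response_sign != B_FALSE skips signature checking
 *		  entirely, so the answer is then only as trustworthy as the
 *		  channel the response arrived over.
 *		  response_lifetime (seconds) is the maximum age of the
 *		  response accepted by OCSP_check_validity().
 * params_out	- response_status is set as soon as the response parses,
 *		  even when it is not "successful".
 *		  cert_status, plus reason for a revoked certificate, is set
 *		  once the certificate's single response is found. That
 *		  happens before the time window is checked, so callers must
 *		  look at the return value before trusting cert_status.
 *
 * Returns KMF_OK for a fully validated answer; otherwise the
 * KMF_ERR_OCSP_* code naming the failing step, KMF_ERR_BAD_PARAMETER for
 * missing arguments, or KMF_ERR_MEMORY if the response BIO could not be
 * created.
 */
KMF_RETURN
OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
	KMF_OCSPRESPONSE_PARAMS_INPUT *params_in,
	KMF_OCSPRESPONSE_PARAMS_OUTPUT *params_out)
{
	/* Clock skew (seconds) tolerated between responder and local clock. */
	enum { OCSP_MAX_CLOCK_SKEW_SEC = 300 };
	KMF_RETURN ret = KMF_OK;
	BIO *derbio = NULL;
	OCSP_RESPONSE *resp = NULL;
	OCSP_BASICRESP *bs = NULL;
	OCSP_CERTID *id = NULL;
	OCSP_SINGLERESP *single = NULL;
	/* Filled in by OCSP_single_get0_status(); NULL until then. */
	ASN1_GENERALIZEDTIME *rev = NULL, *thisupd = NULL, *nextupd = NULL;
	int idx, status;
	int reason = -1;	/* OpenSSL only sets this for a revoked status */

	if (params_in == NULL || params_in->issuer_cert == NULL ||
	    params_in->user_cert == NULL || params_in->response == NULL) {
		return (KMF_ERR_BAD_PARAMETER);
	}

	if (params_out == NULL) {
		return (KMF_ERR_BAD_PARAMETER);
	}

	/* Read in the response; the memory BIO reads the caller's buffer. */
	derbio = BIO_new_mem_buf(params_in->response->Data,
	    params_in->response->Length);
	if (derbio == NULL) {
		return (KMF_ERR_MEMORY);
	}

	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
	if (resp == NULL) {
		ret = KMF_ERR_OCSP_MALFORMED_RESPONSE;
		goto end;
	}

	/* Check the response status; report it even when it is a failure. */
	status = OCSP_response_status(resp);
	params_out->response_status = status;
	if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
		ret = KMF_ERR_OCSP_RESPONSE_STATUS;
		goto end;
	}

#ifdef DEBUG
	printf("Successfully checked the response file status.\n");
#endif /* DEBUG */

	/* Extract basic response (get1: we own it and free it at 'end'). */
	bs = OCSP_response_get1_basic(resp);
	if (bs == NULL) {
		ret = KMF_ERR_OCSP_NO_BASIC_RESPONSE;
		goto end;
	}

#ifdef DEBUG
	printf("Successfully retrieved the basic response.\n");
#endif /* DEBUG */

	/* Check the basic response signature if required */
	if (params_in->ignore_response_sign == B_FALSE) {
		ret = check_response_signature(handle, bs,
		    params_in->signer_cert, params_in->issuer_cert);
		if (ret != KMF_OK)
			goto end;
	}

#ifdef DEBUG
	printf("Successfully verified the response signature.\n");
#endif /* DEBUG */

	/* Create a certid for the certificate in question */
	ret = create_certid(handle, params_in->issuer_cert,
	    params_in->user_cert, &id);
	if (ret != KMF_OK) {
		ret = KMF_ERR_OCSP_CERTID;
		goto end;
	}

#ifdef DEBUG
	printf("successfully created a certid for the cert.\n");
#endif /* DEBUG */

	/* Find the index of the single response for the certid */
	idx = OCSP_resp_find(bs, id, -1);
	if (idx < 0) {
		/* could not find this certificate in the response */
		ret = KMF_ERR_OCSP_UNKNOWN_CERT;
		goto end;
	}

#ifdef DEBUG
	printf("Successfully found the single response index for the cert.\n");
#endif /* DEBUG */

	/* Retrieve the single response and get the cert status */
	single = OCSP_resp_get0(bs, idx);
	if (single == NULL) {
		/*
		 * Not expected for an index OCSP_resp_find() just returned,
		 * but without this check OCSP_single_get0_status() would
		 * report an error status and leave reason/thisupd/nextupd
		 * untouched, and those would then be used below.
		 */
		ret = KMF_ERR_OCSP_UNKNOWN_CERT;
		goto end;
	}
	status = OCSP_single_get0_status(single, &reason, &rev, &thisupd,
	    &nextupd);
	if (status == V_OCSP_CERTSTATUS_GOOD) {
		params_out->cert_status = OCSP_GOOD;
	} else if (status == V_OCSP_CERTSTATUS_UNKNOWN) {
		params_out->cert_status = OCSP_UNKNOWN;
	} else {
		/* Anything neither good nor unknown is treated as revoked. */
		params_out->cert_status = OCSP_REVOKED;
		params_out->reason = reason;
	}

	/*
	 * Verify the time window: thisUpdate/nextUpdate are checked against
	 * the local clock with OCSP_MAX_CLOCK_SKEW_SEC of slack, and
	 * response_lifetime caps how old the response may be. A "good"
	 * answer that fails this is stale and must not be relied upon.
	 */
	if (!OCSP_check_validity(thisupd, nextupd, OCSP_MAX_CLOCK_SKEW_SEC,
	    params_in->response_lifetime)) {
		ret = KMF_ERR_OCSP_STATUS_TIME_INVALID;
		goto end;
	}

#ifdef DEBUG
	printf("Successfully verify the time.\n");
#endif /* DEBUG */

end:
	if (derbio != NULL)
		(void) BIO_free(derbio);

	if (resp != NULL)
		OCSP_RESPONSE_free(resp);

	if (bs != NULL)
		OCSP_BASICRESP_free(bs);

	if (id != NULL)
		OCSP_CERTID_free(id);

	return (ret);
}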
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
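/*
 * Load the key stored in the file at 'path' into 'key'.
 *
 * handle	- KMF handle, passed to openssl_load_key() and
 *		  KMF_ReadInputFile().
 * path		- key file. On success the pointer itself is stored as
 *		  key->keylabel (it is not copied), so the caller must keep
 *		  it allocated for the lifetime of the key handle.
 * keyclass	- KMF_ASYM_PRI / KMF_ASYM_PUB: the file is parsed by
 *		  openssl_load_key() into an EVP_PKEY.
 *		  KMF_SYMMETRIC: the raw file contents become a
 *		  KMF_RAW_SYM_KEY; a file in a format KMF_GetFileFormat()
 *		  recognises is rejected, since it cannot be a raw key.
 *		  Any other class is reported as KMF_ERR_KEY_NOT_FOUND.
 * key		- may be NULL to only probe whether 'path' holds a key of
 *		  the requested class; nothing is retained in that case.
 *
 * Returns KMF_OK when the key was loaded (or, with key == NULL, when it
 * could be), KMF_ERR_KEY_NOT_FOUND when 'path' does not exist or does not
 * hold such a key, KMF_ERR_MEMORY on allocation failure, or the error
 * reported by KMF_GetFileFormat() / KMF_ReadInputFile(). On any failure
 * 'key' (if given) is reset: keyalg/keyclass to *_NONE and keyp to NULL.
 */
static KMF_RETURN
fetch_key(KMF_HANDLE_T handle, char *path,
	KMF_KEY_CLASS keyclass, KMF_KEY_HANDLE *key)
{
	KMF_RETURN rv = KMF_OK;
	/*
	 * Both must start out NULL: the cleanup at 'out' frees whichever
	 * one was allocated, and the symmetric path never assigns pkey.
	 */
	EVP_PKEY *pkey = NULL;
	KMF_RAW_SYM_KEY *rkey = NULL;

	/*
	 * Make sure the requested file actually exists. This is only an
	 * early-out; the reads below still check their own results, so a
	 * file that disappears in between is reported by those paths.
	 */
	if (access(path, F_OK) != 0) {
		return (KMF_ERR_KEY_NOT_FOUND);
	}

	if (keyclass == KMF_ASYM_PRI || keyclass == KMF_ASYM_PUB) {
		pkey = openssl_load_key(handle, path);
		if (pkey == NULL) {
			return (KMF_ERR_KEY_NOT_FOUND);
		}
		if (key == NULL) {
			/* Probe only: nothing to hand back. */
			EVP_PKEY_free(pkey);
			pkey = NULL;
		} else {
			if (pkey->type == EVP_PKEY_RSA)
				key->keyalg = KMF_RSA;
			else if (pkey->type == EVP_PKEY_DSA)
				key->keyalg = KMF_DSA;
			else
				/* Don't leave a stale value from the caller's buffer. */
				key->keyalg = KMF_KEYALG_NONE;

			key->kstype = KMF_KEYSTORE_OPENSSL;
			key->keyclass = keyclass;
			key->keyp = (void *)pkey;
			key->israw = FALSE;
			key->keylabel = path;
		}
	} else if (keyclass == KMF_SYMMETRIC) {
		KMF_ENCODE_FORMAT fmt = 0;	/* in case the probe fails early */
		/*
		 * If the file is a recognized format,
		 * then it is NOT a symmetric key.
		 */
		rv = KMF_GetFileFormat(path, &fmt);
		if (rv == KMF_OK || fmt != 0) {
			return (KMF_ERR_KEY_NOT_FOUND);
		} else if (rv == KMF_ERR_ENCODING) {
			/*
			 * If we don't know the encoding,
			 * it is probably a symmetric key.
			 */
			rv = KMF_OK;
		} else {
			/* The file could not be examined at all. */
			goto out;
		}

		if (key != NULL) {
			KMF_DATA keyvalue;

			rkey = calloc(1, sizeof (*rkey));
			if (rkey == NULL) {
				rv = KMF_ERR_MEMORY;
				goto out;
			}

			rv = KMF_ReadInputFile(handle, path, &keyvalue);
			if (rv != KMF_OK)
				goto out;

			/* The raw key takes ownership of the file contents. */
			rkey->keydata.len = keyvalue.Length;
			rkey->keydata.val = keyvalue.Data;

			key->kstype = KMF_KEYSTORE_OPENSSL;
			key->keyclass = keyclass;
			key->israw = TRUE;
			key->keylabel = path;
			key->keyp = (void *)rkey;
		}
	} else {
		/* Not a class this keystore can load from a file. */
		rv = KMF_ERR_KEY_NOT_FOUND;
	}
out:
	if (rv != KMF_OK) {
		if (rkey != NULL) {
			KMF_FreeRawSymKey(rkey);
		}
		if (pkey != NULL)
			EVP_PKEY_free(pkey);

		if (key != NULL) {
			key->keyalg = KMF_KEYALG_NONE;
			key->keyclass = KMF_KEYCLASS_NONE;
			key->keyp = NULL;
		}
	}

	return (rv);
}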
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
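/*
 * Locate key(s) in the OpenSSL (file-based) keystore.
 *
 * params->sslparms.dirpath / keyfile name either one key file or a
 * directory. For a directory every entry except "." and ".." is tried
 * with fetch_key(), and those that hold a key of params->keyclass are
 * returned in directory order.
 *
 * key		- array to fill, or NULL to only count matches. No capacity
 *		  is passed in and key[0..n-1] is written unchecked, so the
 *		  caller must size the array for every key file the
 *		  directory can hold; the usual pattern is a first call with
 *		  key == NULL to obtain *numkeys, then a second call with an
 *		  array of that size (the directory may change in between,
 *		  so that count is a hint, not a guarantee).
 * numkeys	- out: number of keys loaded.
 *
 * Each returned key's keylabel is a heap-allocated path owned by the key
 * handle; for probes (key == NULL) and for files that are not keys the
 * path is freed here.
 *
 * Returns KMF_OK if at least one key was loaded, KMF_ERR_KEY_NOT_FOUND if
 * none was, KMF_ERR_BAD_PARAMETER / KMF_ERR_BAD_KEY_CLASS for unusable
 * arguments (or when a path could not be built or the directory could not
 * be opened), or the first error other than "not a key" reported by
 * fetch_key(). Files that simply are not keys never turn a found key into
 * a failure.
 */
KMF_RETURN
OpenSSL_FindKey(KMF_HANDLE_T handle, KMF_FINDKEY_PARAMS *params,
	KMF_KEY_HANDLE *key, uint32_t *numkeys)
{
	KMF_RETURN rv = KMF_OK;
	char *fullpath = NULL;

	if (handle == NULL || params == NULL || numkeys == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (params->keyclass != KMF_ASYM_PUB &&
	    params->keyclass != KMF_ASYM_PRI &&
	    params->keyclass != KMF_SYMMETRIC)
		return (KMF_ERR_BAD_KEY_CLASS);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.keyfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	*numkeys = 0;

	if (isdir(fullpath)) {
		DIR *dirp;
		struct dirent *dp;
		int n = 0;

		/* open all files in the directory and attempt to read them */
		if ((dirp = opendir(fullpath)) == NULL) {
			free(fullpath);	/* previously leaked on this path */
			return (KMF_ERR_BAD_PARAMETER);
		}
		while ((dp = readdir(dirp)) != NULL) {
			KMF_RETURN frv;
			char *fname;

			if (strcmp(dp->d_name, ".") == 0 ||
			    strcmp(dp->d_name, "..") == 0)
				continue;

			fname = get_fullpath(fullpath, dp->d_name);
			if (fname == NULL) {
				/* get_fullpath() can fail; never pass NULL on. */
				rv = KMF_ERR_BAD_PARAMETER;
				break;
			}

			/* key[n] is written unchecked; see the header comment. */
			frv = fetch_key(handle, fname, params->keyclass,
			    key ? &key[n] : NULL);
			if (frv == KMF_OK) {
				n++;
			} else if (frv != KMF_ERR_KEY_NOT_FOUND &&
			    rv == KMF_OK) {
				/*
				 * Non-key files are expected in a key
				 * directory and are skipped. Anything else
				 * is a real failure: remember the first one,
				 * but keep collecting the keys that do load.
				 */
				rv = frv;
			}

			/* On success the key handle keeps fname as keylabel. */
			if (frv != KMF_OK || key == NULL)
				free(fname);
		}
		(void) closedir(dirp);
		free(fullpath);
		(*numkeys) = n;
	} else {
		rv = fetch_key(handle, fullpath, params->keyclass, key);
		if (rv == KMF_OK)
			(*numkeys) = 1;

		/* On success the key handle keeps fullpath as keylabel. */
		if (rv != KMF_OK || key == NULL)
			free(fullpath);
	}

	/* Nothing found and no harder error to report: say so. */
	if ((*numkeys) == 0 && rv == KMF_OK)
		rv = KMF_ERR_KEY_NOT_FOUND;

	return (rv);
}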
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Error exit used by write_pkcs12() below: record the pending OpenSSL
 * error on the handle, report KMF_ERR_ENCODING and jump to the function's
 * cleanup label. Relies on 'kmfh', 'rv' and an 'out:' label being in scope
 * in the calling function. It expands to a bare block rather than a
 * do { } while (0), so call sites invoke it without a trailing semicolon.
 */
#define HANDLE_PK12_ERROR { \
	SET_ERROR(kmfh, ERR_get_error()); \
	rv = KMF_ERR_ENCODING; \
	goto out; \
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic KMF_RETURN
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllyswrite_pkcs12(KMF_HANDLE *kmfh,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys BIO *bio,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_CREDENTIAL *cred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys EVP_PKEY *pkey,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *sslcert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys{
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RETURN rv = KMF_OK;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys STACK_OF(PKCS12_SAFEBAG) *bag_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS12_SAFEBAG *bag = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS7 *cert_authsafe = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS8_PRIV_KEY_INFO *p8 = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS7 *key_authsafe = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys STACK_OF(PKCS7) *authsafe_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS12 *p12_elem = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys char *lab = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int lab_len = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char keyid[EVP_MAX_MD_SIZE];
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned int keyidlen = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Must have at least a cert OR a key */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (sslcert == NULL && pkey == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_BAD_PARAMETER);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(keyid, 0, sizeof (keyid));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Section 1:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The first PKCS#12 container (safebag) will hold the certificates
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * associated with this key. The result of this section is a
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * PIN-encrypted PKCS#7 container (authsafe). If there are no
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * certificates, there is no point in creating the "safebag" or the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * "authsafe" so we go to the next section.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (sslcert != NULL && pkey != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (X509_check_private_key(sslcert, pkey)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) X509_digest(sslcert, EVP_sha1(), keyid,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &keyidlen);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys } else {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* The key doesn't match the cert */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag_stack = sk_PKCS12_SAFEBAG_new_null();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bag_stack == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_MEMORY);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (sslcert != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Convert cert from X509 struct to PKCS#12 bag */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag = PKCS12_x5092certbag(sslcert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bag == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Add the key id to the certificate bag. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (keyidlen > 0 &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys !PKCS12_add_localkeyid(bag, keyid, keyidlen)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Pile it on the bag_stack. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#if 0
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* No support for CA certs yet */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cacerts != NULL && ncacerts > 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys int i;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < ncacerts; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_X509_DER_CERT *c = &cacerts[i];
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys X509 *ca = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uchar_t *p = (uchar_t *)c->certificate.Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ca = d2i_X509(NULL, &p,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys c->certificate.Length);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (ca == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Convert CA cert to PKCS#12 bag. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag = PKCS12_x5092certbag(ca);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bag == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS12_SAFEBAG_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Pile it onto the bag_stack. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#endif
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Turn bag_stack of certs into encrypted authsafe. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cert_authsafe = PKCS12_pack_p7encdata(
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys NID_pbe_WithSHA1And40BitRC2_CBC,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cred->cred,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cred->credlen, NULL, 0,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS12_DEFAULT_ITER,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag_stack);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Clear away this bag_stack, we're done with it. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cert_authsafe == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Section 2:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The second PKCS#12 container (safebag) will hold the private key
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * that goes with the certificates above. The results of this section
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * is an unencrypted PKCS#7 container (authsafe). If there is no
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * private key, there is no point in creating the "safebag" or the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * "authsafe" so we go to the next section.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (pkey != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys p8 = EVP_PKEY2PKCS8(pkey);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (p8 == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Put the shrouded key into a PKCS#12 bag. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag = PKCS12_MAKE_SHKEYBAG(
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cred->cred, cred->credlen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys NULL, 0, PKCS12_DEFAULT_ITER, p8);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Clean up the PKCS#8 shrouded key, don't need it now. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS8_PRIV_KEY_INFO_free(p8);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys p8 = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bag == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (keyidlen &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys !PKCS12_add_localkeyid(bag, keyid, keyidlen)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (lab != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!PKCS12_add_friendlyname(bag,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (char *)lab, lab_len)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Start a PKCS#12 safebag container for the private key. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag_stack = sk_PKCS12_SAFEBAG_new_null();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (bag_stack == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Pile on the private key on the bag_stack. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys key_authsafe = PKCS12_pack_p7data(bag_stack);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Clear away this bag_stack, we're done with it. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bag_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (key_authsafe == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /*
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Section 3:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This is where the two PKCS#7 containers, one for the certificates
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and one for the private key, are put together into a PKCS#12
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * element. This final PKCS#12 element is written to the export file.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Start a PKCS#7 stack. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys authsafe_stack = sk_PKCS7_new_null();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (authsafe_stack == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (key_authsafe != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!sk_PKCS7_push(authsafe_stack, key_authsafe)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cert_authsafe != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!sk_PKCS7_push(authsafe_stack, cert_authsafe)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys p12_elem = PKCS12_init(NID_pkcs7_data);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (p12_elem == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS7_pop_free(authsafe_stack, PKCS7_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Put the PKCS#7 stack into the PKCS#12 element. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!PKCS12_pack_authsafes(p12_elem, authsafe_stack)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Clear away the PKCS#7 stack, we're done with it. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS7_pop_free(authsafe_stack, PKCS7_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys authsafe_stack = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Set the integrity MAC on the PKCS#12 element. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!PKCS12_set_mac(p12_elem, cred->cred, cred->credlen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys NULL, 0, PKCS12_DEFAULT_ITER, NULL)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Write the PKCS#12 element to the export file. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (!i2d_PKCS12_bio(bio, p12_elem)) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys HANDLE_PK12_ERROR
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys PKCS12_free(p12_elem);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysout:
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != KMF_OK) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Clear away this bag_stack, we're done with it. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys sk_PKCS7_pop_free(authsafe_stack, PKCS7_free);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys }
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (rv);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
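/*
 * Build an EVP_PKEY from the raw RSA components KMF hands us.
 *
 * key->mod and key->pubexp are required; the private components
 * (priexp, prime1, prime2, exp1, exp2, coef) are copied only when
 * their .val is non-NULL, so a public-only key is accepted.
 *
 * Returns a new EVP_PKEY the caller must EVP_PKEY_free(), or NULL when
 * key is NULL or any OpenSSL allocation fails.  The intermediate RSA
 * object is released on every path: EVP_PKEY_set1_RSA() takes its own
 * reference, and a failure before that point must not leak it.
 */
static EVP_PKEY *
ImportRawRSAKey(KMF_RAW_RSA_KEY *key)
{
	RSA *rsa = NULL;
	EVP_PKEY *newkey = NULL;

	if (key == NULL)
		return (NULL);

	if ((rsa = RSA_new()) == NULL)
		return (NULL);

	/* Modulus and public exponent are mandatory. */
	if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
		goto fail;

	if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len,
	    rsa->e)) == NULL)
		goto fail;

	/* Everything below is optional (absent for a public key). */
	if (key->priexp.val != NULL &&
	    (rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
	    rsa->d)) == NULL)
		goto fail;

	if (key->prime1.val != NULL &&
	    (rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
	    rsa->p)) == NULL)
		goto fail;

	if (key->prime2.val != NULL &&
	    (rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
	    rsa->q)) == NULL)
		goto fail;

	if (key->exp1.val != NULL &&
	    (rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
	    rsa->dmp1)) == NULL)
		goto fail;

	if (key->exp2.val != NULL &&
	    (rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
	    rsa->dmq1)) == NULL)
		goto fail;

	if (key->coef.val != NULL &&
	    (rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
	    rsa->iqmp)) == NULL)
		goto fail;

	if ((newkey = EVP_PKEY_new()) == NULL)
		goto fail;

	/* set1 bumps the RSA refcount; our own reference is dropped below. */
	if (!EVP_PKEY_set1_RSA(newkey, rsa)) {
		EVP_PKEY_free(newkey);
		newkey = NULL;
	}

fail:
	/* Always release our reference, whether or not newkey owns one. */
	RSA_free(rsa);

	return (newkey);
}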
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
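/*
 * Build an EVP_PKEY from the raw DSA components KMF hands us.
 *
 * All four components (prime, subprime, base, value) are required and
 * copied into a fresh DSA object.
 *
 * Returns a new EVP_PKEY the caller must EVP_PKEY_free(), or NULL when
 * key is NULL or any OpenSSL allocation fails.  The intermediate DSA
 * object is released on every path: EVP_PKEY_set1_DSA() takes its own
 * reference, and a failure before that point must not leak it.
 */
static EVP_PKEY *
ImportRawDSAKey(KMF_RAW_DSA_KEY *key)
{
	DSA *dsa = NULL;
	EVP_PKEY *newkey = NULL;

	if (key == NULL)
		return (NULL);

	if ((dsa = DSA_new()) == NULL)
		return (NULL);

	if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
	    dsa->p)) == NULL)
		goto fail;

	if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
	    dsa->q)) == NULL)
		goto fail;

	if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
	    dsa->g)) == NULL)
		goto fail;

	if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
	    dsa->priv_key)) == NULL)
		goto fail;

	if ((newkey = EVP_PKEY_new()) == NULL)
		goto fail;

	/* set1 bumps the DSA refcount; our own reference is dropped below. */
	if (!EVP_PKEY_set1_DSA(newkey, dsa)) {
		EVP_PKEY_free(newkey);
		newkey = NULL;
	}

fail:
	/* Always release our reference, whether or not newkey owns one. */
	DSA_free(dsa);

	return (newkey);
}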
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
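/*
 * Write caller-supplied raw certificates and keys to a PKCS#12 file.
 *
 * For each certlist[i] a PKCS#12 structure is written via write_pkcs12();
 * when i < numkeys the matching keylist[i] (which must hold a
 * KMF_RAW_KEY_DATA of type KMF_RSA or KMF_DSA) is included with it.
 * Note that nothing is written unless both numcerts and numkeys are
 * positive; OpenSSL_ExportP12's comment says a key or a cert may be
 * exported by itself, so confirm that this restriction is intended.
 *
 * Parameters:
 *   handle    - KMF handle (used for SET_ERROR).
 *   cred      - PKCS#12 credential passed through to write_pkcs12().
 *   numcerts  - number of entries in certlist.
 *   certlist  - DER certificates to export.
 *   numkeys   - number of entries in keylist.
 *   keylist   - raw keys paired positionally with certlist.
 *   filename  - output file, created/truncated in binary mode.
 *
 * Returns KMF_OK, or the first KMF_ERR_* encountered; an error inside
 * the loop stops the export rather than being overwritten by a later
 * write_pkcs12() result.
 */
static KMF_RETURN
ExportPK12FromRawData(KMF_HANDLE_T handle,
	KMF_CREDENTIAL *cred,
	int numcerts, KMF_X509_DER_CERT *certlist,
	int numkeys, KMF_KEY_HANDLE *keylist,
	char *filename)
{
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	BIO *bio = NULL;
	int i;

	/*
	 * Open the output file.
	 */
	if ((bio = BIO_new_file(filename, "wb")) == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	if (numcerts > 0 && numkeys > 0) {
		if (certlist == NULL || keylist == NULL) {
			rv = KMF_ERR_BAD_PARAMETER;
			goto cleanup;
		}

		for (i = 0; rv == KMF_OK && i < numcerts; i++) {
			/*
			 * Both objects are per-iteration: a key freed at
			 * the end of one pass must never be reused on the
			 * next one (there may be fewer keys than certs).
			 */
			X509 *xcert = NULL;
			EVP_PKEY *pkey = NULL;
			const uchar_t *p = certlist[i].certificate.Data;
			long len = certlist[i].certificate.Length;

			if (i < numkeys) {
				KMF_RAW_KEY_DATA *key =
				    (KMF_RAW_KEY_DATA *)keylist[i].keyp;

				if (key == NULL) {
					rv = KMF_ERR_BAD_PARAMETER;
					break;
				}
				if (key->keytype == KMF_RSA) {
					pkey = ImportRawRSAKey(
					    &key->rawdata.rsa);
				} else if (key->keytype == KMF_DSA) {
					pkey = ImportRawDSAKey(
					    &key->rawdata.dsa);
				} else {
					rv = KMF_ERR_BAD_PARAMETER;
					break;
				}
				/* The importers fail only on allocation. */
				if (pkey == NULL) {
					SET_ERROR(kmfh, ERR_get_error());
					rv = KMF_ERR_MEMORY;
					break;
				}
			}

			xcert = d2i_X509(NULL, &p, len);
			if (xcert == NULL) {
				SET_ERROR(kmfh, ERR_get_error());
				rv = KMF_ERR_ENCODING;
			} else {
				/* Stick the key and the cert into a PKCS#12 file */
				rv = write_pkcs12(kmfh, bio, cred, pkey, xcert);
				X509_free(xcert);
			}

			if (pkey != NULL)
				EVP_PKEY_free(pkey);
		}
	}

cleanup:
	if (bio != NULL)
		(void) BIO_free_all(bio);

	return (rv);
}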
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
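/*
 * Export a certificate and/or private key to a PKCS#12 file.
 *
 * If the caller supplied raw certs or keys (certlist/keylist), they are
 * written directly via ExportPK12FromRawData().  Otherwise the cert is
 * loaded from params->sslparms.certfile and the key from
 * params->sslparms.keyfile (each relative to sslparms.dirpath); either
 * may be absent, so a key or a cert can be exported by itself.
 *
 * Returns KMF_OK or a KMF_ERR_* code.  All errors after the raw-data
 * shortcut go through the single exit path so that the path string,
 * the loaded cert/key and the output BIO are released on every route.
 */
KMF_RETURN
OpenSSL_ExportP12(KMF_HANDLE_T handle,
	KMF_EXPORTP12_PARAMS *params,
	int numcerts, KMF_X509_DER_CERT *certlist,
	int numkeys, KMF_KEY_HANDLE *keylist,
	char *filename)
{
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_FINDCERT_PARAMS fcargs;
	BIO *bio = NULL;
	X509 *xcert = NULL;
	char *fullpath = NULL;
	EVP_PKEY *pkey = NULL;

	if (params == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/*
	 * If the caller already sent the raw keys and certs,
	 * shortcut the search and just export that
	 * data.
	 *
	 * One *may* export a key OR a cert by itself.
	 */
	if (certlist != NULL || keylist != NULL) {
		return (ExportPK12FromRawData(handle,
		    &params->p12cred,
		    numcerts, certlist,
		    numkeys, keylist,
		    filename));
	}

	/*
	 * First, find the certificate.
	 */
	if (params->sslparms.certfile != NULL) {
		fullpath = get_fullpath(params->sslparms.dirpath,
		    params->sslparms.certfile);

		if (fullpath == NULL) {
			rv = KMF_ERR_BAD_PARAMETER;
			goto end;
		}

		if (isdir(fullpath)) {
			rv = KMF_ERR_AMBIGUOUS_PATHNAME;
			goto end;
		}

		(void) memset(&fcargs, 0, sizeof (fcargs));
		fcargs.kstype = params->kstype;
		fcargs.certLabel = params->certLabel;
		fcargs.issuer = params->issuer;
		fcargs.subject = params->subject;
		fcargs.serial = params->serial;
		fcargs.idstr = params->idstr;
		fcargs.sslparms.dirpath = NULL;
		fcargs.sslparms.certfile = fullpath;
		fcargs.sslparms.format = params->sslparms.format;

		rv = load_X509cert(kmfh, &fcargs, fullpath, &xcert);
		if (rv != KMF_OK)
			goto end;

		/*
		 * The cert path is no longer needed (fcargs is not used
		 * again); release it before the key path reuses fullpath,
		 * otherwise the first string would leak.
		 */
		free(fullpath);
		fullpath = NULL;
	}

	/*
	 * Now find the private key.
	 */
	if (params->sslparms.keyfile != NULL) {
		fullpath = get_fullpath(params->sslparms.dirpath,
		    params->sslparms.keyfile);

		if (fullpath == NULL) {
			rv = KMF_ERR_BAD_PARAMETER;
			goto end;
		}

		if (isdir(fullpath)) {
			rv = KMF_ERR_AMBIGUOUS_PATHNAME;
			goto end;
		}

		pkey = openssl_load_key(handle, fullpath);
		if (pkey == NULL) {
			rv = KMF_ERR_KEY_NOT_FOUND;
			goto end;
		}
	}

	/*
	 * Open the output file.
	 */
	if ((bio = BIO_new_file(filename, "wb")) == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_OPEN_FILE;
		goto end;
	}

	/* Stick the key and the cert into a PKCS#12 file */
	rv = write_pkcs12(kmfh, bio, &params->p12cred,
	    pkey, xcert);

end:
	/* free(NULL) is a no-op. */
	free(fullpath);
	if (xcert != NULL)
		X509_free(xcert);
	if (pkey != NULL)
		EVP_PKEY_free(pkey);
	if (bio != NULL)
		(void) BIO_free(bio);

	return (rv);
}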
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
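#define MAX_CHAIN_LENGTH 100
/*
 * Helper function to extract keys and certificates from
 * a single PEM file. Typically the file should contain a
 * private key and an associated public key wrapped in an x509 cert.
 * However, the file may be just a list of X509 certs with no keys.
 *
 * Parameters:
 *   kmfh      - KMF handle, passed through to ssl_cert2KMFDATA().
 *   params    - optional match criteria; when non-NULL only certs that
 *               check_cert() accepts are returned.
 *   filename  - PEM file to read.
 *   pin       - passphrase handed to the PEM readers (may be NULL).
 *   pinlen    - unused (ARGSUSED).
 *   priv_key  - optional out: the PEM private key, when one is present
 *               and it matches the last certificate in the file.
 *   certs     - optional out: malloc'd array of DER certs, in file
 *               order; the caller owns it.
 *   numcerts  - optional out: number of entries in *certs.
 *
 * At most MAX_CHAIN_LENGTH PEM objects are considered; any beyond that
 * are dropped.
 *
 * Returns KMF_OK or a KMF_ERR_* code.  On error every out-parameter is
 * NULL/0 and nothing allocated here is handed back to the caller; the
 * X509_INFO stack, the popped entries, the FILE and the key are all
 * released on every path.
 */
static KMF_RETURN
extract_objects(KMF_HANDLE *kmfh, KMF_FINDCERT_PARAMS *params,
	char *filename, CK_UTF8CHAR *pin,
	CK_ULONG pinlen, EVP_PKEY **priv_key, KMF_DATA **certs,
	int *numcerts)
/* ARGSUSED */
{
	KMF_RETURN rv = KMF_OK;
	FILE *fp = NULL;
	STACK_OF(X509_INFO) *x509_info_stack = NULL;
	int i, ncerts = 0, matchcerts = 0;
	EVP_PKEY *pkey = NULL;
	X509_INFO *info;
	X509 *x;
	X509_INFO *cert_infos[MAX_CHAIN_LENGTH];
	KMF_DATA *certlist = NULL;

	if (priv_key != NULL)
		*priv_key = NULL;
	if (certs != NULL)
		*certs = NULL;
	if (numcerts != NULL)
		*numcerts = 0;

	fp = fopen(filename, "r");
	if (fp == NULL)
		return (KMF_ERR_OPEN_FILE);

	x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
	if (x509_info_stack == NULL) {
		rv = KMF_ERR_ENCODING;
		goto out;
	}

	/*
	 * Pop objects off the stack (last object in the file comes first).
	 * The bound is checked before popping so an over-long file never
	 * leaves a popped entry owned by nobody; whatever remains on the
	 * stack is released together with it below.
	 */
	while (ncerts < MAX_CHAIN_LENGTH &&
	    (info = sk_X509_INFO_pop(x509_info_stack)) != NULL) {
		cert_infos[ncerts++] = info;
	}

	if (ncerts == 0) {
		rv = KMF_ERR_CERT_NOT_FOUND;
		goto out;
	}

	if (priv_key != NULL) {
		rewind(fp);
		pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
	}
	(void) fclose(fp);
	fp = NULL;

	/*
	 * Make sure the private key matches the last cert in the file.
	 * If the last PEM object carries no certificate there is nothing
	 * to check the key against, so that is treated as a mismatch too.
	 */
	x = cert_infos[ncerts - 1]->x509;
	if (pkey != NULL && (x == NULL || !X509_check_private_key(x, pkey))) {
		rv = KMF_ERR_KEY_MISMATCH;
		goto out;
	}

	/*
	 * Convert the certs to DER format, first-in-file first, keeping
	 * only those that satisfy the caller's criteria (if any).
	 * Nothing is allocated when the caller does not want the certs.
	 */
	if (certs != NULL) {
		certlist = calloc((size_t)ncerts, sizeof (KMF_DATA));
		if (certlist == NULL) {
			rv = KMF_ERR_MEMORY;
			goto out;
		}

		for (i = 0; i < ncerts; i++) {
			boolean_t match = FALSE;

			info = cert_infos[ncerts - 1 - i];
			/* Not every PEM object is a certificate. */
			if (info->x509 == NULL)
				continue;

			if (params != NULL) {
				rv = check_cert(info->x509, params, &match);
				/*
				 * A failed or negative check just skips
				 * this cert; it is not an error for the
				 * whole file.
				 */
				if (rv != KMF_OK || match != TRUE) {
					rv = KMF_OK;
					continue;
				}
			}

			rv = ssl_cert2KMFDATA(kmfh, info->x509,
			    &certlist[matchcerts]);
			if (rv != KMF_OK)
				goto out;
			matchcerts++;
		}
	}

out:
	if (rv != KMF_OK) {
		/*
		 * TODO(review): entries already filled by
		 * ssl_cert2KMFDATA may own a Data buffer; that ownership
		 * is not visible here, so only the array itself is freed.
		 */
		free(certlist);
		certlist = NULL;
		matchcerts = 0;
		if (pkey != NULL) {
			EVP_PKEY_free(pkey);
			pkey = NULL;
		}
	}
	/* X509_INFO_free() also releases the embedded X509. */
	for (i = 0; i < ncerts; i++)
		X509_INFO_free(cert_infos[i]);
	if (x509_info_stack != NULL)
		sk_X509_INFO_pop_free(x509_info_stack, X509_INFO_free);
	if (fp != NULL)
		(void) fclose(fp);

	if (numcerts != NULL)
		*numcerts = matchcerts;
	if (certs != NULL)
		*certs = certlist;
	if (priv_key != NULL)
		*priv_key = pkey;
	else if (pkey != NULL)
		EVP_PKEY_free(pkey);

	return (rv);
}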
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
/*
 * Decode and decrypt the next PKCS#12 blob from an import stream.
 *
 * fbio:     BIO positioned at the next DER-encoded PKCS12 structure.
 * pin:      Import password, handed to PKCS12_parse() as a NUL-terminated
 *           C string.
 * pinlen:   Unused (ARGSUSED).  Because the length is ignored, callers
 *           must pass a NUL-terminated pin.
 * priv_key, cert, ca:
 *           Receive the decrypted private key, end-entity certificate and
 *           CA stack.  At a clean end of stream all three are set to NULL;
 *           on a decode or decrypt failure they are left untouched.
 *
 * Returns KMF_OK (also at end of stream), KMF_ERR_MEMORY if the PKCS12
 * shell cannot be allocated, or KMF_ERR_PKCS12_FORMAT if the data does not
 * decode or PKCS12_parse() rejects it (which is also how a wrong password
 * shows up).
 */
static KMF_RETURN
extract_pkcs12(BIO *fbio, CK_UTF8CHAR *pin, CK_ULONG pinlen,
    EVP_PKEY **priv_key, X509 **cert, STACK_OF(X509) **ca)
/* ARGSUSED */
{
	KMF_RETURN rv = KMF_OK;
	PKCS12 *pk12 = PKCS12_new();
	PKCS12 *decoded;
	EVP_PKEY *temp_pkey = NULL;
	X509 *temp_cert = NULL;
	STACK_OF(X509) *temp_ca = NULL;

	if (pk12 == NULL)
		return (KMF_ERR_MEMORY);

	decoded = d2i_PKCS12_bio(fbio, &pk12);
	if (decoded != NULL) {
		pk12 = decoded;
		if (PKCS12_parse(pk12, (char *)pin, &temp_pkey, &temp_cert,
		    &temp_ca) <= 0)
			rv = KMF_ERR_PKCS12_FORMAT;
	} else {
		/*
		 * ASN1 "header too long" is how the decoder reports that
		 * there is nothing left to read; anything else is a real
		 * failure.
		 * NOTE(review): the error is only peeked, so it remains on
		 * the OpenSSL error queue for later ERR_get_error() callers.
		 */
		unsigned long err = ERR_peek_error();

		if (ERR_GET_LIB(err) != ERR_LIB_ASN1 ||
		    ERR_GET_REASON(err) != ASN1_R_HEADER_TOO_LONG)
			rv = KMF_ERR_PKCS12_FORMAT;
	}

	/* Outputs are published only on success or at a clean end of stream. */
	if (rv == KMF_OK) {
		*priv_key = temp_pkey;
		*cert = temp_cert;
		*ca = temp_ca;
	}

	PKCS12_free(pk12);
	return (rv);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
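/*
 * Copy an OpenSSL BIGNUM into a freshly allocated KMF_BIGINT.
 *
 * from: Source value; must not be NULL.
 * to:   Destination.  to->val is allocated here and becomes the caller's
 *       responsibility to free (KMF_FreeRawKey() does so for raw keys).
 *
 * Returns KMF_OK on success; KMF_ERR_BAD_PARAMETER for a NULL argument
 * (previously a NULL `from` was dereferenced inside BN_num_bytes());
 * KMF_ERR_MEMORY if the buffer cannot be allocated or BN_bn2bin() writes
 * a different byte count than BN_num_bytes() announced.  On any failure
 * to->val is NULL and to->len is 0.
 */
static KMF_RETURN
sslBN2KMFBN(BIGNUM *from, KMF_BIGINT *to)
{
	uint32_t sz;
	int written;

	if (from == NULL || to == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	sz = BN_num_bytes(from);
	/*
	 * A zero BIGNUM occupies zero bytes.  Allocate at least one byte so
	 * that a NULL from malloc(0) is never mistaken for an out-of-memory
	 * condition and a zero-length value still has a free()-able buffer.
	 */
	to->val = (uchar_t *)malloc(sz > 0 ? sz : 1);
	if (to->val == NULL) {
		to->len = 0;
		return (KMF_ERR_MEMORY);
	}

	/* BN_bn2bin() emits the big-endian magnitude and returns its length. */
	written = BN_bn2bin(from, to->val);
	if (written < 0 || (uint32_t)written != sz) {
		free(to->val);
		to->val = NULL;
		to->len = 0;
		/* Kept as KMF_ERR_MEMORY so existing callers see the same code. */
		return (KMF_ERR_MEMORY);
	}

	to->len = sz;
	return (KMF_OK);
}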
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
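/*
 * Copy one RSA component into its KMF_BIGINT slot.
 *
 * A NULL component is an error when `mandatory` is set; otherwise it is
 * skipped and the destination stays zeroed (a public-only key has no
 * private exponent or CRT parameters).
 */
static KMF_RETURN
export_rsa_part(BIGNUM *bn, KMF_BIGINT *dst, int mandatory)
{
	if (bn == NULL)
		return (mandatory ? KMF_ERR_BAD_PARAMETER : KMF_OK);
	return (sslBN2KMFBN(bn, dst));
}

/*
 * Export the components of an OpenSSL RSA key into KMF raw-key form.
 *
 * rsa: Key to export.  The caller's reference is consumed: RSA_free() is
 *      called on every path, including failure (OpenSSL only releases the
 *      object once its refcount reaches zero).
 * key: Destination.  key->rawdata.rsa is zeroed and filled in, and
 *      key->keytype is set to KMF_RSA on success.
 *
 * The modulus and public exponent are mandatory; d, p, q, dmp1, dmq1 and
 * iqmp are copied only when present.  Returns KMF_OK, KMF_ERR_BAD_PARAMETER
 * if rsa or key is NULL or a mandatory component is missing (previously a
 * NULL rsa was dereferenced), or the error from sslBN2KMFBN().  On failure
 * the components already copied are released via KMF_FreeRawKey().
 */
static KMF_RETURN
exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
{
	KMF_RETURN rv;
	KMF_RAW_RSA_KEY *kmfkey;

	if (rsa == NULL || key == NULL) {
		/* Nothing was copied, but the reference we were handed is still ours to drop. */
		RSA_free(rsa);
		return (KMF_ERR_BAD_PARAMETER);
	}

	kmfkey = &key->rawdata.rsa;
	(void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));

	rv = export_rsa_part(rsa->n, &kmfkey->mod, 1);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->e, &kmfkey->pubexp, 1);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->d, &kmfkey->priexp, 0);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->p, &kmfkey->prime1, 0);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->q, &kmfkey->prime2, 0);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->dmp1, &kmfkey->exp1, 0);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->dmq1, &kmfkey->exp2, 0);
	if (rv == KMF_OK)
		rv = export_rsa_part(rsa->iqmp, &kmfkey->coef, 0);

	if (rv != KMF_OK)
		KMF_FreeRawKey(key);
	else
		key->keytype = KMF_RSA;

	/*
	 * Free the reference to this key; SSL will not actually free the
	 * memory until the refcount == 0, so this is safe.
	 */
	RSA_free(rsa);

	return (rv);
}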
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
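/*
 * Export the components of an OpenSSL DSA key into KMF raw-key form.
 *
 * dsa: Key to export.  The caller's reference is consumed: DSA_free() is
 *      called on every path, including failure.
 * key: Destination.  key->rawdata.dsa is zeroed and filled in, and
 *      key->keytype is set to KMF_DSA on success.
 *
 * The domain parameters p, q and g are mandatory.  The private value is
 * copied only when present: it is NULL for a public-only key, and the
 * previous version passed that NULL straight into sslBN2KMFBN(), which
 * dereferences it.  Returns KMF_OK, KMF_ERR_BAD_PARAMETER if dsa or key
 * is NULL or a domain parameter is missing, or the error from
 * sslBN2KMFBN().  On failure the components already copied are released
 * via KMF_FreeRawKey().
 */
static KMF_RETURN
exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
{
	KMF_RETURN rv = KMF_OK;
	KMF_RAW_DSA_KEY *kmfkey;

	if (dsa == NULL || key == NULL) {
		/* Nothing was copied, but the reference we were handed is still ours to drop. */
		DSA_free(dsa);
		return (KMF_ERR_BAD_PARAMETER);
	}

	kmfkey = &key->rawdata.dsa;
	(void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));

	if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL)
		rv = KMF_ERR_BAD_PARAMETER;
	if (rv == KMF_OK)
		rv = sslBN2KMFBN(dsa->p, &kmfkey->prime);
	if (rv == KMF_OK)
		rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime);
	if (rv == KMF_OK)
		rv = sslBN2KMFBN(dsa->g, &kmfkey->base);
	/* Skip an absent private value, as the RSA exporter does for d/p/q. */
	if (rv == KMF_OK && dsa->priv_key != NULL)
		rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value);

	if (rv != KMF_OK)
		KMF_FreeRawKey(key);
	else
		key->keytype = KMF_DSA;

	/*
	 * Free the reference to this key; SSL will not actually free the
	 * memory until the refcount == 0, so this is safe.
	 */
	DSA_free(dsa);

	return (rv);
}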
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
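/*
 * Append the DER encoding of sslcert to the growable array *certlist.
 *
 * kmfh:     Handle passed through to ssl_cert2KMFDATA().
 * sslcert:  Certificate to convert.
 * certlist: In/out array of *ncerts KMF_DATA entries (NULL when empty);
 *           on success it points at the grown array and *ncerts is one
 *           larger.  The array is always the caller's to free.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER for NULL out-pointers or a negative
 * count, KMF_ERR_MEMORY if the array cannot grow (the caller's array is
 * untouched), or the error from ssl_cert2KMFDATA().  The previous version
 * freed the whole array when conversion failed while the caller still held
 * a pointer to it, so a later free by the caller was a double free.
 */
static KMF_RETURN
add_cert_to_list(KMF_HANDLE *kmfh, X509 *sslcert,
    KMF_DATA **certlist, int *ncerts)
{
	KMF_RETURN rv;
	KMF_DATA *grown;
	int n;

	if (certlist == NULL || ncerts == NULL || *ncerts < 0)
		return (KMF_ERR_BAD_PARAMETER);
	n = *ncerts;

	/*
	 * Grow through a temporary: realloc(NULL, size) behaves as malloc,
	 * so one call covers the empty list, and on failure the caller's
	 * existing array is left valid.
	 */
	grown = (KMF_DATA *)realloc(*certlist,
	    sizeof (KMF_DATA) * ((size_t)n + 1));
	if (grown == NULL)
		return (KMF_ERR_MEMORY);
	/* Publish the (possibly moved) array before anything else can fail. */
	*certlist = grown;

	/*
	 * Convert straight into the spare slot.  If conversion fails the
	 * slot simply stays unused because *ncerts is not advanced.
	 */
	rv = ssl_cert2KMFDATA(kmfh, sslcert, &grown[n]);
	if (rv != KMF_OK)
		return (rv);

	*ncerts = n + 1;
	return (KMF_OK);
}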
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
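/*
 * Append a copy of *newkey to the growable array *keylist.
 *
 * keylist: In/out array of *nkeys KMF_RAW_KEY_DATA entries (NULL when
 *          empty); on success it points at the grown array and *nkeys is
 *          one larger.  The array is always the caller's to free.
 * newkey:  Structure to copy by value; the BIGNUM buffers it references
 *          are now owned by the array entry.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER for NULL arguments or a negative
 * count, or KMF_ERR_MEMORY if the array cannot grow (the caller's array is
 * untouched).  The array is always sized from *nkeys; the previous version
 * allocated a single element whenever *keylist was NULL and then wrote
 * list[*nkeys], which is out of bounds if the count was not zero.
 */
static KMF_RETURN
add_key_to_list(KMF_RAW_KEY_DATA **keylist,
    KMF_RAW_KEY_DATA *newkey, int *nkeys)
{
	KMF_RAW_KEY_DATA *grown;
	int n;

	if (keylist == NULL || newkey == NULL || nkeys == NULL || *nkeys < 0)
		return (KMF_ERR_BAD_PARAMETER);
	n = *nkeys;

	/* realloc(NULL, size) behaves as malloc, so one call covers the empty list. */
	grown = (KMF_RAW_KEY_DATA *)realloc(*keylist,
	    sizeof (KMF_RAW_KEY_DATA) * ((size_t)n + 1));
	if (grown == NULL)
		return (KMF_ERR_MEMORY);

	grown[n] = *newkey;
	*keylist = grown;
	*nkeys = n + 1;

	return (KMF_OK);
}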
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
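/*
 * Convert the objects from one decrypted PKCS#12 blob into KMF form and
 * append them to the caller's lists.
 *
 * sslkey:     Optional private key; converted to a raw key and appended
 *             to *keylist.  Only RSA and DSA keys are supported.
 * sslcert:    Optional end-entity certificate; DER-encoded and appended
 *             to *certlist.
 * sslcacerts: Optional CA stack; every member is DER-encoded and appended
 *             to *certlist.  The stack itself is not consumed.
 * keylist/nkeys, certlist/ncerts:
 *             Growable arrays, see add_key_to_list()/add_cert_to_list().
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER for an unsupported key type or
 * when OpenSSL cannot hand out the RSA/DSA object, or the first error
 * from the helpers.  Objects appended before an error stay in the lists.
 */
static KMF_RETURN
convertPK12Objects(
	KMF_HANDLE *kmfh,
	EVP_PKEY *sslkey, X509 *sslcert, STACK_OF(X509) *sslcacerts,
	KMF_RAW_KEY_DATA **keylist, int *nkeys,
	KMF_DATA **certlist, int *ncerts)
{
	KMF_RETURN rv = KMF_OK;
	KMF_RAW_KEY_DATA key;
	RSA *rsa;
	DSA *dsa;
	int i;

	if (sslkey != NULL) {
		/* Convert SSL key to raw key */
		switch (sslkey->type) {
		case EVP_PKEY_RSA:
			/* get1 takes a reference; exportRawRSAKey() releases it. */
			rsa = EVP_PKEY_get1_RSA(sslkey);
			if (rsa == NULL)
				return (KMF_ERR_BAD_PARAMETER);
			rv = exportRawRSAKey(rsa, &key);
			break;
		case EVP_PKEY_DSA:
			dsa = EVP_PKEY_get1_DSA(sslkey);
			if (dsa == NULL)
				return (KMF_ERR_BAD_PARAMETER);
			rv = exportRawDSAKey(dsa, &key);
			break;
		default:
			return (KMF_ERR_BAD_PARAMETER);
		}
		if (rv != KMF_OK)
			return (rv);

		rv = add_key_to_list(keylist, &key, nkeys);
		if (rv != KMF_OK) {
			/*
			 * The raw key was not appended, so the BIGNUM copies
			 * made by exportRaw*Key() would otherwise leak.
			 */
			KMF_FreeRawKey(&key);
			return (rv);
		}
	}

	/* Now add the certificate to the certlist */
	if (sslcert != NULL) {
		rv = add_cert_to_list(kmfh, sslcert, certlist, ncerts);
		if (rv != KMF_OK)
			return (rv);
	}

	/* Also add any included CA certs to the list */
	for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
		X509 *c;
		/*
		 * sk_X509_value() is macro that embeds a cast to (X509 *).
		 * Here it translates into ((X509 *)sk_value((ca), (i))).
		 * Lint is complaining about the embedded casting, and
		 * to fix it, you need to fix openssl header files.
		 */
		/* LINTED E_BAD_PTR_CAST_ALIGN */
		c = sk_X509_value(sslcacerts, i);

		/* Now add the ca cert to the certlist */
		rv = add_cert_to_list(kmfh, c, certlist, ncerts);
		if (rv != KMF_OK)
			return (rv);
	}
	return (rv);
}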
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
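/*
 * Read every PKCS#12 blob in `filename`, decrypt it with cred, and return
 * the contained keys and certificates in KMF form.
 *
 * certlist/ncerts, keylist/nkeys:
 *     Output arrays, initialised to NULL/0 before anything can fail and
 *     grown by convertPK12Objects().  They are the caller's to free; on
 *     an error they may hold the objects converted before the failure.
 *
 * Returns KMF_OK, KMF_ERR_OPEN_FILE if the file cannot be opened (the
 * OpenSSL error is recorded on kmfh), or the first error from
 * extract_pkcs12()/convertPK12Objects().
 *
 * Per-blob objects are released at the end of every loop iteration and
 * the pointers reset to NULL.  The previous version freed them without
 * resetting and then freed them again after the loop on any error path
 * (extract_pkcs12() leaves its outputs untouched on failure), which was a
 * double free.  The CA stack is released with sk_X509_pop_free() because
 * PKCS12_parse() hands over the X509 references along with the stack;
 * sk_X509_free() alone leaked every CA certificate.
 */
KMF_RETURN
openssl_read_pkcs12(KMF_HANDLE *kmfh,
	char *filename, KMF_CREDENTIAL *cred,
	KMF_DATA **certlist, int *ncerts,
	KMF_RAW_KEY_DATA **keylist, int *nkeys)
{
	KMF_RETURN rv = KMF_OK;
	BIO *bio = NULL;
	EVP_PKEY *privkey = NULL;
	X509 *cert = NULL;
	STACK_OF(X509) *cacerts = NULL;

	*certlist = NULL;
	*keylist = NULL;
	*ncerts = 0;
	*nkeys = 0;

	bio = BIO_new_file(filename, "rb");
	if (bio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		return (KMF_ERR_OPEN_FILE);
	}

	while (rv == KMF_OK) {
		rv = extract_pkcs12(bio,
		    (uchar_t *)cred->cred,
		    (uint32_t)cred->credlen,
		    &privkey, &cert, &cacerts);

		/* Reached end of import file? */
		if (rv == KMF_OK && privkey == NULL &&
		    cert == NULL && cacerts == NULL)
			break;

		if (rv == KMF_OK)
			/* Convert keys and certs to exportable format */
			rv = convertPK12Objects(kmfh, privkey, cert, cacerts,
			    keylist, nkeys, certlist, ncerts);

		/*
		 * Everything has been copied into the KMF lists (or the
		 * conversion failed); release this blob's objects and reset
		 * the pointers so nothing is freed twice.
		 */
		if (privkey != NULL) {
			EVP_PKEY_free(privkey);
			privkey = NULL;
		}
		if (cert != NULL) {
			X509_free(cert);
			cert = NULL;
		}
		if (cacerts != NULL) {
			sk_X509_pop_free(cacerts, X509_free);
			cacerts = NULL;
		}
	}

	(void) BIO_free(bio);

	return (rv);
}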
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
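/*
 * Import a private key and certificates from a PEM keypair file.
 *
 * filename: File to read; its format is auto-detected and must be
 *           KMF_FORMAT_PEM or KMF_FORMAT_PEM_KEYPAIR.
 * cred:     Passphrase handed to extract_objects() for an encrypted key.
 * certlist/ncerts:
 *           Receive every certificate in the file (extract_objects() is
 *           called with a NULL params, i.e. no filtering).
 * keylist/nkeys:
 *           Receive the private key, if any, converted to raw form.
 *
 * All four outputs are initialised to NULL/0 before the first early
 * return so callers see sane values on every error path.  Returns KMF_OK,
 * KMF_ERR_CERT_NOT_FOUND if the file cannot be opened, KMF_ERR_ENCODING
 * for a non-PEM file, or the first error from extract_objects() /
 * convertPK12Objects().
 */
KMF_RETURN
openssl_import_keypair(KMF_HANDLE *kmfh,
	char *filename, KMF_CREDENTIAL *cred,
	KMF_DATA **certlist, int *ncerts,
	KMF_RAW_KEY_DATA **keylist, int *nkeys)
{
	KMF_RETURN rv = KMF_OK;
	EVP_PKEY *privkey = NULL;
	KMF_ENCODE_FORMAT format;

	*certlist = NULL;
	*keylist = NULL;
	*ncerts = 0;
	*nkeys = 0;

	/*
	 * auto-detect the file format, regardless of what
	 * the 'format' parameters in the params say.
	 */
	rv = KMF_GetFileFormat(filename, &format);
	if (rv != KMF_OK) {
		/* An unopenable file is reported as "certificate not found". */
		if (rv == KMF_ERR_OPEN_FILE)
			rv = KMF_ERR_CERT_NOT_FOUND;
		return (rv);
	}

	/* This function only works on PEM files */
	if (format != KMF_FORMAT_PEM &&
	    format != KMF_FORMAT_PEM_KEYPAIR)
		return (KMF_ERR_ENCODING);

	rv = extract_objects(kmfh, NULL, filename,
	    (uchar_t *)cred->cred,
	    (uint32_t)cred->credlen,
	    &privkey, certlist, ncerts);

	/* Convert the private key (if any) to exportable raw form. */
	if (rv == KMF_OK)
		rv = convertPK12Objects(kmfh, privkey, NULL, NULL,
		    keylist, nkeys, NULL, NULL);

	/*
	 * extract_objects() handed us its reference; the raw copy made by
	 * convertPK12Objects() does not depend on it.
	 */
	if (privkey != NULL)
		EVP_PKEY_free(privkey);

	return (rv);
}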
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys
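/*
 * Write a raw RSA or DSA private key to a new file under the OpenSSL
 * keystore directory.
 *
 * handle: KMF handle, used for error reporting.
 * params: params->sslparms.dirpath/keyfile name the destination file,
 *         params->sslparms.format selects the encoding and params->cred
 *         is the passphrase for ssl_write_private_key().
 * key:    Raw key to store; key->keytype must be KMF_RSA or KMF_DSA.
 *
 * Returns KMF_OK; KMF_ERR_BAD_PARAMETER for a NULL argument, an
 * unsupported key type, an unbuildable path, or a raw key that
 * ImportRaw*Key() rejects (previously that last case returned KMF_OK
 * without writing anything); KMF_ERR_DUPLICATE_KEYFILE if the file
 * already exists; KMF_ERR_OPEN_FILE if it cannot be created or restricted
 * to 0400; or the error from ssl_write_private_key().
 *
 * The file is chmod'ed to 0400 right after creation and before any key
 * bytes are written (the open handle keeps working), so the interval in
 * which it carries the umask-derived mode never holds key material.  The
 * previous version did the chmod after free(fullpath), i.e. on a freed
 * pointer.
 * NOTE(review): the access() check followed by BIO_new_file() is not
 * atomic; an exclusive create (O_EXCL) would close that gap but needs
 * <fcntl.h>, which is not known to be included here.
 */
KMF_RETURN
OpenSSL_StorePrivateKey(KMF_HANDLE_T handle, KMF_STOREKEY_PARAMS *params,
	KMF_RAW_KEY_DATA *key)
{
	KMF_RETURN rv = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	char *fullpath = NULL;
	EVP_PKEY *pkey = NULL;
	BIO *bio = NULL;

	if (key == NULL || params == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if (key->keytype == KMF_RSA)
		pkey = ImportRawRSAKey(&key->rawdata.rsa);
	else if (key->keytype == KMF_DSA)
		pkey = ImportRawDSAKey(&key->rawdata.dsa);
	else
		return (KMF_ERR_BAD_PARAMETER);

	/* ImportRaw*Key() only signal failure by returning NULL. */
	if (pkey == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.keyfile);
	if (fullpath == NULL) {
		rv = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	/* If the requested file exists, return an error */
	if (access(fullpath, F_OK) == 0) {
		rv = KMF_ERR_DUPLICATE_KEYFILE;
		goto cleanup;
	}

	bio = BIO_new_file(fullpath, "wb");
	if (bio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		rv = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	/* Protect the file by making it read-only before writing the key. */
	if (chmod(fullpath, 0400) != 0) {
		rv = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	rv = ssl_write_private_key(kmfh,
	    params->sslparms.format,
	    bio, &params->cred, pkey);

cleanup:
	/* Close the BIO first so the key data is flushed before we return. */
	if (bio != NULL)
		(void) BIO_free(bio);

	if (pkey != NULL)
		EVP_PKEY_free(pkey);

	free(fullpath);

	return (rv);
}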
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Allocate a single DES key block and fill it from DES_random_key().
 *
 * deskey: Receives the new block on success; the caller frees it.
 *
 * Returns KMF_OK, KMF_ERR_MEMORY if the block cannot be allocated, or
 * KMF_ERR_KEYGEN_FAILED when DES_random_key() reports 0.
 */
static KMF_RETURN
create_deskey(DES_cblock **deskey)
{
	DES_cblock *fresh = (DES_cblock *)malloc(sizeof (*fresh));

	if (fresh == NULL)
		return (KMF_ERR_MEMORY);

	if (DES_random_key(fresh) == 0) {
		free(fresh);
		return (KMF_ERR_KEYGEN_FAILED);
	}

	*deskey = fresh;
	return (KMF_OK);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define KEYGEN_RETRY 3
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define DES3_KEY_SIZE 24
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
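/*
 * Release a single-DES key block, scrubbing the key material first.
 * A plain memset() immediately before free() may be removed by the
 * optimizer, so the bytes are cleared through a volatile pointer.
 * NULL is accepted and ignored.
 */
static void
free_deskey(DES_cblock *key)
{
	volatile unsigned char *p = (volatile unsigned char *)key;
	size_t i;

	if (key == NULL)
		return;
	for (i = 0; i < sizeof (DES_cblock); i++)
		p[i] = 0;
	free(key);
}

/*
 * Build a DES3_KEY_SIZE-byte three-key Triple-DES key (K1 || K2 || K3)
 * from three independently generated single-DES keys.
 *
 * Each key comes from create_deskey().  K2 is regenerated (up to
 * KEYGEN_RETRY times) while it equals K1, and K3 is regenerated while it
 * equals K2 or K1: K1 == K3 would silently reduce the result to two-key
 * Triple-DES, and a repeated neighbouring key would reduce it to single
 * DES.  If a distinct key cannot be obtained within KEYGEN_RETRY attempts
 * KMF_ERR_KEYGEN_FAILED is returned.
 *
 * On success *des3key receives a malloc()ed buffer owned by the caller
 * and KMF_OK is returned; on failure *des3key is left untouched.  The
 * intermediate single-key copies are scrubbed before they are freed.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER (NULL des3key), KMF_ERR_MEMORY
 * or KMF_ERR_KEYGEN_FAILED.
 */
static KMF_RETURN
create_des3key(unsigned char **des3key)
{
	KMF_RETURN ret = KMF_OK;
	DES_cblock *deskey1 = NULL;
	DES_cblock *deskey2 = NULL;
	DES_cblock *deskey3 = NULL;
	unsigned char *newkey = NULL;
	int retry;

	if (des3key == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if ((newkey = malloc(DES3_KEY_SIZE)) == NULL)
		return (KMF_ERR_MEMORY);

	/* 1st DES key */
	if ((ret = create_deskey(&deskey1)) != KMF_OK)
		goto out;

	/* 2nd DES key: must differ from the 1st */
	retry = 0;
	do {
		free_deskey(deskey2);
		deskey2 = NULL;

		if ((ret = create_deskey(&deskey2)) != KMF_OK)
			goto out;

		if (memcmp(deskey1, deskey2, sizeof (DES_cblock)) == 0) {
			ret = KMF_ERR_KEYGEN_FAILED;
			retry++;
		}
	} while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);

	if (ret != KMF_OK)
		goto out;

	/* 3rd DES key: must differ from both the 2nd and the 1st */
	retry = 0;
	do {
		free_deskey(deskey3);
		deskey3 = NULL;

		if ((ret = create_deskey(&deskey3)) != KMF_OK)
			goto out;

		if (memcmp(deskey2, deskey3, sizeof (DES_cblock)) == 0 ||
		    memcmp(deskey1, deskey3, sizeof (DES_cblock)) == 0) {
			ret = KMF_ERR_KEYGEN_FAILED;
			retry++;
		}
	} while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);

	if (ret != KMF_OK)
		goto out;

	/* Concatenate K1 || K2 || K3 into the DES3 key */
	(void) memcpy(newkey, deskey1, sizeof (DES_cblock));
	(void) memcpy(newkey + sizeof (DES_cblock), deskey2,
	    sizeof (DES_cblock));
	(void) memcpy(newkey + 2 * sizeof (DES_cblock), deskey3,
	    sizeof (DES_cblock));
	*des3key = newkey;

out:
	free_deskey(deskey1);
	free_deskey(deskey2);
	free_deskey(deskey3);

	/*
	 * newkey only receives key material on the success path, where it
	 * has just been handed to the caller; on failure it is still unused.
	 */
	if (ret != KMF_OK)
		free(newkey);

	return (ret);
}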
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
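/*
 * Write exactly len bytes from buf to fd, continuing after short writes.
 * Returns 0 on success and -1 if write(2) fails or makes no progress
 * (an interrupted write is reported as a failure; the caller removes the
 * partial file).
 */
static int
write_keyfile_bytes(int fd, const unsigned char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);

		if (n <= 0)
			return (-1);
		buf += n;
		len -= (size_t)n;
	}
	return (0);
}

/*
 * Generate a new symmetric key and store its raw value in a new file.
 *
 * handle - KMF handle; must not be NULL.
 * params - key type, key length in bits, and sslparms.dirpath /
 *          sslparms.keyfile naming the file to create.  The file must
 *          not already exist (KMF_ERR_DUPLICATE_KEYFILE otherwise).
 * symkey - filled in on success: a raw (israw) KMF_SYMMETRIC key whose
 *          keylabel is the malloc()ed full path of the key file and whose
 *          keyp is a malloc()ed KMF_RAW_SYM_KEY holding the key bytes.
 *
 * Key types: KMF_DES (one DES_cblock), KMF_DES3 (DES3_KEY_SIZE bytes),
 * and KMF_AES / KMF_RC4 / KMF_GENERIC_SECRET (keylength/8 bytes from
 * RAND_bytes(); AES must be 128, 192 or 256 bits, the others any
 * non-zero multiple of 8).  Any other type is KMF_ERR_BAD_KEY_TYPE.
 *
 * The file is created with mode 0400 and O_EXCL.  Returns KMF_OK or a
 * KMF error code; on failure nothing is left behind: a key file created
 * by this call is removed again, symkey->keyp is reset to NULL and
 * symkey->keyalg to KMF_KEYALG_NONE.
 */
KMF_RETURN
OpenSSL_CreateSymKey(KMF_HANDLE_T handle, KMF_CREATESYMKEY_PARAMS *params,
	KMF_KEY_HANDLE *symkey)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	char *fullpath = NULL;
	KMF_RAW_SYM_KEY *rkey = NULL;
	DES_cblock *deskey = NULL;
	unsigned char *des3key = NULL;
	unsigned char *randkey = NULL;
	int fd = -1;

	if (kmfh == NULL)
		return (KMF_ERR_UNINITIALIZED);

	if (params == NULL || params->sslparms.keyfile == NULL ||
	    symkey == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	fullpath = get_fullpath(params->sslparms.dirpath,
	    params->sslparms.keyfile);
	if (fullpath == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	/* If the requested file exists, return an error */
	if (access(fullpath, F_OK) == 0) {
		free(fullpath);
		return (KMF_ERR_DUPLICATE_KEYFILE);
	}

	/*
	 * O_EXCL closes the window between the access() check above and
	 * the open(): if the name appears in the meantime (including as a
	 * symlink), open() fails instead of truncating whatever it now
	 * points at.  The file is created read-only for the owner.
	 */
	fd = open(fullpath, O_CREAT|O_EXCL|O_RDWR, 0400);
	if (fd == -1) {
		ret = KMF_ERR_OPEN_FILE;
		goto out;
	}

	rkey = calloc(1, sizeof (*rkey));
	if (rkey == NULL) {
		ret = KMF_ERR_MEMORY;
		goto out;
	}

	if (params->keytype == KMF_DES) {
		if ((ret = create_deskey(&deskey)) != KMF_OK)
			goto out;
		/* ownership of deskey passes to rkey */
		rkey->keydata.val = (uchar_t *)deskey;
		rkey->keydata.len = sizeof (DES_cblock);
		symkey->keyalg = KMF_DES;

	} else if (params->keytype == KMF_DES3) {
		if ((ret = create_des3key(&des3key)) != KMF_OK)
			goto out;
		/* ownership of des3key passes to rkey */
		rkey->keydata.val = (uchar_t *)des3key;
		rkey->keydata.len = DES3_KEY_SIZE;
		symkey->keyalg = KMF_DES3;

	} else if (params->keytype == KMF_AES || params->keytype == KMF_RC4 ||
	    params->keytype == KMF_GENERIC_SECRET) {
		size_t bytes;

		/* keylength is in bits and must describe whole bytes */
		if (params->keylength == 0 || params->keylength % 8 != 0) {
			ret = KMF_ERR_BAD_KEY_SIZE;
			goto out;
		}

		/* AES only comes in three sizes */
		if (params->keytype == KMF_AES &&
		    params->keylength != 128 &&
		    params->keylength != 192 &&
		    params->keylength != 256) {
			ret = KMF_ERR_BAD_KEY_SIZE;
			goto out;
		}

		bytes = (size_t)(params->keylength / 8);
		randkey = malloc(bytes);
		if (randkey == NULL) {
			ret = KMF_ERR_MEMORY;
			goto out;
		}
		/*
		 * RAND_bytes() reports success with 1.  randkey is not yet
		 * attached to rkey, so it has to be released here.
		 */
		if (RAND_bytes(randkey, (int)bytes) != 1) {
			free(randkey);
			randkey = NULL;
			ret = KMF_ERR_KEYGEN_FAILED;
			goto out;
		}

		/* ownership of randkey passes to rkey */
		rkey->keydata.val = (uchar_t *)randkey;
		rkey->keydata.len = bytes;
		symkey->keyalg = params->keytype;

	} else {
		ret = KMF_ERR_BAD_KEY_TYPE;
		goto out;
	}

	/*
	 * A short or failed write would leave a truncated key file while
	 * still reporting success, so the result is checked.
	 */
	if (write_keyfile_bytes(fd, rkey->keydata.val,
	    rkey->keydata.len) != 0) {
		ret = KMF_ERR_INTERNAL;
		goto out;
	}

	symkey->kstype = KMF_KEYSTORE_OPENSSL;
	symkey->keyclass = KMF_SYMMETRIC;
	symkey->keylabel = (char *)fullpath;	/* symkey now owns fullpath */
	symkey->israw = TRUE;
	symkey->keyp = rkey;

out:
	if (fd != -1)
		(void) close(fd);

	if (ret != KMF_OK) {
		/*
		 * Do not leave an empty or partial key file behind: a
		 * later retry would otherwise be refused with
		 * KMF_ERR_DUPLICATE_KEYFILE.
		 */
		if (fd != -1)
			(void) unlink(fullpath);
		free(fullpath);
		/* releases rkey and any key buffer attached to it */
		KMF_FreeRawSymKey(rkey);
		symkey->keyp = NULL;
		symkey->keyalg = KMF_KEYALG_NONE;
	}

	return (ret);
}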
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
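/*
 * Verify the signature on a CRL file against a trusted CA certificate.
 *
 * params->crl_name is the path of the CRL (PEM or DER, as detected by
 * KMF_GetFileFormat()); params->tacert holds the DER-encoded certificate
 * whose public key is expected to have signed the CRL.
 *
 * Only the signature is checked here: the CRL issuer name is not
 * compared with the certificate, and the CRL's validity dates are not
 * examined (see OpenSSL_CheckCRLDate()).  Callers must therefore supply
 * the certificate of the actual CRL issuer.
 *
 * Returns KMF_OK when the signature verifies; KMF_ERR_UNINITIALIZED for
 * a NULL handle; KMF_ERR_BAD_PARAMETER for a NULL params, crl_name,
 * tacert or an unsupported file format; KMF_ERR_OPEN_FILE,
 * KMF_ERR_BAD_CRLFILE, KMF_ERR_BAD_CERTFILE or KMF_ERR_BAD_CERT_FORMAT
 * when the inputs cannot be read or parsed; and KMF_ERR_BAD_CRLFILE when
 * the signature does not verify.
 */
KMF_RETURN
OpenSSL_VerifyCRLFile(KMF_HANDLE_T handle, KMF_VERIFYCRL_PARAMS *params)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	BIO *bcrl = NULL;
	X509_CRL *xcrl = NULL;
	X509 *xcert = NULL;
	EVP_PKEY *pkey = NULL;
	int sslret;
	KMF_ENCODE_FORMAT crl_format;
	unsigned char *p;
	long len;

	/* SET_ERROR() below records into the handle, so it must exist */
	if (kmfh == NULL)
		return (KMF_ERR_UNINITIALIZED);

	if (params == NULL || params->crl_name == NULL ||
	    params->tacert == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	ret = KMF_GetFileFormat(params->crl_name, &crl_format);
	if (ret != KMF_OK)
		return (ret);

	bcrl = BIO_new_file(params->crl_name, "rb");
	if (bcrl == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	if (crl_format == KMF_FORMAT_ASN1) {
		xcrl = d2i_X509_CRL_bio(bcrl, NULL);
	} else if (crl_format == KMF_FORMAT_PEM) {
		xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
	} else {
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	if (xcrl == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CRLFILE;
		goto cleanup;
	}

	/* d2i_X509() advances p; use a copy so tacert->Data is untouched */
	p = params->tacert->Data;
	len = params->tacert->Length;
	xcert = d2i_X509(NULL, (const uchar_t **)&p, len);

	if (xcert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CERTFILE;
		goto cleanup;
	}

	/* Get issuer certificate public key */
	pkey = X509_get_pubkey(xcert);
	if (pkey == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}

	/* Verify CRL signature; X509_CRL_verify() returns > 0 on success */
	sslret = X509_CRL_verify(xcrl, pkey);
	EVP_PKEY_free(pkey);
	pkey = NULL;
	if (sslret > 0) {
		ret = KMF_OK;
	} else {
		SET_ERROR(kmfh, sslret);
		ret = KMF_ERR_BAD_CRLFILE;
	}

cleanup:
	if (bcrl != NULL)
		(void) BIO_free(bcrl);

	if (xcrl != NULL)
		X509_CRL_free(xcrl);

	if (xcert != NULL)
		X509_free(xcert);

	return (ret);
}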
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Check that the CRL in params->crl_name is currently in effect.
 *
 * The file's format is determined with KMF_IsCRLFile() and the CRL is
 * parsed as DER or PEM accordingly.  The CRL is rejected with
 * KMF_ERR_VALIDITY_PERIOD when its lastUpdate is not in the past or,
 * when a nextUpdate is present, when that nextUpdate is not in the
 * future.  X509_cmp_time() reports an unparsable time as 0, which both
 * checks treat as invalid.  The CRL signature is not checked here.
 *
 * Returns KMF_OK, KMF_ERR_BAD_PARAMETER, whatever KMF_IsCRLFile()
 * returned, KMF_ERR_OPEN_FILE, KMF_ERR_BAD_CRLFILE or
 * KMF_ERR_VALIDITY_PERIOD.
 */
KMF_RETURN
OpenSSL_CheckCRLDate(KMF_HANDLE_T handle,
	KMF_CHECKCRLDATE_PARAMS *params)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	KMF_ENCODE_FORMAT crl_format;
	BIO *crlbio = NULL;
	X509_CRL *crl = NULL;

	if (params == NULL || params->crl_name == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	if ((ret = KMF_IsCRLFile(handle, params->crl_name,
	    &crl_format)) != KMF_OK)
		return (ret);

	if ((crlbio = BIO_new_file(params->crl_name, "rb")) == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto cleanup;
	}

	switch (crl_format) {
	case KMF_FORMAT_ASN1:
		crl = d2i_X509_CRL_bio(crlbio, NULL);
		break;
	case KMF_FORMAT_PEM:
		crl = PEM_read_bio_X509_CRL(crlbio, NULL, NULL, NULL);
		break;
	default:
		/* any other format leaves crl NULL and fails below */
		break;
	}

	if (crl == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CRLFILE;
		goto cleanup;
	}

	if (X509_cmp_time(X509_CRL_get_lastUpdate(crl), NULL) >= 0) {
		/* lastUpdate is not yet reached (or unparsable) */
		ret = KMF_ERR_VALIDITY_PERIOD;
	} else if (X509_CRL_get_nextUpdate(crl) != NULL &&
	    X509_cmp_time(X509_CRL_get_nextUpdate(crl), NULL) <= 0) {
		/* nextUpdate has already passed (or is unparsable) */
		ret = KMF_ERR_VALIDITY_PERIOD;
	} else {
		ret = KMF_OK;
	}

cleanup:
	if (crlbio != NULL)
		(void) BIO_free(crlbio);

	if (crl != NULL)
		X509_CRL_free(crl);

	return (ret);
}
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
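/*
 * Check a file to see if it is a CRL file with PEM or DER format.
 * If success, return its format in the "pformat" argument.
 *
 * The file is first parsed as PEM; if that fails it is reopened and
 * parsed as raw DER.  Only the encoding is determined here: the CRL is
 * neither verified nor date-checked.
 *
 * handle   - KMF handle; must not be NULL (SET_ERROR() records into it).
 * filename - path of the candidate CRL file.
 * pformat  - on success receives KMF_FORMAT_PEM or KMF_FORMAT_ASN1;
 *            left untouched on failure.
 *
 * Returns KMF_OK, KMF_ERR_UNINITIALIZED, KMF_ERR_BAD_PARAMETER,
 * KMF_ERR_OPEN_FILE or KMF_ERR_BAD_CRLFILE.
 */
KMF_RETURN
OpenSSL_IsCRLFile(KMF_HANDLE_T handle, char *filename, int *pformat)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	BIO *bio = NULL;
	X509_CRL *xcrl = NULL;

	if (kmfh == NULL)
		return (KMF_ERR_UNINITIALIZED);

	if (filename == NULL || pformat == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	bio = BIO_new_file(filename, "rb");
	if (bio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto out;
	}

	if ((xcrl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)) != NULL) {
		*pformat = KMF_FORMAT_PEM;
		goto out;
	}

	/*
	 * Not PEM.  Reopen the file (rather than rewinding the BIO) and
	 * try to read it as raw DER data.
	 */
	(void) BIO_free(bio);
	bio = BIO_new_file(filename, "rb");
	if (bio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto out;
	}

	if ((xcrl = d2i_X509_CRL_bio(bio, NULL)) != NULL) {
		*pformat = KMF_FORMAT_ASN1;
	} else {
		ret = KMF_ERR_BAD_CRLFILE;
	}

out:
	if (bio != NULL)
		(void) BIO_free(bio);

	if (xcrl != NULL)
		X509_CRL_free(xcrl);

	return (ret);
}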
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
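/*
 * Check a file to see if it is a certificate file with PEM or DER format.
 * If success, return its format in the pformat argument.
 *
 * KMF_GetFileFormat() decides the encoding first; the file is then
 * parsed once with the matching OpenSSL reader to confirm it really
 * holds an X.509 certificate.  Nothing about the certificate's contents
 * or validity is checked.
 *
 * handle   - KMF handle; must not be NULL (SET_ERROR() records into it).
 * filename - path of the candidate certificate file.
 * pformat  - receives the detected format.  Note that KMF_GetFileFormat()
 *            writes it before the file is parsed, so it may already have
 *            been set when KMF_ERR_OPEN_FILE or KMF_ERR_BAD_CERTFILE is
 *            returned.
 *
 * Returns KMF_OK, KMF_ERR_UNINITIALIZED, KMF_ERR_BAD_PARAMETER, whatever
 * KMF_GetFileFormat() returned, KMF_ERR_OPEN_FILE or KMF_ERR_BAD_CERTFILE
 * (also used for a format that is neither PEM nor DER).
 */
KMF_RETURN
OpenSSL_IsCertFile(KMF_HANDLE_T handle, char *filename,
	KMF_ENCODE_FORMAT *pformat)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	BIO *bio = NULL;
	X509 *xcert = NULL;

	if (kmfh == NULL)
		return (KMF_ERR_UNINITIALIZED);

	if (filename == NULL || pformat == NULL)
		return (KMF_ERR_BAD_PARAMETER);

	ret = KMF_GetFileFormat(filename, pformat);
	if (ret != KMF_OK)
		return (ret);

	bio = BIO_new_file(filename, "rb");
	if (bio == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_OPEN_FILE;
		goto out;
	}

	if (*pformat == KMF_FORMAT_PEM) {
		if ((xcert = PEM_read_bio_X509(bio, NULL,
		    NULL, NULL)) == NULL) {
			ret = KMF_ERR_BAD_CERTFILE;
		}
	} else if (*pformat == KMF_FORMAT_ASN1) {
		if ((xcert = d2i_X509_bio(bio, NULL)) == NULL) {
			ret = KMF_ERR_BAD_CERTFILE;
		}
	} else {
		ret = KMF_ERR_BAD_CERTFILE;
	}

out:
	if (bio != NULL)
		(void) BIO_free(bio);

	if (xcert != NULL)
		X509_free(xcert);

	return (ret);
}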
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys
/*
 * Hand back the raw bytes of a symmetric key.
 *
 * symkey must be of class KMF_SYMMETRIC.  For an in-memory ("israw") key
 * the value is duplicated into a freshly malloc'd buffer; otherwise the
 * value is loaded from the file named by symkey->keylabel and the buffer
 * produced by KMF_ReadInputFile is handed over directly.  Either way the
 * caller owns rkey->keydata.val afterwards.
 *
 * Returns KMF_OK, or KMF_ERR_UNINITIALIZED / KMF_ERR_BAD_PARAMETER /
 * KMF_ERR_BAD_KEY_CLASS / KMF_ERR_BAD_KEYHANDLE / KMF_ERR_MEMORY, or the
 * error reported by KMF_ReadInputFile.
 */
KMF_RETURN
OpenSSL_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
	KMF_RAW_SYM_KEY *rkey)
{
	KMF_RAW_SYM_KEY *src;

	if (handle == NULL)
		return (KMF_ERR_UNINITIALIZED);
	if (symkey == NULL || rkey == NULL)
		return (KMF_ERR_BAD_PARAMETER);
	if (symkey->keyclass != KMF_SYMMETRIC)
		return (KMF_ERR_BAD_KEY_CLASS);

	if (!symkey->israw) {
		/* File-backed key: the label is the path to read. */
		KMF_DATA filedata;
		KMF_RETURN rv;

		rv = KMF_ReadInputFile(handle, symkey->keylabel, &filedata);
		if (rv != KMF_OK)
			return (rv);
		rkey->keydata.len = filedata.Length;
		rkey->keydata.val = filedata.Data;
		return (KMF_OK);
	}

	/* In-memory key: copy it so the caller gets its own buffer. */
	src = (KMF_RAW_SYM_KEY *)symkey->keyp;
	if (src == NULL || src->keydata.val == NULL ||
	    src->keydata.len == 0)
		return (KMF_ERR_BAD_KEYHANDLE);

	rkey->keydata.len = src->keydata.len;
	rkey->keydata.val = malloc(rkey->keydata.len);
	if (rkey->keydata.val == NULL)
		return (KMF_ERR_MEMORY);
	(void) memcpy(rkey->keydata.val, src->keydata.val,
	    rkey->keydata.len);

	return (KMF_OK);
}
02744e811b15322c5f109827a116c33bfe3438b5wyllys
/*
 * DER DigestInfo prefixes used when checking PKCS#1 v1.5 signatures.
 *
 * Each table encodes
 *	SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING }
 * up to but not including the digest bytes; the last byte of every table is
 * the OCTET STRING length, i.e. the digest size expected to follow it.
 */

/*
 * id-sha1 OBJECT IDENTIFIER ::= {
 *	iso(1) identified-organization(3) oiw(14) secsig(3)
 *	algorithms(2) 26
 * }
 */
#define	ASN1_SHA1_OID_PREFIX_LEN	15
static uchar_t SHA1_DER_PREFIX[ASN1_SHA1_OID_PREFIX_LEN] = {
	0x30, 0x21,				/* SEQUENCE, 33 bytes */
	0x30, 0x09,				/* SEQUENCE, 9 bytes */
	0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,	/* OID 1.3.14.3.2.26 */
	0x05, 0x00,				/* NULL */
	0x04, 0x14				/* OCTET STRING, 20 bytes */
};

/*
 * id-md2 OBJECT IDENTIFIER ::= {
 *	iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2
 * }
 */
#define	ASN1_MD2_OID_PREFIX_LEN		18
static uchar_t MD2_DER_PREFIX[ASN1_MD2_OID_PREFIX_LEN] = {
	0x30, 0x20,				/* SEQUENCE, 32 bytes */
	0x30, 0x0c,				/* SEQUENCE, 12 bytes */
	0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x02,
						/* OID 1.2.840.113549.2.2 */
	0x05, 0x00,				/* NULL */
	0x04, 0x10				/* OCTET STRING, 16 bytes */
};

/*
 * id-md5 OBJECT IDENTIFIER ::= {
 *	iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5
 * }
 */
#define	ASN1_MD5_OID_PREFIX_LEN		18
static uchar_t MD5_DER_PREFIX[ASN1_MD5_OID_PREFIX_LEN] = {
	0x30, 0x20,				/* SEQUENCE, 32 bytes */
	0x30, 0x0c,				/* SEQUENCE, 12 bytes */
	0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05,
						/* OID 1.2.840.113549.2.5 */
	0x05, 0x00,				/* NULL */
	0x04, 0x10				/* OCTET STRING, 16 bytes */
};
02744e811b15322c5f109827a116c33bfe3438b5wyllys
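/*
 * Verify an RSA (PKCS#1 v1.5) signature over indata with the public key
 * carried in a DER-encoded certificate.
 *
 * handle	KMF handle; OpenSSL error codes are recorded on it via SET_ERROR.
 * algid	Signature algorithm.  KMF_ALGID_NONE means "use the digest
 *		named by the certificate's own signature algorithm";
 *		KMF_ALGID_RSA means indata is compared against the recovered
 *		block as-is (no hashing).
 * indata	The signed data (or the pre-built block for KMF_ALGID_RSA).
 * insig	The signature to check.
 * cert		DER-encoded X.509 certificate whose public key must be RSA.
 *
 * Returns KMF_OK when the block recovered from insig is byte-for-byte the
 * expected DigestInfo (DER prefix || digest), KMF_ERR_INTERNAL when it is
 * not, KMF_ERR_BAD_PARAMETER / KMF_ERR_BAD_CERT_FORMAT for unusable input
 * and KMF_ERR_MEMORY on allocation failure.  Every path, including the
 * allocation failures, releases the OpenSSL objects and buffers it holds.
 */
KMF_RETURN
OpenSSL_VerifyDataWithCert(KMF_HANDLE_T handle,
	KMF_ALGORITHM_INDEX algid, KMF_DATA *indata,
	KMF_DATA *insig, KMF_DATA *cert)
{
	KMF_RETURN ret = KMF_OK;
	KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
	X509 *xcert = NULL;
	EVP_PKEY *pkey = NULL;
	uchar_t *p;
	uchar_t *rsaout = NULL;		/* block recovered from insig */
	uchar_t *expbuf = NULL;		/* prefix || digest, when we hash */
	const uchar_t *expected;	/* what rsaout must be equal to */
	size_t explen = 0;
	uchar_t *pfx = NULL;
	const EVP_MD *md = NULL;
	int pfxlen = 0, rsalen, len;

	if (handle == NULL || indata == NULL ||
	    indata->Data == NULL || indata->Length == 0 ||
	    insig == NULL || insig->Data == NULL || insig->Length == 0 ||
	    cert == NULL || cert->Data == NULL || cert->Length == 0)
		return (KMF_ERR_BAD_PARAMETER);

	p = cert->Data;
	xcert = d2i_X509(NULL, (const uchar_t **)&p, cert->Length);
	if (xcert == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}

	pkey = X509_get_pubkey(xcert);
	if (pkey == NULL) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_CERT_FORMAT;
		goto cleanup;
	}

	/*
	 * Everything below goes through pkey->pkey.rsa, which is only a
	 * meaningful union member for an RSA key; refuse anything else
	 * rather than reinterpret another key type's structure.
	 */
	if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA ||
	    pkey->pkey.rsa == NULL) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	/* A signature cannot be longer than the modulus. */
	rsalen = RSA_size(pkey->pkey.rsa);
	if (rsalen <= 0 || insig->Length > (size_t)rsalen) {
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	if (algid != KMF_ALGID_NONE) {
		switch (algid) {
		case KMF_ALGID_MD5WithRSA:
			md = EVP_md5();
			break;
		case KMF_ALGID_MD2WithRSA:
			md = EVP_md2();
			break;
		case KMF_ALGID_SHA1WithRSA:
			md = EVP_sha1();
			break;
		case KMF_ALGID_RSA:
			md = NULL;	/* raw RSA: caller supplies the block */
			break;
		default:
			ret = KMF_ERR_BAD_PARAMETER;
			goto cleanup;
		}
	} else {
		/* Get the hash type from the cert signature */
		md = EVP_get_digestbyobj(xcert->sig_alg->algorithm);
		if (md == NULL) {
			SET_ERROR(kmfh, ERR_get_error());
			ret = KMF_ERR_BAD_PARAMETER;
			goto cleanup;
		}
	}

	/*
	 * Pick the DigestInfo prefix that a PKCS#1 v1.5 signer puts in
	 * front of the hash.  An unsupported digest leaves pfxlen at 0,
	 * in which case only the bare hash is compared.
	 */
	if (md != NULL) {
		switch (EVP_MD_type(md)) {
		case NID_md2:
		case NID_md2WithRSAEncryption:
			pfxlen = ASN1_MD2_OID_PREFIX_LEN;
			pfx = MD2_DER_PREFIX;
			break;
		case NID_md5:
		case NID_md5WithRSAEncryption:
			pfxlen = ASN1_MD5_OID_PREFIX_LEN;
			pfx = MD5_DER_PREFIX;
			break;
		case NID_sha1:
		case NID_sha1WithRSAEncryption:
			pfxlen = ASN1_SHA1_OID_PREFIX_LEN;
			pfx = SHA1_DER_PREFIX;
			break;
		default: /* Unsupported */
			pfxlen = 0;
			pfx = NULL;
			break;
		}
	}

	rsaout = malloc(rsalen);
	if (rsaout == NULL) {
		ret = KMF_ERR_MEMORY;
		goto cleanup;	/* not a bare return: pkey/xcert are freed */
	}

	/* Recover the signed block; PKCS#1 v1.5 padding is stripped here. */
	len = RSA_public_decrypt(insig->Length, insig->Data, rsaout,
	    pkey->pkey.rsa, RSA_PKCS1_PADDING);
	if (len < 1) {
		SET_ERROR(kmfh, ERR_get_error());
		ret = KMF_ERR_BAD_PARAMETER;
		goto cleanup;
	}

	if (md != NULL) {
		EVP_MD_CTX ctx;
		unsigned int mdlen = 0;

		/*
		 * If the AlgId requires it, hash the input data before
		 * comparing it to the decrypted signature: build
		 * DER prefix || H(indata).
		 */
		expbuf = malloc((size_t)pfxlen + (size_t)EVP_MD_size(md));
		if (expbuf == NULL) {
			ret = KMF_ERR_MEMORY;
			goto cleanup;
		}
		if (pfx != NULL && pfxlen > 0)
			(void) memcpy(expbuf, pfx, pfxlen);
		/* The digest goes AFTER the ASN.1 prefix. */
		if (!EVP_DigestInit(&ctx, md) ||
		    !EVP_DigestUpdate(&ctx, indata->Data, indata->Length) ||
		    !EVP_DigestFinal(&ctx, expbuf + pfxlen, &mdlen)) {
			SET_ERROR(kmfh, ERR_get_error());
			ret = KMF_ERR_INTERNAL;
			goto cleanup;
		}
		expected = expbuf;
		explen = (size_t)pfxlen + mdlen;
	} else {
		/* KMF_ALGID_RSA: the caller already built the block. */
		expected = indata->Data;
		explen = indata->Length;
	}

	/*
	 * The result of the RSA decryption should be ASN1(OID | Hash).
	 * It must match in length as well as content: a memcmp over the
	 * expected length alone would accept a block that carries extra
	 * bytes after the digest, or read past the recovered data when
	 * the block is shorter than expected.
	 */
	if ((size_t)len != explen || memcmp(rsaout, expected, explen) != 0)
		ret = KMF_ERR_INTERNAL;
	else
		ret = KMF_OK;

cleanup:
	free(expbuf);
	free(rsaout);

	if (pkey != NULL)
		EVP_PKEY_free(pkey);

	if (xcert != NULL)
		X509_free(xcert);

	return (ret);
}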