openssl_spi.c revision d7141854234c22ab8fe0547bf51a2f3a30781870
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Use is subject to license terms.
70f9559bd0c02885d84a425eaafc8c280df10efbTheo Schlossnagle * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * project 2000.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ====================================================================
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Redistribution and use in source and binary forms, with or without
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * modification, are permitted provided that the following conditions
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 1. Redistributions of source code must retain the above copyright
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * notice, this list of conditions and the following disclaimer.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 2. Redistributions in binary form must reproduce the above copyright
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * notice, this list of conditions and the following disclaimer in
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * the documentation and/or other materials provided with the
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * distribution.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 3. All advertising materials mentioning features or use of this
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * software must display the following acknowledgment:
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * "This product includes software developed by the OpenSSL Project
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * endorse or promote products derived from this software without
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * prior written permission. For written permission, please contact
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * licensing@OpenSSL.org.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 5. Products derived from this software may not be called "OpenSSL"
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * nor may "OpenSSL" appear in their names without prior written
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * permission of the OpenSSL Project.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * 6. Redistributions of any form whatsoever must retain the following
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * acknowledgment:
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * "This product includes software developed by the OpenSSL Project
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * OF THE POSSIBILITY OF SUCH DAMAGE.
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * ====================================================================
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * This product includes cryptographic software written by Eric Young
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * (eay@cryptsoft.com). This product includes software written by Tim
9a7670889e9c36ec355371e6b02f2d9084f040dchaimay * Hudson (tjh@cryptsoft.com).
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* OPENSSL related headers */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic uchar_t P[] = { 0x00, 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic uchar_t Q[] = { 0x00, 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_OPENSSL; \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_SYS_ERROR(h, c) h->lasterr.kstype = -1; h->lasterr.errcode = c;
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * Declare some new macros for managing stacks of EVP_PKEYS, similar to
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * what wanboot did.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys#define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic int ssl_initialized = 0;
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllyslocal_export_pk12(KMF_HANDLE_T, KMF_CREDENTIAL *, int, KMF_X509_DER_CERT *,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys int, KMF_KEY_HANDLE *, char *);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysstatic KMF_RETURN set_pkey_attrib(EVP_PKEY *, ASN1_TYPE *, int);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysextract_pem(KMF_HANDLE *, char *, char *, KMF_BIGINT *, char *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CK_UTF8CHAR *, CK_ULONG, EVP_PKEY **, KMF_DATA **, int *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyskmf_load_cert(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysload_certs(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_FreeKMFCert(KMF_HANDLE_T, KMF_X509_DER_CERT *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_StoreCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DeleteCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CreateKeypair(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DeleteKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_ImportCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DeleteCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_FindCertInCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_CertGetPrintable(KMF_HANDLE_T, const KMF_DATA *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_FindPrikeyByCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CreateOCSPRequest(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_ExportPK12(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CreateSymKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_VerifyCRLFile(KMF_HANDLE_T, char *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic long *lock_count;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic unsigned long
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return ((unsigned long)thr_self());
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Add support for extension OIDs that are not yet in the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * openssl default set.
34acef6775bd2319a3708b750f10ccc4f1292562wyllys "X509v3 Name Constraints");
34acef6775bd2319a3708b750f10ccc4f1292562wyllys "X509v3 Policy Mappings");
34acef6775bd2319a3708b750f10ccc4f1292562wyllys "X509v3 Policy Constraints");
34acef6775bd2319a3708b750f10ccc4f1292562wyllys "X509v3 Freshest CRL");
34acef6775bd2319a3708b750f10ccc4f1292562wyllys "X509v3 Inhibit Any-Policy");
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Set up for thread-safe operation.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (long));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < CRYPTO_num_locks(); i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CRYPTO_set_id_callback((unsigned long (*)())thread_id);
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll CRYPTO_set_locking_callback((void (*)())locking_cb);
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll /* Enable error strings for reporting */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Convert an SSL DN to a KMF DN.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Convert to raw DER format */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((tmp = derdata.Data = (uchar_t *)OPENSSL_malloc(derdata.Length))
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Decode to KMF format */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysssl_cert2KMFDATA(KMF_HANDLE *kmfh, X509 *x509cert, KMF_DATA *cert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Convert the X509 internal struct to DER encoded data
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * i2d_X509 will increment the buf pointer so that we need to
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* caller's responsibility to free it */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyscheck_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&subjectDN, 0, sizeof (KMF_X509_NAME));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certIssuerDN, 0, sizeof (KMF_X509_NAME));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memset(&certSubjectDN, 0, sizeof (KMF_X509_NAME));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Comparing BIGNUMs is a pain! */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (a == NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys *match = (kmf_compare_rdns(&issuerDN, &certIssuerDN) == 0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* stop checking and bail */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys *match = (kmf_compare_rdns(&subjectDN, &certSubjectDN) == 0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* stop checking and bail */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This function loads a certificate file into an X509 data structure, and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * checks if its issuer, subject or the serial number matches with those
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * values. If it matches, then return the X509 data structure.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * auto-detect the file format, regardless of what
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the 'format' parameters in the params say.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Not ASN1(DER) format */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((bcert = BIO_new_file(pathname, "rb")) == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys xcert = PEM_read_bio_X509_AUX(bcert, NULL, NULL, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (check_cert(xcert, issuer, subject, serial, &match) != KMF_OK ||
71593db26bb6ef7b739cffe06d53bf990cac112cwyllysdatacmp(const void *a, const void *b)
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (-1);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (1);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys return (0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysload_certs(KMF_HANDLE *kmfh, char *issuer, char *subject, KMF_BIGINT *serial,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* load a single certificate */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* We need a credential to access a PKCS#12 file */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* This function only works on PEM files */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = extract_pem(kmfh, issuer, subject, serial, pathname,
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys for (i = 0; i < nc; i++) {
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* Remove this cert from the list by clearing it. */
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * Sort the list of certs by length to put the cleared ones
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys * at the end so they don't get accessed by the caller.
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys qsort((void *)certs, nc, sizeof (KMF_DATA), datacmp);
71593db26bb6ef7b739cffe06d53bf990cac112cwyllys /* since we sorted the list, just return the number of hits */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = load_X509cert(kmfh, issuer, subject, serial, pathname, &x509cert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv == KMF_OK && x509cert != NULL && cert != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This is a valid cert so skip it.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * We want to return success when we
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * find an invalid cert.
02744e811b15322c5f109827a116c33bfe3438b5wyllysreadAltFormatPrivateKey(KMF_DATA *filedata, EVP_PKEY **pkey)
02744e811b15322c5f109827a116c33bfe3438b5wyllys BerValue *PriExp = NULL, *Prime1 = NULL, *Prime2 = NULL;
02744e811b15322c5f109827a116c33bfe3438b5wyllys BIGNUM *D = NULL, *P = NULL, *Q = NULL, *COEF = NULL;
02744e811b15322c5f109827a116c33bfe3438b5wyllys * We have to derive the 2 Exponents using Bignumber math.
02744e811b15322c5f109827a116c33bfe3438b5wyllys * Exp1 = PriExp mod (Prime1 - 1)
02744e811b15322c5f109827a116c33bfe3438b5wyllys * Exp2 = PriExp mod (Prime2 - 1)
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* D = PrivateExponent */
02744e811b15322c5f109827a116c33bfe3438b5wyllys D = BN_bin2bn((const uchar_t *)PriExp->bv_val, PriExp->bv_len, D);
02744e811b15322c5f109827a116c33bfe3438b5wyllys if (D == NULL) {
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* P = Prime1 (first prime factor of Modulus) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys P = BN_bin2bn((const uchar_t *)Prime1->bv_val, Prime1->bv_len, P);
02744e811b15322c5f109827a116c33bfe3438b5wyllys if (D == NULL) {
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Q = Prime2 (second prime factor of Modulus) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys Q = BN_bin2bn((const uchar_t *)Prime2->bv_val, Prime2->bv_len, Q);
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Compute (P - 1) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Exponent1 = D mod (P - 1) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Compute (Q - 1) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Exponent2 = D mod (Q - 1) */
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Coef = (Inverse Q) mod P */
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Convert back to KMF format */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysopenssl_load_key(KMF_HANDLE_T handle, const char *file)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (kmf_get_file_format((char *)file, &format) != KMF_OK)
02744e811b15322c5f109827a116c33bfe3438b5wyllys /* Try odd ASN.1 variations */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys pkey = PEM_read_bio_PrivateKey(keyfile, NULL, NULL, NULL);
02744e811b15322c5f109827a116c33bfe3438b5wyllys * Check if this is the alt. format
02744e811b15322c5f109827a116c33bfe3438b5wyllys * RSA private key file.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys num_certs = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* num_certs should reference the size of kmf_cert */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the optional returned certificate list */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_cert = kmf_get_attr_ptr(KMF_X509_DER_CERT_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The dirpath attribute and the filename attribute can not be NULL
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * at the same time.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get optional search criteria attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* open all files in the directory and attempt to read them */
f482c776bc557f0256e776932c7842b9db390de1wyllys for (i = 0; i < loaded_certs; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If load succeeds, add certdata to the list */
f482c776bc557f0256e776932c7842b9db390de1wyllys for (i = 0; i < loaded_certs &&
b4058258308bb6a33809f15962013af85f890c36wyllys * If maxcerts < loaded_certs, clean up the
b4058258308bb6a33809f15962013af85f890c36wyllys * certs that were not used.
f482c776bc557f0256e776932c7842b9db390de1wyllys for (; i < loaded_certs; i++)
f482c776bc557f0256e776932c7842b9db390de1wyllys for (i = 0; i < loaded_certs; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = load_certs(kmfh, issuer, subject, serial, validity,
f482c776bc557f0256e776932c7842b9db390de1wyllys /* If maxcerts < loaded_certs, clean up */
f482c776bc557f0256e776932c7842b9db390de1wyllys for (; i < loaded_certs; i++)
f482c776bc557f0256e776932c7842b9db390de1wyllys for (i = 0; i < loaded_certs; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the cert data */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check the output filename and directory attributes. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys outfilename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check the optional format attribute */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If there is no format attribute, then default to PEM */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (format != KMF_FORMAT_ASN1 && format != KMF_FORMAT_PEM) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Store the certificate in the file with the specified format */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DeleteCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Get the DIRPATH and CERT_FILENAME attributes. They can not be
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * NULL at the same time.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get optional search criteria attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* open all files in the directory and attempt to read them */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Just try to load a single certificate */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_CREDENTIAL *cred, EVP_PKEY *pkey, boolean_t private)
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys /* same as ASN.1 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "storekey" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keytype is optional. KMF_RSA is default */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rsaexp = kmf_get_attr_ptr(KMF_RSAEXP_ATTR, attrlist, numattr);
a2d4930d8e20c711535bea8fe88a53eeba789d2dDan OpenSolaris Anderson /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* RSA Exponent is optional. Default is 0x10001 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keylen is optional, default is 1024 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* OpenSSL derives the public key from the private */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Make a copy for the public key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_ATTRIBUTE storeattrs[4]; /* max. 4 attributes needed */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Construct a new attribute arrray and call openssl_store_key
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmf_set_attr_at_index(storeattrs, i, KMF_PRIVKEY_HANDLE_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * Make sure the BN conversion is properly padded with 0x00
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * bytes. If not, signature verification for DSA signatures
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * may fail in the case where the bignum value does not use
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * all of the bits.
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersollfixbnlen(BIGNUM *bn, unsigned char *buf, int len) {
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll /* prepend with leading 0x00 if necessary */
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll * Return the desired length since we prepended it
2c9a247fb01631b3eb3b85a1127e72f0b60ae108Wyllys Ingersoll * with the necessary 0x00 padding.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysOpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Map the OID to an OpenSSL algorithm */
02744e811b15322c5f109827a116c33bfe3438b5wyllys if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) {
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else /* Bad algorithm */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * OpenSSL EVP_Sign operation automatically converts to
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * ASN.1 output so we do the operations separately so we
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * are assured of NOT getting ASN.1 output returned.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * KMF does not want ASN.1 encoded results because
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * not all mechanisms return ASN.1 encodings (PKCS#11
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and NSS return raw signature data).
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll /* Only sign first 20 bytes for SHA2 */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll output->Length = i = fixbnlen(dsasig->r, output->Data,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll output->Length += fixbnlen(dsasig->s, &output->Data[i],
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "destroy" is optional. Default is TRUE */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the file exists, make sure it is a proper key. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys char str[256]; /* OpenSSL needs at least 120 byte buffer */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ERR_error_string_n(kmfh->lasterr.errcode, str, sizeof (str));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *outbuf_p;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* copy cert data to outbuf */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys outbuf_p = outbuf; /* use a temp pointer; required by openssl */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys xcert = d2i_X509(NULL, (const uchar_t **)&outbuf_p, pcert->Length);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) X509_NAME_print_ex(mem, X509_get_issuer_name(xcert), 0,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) X509_NAME_print_ex(mem, X509_get_subject_name(xcert), 0,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys "RSA Public Key: (%d bit)\n",
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
70f9559bd0c02885d84a425eaafc8c280df10efbTheo Schlossnagle for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (len <= 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This is really just a FindKey operation, reuse the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * FindKey function.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < blocks; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This function will create a certid from issuer_cert and user_cert.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The caller should use OCSP_CERTID_free(OCSP_CERTID *) to deallocate
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * certid memory after use.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyscreate_certid(KMF_HANDLE_T handle, const KMF_DATA *issuer_cert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *ptmp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* convert the DER-encoded issuer cert to an internal X509 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* convert the DER-encoded user cert to an internal X509 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* create a CERTID */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys reqfile = kmf_get_attr_ptr(KMF_OCSP_REQUEST_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = create_certid(handle, issuer_cert, user_cert, &id);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Create an OCSP request */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Write the request to the output file with DER encoding */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * We don't need to free "id" explicitely, because OCSP_REQUEST_free()
a2d4930d8e20c711535bea8fe88a53eeba789d2dDan OpenSolaris Anderson * will also deallocate certid's space.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys/* ocsp_find_signer_sk() is copied from openssl source */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysstatic X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Easy if lookup by name */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (X509_find_by_subject(certs, id->value.byName));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Lookup by key hash */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If key hash isn't SHA1 length then forget it */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Calculate hash of each key and compare */
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Use pubkey_digest to get the key ID value */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (x);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys/* ocsp_find_signer() is copied from openssl source */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (2);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Maybe lookup from store if by subject name */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This function will verify the signature of a basic response, using
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the public key from the OCSP responder certificate.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllyscheck_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *ptmp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Find the certificate that signed the basic response.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If signer_cert is not NULL, we will use that as the signer cert.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Otherwise, we will check if the issuer cert is actually the signer.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If we still do not find a signer, we will look for it from the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * certificate list came with the response file.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Convert the issuer cert into X509 and push it into a
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * stack to be used by ocsp_find_signer().
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = ocsp_find_signer(&signer, bs, cert_stack, NULL, 0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* can not find the signer */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Verify the signature of the response */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (ret == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int *response_reason, *response_status, *cert_status;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys boolean_t ignore_response_sign = B_FALSE; /* default is FALSE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys response = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys response_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_STATUS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys response_reason = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_REASON_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Read in the response */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys derbio = BIO_new_mem_buf(response->Data, response->Length);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check the response status */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys printf("Successfully checked the response file status.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Extract basic response */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys printf("Successfully retrieved the basic response.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check the basic response signature if required */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_IGNORE_RESPONSE_SIGN_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys signer_cert = kmf_get_attr_ptr(KMF_SIGNER_CERT_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys printf("Successfully verified the response signature.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Create a certid for the certificate in question */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = create_certid(handle, issuer_cert, user_cert, &id);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys printf("successfully created a certid for the cert.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Find the index of the single response for the certid */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* cound not find this certificate in the response */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys printf("Successfully found the single response index for the cert.\n");
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Retrieve the single response and get the cert status */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys status = OCSP_single_get0_status(single, &reason, &rev, &thisupd,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else { /* revoked */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* resp. time is optional, so we don't care about the return code. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_RESPONSE_LIFETIME_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys#endif /* DEBUG */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the file is a recognized format,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * then it is NOT a symmetric key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If we don't know the encoding,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * it is probably a symmetric key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* it is okay to have "keys" contains NULL */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The caller may want a list of the raw key data as well.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Useful for importing keys from a file into other keystores.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* open all files in the directory and attempt to read them */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys while ((dp = readdir(dirp)) != NULL && n < maxkeys) {
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys else if (rv == KMF_ERR_KEY_NOT_FOUND && (*numkeys) > 0)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys return (0);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys return (1);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Convert cert from X509 struct to PKCS#12 bag */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Add the key id to the certificate bag. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (keyidlen > 0 && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Pile it on the bag_stack. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Turn bag_stack of certs into encrypted authsafe. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Put the shrouded key into a PKCS#12 bag. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Clean up the PKCS#8 shrouded key, don't need it now. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (label != NULL && !PKCS12_add_friendlyname(bag, label, label_len))
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Start a PKCS#12 safebag container for the private key. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Pile on the private key on the bag_stack. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) ==
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The original key must be freed once here or it leaks memory */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The original key must be freed once here or it leaks memory */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * OpenSSL in Solaris does not support EC for
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * legal reasons
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* wrong kind of key */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys attr->value.bmpstring = ASN1_STRING_type_new(V_ASN1_BMPSTRING);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys (void) ASN1_STRING_set(attr->value.bmpstring, rawkey->label,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * Search a list of private keys to find one that goes with the certificate.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysfind_matching_key(X509 *xcert, int numkeys, KMF_KEY_HANDLE *keylist)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (numkeys == 0 || keylist == NULL || xcert == NULL)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; i < numkeys; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Open the output file.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Start a PKCS#7 stack. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys unsigned int keyidlen = 0;
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Set alias attribute */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Check if there is a key corresponding to this cert */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If key is found, get fingerprint and create a
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Put the key safe into the Auth Safe */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* create a certificate safebag */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If only adding keys to the file.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; i < numkeys; i++) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Put the PKCS#7 stack into the PKCS#12 element. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (!PKCS12_pack_authsafes(p12_elem, authsafe_stack)) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Set the integrity MAC on the PKCS#12 element. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (!PKCS12_set_mac(p12_elem, cred->cred, cred->credlen,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Write the PKCS#12 element to the export file. */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Clear away the PKCS#7 stack, we're done with it. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_X509_DER_CERT *certlist, int numkeys, KMF_KEY_HANDLE *keylist,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys rv = local_export_pk12(handle, p12cred, numcerts, certlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_ExportPK12(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * First, find the certificate.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys certdata.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Now find the private key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys rv = fetch_key(handle, fullpath, KMF_ASYM_PRI, &key);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Open the output file.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys filename = kmf_get_attr_ptr(KMF_OUTPUT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Stick the key and the cert into a PKCS#12 file */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12cred = kmf_get_attr_ptr(KMF_PK12CRED_ATTR, attrlist, numattr);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys rv = local_export_pk12(handle, p12cred, 1, &certdata,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Helper function to extract keys and certificates from
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * a single PEM file. Typically the file should contain a
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * private key and an associated public key wrapped in an x509 cert.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * However, the file may be just a list of X509 certs with no keys.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CK_ULONG pinlen, EVP_PKEY **priv_key, KMF_DATA **certs,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys sizeof (X509_INFO *));
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (ncerts == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Make sure the private key matchs the last cert in the file.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (pkey != NULL && !X509_check_private_key(x, pkey)) {
a2d4930d8e20c711535bea8fe88a53eeba789d2dDan OpenSolaris Anderson certlist = (KMF_DATA *)calloc(ncerts, sizeof (KMF_DATA));
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Convert all of the certs to DER format.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; rv == KMF_OK && certs != NULL && i < ncerts; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = check_cert(info->x509, issuer, subject, serial, &match);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll for (j = 0; j < matchcerts; j++)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll for (i = 0; i < ncerts; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Cleanup the stack of X509 info records */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysopenssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysset_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0;
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CASE_ALIGN */
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllysopenssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (r == NULL) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * Set the ID and/or FriendlyName attributes on the key.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If converting to PKCS11 objects, these can translate to CKA_ID
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * and CKA_LABEL values.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (keyid != NULL && keyid->type == V_ASN1_OCTET_STRING) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Helper function to decrypt and parse PKCS#12 import file.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysextract_pkcs12(BIO *fbio, CK_UTF8CHAR *pin, CK_ULONG pinlen,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys STACK_OF(EVP_PKEY) **priv_key, STACK_OF(X509) **certs,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((pk12_tmp = d2i_PKCS12_bio(fbio, &pk12)) == NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* This is ok; it seems to mean there is no more to read. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ERR_GET_REASON(ERR_peek_error()) == ASN1_R_HEADER_TOO_LONG)
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys if (openssl_pkcs12_parse(pk12, (char *)pin, pkeylist, xcertlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Free the reference to this key, SSL will not actually free
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the memory until the refcount == 0, so this is safe.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Free the reference to this key, SSL will not actually free
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the memory until the refcount == 0, so this is safe.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int n = (*ncerts);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys list = (KMF_X509_DER_CERT *)malloc(sizeof (KMF_X509_DER_CERT));
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys rv = ssl_cert2KMFDATA(kmfh, sslcert, &cert.certificate);
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* Get the alias name for the cert if there is one */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys cert.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys int n = (*nkeys);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys list = (KMF_RAW_KEY_DATA *)malloc(sizeof (KMF_RAW_KEY_DATA));
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys return (a);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysconvertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Convert SSL key to raw key */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If friendlyName, add it to record.
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys attr = find_attr(pkey->attributes, NID_friendlyName);
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
70f9559bd0c02885d84a425eaafc8c280df10efbTheo Schlossnagle key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * If KeyID, add it to record as a KMF_DATA object.
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys (void) memcpy(key->id.Data, ty->value.octet_string->data,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Now add the certificate to the certlist */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Also add any included CA certs to the list */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * sk_X509_value() is macro that embeds a cast to (X509 *).
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Here it translates into ((X509 *)sk_value((ca), (i))).
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Lint is complaining about the embedded casting, and
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * to fix it, you need to fix openssl header files.
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Now add the ca cert to the certlist */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * auto-detect the file format, regardless of what
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the 'format' parameters in the params say.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* This function only works for PEM or PKCS#12 files */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys (uint32_t)cred->credlen, &privkeys, &certs, &cacerts);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Convert keys and certs to exportable format */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys rv = convertPK12Objects(kmfh, privkeys, certs, cacerts,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Reached end of import file? */
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys /* convert the certificate list here */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll kmfcerts = (KMF_X509_DER_CERT *)calloc(*ncerts,
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys for (i = 0; i < *ncerts; i++) {
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * Convert keys to exportable format, the certs
5b3e1433c6213363bcb6387e66fc84ee9ff21a5dwyllys * are already OK.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* create the 1st DES key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Create the 2nd DES key and make sure its value is different
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * from the 1st DES key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (memcmp((const void *) deskey1, (const void *) deskey2, 8)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Create the 3rd DES key and make sure its value is different
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * from the 2nd DES key.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (memcmp((const void *)deskey2, (const void *)deskey3, 8)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Concatenate 3 DES keys into a DES3 key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy((void *)newkey, (const void *)deskey1, 8);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy((void *)(newkey + 8), (const void *)deskey2, 8);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy((void *)(newkey + 16), (const void *)deskey3, 8);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys symkey = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keylength is not required for DES and 3DES */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If the requested file exists, return an error */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (keytype == KMF_AES || keytype == KMF_RC4 ||
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) write(fd, (const void *) rkey->keydata.val, rkey->keydata.len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Check a file to see if it is a CRL file with PEM or DER format.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If success, return its format in the "pformat" argument.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_IsCRLFile(KMF_HANDLE_T handle, char *filename, int *pformat)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((xcrl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)) != NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Now try to read it as raw DER data.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_RAW_SYM_KEY *rawkey = (KMF_RAW_SYM_KEY *)symkey->keyp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy(rkey->keydata.val, rawkey->keydata.val,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_read_input_file(handle, symkey->keylabel, &keyvalue);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * substitute for the unsafe access(2) function.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the file in question already exists, return 1.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * else 0. If an error occurs during testing (other
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * than EEXIST), return -1.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Try to create the file with the EXCL flag.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The call should fail if the file exists.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (-1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The file did NOT exist. Delete the testcase. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys return (0);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys prikey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Exactly 1 type of key must be passed to this function.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyfile = (char *)kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Once we have the full path, we don't need the pieces */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the requested file exists, return an error */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* format is optional. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* CRED is not required for OpenSSL files */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Store the private key to the keyfile */
73cc0e021f4115db3085cd78083c42c8be4559e3wyllys rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_ImportCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys char *certfile, *dirpath, *crlfile, *incrl, *outcrl, *outcrlfile;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* CRL check is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_CRL_CHECK_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys incrl = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys outcrl = kmf_get_attr_ptr(KMF_CRL_OUTFILE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If bypasscheck is specified, no need to verify. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Read in the CA cert file and convert to X509 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Now get the public key from the CA cert */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Verify the CRL with the CA's public key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_ListCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crldata = (char **)kmf_get_attr_ptr(KMF_CRL_DATA_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (len <= 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_DeleteCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Read the CRL file and load it into a X509_CRL structure */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Read the Certificate file and load it into a X509 structure */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check if the certificate and the CRL have same issuer */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check to see if the certificate serial number is revoked */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* No revoked certificates in the CRL file */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
d7141854234c22ab8fe0547bf51a2f3a30781870Robert Mustacchi /* LINTED E_BAD_PTR_CAST_ALIGN */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_VerifyCRLFile(KMF_HANDLE_T handle, char *crlname, KMF_DATA *tacert)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *p;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || crlname == NULL || tacert == NULL) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get issuer certificate public key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Verify CRL signature */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysOpenSSL_CheckCRLDate(KMF_HANDLE_T handle, char *crlname)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (i >= 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (i <= 0) {