2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A *
2N/A * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#include <stdio.h>
2N/A#include <link.h>
2N/A#include <fcntl.h>
2N/A#include <ctype.h>
2N/A#include <sys/param.h>
2N/A#include <sys/types.h>
2N/A#include <sys/stat.h>
2N/A#include <errno.h>
2N/A#include <sys/socket.h>
2N/A#include <netinet/in.h>
2N/A#include <arpa/inet.h>
2N/A#include <ber_der.h>
2N/A#include <kmfapiP.h>
2N/A#include <libgen.h>
2N/A#include <cryptoutil.h>
2N/A
2N/AKMF_RETURN
2N/Acopy_data(KMF_DATA *dst, KMF_DATA *src)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A
2N/A if (dst == NULL || src == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (src->Length == 0) {
2N/A dst->Length = 0;
2N/A dst->Data = NULL;
2N/A src->Data = NULL;
2N/A return (ret);
2N/A }
2N/A
2N/A dst->Data = malloc(src->Length);
2N/A if (dst->Data == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A dst->Length = src->Length;
2N/A (void) memcpy(dst->Data, src->Data, src->Length);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Acopy_extension_data(KMF_X509_EXTENSION *dstext,
2N/A KMF_X509_EXTENSION *srcext)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A
2N/A if (dstext == NULL || srcext == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(dstext, 0, sizeof (KMF_X509_EXTENSION));
2N/A
2N/A ret = copy_data(&dstext->extnId, &srcext->extnId);
2N/A if (ret != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A dstext->extnId.Length = srcext->extnId.Length;
2N/A dstext->critical = srcext->critical;
2N/A dstext->format = srcext->format;
2N/A
2N/A ret = copy_data(&dstext->BERvalue, &srcext->BERvalue);
2N/A if (ret != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A dstext->value.tagAndValue = malloc(sizeof (KMF_X509EXT_TAGandVALUE));
2N/A if (dstext->value.tagAndValue == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto cleanup;
2N/A }
2N/A (void) memset(dstext->value.tagAndValue, 0,
2N/A sizeof (KMF_X509EXT_TAGandVALUE));
2N/A
2N/A ret = copy_data(&dstext->value.tagAndValue->value,
2N/A &srcext->value.tagAndValue->value);
2N/A if (ret != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A dstext->value.tagAndValue->type = srcext->value.tagAndValue->type;
2N/A
2N/Acleanup:
2N/A if (ret != KMF_OK) {
2N/A if (dstext->extnId.Data != NULL)
2N/A kmf_free_data(&dstext->extnId);
2N/A
2N/A if (dstext->BERvalue.Data != NULL)
2N/A kmf_free_data(&dstext->BERvalue);
2N/A
2N/A if (dstext->value.tagAndValue->value.Data == NULL)
2N/A kmf_free_data(&dstext->value.tagAndValue->value);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * Given a block of DER encoded X.509 certificate data and
2N/A * an OID for the desired extension, this routine will
2N/A * parse the cert data and return the data associated with
2N/A * the extension if it is found.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - if extension found and copied OK.
2N/A * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
2N/A * parsing and memory allocation errors are also possible.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_extn(const KMF_DATA *certdata,
2N/A KMF_OID *extoid, KMF_X509_EXTENSION *extdata)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_CERTIFICATE *cert = NULL;
2N/A KMF_X509_EXTENSION *eptr = NULL;
2N/A int i, found = 0;
2N/A
2N/A if (certdata == NULL || extoid == NULL || extdata == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = DerDecodeSignedCertificate(certdata, &cert);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (cert->certificate.extensions.numberOfExtensions == 0) {
2N/A goto end;
2N/A }
2N/A
2N/A (void) memset((void *)extdata, 0, sizeof (KMF_X509_EXTENSION));
2N/A for (i = 0; !found &&
2N/A i < cert->certificate.extensions.numberOfExtensions;
2N/A i++) {
2N/A eptr = &cert->certificate.extensions.extensions[i];
2N/A if (IsEqualOid(extoid, &eptr->extnId)) {
2N/A ret = copy_extension_data(extdata, eptr);
2N/A found++;
2N/A }
2N/A }
2N/Aend:
2N/A if (!found)
2N/A ret = KMF_ERR_EXTENSION_NOT_FOUND;
2N/A
2N/A if (cert != NULL) {
2N/A kmf_free_signed_cert(cert);
2N/A free(cert);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * Given a block of DER encoded X.509 certificate data and
2N/A * a "crit/non-crit/all" flag, search the extensions and
2N/A * return the OIDs for critical, non-critical or all extensions.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - if extension found and copied OK.
2N/A * parsing and memory allocation errors are also possible.
2N/A *
2N/A * OIDlist - array of KMF_OID records, allocated
2N/A * by this function.
2N/A * NumOIDs - number of critical extensions found.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_extns(const KMF_DATA *certdata, KMF_FLAG_CERT_EXTN flag,
2N/A KMF_X509_EXTENSION **extlist, int *nextns)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_CERTIFICATE *cert;
2N/A KMF_X509_EXTENSION *eptr, *elist;
2N/A int i;
2N/A
2N/A if (certdata == NULL || extlist == NULL || nextns == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (flag < KMF_ALL_EXTNS || flag > KMF_NONCRITICAL_EXTNS)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A *nextns = 0;
2N/A *extlist = elist = NULL;
2N/A ret = DerDecodeSignedCertificate(certdata, &cert);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (cert->certificate.extensions.numberOfExtensions == 0)
2N/A return (KMF_ERR_EXTENSION_NOT_FOUND);
2N/A
2N/A for (i = 0; i < cert->certificate.extensions.numberOfExtensions;
2N/A i++) {
2N/A eptr = &cert->certificate.extensions.extensions[i];
2N/A
2N/A if (flag == KMF_CRITICAL_EXTNS && eptr->critical == 0)
2N/A continue;
2N/A else if (flag == KMF_NONCRITICAL_EXTNS && eptr->critical != 0)
2N/A continue;
2N/A
2N/A (*nextns)++;
2N/A elist = realloc(elist, sizeof (KMF_X509_EXTENSION) *
2N/A (*nextns));
2N/A if (elist == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A ret = copy_extension_data(&elist[(*nextns) - 1], eptr);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A }
2N/A
2N/Aend:
2N/A kmf_free_signed_cert(cert);
2N/A free(cert);
2N/A if (ret != KMF_OK) {
2N/A if (elist != NULL) {
2N/A free(elist);
2N/A elist = NULL;
2N/A }
2N/A *nextns = 0;
2N/A }
2N/A
2N/A /*
2N/A * If the flag is not all, then it is possible that we did not find
2N/A * any critical or non_critical extensions. When that happened,
2N/A * return KMF_ERR_EXTENSION_NOT_FOUND.
2N/A */
2N/A if (flag != KMF_ALL_EXTNS && ret == KMF_OK && *nextns == 0)
2N/A ret = KMF_ERR_EXTENSION_NOT_FOUND;
2N/A
2N/A *extlist = elist;
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * If the given certificate data (X.509 DER encoded data)
2N/A * contains the Key Usage extension, parse that
2N/A * data and return it in the KMF_X509EXT_BASICCONSTRAINTS
2N/A * record.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - success
2N/A * KMF_ERR_BAD_PARAMETER - input data was bad.
2N/A * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_ku(const KMF_DATA *certdata,
2N/A KMF_X509EXT_KEY_USAGE *keyusage)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A
2N/A if (certdata == NULL || keyusage == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (extn));
2N/A /*
2N/A * Check standard KeyUsage bits
2N/A */
2N/A ret = kmf_get_cert_extn(certdata, (KMF_OID *)&KMFOID_KeyUsage, &extn);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto end;
2N/A }
2N/A keyusage->critical = (extn.critical != 0);
2N/A if (extn.value.tagAndValue->value.Length > 1) {
2N/A keyusage->KeyUsageBits =
2N/A extn.value.tagAndValue->value.Data[1] << 8;
2N/A } else {
2N/A keyusage->KeyUsageBits = extn.value.tagAndValue->value.Data[0];
2N/A }
2N/Aend:
2N/A kmf_free_extn(&extn);
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_BOOL
2N/Ais_eku_present(KMF_X509EXT_EKU *ekuptr, KMF_OID *ekuoid)
2N/A{
2N/A int i;
2N/A
2N/A if (ekuptr == NULL || ekuoid == NULL)
2N/A return (0);
2N/A
2N/A for (i = 0; i < ekuptr->nEKUs; i++)
2N/A if (IsEqualOid(&ekuptr->keyPurposeIdList[i], ekuoid))
2N/A return (1);
2N/A
2N/A return (0);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Aparse_eku_data(const KMF_DATA *asn1data, KMF_X509EXT_EKU *ekuptr)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A BerElement *asn1 = NULL;
2N/A BerValue exdata;
2N/A KMF_OID oid;
2N/A char *end = NULL;
2N/A ber_len_t size;
2N/A
2N/A /*
2N/A * Decode the ASN.1 data for the extension.
2N/A */
2N/A exdata.bv_val = (char *)asn1data->Data;
2N/A exdata.bv_len = asn1data->Length;
2N/A
2N/A if ((asn1 = kmfder_init(&exdata)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
2N/A */
2N/A if (kmfber_first_element(asn1, &size, &end) != BER_OBJECT_IDENTIFIER) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * Count the number of EKU OIDs and store in
2N/A * the array.
2N/A */
2N/A while (kmfber_next_element(asn1, &size, end) ==
2N/A BER_OBJECT_IDENTIFIER) {
2N/A
2N/A /* Skip over the CONSTRUCTED SET tag */
2N/A if (kmfber_scanf(asn1, "D", &oid) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A ekuptr->nEKUs++;
2N/A ekuptr->keyPurposeIdList = realloc(ekuptr->keyPurposeIdList,
2N/A ekuptr->nEKUs * sizeof (KMF_OID));
2N/A if (ekuptr->keyPurposeIdList == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A ekuptr->keyPurposeIdList[ekuptr->nEKUs - 1] = oid;
2N/A }
2N/A
2N/Aend:
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A if (ret != KMF_OK) {
2N/A if (ekuptr->keyPurposeIdList != NULL) {
2N/A free_keyidlist(ekuptr->keyPurposeIdList, ekuptr->nEKUs);
2N/A ekuptr->keyPurposeIdList = NULL;
2N/A ekuptr->critical = 0;
2N/A }
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_eku(const KMF_DATA *certdata,
2N/A KMF_X509EXT_EKU *ekuptr)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A
2N/A if (certdata == NULL || ekuptr == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
2N/A
2N/A ekuptr->nEKUs = 0;
2N/A ekuptr->keyPurposeIdList = NULL;
2N/A ekuptr->critical = 0;
2N/A
2N/A ret = kmf_get_cert_extn(certdata,
2N/A (KMF_OID *)&KMFOID_ExtendedKeyUsage, &extn);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto end;
2N/A }
2N/A
2N/A ret = parse_eku_data(&extn.BERvalue, ekuptr);
2N/A
2N/Aend:
2N/A kmf_free_extn(&extn);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * If the given certificate data (X.509 DER encoded data)
2N/A * contains the Basic Constraints extension, parse that
2N/A * data and return it in the KMF_X509EXT_BASICCONSTRAINTS
2N/A * record.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - success
2N/A * KMF_ERR_BAD_PARAMETER - input data was bad.
2N/A * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_basic_constraint(const KMF_DATA *certdata,
2N/A KMF_BOOL *critical, KMF_X509EXT_BASICCONSTRAINTS *constraint)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue exdata;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A int tag;
2N/A
2N/A if (certdata == NULL || constraint == NULL || critical == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
2N/A ret = kmf_get_cert_extn(certdata,
2N/A (KMF_OID *)&KMFOID_BasicConstraints, &extn);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto end;
2N/A }
2N/A
2N/A *critical = (extn.critical != 0);
2N/A
2N/A exdata.bv_val = (char *)extn.value.tagAndValue->value.Data;
2N/A exdata.bv_len = extn.value.tagAndValue->value.Length;
2N/A
2N/A if ((asn1 = kmfder_init(&exdata)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A if (kmfber_scanf(asn1, "b", &constraint->cA) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A constraint->pathLenConstraintPresent = KMF_FALSE;
2N/A
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A if (tag == BER_INTEGER) {
2N/A if (kmfber_scanf(asn1, "i",
2N/A &constraint->pathLenConstraint) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A constraint->pathLenConstraintPresent = KMF_TRUE;
2N/A }
2N/Aend:
2N/A kmf_free_extn(&extn);
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic KMF_X509EXT_POLICYQUALIFIERINFO *
2N/Aget_pqinfo(BerElement *asn1)
2N/A{
2N/A KMF_X509EXT_POLICYQUALIFIERINFO *pqinfo = NULL;
2N/A KMF_RETURN ret = KMF_OK;
2N/A int tag;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A
2N/A /*
2N/A * Policy Qualifiers may be a list of sequences.
2N/A *
2N/A * PolicyInformation ::= SEQUENCE {
2N/A * policyIdentifier CertPolicyId,
2N/A * policyQualifiers SEQUENCE SIZE (1..MAX) OF
2N/A * PolicyQualifierInfo OPTIONAL
2N/A * }
2N/A *
2N/A * PolicyQualifierInfo ::= SEQUENCE {
2N/A * policyQualifierId PolicyQualifierId,
2N/A * qualifier ANY DEFINED BY policyQualifierId
2N/A * }
2N/A */
2N/A
2N/A
2N/A /*
2N/A * We already got the CertPolicyId, we just need to
2N/A * find all of the policyQualifiers in the set.
2N/A *
2N/A * Mark the first element of the SEQUENCE and reset the end ptr
2N/A * so the ber/der code knows when to stop looking.
2N/A */
2N/A if ((tag = kmfber_first_element(asn1, &size, &end)) !=
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /* We found a sequence, loop until done */
2N/A while ((tag = kmfber_next_element(asn1, &size, end)) ==
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A
2N/A /* Skip over the CONSTRUCTED SET tag */
2N/A if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /*
2N/A * Allocate memory for the Policy Qualifier Info
2N/A */
2N/A pqinfo = malloc(sizeof (KMF_X509EXT_POLICYQUALIFIERINFO));
2N/A if (pqinfo == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A (void) memset((void *)pqinfo, 0,
2N/A sizeof (KMF_X509EXT_POLICYQUALIFIERINFO));
2N/A /*
2N/A * Read the PolicyQualifier OID
2N/A */
2N/A if (kmfber_scanf(asn1, "D",
2N/A &pqinfo->policyQualifierId) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /*
2N/A * The OID of the policyQualifierId determines what
2N/A * sort of data comes next.
2N/A */
2N/A if (IsEqualOid(&pqinfo->policyQualifierId,
2N/A (KMF_OID *)&KMFOID_PKIX_PQ_CPSuri)) {
2N/A /*
2N/A * CPS uri must be an IA5STRING
2N/A */
2N/A if (kmfber_scanf(asn1, "tl", &tag, &size) ==
2N/A KMFBER_DEFAULT || tag != BER_IA5STRING ||
2N/A size == 0) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A if ((pqinfo->value.Data = malloc(size)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A if (kmfber_scanf(asn1, "s", pqinfo->value.Data,
2N/A &pqinfo->value.Length) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A } else if (IsEqualOid(&pqinfo->policyQualifierId,
2N/A (KMF_OID *)&KMFOID_PKIX_PQ_Unotice)) {
2N/A if (kmfber_scanf(asn1, "tl", &tag, &size) ==
2N/A KMFBER_DEFAULT ||
2N/A tag != BER_CONSTRUCTED_SEQUENCE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /*
2N/A * For now, just copy the while UserNotice ASN.1
2N/A * blob into the pqinfo data record.
2N/A * TBD - parse it into individual fields.
2N/A */
2N/A if ((pqinfo->value.Data = malloc(size)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A if (kmfber_scanf(asn1, "s", pqinfo->value.Data,
2N/A &pqinfo->value.Length) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A } else {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A }
2N/Aend:
2N/A if (ret != KMF_OK) {
2N/A if (pqinfo != NULL) {
2N/A kmf_free_data(&pqinfo->value);
2N/A kmf_free_data(&pqinfo->policyQualifierId);
2N/A free(pqinfo);
2N/A pqinfo = NULL;
2N/A }
2N/A }
2N/A return (pqinfo);
2N/A}
2N/A
2N/A/*
2N/A * If the given certificate data (X.509 DER encoded data)
2N/A * contains the Certificate Policies extension, parse that
2N/A * data and return it in the KMF_X509EXT_CERT_POLICIES
2N/A * record.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - success
2N/A * KMF_ERR_BAD_PARAMETER - input data was bad.
2N/A * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
2N/A * parsing and memory allocation errors are also possible.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_policies(const KMF_DATA *certdata,
2N/A KMF_BOOL *critical, KMF_X509EXT_CERT_POLICIES *extptr)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A KMF_X509EXT_POLICYINFO *pinfo;
2N/A KMF_X509EXT_POLICYQUALIFIERINFO *pqinfo;
2N/A BerElement *asn1 = NULL;
2N/A BerValue exdata;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A int tag;
2N/A
2N/A if (certdata == NULL || critical == NULL || extptr == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (extn));
2N/A ret = kmf_get_cert_extn(certdata,
2N/A (KMF_OID *)&KMFOID_CertificatePolicies, &extn);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto end;
2N/A }
2N/A
2N/A *critical = (extn.critical != 0);
2N/A
2N/A /*
2N/A * Decode the ASN.1 data for the extension.
2N/A */
2N/A exdata.bv_val = (char *)extn.BERvalue.Data;
2N/A exdata.bv_len = extn.BERvalue.Length;
2N/A
2N/A (void) memset((void *)extptr, 0, sizeof (KMF_X509EXT_CERT_POLICIES));
2N/A
2N/A if ((asn1 = kmfder_init(&exdata)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
2N/A */
2N/A if ((tag = kmfber_first_element(asn1, &size, &end)) !=
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * Collect all of the PolicyInformation SEQUENCES
2N/A *
2N/A * PolicyInformation ::= SEQUENCE {
2N/A * policyIdentifier CertPolicyId,
2N/A * policyQualifiers SEQUENCE SIZE (1..MAX) OF
2N/A * PolicyQualifierInfo OPTIONAL
2N/A * }
2N/A *
2N/A * Loop over the SEQUENCES of PolicyInfo
2N/A */
2N/A while ((tag = kmfber_next_element(asn1, &size, end)) ==
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A
2N/A /* Skip over the CONSTRUCTED SET tag */
2N/A if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A pinfo = malloc(sizeof (KMF_X509EXT_POLICYINFO));
2N/A if (pinfo == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A (void) memset((void *)pinfo, 0,
2N/A sizeof (KMF_X509EXT_POLICYINFO));
2N/A /*
2N/A * Decode the PolicyInformation SEQUENCE
2N/A */
2N/A if ((tag = kmfber_scanf(asn1, "D",
2N/A &pinfo->policyIdentifier)) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /*
2N/A * Gather all of the associated PolicyQualifierInfo recs
2N/A */
2N/A pqinfo = get_pqinfo(asn1);
2N/A if (pqinfo != NULL) {
2N/A int cnt =
2N/A pinfo->policyQualifiers.numberOfPolicyQualifiers;
2N/A cnt++;
2N/A pinfo->policyQualifiers.policyQualifier = realloc(
2N/A pinfo->policyQualifiers.policyQualifier,
2N/A cnt * sizeof (KMF_X509EXT_POLICYQUALIFIERINFO));
2N/A if (pinfo->policyQualifiers.policyQualifier == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A pinfo->policyQualifiers.numberOfPolicyQualifiers = cnt;
2N/A pinfo->policyQualifiers.policyQualifier[cnt-1] =
2N/A *pqinfo;
2N/A
2N/A free(pqinfo);
2N/A }
2N/A extptr->numberOfPolicyInfo++;
2N/A extptr->policyInfo = realloc(extptr->policyInfo,
2N/A extptr->numberOfPolicyInfo *
2N/A sizeof (KMF_X509EXT_POLICYINFO));
2N/A if (extptr->policyInfo == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A extptr->policyInfo[extptr->numberOfPolicyInfo-1] = *pinfo;
2N/A free(pinfo);
2N/A }
2N/A
2N/A
2N/Aend:
2N/A kmf_free_extn(&extn);
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * If the given certificate data (X.509 DER encoded data)
2N/A * contains the Authority Information Access extension, parse that
2N/A * data and return it in the KMF_X509EXT_AUTHINFOACCESS
2N/A * record.
2N/A *
2N/A * RETURNS:
2N/A * KMF_OK - success
2N/A * KMF_ERR_BAD_PARAMETER - input data was bad.
2N/A * KMF_ERR_EXTENSION_NOT_FOUND - extension not found.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_auth_info_access(const KMF_DATA *certdata,
2N/A KMF_X509EXT_AUTHINFOACCESS *aia)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue exdata;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A int tag;
2N/A KMF_X509EXT_ACCESSDESC *access_info = NULL;
2N/A
2N/A if (certdata == NULL || aia == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
2N/A ret = kmf_get_cert_extn(certdata,
2N/A (KMF_OID *)&KMFOID_AuthorityInfoAccess, &extn);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * Decode the ASN.1 data for the extension.
2N/A */
2N/A exdata.bv_val = (char *)extn.BERvalue.Data;
2N/A exdata.bv_len = extn.BERvalue.Length;
2N/A
2N/A (void) memset((void *)aia, 0, sizeof (KMF_X509EXT_AUTHINFOACCESS));
2N/A
2N/A if ((asn1 = kmfder_init(&exdata)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * AuthorityInfoAccessSyntax ::=
2N/A * SEQUENCE SIZE (1..MAX) OF AccessDescription
2N/A */
2N/A if ((tag = kmfber_first_element(asn1, &size, &end)) !=
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * AccessDescription ::= SEQUENCE {
2N/A * accessMethod OBJECT IDENTIFIER,
2N/A * accessLocation GeneralName }
2N/A */
2N/A while ((tag = kmfber_next_element(asn1, &size, end)) ==
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A
2N/A /* Skip over the CONSTRUCTED SET tag */
2N/A if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A access_info = malloc(sizeof (KMF_X509EXT_ACCESSDESC));
2N/A if (access_info == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A (void) memset((void *)access_info, 0,
2N/A sizeof (KMF_X509EXT_ACCESSDESC));
2N/A
2N/A /*
2N/A * Read the AccessMethod OID
2N/A */
2N/A if (kmfber_scanf(asn1, "D",
2N/A &access_info->AccessMethod) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * The OID of the AccessMethod determines what
2N/A * sort of data comes next.
2N/A */
2N/A if (IsEqualOid(&access_info->AccessMethod,
2N/A (KMF_OID *)&KMFOID_PkixAdOcsp)) {
2N/A if (kmfber_scanf(asn1, "tl", &tag, &size) ==
2N/A KMFBER_DEFAULT || size == 0) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A /*
2N/A * OCSP uri must be an IA5STRING or a GENNAME_URI
2N/A * with an implicit tag.
2N/A */
2N/A if (tag != BER_IA5STRING &&
2N/A tag != (0x80 | GENNAME_URI)) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A if ((access_info->AccessLocation.Data =
2N/A malloc(size)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A if (kmfber_scanf(asn1, "s",
2N/A access_info->AccessLocation.Data,
2N/A &access_info->AccessLocation.Length) ==
2N/A KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A } else if (IsEqualOid(&access_info->AccessMethod,
2N/A (KMF_OID *)&KMFOID_PkixAdCaIssuers)) {
2N/A /* will be supported later with PKIX */
2N/A free(access_info);
2N/A access_info = NULL;
2N/A continue;
2N/A } else {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A aia->numberOfAccessDescription++;
2N/A aia->AccessDesc = realloc(aia->AccessDesc,
2N/A aia->numberOfAccessDescription *
2N/A sizeof (KMF_X509EXT_ACCESSDESC));
2N/A
2N/A if (aia->AccessDesc == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A aia->AccessDesc[aia->numberOfAccessDescription-1] =
2N/A *access_info;
2N/A free(access_info);
2N/A access_info = NULL;
2N/A }
2N/A
2N/Aend:
2N/A kmf_free_extn(&extn);
2N/A if (access_info != NULL)
2N/A free(access_info);
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A return (ret);
2N/A
2N/A}
2N/A
2N/A/*
2N/A * This function parses the name portion of a der-encoded distribution point
2N/A * returns it in the KMF_CRL_DIST_POINT record.
2N/A *
2N/A * The "DistributionPointName" syntax is
2N/A *
2N/A * DistributionPointName ::= CHOICE {
2N/A * fullName [0] GeneralNames,
2N/A * nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
2N/A *
2N/A * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GerneralName
2N/A *
2N/A * Note: for phase 1, we support fullName only.
2N/A */
2N/Astatic KMF_RETURN
2N/Aparse_dp_name(char *dp_der_code, int dp_der_size, KMF_CRL_DIST_POINT *dp)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A char *url = NULL;
2N/A BerElement *asn1 = NULL;
2N/A BerValue ber_data;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A int tag;
2N/A KMF_GENERALNAMES *fullname;
2N/A
2N/A if (dp_der_code == NULL || dp_der_size == 0 || dp == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ber_data.bv_val = dp_der_code;
2N/A ber_data.bv_len = dp_der_size;
2N/A if ((asn1 = kmfder_init(&ber_data)) == NULL)
2N/A return (KMF_ERR_BAD_CERT_FORMAT);
2N/A
2N/A tag = kmfber_first_element(asn1, &size, &end);
2N/A if (tag != 0xA0 && tag != 0xA1) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A if (tag == 0xA0) { /* fullName */
2N/A dp->type = DP_GENERAL_NAME;
2N/A
2N/A fullname = &(dp->name.full_name);
2N/A fullname->number = 0;
2N/A
2N/A /* Skip over the explicit tag and size */
2N/A (void) kmfber_scanf(asn1, "T", &tag);
2N/A
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A while (tag != KMFBER_DEFAULT &&
2N/A tag != KMFBER_END_OF_SEQORSET) {
2N/A
2N/A if (kmfber_scanf(asn1, "tl", &tag, &size) ==
2N/A KMFBER_DEFAULT || size == 0) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A /* For phase 1, we are interested in a URI name only */
2N/A if (tag != (0x80 | GENNAME_URI)) {
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A continue;
2N/A }
2N/A
2N/A if ((url = malloc(size)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A /* Skip type and len, then read url and save it. */
2N/A if (kmfber_read(asn1, url, 2) != 2) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_read(asn1, url, size) !=
2N/A (ber_slen_t)size) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A fullname->number++;
2N/A fullname->namelist = realloc(fullname->namelist,
2N/A fullname->number * sizeof (KMF_GENERALNAME));
2N/A if (fullname->namelist == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A fullname->namelist[fullname->number - 1].choice =
2N/A GENNAME_URI;
2N/A fullname->namelist[fullname->number - 1].name.Length =
2N/A size;
2N/A fullname->namelist[fullname->number - 1].name.Data =
2N/A (unsigned char *)url;
2N/A
2N/A /* next */
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A }
2N/A
2N/A } else if (tag == 0xA1) {
2N/A /* "nameRelativeToCRLIssuer" is not supported at phase 1. */
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/Aout:
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A if (ret != KMF_OK) {
2N/A free_dp_name(dp);
2N/A }
2N/A
2N/A if (ret == KMF_OK && fullname->number == 0) {
2N/A ret = KMF_ERR_EXTENSION_NOT_FOUND;
2N/A if (url != NULL)
2N/A free(url);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * This function retrieves the CRL Distribution Points extension data from
2N/A * a DER encoded certificate if it contains this extension, parses the
2N/A * extension data, and returns it in the KMF_X509EXT_CRLDISTPOINTS record.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_crl_dist_pts(const KMF_DATA *certdata,
2N/A KMF_X509EXT_CRLDISTPOINTS *crl_dps)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue exdata;
2N/A ber_len_t size;
2N/A char *end = NULL;
2N/A int tag;
2N/A KMF_CRL_DIST_POINT *dp = NULL;
2N/A int i;
2N/A
2N/A if (certdata == NULL || crl_dps == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /* Get the ASN.1 data for this extension. */
2N/A (void) memset(&extn, 0, sizeof (KMF_X509_EXTENSION));
2N/A ret = kmf_get_cert_extn(certdata,
2N/A (KMF_OID *)&KMFOID_CrlDistributionPoints, &extn);
2N/A if (ret != KMF_OK) {
2N/A return (ret);
2N/A }
2N/A
2N/A /*
2N/A * Decode the CRLDistributionPoints ASN.1 data. The Syntax for
2N/A * CRLDistributionPoints is
2N/A *
2N/A * CRLDistributionPoints ::=
2N/A * SEQUENCE SIZE (1..MAX) OF DistributionPoint
2N/A *
2N/A * DistributionPoint ::= SEQUENCE {
2N/A * distributionPoint [0] DistributionPointName OPTIONAL,
2N/A * reasons [1] ReasonFlags OPTIONAL,
2N/A * cRLIssuer [2] GeneralNames OPTIONAL }
2N/A */
2N/A
2N/A exdata.bv_val = (char *)extn.BERvalue.Data;
2N/A exdata.bv_len = extn.BERvalue.Length;
2N/A if ((asn1 = kmfder_init(&exdata)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A if ((tag = kmfber_first_element(asn1, &size, &end)) !=
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A (void) memset((void *)crl_dps, 0, sizeof (KMF_X509EXT_CRLDISTPOINTS));
2N/A
2N/A while ((tag = kmfber_next_element(asn1, &size, end)) ==
2N/A BER_CONSTRUCTED_SEQUENCE) {
2N/A boolean_t has_name = B_FALSE;
2N/A boolean_t has_issuer = B_FALSE;
2N/A
2N/A /* Skip over the CONSTRUCTED SET tag */
2N/A if (kmfber_scanf(asn1, "T", &tag) == KMFBER_DEFAULT) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A if (tag != 0xA0 && tag != 0xA1 && tag != 0xA2)
2N/A goto out;
2N/A
2N/A if ((dp = malloc(sizeof (KMF_CRL_DIST_POINT))) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A (void) memset((void *)dp, 0, sizeof (KMF_CRL_DIST_POINT));
2N/A
2N/A if (tag == 0xA0) { /* distributionPoint Name */
2N/A char *name_der;
2N/A int name_size = size + 2;
2N/A
2N/A if ((name_der = malloc(name_size)) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_read(asn1, name_der, name_size) !=
2N/A (ber_slen_t)(name_size)) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A free(name_der);
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A has_name = B_TRUE;
2N/A
2N/A ret = parse_dp_name(name_der, name_size, dp);
2N/A free(name_der);
2N/A if (ret != KMF_OK) {
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A /* next field */
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A }
2N/A
2N/A if (tag == 0XA1) { /* reasons */
2N/A char *bit_string;
2N/A int len;
2N/A
2N/A if (kmfber_scanf(asn1, "B", &bit_string, &len) !=
2N/A BER_BIT_STRING) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A dp->reasons.Length = len / 8;
2N/A if ((dp->reasons.Data = malloc(dp->reasons.Length)) ==
2N/A NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A (void) memcpy(dp->reasons.Data, (uchar_t *)bit_string,
2N/A dp->reasons.Length);
2N/A
2N/A /* next field */
2N/A tag = kmfber_next_element(asn1, &size, end);
2N/A }
2N/A
2N/A if (tag == 0XA2) { /* cRLIssuer */
2N/A char *issuer_der = NULL;
2N/A int issuer_size;
2N/A
2N/A /* For cRLIssuer, read the data only at phase 1 */
2N/A issuer_size = size + 2;
2N/A issuer_der = malloc(issuer_size);
2N/A if (issuer_der == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_read(asn1, issuer_der, issuer_size) !=
2N/A (ber_slen_t)(issuer_size)) {
2N/A free(issuer_der);
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A has_issuer = B_TRUE;
2N/A free(issuer_der);
2N/A }
2N/A
2N/A /* A distribution point cannot have a "reasons" field only. */
2N/A if (has_name == B_FALSE && has_issuer == B_FALSE) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A free_dp(dp);
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A
2N/A /*
2N/A * Although it is legal that a distribution point contains
2N/A * a cRLIssuer field only, with or without "reasons", we will
2N/A * skip it if the name field is not presented for phase 1.
2N/A */
2N/A if (has_name == B_FALSE) {
2N/A free_dp(dp);
2N/A } else {
2N/A crl_dps->number++;
2N/A crl_dps->dplist = realloc(crl_dps->dplist,
2N/A crl_dps->number * sizeof (KMF_CRL_DIST_POINT));
2N/A if (crl_dps->dplist == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A free_dp(dp);
2N/A free(dp);
2N/A dp = NULL;
2N/A goto out;
2N/A }
2N/A crl_dps->dplist[crl_dps->number - 1] = *dp;
2N/A /* free the dp itself since we just used its contents */
2N/A }
2N/A if (dp != NULL) {
2N/A free(dp);
2N/A dp = NULL;
2N/A }
2N/A }
2N/A
2N/Aout:
2N/A kmf_free_extn(&extn);
2N/A
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A if (ret != KMF_OK) {
2N/A for (i = 0; i < crl_dps->number; i++)
2N/A free_dp(&(crl_dps->dplist[i]));
2N/A free(crl_dps->dplist);
2N/A }
2N/A
2N/A if (ret == KMF_OK && crl_dps->number == 0) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AKMF_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A KMF_PRINTABLE_ITEM flag, char *resultStr)
2N/A{
2N/A KMF_PLUGIN *plugin;
2N/A KMF_RETURN (*getPrintableFn)(void *, const KMF_DATA *,
2N/A KMF_PRINTABLE_ITEM, char *);
2N/A KMF_RETURN ret;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || resultStr == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /*
2N/A * This framework function is actually implemented in the openssl
2N/A * plugin library, so we find the function address and call it.
2N/A */
2N/A plugin = FindPlugin(handle, KMF_KEYSTORE_OPENSSL);
2N/A if (plugin == NULL || plugin->dldesc == NULL) {
2N/A return (KMF_ERR_PLUGIN_NOTFOUND);
2N/A }
2N/A
2N/A getPrintableFn = (KMF_RETURN(*)())dlsym(plugin->dldesc,
2N/A "OpenSSL_CertGetPrintable");
2N/A if (getPrintableFn == NULL) {
2N/A return (KMF_ERR_FUNCTION_NOT_FOUND);
2N/A }
2N/A
2N/A return (getPrintableFn(handle, SignedCert, flag, resultStr));
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_version_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_VERSION,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_subject_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SUBJECT,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_issuer_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_ISSUER,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_serial_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SERIALNUM,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_start_date_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_NOTBEFORE,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_end_date_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_NOTAFTER,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_pubkey_alg_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_PUBKEY_ALG,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_sig_alg_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_SIGNATURE_ALG,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_pubkey_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_PUBKEY_DATA,
2N/A tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_email_str(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (SignedCert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, SignedCert, KMF_CERT_EMAIL, tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * Given a certificate (DER Encoded data) and a KMF
2N/A * extension identifier constant (e.g. KMF_X509_EXT_*),
2N/A * return a human readable interpretation of the
2N/A * extension data.
2N/A *
2N/A * The string will be a maximum of KMF_CERT_PRINTABLE_LEN
2N/A * bytes long. The string is allocated locally and
2N/A * must be freed by the caller.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_extn_str(KMF_HANDLE_T handle, const KMF_DATA *cert,
2N/A KMF_PRINTABLE_ITEM extension, char **result)
2N/A{
2N/A KMF_RETURN ret;
2N/A char *tmpstr;
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (cert == NULL || result == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A tmpstr = malloc(KMF_CERT_PRINTABLE_LEN);
2N/A if (tmpstr == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memset(tmpstr, 0, KMF_CERT_PRINTABLE_LEN);
2N/A
2N/A ret = KMF_CertGetPrintable(handle, cert, extension, tmpstr);
2N/A
2N/A if (ret == KMF_OK) {
2N/A *result = tmpstr;
2N/A } else {
2N/A free(tmpstr);
2N/A *result = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_id_data(const KMF_DATA *SignedCert, KMF_DATA *ID)
2N/A{
2N/A KMF_RETURN ret;
2N/A KMF_X509_CERTIFICATE *cert = NULL;
2N/A
2N/A if (SignedCert == NULL || ID == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = DerDecodeSignedCertificate(SignedCert, &cert);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A ret = GetIDFromSPKI(&cert->certificate.subjectPublicKeyInfo, ID);
2N/A
2N/A kmf_free_signed_cert(cert);
2N/A free(cert);
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_get_cert_id_str(const KMF_DATA *SignedCert, char **idstr)
2N/A{
2N/A KMF_RETURN ret;
2N/A KMF_DATA ID = {NULL, 0};
2N/A char tmpstr[256];
2N/A int i;
2N/A
2N/A if (SignedCert == NULL || idstr == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = kmf_get_cert_id_data(SignedCert, &ID);
2N/A if (ret != KMF_OK) {
2N/A kmf_free_data(&ID);
2N/A return (ret);
2N/A }
2N/A
2N/A (void) memset(tmpstr, 0, sizeof (tmpstr));
2N/A for (i = 0; i < ID.Length; i++) {
2N/A int len = strlen(tmpstr);
2N/A (void) snprintf(&tmpstr[len], sizeof (tmpstr) - len,
2N/A "%02x", (uchar_t)ID.Data[i]);
2N/A if ((i+1) < ID.Length)
2N/A (void) strcat(tmpstr, ":");
2N/A }
2N/A *idstr = strdup(tmpstr);
2N/A if ((*idstr) == NULL)
2N/A ret = KMF_ERR_MEMORY;
2N/A
2N/A kmf_free_data(&ID);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * This function gets the time_t values of the notbefore and notafter dates
2N/A * from a der-encoded certificate.
2N/A */
2N/AKMF_RETURN
2N/Akmf_get_cert_validity(const KMF_DATA *cert, time_t *not_before,
2N/A time_t *not_after)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_X509_CERTIFICATE *certData = NULL;
2N/A struct tm tm_tmp;
2N/A time_t t_notbefore;
2N/A time_t t_notafter;
2N/A unsigned char *not_before_str;
2N/A unsigned char *not_after_str;
2N/A
2N/A if (cert == NULL || not_before == NULL || not_after == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A rv = DerDecodeSignedCertificate(cert, &certData);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A
2N/A /* Get notBefore */
2N/A not_before_str = certData->certificate.validity.notBefore.time.Data;
2N/A if (strptime((const char *)not_before_str, "%y %m %d %H %M %S",
2N/A &tm_tmp) == NULL) {
2N/A rv = KMF_ERR_VALIDITY_PERIOD;
2N/A goto out;
2N/A }
2N/A
2N/A errno = 0;
2N/A if (((t_notbefore = mktime(&tm_tmp)) == (time_t)(-1)) &&
2N/A errno == EOVERFLOW) {
2N/A rv = KMF_ERR_VALIDITY_PERIOD;
2N/A goto out;
2N/A }
2N/A *not_before = t_notbefore;
2N/A
2N/A /* Get notAfter */
2N/A not_after_str = certData->certificate.validity.notAfter.time.Data;
2N/A if (strptime((const char *)not_after_str, "%y %m %d %H %M %S",
2N/A &tm_tmp) == NULL) {
2N/A rv = KMF_ERR_VALIDITY_PERIOD;
2N/A goto out;
2N/A }
2N/A
2N/A errno = 0;
2N/A if (((t_notafter = mktime(&tm_tmp)) == (time_t)(-1)) &&
2N/A errno == EOVERFLOW) {
2N/A rv = KMF_ERR_VALIDITY_PERIOD;
2N/A goto out;
2N/A }
2N/A *not_after = t_notafter;
2N/A
2N/Aout:
2N/A if (certData != NULL) {
2N/A kmf_free_signed_cert(certData);
2N/A free(certData);
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_pubkey(KMF_HANDLE_T handle,
2N/A KMF_KEY_HANDLE *KMFKey,
2N/A KMF_X509_CERTIFICATE *Cert)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_SPKI *spki_ptr;
2N/A KMF_PLUGIN *plugin;
2N/A KMF_DATA KeyData = {NULL, 0};
2N/A
2N/A CLEAR_ERROR(handle, ret);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A if (KMFKey == NULL || Cert == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /* The keystore must extract the pubkey data */
2N/A plugin = FindPlugin(handle, KMFKey->kstype);
2N/A if (plugin != NULL && plugin->funclist->EncodePubkeyData != NULL) {
2N/A ret = plugin->funclist->EncodePubkeyData(handle,
2N/A KMFKey, &KeyData);
2N/A } else {
2N/A return (KMF_ERR_PLUGIN_NOTFOUND);
2N/A }
2N/A
2N/A spki_ptr = &Cert->certificate.subjectPublicKeyInfo;
2N/A
2N/A if (KeyData.Data != NULL) {
2N/A ret = DerDecodeSPKI(&KeyData, spki_ptr);
2N/A free(KeyData.Data);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_subject(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_X509_NAME *subject_name_ptr)
2N/A{
2N/A
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_X509_NAME *temp_name_ptr = NULL;
2N/A
2N/A if (CertData != NULL && subject_name_ptr != NULL) {
2N/A rv = CopyRDN(subject_name_ptr, &temp_name_ptr);
2N/A if (rv == KMF_OK) {
2N/A CertData->certificate.subject = *temp_name_ptr;
2N/A }
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Aset_key_usage_extension(KMF_X509_EXTENSIONS *extns,
2N/A int critical, uint32_t bits)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue *extdata;
2N/A int bitlen, i;
2N/A uint16_t kubits = (uint16_t)(bits & 0x0000ffff);
2N/A
2N/A if (extns == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (extn));
2N/A ret = copy_data(&extn.extnId, (KMF_OID *)&KMFOID_KeyUsage);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A extn.critical = critical;
2N/A extn.format = KMF_X509_DATAFORMAT_ENCODED;
2N/A
2N/A for (i = 7; i <= 15 && !(kubits & (1 << i)); i++)
2N/A /* empty body */
2N/A ;
2N/A
2N/A bitlen = 16 - i;
2N/A
2N/A if ((asn1 = kmfder_alloc()) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A kubits = htons(kubits);
2N/A if (kmfber_printf(asn1, "B", (char *)&kubits, bitlen) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A if (kmfber_flatten(asn1, &extdata) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A extn.BERvalue.Data = (uchar_t *)extdata->bv_val;
2N/A extn.BERvalue.Length = extdata->bv_len;
2N/A
2N/A free(extdata);
2N/A
2N/A ret = add_an_extension(extns, &extn);
2N/A if (ret != KMF_OK) {
2N/A free(extn.BERvalue.Data);
2N/A }
2N/Aout:
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_ku(KMF_X509_CERTIFICATE *CertData,
2N/A int critical, uint16_t kubits)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A
2N/A if (CertData == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = set_key_usage_extension(&CertData->certificate.extensions,
2N/A critical, kubits);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_issuer(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_X509_NAME *issuer_name_ptr)
2N/A{
2N/A
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_X509_NAME *temp_name_ptr = NULL;
2N/A
2N/A if (CertData != NULL && issuer_name_ptr != NULL) {
2N/A rv = CopyRDN(issuer_name_ptr, &temp_name_ptr);
2N/A if (rv == KMF_OK) {
2N/A CertData->certificate.issuer = *temp_name_ptr;
2N/A }
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_sig_alg(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_ALGORITHM_INDEX sigAlg)
2N/A{
2N/A KMF_OID *alg;
2N/A
2N/A if (CertData == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A alg = x509_algid_to_algoid(sigAlg);
2N/A
2N/A if (alg != NULL) {
2N/A (void) copy_data((KMF_DATA *)
2N/A &CertData->certificate.signature.algorithm,
2N/A (KMF_DATA *)alg);
2N/A (void) copy_data(&CertData->certificate.signature.parameters,
2N/A &CertData->certificate.subjectPublicKeyInfo.algorithm.
2N/A parameters);
2N/A
2N/A (void) copy_data(
2N/A &CertData->signature.algorithmIdentifier.algorithm,
2N/A &CertData->certificate.signature.algorithm);
2N/A (void) copy_data(
2N/A &CertData->signature.algorithmIdentifier.parameters,
2N/A &CertData->certificate.signature.parameters);
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A return (KMF_OK);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_validity(KMF_X509_CERTIFICATE *CertData,
2N/A time_t notBefore, uint32_t delta)
2N/A{
2N/A time_t clock;
2N/A struct tm *gmt;
2N/A char szNotBefore[256];
2N/A char szNotAfter[256];
2N/A
2N/A if (CertData == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Set up validity fields */
2N/A if (notBefore == NULL)
2N/A clock = time(NULL);
2N/A else
2N/A clock = notBefore;
2N/A
2N/A gmt = gmtime(&clock); /* valid starting today */
2N/A
2N/A /* Build the format in 2 parts so SCCS doesn't get confused */
2N/A (void) strftime(szNotBefore, sizeof (szNotBefore),
2N/A "%y%m%d%H" "%M00Z", gmt);
2N/A
2N/A CertData->certificate.validity.notBefore.timeType = BER_UTCTIME;
2N/A CertData->certificate.validity.notBefore.time.Length =
2N/A strlen((char *)szNotBefore);
2N/A CertData->certificate.validity.notBefore.time.Data =
2N/A (uchar_t *)strdup(szNotBefore);
2N/A
2N/A clock += delta;
2N/A gmt = gmtime(&clock);
2N/A
2N/A /* Build the format in 2 parts so SCCS doesn't get confused */
2N/A (void) strftime(szNotAfter, sizeof (szNotAfter),
2N/A "%y%m%d%H" "%M00Z", gmt);
2N/A
2N/A CertData->certificate.validity.notAfter.timeType = BER_UTCTIME;
2N/A CertData->certificate.validity.notAfter.time.Length =
2N/A strlen((char *)szNotAfter);
2N/A CertData->certificate.validity.notAfter.time.Data =
2N/A (uchar_t *)strdup(szNotAfter);
2N/A
2N/A return (KMF_OK);
2N/A}
2N/A
2N/A/*
2N/A * Utility routine to set Integer values in the Certificate template
2N/A * for things like serialNumber and Version. The data structure
2N/A * expects pointers, not literal values, so we must allocate
2N/A * and copy here. Don't use memory from the stack since this data
2N/A * is freed later and that would be bad.
2N/A */
2N/AKMF_RETURN
2N/Aset_integer(KMF_DATA *data, void *value, int length)
2N/A{
2N/A if (data == NULL || value == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A data->Data = malloc(length);
2N/A if (data->Data == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A data->Length = length;
2N/A (void) memcpy((void *)data->Data, (const void *)value, length);
2N/A
2N/A return (KMF_OK);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aset_bigint(KMF_BIGINT *data, KMF_BIGINT *bigint)
2N/A{
2N/A if (data == NULL || bigint == NULL || bigint->len == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A data->val = malloc(bigint->len);
2N/A if (data->val == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A data->len = bigint->len;
2N/A
2N/A (void) memcpy((void *)data->val, bigint->val, bigint->len);
2N/A
2N/A return (KMF_OK);
2N/A
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_serial(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_BIGINT *serno)
2N/A{
2N/A if (CertData == NULL || serno == NULL || serno->len == 0)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A return (set_bigint(&CertData->certificate.serialNumber, serno));
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_version(KMF_X509_CERTIFICATE *CertData,
2N/A uint32_t version)
2N/A{
2N/A if (CertData == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A /*
2N/A * From RFC 3280:
2N/A * Version ::= INTEGER { v1(0), v2(1), v3(2) }
2N/A */
2N/A if (version != 0 && version != 1 && version != 2)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A return (set_integer(&CertData->certificate.version, (void *)&version,
2N/A sizeof (uint32_t)));
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_issuer_altname(KMF_X509_CERTIFICATE *CertData,
2N/A int critical,
2N/A KMF_GENERALNAMECHOICES nametype,
2N/A char *namedata)
2N/A{
2N/A if (CertData == NULL || namedata == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A return (kmf_set_altname(&CertData->certificate.extensions,
2N/A (KMF_OID *)&KMFOID_IssuerAltName, critical, nametype, namedata));
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_subject_altname(KMF_X509_CERTIFICATE *CertData,
2N/A int critical,
2N/A KMF_GENERALNAMECHOICES nametype,
2N/A char *namedata)
2N/A{
2N/A if (CertData == NULL || namedata == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A return (kmf_set_altname(&CertData->certificate.extensions,
2N/A (KMF_OID *)&KMFOID_SubjectAltName, critical, nametype, namedata));
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_add_cert_eku(KMF_X509_CERTIFICATE *CertData, KMF_OID *ekuOID,
2N/A int critical)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION *foundextn;
2N/A KMF_X509_EXTENSION newextn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue *extdata = NULL;
2N/A char *olddata = NULL;
2N/A size_t oldsize = 0;
2N/A KMF_X509EXT_EKU ekudata;
2N/A
2N/A if (CertData == NULL || ekuOID == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&ekudata, 0, sizeof (KMF_X509EXT_EKU));
2N/A (void) memset(&newextn, 0, sizeof (newextn));
2N/A
2N/A foundextn = FindExtn(&CertData->certificate.extensions,
2N/A (KMF_OID *)&KMFOID_ExtendedKeyUsage);
2N/A if (foundextn != NULL) {
2N/A ret = GetSequenceContents((char *)foundextn->BERvalue.Data,
2N/A foundextn->BERvalue.Length, &olddata, &oldsize);
2N/A if (ret != KMF_OK)
2N/A goto out;
2N/A
2N/A /*
2N/A * If the EKU is already in the cert, then just return OK.
2N/A */
2N/A ret = parse_eku_data(&foundextn->BERvalue, &ekudata);
2N/A if (ret == KMF_OK) {
2N/A if (is_eku_present(&ekudata, ekuOID)) {
2N/A goto out;
2N/A }
2N/A }
2N/A }
2N/A if ((asn1 = kmfder_alloc()) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A if (kmfber_printf(asn1, "{") == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A /* Write the old extension data first */
2N/A if (olddata != NULL && oldsize > 0) {
2N/A if (kmfber_write(asn1, olddata, oldsize, 0) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A }
2N/A
2N/A /* Append this EKU OID and close the sequence */
2N/A if (kmfber_printf(asn1, "D}", ekuOID) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_flatten(asn1, &extdata) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A /*
2N/A * If we are just adding to an existing list of EKU OIDs,
2N/A * just replace the BER data associated with the found extension.
2N/A */
2N/A if (foundextn != NULL) {
2N/A free(foundextn->BERvalue.Data);
2N/A foundextn->critical = critical;
2N/A foundextn->BERvalue.Data = (uchar_t *)extdata->bv_val;
2N/A foundextn->BERvalue.Length = extdata->bv_len;
2N/A } else {
2N/A ret = copy_data(&newextn.extnId,
2N/A (KMF_DATA *)&KMFOID_ExtendedKeyUsage);
2N/A if (ret != KMF_OK)
2N/A goto out;
2N/A newextn.critical = critical;
2N/A newextn.format = KMF_X509_DATAFORMAT_ENCODED;
2N/A newextn.BERvalue.Data = (uchar_t *)extdata->bv_val;
2N/A newextn.BERvalue.Length = extdata->bv_len;
2N/A ret = kmf_set_cert_extn(CertData, &newextn);
2N/A if (ret != KMF_OK)
2N/A free(newextn.BERvalue.Data);
2N/A }
2N/A
2N/Aout:
2N/A kmf_free_eku(&ekudata);
2N/A if (extdata != NULL)
2N/A free(extdata);
2N/A
2N/A if (olddata != NULL)
2N/A free(olddata);
2N/A
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A if (ret != KMF_OK)
2N/A kmf_free_data(&newextn.extnId);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_extn(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_X509_EXTENSION *extn)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSIONS *exts;
2N/A
2N/A if (CertData == NULL || extn == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A exts = &CertData->certificate.extensions;
2N/A
2N/A ret = add_an_extension(exts, extn);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Akmf_set_cert_basic_constraint(KMF_X509_CERTIFICATE *CertData,
2N/A KMF_BOOL critical, KMF_X509EXT_BASICCONSTRAINTS *constraint)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_X509_EXTENSION extn;
2N/A BerElement *asn1 = NULL;
2N/A BerValue *extdata;
2N/A
2N/A if ((CertData == NULL) || (constraint == NULL))
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(&extn, 0, sizeof (extn));
2N/A ret = copy_data(&extn.extnId, (KMF_OID *)&KMFOID_BasicConstraints);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A extn.critical = critical;
2N/A extn.format = KMF_X509_DATAFORMAT_ENCODED;
2N/A
2N/A if ((asn1 = kmfder_alloc()) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A if (kmfber_printf(asn1, "{") == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_printf(asn1, "b", constraint->cA) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A if (constraint->pathLenConstraintPresent) {
2N/A /* Write the pathLenConstraint value */
2N/A if (kmfber_printf(asn1, "i",
2N/A constraint->pathLenConstraint) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A }
2N/A
2N/A if (kmfber_printf(asn1, "}") == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_flatten(asn1, &extdata) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A extn.BERvalue.Data = (uchar_t *)extdata->bv_val;
2N/A extn.BERvalue.Length = extdata->bv_len;
2N/A
2N/A free(extdata);
2N/A ret = kmf_set_cert_extn(CertData, &extn);
2N/A if (ret != KMF_OK) {
2N/A free(extn.BERvalue.Data);
2N/A }
2N/A
2N/Aout:
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * Phase 1 APIs still needed to maintain compat with elfsign.
2N/A */
2N/AKMF_RETURN
2N/AKMF_GetCertSubjectNameString(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A return (kmf_get_cert_subject_str(handle, SignedCert, result));
2N/A}
2N/A
2N/AKMF_RETURN
2N/AKMF_GetCertIssuerNameString(KMF_HANDLE_T handle, const KMF_DATA *SignedCert,
2N/A char **result)
2N/A{
2N/A return (kmf_get_cert_issuer_str(handle, SignedCert, result));
2N/A}
2N/A
2N/AKMF_RETURN
2N/AKMF_GetCertIDString(const KMF_DATA *SignedCert, char **idstr)
2N/A{
2N/A return (kmf_get_cert_id_str(SignedCert, idstr));
2N/A}