2N/A/*
2N/A * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A/*
2N/A * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
2N/A * project 2000.
2N/A */
2N/A/*
2N/A * ====================================================================
2N/A * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
2N/A *
2N/A * Redistribution and use in source and binary forms, with or without
2N/A * modification, are permitted provided that the following conditions
2N/A * are met:
2N/A *
2N/A * 1. Redistributions of source code must retain the above copyright
2N/A * notice, this list of conditions and the following disclaimer.
2N/A *
2N/A * 2. Redistributions in binary form must reproduce the above copyright
2N/A * notice, this list of conditions and the following disclaimer in
2N/A * the documentation and/or other materials provided with the
2N/A * distribution.
2N/A *
2N/A * 3. All advertising materials mentioning features or use of this
2N/A * software must display the following acknowledgment:
2N/A * "This product includes software developed by the OpenSSL Project
2N/A * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
2N/A *
2N/A * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
2N/A * endorse or promote products derived from this software without
2N/A * prior written permission. For written permission, please contact
2N/A * licensing@OpenSSL.org.
2N/A *
2N/A * 5. Products derived from this software may not be called "OpenSSL"
2N/A * nor may "OpenSSL" appear in their names without prior written
2N/A * permission of the OpenSSL Project.
2N/A *
2N/A * 6. Redistributions of any form whatsoever must retain the following
2N/A * acknowledgment:
2N/A * "This product includes software developed by the OpenSSL Project
2N/A * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
2N/A *
2N/A * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
2N/A * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2N/A * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
2N/A * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
2N/A * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
2N/A * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2N/A * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
2N/A * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2N/A * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
2N/A * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
2N/A * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
2N/A * OF THE POSSIBILITY OF SUCH DAMAGE.
2N/A * ====================================================================
2N/A *
2N/A * This product includes cryptographic software written by Eric Young
2N/A * (eay@cryptsoft.com). This product includes software written by Tim
2N/A * Hudson (tjh@cryptsoft.com).
2N/A *
2N/A */
2N/A
2N/A#include <stdlib.h>
2N/A#include <kmfapiP.h>
2N/A#include <ber_der.h>
2N/A#include <fcntl.h>
2N/A#include <sys/stat.h>
2N/A#include <dirent.h>
2N/A#include <cryptoutil.h>
2N/A#include <synch.h>
2N/A#include <thread.h>
2N/A
2N/A/* OPENSSL related headers */
2N/A#include <openssl/bio.h>
2N/A#include <openssl/bn.h>
2N/A#include <openssl/asn1.h>
2N/A#include <openssl/err.h>
2N/A#include <openssl/bn.h>
2N/A#include <openssl/x509.h>
2N/A#include <openssl/rsa.h>
2N/A#include <openssl/dsa.h>
2N/A#include <openssl/x509v3.h>
2N/A#include <openssl/objects.h>
2N/A#include <openssl/pem.h>
2N/A#include <openssl/pkcs12.h>
2N/A#include <openssl/ocsp.h>
2N/A#include <openssl/des.h>
2N/A#include <openssl/rand.h>
2N/A
2N/A#define PRINT_ANY_EXTENSION (\
2N/A KMF_X509_EXT_KEY_USAGE |\
2N/A KMF_X509_EXT_CERT_POLICIES |\
2N/A KMF_X509_EXT_SUBJALTNAME |\
2N/A KMF_X509_EXT_BASIC_CONSTRAINTS |\
2N/A KMF_X509_EXT_NAME_CONSTRAINTS |\
2N/A KMF_X509_EXT_POLICY_CONSTRAINTS |\
2N/A KMF_X509_EXT_EXT_KEY_USAGE |\
2N/A KMF_X509_EXT_INHIBIT_ANY_POLICY |\
2N/A KMF_X509_EXT_AUTH_KEY_ID |\
2N/A KMF_X509_EXT_SUBJ_KEY_ID |\
2N/A KMF_X509_EXT_POLICY_MAPPING)
2N/A
2N/Astatic uchar_t P[] = { 0x00, 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76,
2N/A 0xaa, 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69,
2N/A 0xcb, 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c,
2N/A 0xf7, 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82,
2N/A 0xe5, 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e,
2N/A 0xaf, 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a,
2N/A 0xac, 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24,
2N/A 0xc2, 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02,
2N/A 0x91 };
2N/A
2N/Astatic uchar_t Q[] = { 0x00, 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8,
2N/A 0xee, 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4,
2N/A 0x8e, 0xda, 0xce, 0x91, 0x5f };
2N/A
2N/Astatic uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
2N/A 0x13, 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5,
2N/A 0x00, 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef,
2N/A 0xcb, 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c,
2N/A 0x2e, 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba,
2N/A 0xbf, 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c,
2N/A 0x9c, 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08,
2N/A 0x8c, 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88,
2N/A 0x02 };
2N/A
2N/A#define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_OPENSSL; \
2N/A h->lasterr.errcode = c;
2N/A
2N/A#define SET_SYS_ERROR(h, c) h->lasterr.kstype = -1; h->lasterr.errcode = c;
2N/A
2N/A/*
2N/A * Declare some new macros for managing stacks of EVP_PKEYS, similar to
2N/A * what wanboot did.
2N/A */
2N/ADECLARE_STACK_OF(EVP_PKEY)
2N/A
2N/A#define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
2N/A#define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
2N/A#define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
2N/A#define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
2N/A#define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
2N/A#define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
2N/A (free_func))
2N/A
2N/Amutex_t init_lock = DEFAULTMUTEX;
2N/Astatic int ssl_initialized = 0;
2N/Astatic BIO *bio_err = NULL;
2N/A
2N/Astatic int
2N/Atest_for_file(char *, mode_t);
2N/Astatic KMF_RETURN
2N/Aopenssl_parse_bag(PKCS12_SAFEBAG *, char *, int,
2N/A STACK_OF(EVP_PKEY) *, STACK_OF(X509) *);
2N/A
2N/Astatic KMF_RETURN
2N/Alocal_export_pk12(KMF_HANDLE_T, KMF_CREDENTIAL *, int, KMF_X509_DER_CERT *,
2N/A int, KMF_KEY_HANDLE *, char *);
2N/A
2N/Astatic KMF_RETURN set_pkey_attrib(EVP_PKEY *, ASN1_TYPE *, int);
2N/A
2N/Astatic KMF_RETURN
2N/Aextract_pem(KMF_HANDLE *, char *, char *, KMF_BIGINT *, char *,
2N/A CK_UTF8CHAR *, CK_ULONG, EVP_PKEY **, KMF_DATA **, int *);
2N/A
2N/Astatic KMF_RETURN
2N/Akmf_load_cert(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
2N/A char *, KMF_DATA *);
2N/A
2N/Astatic KMF_RETURN
2N/Aload_certs(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
2N/A char *, KMF_DATA **, uint32_t *);
2N/A
2N/Astatic KMF_RETURN
2N/AsslBN2KMFBN(BIGNUM *, KMF_BIGINT *);
2N/A
2N/Astatic EVP_PKEY *
2N/AImportRawRSAKey(KMF_RAW_RSA_KEY *);
2N/A
2N/Astatic KMF_RETURN
2N/AconvertToRawKey(EVP_PKEY *, KMF_RAW_KEY_DATA *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/Avoid
2N/AOpenSSL_FreeKMFCert(KMF_HANDLE_T, KMF_X509_DER_CERT *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_StoreCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DeleteCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateKeypair(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_StoreKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
2N/A KMF_DATA *, KMF_DATA *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DeleteKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ImportCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DeleteCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ListCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindCertInCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CertGetPrintable(KMF_HANDLE_T, const KMF_DATA *,
2N/A KMF_PRINTABLE_ITEM, char *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetErrorString(KMF_HANDLE_T, char **);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindPrikeyByCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
2N/A KMF_DATA *, KMF_DATA *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateOCSPRequest(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ExportPK12(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateSymKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_VerifyCRLFile(KMF_HANDLE_T, char *, KMF_DATA *);
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CheckCRLDate(KMF_HANDLE_T, char *);
2N/A
2N/Astatic
2N/AKMF_PLUGIN_FUNCLIST openssl_plugin_table =
2N/A{
2N/A 1, /* Version */
2N/A NULL, /* ConfigureKeystore */
2N/A OpenSSL_FindCert,
2N/A OpenSSL_FreeKMFCert,
2N/A OpenSSL_StoreCert,
2N/A NULL, /* ImportCert */
2N/A OpenSSL_ImportCRL,
2N/A OpenSSL_DeleteCert,
2N/A OpenSSL_DeleteCRL,
2N/A OpenSSL_CreateKeypair,
2N/A OpenSSL_FindKey,
2N/A OpenSSL_EncodePubKeyData,
2N/A OpenSSL_SignData,
2N/A OpenSSL_DeleteKey,
2N/A OpenSSL_ListCRL,
2N/A NULL, /* FindCRL */
2N/A OpenSSL_FindCertInCRL,
2N/A OpenSSL_GetErrorString,
2N/A OpenSSL_FindPrikeyByCert,
2N/A OpenSSL_DecryptData,
2N/A OpenSSL_ExportPK12,
2N/A OpenSSL_CreateSymKey,
2N/A OpenSSL_GetSymKeyValue,
2N/A NULL, /* SetTokenPin */
2N/A OpenSSL_StoreKey,
2N/A NULL /* Finalize */
2N/A};
2N/A
2N/Astatic mutex_t *lock_cs;
2N/Astatic long *lock_count;
2N/A
2N/Astatic void
2N/A/* ARGSUSED1 */
2N/Alocking_cb(int mode, int type, char *file, int line)
2N/A{
2N/A if (mode & CRYPTO_LOCK) {
2N/A (void) mutex_lock(&(lock_cs[type]));
2N/A lock_count[type]++;
2N/A } else {
2N/A (void) mutex_unlock(&(lock_cs[type]));
2N/A }
2N/A}
2N/A
2N/Astatic unsigned long
2N/Athread_id()
2N/A{
2N/A return ((unsigned long)thr_self());
2N/A}
2N/A
2N/AKMF_PLUGIN_FUNCLIST *
2N/AKMF_Plugin_Initialize()
2N/A{
2N/A int i;
2N/A
2N/A (void) mutex_lock(&init_lock);
2N/A if (!ssl_initialized) {
2N/A /*
2N/A * Add support for extension OIDs that are not yet in the
2N/A * openssl default set.
2N/A */
2N/A (void) OBJ_create("2.5.29.30", "nameConstraints",
2N/A "X509v3 Name Constraints");
2N/A (void) OBJ_create("2.5.29.33", "policyMappings",
2N/A "X509v3 Policy Mappings");
2N/A (void) OBJ_create("2.5.29.36", "policyConstraints",
2N/A "X509v3 Policy Constraints");
2N/A (void) OBJ_create("2.5.29.46", "freshestCRL",
2N/A "X509v3 Freshest CRL");
2N/A (void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
2N/A "X509v3 Inhibit Any-Policy");
2N/A /*
2N/A * Set up for thread-safe operation.
2N/A */
2N/A lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t));
2N/A if (lock_cs == NULL) {
2N/A (void) mutex_unlock(&init_lock);
2N/A return (NULL);
2N/A }
2N/A
2N/A lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (long));
2N/A if (lock_count == NULL) {
2N/A OPENSSL_free(lock_cs);
2N/A (void) mutex_unlock(&init_lock);
2N/A return (NULL);
2N/A }
2N/A
2N/A for (i = 0; i < CRYPTO_num_locks(); i++) {
2N/A lock_count[i] = 0;
2N/A (void) mutex_init(&lock_cs[i], USYNC_THREAD, NULL);
2N/A }
2N/A
2N/A CRYPTO_set_id_callback((unsigned long (*)())thread_id);
2N/A if (CRYPTO_get_locking_callback() == NULL)
2N/A CRYPTO_set_locking_callback((void (*)())locking_cb);
2N/A
2N/A OpenSSL_add_all_algorithms();
2N/A
2N/A /* Enable error strings for reporting */
2N/A ERR_load_crypto_strings();
2N/A
2N/A ssl_initialized = 1;
2N/A }
2N/A (void) mutex_unlock(&init_lock);
2N/A
2N/A return (&openssl_plugin_table);
2N/A}
2N/A/*
2N/A * Convert an SSL DN to a KMF DN.
2N/A */
2N/Astatic KMF_RETURN
2N/Aget_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
2N/A{
2N/A KMF_DATA derdata;
2N/A KMF_RETURN rv = KMF_OK;
2N/A uchar_t *tmp;
2N/A
2N/A /* Convert to raw DER format */
2N/A derdata.Length = i2d_X509_NAME(sslDN, NULL);
2N/A if ((tmp = derdata.Data = (uchar_t *)OPENSSL_malloc(derdata.Length))
2N/A == NULL) {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A (void) i2d_X509_NAME(sslDN, &tmp);
2N/A
2N/A /* Decode to KMF format */
2N/A rv = DerDecodeName(&derdata, kmfDN);
2N/A if (rv != KMF_OK) {
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A }
2N/A OPENSSL_free(derdata.Data);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Aint
2N/Aisdir(char *path)
2N/A{
2N/A struct stat s;
2N/A
2N/A if (stat(path, &s) == -1)
2N/A return (0);
2N/A
2N/A return ((s.st_mode & S_IFMT) == S_IFDIR);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Assl_cert2KMFDATA(KMF_HANDLE *kmfh, X509 *x509cert, KMF_DATA *cert)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A unsigned char *buf = NULL, *p;
2N/A int len;
2N/A
2N/A /*
2N/A * Convert the X509 internal struct to DER encoded data
2N/A */
2N/A if ((len = i2d_X509(x509cert, NULL)) < 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto cleanup;
2N/A }
2N/A if ((buf = malloc(len)) == NULL) {
2N/A SET_SYS_ERROR(kmfh, errno);
2N/A rv = KMF_ERR_MEMORY;
2N/A goto cleanup;
2N/A }
2N/A
2N/A /*
2N/A * i2d_X509 will increment the buf pointer so that we need to
2N/A * save it.
2N/A */
2N/A p = buf;
2N/A if ((len = i2d_X509(x509cert, &p)) < 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* caller's responsibility to free it */
2N/A cert->Data = buf;
2N/A cert->Length = len;
2N/A
2N/Acleanup:
2N/A if (rv != KMF_OK) {
2N/A if (buf)
2N/A free(buf);
2N/A cert->Data = NULL;
2N/A cert->Length = 0;
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/A
2N/Astatic KMF_RETURN
2N/Acheck_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial,
2N/A boolean_t *match)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A boolean_t findIssuer = FALSE;
2N/A boolean_t findSubject = FALSE;
2N/A boolean_t findSerial = FALSE;
2N/A KMF_X509_NAME issuerDN, subjectDN;
2N/A KMF_X509_NAME certIssuerDN, certSubjectDN;
2N/A
2N/A *match = FALSE;
2N/A if (xcert == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A (void) memset(&issuerDN, 0, sizeof (KMF_X509_NAME));
2N/A (void) memset(&subjectDN, 0, sizeof (KMF_X509_NAME));
2N/A (void) memset(&certIssuerDN, 0, sizeof (KMF_X509_NAME));
2N/A (void) memset(&certSubjectDN, 0, sizeof (KMF_X509_NAME));
2N/A
2N/A if (issuer != NULL && strlen(issuer)) {
2N/A rv = kmf_dn_parser(issuer, &issuerDN);
2N/A if (rv != KMF_OK)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
2N/A if (rv != KMF_OK) {
2N/A kmf_free_dn(&issuerDN);
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A findIssuer = TRUE;
2N/A }
2N/A if (subject != NULL && strlen(subject)) {
2N/A rv = kmf_dn_parser(subject, &subjectDN);
2N/A if (rv != KMF_OK) {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A
2N/A rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
2N/A if (rv != KMF_OK) {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A findSubject = TRUE;
2N/A }
2N/A if (serial != NULL && serial->val != NULL)
2N/A findSerial = TRUE;
2N/A
2N/A if (findSerial) {
2N/A BIGNUM *bn;
2N/A
2N/A /* Comparing BIGNUMs is a pain! */
2N/A bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
2N/A if (bn != NULL) {
2N/A int bnlen = BN_num_bytes(bn);
2N/A
2N/A if (bnlen == serial->len) {
2N/A uchar_t *a = malloc(bnlen);
2N/A if (a == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A BN_free(bn);
2N/A goto cleanup;
2N/A }
2N/A bnlen = BN_bn2bin(bn, a);
2N/A *match = (memcmp(a, serial->val, serial->len) ==
2N/A 0);
2N/A rv = KMF_OK;
2N/A free(a);
2N/A }
2N/A BN_free(bn);
2N/A if (!(*match))
2N/A goto cleanup;
2N/A } else {
2N/A rv = KMF_OK;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A if (findIssuer) {
2N/A *match = (kmf_compare_rdns(&issuerDN, &certIssuerDN) == 0);
2N/A if ((*match) == B_FALSE) {
2N/A /* stop checking and bail */
2N/A rv = KMF_OK;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A if (findSubject) {
2N/A *match = (kmf_compare_rdns(&subjectDN, &certSubjectDN) == 0);
2N/A if ((*match) == B_FALSE) {
2N/A /* stop checking and bail */
2N/A rv = KMF_OK;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A
2N/A *match = TRUE;
2N/Acleanup:
2N/A if (findIssuer) {
2N/A kmf_free_dn(&issuerDN);
2N/A kmf_free_dn(&certIssuerDN);
2N/A }
2N/A if (findSubject) {
2N/A kmf_free_dn(&subjectDN);
2N/A kmf_free_dn(&certSubjectDN);
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/A
2N/A/*
2N/A * This function loads a certificate file into an X509 data structure, and
2N/A * checks if its issuer, subject or the serial number matches with those
2N/A * values. If it matches, then return the X509 data structure.
2N/A */
2N/Astatic KMF_RETURN
2N/Aload_X509cert(KMF_HANDLE *kmfh,
2N/A char *issuer, char *subject, KMF_BIGINT *serial,
2N/A char *pathname, X509 **outcert)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A X509 *xcert = NULL;
2N/A BIO *bcert = NULL;
2N/A boolean_t match = FALSE;
2N/A KMF_ENCODE_FORMAT format;
2N/A
2N/A /*
2N/A * auto-detect the file format, regardless of what
2N/A * the 'format' parameters in the params say.
2N/A */
2N/A rv = kmf_get_file_format(pathname, &format);
2N/A if (rv != KMF_OK) {
2N/A if (rv == KMF_ERR_OPEN_FILE)
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A return (rv);
2N/A }
2N/A
2N/A /* Not ASN1(DER) format */
2N/A if ((bcert = BIO_new_file(pathname, "rb")) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_OPEN_FILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_PEM)
2N/A xcert = PEM_read_bio_X509_AUX(bcert, NULL, NULL, NULL);
2N/A else if (format == KMF_FORMAT_ASN1)
2N/A xcert = d2i_X509_bio(bcert, NULL);
2N/A else if (format == KMF_FORMAT_PKCS12) {
2N/A PKCS12 *p12 = d2i_PKCS12_bio(bcert, NULL);
2N/A if (p12 != NULL) {
2N/A (void) PKCS12_parse(p12, NULL, NULL, &xcert, NULL);
2N/A PKCS12_free(p12);
2N/A p12 = NULL;
2N/A } else {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A }
2N/A } else {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (check_cert(xcert, issuer, subject, serial, &match) != KMF_OK ||
2N/A match == FALSE) {
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (outcert != NULL) {
2N/A *outcert = xcert;
2N/A }
2N/A
2N/Acleanup:
2N/A if (bcert != NULL) (void) BIO_free(bcert);
2N/A if (rv != KMF_OK && xcert != NULL)
2N/A X509_free(xcert);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic int
2N/Adatacmp(const void *a, const void *b)
2N/A{
2N/A KMF_DATA *adata = (KMF_DATA *)a;
2N/A KMF_DATA *bdata = (KMF_DATA *)b;
2N/A if (adata->Length > bdata->Length)
2N/A return (-1);
2N/A if (adata->Length < bdata->Length)
2N/A return (1);
2N/A return (0);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aload_certs(KMF_HANDLE *kmfh, char *issuer, char *subject, KMF_BIGINT *serial,
2N/A KMF_CERT_VALIDITY validity, char *pathname,
2N/A KMF_DATA **certlist, uint32_t *numcerts)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A int i;
2N/A KMF_DATA *certs = NULL;
2N/A int nc = 0;
2N/A int hits = 0;
2N/A KMF_ENCODE_FORMAT format;
2N/A
2N/A rv = kmf_get_file_format(pathname, &format);
2N/A if (rv != KMF_OK) {
2N/A if (rv == KMF_ERR_OPEN_FILE)
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A return (rv);
2N/A }
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A /* load a single certificate */
2N/A certs = (KMF_DATA *)malloc(sizeof (KMF_DATA));
2N/A if (certs == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A certs->Data = NULL;
2N/A certs->Length = 0;
2N/A rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
2N/A pathname, certs);
2N/A if (rv == KMF_OK) {
2N/A *certlist = certs;
2N/A *numcerts = 1;
2N/A } else {
2N/A kmf_free_data(certs);
2N/A free(certs);
2N/A certs = NULL;
2N/A }
2N/A return (rv);
2N/A } else if (format == KMF_FORMAT_PKCS12) {
2N/A /* We need a credential to access a PKCS#12 file */
2N/A rv = KMF_ERR_BAD_CERT_FORMAT;
2N/A } else if (format == KMF_FORMAT_PEM ||
2N/A format != KMF_FORMAT_PEM_KEYPAIR) {
2N/A
2N/A /* This function only works on PEM files */
2N/A rv = extract_pem(kmfh, issuer, subject, serial, pathname,
2N/A (uchar_t *)NULL, 0, NULL, &certs, &nc);
2N/A } else {
2N/A return (KMF_ERR_ENCODING);
2N/A }
2N/A
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A
2N/A for (i = 0; i < nc; i++) {
2N/A if (validity == KMF_NONEXPIRED_CERTS) {
2N/A rv = kmf_check_cert_date(kmfh, &certs[i]);
2N/A } else if (validity == KMF_EXPIRED_CERTS) {
2N/A rv = kmf_check_cert_date(kmfh, &certs[i]);
2N/A if (rv == KMF_OK)
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A if (rv == KMF_ERR_VALIDITY_PERIOD)
2N/A rv = KMF_OK;
2N/A }
2N/A if (rv != KMF_OK) {
2N/A /* Remove this cert from the list by clearing it. */
2N/A kmf_free_data(&certs[i]);
2N/A } else {
2N/A hits++; /* count valid certs found */
2N/A }
2N/A rv = KMF_OK;
2N/A }
2N/A if (rv == KMF_OK && hits > 0) {
2N/A /*
2N/A * Sort the list of certs by length to put the cleared ones
2N/A * at the end so they don't get accessed by the caller.
2N/A */
2N/A qsort((void *)certs, nc, sizeof (KMF_DATA), datacmp);
2N/A *certlist = certs;
2N/A
2N/A /* since we sorted the list, just return the number of hits */
2N/A *numcerts = hits;
2N/A } else {
2N/A if (rv == KMF_OK && hits == 0)
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A if (certs != NULL) {
2N/A free(certs);
2N/A certs = NULL;
2N/A }
2N/A }
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Akmf_load_cert(KMF_HANDLE *kmfh,
2N/A char *issuer, char *subject, KMF_BIGINT *serial,
2N/A KMF_CERT_VALIDITY validity,
2N/A char *pathname,
2N/A KMF_DATA *cert)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A X509 *x509cert = NULL;
2N/A
2N/A rv = load_X509cert(kmfh, issuer, subject, serial, pathname, &x509cert);
2N/A if (rv == KMF_OK && x509cert != NULL && cert != NULL) {
2N/A rv = ssl_cert2KMFDATA(kmfh, x509cert, cert);
2N/A if (rv != KMF_OK) {
2N/A goto cleanup;
2N/A }
2N/A if (validity == KMF_NONEXPIRED_CERTS) {
2N/A rv = kmf_check_cert_date(kmfh, cert);
2N/A } else if (validity == KMF_EXPIRED_CERTS) {
2N/A rv = kmf_check_cert_date(kmfh, cert);
2N/A if (rv == KMF_OK) {
2N/A /*
2N/A * This is a valid cert so skip it.
2N/A */
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A }
2N/A if (rv == KMF_ERR_VALIDITY_PERIOD) {
2N/A /*
2N/A * We want to return success when we
2N/A * find an invalid cert.
2N/A */
2N/A rv = KMF_OK;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A }
2N/Acleanup:
2N/A if (x509cert != NULL)
2N/A X509_free(x509cert);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AreadAltFormatPrivateKey(KMF_DATA *filedata, EVP_PKEY **pkey)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_RAW_RSA_KEY rsa;
2N/A BerElement *asn1 = NULL;
2N/A BerValue filebuf;
2N/A BerValue OID = { NULL, 0 };
2N/A BerValue *Mod = NULL, *PubExp = NULL;
2N/A BerValue *PriExp = NULL, *Prime1 = NULL, *Prime2 = NULL;
2N/A BerValue *Coef = NULL;
2N/A BIGNUM *D = NULL, *P = NULL, *Q = NULL, *COEF = NULL;
2N/A BIGNUM *Exp1 = NULL, *Exp2 = NULL, *pminus1 = NULL;
2N/A BIGNUM *qminus1 = NULL;
2N/A BN_CTX *ctx = NULL;
2N/A
2N/A *pkey = NULL;
2N/A
2N/A filebuf.bv_val = (char *)filedata->Data;
2N/A filebuf.bv_len = filedata->Length;
2N/A
2N/A asn1 = kmfder_init(&filebuf);
2N/A if (asn1 == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A if (kmfber_scanf(asn1, "{{Dn{IIIIII}}}",
2N/A &OID, &Mod, &PubExp, &PriExp, &Prime1,
2N/A &Prime2, &Coef) == -1) {
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A /*
2N/A * We have to derive the 2 Exponents using Bignumber math.
2N/A * Exp1 = PriExp mod (Prime1 - 1)
2N/A * Exp2 = PriExp mod (Prime2 - 1)
2N/A */
2N/A
2N/A /* D = PrivateExponent */
2N/A D = BN_bin2bn((const uchar_t *)PriExp->bv_val, PriExp->bv_len, D);
2N/A if (D == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A /* P = Prime1 (first prime factor of Modulus) */
2N/A P = BN_bin2bn((const uchar_t *)Prime1->bv_val, Prime1->bv_len, P);
2N/A if (D == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A /* Q = Prime2 (second prime factor of Modulus) */
2N/A Q = BN_bin2bn((const uchar_t *)Prime2->bv_val, Prime2->bv_len, Q);
2N/A
2N/A if ((ctx = BN_CTX_new()) == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A /* Compute (P - 1) */
2N/A pminus1 = BN_new();
2N/A (void) BN_sub(pminus1, P, BN_value_one());
2N/A
2N/A /* Exponent1 = D mod (P - 1) */
2N/A Exp1 = BN_new();
2N/A (void) BN_mod(Exp1, D, pminus1, ctx);
2N/A
2N/A /* Compute (Q - 1) */
2N/A qminus1 = BN_new();
2N/A (void) BN_sub(qminus1, Q, BN_value_one());
2N/A
2N/A /* Exponent2 = D mod (Q - 1) */
2N/A Exp2 = BN_new();
2N/A (void) BN_mod(Exp2, D, qminus1, ctx);
2N/A
2N/A /* Coef = (Inverse Q) mod P */
2N/A COEF = BN_new();
2N/A (void) BN_mod_inverse(COEF, Q, P, ctx);
2N/A
2N/A /* Convert back to KMF format */
2N/A (void) memset(&rsa, 0, sizeof (rsa));
2N/A
2N/A if ((ret = sslBN2KMFBN(Exp1, &rsa.exp1)) != KMF_OK)
2N/A goto out;
2N/A if ((ret = sslBN2KMFBN(Exp2, &rsa.exp2)) != KMF_OK)
2N/A goto out;
2N/A if ((ret = sslBN2KMFBN(COEF, &rsa.coef)) != KMF_OK)
2N/A goto out;
2N/A
2N/A rsa.mod.val = (uchar_t *)Mod->bv_val;
2N/A rsa.mod.len = Mod->bv_len;
2N/A
2N/A rsa.pubexp.val = (uchar_t *)PubExp->bv_val;
2N/A rsa.pubexp.len = PubExp->bv_len;
2N/A
2N/A rsa.priexp.val = (uchar_t *)PriExp->bv_val;
2N/A rsa.priexp.len = PriExp->bv_len;
2N/A
2N/A rsa.prime1.val = (uchar_t *)Prime1->bv_val;
2N/A rsa.prime1.len = Prime1->bv_len;
2N/A
2N/A rsa.prime2.val = (uchar_t *)Prime2->bv_val;
2N/A rsa.prime2.len = Prime2->bv_len;
2N/A
2N/A *pkey = ImportRawRSAKey(&rsa);
2N/Aout:
2N/A if (asn1 != NULL)
2N/A kmfber_free(asn1, 1);
2N/A
2N/A if (OID.bv_val) {
2N/A free(OID.bv_val);
2N/A }
2N/A if (PriExp)
2N/A free(PriExp);
2N/A
2N/A if (Mod)
2N/A free(Mod);
2N/A
2N/A if (PubExp)
2N/A free(PubExp);
2N/A
2N/A if (Coef) {
2N/A (void) memset(Coef->bv_val, 0, Coef->bv_len);
2N/A free(Coef->bv_val);
2N/A free(Coef);
2N/A }
2N/A if (Prime1)
2N/A free(Prime1);
2N/A if (Prime2)
2N/A free(Prime2);
2N/A
2N/A if (ctx != NULL)
2N/A BN_CTX_free(ctx);
2N/A
2N/A if (D)
2N/A BN_clear_free(D);
2N/A if (P)
2N/A BN_clear_free(P);
2N/A if (Q)
2N/A BN_clear_free(Q);
2N/A if (pminus1)
2N/A BN_clear_free(pminus1);
2N/A if (qminus1)
2N/A BN_clear_free(qminus1);
2N/A if (Exp1)
2N/A BN_clear_free(Exp1);
2N/A if (Exp2)
2N/A BN_clear_free(Exp2);
2N/A
2N/A return (ret);
2N/A
2N/A}
2N/A
2N/Astatic EVP_PKEY *
2N/Aopenssl_load_key(KMF_HANDLE_T handle, const char *file)
2N/A{
2N/A BIO *keyfile = NULL;
2N/A EVP_PKEY *pkey = NULL;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_ENCODE_FORMAT format;
2N/A KMF_RETURN rv;
2N/A KMF_DATA filedata;
2N/A
2N/A if (file == NULL) {
2N/A return (NULL);
2N/A }
2N/A
2N/A if (kmf_get_file_format((char *)file, &format) != KMF_OK)
2N/A return (NULL);
2N/A
2N/A keyfile = BIO_new_file(file, "rb");
2N/A if (keyfile == NULL) {
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A pkey = d2i_PrivateKey_bio(keyfile, NULL);
2N/A if (pkey == NULL) {
2N/A
2N/A (void) BIO_free(keyfile);
2N/A keyfile = NULL;
2N/A /* Try odd ASN.1 variations */
2N/A rv = kmf_read_input_file(kmfh, (char *)file,
2N/A &filedata);
2N/A if (rv == KMF_OK) {
2N/A (void) readAltFormatPrivateKey(&filedata,
2N/A &pkey);
2N/A kmf_free_data(&filedata);
2N/A }
2N/A }
2N/A } else if (format == KMF_FORMAT_PEM ||
2N/A format == KMF_FORMAT_PEM_KEYPAIR) {
2N/A pkey = PEM_read_bio_PrivateKey(keyfile, NULL, NULL, NULL);
2N/A if (pkey == NULL) {
2N/A KMF_DATA derdata;
2N/A /*
2N/A * Check if this is the alt. format
2N/A * RSA private key file.
2N/A */
2N/A rv = kmf_read_input_file(kmfh, (char *)file,
2N/A &filedata);
2N/A if (rv == KMF_OK) {
2N/A uchar_t *d = NULL;
2N/A int len;
2N/A rv = kmf_pem_to_der(filedata.Data,
2N/A filedata.Length, &d, &len);
2N/A if (rv == KMF_OK && d != NULL) {
2N/A derdata.Data = d;
2N/A derdata.Length = (size_t)len;
2N/A (void) readAltFormatPrivateKey(
2N/A &derdata, &pkey);
2N/A free(d);
2N/A }
2N/A kmf_free_data(&filedata);
2N/A }
2N/A }
2N/A }
2N/A
2N/Aend:
2N/A if (pkey == NULL)
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A
2N/A if (keyfile != NULL)
2N/A (void) BIO_free(keyfile);
2N/A
2N/A return (pkey);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A int i, n;
2N/A uint32_t maxcerts = 0;
2N/A uint32_t *num_certs;
2N/A KMF_X509_DER_CERT *kmf_cert = NULL;
2N/A char *dirpath = NULL;
2N/A char *filename = NULL;
2N/A char *fullpath = NULL;
2N/A char *issuer = NULL;
2N/A char *subject = NULL;
2N/A KMF_BIGINT *serial = NULL;
2N/A KMF_CERT_VALIDITY validity;
2N/A
2N/A num_certs = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
2N/A if (num_certs == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* num_certs should reference the size of kmf_cert */
2N/A maxcerts = *num_certs;
2N/A if (maxcerts == 0)
2N/A maxcerts = 0xFFFFFFFF;
2N/A *num_certs = 0;
2N/A
2N/A /* Get the optional returned certificate list */
2N/A kmf_cert = kmf_get_attr_ptr(KMF_X509_DER_CERT_ATTR, attrlist,
2N/A numattr);
2N/A
2N/A /*
2N/A * The dirpath attribute and the filename attribute can not be NULL
2N/A * at the same time.
2N/A */
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
2N/A numattr);
2N/A
2N/A fullpath = get_fullpath(dirpath, filename);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Get optional search criteria attributes */
2N/A issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
2N/A subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
2N/A serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
2N/A rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
2N/A &validity, NULL);
2N/A if (rv != KMF_OK) {
2N/A validity = KMF_ALL_CERTS;
2N/A rv = KMF_OK;
2N/A }
2N/A
2N/A if (isdir(fullpath)) {
2N/A DIR *dirp;
2N/A struct dirent *dp;
2N/A
2N/A n = 0;
2N/A /* open all files in the directory and attempt to read them */
2N/A if ((dirp = opendir(fullpath)) == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A while ((dp = readdir(dirp)) != NULL) {
2N/A char *fname;
2N/A KMF_DATA *certlist = NULL;
2N/A uint32_t loaded_certs = 0;
2N/A
2N/A if (strcmp(dp->d_name, ".") == 0 ||
2N/A strcmp(dp->d_name, "..") == 0)
2N/A continue;
2N/A
2N/A fname = get_fullpath(fullpath, (char *)&dp->d_name);
2N/A
2N/A rv = load_certs(kmfh, issuer, subject, serial,
2N/A validity, fname, &certlist, &loaded_certs);
2N/A
2N/A if (rv != KMF_OK) {
2N/A free(fname);
2N/A if (certlist != NULL) {
2N/A for (i = 0; i < loaded_certs; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A free(certlist);
2N/A }
2N/A continue;
2N/A }
2N/A
2N/A /* If load succeeds, add certdata to the list */
2N/A if (kmf_cert != NULL) {
2N/A for (i = 0; i < loaded_certs &&
2N/A n < maxcerts; i++) {
2N/A kmf_cert[n].certificate.Data =
2N/A certlist[i].Data;
2N/A kmf_cert[n].certificate.Length =
2N/A certlist[i].Length;
2N/A
2N/A kmf_cert[n].kmf_private.keystore_type =
2N/A KMF_KEYSTORE_OPENSSL;
2N/A kmf_cert[n].kmf_private.flags =
2N/A KMF_FLAG_CERT_VALID;
2N/A kmf_cert[n].kmf_private.label =
2N/A strdup(fname);
2N/A n++;
2N/A }
2N/A /*
2N/A * If maxcerts < loaded_certs, clean up the
2N/A * certs that were not used.
2N/A */
2N/A for (; i < loaded_certs; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A } else {
2N/A for (i = 0; i < loaded_certs; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A n += loaded_certs;
2N/A }
2N/A free(certlist);
2N/A free(fname);
2N/A }
2N/A (*num_certs) = n;
2N/A if (*num_certs == 0)
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A if (*num_certs > 0)
2N/A rv = KMF_OK;
2N/Aexit:
2N/A (void) closedir(dirp);
2N/A } else {
2N/A KMF_DATA *certlist = NULL;
2N/A uint32_t loaded_certs = 0;
2N/A
2N/A rv = load_certs(kmfh, issuer, subject, serial, validity,
2N/A fullpath, &certlist, &loaded_certs);
2N/A if (rv != KMF_OK) {
2N/A free(fullpath);
2N/A return (rv);
2N/A }
2N/A
2N/A n = 0;
2N/A if (kmf_cert != NULL && certlist != NULL) {
2N/A for (i = 0; i < loaded_certs && i < maxcerts; i++) {
2N/A kmf_cert[n].certificate.Data =
2N/A certlist[i].Data;
2N/A kmf_cert[n].certificate.Length =
2N/A certlist[i].Length;
2N/A kmf_cert[n].kmf_private.keystore_type =
2N/A KMF_KEYSTORE_OPENSSL;
2N/A kmf_cert[n].kmf_private.flags =
2N/A KMF_FLAG_CERT_VALID;
2N/A kmf_cert[n].kmf_private.label =
2N/A strdup(fullpath);
2N/A n++;
2N/A }
2N/A /* If maxcerts < loaded_certs, clean up */
2N/A for (; i < loaded_certs; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A } else if (certlist != NULL) {
2N/A for (i = 0; i < loaded_certs; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A n = loaded_certs;
2N/A }
2N/A if (certlist != NULL)
2N/A free(certlist);
2N/A *num_certs = n;
2N/A }
2N/A
2N/A free(fullpath);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Avoid
2N/A/*ARGSUSED*/
2N/AOpenSSL_FreeKMFCert(KMF_HANDLE_T handle,
2N/A KMF_X509_DER_CERT *kmf_cert)
2N/A{
2N/A if (kmf_cert != NULL) {
2N/A if (kmf_cert->certificate.Data != NULL) {
2N/A kmf_free_data(&kmf_cert->certificate);
2N/A }
2N/A if (kmf_cert->kmf_private.label)
2N/A free(kmf_cert->kmf_private.label);
2N/A }
2N/A}
2N/A
2N/A/*ARGSUSED*/
2N/AKMF_RETURN
2N/AOpenSSL_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_DATA *cert = NULL;
2N/A char *outfilename = NULL;
2N/A char *dirpath = NULL;
2N/A char *fullpath = NULL;
2N/A KMF_ENCODE_FORMAT format;
2N/A
2N/A /* Get the cert data */
2N/A cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
2N/A if (cert == NULL || cert->Data == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Check the output filename and directory attributes. */
2N/A outfilename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
2N/A numattr);
2N/A if (outfilename == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A fullpath = get_fullpath(dirpath, outfilename);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_CERTFILE);
2N/A
2N/A /* Check the optional format attribute */
2N/A ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
2N/A &format, NULL);
2N/A if (ret != KMF_OK) {
2N/A /* If there is no format attribute, then default to PEM */
2N/A format = KMF_FORMAT_PEM;
2N/A ret = KMF_OK;
2N/A } else if (format != KMF_FORMAT_ASN1 && format != KMF_FORMAT_PEM) {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A /* Store the certificate in the file with the specified format */
2N/A ret = kmf_create_cert_file(cert, format, fullpath);
2N/A
2N/Aout:
2N/A if (fullpath != NULL)
2N/A free(fullpath);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DeleteCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_DATA certdata = {NULL, 0};
2N/A char *dirpath = NULL;
2N/A char *filename = NULL;
2N/A char *fullpath = NULL;
2N/A char *issuer = NULL;
2N/A char *subject = NULL;
2N/A KMF_BIGINT *serial = NULL;
2N/A KMF_CERT_VALIDITY validity;
2N/A
2N/A /*
2N/A * Get the DIRPATH and CERT_FILENAME attributes. They can not be
2N/A * NULL at the same time.
2N/A */
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
2N/A numattr);
2N/A fullpath = get_fullpath(dirpath, filename);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Get optional search criteria attributes */
2N/A issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
2N/A subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
2N/A serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
2N/A rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
2N/A &validity, NULL);
2N/A if (rv != KMF_OK) {
2N/A validity = KMF_ALL_CERTS;
2N/A rv = KMF_OK;
2N/A }
2N/A
2N/A if (isdir(fullpath)) {
2N/A DIR *dirp;
2N/A struct dirent *dp;
2N/A
2N/A /* open all files in the directory and attempt to read them */
2N/A if ((dirp = opendir(fullpath)) == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A while ((dp = readdir(dirp)) != NULL) {
2N/A if (strcmp(dp->d_name, ".") != 0 &&
2N/A strcmp(dp->d_name, "..") != 0) {
2N/A char *fname;
2N/A
2N/A fname = get_fullpath(fullpath,
2N/A (char *)&dp->d_name);
2N/A
2N/A if (fname == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A break;
2N/A }
2N/A
2N/A rv = kmf_load_cert(kmfh, issuer, subject,
2N/A serial, validity, fname, &certdata);
2N/A
2N/A if (rv == KMF_ERR_CERT_NOT_FOUND) {
2N/A free(fname);
2N/A kmf_free_data(&certdata);
2N/A rv = KMF_OK;
2N/A continue;
2N/A } else if (rv != KMF_OK) {
2N/A free(fname);
2N/A break;
2N/A }
2N/A
2N/A if (unlink(fname) != 0) {
2N/A SET_SYS_ERROR(kmfh, errno);
2N/A rv = KMF_ERR_INTERNAL;
2N/A free(fname);
2N/A break;
2N/A }
2N/A free(fname);
2N/A kmf_free_data(&certdata);
2N/A }
2N/A }
2N/A (void) closedir(dirp);
2N/A } else {
2N/A /* Just try to load a single certificate */
2N/A rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
2N/A fullpath, &certdata);
2N/A if (rv == KMF_OK) {
2N/A if (unlink(fullpath) != 0) {
2N/A SET_SYS_ERROR(kmfh, errno);
2N/A rv = KMF_ERR_INTERNAL;
2N/A }
2N/A }
2N/A }
2N/A
2N/Aout:
2N/A if (fullpath != NULL)
2N/A free(fullpath);
2N/A
2N/A kmf_free_data(&certdata);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
2N/A KMF_DATA *keydata)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A int n;
2N/A
2N/A if (key == NULL || keydata == NULL ||
2N/A key->keyp == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (key->keyalg == KMF_RSA) {
2N/A RSA *pubkey = EVP_PKEY_get1_RSA(key->keyp);
2N/A
2N/A if (!(n = i2d_RSA_PUBKEY(pubkey, &keydata->Data))) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A return (KMF_ERR_ENCODING);
2N/A }
2N/A RSA_free(pubkey);
2N/A } else if (key->keyalg == KMF_DSA) {
2N/A DSA *pubkey = EVP_PKEY_get1_DSA(key->keyp);
2N/A
2N/A if (!(n = i2d_DSA_PUBKEY(pubkey, &keydata->Data))) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A return (KMF_ERR_ENCODING);
2N/A }
2N/A DSA_free(pubkey);
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A keydata->Length = n;
2N/A
2N/Acleanup:
2N/A if (rv != KMF_OK) {
2N/A if (keydata->Data)
2N/A free(keydata->Data);
2N/A keydata->Data = NULL;
2N/A keydata->Length = 0;
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Assl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out,
2N/A KMF_CREDENTIAL *cred, EVP_PKEY *pkey, boolean_t private)
2N/A{
2N/A int rv = 0;
2N/A RSA *rsa;
2N/A DSA *dsa;
2N/A
2N/A if (pkey == NULL || out == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A switch (format) {
2N/A case KMF_FORMAT_RAWKEY:
2N/A /* same as ASN.1 */
2N/A case KMF_FORMAT_ASN1:
2N/A if (pkey->type == EVP_PKEY_RSA) {
2N/A rsa = EVP_PKEY_get1_RSA(pkey);
2N/A if (private)
2N/A rv = i2d_RSAPrivateKey_bio(out, rsa);
2N/A else
2N/A rv = i2d_RSAPublicKey_bio(out, rsa);
2N/A RSA_free(rsa);
2N/A } else if (pkey->type == EVP_PKEY_DSA) {
2N/A dsa = EVP_PKEY_get1_DSA(pkey);
2N/A rv = i2d_DSAPrivateKey_bio(out, dsa);
2N/A DSA_free(dsa);
2N/A }
2N/A if (rv == 1) {
2N/A rv = KMF_OK;
2N/A } else {
2N/A SET_ERROR(kmfh, rv);
2N/A }
2N/A break;
2N/A case KMF_FORMAT_PEM:
2N/A if (pkey->type == EVP_PKEY_RSA) {
2N/A rsa = EVP_PKEY_get1_RSA(pkey);
2N/A if (private)
2N/A rv = PEM_write_bio_RSAPrivateKey(out,
2N/A rsa, NULL, NULL, 0, NULL,
2N/A (cred != NULL ? cred->cred : NULL));
2N/A else
2N/A rv = PEM_write_bio_RSAPublicKey(out,
2N/A rsa);
2N/A RSA_free(rsa);
2N/A } else if (pkey->type == EVP_PKEY_DSA) {
2N/A dsa = EVP_PKEY_get1_DSA(pkey);
2N/A rv = PEM_write_bio_DSAPrivateKey(out,
2N/A dsa, NULL, NULL, 0, NULL,
2N/A (cred != NULL ? cred->cred : NULL));
2N/A DSA_free(dsa);
2N/A }
2N/A
2N/A if (rv == 1) {
2N/A rv = KMF_OK;
2N/A } else {
2N/A SET_ERROR(kmfh, rv);
2N/A }
2N/A break;
2N/A
2N/A default:
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
2N/A KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A uint32_t eValue = 0x010001;
2N/A RSA *sslPrivKey = NULL;
2N/A DSA *sslDSAKey = NULL;
2N/A EVP_PKEY *eprikey = NULL;
2N/A EVP_PKEY *epubkey = NULL;
2N/A BIO *out = NULL;
2N/A KMF_KEY_HANDLE *pubkey = NULL, *privkey = NULL;
2N/A uint32_t keylen = 1024;
2N/A uint32_t keylen_size = sizeof (uint32_t);
2N/A boolean_t storekey = TRUE;
2N/A KMF_KEY_ALG keytype = KMF_RSA;
2N/A
2N/A rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
2N/A &storekey, NULL);
2N/A if (rv != KMF_OK) {
2N/A /* "storekey" is optional. Default is TRUE */
2N/A rv = KMF_OK;
2N/A }
2N/A
2N/A rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
2N/A (void *)&keytype, NULL);
2N/A if (rv != KMF_OK)
2N/A /* keytype is optional. KMF_RSA is default */
2N/A rv = KMF_OK;
2N/A
2N/A pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (pubkey == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (privkey == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A (void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE));
2N/A (void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE));
2N/A
2N/A eprikey = EVP_PKEY_new();
2N/A if (eprikey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A epubkey = EVP_PKEY_new();
2N/A if (epubkey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A if (keytype == KMF_RSA) {
2N/A KMF_BIGINT *rsaexp = NULL;
2N/A
2N/A rsaexp = kmf_get_attr_ptr(KMF_RSAEXP_ATTR, attrlist, numattr);
2N/A if (rsaexp != NULL) {
2N/A if (rsaexp->len > 0 &&
2N/A rsaexp->len <= sizeof (eValue) &&
2N/A rsaexp->val != NULL) {
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A eValue = *(uint32_t *)rsaexp->val;
2N/A } else {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A } else {
2N/A /* RSA Exponent is optional. Default is 0x10001 */
2N/A rv = KMF_OK;
2N/A }
2N/A
2N/A rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
2N/A &keylen, &keylen_size);
2N/A if (rv == KMF_ERR_ATTR_NOT_FOUND)
2N/A /* keylen is optional, default is 1024 */
2N/A rv = KMF_OK;
2N/A if (rv != KMF_OK) {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A
2N/A sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL);
2N/A if (sslPrivKey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A } else {
2N/A (void) EVP_PKEY_set1_RSA(eprikey, sslPrivKey);
2N/A privkey->kstype = KMF_KEYSTORE_OPENSSL;
2N/A privkey->keyalg = KMF_RSA;
2N/A privkey->keyclass = KMF_ASYM_PRI;
2N/A privkey->israw = FALSE;
2N/A privkey->keyp = (void *)eprikey;
2N/A
2N/A /* OpenSSL derives the public key from the private */
2N/A (void) EVP_PKEY_set1_RSA(epubkey, sslPrivKey);
2N/A pubkey->kstype = KMF_KEYSTORE_OPENSSL;
2N/A pubkey->keyalg = KMF_RSA;
2N/A pubkey->israw = FALSE;
2N/A pubkey->keyclass = KMF_ASYM_PUB;
2N/A pubkey->keyp = (void *)epubkey;
2N/A }
2N/A } else if (keytype == KMF_DSA) {
2N/A DSA *dp;
2N/A sslDSAKey = DSA_new();
2N/A if (sslDSAKey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
2N/A NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
2N/A NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
2N/A NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (!DSA_generate_key(sslDSAKey)) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A
2N/A privkey->kstype = KMF_KEYSTORE_OPENSSL;
2N/A privkey->keyalg = KMF_DSA;
2N/A privkey->keyclass = KMF_ASYM_PRI;
2N/A privkey->israw = FALSE;
2N/A if (EVP_PKEY_set1_DSA(eprikey, sslDSAKey)) {
2N/A privkey->keyp = (void *)eprikey;
2N/A } else {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A dp = DSA_new();
2N/A /* Make a copy for the public key */
2N/A if (dp != NULL) {
2N/A if ((dp->p = BN_new()) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_MEMORY;
2N/A DSA_free(dp);
2N/A goto cleanup;
2N/A }
2N/A if ((dp->q = BN_new()) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_MEMORY;
2N/A BN_free(dp->p);
2N/A DSA_free(dp);
2N/A goto cleanup;
2N/A }
2N/A if ((dp->g = BN_new()) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_MEMORY;
2N/A BN_free(dp->q);
2N/A BN_free(dp->p);
2N/A DSA_free(dp);
2N/A goto cleanup;
2N/A }
2N/A if ((dp->pub_key = BN_new()) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_MEMORY;
2N/A BN_free(dp->q);
2N/A BN_free(dp->p);
2N/A BN_free(dp->g);
2N/A DSA_free(dp);
2N/A goto cleanup;
2N/A }
2N/A (void) BN_copy(dp->p, sslDSAKey->p);
2N/A (void) BN_copy(dp->q, sslDSAKey->q);
2N/A (void) BN_copy(dp->g, sslDSAKey->g);
2N/A (void) BN_copy(dp->pub_key, sslDSAKey->pub_key);
2N/A
2N/A pubkey->kstype = KMF_KEYSTORE_OPENSSL;
2N/A pubkey->keyalg = KMF_DSA;
2N/A pubkey->keyclass = KMF_ASYM_PUB;
2N/A pubkey->israw = FALSE;
2N/A
2N/A if (EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) {
2N/A pubkey->keyp = (void *)epubkey;
2N/A } else {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_KEYGEN_FAILED;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A }
2N/A
2N/A if (rv != KMF_OK) {
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (storekey) {
2N/A KMF_ATTRIBUTE storeattrs[4]; /* max. 4 attributes needed */
2N/A int i = 0;
2N/A char *keyfile = NULL, *dirpath = NULL;
2N/A KMF_ENCODE_FORMAT format;
2N/A /*
2N/A * Construct a new attribute arrray and call openssl_store_key
2N/A */
2N/A kmf_set_attr_at_index(storeattrs, i, KMF_PRIVKEY_HANDLE_ATTR,
2N/A privkey, sizeof (privkey));
2N/A i++;
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A if (dirpath != NULL) {
2N/A storeattrs[i].type = KMF_DIRPATH_ATTR;
2N/A storeattrs[i].pValue = dirpath;
2N/A storeattrs[i].valueLen = strlen(dirpath);
2N/A i++;
2N/A } else {
2N/A rv = KMF_OK; /* DIRPATH is optional */
2N/A }
2N/A keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR,
2N/A attrlist, numattr);
2N/A if (keyfile != NULL) {
2N/A storeattrs[i].type = KMF_KEY_FILENAME_ATTR;
2N/A storeattrs[i].pValue = keyfile;
2N/A storeattrs[i].valueLen = strlen(keyfile);
2N/A i++;
2N/A } else {
2N/A goto cleanup; /* KEYFILE is required */
2N/A }
2N/A rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
2N/A (void *)&format, NULL);
2N/A if (rv == KMF_OK) {
2N/A storeattrs[i].type = KMF_ENCODE_FORMAT_ATTR;
2N/A storeattrs[i].pValue = &format;
2N/A storeattrs[i].valueLen = sizeof (format);
2N/A i++;
2N/A }
2N/A
2N/A rv = OpenSSL_StoreKey(handle, i, storeattrs);
2N/A }
2N/A
2N/Acleanup:
2N/A if (rv != KMF_OK) {
2N/A if (eprikey != NULL)
2N/A EVP_PKEY_free(eprikey);
2N/A
2N/A if (epubkey != NULL)
2N/A EVP_PKEY_free(epubkey);
2N/A
2N/A if (pubkey->keylabel) {
2N/A free(pubkey->keylabel);
2N/A pubkey->keylabel = NULL;
2N/A }
2N/A
2N/A if (privkey->keylabel) {
2N/A free(privkey->keylabel);
2N/A privkey->keylabel = NULL;
2N/A }
2N/A
2N/A pubkey->keyp = NULL;
2N/A privkey->keyp = NULL;
2N/A }
2N/A
2N/A if (sslPrivKey)
2N/A RSA_free(sslPrivKey);
2N/A
2N/A if (sslDSAKey)
2N/A DSA_free(sslDSAKey);
2N/A
2N/A if (out != NULL)
2N/A (void) BIO_free(out);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/A/*
2N/A * Make sure the BN conversion is properly padded with 0x00
2N/A * bytes. If not, signature verification for DSA signatures
2N/A * may fail in the case where the bignum value does not use
2N/A * all of the bits.
2N/A */
2N/Astatic int
2N/Afixbnlen(BIGNUM *bn, unsigned char *buf, int len) {
2N/A int bytes = len - BN_num_bytes(bn);
2N/A
2N/A /* prepend with leading 0x00 if necessary */
2N/A while (bytes-- > 0)
2N/A *buf++ = 0;
2N/A
2N/A (void) BN_bn2bin(bn, buf);
2N/A /*
2N/A * Return the desired length since we prepended it
2N/A * with the necessary 0x00 padding.
2N/A */
2N/A return (len);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
2N/A KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_ALGORITHM_INDEX AlgId;
2N/A EVP_MD_CTX ctx;
2N/A const EVP_MD *md;
2N/A
2N/A if (key == NULL || AlgOID == NULL ||
2N/A tobesigned == NULL || output == NULL ||
2N/A tobesigned->Data == NULL ||
2N/A output->Data == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Map the OID to an OpenSSL algorithm */
2N/A AlgId = x509_algoid_to_algid(AlgOID);
2N/A if (AlgId == KMF_ALGID_NONE)
2N/A return (KMF_ERR_BAD_ALGORITHM);
2N/A
2N/A if (key->keyalg == KMF_RSA) {
2N/A EVP_PKEY *pkey = (EVP_PKEY *)key->keyp;
2N/A uchar_t *p;
2N/A int len;
2N/A if (AlgId == KMF_ALGID_MD5WithRSA)
2N/A md = EVP_md5();
2N/A else if (AlgId == KMF_ALGID_MD2WithRSA)
2N/A md = EVP_md2();
2N/A else if (AlgId == KMF_ALGID_SHA1WithRSA)
2N/A md = EVP_sha1();
2N/A else if (AlgId == KMF_ALGID_SHA256WithRSA)
2N/A md = EVP_sha256();
2N/A else if (AlgId == KMF_ALGID_SHA384WithRSA)
2N/A md = EVP_sha384();
2N/A else if (AlgId == KMF_ALGID_SHA512WithRSA)
2N/A md = EVP_sha512();
2N/A else if (AlgId == KMF_ALGID_RSA)
2N/A md = NULL;
2N/A else
2N/A return (KMF_ERR_BAD_ALGORITHM);
2N/A
2N/A if ((md == NULL) && (AlgId == KMF_ALGID_RSA)) {
2N/A RSA *rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)pkey);
2N/A
2N/A p = output->Data;
2N/A if ((len = RSA_private_encrypt(tobesigned->Length,
2N/A tobesigned->Data, p, rsa,
2N/A RSA_PKCS1_PADDING)) <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_INTERNAL;
2N/A }
2N/A output->Length = len;
2N/A } else {
2N/A (void) EVP_MD_CTX_init(&ctx);
2N/A (void) EVP_SignInit_ex(&ctx, md, NULL);
2N/A (void) EVP_SignUpdate(&ctx, tobesigned->Data,
2N/A (uint32_t)tobesigned->Length);
2N/A len = (uint32_t)output->Length;
2N/A p = output->Data;
2N/A if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A len = 0;
2N/A ret = KMF_ERR_INTERNAL;
2N/A }
2N/A output->Length = len;
2N/A (void) EVP_MD_CTX_cleanup(&ctx);
2N/A }
2N/A } else if (key->keyalg == KMF_DSA) {
2N/A DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
2N/A
2N/A uchar_t hash[EVP_MAX_MD_SIZE];
2N/A uint32_t hashlen;
2N/A DSA_SIG *dsasig;
2N/A
2N/A if (AlgId == KMF_ALGID_DSA ||
2N/A AlgId == KMF_ALGID_SHA1WithDSA)
2N/A md = EVP_sha1();
2N/A else if (AlgId == KMF_ALGID_SHA256WithDSA)
2N/A md = EVP_sha256();
2N/A else /* Bad algorithm */
2N/A return (KMF_ERR_BAD_ALGORITHM);
2N/A
2N/A /*
2N/A * OpenSSL EVP_Sign operation automatically converts to
2N/A * ASN.1 output so we do the operations separately so we
2N/A * are assured of NOT getting ASN.1 output returned.
2N/A * KMF does not want ASN.1 encoded results because
2N/A * not all mechanisms return ASN.1 encodings (PKCS#11
2N/A * and NSS return raw signature data).
2N/A */
2N/A EVP_MD_CTX_init(&ctx);
2N/A (void) EVP_DigestInit_ex(&ctx, md, NULL);
2N/A (void) EVP_DigestUpdate(&ctx, tobesigned->Data,
2N/A tobesigned->Length);
2N/A (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen);
2N/A
2N/A /* Only sign first 20 bytes for SHA2 */
2N/A if (AlgId == KMF_ALGID_SHA256WithDSA)
2N/A hashlen = 20;
2N/A dsasig = DSA_do_sign(hash, hashlen, dsa);
2N/A if (dsasig != NULL) {
2N/A int i;
2N/A output->Length = i = fixbnlen(dsasig->r, output->Data,
2N/A hashlen);
2N/A
2N/A output->Length += fixbnlen(dsasig->s, &output->Data[i],
2N/A hashlen);
2N/A
2N/A DSA_SIG_free(dsasig);
2N/A } else {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A }
2N/A (void) EVP_MD_CTX_cleanup(&ctx);
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/Acleanup:
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/A/*ARGSUSED*/
2N/AOpenSSL_DeleteKey(KMF_HANDLE_T handle,
2N/A int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_KEY_HANDLE *key;
2N/A boolean_t destroy = B_TRUE;
2N/A
2N/A key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (key == NULL || key->keyp == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A rv = kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
2N/A (void *)&destroy, NULL);
2N/A if (rv != KMF_OK) {
2N/A /* "destroy" is optional. Default is TRUE */
2N/A rv = KMF_OK;
2N/A }
2N/A
2N/A if (key->keyclass != KMF_ASYM_PUB &&
2N/A key->keyclass != KMF_ASYM_PRI &&
2N/A key->keyclass != KMF_SYMMETRIC)
2N/A return (KMF_ERR_BAD_KEY_CLASS);
2N/A
2N/A if (key->keyclass == KMF_SYMMETRIC) {
2N/A kmf_free_raw_sym_key((KMF_RAW_SYM_KEY *)key->keyp);
2N/A key->keyp = NULL;
2N/A } else {
2N/A if (key->keyp != NULL) {
2N/A EVP_PKEY_free(key->keyp);
2N/A key->keyp = NULL;
2N/A }
2N/A }
2N/A
2N/A if (key->keylabel != NULL) {
2N/A EVP_PKEY *pkey = NULL;
2N/A /* If the file exists, make sure it is a proper key. */
2N/A pkey = openssl_load_key(handle, key->keylabel);
2N/A if (pkey == NULL) {
2N/A if (key->keylabel != NULL) {
2N/A free(key->keylabel);
2N/A key->keylabel = NULL;
2N/A }
2N/A return (KMF_ERR_KEY_NOT_FOUND);
2N/A }
2N/A EVP_PKEY_free(pkey);
2N/A
2N/A if (destroy) {
2N/A if (unlink(key->keylabel) != 0) {
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A SET_SYS_ERROR(kmfh, errno);
2N/A rv = KMF_ERR_INTERNAL;
2N/A }
2N/A }
2N/A if (key->keylabel != NULL) {
2N/A free(key->keylabel);
2N/A key->keylabel = NULL;
2N/A }
2N/A }
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A char str[256]; /* OpenSSL needs at least 120 byte buffer */
2N/A
2N/A ERR_error_string_n(kmfh->lasterr.errcode, str, sizeof (str));
2N/A if (strlen(str)) {
2N/A *msgstr = (char *)strdup(str);
2N/A if ((*msgstr) == NULL)
2N/A ret = KMF_ERR_MEMORY;
2N/A } else {
2N/A *msgstr = NULL;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic int
2N/Aext2NID(int kmfext)
2N/A{
2N/A switch (kmfext) {
2N/A case KMF_X509_EXT_KEY_USAGE:
2N/A return (NID_key_usage);
2N/A case KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD:
2N/A return (NID_private_key_usage_period);
2N/A case KMF_X509_EXT_CERT_POLICIES:
2N/A return (NID_certificate_policies);
2N/A case KMF_X509_EXT_SUBJ_ALTNAME:
2N/A return (NID_subject_alt_name);
2N/A case KMF_X509_EXT_ISSUER_ALTNAME:
2N/A return (NID_issuer_alt_name);
2N/A case KMF_X509_EXT_BASIC_CONSTRAINTS:
2N/A return (NID_basic_constraints);
2N/A case KMF_X509_EXT_EXT_KEY_USAGE:
2N/A return (NID_ext_key_usage);
2N/A case KMF_X509_EXT_AUTH_KEY_ID:
2N/A return (NID_authority_key_identifier);
2N/A case KMF_X509_EXT_CRL_DIST_POINTS:
2N/A return (NID_crl_distribution_points);
2N/A case KMF_X509_EXT_SUBJ_KEY_ID:
2N/A return (NID_subject_key_identifier);
2N/A case KMF_X509_EXT_POLICY_MAPPINGS:
2N/A return (OBJ_sn2nid("policyMappings"));
2N/A case KMF_X509_EXT_NAME_CONSTRAINTS:
2N/A return (OBJ_sn2nid("nameConstraints"));
2N/A case KMF_X509_EXT_POLICY_CONSTRAINTS:
2N/A return (OBJ_sn2nid("policyConstraints"));
2N/A case KMF_X509_EXT_INHIBIT_ANY_POLICY:
2N/A return (OBJ_sn2nid("inhibitAnyPolicy"));
2N/A case KMF_X509_EXT_FRESHEST_CRL:
2N/A return (OBJ_sn2nid("freshestCRL"));
2N/A default:
2N/A return (NID_undef);
2N/A }
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
2N/A KMF_PRINTABLE_ITEM flag, char *resultStr)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A X509 *xcert = NULL;
2N/A unsigned char *outbuf = NULL;
2N/A unsigned char *outbuf_p;
2N/A char *tmpstr = NULL;
2N/A int j;
2N/A int ext_index, nid, len;
2N/A BIO *mem = NULL;
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A STACK *emlst = NULL;
2N/A#else
2N/A STACK_OF(OPENSSL_STRING) *emlst = NULL;
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A
2N/A X509_EXTENSION *ex;
2N/A X509_CINF *ci;
2N/A
2N/A if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /* copy cert data to outbuf */
2N/A outbuf = malloc(pcert->Length);
2N/A if (outbuf == NULL) {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A (void) memcpy(outbuf, pcert->Data, pcert->Length);
2N/A
2N/A outbuf_p = outbuf; /* use a temp pointer; required by openssl */
2N/A xcert = d2i_X509(NULL, (const uchar_t **)&outbuf_p, pcert->Length);
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A mem = BIO_new(BIO_s_mem());
2N/A if (mem == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A switch (flag) {
2N/A case KMF_CERT_ISSUER:
2N/A (void) X509_NAME_print_ex(mem, X509_get_issuer_name(xcert), 0,
2N/A XN_FLAG_SEP_CPLUS_SPC);
2N/A len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A break;
2N/A
2N/A case KMF_CERT_SUBJECT:
2N/A (void) X509_NAME_print_ex(mem, X509_get_subject_name(xcert), 0,
2N/A XN_FLAG_SEP_CPLUS_SPC);
2N/A len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A break;
2N/A
2N/A case KMF_CERT_VERSION:
2N/A tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
2N/A (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
2N/A OPENSSL_free(tmpstr);
2N/A len = strlen(resultStr);
2N/A break;
2N/A
2N/A case KMF_CERT_SERIALNUM:
2N/A if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
2N/A (void) strcpy(resultStr, "0x");
2N/A len = BIO_gets(mem, &resultStr[2],
2N/A KMF_CERT_PRINTABLE_LEN - 2);
2N/A }
2N/A break;
2N/A
2N/A case KMF_CERT_NOTBEFORE:
2N/A (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
2N/A len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A break;
2N/A
2N/A case KMF_CERT_NOTAFTER:
2N/A (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
2N/A len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A break;
2N/A
2N/A case KMF_CERT_PUBKEY_DATA:
2N/A {
2N/A EVP_PKEY *pkey = X509_get_pubkey(xcert);
2N/A if (pkey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A
2N/A if (pkey->type == EVP_PKEY_RSA) {
2N/A (void) BIO_printf(mem,
2N/A "RSA Public Key: (%d bit)\n",
2N/A BN_num_bits(pkey->pkey.rsa->n));
2N/A (void) RSA_print(mem, pkey->pkey.rsa, 0);
2N/A } else if (pkey->type == EVP_PKEY_DSA) {
2N/A (void) BIO_printf(mem,
2N/A "%12sDSA Public Key:\n", "");
2N/A (void) DSA_print(mem, pkey->pkey.dsa, 0);
2N/A } else {
2N/A (void) BIO_printf(mem,
2N/A "%12sUnknown Public Key:\n", "");
2N/A }
2N/A (void) BIO_printf(mem, "\n");
2N/A EVP_PKEY_free(pkey);
2N/A }
2N/A len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A break;
2N/A case KMF_CERT_SIGNATURE_ALG:
2N/A case KMF_CERT_PUBKEY_ALG:
2N/A if (flag == KMF_CERT_SIGNATURE_ALG) {
2N/A len = i2a_ASN1_OBJECT(mem,
2N/A xcert->sig_alg->algorithm);
2N/A } else {
2N/A len = i2a_ASN1_OBJECT(mem,
2N/A xcert->cert_info->key->algor->algorithm);
2N/A }
2N/A
2N/A if (len > 0) {
2N/A len = BIO_read(mem, resultStr,
2N/A KMF_CERT_PRINTABLE_LEN);
2N/A }
2N/A break;
2N/A
2N/A case KMF_CERT_EMAIL:
2N/A emlst = X509_get1_email(xcert);
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A for (j = 0; j < sk_num((const STACK *)emlst); j++)
2N/A (void) BIO_printf(mem, "%s\n",
2N/A sk_value((const STACK *)emlst, j));
2N/A#else
2N/A for (j = 0; j < sk_num((const _STACK *)emlst); j++)
2N/A (void) BIO_printf(mem, "%s\n",
2N/A (char *)sk_value((const _STACK *)emlst, j));
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A
2N/A len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A X509_email_free(emlst);
2N/A break;
2N/A case KMF_X509_EXT_ISSUER_ALTNAME:
2N/A case KMF_X509_EXT_SUBJ_ALTNAME:
2N/A case KMF_X509_EXT_KEY_USAGE:
2N/A case KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD:
2N/A case KMF_X509_EXT_CERT_POLICIES:
2N/A case KMF_X509_EXT_BASIC_CONSTRAINTS:
2N/A case KMF_X509_EXT_NAME_CONSTRAINTS:
2N/A case KMF_X509_EXT_POLICY_CONSTRAINTS:
2N/A case KMF_X509_EXT_EXT_KEY_USAGE:
2N/A case KMF_X509_EXT_INHIBIT_ANY_POLICY:
2N/A case KMF_X509_EXT_AUTH_KEY_ID:
2N/A case KMF_X509_EXT_SUBJ_KEY_ID:
2N/A case KMF_X509_EXT_POLICY_MAPPINGS:
2N/A case KMF_X509_EXT_CRL_DIST_POINTS:
2N/A case KMF_X509_EXT_FRESHEST_CRL:
2N/A nid = ext2NID(flag);
2N/A if (nid == NID_undef) {
2N/A ret = KMF_ERR_EXTENSION_NOT_FOUND;
2N/A goto out;
2N/A }
2N/A ci = xcert->cert_info;
2N/A
2N/A ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
2N/A if (ext_index == -1) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A
2N/A ret = KMF_ERR_EXTENSION_NOT_FOUND;
2N/A goto out;
2N/A }
2N/A ex = X509v3_get_ext(ci->extensions, ext_index);
2N/A
2N/A (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
2N/A
2N/A if (BIO_printf(mem, ": %s\n",
2N/A X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
2N/A (void) BIO_printf(mem, "%*s", 4, "");
2N/A (void) M_ASN1_OCTET_STRING_print(mem, ex->value);
2N/A }
2N/A if (BIO_write(mem, "\n", 1) <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_ENCODING;
2N/A goto out;
2N/A }
2N/A len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2N/A }
2N/A if (len <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_ENCODING;
2N/A }
2N/A
2N/Aout:
2N/A if (outbuf != NULL) {
2N/A free(outbuf);
2N/A }
2N/A
2N/A if (xcert != NULL) {
2N/A X509_free(xcert);
2N/A }
2N/A
2N/A if (mem != NULL) {
2N/A (void) BIO_free(mem);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/A/*ARGSUSED*/
2N/AOpenSSL_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
2N/A KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
2N/A KMF_KEY_CLASS keyclass = KMF_ASYM_PRI;
2N/A KMF_KEY_HANDLE *key = NULL;
2N/A uint32_t numkeys = 1; /* 1 key only */
2N/A char *dirpath = NULL;
2N/A char *keyfile = NULL;
2N/A KMF_ATTRIBUTE new_attrlist[16];
2N/A int i = 0;
2N/A
2N/A /*
2N/A * This is really just a FindKey operation, reuse the
2N/A * FindKey function.
2N/A */
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
2N/A i++;
2N/A
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t));
2N/A i++;
2N/A
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_KEYCLASS_ATTR, &keyclass, sizeof (keyclass));
2N/A i++;
2N/A
2N/A key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (key == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A } else {
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_KEY_HANDLE_ATTR, key, sizeof (KMF_KEY_HANDLE));
2N/A i++;
2N/A }
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A if (dirpath != NULL) {
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_DIRPATH_ATTR, dirpath, strlen(dirpath));
2N/A i++;
2N/A }
2N/A
2N/A keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2N/A if (keyfile == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A else {
2N/A kmf_set_attr_at_index(new_attrlist, i,
2N/A KMF_KEY_FILENAME_ATTR, keyfile, strlen(keyfile));
2N/A i++;
2N/A }
2N/A
2N/A rv = OpenSSL_FindKey(handle, i, new_attrlist);
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/A/*ARGSUSED*/
2N/AOpenSSL_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
2N/A KMF_OID *AlgOID, KMF_DATA *ciphertext,
2N/A KMF_DATA *output)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A RSA *rsa = NULL;
2N/A unsigned int in_len = 0, out_len = 0;
2N/A unsigned int total_decrypted = 0, modulus_len = 0;
2N/A uint8_t *in_data, *out_data;
2N/A int i, blocks;
2N/A
2N/A if (key == NULL || AlgOID == NULL ||
2N/A ciphertext == NULL || output == NULL ||
2N/A ciphertext->Data == NULL ||
2N/A output->Data == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (key->keyalg == KMF_RSA) {
2N/A rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)key->keyp);
2N/A modulus_len = RSA_size(rsa);
2N/A } else {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A blocks = ciphertext->Length/modulus_len;
2N/A out_data = output->Data;
2N/A in_data = ciphertext->Data;
2N/A out_len = modulus_len - 11;
2N/A in_len = modulus_len;
2N/A
2N/A for (i = 0; i < blocks; i++) {
2N/A out_len = RSA_private_decrypt(in_len,
2N/A in_data, out_data, rsa, RSA_PKCS1_PADDING);
2N/A
2N/A if (out_len == 0) {
2N/A ret = KMF_ERR_INTERNAL;
2N/A goto cleanup;
2N/A }
2N/A
2N/A out_data += out_len;
2N/A total_decrypted += out_len;
2N/A in_data += in_len;
2N/A }
2N/A
2N/A output->Length = total_decrypted;
2N/A
2N/Acleanup:
2N/A RSA_free(rsa);
2N/A if (ret != KMF_OK)
2N/A output->Length = 0;
2N/A
2N/A return (ret);
2N/A
2N/A}
2N/A
2N/A/*
2N/A * This function will create a certid from issuer_cert and user_cert.
2N/A * The caller should use OCSP_CERTID_free(OCSP_CERTID *) to deallocate
2N/A * certid memory after use.
2N/A */
2N/Astatic KMF_RETURN
2N/Acreate_certid(KMF_HANDLE_T handle, const KMF_DATA *issuer_cert,
2N/A const KMF_DATA *user_cert, OCSP_CERTID **certid)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A X509 *issuer = NULL;
2N/A X509 *cert = NULL;
2N/A unsigned char *ptmp;
2N/A
2N/A if (issuer_cert == NULL || user_cert == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /* convert the DER-encoded issuer cert to an internal X509 */
2N/A ptmp = issuer_cert->Data;
2N/A issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2N/A issuer_cert->Length);
2N/A if (issuer == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OCSP_BAD_ISSUER;
2N/A goto end;
2N/A }
2N/A
2N/A /* convert the DER-encoded user cert to an internal X509 */
2N/A ptmp = user_cert->Data;
2N/A cert = d2i_X509(NULL, (const uchar_t **)&ptmp,
2N/A user_cert->Length);
2N/A if (cert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A
2N/A ret = KMF_ERR_OCSP_BAD_CERT;
2N/A goto end;
2N/A }
2N/A
2N/A /* create a CERTID */
2N/A *certid = OCSP_cert_to_id(NULL, cert, issuer);
2N/A if (*certid == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OCSP_CERTID;
2N/A goto end;
2N/A }
2N/A
2N/Aend:
2N/A if (issuer != NULL) {
2N/A X509_free(issuer);
2N/A }
2N/A
2N/A if (cert != NULL) {
2N/A X509_free(cert);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateOCSPRequest(KMF_HANDLE_T handle,
2N/A int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A OCSP_CERTID *id = NULL;
2N/A OCSP_REQUEST *req = NULL;
2N/A BIO *derbio = NULL;
2N/A char *reqfile;
2N/A KMF_DATA *issuer_cert;
2N/A KMF_DATA *user_cert;
2N/A
2N/A user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
2N/A attrlist, numattr);
2N/A if (user_cert == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
2N/A attrlist, numattr);
2N/A if (issuer_cert == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A reqfile = kmf_get_attr_ptr(KMF_OCSP_REQUEST_FILENAME_ATTR,
2N/A attrlist, numattr);
2N/A if (reqfile == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = create_certid(handle, issuer_cert, user_cert, &id);
2N/A if (ret != KMF_OK) {
2N/A return (ret);
2N/A }
2N/A
2N/A /* Create an OCSP request */
2N/A req = OCSP_REQUEST_new();
2N/A if (req == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OCSP_CREATE_REQUEST;
2N/A goto end;
2N/A }
2N/A
2N/A if (!OCSP_request_add0_id(req, id)) {
2N/A ret = KMF_ERR_OCSP_CREATE_REQUEST;
2N/A goto end;
2N/A }
2N/A
2N/A /* Write the request to the output file with DER encoding */
2N/A derbio = BIO_new_file(reqfile, "wb");
2N/A if (!derbio) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A if (i2d_OCSP_REQUEST_bio(derbio, req) <= 0) {
2N/A ret = KMF_ERR_ENCODING;
2N/A }
2N/A
2N/Aend:
2N/A /*
2N/A * We don't need to free "id" explicitely, because OCSP_REQUEST_free()
2N/A * will also deallocate certid's space.
2N/A */
2N/A if (req != NULL) {
2N/A OCSP_REQUEST_free(req);
2N/A }
2N/A
2N/A if (derbio != NULL) {
2N/A (void) BIO_free(derbio);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/* ocsp_find_signer_sk() is copied from openssl source */
2N/Astatic X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2N/A{
2N/A int i;
2N/A unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2N/A
2N/A /* Easy if lookup by name */
2N/A if (id->type == V_OCSP_RESPID_NAME)
2N/A return (X509_find_by_subject(certs, id->value.byName));
2N/A
2N/A /* Lookup by key hash */
2N/A
2N/A /* If key hash isn't SHA1 length then forget it */
2N/A if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2N/A return (NULL);
2N/A
2N/A keyhash = id->value.byKey->data;
2N/A /* Calculate hash of each key and compare */
2N/A for (i = 0; i < sk_X509_num(certs); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A X509 *x = sk_X509_value(certs, i);
2N/A#else
2N/A X509 *x = sk_X509_value(certs, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A /* Use pubkey_digest to get the key ID value */
2N/A (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2N/A if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2N/A return (x);
2N/A }
2N/A return (NULL);
2N/A}
2N/A
2N/A/* ocsp_find_signer() is copied from openssl source */
2N/A/* ARGSUSED2 */
2N/Astatic int
2N/Aocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2N/A X509_STORE *st, unsigned long flags)
2N/A{
2N/A X509 *signer;
2N/A OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2N/A if ((signer = ocsp_find_signer_sk(certs, rid))) {
2N/A *psigner = signer;
2N/A return (2);
2N/A }
2N/A if (!(flags & OCSP_NOINTERN) &&
2N/A (signer = ocsp_find_signer_sk(bs->certs, rid))) {
2N/A *psigner = signer;
2N/A return (1);
2N/A }
2N/A /* Maybe lookup from store if by subject name */
2N/A
2N/A *psigner = NULL;
2N/A return (0);
2N/A}
2N/A
2N/A/*
2N/A * This function will verify the signature of a basic response, using
2N/A * the public key from the OCSP responder certificate.
2N/A */
2N/Astatic KMF_RETURN
2N/Acheck_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
2N/A KMF_DATA *signer_cert, KMF_DATA *issuer_cert)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A STACK_OF(X509) *cert_stack = NULL;
2N/A X509 *signer = NULL;
2N/A X509 *issuer = NULL;
2N/A EVP_PKEY *skey = NULL;
2N/A unsigned char *ptmp;
2N/A
2N/A
2N/A if (bs == NULL || issuer_cert == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /*
2N/A * Find the certificate that signed the basic response.
2N/A *
2N/A * If signer_cert is not NULL, we will use that as the signer cert.
2N/A * Otherwise, we will check if the issuer cert is actually the signer.
2N/A * If we still do not find a signer, we will look for it from the
2N/A * certificate list came with the response file.
2N/A */
2N/A if (signer_cert != NULL) {
2N/A ptmp = signer_cert->Data;
2N/A signer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2N/A signer_cert->Length);
2N/A if (signer == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OCSP_BAD_SIGNER;
2N/A goto end;
2N/A }
2N/A } else {
2N/A /*
2N/A * Convert the issuer cert into X509 and push it into a
2N/A * stack to be used by ocsp_find_signer().
2N/A */
2N/A ptmp = issuer_cert->Data;
2N/A issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2N/A issuer_cert->Length);
2N/A if (issuer == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OCSP_BAD_ISSUER;
2N/A goto end;
2N/A }
2N/A
2N/A if ((cert_stack = sk_X509_new_null()) == NULL) {
2N/A ret = KMF_ERR_INTERNAL;
2N/A goto end;
2N/A }
2N/A
2N/A if (sk_X509_push(cert_stack, issuer) == NULL) {
2N/A ret = KMF_ERR_INTERNAL;
2N/A goto end;
2N/A }
2N/A
2N/A ret = ocsp_find_signer(&signer, bs, cert_stack, NULL, 0);
2N/A if (!ret) {
2N/A /* can not find the signer */
2N/A ret = KMF_ERR_OCSP_BAD_SIGNER;
2N/A goto end;
2N/A }
2N/A }
2N/A
2N/A /* Verify the signature of the response */
2N/A skey = X509_get_pubkey(signer);
2N/A if (skey == NULL) {
2N/A ret = KMF_ERR_OCSP_BAD_SIGNER;
2N/A goto end;
2N/A }
2N/A
2N/A ret = OCSP_BASICRESP_verify(bs, skey, 0);
2N/A if (ret == 0) {
2N/A ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE;
2N/A goto end;
2N/A }
2N/A
2N/Aend:
2N/A if (issuer != NULL) {
2N/A X509_free(issuer);
2N/A }
2N/A
2N/A if (signer != NULL) {
2N/A X509_free(signer);
2N/A }
2N/A
2N/A if (skey != NULL) {
2N/A EVP_PKEY_free(skey);
2N/A }
2N/A
2N/A if (cert_stack != NULL) {
2N/A sk_X509_free(cert_stack);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
2N/A int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A BIO *derbio = NULL;
2N/A OCSP_RESPONSE *resp = NULL;
2N/A OCSP_BASICRESP *bs = NULL;
2N/A OCSP_CERTID *id = NULL;
2N/A OCSP_SINGLERESP *single = NULL;
2N/A ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
2N/A int index, status, reason;
2N/A KMF_DATA *issuer_cert;
2N/A KMF_DATA *user_cert;
2N/A KMF_DATA *signer_cert;
2N/A KMF_DATA *response;
2N/A int *response_reason, *response_status, *cert_status;
2N/A boolean_t ignore_response_sign = B_FALSE; /* default is FALSE */
2N/A uint32_t response_lifetime;
2N/A
2N/A issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
2N/A attrlist, numattr);
2N/A if (issuer_cert == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
2N/A attrlist, numattr);
2N/A if (user_cert == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A response = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_DATA_ATTR,
2N/A attrlist, numattr);
2N/A if (response == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A response_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_STATUS_ATTR,
2N/A attrlist, numattr);
2N/A if (response_status == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A response_reason = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_REASON_ATTR,
2N/A attrlist, numattr);
2N/A if (response_reason == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A cert_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
2N/A attrlist, numattr);
2N/A if (cert_status == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* Read in the response */
2N/A derbio = BIO_new_mem_buf(response->Data, response->Length);
2N/A if (!derbio) {
2N/A ret = KMF_ERR_MEMORY;
2N/A return (ret);
2N/A }
2N/A
2N/A resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
2N/A if (resp == NULL) {
2N/A ret = KMF_ERR_OCSP_MALFORMED_RESPONSE;
2N/A goto end;
2N/A }
2N/A
2N/A /* Check the response status */
2N/A status = OCSP_response_status(resp);
2N/A *response_status = status;
2N/A if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2N/A ret = KMF_ERR_OCSP_RESPONSE_STATUS;
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("Successfully checked the response file status.\n");
2N/A#endif /* DEBUG */
2N/A
2N/A /* Extract basic response */
2N/A bs = OCSP_response_get1_basic(resp);
2N/A if (bs == NULL) {
2N/A ret = KMF_ERR_OCSP_NO_BASIC_RESPONSE;
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("Successfully retrieved the basic response.\n");
2N/A#endif /* DEBUG */
2N/A
2N/A /* Check the basic response signature if required */
2N/A ret = kmf_get_attr(KMF_IGNORE_RESPONSE_SIGN_ATTR, attrlist, numattr,
2N/A (void *)&ignore_response_sign, NULL);
2N/A if (ret != KMF_OK)
2N/A ret = KMF_OK;
2N/A
2N/A signer_cert = kmf_get_attr_ptr(KMF_SIGNER_CERT_DATA_ATTR,
2N/A attrlist, numattr);
2N/A
2N/A if (ignore_response_sign == B_FALSE) {
2N/A ret = check_response_signature(handle, bs,
2N/A signer_cert, issuer_cert);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("Successfully verified the response signature.\n");
2N/A#endif /* DEBUG */
2N/A
2N/A /* Create a certid for the certificate in question */
2N/A ret = create_certid(handle, issuer_cert, user_cert, &id);
2N/A if (ret != KMF_OK) {
2N/A ret = KMF_ERR_OCSP_CERTID;
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("successfully created a certid for the cert.\n");
2N/A#endif /* DEBUG */
2N/A
2N/A /* Find the index of the single response for the certid */
2N/A index = OCSP_resp_find(bs, id, -1);
2N/A if (index < 0) {
2N/A /* cound not find this certificate in the response */
2N/A ret = KMF_ERR_OCSP_UNKNOWN_CERT;
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("Successfully found the single response index for the cert.\n");
2N/A#endif /* DEBUG */
2N/A
2N/A /* Retrieve the single response and get the cert status */
2N/A single = OCSP_resp_get0(bs, index);
2N/A status = OCSP_single_get0_status(single, &reason, &rev, &thisupd,
2N/A &nextupd);
2N/A if (status == V_OCSP_CERTSTATUS_GOOD) {
2N/A *cert_status = OCSP_GOOD;
2N/A } else if (status == V_OCSP_CERTSTATUS_UNKNOWN) {
2N/A *cert_status = OCSP_UNKNOWN;
2N/A } else { /* revoked */
2N/A *cert_status = OCSP_REVOKED;
2N/A *response_reason = reason;
2N/A }
2N/A ret = KMF_OK;
2N/A
2N/A /* resp. time is optional, so we don't care about the return code. */
2N/A (void) kmf_get_attr(KMF_RESPONSE_LIFETIME_ATTR, attrlist, numattr,
2N/A (void *)&response_lifetime, NULL);
2N/A
2N/A if (!OCSP_check_validity(thisupd, nextupd, 300,
2N/A response_lifetime)) {
2N/A ret = KMF_ERR_OCSP_STATUS_TIME_INVALID;
2N/A goto end;
2N/A }
2N/A
2N/A#ifdef DEBUG
2N/A printf("Successfully verify the time.\n");
2N/A#endif /* DEBUG */
2N/A
2N/Aend:
2N/A if (derbio != NULL)
2N/A (void) BIO_free(derbio);
2N/A
2N/A if (resp != NULL)
2N/A OCSP_RESPONSE_free(resp);
2N/A
2N/A if (bs != NULL)
2N/A OCSP_BASICRESP_free(bs);
2N/A
2N/A if (id != NULL)
2N/A OCSP_CERTID_free(id);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Afetch_key(KMF_HANDLE_T handle, char *path,
2N/A KMF_KEY_CLASS keyclass, KMF_KEY_HANDLE *key)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A EVP_PKEY *pkey = NULL;
2N/A KMF_RAW_SYM_KEY *rkey = NULL;
2N/A
2N/A if (keyclass == KMF_ASYM_PRI ||
2N/A keyclass == KMF_ASYM_PUB) {
2N/A pkey = openssl_load_key(handle, path);
2N/A if (pkey == NULL) {
2N/A return (KMF_ERR_KEY_NOT_FOUND);
2N/A }
2N/A if (key != NULL) {
2N/A if (pkey->type == EVP_PKEY_RSA)
2N/A key->keyalg = KMF_RSA;
2N/A else if (pkey->type == EVP_PKEY_DSA)
2N/A key->keyalg = KMF_DSA;
2N/A
2N/A key->kstype = KMF_KEYSTORE_OPENSSL;
2N/A key->keyclass = keyclass;
2N/A key->keyp = (void *)pkey;
2N/A key->israw = FALSE;
2N/A if (path != NULL &&
2N/A ((key->keylabel = strdup(path)) == NULL)) {
2N/A EVP_PKEY_free(pkey);
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A } else {
2N/A EVP_PKEY_free(pkey);
2N/A pkey = NULL;
2N/A }
2N/A } else if (keyclass == KMF_SYMMETRIC) {
2N/A KMF_ENCODE_FORMAT fmt;
2N/A /*
2N/A * If the file is a recognized format,
2N/A * then it is NOT a symmetric key.
2N/A */
2N/A rv = kmf_get_file_format(path, &fmt);
2N/A if (rv == KMF_OK || fmt != 0) {
2N/A return (KMF_ERR_KEY_NOT_FOUND);
2N/A } else if (rv == KMF_ERR_ENCODING) {
2N/A /*
2N/A * If we don't know the encoding,
2N/A * it is probably a symmetric key.
2N/A */
2N/A rv = KMF_OK;
2N/A } else if (rv == KMF_ERR_OPEN_FILE) {
2N/A return (KMF_ERR_KEY_NOT_FOUND);
2N/A }
2N/A
2N/A if (key != NULL) {
2N/A KMF_DATA keyvalue;
2N/A rkey = malloc(sizeof (KMF_RAW_SYM_KEY));
2N/A if (rkey == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A
2N/A (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY));
2N/A rv = kmf_read_input_file(handle, path, &keyvalue);
2N/A if (rv != KMF_OK)
2N/A goto out;
2N/A
2N/A rkey->keydata.len = keyvalue.Length;
2N/A rkey->keydata.val = keyvalue.Data;
2N/A
2N/A key->kstype = KMF_KEYSTORE_OPENSSL;
2N/A key->keyclass = keyclass;
2N/A key->israw = TRUE;
2N/A key->keyp = (void *)rkey;
2N/A if (path != NULL &&
2N/A ((key->keylabel = strdup(path)) == NULL)) {
2N/A rv = KMF_ERR_MEMORY;
2N/A }
2N/A }
2N/A }
2N/Aout:
2N/A if (rv != KMF_OK) {
2N/A if (rkey != NULL) {
2N/A kmf_free_raw_sym_key(rkey);
2N/A }
2N/A if (pkey != NULL)
2N/A EVP_PKEY_free(pkey);
2N/A
2N/A if (key != NULL) {
2N/A key->keyalg = KMF_KEYALG_NONE;
2N/A key->keyclass = KMF_KEYCLASS_NONE;
2N/A key->keyp = NULL;
2N/A }
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindKey(KMF_HANDLE_T handle,
2N/A int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A char *fullpath = NULL;
2N/A uint32_t maxkeys;
2N/A KMF_KEY_HANDLE *key;
2N/A uint32_t *numkeys;
2N/A KMF_KEY_CLASS keyclass;
2N/A KMF_RAW_KEY_DATA *rawkey;
2N/A char *dirpath;
2N/A char *keyfile;
2N/A
2N/A if (handle == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
2N/A if (numkeys == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
2N/A (void *)&keyclass, NULL);
2N/A if (rv != KMF_OK)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (keyclass != KMF_ASYM_PUB &&
2N/A keyclass != KMF_ASYM_PRI &&
2N/A keyclass != KMF_SYMMETRIC)
2N/A return (KMF_ERR_BAD_KEY_CLASS);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2N/A
2N/A fullpath = get_fullpath(dirpath, keyfile);
2N/A
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A maxkeys = *numkeys;
2N/A if (maxkeys == 0)
2N/A maxkeys = 0xFFFFFFFF;
2N/A *numkeys = 0;
2N/A
2N/A key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2N/A /* it is okay to have "keys" contains NULL */
2N/A
2N/A /*
2N/A * The caller may want a list of the raw key data as well.
2N/A * Useful for importing keys from a file into other keystores.
2N/A */
2N/A rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
2N/A
2N/A if (isdir(fullpath)) {
2N/A DIR *dirp;
2N/A struct dirent *dp;
2N/A int n = 0;
2N/A
2N/A /* open all files in the directory and attempt to read them */
2N/A if ((dirp = opendir(fullpath)) == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A rewinddir(dirp);
2N/A while ((dp = readdir(dirp)) != NULL && n < maxkeys) {
2N/A if (strcmp(dp->d_name, ".") &&
2N/A strcmp(dp->d_name, "..")) {
2N/A char *fname;
2N/A
2N/A fname = get_fullpath(fullpath,
2N/A (char *)&dp->d_name);
2N/A
2N/A rv = fetch_key(handle, fname,
2N/A keyclass, key ? &key[n] : NULL);
2N/A
2N/A if (rv == KMF_OK) {
2N/A if (key != NULL && rawkey != NULL)
2N/A rv = convertToRawKey(
2N/A key[n].keyp, &rawkey[n]);
2N/A n++;
2N/A }
2N/A
2N/A if (rv != KMF_OK || key == NULL)
2N/A free(fname);
2N/A }
2N/A }
2N/A (void) closedir(dirp);
2N/A free(fullpath);
2N/A (*numkeys) = n;
2N/A } else {
2N/A rv = fetch_key(handle, fullpath, keyclass, key);
2N/A if (rv == KMF_OK)
2N/A (*numkeys) = 1;
2N/A
2N/A if (rv != KMF_OK || key == NULL)
2N/A free(fullpath);
2N/A
2N/A if (rv == KMF_OK && key != NULL && rawkey != NULL) {
2N/A rv = convertToRawKey(key->keyp, rawkey);
2N/A }
2N/A }
2N/A
2N/A if (rv == KMF_OK && (*numkeys) == 0)
2N/A rv = KMF_ERR_KEY_NOT_FOUND;
2N/A else if (rv == KMF_ERR_KEY_NOT_FOUND && (*numkeys) > 0)
2N/A rv = KMF_OK;
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/A#define HANDLE_PK12_ERROR { \
2N/A SET_ERROR(kmfh, ERR_get_error()); \
2N/A rv = KMF_ERR_ENCODING; \
2N/A goto out; \
2N/A}
2N/A
2N/Astatic int
2N/Aadd_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert)
2N/A{
2N/A if (xcert != NULL && xcert->aux != NULL &&
2N/A xcert->aux->alias != NULL) {
2N/A if (PKCS12_add_friendlyname_asc(bag,
2N/A (const char *)xcert->aux->alias->data,
2N/A xcert->aux->alias->length) == 0)
2N/A return (0);
2N/A }
2N/A return (1);
2N/A}
2N/A
2N/Astatic PKCS7 *
2N/Aadd_cert_to_safe(X509 *sslcert, KMF_CREDENTIAL *cred,
2N/A uchar_t *keyid, unsigned int keyidlen)
2N/A{
2N/A PKCS12_SAFEBAG *bag = NULL;
2N/A PKCS7 *cert_authsafe = NULL;
2N/A STACK_OF(PKCS12_SAFEBAG) *bag_stack;
2N/A
2N/A bag_stack = sk_PKCS12_SAFEBAG_new_null();
2N/A if (bag_stack == NULL)
2N/A return (NULL);
2N/A
2N/A /* Convert cert from X509 struct to PKCS#12 bag */
2N/A bag = PKCS12_x5092certbag(sslcert);
2N/A if (bag == NULL) {
2N/A goto out;
2N/A }
2N/A
2N/A /* Add the key id to the certificate bag. */
2N/A if (keyidlen > 0 && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) {
2N/A goto out;
2N/A }
2N/A
2N/A if (!add_alias_to_bag(bag, sslcert))
2N/A goto out;
2N/A
2N/A /* Pile it on the bag_stack. */
2N/A if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag)) {
2N/A goto out;
2N/A }
2N/A /* Turn bag_stack of certs into encrypted authsafe. */
2N/A cert_authsafe = PKCS12_pack_p7encdata(
2N/A NID_pbe_WithSHA1And40BitRC2_CBC,
2N/A cred->cred, cred->credlen, NULL, 0,
2N/A PKCS12_DEFAULT_ITER, bag_stack);
2N/A
2N/Aout:
2N/A if (bag_stack != NULL)
2N/A sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
2N/A
2N/A return (cert_authsafe);
2N/A}
2N/A
2N/Astatic PKCS7 *
2N/Aadd_key_to_safe(EVP_PKEY *pkey, KMF_CREDENTIAL *cred,
2N/A uchar_t *keyid, unsigned int keyidlen,
2N/A char *label, int label_len)
2N/A{
2N/A PKCS8_PRIV_KEY_INFO *p8 = NULL;
2N/A STACK_OF(PKCS12_SAFEBAG) *bag_stack = NULL;
2N/A PKCS12_SAFEBAG *bag = NULL;
2N/A PKCS7 *key_authsafe = NULL;
2N/A
2N/A p8 = EVP_PKEY2PKCS8(pkey);
2N/A if (p8 == NULL) {
2N/A return (NULL);
2N/A }
2N/A /* Put the shrouded key into a PKCS#12 bag. */
2N/A bag = PKCS12_MAKE_SHKEYBAG(
2N/A NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
2N/A cred->cred, cred->credlen,
2N/A NULL, 0, PKCS12_DEFAULT_ITER, p8);
2N/A
2N/A /* Clean up the PKCS#8 shrouded key, don't need it now. */
2N/A PKCS8_PRIV_KEY_INFO_free(p8);
2N/A p8 = NULL;
2N/A
2N/A if (bag == NULL) {
2N/A return (NULL);
2N/A }
2N/A if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
2N/A goto out;
2N/A if (label != NULL && !PKCS12_add_friendlyname(bag, label, label_len))
2N/A goto out;
2N/A
2N/A /* Start a PKCS#12 safebag container for the private key. */
2N/A bag_stack = sk_PKCS12_SAFEBAG_new_null();
2N/A if (bag_stack == NULL)
2N/A goto out;
2N/A
2N/A /* Pile on the private key on the bag_stack. */
2N/A if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag))
2N/A goto out;
2N/A
2N/A key_authsafe = PKCS12_pack_p7data(bag_stack);
2N/A
2N/Aout:
2N/A if (bag_stack != NULL)
2N/A sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
2N/A bag_stack = NULL;
2N/A return (key_authsafe);
2N/A}
2N/A
2N/Astatic EVP_PKEY *
2N/AImportRawRSAKey(KMF_RAW_RSA_KEY *key)
2N/A{
2N/A RSA *rsa = NULL;
2N/A EVP_PKEY *newkey = NULL;
2N/A
2N/A if ((rsa = RSA_new()) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) ==
2N/A NULL)
2N/A return (NULL);
2N/A
2N/A if (key->priexp.val != NULL)
2N/A if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
2N/A rsa->d)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->prime1.val != NULL)
2N/A if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
2N/A rsa->p)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->prime2.val != NULL)
2N/A if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
2N/A rsa->q)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->exp1.val != NULL)
2N/A if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
2N/A rsa->dmp1)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->exp2.val != NULL)
2N/A if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
2N/A rsa->dmq1)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->coef.val != NULL)
2N/A if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
2N/A rsa->iqmp)) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((newkey = EVP_PKEY_new()) == NULL)
2N/A return (NULL);
2N/A
2N/A (void) EVP_PKEY_set1_RSA(newkey, rsa);
2N/A
2N/A /* The original key must be freed once here or it leaks memory */
2N/A RSA_free(rsa);
2N/A
2N/A return (newkey);
2N/A}
2N/A
2N/Astatic EVP_PKEY *
2N/AImportRawDSAKey(KMF_RAW_DSA_KEY *key)
2N/A{
2N/A DSA *dsa = NULL;
2N/A EVP_PKEY *newkey = NULL;
2N/A
2N/A if ((dsa = DSA_new()) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
2N/A dsa->p)) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
2N/A dsa->q)) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
2N/A dsa->g)) == NULL)
2N/A return (NULL);
2N/A
2N/A if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
2N/A dsa->priv_key)) == NULL)
2N/A return (NULL);
2N/A
2N/A if (key->pubvalue.val != NULL) {
2N/A if ((dsa->pub_key = BN_bin2bn(key->pubvalue.val,
2N/A key->pubvalue.len, dsa->pub_key)) == NULL)
2N/A return (NULL);
2N/A }
2N/A
2N/A if ((newkey = EVP_PKEY_new()) == NULL)
2N/A return (NULL);
2N/A
2N/A (void) EVP_PKEY_set1_DSA(newkey, dsa);
2N/A
2N/A /* The original key must be freed once here or it leaks memory */
2N/A DSA_free(dsa);
2N/A return (newkey);
2N/A}
2N/A
2N/Astatic EVP_PKEY *
2N/Araw_key_to_pkey(KMF_KEY_HANDLE *key)
2N/A{
2N/A EVP_PKEY *pkey = NULL;
2N/A KMF_RAW_KEY_DATA *rawkey;
2N/A ASN1_TYPE *attr = NULL;
2N/A KMF_RETURN ret;
2N/A
2N/A if (key == NULL || !key->israw)
2N/A return (NULL);
2N/A
2N/A rawkey = (KMF_RAW_KEY_DATA *)key->keyp;
2N/A if (rawkey->keytype == KMF_RSA) {
2N/A pkey = ImportRawRSAKey(&rawkey->rawdata.rsa);
2N/A } else if (rawkey->keytype == KMF_DSA) {
2N/A pkey = ImportRawDSAKey(&rawkey->rawdata.dsa);
2N/A } else if (rawkey->keytype == KMF_ECDSA) {
2N/A /*
2N/A * OpenSSL in Solaris does not support EC for
2N/A * legal reasons
2N/A */
2N/A return (NULL);
2N/A } else {
2N/A /* wrong kind of key */
2N/A return (NULL);
2N/A }
2N/A
2N/A if (rawkey->label != NULL) {
2N/A if ((attr = ASN1_TYPE_new()) == NULL) {
2N/A EVP_PKEY_free(pkey);
2N/A return (NULL);
2N/A }
2N/A attr->value.bmpstring = ASN1_STRING_type_new(V_ASN1_BMPSTRING);
2N/A (void) ASN1_STRING_set(attr->value.bmpstring, rawkey->label,
2N/A strlen(rawkey->label));
2N/A attr->type = V_ASN1_BMPSTRING;
2N/A attr->value.ptr = (char *)attr->value.bmpstring;
2N/A ret = set_pkey_attrib(pkey, attr, NID_friendlyName);
2N/A if (ret != KMF_OK) {
2N/A EVP_PKEY_free(pkey);
2N/A ASN1_TYPE_free(attr);
2N/A return (NULL);
2N/A }
2N/A }
2N/A if (rawkey->id.Data != NULL) {
2N/A if ((attr = ASN1_TYPE_new()) == NULL) {
2N/A EVP_PKEY_free(pkey);
2N/A return (NULL);
2N/A }
2N/A attr->value.octet_string =
2N/A ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
2N/A attr->type = V_ASN1_OCTET_STRING;
2N/A (void) ASN1_STRING_set(attr->value.octet_string,
2N/A rawkey->id.Data, rawkey->id.Length);
2N/A attr->value.ptr = (char *)attr->value.octet_string;
2N/A ret = set_pkey_attrib(pkey, attr, NID_localKeyID);
2N/A if (ret != KMF_OK) {
2N/A EVP_PKEY_free(pkey);
2N/A ASN1_TYPE_free(attr);
2N/A return (NULL);
2N/A }
2N/A }
2N/A return (pkey);
2N/A}
2N/A
2N/A/*
2N/A * Search a list of private keys to find one that goes with the certificate.
2N/A */
2N/Astatic EVP_PKEY *
2N/Afind_matching_key(X509 *xcert, int numkeys, KMF_KEY_HANDLE *keylist)
2N/A{
2N/A int i;
2N/A EVP_PKEY *pkey = NULL;
2N/A
2N/A if (numkeys == 0 || keylist == NULL || xcert == NULL)
2N/A return (NULL);
2N/A for (i = 0; i < numkeys; i++) {
2N/A if (keylist[i].israw)
2N/A pkey = raw_key_to_pkey(&keylist[i]);
2N/A else
2N/A pkey = (EVP_PKEY *)keylist[i].keyp;
2N/A if (pkey != NULL) {
2N/A if (X509_check_private_key(xcert, pkey)) {
2N/A return (pkey);
2N/A } else {
2N/A EVP_PKEY_free(pkey);
2N/A pkey = NULL;
2N/A }
2N/A }
2N/A }
2N/A return (pkey);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Alocal_export_pk12(KMF_HANDLE_T handle,
2N/A KMF_CREDENTIAL *cred,
2N/A int numcerts, KMF_X509_DER_CERT *certlist,
2N/A int numkeys, KMF_KEY_HANDLE *keylist,
2N/A char *filename)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A BIO *bio = NULL;
2N/A PKCS7 *cert_authsafe = NULL;
2N/A PKCS7 *key_authsafe = NULL;
2N/A STACK_OF(PKCS7) *authsafe_stack = NULL;
2N/A PKCS12 *p12_elem = NULL;
2N/A int i;
2N/A
2N/A if (numcerts == 0 && numkeys == 0)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /*
2N/A * Open the output file.
2N/A */
2N/A if ((bio = BIO_new_file(filename, "wb")) == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_OPEN_FILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Start a PKCS#7 stack. */
2N/A authsafe_stack = sk_PKCS7_new_null();
2N/A if (authsafe_stack == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A goto cleanup;
2N/A }
2N/A if (numcerts > 0) {
2N/A for (i = 0; rv == KMF_OK && i < numcerts; i++) {
2N/A const uchar_t *p = certlist[i].certificate.Data;
2N/A long len = certlist[i].certificate.Length;
2N/A X509 *xcert = NULL;
2N/A EVP_PKEY *pkey = NULL;
2N/A unsigned char keyid[EVP_MAX_MD_SIZE];
2N/A unsigned int keyidlen = 0;
2N/A
2N/A xcert = d2i_X509(NULL, &p, len);
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_ENCODING;
2N/A }
2N/A if (certlist[i].kmf_private.label != NULL) {
2N/A /* Set alias attribute */
2N/A (void) X509_alias_set1(xcert,
2N/A (uchar_t *)certlist[i].kmf_private.label,
2N/A strlen(certlist[i].kmf_private.label));
2N/A }
2N/A /* Check if there is a key corresponding to this cert */
2N/A pkey = find_matching_key(xcert, numkeys, keylist);
2N/A
2N/A /*
2N/A * If key is found, get fingerprint and create a
2N/A * safebag.
2N/A */
2N/A if (pkey != NULL) {
2N/A (void) X509_digest(xcert, EVP_sha1(),
2N/A keyid, &keyidlen);
2N/A key_authsafe = add_key_to_safe(pkey, cred,
2N/A keyid, keyidlen,
2N/A certlist[i].kmf_private.label,
2N/A (certlist[i].kmf_private.label ?
2N/A strlen(certlist[i].kmf_private.label) : 0));
2N/A
2N/A if (key_authsafe == NULL) {
2N/A X509_free(xcert);
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A /* Put the key safe into the Auth Safe */
2N/A if (!sk_PKCS7_push(authsafe_stack,
2N/A key_authsafe)) {
2N/A X509_free(xcert);
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A }
2N/A
2N/A /* create a certificate safebag */
2N/A cert_authsafe = add_cert_to_safe(xcert, cred, keyid,
2N/A keyidlen);
2N/A if (cert_authsafe == NULL) {
2N/A X509_free(xcert);
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A if (!sk_PKCS7_push(authsafe_stack, cert_authsafe)) {
2N/A X509_free(xcert);
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A
2N/A X509_free(xcert);
2N/A if (pkey)
2N/A EVP_PKEY_free(pkey);
2N/A }
2N/A } else if (numcerts == 0 && numkeys > 0) {
2N/A /*
2N/A * If only adding keys to the file.
2N/A */
2N/A for (i = 0; i < numkeys; i++) {
2N/A EVP_PKEY *pkey = NULL;
2N/A
2N/A if (keylist[i].israw)
2N/A pkey = raw_key_to_pkey(&keylist[i]);
2N/A else
2N/A pkey = (EVP_PKEY *)keylist[i].keyp;
2N/A
2N/A if (pkey == NULL)
2N/A continue;
2N/A
2N/A key_authsafe = add_key_to_safe(pkey, cred,
2N/A NULL, 0, NULL, 0);
2N/A
2N/A if (key_authsafe == NULL) {
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A if (!sk_PKCS7_push(authsafe_stack, key_authsafe)) {
2N/A EVP_PKEY_free(pkey);
2N/A goto cleanup;
2N/A }
2N/A }
2N/A }
2N/A p12_elem = PKCS12_init(NID_pkcs7_data);
2N/A if (p12_elem == NULL) {
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Put the PKCS#7 stack into the PKCS#12 element. */
2N/A if (!PKCS12_pack_authsafes(p12_elem, authsafe_stack)) {
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Set the integrity MAC on the PKCS#12 element. */
2N/A if (!PKCS12_set_mac(p12_elem, cred->cred, cred->credlen,
2N/A NULL, 0, PKCS12_DEFAULT_ITER, NULL)) {
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Write the PKCS#12 element to the export file. */
2N/A if (!i2d_PKCS12_bio(bio, p12_elem)) {
2N/A goto cleanup;
2N/A }
2N/A PKCS12_free(p12_elem);
2N/A
2N/Acleanup:
2N/A /* Clear away the PKCS#7 stack, we're done with it. */
2N/A if (authsafe_stack)
2N/A sk_PKCS7_pop_free(authsafe_stack, PKCS7_free);
2N/A
2N/A if (bio != NULL)
2N/A (void) BIO_free_all(bio);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Aopenssl_build_pk12(KMF_HANDLE_T handle, int numcerts,
2N/A KMF_X509_DER_CERT *certlist, int numkeys, KMF_KEY_HANDLE *keylist,
2N/A KMF_CREDENTIAL *p12cred, char *filename)
2N/A{
2N/A KMF_RETURN rv;
2N/A
2N/A if (certlist == NULL && keylist == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A rv = local_export_pk12(handle, p12cred, numcerts, certlist,
2N/A numkeys, keylist, filename);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ExportPK12(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A char *fullpath = NULL;
2N/A char *dirpath = NULL;
2N/A char *certfile = NULL;
2N/A char *keyfile = NULL;
2N/A char *filename = NULL;
2N/A KMF_CREDENTIAL *p12cred = NULL;
2N/A KMF_X509_DER_CERT certdata;
2N/A KMF_KEY_HANDLE key;
2N/A int gotkey = 0;
2N/A int gotcert = 0;
2N/A
2N/A if (handle == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /*
2N/A * First, find the certificate.
2N/A */
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
2N/A if (certfile != NULL) {
2N/A fullpath = get_fullpath(dirpath, certfile);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (isdir(fullpath)) {
2N/A free(fullpath);
2N/A return (KMF_ERR_AMBIGUOUS_PATHNAME);
2N/A }
2N/A
2N/A (void) memset(&certdata, 0, sizeof (certdata));
2N/A rv = kmf_load_cert(kmfh, NULL, NULL, NULL, NULL,
2N/A fullpath, &certdata.certificate);
2N/A if (rv != KMF_OK)
2N/A goto end;
2N/A
2N/A gotcert++;
2N/A certdata.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
2N/A free(fullpath);
2N/A }
2N/A
2N/A /*
2N/A * Now find the private key.
2N/A */
2N/A keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2N/A if (keyfile != NULL) {
2N/A fullpath = get_fullpath(dirpath, keyfile);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (isdir(fullpath)) {
2N/A free(fullpath);
2N/A return (KMF_ERR_AMBIGUOUS_PATHNAME);
2N/A }
2N/A
2N/A (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE));
2N/A rv = fetch_key(handle, fullpath, KMF_ASYM_PRI, &key);
2N/A if (rv != KMF_OK)
2N/A goto end;
2N/A gotkey++;
2N/A }
2N/A
2N/A /*
2N/A * Open the output file.
2N/A */
2N/A filename = kmf_get_attr_ptr(KMF_OUTPUT_FILENAME_ATTR, attrlist,
2N/A numattr);
2N/A if (filename == NULL) {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto end;
2N/A }
2N/A
2N/A /* Stick the key and the cert into a PKCS#12 file */
2N/A p12cred = kmf_get_attr_ptr(KMF_PK12CRED_ATTR, attrlist, numattr);
2N/A if (p12cred == NULL) {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A goto end;
2N/A }
2N/A
2N/A rv = local_export_pk12(handle, p12cred, 1, &certdata,
2N/A 1, &key, filename);
2N/A
2N/Aend:
2N/A if (fullpath)
2N/A free(fullpath);
2N/A
2N/A if (gotcert)
2N/A kmf_free_kmf_cert(handle, &certdata);
2N/A if (gotkey)
2N/A kmf_free_kmf_key(handle, &key);
2N/A return (rv);
2N/A}
2N/A
2N/A/*
2N/A * Helper function to extract keys and certificates from
2N/A * a single PEM file. Typically the file should contain a
2N/A * private key and an associated public key wrapped in an x509 cert.
2N/A * However, the file may be just a list of X509 certs with no keys.
2N/A */
2N/Astatic KMF_RETURN
2N/Aextract_pem(KMF_HANDLE *kmfh,
2N/A char *issuer, char *subject, KMF_BIGINT *serial,
2N/A char *filename, CK_UTF8CHAR *pin,
2N/A CK_ULONG pinlen, EVP_PKEY **priv_key, KMF_DATA **certs,
2N/A int *numcerts)
2N/A/* ARGSUSED6 */
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A FILE *fp;
2N/A STACK_OF(X509_INFO) *x509_info_stack = NULL;
2N/A int i, ncerts = 0, matchcerts = 0;
2N/A EVP_PKEY *pkey = NULL;
2N/A X509_INFO *info;
2N/A X509 *x;
2N/A X509_INFO **cert_infos = NULL;
2N/A KMF_DATA *certlist = NULL;
2N/A
2N/A if (priv_key)
2N/A *priv_key = NULL;
2N/A if (certs)
2N/A *certs = NULL;
2N/A fp = fopen(filename, "r");
2N/A if (fp == NULL)
2N/A return (KMF_ERR_OPEN_FILE);
2N/A
2N/A x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
2N/A if (x509_info_stack == NULL) {
2N/A (void) fclose(fp);
2N/A return (KMF_ERR_ENCODING);
2N/A }
2N/A cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
2N/A sizeof (X509_INFO *));
2N/A if (cert_infos == NULL) {
2N/A (void) fclose(fp);
2N/A rv = KMF_ERR_MEMORY;
2N/A goto err;
2N/A }
2N/A
2N/A for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
2N/A#else
2N/A cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A ncerts++;
2N/A }
2N/A
2N/A if (ncerts == 0) {
2N/A (void) fclose(fp);
2N/A rv = KMF_ERR_CERT_NOT_FOUND;
2N/A goto err;
2N/A }
2N/A
2N/A if (priv_key != NULL) {
2N/A rewind(fp);
2N/A pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
2N/A }
2N/A (void) fclose(fp);
2N/A
2N/A x = cert_infos[ncerts - 1]->x509;
2N/A /*
2N/A * Make sure the private key matchs the last cert in the file.
2N/A */
2N/A if (pkey != NULL && !X509_check_private_key(x, pkey)) {
2N/A EVP_PKEY_free(pkey);
2N/A rv = KMF_ERR_KEY_MISMATCH;
2N/A goto err;
2N/A }
2N/A
2N/A certlist = (KMF_DATA *)calloc(ncerts, sizeof (KMF_DATA));
2N/A if (certlist == NULL) {
2N/A if (pkey != NULL)
2N/A EVP_PKEY_free(pkey);
2N/A rv = KMF_ERR_MEMORY;
2N/A goto err;
2N/A }
2N/A
2N/A /*
2N/A * Convert all of the certs to DER format.
2N/A */
2N/A matchcerts = 0;
2N/A for (i = 0; rv == KMF_OK && certs != NULL && i < ncerts; i++) {
2N/A boolean_t match = FALSE;
2N/A info = cert_infos[ncerts - 1 - i];
2N/A
2N/A rv = check_cert(info->x509, issuer, subject, serial, &match);
2N/A if (rv != KMF_OK || match != TRUE) {
2N/A rv = KMF_OK;
2N/A continue;
2N/A }
2N/A
2N/A rv = ssl_cert2KMFDATA(kmfh, info->x509,
2N/A &certlist[matchcerts++]);
2N/A
2N/A if (rv != KMF_OK) {
2N/A int j;
2N/A for (j = 0; j < matchcerts; j++)
2N/A kmf_free_data(&certlist[j]);
2N/A free(certlist);
2N/A certlist = NULL;
2N/A ncerts = matchcerts = 0;
2N/A }
2N/A }
2N/A
2N/A if (numcerts != NULL)
2N/A *numcerts = matchcerts;
2N/A
2N/A if (certs != NULL)
2N/A *certs = certlist;
2N/A else if (certlist != NULL) {
2N/A for (i = 0; i < ncerts; i++)
2N/A kmf_free_data(&certlist[i]);
2N/A free(certlist);
2N/A certlist = NULL;
2N/A }
2N/A
2N/A if (priv_key == NULL && pkey != NULL)
2N/A EVP_PKEY_free(pkey);
2N/A else if (priv_key != NULL && pkey != NULL)
2N/A *priv_key = pkey;
2N/A
2N/Aerr:
2N/A /* Cleanup the stack of X509 info records */
2N/A for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
2N/A#else
2N/A info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A X509_INFO_free(info);
2N/A }
2N/A if (x509_info_stack)
2N/A sk_X509_INFO_free(x509_info_stack);
2N/A
2N/A if (cert_infos != NULL)
2N/A free(cert_infos);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aopenssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
2N/A STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
2N/A{
2N/A KMF_RETURN ret;
2N/A int i;
2N/A
2N/A for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
2N/A#else
2N/A PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
2N/A keys, certs);
2N/A
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aset_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
2N/A{
2N/A X509_ATTRIBUTE *attr = NULL;
2N/A
2N/A if (pkey == NULL || attrib == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (pkey->attributes == NULL) {
2N/A pkey->attributes = sk_X509_ATTRIBUTE_new_null();
2N/A if (pkey->attributes == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
2N/A if (attr != NULL) {
2N/A int i;
2N/A X509_ATTRIBUTE *a;
2N/A for (i = 0;
2N/A i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CASE_ALIGN */
2N/A a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
2N/A#else
2N/A a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A if (OBJ_obj2nid(a->object) == nid) {
2N/A X509_ATTRIBUTE_free(a);
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A sk_X509_ATTRIBUTE_set(pkey->attributes,
2N/A i, attr);
2N/A#else
2N/A (void) sk_X509_ATTRIBUTE_set(pkey->attributes,
2N/A i, attr);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A return (KMF_OK);
2N/A }
2N/A }
2N/A if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
2N/A X509_ATTRIBUTE_free(attr);
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A } else {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A return (KMF_OK);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aopenssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
2N/A STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A PKCS8_PRIV_KEY_INFO *p8 = NULL;
2N/A EVP_PKEY *pkey = NULL;
2N/A X509 *xcert = NULL;
2N/A ASN1_TYPE *keyid = NULL;
2N/A ASN1_TYPE *fname = NULL;
2N/A uchar_t *data = NULL;
2N/A
2N/A keyid = PKCS12_get_attr(bag, NID_localKeyID);
2N/A fname = PKCS12_get_attr(bag, NID_friendlyName);
2N/A
2N/A switch (M_PKCS12_bag_type(bag)) {
2N/A case NID_keyBag:
2N/A if (keylist == NULL)
2N/A goto end;
2N/A pkey = EVP_PKCS82PKEY(bag->value.keybag);
2N/A if (pkey == NULL)
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A
2N/A break;
2N/A case NID_pkcs8ShroudedKeyBag:
2N/A if (keylist == NULL)
2N/A goto end;
2N/A p8 = M_PKCS12_decrypt_skey(bag, pass, passlen);
2N/A if (p8 == NULL)
2N/A return (KMF_ERR_AUTH_FAILED);
2N/A pkey = EVP_PKCS82PKEY(p8);
2N/A PKCS8_PRIV_KEY_INFO_free(p8);
2N/A if (pkey == NULL)
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A break;
2N/A case NID_certBag:
2N/A if (certlist == NULL)
2N/A goto end;
2N/A if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
2N/A return (KMF_ERR_PKCS12_FORMAT);
2N/A xcert = M_PKCS12_certbag2x509(bag);
2N/A if (xcert == NULL) {
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A goto end;
2N/A }
2N/A if (keyid != NULL) {
2N/A if (X509_keyid_set1(xcert,
2N/A keyid->value.octet_string->data,
2N/A keyid->value.octet_string->length) == 0) {
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A goto end;
2N/A }
2N/A }
2N/A if (fname != NULL) {
2N/A int len, r;
2N/A len = ASN1_STRING_to_UTF8(&data,
2N/A fname->value.asn1_string);
2N/A if (len > 0 && data != NULL) {
2N/A r = X509_alias_set1(xcert, data, len);
2N/A if (r == NULL) {
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A goto end;
2N/A }
2N/A } else {
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A goto end;
2N/A }
2N/A }
2N/A if (sk_X509_push(certlist, xcert) == 0)
2N/A ret = KMF_ERR_MEMORY;
2N/A else
2N/A xcert = NULL;
2N/A break;
2N/A case NID_safeContentsBag:
2N/A return (openssl_parse_bags(bag->value.safes, pass,
2N/A keylist, certlist));
2N/A default:
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A break;
2N/A }
2N/A
2N/A /*
2N/A * Set the ID and/or FriendlyName attributes on the key.
2N/A * If converting to PKCS11 objects, these can translate to CKA_ID
2N/A * and CKA_LABEL values.
2N/A */
2N/A if (pkey != NULL && ret == KMF_OK) {
2N/A ASN1_TYPE *attr = NULL;
2N/A if (keyid != NULL && keyid->type == V_ASN1_OCTET_STRING) {
2N/A if ((attr = ASN1_TYPE_new()) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A attr->value.octet_string =
2N/A ASN1_STRING_dup(keyid->value.octet_string);
2N/A attr->type = V_ASN1_OCTET_STRING;
2N/A attr->value.ptr = (char *)attr->value.octet_string;
2N/A ret = set_pkey_attrib(pkey, attr, NID_localKeyID);
2N/A OPENSSL_free(attr);
2N/A }
2N/A
2N/A if (ret == KMF_OK && fname != NULL &&
2N/A fname->type == V_ASN1_BMPSTRING) {
2N/A if ((attr = ASN1_TYPE_new()) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A attr->value.bmpstring =
2N/A ASN1_STRING_dup(fname->value.bmpstring);
2N/A attr->type = V_ASN1_BMPSTRING;
2N/A attr->value.ptr = (char *)attr->value.bmpstring;
2N/A ret = set_pkey_attrib(pkey, attr, NID_friendlyName);
2N/A OPENSSL_free(attr);
2N/A }
2N/A
2N/A if (ret == KMF_OK && keylist != NULL &&
2N/A sk_EVP_PKEY_push(keylist, pkey) == 0)
2N/A ret = KMF_ERR_MEMORY;
2N/A }
2N/A if (ret == KMF_OK && keylist != NULL)
2N/A pkey = NULL;
2N/Aend:
2N/A if (pkey != NULL)
2N/A EVP_PKEY_free(pkey);
2N/A if (xcert != NULL)
2N/A X509_free(xcert);
2N/A if (data != NULL)
2N/A OPENSSL_free(data);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aopenssl_pkcs12_parse(PKCS12 *p12, char *pin,
2N/A STACK_OF(EVP_PKEY) *keys,
2N/A STACK_OF(X509) *certs,
2N/A STACK_OF(X509) *ca)
2N/A/* ARGSUSED3 */
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A STACK_OF(PKCS7) *asafes = NULL;
2N/A STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
2N/A int i, bagnid;
2N/A PKCS7 *p7;
2N/A
2N/A if (p12 == NULL || (keys == NULL && certs == NULL))
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A if (pin == NULL || *pin == NULL) {
2N/A if (PKCS12_verify_mac(p12, NULL, 0)) {
2N/A pin = NULL;
2N/A } else if (PKCS12_verify_mac(p12, "", 0)) {
2N/A pin = "";
2N/A } else {
2N/A return (KMF_ERR_AUTH_FAILED);
2N/A }
2N/A } else if (!PKCS12_verify_mac(p12, pin, -1)) {
2N/A return (KMF_ERR_AUTH_FAILED);
2N/A }
2N/A
2N/A if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
2N/A return (KMF_ERR_PKCS12_FORMAT);
2N/A
2N/A for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
2N/A bags = NULL;
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A p7 = sk_PKCS7_value(asafes, i);
2N/A#else
2N/A p7 = sk_PKCS7_value(asafes, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A bagnid = OBJ_obj2nid(p7->type);
2N/A
2N/A if (bagnid == NID_pkcs7_data) {
2N/A bags = PKCS12_unpack_p7data(p7);
2N/A } else if (bagnid == NID_pkcs7_encrypted) {
2N/A bags = PKCS12_unpack_p7encdata(p7, pin,
2N/A (pin ? strlen(pin) : 0));
2N/A } else {
2N/A continue;
2N/A }
2N/A if (bags == NULL) {
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A goto out;
2N/A }
2N/A
2N/A if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
2N/A ret = KMF_ERR_PKCS12_FORMAT;
2N/A
2N/A sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
2N/A }
2N/Aout:
2N/A if (asafes != NULL)
2N/A sk_PKCS7_pop_free(asafes, PKCS7_free);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * Helper function to decrypt and parse PKCS#12 import file.
2N/A */
2N/Astatic KMF_RETURN
2N/Aextract_pkcs12(BIO *fbio, CK_UTF8CHAR *pin, CK_ULONG pinlen,
2N/A STACK_OF(EVP_PKEY) **priv_key, STACK_OF(X509) **certs,
2N/A STACK_OF(X509) **ca)
2N/A/* ARGSUSED2 */
2N/A{
2N/A PKCS12 *pk12, *pk12_tmp;
2N/A STACK_OF(EVP_PKEY) *pkeylist = NULL;
2N/A STACK_OF(X509) *xcertlist = NULL;
2N/A STACK_OF(X509) *cacertlist = NULL;
2N/A
2N/A if ((pk12 = PKCS12_new()) == NULL) {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A if ((pk12_tmp = d2i_PKCS12_bio(fbio, &pk12)) == NULL) {
2N/A /* This is ok; it seems to mean there is no more to read. */
2N/A if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_ASN1 &&
2N/A ERR_GET_REASON(ERR_peek_error()) == ASN1_R_HEADER_TOO_LONG)
2N/A goto end_extract_pkcs12;
2N/A
2N/A PKCS12_free(pk12);
2N/A return (KMF_ERR_PKCS12_FORMAT);
2N/A }
2N/A pk12 = pk12_tmp;
2N/A
2N/A xcertlist = sk_X509_new_null();
2N/A if (xcertlist == NULL) {
2N/A PKCS12_free(pk12);
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A pkeylist = sk_EVP_PKEY_new_null();
2N/A if (pkeylist == NULL) {
2N/A sk_X509_pop_free(xcertlist, X509_free);
2N/A PKCS12_free(pk12);
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A if (openssl_pkcs12_parse(pk12, (char *)pin, pkeylist, xcertlist,
2N/A cacertlist) != KMF_OK) {
2N/A sk_X509_pop_free(xcertlist, X509_free);
2N/A sk_EVP_PKEY_pop_free(pkeylist, EVP_PKEY_free);
2N/A PKCS12_free(pk12);
2N/A return (KMF_ERR_PKCS12_FORMAT);
2N/A }
2N/A
2N/A if (priv_key && pkeylist)
2N/A *priv_key = pkeylist;
2N/A else if (pkeylist)
2N/A sk_EVP_PKEY_pop_free(pkeylist, EVP_PKEY_free);
2N/A if (certs && xcertlist)
2N/A *certs = xcertlist;
2N/A else if (xcertlist)
2N/A sk_X509_pop_free(xcertlist, X509_free);
2N/A if (ca && cacertlist)
2N/A *ca = cacertlist;
2N/A else if (cacertlist)
2N/A sk_X509_pop_free(cacertlist, X509_free);
2N/A
2N/Aend_extract_pkcs12:
2N/A
2N/A PKCS12_free(pk12);
2N/A return (KMF_OK);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AsslBN2KMFBN(BIGNUM *from, KMF_BIGINT *to)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A uint32_t sz;
2N/A
2N/A sz = BN_num_bytes(from);
2N/A to->val = (uchar_t *)malloc(sz);
2N/A if (to->val == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A if ((to->len = BN_bn2bin(from, to->val)) != sz) {
2N/A free(to->val);
2N/A to->val = NULL;
2N/A to->len = 0;
2N/A rv = KMF_ERR_MEMORY;
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AexportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
2N/A{
2N/A KMF_RETURN rv;
2N/A KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa;
2N/A
2N/A (void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));
2N/A if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->d != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->p != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->q != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->dmp1 != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->dmq1 != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if (rsa->iqmp != NULL)
2N/A if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK)
2N/A goto cleanup;
2N/Acleanup:
2N/A if (rv != KMF_OK)
2N/A kmf_free_raw_key(key);
2N/A else
2N/A key->keytype = KMF_RSA;
2N/A
2N/A /*
2N/A * Free the reference to this key, SSL will not actually free
2N/A * the memory until the refcount == 0, so this is safe.
2N/A */
2N/A RSA_free(rsa);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AexportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
2N/A{
2N/A KMF_RETURN rv;
2N/A KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa;
2N/A
2N/A (void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));
2N/A if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/A if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK)
2N/A goto cleanup;
2N/A
2N/Acleanup:
2N/A if (rv != KMF_OK)
2N/A kmf_free_raw_key(key);
2N/A else
2N/A key->keytype = KMF_DSA;
2N/A
2N/A /*
2N/A * Free the reference to this key, SSL will not actually free
2N/A * the memory until the refcount == 0, so this is safe.
2N/A */
2N/A DSA_free(dsa);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aadd_cert_to_list(KMF_HANDLE *kmfh, X509 *sslcert,
2N/A KMF_X509_DER_CERT **certlist, int *ncerts)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_X509_DER_CERT *list = (*certlist);
2N/A KMF_X509_DER_CERT cert;
2N/A int n = (*ncerts);
2N/A
2N/A if (list == NULL) {
2N/A list = (KMF_X509_DER_CERT *)malloc(sizeof (KMF_X509_DER_CERT));
2N/A } else {
2N/A list = (KMF_X509_DER_CERT *)realloc(list,
2N/A sizeof (KMF_X509_DER_CERT) * (n + 1));
2N/A }
2N/A
2N/A if (list == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A (void) memset(&cert, 0, sizeof (cert));
2N/A rv = ssl_cert2KMFDATA(kmfh, sslcert, &cert.certificate);
2N/A if (rv == KMF_OK) {
2N/A int len = 0;
2N/A /* Get the alias name for the cert if there is one */
2N/A char *a = (char *)X509_alias_get0(sslcert, &len);
2N/A if (a != NULL)
2N/A cert.kmf_private.label = strdup(a);
2N/A cert.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
2N/A
2N/A list[n] = cert;
2N/A (*ncerts) = n + 1;
2N/A
2N/A *certlist = list;
2N/A } else {
2N/A free(list);
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Aadd_key_to_list(KMF_RAW_KEY_DATA **keylist,
2N/A KMF_RAW_KEY_DATA *newkey, int *nkeys)
2N/A{
2N/A KMF_RAW_KEY_DATA *list = (*keylist);
2N/A int n = (*nkeys);
2N/A
2N/A if (list == NULL) {
2N/A list = (KMF_RAW_KEY_DATA *)malloc(sizeof (KMF_RAW_KEY_DATA));
2N/A } else {
2N/A list = (KMF_RAW_KEY_DATA *)realloc(list,
2N/A sizeof (KMF_RAW_KEY_DATA) * (n + 1));
2N/A }
2N/A
2N/A if (list == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A
2N/A list[n] = *newkey;
2N/A (*nkeys) = n + 1;
2N/A
2N/A *keylist = list;
2N/A
2N/A return (KMF_OK);
2N/A}
2N/A
2N/Astatic X509_ATTRIBUTE *
2N/Afind_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
2N/A{
2N/A X509_ATTRIBUTE *a;
2N/A int i;
2N/A
2N/A if (attrs == NULL)
2N/A return (NULL);
2N/A
2N/A for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A a = sk_X509_ATTRIBUTE_value(attrs, i);
2N/A#else
2N/A a = sk_X509_ATTRIBUTE_value(attrs, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A if (OBJ_obj2nid(a->object) == nid)
2N/A return (a);
2N/A }
2N/A return (NULL);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AconvertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A X509_ATTRIBUTE *attr;
2N/A
2N/A if (pkey == NULL || key == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A /* Convert SSL key to raw key */
2N/A switch (pkey->type) {
2N/A case EVP_PKEY_RSA:
2N/A rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
2N/A key);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A break;
2N/A case EVP_PKEY_DSA:
2N/A rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
2N/A key);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A break;
2N/A default:
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A /*
2N/A * If friendlyName, add it to record.
2N/A */
2N/A attr = find_attr(pkey->attributes, NID_friendlyName);
2N/A if (attr != NULL) {
2N/A ASN1_TYPE *ty = NULL;
2N/A int numattr = sk_ASN1_TYPE_num(attr->value.set);
2N/A if (attr->single == 0 && numattr > 0) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A ty = sk_ASN1_TYPE_value(attr->value.set, 0);
2N/A#else
2N/A ty = sk_ASN1_TYPE_value(attr->value.set, 0);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A }
2N/A if (ty != NULL) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A key->label = uni2asc(ty->value.bmpstring->data,
2N/A ty->value.bmpstring->length);
2N/A#else
2N/A key->label = OPENSSL_uni2asc(
2N/A ty->value.bmpstring->data,
2N/A ty->value.bmpstring->length);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A }
2N/A } else {
2N/A key->label = NULL;
2N/A }
2N/A
2N/A /*
2N/A * If KeyID, add it to record as a KMF_DATA object.
2N/A */
2N/A attr = find_attr(pkey->attributes, NID_localKeyID);
2N/A if (attr != NULL) {
2N/A ASN1_TYPE *ty = NULL;
2N/A int numattr = sk_ASN1_TYPE_num(attr->value.set);
2N/A if (attr->single == 0 && numattr > 0) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A ty = sk_ASN1_TYPE_value(attr->value.set, 0);
2N/A#else
2N/A ty = sk_ASN1_TYPE_value(attr->value.set, 0);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A }
2N/A key->id.Data = (uchar_t *)malloc(
2N/A ty->value.octet_string->length);
2N/A if (key->id.Data == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memcpy(key->id.Data, ty->value.octet_string->data,
2N/A ty->value.octet_string->length);
2N/A key->id.Length = ty->value.octet_string->length;
2N/A } else {
2N/A (void) memset(&key->id, 0, sizeof (KMF_DATA));
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/AconvertPK12Objects(
2N/A KMF_HANDLE *kmfh,
2N/A STACK_OF(EVP_PKEY) *sslkeys,
2N/A STACK_OF(X509) *sslcert,
2N/A STACK_OF(X509) *sslcacerts,
2N/A KMF_RAW_KEY_DATA **keylist, int *nkeys,
2N/A KMF_X509_DER_CERT **certlist, int *ncerts)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_RAW_KEY_DATA key;
2N/A int i;
2N/A
2N/A for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
2N/A#else
2N/A EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A rv = convertToRawKey(pkey, &key);
2N/A if (rv == KMF_OK)
2N/A rv = add_key_to_list(keylist, &key, nkeys);
2N/A
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A }
2N/A
2N/A /* Now add the certificate to the certlist */
2N/A for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A X509 *cert = sk_X509_value(sslcert, i);
2N/A#else
2N/A X509 *cert = sk_X509_value(sslcert, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A }
2N/A
2N/A /* Also add any included CA certs to the list */
2N/A for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
2N/A X509 *c;
2N/A /*
2N/A * sk_X509_value() is macro that embeds a cast to (X509 *).
2N/A * Here it translates into ((X509 *)sk_value((ca), (i))).
2N/A * Lint is complaining about the embedded casting, and
2N/A * to fix it, you need to fix openssl header files.
2N/A */
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A c = sk_X509_value(sslcacerts, i);
2N/A#else
2N/A c = sk_X509_value(sslcacerts, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A
2N/A /* Now add the ca cert to the certlist */
2N/A rv = add_cert_to_list(kmfh, c, certlist, ncerts);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A }
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/Aopenssl_import_objects(KMF_HANDLE *kmfh,
2N/A char *filename, KMF_CREDENTIAL *cred,
2N/A KMF_X509_DER_CERT **certlist, int *ncerts,
2N/A KMF_RAW_KEY_DATA **keylist, int *nkeys)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_ENCODE_FORMAT format;
2N/A BIO *bio = NULL;
2N/A STACK_OF(EVP_PKEY) *privkeys = NULL;
2N/A STACK_OF(X509) *certs = NULL;
2N/A STACK_OF(X509) *cacerts = NULL;
2N/A
2N/A /*
2N/A * auto-detect the file format, regardless of what
2N/A * the 'format' parameters in the params say.
2N/A */
2N/A rv = kmf_get_file_format(filename, &format);
2N/A if (rv != KMF_OK) {
2N/A return (rv);
2N/A }
2N/A
2N/A /* This function only works for PEM or PKCS#12 files */
2N/A if (format != KMF_FORMAT_PEM &&
2N/A format != KMF_FORMAT_PEM_KEYPAIR &&
2N/A format != KMF_FORMAT_PKCS12)
2N/A return (KMF_ERR_ENCODING);
2N/A
2N/A *certlist = NULL;
2N/A *keylist = NULL;
2N/A *ncerts = 0;
2N/A *nkeys = 0;
2N/A
2N/A if (format == KMF_FORMAT_PKCS12) {
2N/A bio = BIO_new_file(filename, "rb");
2N/A if (bio == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A rv = extract_pkcs12(bio, (uchar_t *)cred->cred,
2N/A (uint32_t)cred->credlen, &privkeys, &certs, &cacerts);
2N/A
2N/A if (rv == KMF_OK)
2N/A /* Convert keys and certs to exportable format */
2N/A rv = convertPK12Objects(kmfh, privkeys, certs, cacerts,
2N/A keylist, nkeys, certlist, ncerts);
2N/A } else {
2N/A EVP_PKEY *pkey;
2N/A KMF_DATA *certdata = NULL;
2N/A KMF_X509_DER_CERT *kmfcerts = NULL;
2N/A int i;
2N/A rv = extract_pem(kmfh, NULL, NULL, NULL, filename,
2N/A (uchar_t *)cred->cred, (uint32_t)cred->credlen,
2N/A &pkey, &certdata, ncerts);
2N/A
2N/A /* Reached end of import file? */
2N/A if (rv == KMF_OK && pkey != NULL) {
2N/A privkeys = sk_EVP_PKEY_new_null();
2N/A if (privkeys == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A (void) sk_EVP_PKEY_push(privkeys, pkey);
2N/A /* convert the certificate list here */
2N/A if (*ncerts > 0 && certlist != NULL) {
2N/A kmfcerts = (KMF_X509_DER_CERT *)calloc(*ncerts,
2N/A sizeof (KMF_X509_DER_CERT));
2N/A if (kmfcerts == NULL) {
2N/A rv = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A for (i = 0; i < *ncerts; i++) {
2N/A kmfcerts[i].certificate = certdata[i];
2N/A kmfcerts[i].kmf_private.keystore_type =
2N/A KMF_KEYSTORE_OPENSSL;
2N/A }
2N/A *certlist = kmfcerts;
2N/A }
2N/A /*
2N/A * Convert keys to exportable format, the certs
2N/A * are already OK.
2N/A */
2N/A rv = convertPK12Objects(kmfh, privkeys, NULL, NULL,
2N/A keylist, nkeys, NULL, NULL);
2N/A }
2N/A }
2N/Aend:
2N/A if (bio != NULL)
2N/A (void) BIO_free(bio);
2N/A
2N/A if (privkeys)
2N/A sk_EVP_PKEY_pop_free(privkeys, EVP_PKEY_free);
2N/A if (certs)
2N/A sk_X509_pop_free(certs, X509_free);
2N/A if (cacerts)
2N/A sk_X509_pop_free(cacerts, X509_free);
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/Astatic KMF_RETURN
2N/Acreate_deskey(DES_cblock **deskey)
2N/A{
2N/A DES_cblock *key;
2N/A
2N/A key = (DES_cblock *) malloc(sizeof (DES_cblock));
2N/A if (key == NULL) {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A if (DES_random_key(key) == 0) {
2N/A free(key);
2N/A return (KMF_ERR_KEYGEN_FAILED);
2N/A }
2N/A
2N/A *deskey = key;
2N/A return (KMF_OK);
2N/A}
2N/A
2N/A#define KEYGEN_RETRY 3
2N/A#define DES3_KEY_SIZE 24
2N/A
2N/Astatic KMF_RETURN
2N/Acreate_des3key(unsigned char **des3key)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A DES_cblock *deskey1 = NULL;
2N/A DES_cblock *deskey2 = NULL;
2N/A DES_cblock *deskey3 = NULL;
2N/A unsigned char *newkey = NULL;
2N/A int retry;
2N/A
2N/A if ((newkey = malloc(DES3_KEY_SIZE)) == NULL) {
2N/A return (KMF_ERR_MEMORY);
2N/A }
2N/A
2N/A /* create the 1st DES key */
2N/A if ((ret = create_deskey(&deskey1)) != KMF_OK) {
2N/A goto out;
2N/A }
2N/A
2N/A /*
2N/A * Create the 2nd DES key and make sure its value is different
2N/A * from the 1st DES key.
2N/A */
2N/A retry = 0;
2N/A do {
2N/A if (deskey2 != NULL) {
2N/A free(deskey2);
2N/A deskey2 = NULL;
2N/A }
2N/A
2N/A if ((ret = create_deskey(&deskey2)) != KMF_OK) {
2N/A goto out;
2N/A }
2N/A
2N/A if (memcmp((const void *) deskey1, (const void *) deskey2, 8)
2N/A == 0) {
2N/A ret = KMF_ERR_KEYGEN_FAILED;
2N/A retry++;
2N/A }
2N/A } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto out;
2N/A }
2N/A
2N/A /*
2N/A * Create the 3rd DES key and make sure its value is different
2N/A * from the 2nd DES key.
2N/A */
2N/A retry = 0;
2N/A do {
2N/A if (deskey3 != NULL) {
2N/A free(deskey3);
2N/A deskey3 = NULL;
2N/A }
2N/A
2N/A if ((ret = create_deskey(&deskey3)) != KMF_OK) {
2N/A goto out;
2N/A }
2N/A
2N/A if (memcmp((const void *)deskey2, (const void *)deskey3, 8)
2N/A == 0) {
2N/A ret = KMF_ERR_KEYGEN_FAILED;
2N/A retry++;
2N/A }
2N/A } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
2N/A
2N/A if (ret != KMF_OK) {
2N/A goto out;
2N/A }
2N/A
2N/A /* Concatenate 3 DES keys into a DES3 key */
2N/A (void) memcpy((void *)newkey, (const void *)deskey1, 8);
2N/A (void) memcpy((void *)(newkey + 8), (const void *)deskey2, 8);
2N/A (void) memcpy((void *)(newkey + 16), (const void *)deskey3, 8);
2N/A *des3key = newkey;
2N/A
2N/Aout:
2N/A if (deskey1 != NULL)
2N/A free(deskey1);
2N/A
2N/A if (deskey2 != NULL)
2N/A free(deskey2);
2N/A
2N/A if (deskey3 != NULL)
2N/A free(deskey3);
2N/A
2N/A if (ret != KMF_OK && newkey != NULL)
2N/A free(newkey);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CreateSymKey(KMF_HANDLE_T handle,
2N/A int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A char *fullpath = NULL;
2N/A KMF_RAW_SYM_KEY *rkey = NULL;
2N/A DES_cblock *deskey = NULL;
2N/A unsigned char *des3key = NULL;
2N/A unsigned char *random = NULL;
2N/A int fd = -1;
2N/A KMF_KEY_HANDLE *symkey;
2N/A KMF_KEY_ALG keytype;
2N/A uint32_t keylen;
2N/A uint32_t keylen_size = sizeof (keylen);
2N/A char *dirpath;
2N/A char *keyfile;
2N/A
2N/A if (kmfh == NULL)
2N/A return (KMF_ERR_UNINITIALIZED);
2N/A
2N/A symkey = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (symkey == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A
2N/A keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2N/A if (keyfile == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
2N/A (void *)&keytype, NULL);
2N/A if (ret != KMF_OK)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A ret = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
2N/A &keylen, &keylen_size);
2N/A if (ret == KMF_ERR_ATTR_NOT_FOUND &&
2N/A (keytype == KMF_DES || keytype == KMF_DES3))
2N/A /* keylength is not required for DES and 3DES */
2N/A ret = KMF_OK;
2N/A if (ret != KMF_OK)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A fullpath = get_fullpath(dirpath, keyfile);
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* If the requested file exists, return an error */
2N/A if (test_for_file(fullpath, 0400) == 1) {
2N/A free(fullpath);
2N/A return (KMF_ERR_DUPLICATE_KEYFILE);
2N/A }
2N/A
2N/A fd = open(fullpath, O_CREAT|O_TRUNC|O_RDWR, 0400);
2N/A if (fd == -1) {
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto out;
2N/A }
2N/A
2N/A rkey = malloc(sizeof (KMF_RAW_SYM_KEY));
2N/A if (rkey == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY));
2N/A
2N/A if (keytype == KMF_DES) {
2N/A if ((ret = create_deskey(&deskey)) != KMF_OK) {
2N/A goto out;
2N/A }
2N/A rkey->keydata.val = (uchar_t *)deskey;
2N/A rkey->keydata.len = 8;
2N/A
2N/A symkey->keyalg = KMF_DES;
2N/A
2N/A } else if (keytype == KMF_DES3) {
2N/A if ((ret = create_des3key(&des3key)) != KMF_OK) {
2N/A goto out;
2N/A }
2N/A rkey->keydata.val = (uchar_t *)des3key;
2N/A rkey->keydata.len = DES3_KEY_SIZE;
2N/A symkey->keyalg = KMF_DES3;
2N/A
2N/A } else if (keytype == KMF_AES || keytype == KMF_RC4 ||
2N/A keytype == KMF_GENERIC_SECRET) {
2N/A int bytes;
2N/A
2N/A if (keylen % 8 != 0) {
2N/A ret = KMF_ERR_BAD_KEY_SIZE;
2N/A goto out;
2N/A }
2N/A
2N/A if (keytype == KMF_AES) {
2N/A if (keylen != 128 &&
2N/A keylen != 192 &&
2N/A keylen != 256) {
2N/A ret = KMF_ERR_BAD_KEY_SIZE;
2N/A goto out;
2N/A }
2N/A }
2N/A
2N/A bytes = keylen/8;
2N/A random = malloc(bytes);
2N/A if (random == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto out;
2N/A }
2N/A if (RAND_bytes(random, bytes) != 1) {
2N/A ret = KMF_ERR_KEYGEN_FAILED;
2N/A goto out;
2N/A }
2N/A
2N/A rkey->keydata.val = (uchar_t *)random;
2N/A rkey->keydata.len = bytes;
2N/A symkey->keyalg = keytype;
2N/A
2N/A } else {
2N/A ret = KMF_ERR_BAD_KEY_TYPE;
2N/A goto out;
2N/A }
2N/A
2N/A (void) write(fd, (const void *) rkey->keydata.val, rkey->keydata.len);
2N/A
2N/A symkey->kstype = KMF_KEYSTORE_OPENSSL;
2N/A symkey->keyclass = KMF_SYMMETRIC;
2N/A symkey->keylabel = (char *)fullpath;
2N/A symkey->israw = TRUE;
2N/A symkey->keyp = rkey;
2N/A
2N/Aout:
2N/A if (fd != -1)
2N/A (void) close(fd);
2N/A
2N/A if (ret != KMF_OK && fullpath != NULL) {
2N/A free(fullpath);
2N/A }
2N/A if (ret != KMF_OK) {
2N/A kmf_free_raw_sym_key(rkey);
2N/A symkey->keyp = NULL;
2N/A symkey->keyalg = KMF_KEYALG_NONE;
2N/A }
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/A/*
2N/A * Check a file to see if it is a CRL file with PEM or DER format.
2N/A * If success, return its format in the "pformat" argument.
2N/A */
2N/AKMF_RETURN
2N/AOpenSSL_IsCRLFile(KMF_HANDLE_T handle, char *filename, int *pformat)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A BIO *bio = NULL;
2N/A X509_CRL *xcrl = NULL;
2N/A
2N/A if (filename == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A bio = BIO_new_file(filename, "rb");
2N/A if (bio == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto out;
2N/A }
2N/A
2N/A if ((xcrl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)) != NULL) {
2N/A *pformat = KMF_FORMAT_PEM;
2N/A goto out;
2N/A }
2N/A (void) BIO_free(bio);
2N/A
2N/A /*
2N/A * Now try to read it as raw DER data.
2N/A */
2N/A bio = BIO_new_file(filename, "rb");
2N/A if (bio == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto out;
2N/A }
2N/A
2N/A if ((xcrl = d2i_X509_CRL_bio(bio, NULL)) != NULL) {
2N/A *pformat = KMF_FORMAT_ASN1;
2N/A } else {
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A }
2N/A
2N/Aout:
2N/A if (bio != NULL)
2N/A (void) BIO_free(bio);
2N/A
2N/A if (xcrl != NULL)
2N/A X509_CRL_free(xcrl);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
2N/A KMF_RAW_SYM_KEY *rkey)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_DATA keyvalue;
2N/A
2N/A if (kmfh == NULL)
2N/A return (KMF_ERR_UNINITIALIZED);
2N/A
2N/A if (symkey == NULL || rkey == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A else if (symkey->keyclass != KMF_SYMMETRIC)
2N/A return (KMF_ERR_BAD_KEY_CLASS);
2N/A
2N/A if (symkey->israw) {
2N/A KMF_RAW_SYM_KEY *rawkey = (KMF_RAW_SYM_KEY *)symkey->keyp;
2N/A
2N/A if (rawkey == NULL ||
2N/A rawkey->keydata.val == NULL ||
2N/A rawkey->keydata.len == 0)
2N/A return (KMF_ERR_BAD_KEYHANDLE);
2N/A
2N/A rkey->keydata.len = rawkey->keydata.len;
2N/A if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
2N/A return (KMF_ERR_MEMORY);
2N/A (void) memcpy(rkey->keydata.val, rawkey->keydata.val,
2N/A rkey->keydata.len);
2N/A } else {
2N/A rv = kmf_read_input_file(handle, symkey->keylabel, &keyvalue);
2N/A if (rv != KMF_OK)
2N/A return (rv);
2N/A rkey->keydata.len = keyvalue.Length;
2N/A rkey->keydata.val = keyvalue.Data;
2N/A }
2N/A
2N/A return (rv);
2N/A}
2N/A
2N/A/*
2N/A * substitute for the unsafe access(2) function.
2N/A * If the file in question already exists, return 1.
2N/A * else 0. If an error occurs during testing (other
2N/A * than EEXIST), return -1.
2N/A */
2N/Astatic int
2N/Atest_for_file(char *filename, mode_t mode)
2N/A{
2N/A int fd;
2N/A
2N/A /*
2N/A * Try to create the file with the EXCL flag.
2N/A * The call should fail if the file exists.
2N/A */
2N/A fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2N/A if (fd == -1 && errno == EEXIST)
2N/A return (1);
2N/A else if (fd == -1) /* some other error */
2N/A return (-1);
2N/A
2N/A /* The file did NOT exist. Delete the testcase. */
2N/A (void) close(fd);
2N/A (void) unlink(filename);
2N/A return (0);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_StoreKey(KMF_HANDLE_T handle, int numattr,
2N/A KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN rv = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_KEY_HANDLE *pubkey = NULL, *prikey = NULL;
2N/A KMF_RAW_KEY_DATA *rawkey;
2N/A EVP_PKEY *pkey = NULL;
2N/A KMF_ENCODE_FORMAT format = KMF_FORMAT_PEM;
2N/A KMF_CREDENTIAL cred = {NULL, 0};
2N/A BIO *out = NULL;
2N/A int keys = 0;
2N/A char *fullpath = NULL;
2N/A char *keyfile = NULL;
2N/A char *dirpath = NULL;
2N/A
2N/A pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (pubkey != NULL)
2N/A keys++;
2N/A
2N/A prikey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
2N/A if (prikey != NULL)
2N/A keys++;
2N/A
2N/A rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
2N/A if (rawkey != NULL)
2N/A keys++;
2N/A
2N/A /*
2N/A * Exactly 1 type of key must be passed to this function.
2N/A */
2N/A if (keys != 1)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A keyfile = (char *)kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist,
2N/A numattr);
2N/A if (keyfile == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A
2N/A fullpath = get_fullpath(dirpath, keyfile);
2N/A
2N/A /* Once we have the full path, we don't need the pieces */
2N/A if (fullpath == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A /* If the requested file exists, return an error */
2N/A if (test_for_file(fullpath, 0400) == 1) {
2N/A free(fullpath);
2N/A return (KMF_ERR_DUPLICATE_KEYFILE);
2N/A }
2N/A
2N/A rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
2N/A &format, NULL);
2N/A if (rv != KMF_OK)
2N/A /* format is optional. */
2N/A rv = KMF_OK;
2N/A
2N/A /* CRED is not required for OpenSSL files */
2N/A (void) kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
2N/A &cred, NULL);
2N/A
2N/A /* Store the private key to the keyfile */
2N/A out = BIO_new_file(fullpath, "wb");
2N/A if (out == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A rv = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (prikey != NULL && prikey->keyp != NULL) {
2N/A if (prikey->keyalg == KMF_RSA ||
2N/A prikey->keyalg == KMF_DSA) {
2N/A pkey = (EVP_PKEY *)prikey->keyp;
2N/A
2N/A rv = ssl_write_key(kmfh, format,
2N/A out, &cred, pkey, TRUE);
2N/A
2N/A if (rv == KMF_OK && prikey->keylabel == NULL) {
2N/A prikey->keylabel = strdup(fullpath);
2N/A if (prikey->keylabel == NULL)
2N/A rv = KMF_ERR_MEMORY;
2N/A }
2N/A }
2N/A } else if (pubkey != NULL && pubkey->keyp != NULL) {
2N/A if (pubkey->keyalg == KMF_RSA ||
2N/A pubkey->keyalg == KMF_DSA) {
2N/A pkey = (EVP_PKEY *)pubkey->keyp;
2N/A
2N/A rv = ssl_write_key(kmfh, format,
2N/A out, &cred, pkey, FALSE);
2N/A
2N/A if (rv == KMF_OK && pubkey->keylabel == NULL) {
2N/A pubkey->keylabel = strdup(fullpath);
2N/A if (pubkey->keylabel == NULL)
2N/A rv = KMF_ERR_MEMORY;
2N/A }
2N/A }
2N/A } else if (rawkey != NULL) {
2N/A if (rawkey->keytype == KMF_RSA) {
2N/A pkey = ImportRawRSAKey(&rawkey->rawdata.rsa);
2N/A } else if (rawkey->keytype == KMF_DSA) {
2N/A pkey = ImportRawDSAKey(&rawkey->rawdata.dsa);
2N/A } else {
2N/A rv = KMF_ERR_BAD_PARAMETER;
2N/A }
2N/A if (pkey != NULL) {
2N/A KMF_KEY_CLASS kclass = KMF_ASYM_PRI;
2N/A
2N/A rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
2N/A (void *)&kclass, NULL);
2N/A if (rv != KMF_OK)
2N/A rv = KMF_OK;
2N/A rv = ssl_write_key(kmfh, format, out,
2N/A &cred, pkey, (kclass == KMF_ASYM_PRI));
2N/A EVP_PKEY_free(pkey);
2N/A }
2N/A }
2N/A
2N/Aend:
2N/A
2N/A if (out)
2N/A (void) BIO_free(out);
2N/A
2N/A
2N/A if (rv == KMF_OK)
2N/A (void) chmod(fullpath, 0400);
2N/A
2N/A free(fullpath);
2N/A return (rv);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ImportCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A X509_CRL *xcrl = NULL;
2N/A X509 *xcert = NULL;
2N/A EVP_PKEY *pkey;
2N/A KMF_ENCODE_FORMAT format;
2N/A BIO *in = NULL, *out = NULL;
2N/A int openssl_ret = 0;
2N/A KMF_ENCODE_FORMAT outformat;
2N/A boolean_t crlcheck = FALSE;
2N/A char *certfile, *dirpath, *crlfile, *incrl, *outcrl, *outcrlfile;
2N/A
2N/A if (numattr == 0 || attrlist == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A /* CRL check is optional */
2N/A (void) kmf_get_attr(KMF_CRL_CHECK_ATTR, attrlist, numattr,
2N/A &crlcheck, NULL);
2N/A
2N/A certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
2N/A if (crlcheck == B_TRUE && certfile == NULL) {
2N/A return (KMF_ERR_BAD_CERTFILE);
2N/A }
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A incrl = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR, attrlist, numattr);
2N/A outcrl = kmf_get_attr_ptr(KMF_CRL_OUTFILE_ATTR, attrlist, numattr);
2N/A
2N/A crlfile = get_fullpath(dirpath, incrl);
2N/A
2N/A if (crlfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A outcrlfile = get_fullpath(dirpath, outcrl);
2N/A if (outcrlfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A if (isdir(outcrlfile)) {
2N/A free(outcrlfile);
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A }
2N/A
2N/A ret = kmf_is_crl_file(handle, crlfile, &format);
2N/A if (ret != KMF_OK) {
2N/A free(outcrlfile);
2N/A return (ret);
2N/A }
2N/A
2N/A in = BIO_new_file(crlfile, "rb");
2N/A if (in == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A xcrl = d2i_X509_CRL_bio(in, NULL);
2N/A } else if (format == KMF_FORMAT_PEM) {
2N/A xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
2N/A }
2N/A
2N/A if (xcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto end;
2N/A }
2N/A
2N/A /* If bypasscheck is specified, no need to verify. */
2N/A if (crlcheck == B_FALSE)
2N/A goto output;
2N/A
2N/A ret = kmf_is_cert_file(handle, certfile, &format);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A
2N/A /* Read in the CA cert file and convert to X509 */
2N/A if (BIO_read_filename(in, certfile) <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A xcert = d2i_X509_bio(in, NULL);
2N/A } else if (format == KMF_FORMAT_PEM) {
2N/A xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
2N/A } else {
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto end;
2N/A }
2N/A /* Now get the public key from the CA cert */
2N/A pkey = X509_get_pubkey(xcert);
2N/A if (pkey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CERTFILE;
2N/A goto end;
2N/A }
2N/A
2N/A /* Verify the CRL with the CA's public key */
2N/A openssl_ret = X509_CRL_verify(xcrl, pkey);
2N/A EVP_PKEY_free(pkey);
2N/A if (openssl_ret > 0) {
2N/A ret = KMF_OK; /* verify succeed */
2N/A } else {
2N/A SET_ERROR(kmfh, openssl_ret);
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A }
2N/A
2N/Aoutput:
2N/A ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
2N/A &outformat, NULL);
2N/A if (ret != KMF_OK) {
2N/A ret = KMF_OK;
2N/A outformat = KMF_FORMAT_PEM;
2N/A }
2N/A
2N/A out = BIO_new_file(outcrlfile, "wb");
2N/A if (out == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (outformat == KMF_FORMAT_ASN1) {
2N/A openssl_ret = (int)i2d_X509_CRL_bio(out, xcrl);
2N/A } else if (outformat == KMF_FORMAT_PEM) {
2N/A openssl_ret = PEM_write_bio_X509_CRL(out, xcrl);
2N/A } else {
2N/A ret = KMF_ERR_BAD_PARAMETER;
2N/A goto end;
2N/A }
2N/A
2N/A if (openssl_ret <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_WRITE_FILE;
2N/A } else {
2N/A ret = KMF_OK;
2N/A }
2N/A
2N/Aend:
2N/A if (xcrl != NULL)
2N/A X509_CRL_free(xcrl);
2N/A
2N/A if (xcert != NULL)
2N/A X509_free(xcert);
2N/A
2N/A if (in != NULL)
2N/A (void) BIO_free(in);
2N/A
2N/A if (out != NULL)
2N/A (void) BIO_free(out);
2N/A
2N/A if (outcrlfile != NULL)
2N/A free(outcrlfile);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_ListCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A X509_CRL *x = NULL;
2N/A KMF_ENCODE_FORMAT format;
2N/A char *crlfile = NULL;
2N/A BIO *in = NULL;
2N/A BIO *mem = NULL;
2N/A long len;
2N/A char *memptr;
2N/A char *data = NULL;
2N/A char **crldata;
2N/A char *crlfilename, *dirpath;
2N/A
2N/A if (numattr == 0 || attrlist == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
2N/A attrlist, numattr);
2N/A if (crlfilename == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A crldata = (char **)kmf_get_attr_ptr(KMF_CRL_DATA_ATTR,
2N/A attrlist, numattr);
2N/A
2N/A if (crldata == NULL)
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A
2N/A crlfile = get_fullpath(dirpath, crlfilename);
2N/A
2N/A if (crlfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A if (isdir(crlfile)) {
2N/A free(crlfile);
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A }
2N/A
2N/A ret = kmf_is_crl_file(handle, crlfile, &format);
2N/A if (ret != KMF_OK) {
2N/A free(crlfile);
2N/A return (ret);
2N/A }
2N/A
2N/A if (bio_err == NULL)
2N/A bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
2N/A
2N/A in = BIO_new_file(crlfile, "rb");
2N/A if (in == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A x = d2i_X509_CRL_bio(in, NULL);
2N/A } else if (format == KMF_FORMAT_PEM) {
2N/A x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
2N/A }
2N/A
2N/A if (x == NULL) { /* should not happen */
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A mem = BIO_new(BIO_s_mem());
2N/A if (mem == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A (void) X509_CRL_print(mem, x);
2N/A len = BIO_get_mem_data(mem, &memptr);
2N/A if (len <= 0) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A data = malloc(len + 1);
2N/A if (data == NULL) {
2N/A ret = KMF_ERR_MEMORY;
2N/A goto end;
2N/A }
2N/A
2N/A (void) memcpy(data, memptr, len);
2N/A data[len] = '\0';
2N/A *crldata = data;
2N/A
2N/Aend:
2N/A if (x != NULL)
2N/A X509_CRL_free(x);
2N/A
2N/A if (crlfile != NULL)
2N/A free(crlfile);
2N/A
2N/A if (in != NULL)
2N/A (void) BIO_free(in);
2N/A
2N/A if (mem != NULL)
2N/A (void) BIO_free(mem);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_DeleteCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_ENCODE_FORMAT format;
2N/A char *crlfile = NULL;
2N/A BIO *in = NULL;
2N/A char *crlfilename, *dirpath;
2N/A
2N/A if (numattr == 0 || attrlist == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
2N/A attrlist, numattr);
2N/A
2N/A if (crlfilename == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A
2N/A crlfile = get_fullpath(dirpath, crlfilename);
2N/A
2N/A if (crlfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A if (isdir(crlfile)) {
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto end;
2N/A }
2N/A
2N/A ret = kmf_is_crl_file(handle, crlfile, &format);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A
2N/A if (unlink(crlfile) != 0) {
2N/A SET_SYS_ERROR(kmfh, errno);
2N/A ret = KMF_ERR_INTERNAL;
2N/A goto end;
2N/A }
2N/A
2N/Aend:
2N/A if (in != NULL)
2N/A (void) BIO_free(in);
2N/A if (crlfile != NULL)
2N/A free(crlfile);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_ENCODE_FORMAT format;
2N/A BIO *in = NULL;
2N/A X509 *xcert = NULL;
2N/A X509_CRL *xcrl = NULL;
2N/A STACK_OF(X509_REVOKED) *revoke_stack = NULL;
2N/A X509_REVOKED *revoke;
2N/A int i;
2N/A char *crlfilename, *crlfile, *dirpath, *certfile;
2N/A
2N/A if (numattr == 0 || attrlist == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
2N/A attrlist, numattr);
2N/A
2N/A if (crlfilename == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
2N/A if (certfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2N/A
2N/A crlfile = get_fullpath(dirpath, crlfilename);
2N/A
2N/A if (crlfile == NULL)
2N/A return (KMF_ERR_BAD_CRLFILE);
2N/A
2N/A if (isdir(crlfile)) {
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto end;
2N/A }
2N/A
2N/A ret = kmf_is_crl_file(handle, crlfile, &format);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A
2N/A /* Read the CRL file and load it into a X509_CRL structure */
2N/A in = BIO_new_file(crlfilename, "rb");
2N/A if (in == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A xcrl = d2i_X509_CRL_bio(in, NULL);
2N/A } else if (format == KMF_FORMAT_PEM) {
2N/A xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
2N/A }
2N/A
2N/A if (xcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto end;
2N/A }
2N/A (void) BIO_free(in);
2N/A
2N/A /* Read the Certificate file and load it into a X509 structure */
2N/A ret = kmf_is_cert_file(handle, certfile, &format);
2N/A if (ret != KMF_OK)
2N/A goto end;
2N/A
2N/A in = BIO_new_file(certfile, "rb");
2N/A if (in == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto end;
2N/A }
2N/A
2N/A if (format == KMF_FORMAT_ASN1) {
2N/A xcert = d2i_X509_bio(in, NULL);
2N/A } else if (format == KMF_FORMAT_PEM) {
2N/A xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
2N/A }
2N/A
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CERTFILE;
2N/A goto end;
2N/A }
2N/A
2N/A /* Check if the certificate and the CRL have same issuer */
2N/A if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
2N/A ret = KMF_ERR_ISSUER;
2N/A goto end;
2N/A }
2N/A
2N/A /* Check to see if the certificate serial number is revoked */
2N/A revoke_stack = X509_CRL_get_REVOKED(xcrl);
2N/A if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
2N/A /* No revoked certificates in the CRL file */
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_EMPTY_CRL;
2N/A goto end;
2N/A }
2N/A
2N/A for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
2N/A#if OPENSSL_VERSION_NUMBER < 0x10000000L
2N/A /* LINTED E_BAD_PTR_CAST_ALIGN */
2N/A revoke = sk_X509_REVOKED_value(revoke_stack, i);
2N/A#else
2N/A revoke = sk_X509_REVOKED_value(revoke_stack, i);
2N/A#endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */
2N/A if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
2N/A revoke->serialNumber) == 0) {
2N/A break;
2N/A }
2N/A }
2N/A
2N/A if (i < sk_X509_REVOKED_num(revoke_stack)) {
2N/A ret = KMF_OK;
2N/A } else {
2N/A ret = KMF_ERR_NOT_REVOKED;
2N/A }
2N/A
2N/Aend:
2N/A if (in != NULL)
2N/A (void) BIO_free(in);
2N/A if (xcrl != NULL)
2N/A X509_CRL_free(xcrl);
2N/A if (xcert != NULL)
2N/A X509_free(xcert);
2N/A
2N/A return (ret);
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_VerifyCRLFile(KMF_HANDLE_T handle, char *crlname, KMF_DATA *tacert)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A BIO *bcrl = NULL;
2N/A X509_CRL *xcrl = NULL;
2N/A X509 *xcert = NULL;
2N/A EVP_PKEY *pkey;
2N/A int sslret;
2N/A KMF_ENCODE_FORMAT crl_format;
2N/A unsigned char *p;
2N/A long len;
2N/A
2N/A if (handle == NULL || crlname == NULL || tacert == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A ret = kmf_get_file_format(crlname, &crl_format);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A bcrl = BIO_new_file(crlname, "rb");
2N/A if (bcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (crl_format == KMF_FORMAT_ASN1) {
2N/A xcrl = d2i_X509_CRL_bio(bcrl, NULL);
2N/A } else if (crl_format == KMF_FORMAT_PEM) {
2N/A xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
2N/A } else {
2N/A ret = KMF_ERR_BAD_PARAMETER;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (xcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A p = tacert->Data;
2N/A len = tacert->Length;
2N/A xcert = d2i_X509(NULL, (const uchar_t **)&p, len);
2N/A
2N/A if (xcert == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CERTFILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Get issuer certificate public key */
2N/A pkey = X509_get_pubkey(xcert);
2N/A if (pkey == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CERT_FORMAT;
2N/A goto cleanup;
2N/A }
2N/A
2N/A /* Verify CRL signature */
2N/A sslret = X509_CRL_verify(xcrl, pkey);
2N/A EVP_PKEY_free(pkey);
2N/A if (sslret > 0) {
2N/A ret = KMF_OK;
2N/A } else {
2N/A SET_ERROR(kmfh, sslret);
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A }
2N/A
2N/Acleanup:
2N/A if (bcrl != NULL)
2N/A (void) BIO_free(bcrl);
2N/A
2N/A if (xcrl != NULL)
2N/A X509_CRL_free(xcrl);
2N/A
2N/A if (xcert != NULL)
2N/A X509_free(xcert);
2N/A
2N/A return (ret);
2N/A
2N/A}
2N/A
2N/AKMF_RETURN
2N/AOpenSSL_CheckCRLDate(KMF_HANDLE_T handle, char *crlname)
2N/A{
2N/A KMF_RETURN ret = KMF_OK;
2N/A KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2N/A KMF_ENCODE_FORMAT crl_format;
2N/A BIO *bcrl = NULL;
2N/A X509_CRL *xcrl = NULL;
2N/A int i;
2N/A
2N/A if (handle == NULL || crlname == NULL) {
2N/A return (KMF_ERR_BAD_PARAMETER);
2N/A }
2N/A
2N/A ret = kmf_is_crl_file(handle, crlname, &crl_format);
2N/A if (ret != KMF_OK)
2N/A return (ret);
2N/A
2N/A bcrl = BIO_new_file(crlname, "rb");
2N/A if (bcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_OPEN_FILE;
2N/A goto cleanup;
2N/A }
2N/A
2N/A if (crl_format == KMF_FORMAT_ASN1)
2N/A xcrl = d2i_X509_CRL_bio(bcrl, NULL);
2N/A else if (crl_format == KMF_FORMAT_PEM)
2N/A xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
2N/A
2N/A if (xcrl == NULL) {
2N/A SET_ERROR(kmfh, ERR_get_error());
2N/A ret = KMF_ERR_BAD_CRLFILE;
2N/A goto cleanup;
2N/A }
2N/A i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL);
2N/A if (i >= 0) {
2N/A ret = KMF_ERR_VALIDITY_PERIOD;
2N/A goto cleanup;
2N/A }
2N/A if (X509_CRL_get_nextUpdate(xcrl)) {
2N/A i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL);
2N/A
2N/A if (i <= 0) {
2N/A ret = KMF_ERR_VALIDITY_PERIOD;
2N/A goto cleanup;
2N/A }
2N/A }
2N/A
2N/A ret = KMF_OK;
2N/A
2N/Acleanup:
2N/A if (bcrl != NULL)
2N/A (void) BIO_free(bcrl);
2N/A
2N/A if (xcrl != NULL)
2N/A X509_CRL_free(xcrl);
2N/A
2N/A return (ret);
2N/A}