2N/A * ==================================================================== 2N/A * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 2N/A * Redistribution and use in source and binary forms, with or without 2N/A * modification, are permitted provided that the following conditions 2N/A * 1. Redistributions of source code must retain the above copyright 2N/A * notice, this list of conditions and the following disclaimer. 2N/A * 2. Redistributions in binary form must reproduce the above copyright 2N/A * notice, this list of conditions and the following disclaimer in 2N/A * the documentation and/or other materials provided with the 2N/A * 3. All advertising materials mentioning features or use of this 2N/A * software must display the following acknowledgment: 2N/A * "This product includes software developed by the OpenSSL Project 2N/A * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 2N/A * endorse or promote products derived from this software without 2N/A * prior written permission. For written permission, please contact 2N/A * licensing@OpenSSL.org. 2N/A * 5. Products derived from this software may not be called "OpenSSL" 2N/A * nor may "OpenSSL" appear in their names without prior written 2N/A * permission of the OpenSSL Project. 2N/A * 6. Redistributions of any form whatsoever must retain the following 2N/A * "This product includes software developed by the OpenSSL Project 2N/A * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 2N/A * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2N/A * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 2N/A * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 2N/A * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 2N/A * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 2N/A * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 2N/A * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 2N/A * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 2N/A * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 2N/A * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 2N/A * OF THE POSSIBILITY OF SUCH DAMAGE. 2N/A * ==================================================================== 2N/A * This product includes cryptographic software written by Eric Young 2N/A * (eay@cryptsoft.com). This product includes software written by Tim 2N/A * Hudson (tjh@cryptsoft.com). 2N/A * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. 2N/A * OpenSSL provides a framework for pushing error codes onto a stack. 2N/A * When an error occurs, the consumer may use the framework to 2N/A * pop the errors off the stack and provide a trace of where the 2N/A * Our PKCS12 code plugs into this framework by calling 2N/A * ERR_load_SUNW_strings(). To push an error (which by the way, consists 2N/A * of a function code and an error code) onto the stack our PKCS12 code 2N/A * Consumers of our PKCS12 code can then call the OpenSSL error routines 2N/A * when an error occurs and retrieve the stack of errors. 2N/A/* Function codes and their matching strings */ 2N/A/* Error codes and their matching strings */ 2N/A * The library name that our module will be known as. This name 2N/A * may be retrieved via OpenSSLs error APIs. 2N/A * The value of this variable (initialized by a call to 2N/A * ERR_load_SUNW_strings()) is what identifies our errors 2N/A * to OpenSSL as being ours. 2N/A * ---------------------------------------------------------------------------- 2N/A * ---------------------------------------------------------------------------- 2N/A * sunw_PKCS12_parse - Parse a PKCS12 structure and break it into its parts. 2N/A * Parse and decrypt a PKCS#12 structure returning user key, user cert and/or 2N/A * other (CA) certs. Note either ca should be NULL, *ca should be NULL, 2N/A * or it should point to a valid STACK_OF(X509) structure. pkey and cert can 2N/A * be passed uninitialized. 2N/A * p12 - Structure with pkcs12 info to be parsed 2N/A * pass - Pass phrase for the private key (possibly empty) or NULL if 2N/A * matchty - Info about which certs/keys to return if many are in the file. 2N/A * keyid - If private key localkeyids friendlynames are to match a 2N/A * predetermined value, the value to match. This value should 2N/A * be an octet string. 2N/A * keyid_len- Length of the keyid byte string. 2N/A * name_str - If friendlynames are to match a predetermined value, the value 2N/A * to match. This value should be a NULL terminated string. 2N/A * pkey - Points to location pointing to the private key returned. 2N/A * cert - Points to locaiton which points to the client cert returned 2N/A * ca - Points to location that points to a stack of 'certificate 2N/A * Match based on the value of 'matchty' and the contents of 'keyid' 2N/A * and/or 'name_str', as appropriate. Go through the lists of certs and 2N/A * private keys which were taken from the pkcs12 structure, looking for 2N/A * matches of the requested type. This function only searches the lists of 2N/A * matching private keys and client certificates. Kinds of matches allowed, 2N/A * and the order in which they will be checked, are: 2N/A * 1) Find the key and/or cert whose localkeyid attributes matches 2N/A * 2) Find the key and/or cert whose friendlyname attributes matches 2N/A * 3) Return the first matching key/cert pair found. 2N/A * 4) Return the last matching key/cert pair found. 2N/A * 5) Return whatever cert and/or key are available, even unmatching. 2N/A * Append to the CA list, the certs which do not have matching private 2N/A * keys and which were not selected. 2N/A * If none of the bits are set, no client certs or private keys will be 2N/A * returned. CA (aka trust anchor) certs can be. 2N/A * Notes: If #3 is selected, then #4 will never occur. CA certs will be 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - Objects were found and returned. Which objects are indicated by 2N/A * which bits are set (FOUND_PKEY, FOUND_CERT, FOUND_CA_CERTS). 2N/A /* If NULL PKCS12 structure, this is an error */ 2N/A /* Set up arguments.... These will be allocated if needed */ 2N/A * If there is already a ca list, use it. Otherwise, allocate one 2N/A * and free is later if an error occurs or whatever.) 2N/A * If password is zero length or NULL then try verifying both cases 2N/A * to determine which password is correct. The reason for this is that 2N/A * under PKCS#12 password based encryption no password and a zero 2N/A * length password are two different things. If the password has a 2N/A * non-zero length and is not NULL then call PKCS12_verify_mac() with 2N/A * a length of '-1' and let it use strlen() to figure out the length 2N/A * sunw_PEM_contents() parses a PEM file and returns component parts found 2N/A * Parse and decrypt a PEM file, returning any user keys and certs. 2N/A * There are some limits to this function. It will ignore the following: 2N/A * - certificates identified by "TRUSTED CERTIFICATE" 2N/A * - CERTIFICATE REQUEST and NEW CERTIFICATE REQUEST records. 2N/A * - PRIVATE KEY or ENCRYPTED PRIVATE KEY (PKCS 8) 2N/A * fp - File pointer for file containing PEM data. 2N/A * pass - Pass phrase for the private key or NULL if there is none. 2N/A * pkeys - Points to address of a stack of private keys to return. 2N/A * certs - Points to address of a stack of client certs to return. 2N/A * The pointers to stacks should either be NULL or their contents should 2N/A * either be NULL or should point to a valid STACK_OF(X509) structure. 2N/A * If the stacks contain information, corresponding information from the 2N/A * file will be appended to the original contents. 2N/A * Note: Client certs and and their matching private keys will be in any 2N/A * Certs which have no matching private key are assumed to be ca certs. 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - Objects were found and returned. Which objects are indicated by 2N/A * which bits are set (FOUND_PKEY, FOUND_CERT) 2N/A * Allocate the working stacks for private key and for the 2N/A /* Error strings are set within the following. */ 2N/A /* on error, set_results() returns an error on the stack */ 2N/A * sunw_PKCS12_contents() parses a pkcs#12 structure and returns component 2N/A * parts found, without evaluation. 2N/A * Parse and decrypt a PKCS#12 structure returning any user keys and/or 2N/A * various certs. Note these should either be NULL, *whatever should 2N/A * be NULL, or it should point to a valid STACK_OF(X509) structure. 2N/A * p12 - Structure with pkcs12 info to be parsed 2N/A * pass - Pass phrase for the private key and entire pkcs12 wad (possibly 2N/A * empty) or NULL if there is none. 2N/A * pkeys - Points to address of a stack of private keys to return. 2N/A * certs - Points to address of a stack of client certs return. 2N/A * Note: The certs and keys being returned are in random order. 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - Objects were found and returned. Which objects are indicated by 2N/A * which bits are set (FOUND_PKEY or FOUND_CERT) 2N/A * Allocate the working stacks for private key and for the 2N/A * Error already on stack 2N/A /* on error, set_results() returns an error on the stack */ 2N/A * sunw_split_certs() - Given a list of certs and a list of private keys, 2N/A * moves certs which match one of the keys to a different stack. 2N/A * allkeys - Points to a stack of private keys to search. 2N/A * allcerts - Points to a stack of certs to be searched. 2N/A * keycerts - Points to address of a stack of certs with matching private 2N/A * keys. They are moved from 'allcerts'. This may not be NULL 2N/A * when called. If *keycerts is NULL upon entry, a new stack will 2N/A * be allocated. Otherwise, it must be a valid STACK_OF(509). 2N/A * nocerts - Points to address of a stack for keys which have no matching 2N/A * certs. Keys are moved from 'allkeys' here when they have no 2N/A * matching certs. If this is NULL, matchless keys will be 2N/A * Notes: If an error occurs while moving certs, the cert being move may be 2N/A * lost. 'keycerts' may only contain part of the matching certs. The number 2N/A * of certs successfully moved can be found by checking sk_X509_num(keycerts). 2N/A * If there is a key which does not have a matching cert, it is moved to 2N/A * If all certs are removed from 'certs' and/or 'pkeys', it will be the 2N/A * caller's responsibility to free the empty stacks. 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - The number of certs moved from 'cert' to 'pkcerts'. 2N/A * Found a match - keep the key & check out the next 2N/A * No cert matching this key. Move the key if 2N/A * possible or discard it. Don't increment the 2N/A * sunw_PKCS12_create() creates a pkcs#12 structure and given component parts. 2N/A * Given one or more of user private key, user cert and/or other (CA) certs, 2N/A * return an encrypted PKCS12 structure containing them. 2N/A * pass - Pass phrase for the pkcs12 structure and private key (possibly 2N/A * empty) or NULL if there is none. It will be used to encrypt 2N/A * both the private key(s) and as the pass phrase for the whole 2N/A * pkeys - Points to stack of private keys. 2N/A * certs - Points to stack of client (public ke) certs 2N/A * cacerts - Points to stack of 'certificate authority' certs (or trust 2N/A * Note that any of these may be NULL. 2N/A * NULL - An error occurred. 2N/A * != NULL - Address of PKCS12 structure. The user is responsible for 2N/A * freeing the memory when done. 2N/A /* Add user certificate */ 2N/A * Error already on stack 2N/A /* Put all certs in structure */ 2N/A * Error already on stack 2N/A /* Turn certbags into encrypted authsafe */ 2N/A /* Make a shrouded key bag */ 2N/A /* Turn into unencrypted authsafe */ 2N/A * Note that safes is copied by the following. Therefore, it needs 2N/A * to be freed whether or not the following succeeds. 2N/A /* Fallthrough is intentional */ 2N/A * sunw_evp_pkey_free() Given an EVP_PKEY structure, free any attributes 2N/A * that are attached. Then free the EVP_PKEY itself. 2N/A * This is a replacement for EVP_PKEY_free() for the sunw stuff. 2N/A * It should be used in places where EVP_PKEY_free would be used, 2N/A * including calls to sk_EVP_PKEY_pop_free(). 2N/A * pkey - Entry which potentially has attributes to be freed. 2N/A * sunw_set_localkeyid() sets the localkeyid in a cert, a private key or 2N/A * both. Any existing localkeyid will be discarded. 2N/A * keyid_str- A byte string with the localkeyid to set 2N/A * keyid_len- Length of the keyid byte string. 2N/A * pkey - Points to a private key to set the keyidstr in. 2N/A * cert - Points to a cert to set the keyidstr in. 2N/A * Note that setting a keyid into a cert which will not be written out as 2N/A * a PKCS12 cert is pointless since it will be lost. 2N/A * < 0 - An error occurred. It was probably an error in allocating 2N/A * memory. The error will be set in the error stack. Call 2N/A * ERR_get_error() to get specific information. 2N/A * Error already on stack 2N/A * sunw_get_pkey_localkeyid() gets the localkeyid from a private key. It can 2N/A * optionally remove the value found. 2N/A * dowhat - What to do with the attributes (remove them or copy them). 2N/A * pkey - Points to a private key to set the keyidstr in. 2N/A * keyid_str- Points to a location which will receive the pointer to 2N/A * a byte string containing the binary localkeyid. Note that 2N/A * this is a copy, and the caller must free it. 2N/A * keyid_len- Length of keyid_str. 2N/A * >= 0 - The number of characters in the keyid returned. 2N/A * < 0 - An error occurred. It was probably an error in allocating 2N/A * memory. The error will be set in the error stack. Call 2N/A * ERR_get_error() to get specific information. 2N/A * sunw_get_pkey_fname() gets the friendlyName from a private key. It can 2N/A * optionally remove the value found. 2N/A * dowhat - What to do with the attributes (remove them or copy them). 2N/A * pkey - Points to a private key to get the frientlyname from 2N/A * fname - Points to a location which will receive the pointer to a 2N/A * byte string with the ASCII friendlyname 2N/A * >= 0 - The number of characters in the frienlyname returned. 2N/A * < 0 - An error occurred. It was probably an error in allocating 2N/A * memory. The error will be set in the error stack. Call 2N/A * ERR_get_error() to get specific information. 2N/A#
endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */ 2N/A * sunw_find_localkeyid() searches stacks of certs and private keys, 2N/A * Look for a keyid in a stack of certs. if 'certs' is NULL and 'pkeys' is 2N/A * not NULL, search the list of private keys. Move the matching cert to 2N/A * 'matching_cert' and its matching private key to 'matching_pkey'. If no 2N/A * cert or keys match, no match occurred. 2N/A * keyid_str- A byte string with the localkeyid to match 2N/A * keyid_len- Length of the keyid byte string. 2N/A * pkeys - Points to a stack of private keys which match the certs. 2N/A * This may be NULL, in which case no keys are returned. 2N/A * certs - Points to a stack of certs to search. If NULL, search the 2N/A * stack of keys instead. 2N/A * - Pointer to receive address of first matching pkey found. 2N/A * 'matching_pkey' must not be NULL; '*matching_pkey' will be 2N/A * - Pointer to receive address of first matching cert found. 2N/A * 'matching_cert' must not be NULL; '*matching_cert' will be 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - Objects were found and returned. Which objects are indicated by 2N/A * which bits are set (FOUND_PKEY and/or FOUND_CERT). 2N/A /* If NULL arguments, this is an error */ 2N/A * sunw_find_fname() searches stacks of certs and private keys for one with 2N/A * Look for a friendlyname in a stack of certs. if 'certs' is NULL and 'pkeys' 2N/A * is not NULL, search the list of private keys. Move the matching cert to 2N/A * 'matching_cert' and its matching private key to 'matching_pkey'. If no 2N/A * cert or keys match, no match occurred. 2N/A * fname - Friendlyname to find (NULL-terminated ASCII string). 2N/A * pkeys - Points to a stack of private keys which match the certs. 2N/A * This may be NULL, in which case no keys are returned. 2N/A * certs - Points to a stack of certs to search. If NULL, search the 2N/A * stack of keys instead. 2N/A * - Pointer to receive address of first matching pkey found. 2N/A * - Pointer to receive address of first matching cert found. 2N/A * < 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * >= 0 - Objects were found and returned. Which objects are indicated by 2N/A * which bits are set (FOUND_PKEY and/or FOUND_CERT). 2N/A /* If NULL arguments, this is an error */ 2N/A * Error already on stack 2N/A * sunw_get_cert_fname() gets the fiendlyname from a cert. It can 2N/A * optionally remove the value found. 2N/A * dowhat - What to do with the attributes (remove them or copy them). 2N/A * cert - Points to a cert to get the friendlyName from. 2N/A * fname - Points to a location which will receive the pointer to a 2N/A * byte string with the ASCII friendlyname 2N/A * >= 0 - The number of characters in the friendlyname returned. 2N/A * < 0 - An error occurred. It was probably an error in allocating 2N/A * memory. The error will be set in the error stack. Call 2N/A * ERR_get_error() to get specific information. 2N/A /* Delete the entry */ 2N/A * Error already on stack 2N/A * sunw_set_fname() sets the friendlyName in a cert, a private key or 2N/A * both. Any existing friendlyname will be discarded. 2N/A * ascname - An ASCII string with the friendlyName to set 2N/A * pkey - Points to a private key to set the fname in. 2N/A * cert - Points to a cert to set the fname in. 2N/A * Note that setting a friendlyName into a cert which will not be written out 2N/A * as a PKCS12 cert is pointless since it will be lost. 2N/A * <0 - An error occurred. It was probably an error in allocating 2N/A * memory. The error will be set in the error stack. Call 2N/A * ERR_get_error() to get specific information. 2N/A * Error already on stack 2N/A * Error already on stack 2N/A * sunw_check_keys() compares the public key in the certificate and a 2N/A * private key to ensure that they match. 2N/A * cert - Points to a certificate. 2N/A * pkey - Points to a private key. 2N/A * == 0 - These do not match. 2N/A * != 0 - The cert's public key and the private key match. 2N/A * sunw_check_cert_times() compares the time fields in a certificate 2N/A * Compare the 'not before' and the 'not after' times in the cert 2N/A * to the current time. Return the results of the comparison (bad time formats, 2N/A * cert not yet in force, cert expired or in range) 2N/A * dowhat - what field(s) to check. 2N/A * cert - Points to a cert to check 2N/A * Results of the comparison. 2N/A * ---------------------------------------------------------------------------- 2N/A * ---------------------------------------------------------------------------- 2N/A * parse_pkcs12 - Oversee parsing of the pkcs12 structure. Get it 2N/A * parsed. After that either return what's found directly, or 2N/A * do any required matching. 2N/A * p12 - Structure with pkcs12 info to be parsed 2N/A * pass - Pass phrase for the private key (possibly empty) or NULL if 2N/A * matchty - Info about which certs/keys to return if many are in the file. 2N/A * keyid - If private key localkeyids friendlynames are to match a 2N/A * predetermined value, the value to match. This value should 2N/A * be an octet string. 2N/A * keyid_len- Length of the keyid byte string. 2N/A * name_str - If friendlynames are to match a predetermined value, the value 2N/A * to match. This value should be a NULL terminated string. 2N/A * pkey - Points to location pointing to the private key returned. 2N/A * cert - Points to locaiton which points to the client cert returned 2N/A * ca - Points to location that points to a stack of 'certificate 2N/A * Note about error codes: This function is an internal function, and the 2N/A * place where it is called sets error codes. Therefore only set an error 2N/A * code if it is something that is unique or if the function which detected 2N/A * the error doesn't set one. 2N/A * == -1 - An error occurred. Call ERR_get_error() to get error information. 2N/A * Where possible, memory has been freed. 2N/A * == 0 - No matching returns were found. 2N/A * > 0 - This is the aithmetic 'or' of the FOUND_* bits that indicate which 2N/A * of the requested entries were found. 2N/A * Not really an error here - its just that nothing was found. 2N/A * Go through the lists of certs and private keys which were 2N/A * returned, looking for matches of the appropriate type. Do these 2N/A * in the order described above. 2N/A /* See if string matches localkeyid's */ 2N/A /* See if string matches friendly names */ 2N/A /* Find the first cert and private key and return them */ 2N/A * Find the last matching cert and private key and return 2N/A * them. Since keys which don't have matching client certs 2N/A * are at the end of the list of keys, use the number of 2N/A * client certs to compute the position of the last private 2N/A * key which matches a client cert. 2N/A /* Find the first cert and private key and return them */ 2N/A /* If no errors, terminate normally */ 2N/A /* Fallthrough is intentional in error cases. */ 2N/A * parse_outer - Unpack the outer PKCS#12 structure and go through the 2N/A * individual bags. Return stacks of certs, private keys found and 2N/A * Note about error codes: This function is an internal function, and the 2N/A * place where it is called sets error codes. 2N/A * 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * 1 - PKCS12 data object was parsed and lists of certs and private keys 2N/A * A length of '-1' means strlen() can be used 2N/A * to determine the password length. 2N/A * parse_all_bags - go through the stack of bags, parsing each. 2N/A * Note about error codes: This function is an internal function, and the 2N/A * place where it is called sets error codes. 2N/A * 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * 1 - Stack of safebags was parsed and lists of certs and private keys 2N/A * parse_one_bag - Parse an individual bag 2N/A * i = parse_one_bag(bag, pass, kl, cl); 2N/A * bag - pkcs12 safebag to parse. 2N/A * pass - password for use in decryption of shrouded keybag 2N/A * kl - Stack of private keys found so far. New private keys will 2N/A * be added here if found. 2N/A * cl - Stack of certs found so far. New certificates will be 2N/A * added here if found. 2N/A * 0 - An error returned. Call ERR_get_error() to get errors information. 2N/A * Where possible, memory has been freed. 2N/A * 1 - one safebag was parsed. If it contained a cert or private key, it 2N/A * was added to the stack of certs or private keys found, respectively. 2N/A * localKeyId or friendlyName attributes are returned with the 2N/A * private key or certificate. 2N/A * A length of '-1' means strlen() can be used 2N/A * to determine the password length. 2N/A * Error already on stack 2N/A * Error already on stack 2N/A * Error already on stack 2N/A /* Save the private key */ 2N/A * This function uses the only function that reads PEM files, regardless of 2N/A * the kinds of information included (private keys, public keys, cert requests, 2N/A * certs). Other interfaces that read files require that the application 2N/A * specifically know what kinds of things to read next, and call different 2N/A * interfaces for the different kinds of entities. 2N/A * There is only one aspect of this function that's a bit problematic. 2N/A * If it finds an encrypted private key, it does not decrypt it. It returns 2N/A * the encrypted data and other information needed to decrypt it. The caller 2N/A * must do the decryption. This function does the decoding. 2N/A * Allocate the working stacks for private key(s) and for the cert(s). 2N/A * Go through the entries in the info structure. 2N/A * If the key was encrypted, PEM_X509_INFO_read does 2N/A * not decrypt it. If that is the case, the 'enc_pkey' 2N/A * field is set to point to the unencrypted key data. 2N/A * Go through the additional steps to decode it before 2N/A /* If error occurs, then error already on stack */ 2N/A * sunw_append_keys - Given two stacks of private keys, remove the keys from 2N/A * the second stack and append them to the first. Both stacks must exist 2N/A * dst - the stack to receive the keys from 'src' 2N/A * src - the stack whose keys are to be moved. 2N/A * -1 - An error occurred. The error status is set. 2N/A * >= 0 - The number of keys that were copied. 2N/A * move_certs - Given two stacks of certs, remove the certs from 2N/A * the second stack and append them to the first. 2N/A * dst - the stack to receive the certs from 'src' 2N/A * src - the stack whose certs are to be moved. 2N/A * -1 - An error occurred. The error status is set. 2N/A * >= 0 - The number of certs that were copied. 2N/A * get_key_cert - Get a cert and its matching key from the stacks of certs 2N/A * and keys. They are removed from the stacks. 2N/A * n - Offset of the entries to return. 2N/A * kl - Points to a stack of private keys that matches the list of 2N/A * pkey - Points at location where the address of the matching private 2N/A * key will be stored. 2N/A * cl - Points to a stack of client certs with matching private keys. 2N/A * cert - Points to locaiton where the address of the matching client cert 2N/A * The assumption is that the stacks of keys and certs contain key/cert pairs, 2N/A * with entries in the same order and hence at the same offset. Provided 2N/A * the key and cert selected match, each will be removed from its stack and 2N/A * A stack of certs can be passed in without a stack of private keys, and vise 2N/A * versa. In that case, the indicated key/cert will be returned. 2N/A * 0 - No matches were found. 2N/A * > 0 - Bits set based on FOUND_* definitions, indicating what is returned. 2N/A * This can be FOUND_PKEY, FOUND_CERT or (FOUND_PKEY | FOUND_CERT). 2N/A * asc2bmpstring - Convert a regular C ASCII string to an ASn1_STRING in 2N/A * ASN1_BMPSTRING format. 2N/A * str - String to be convered. 2N/A * len - Length of the string. 2N/A * == NULL - An error occurred. Error information (accessible by 2N/A * ERR_get_error()) is set. 2N/A * != NULL - Points to an ASN1_BMPSTRING structure with the converted 2N/A * string as a value. 2N/A /* Convert the character to the bmp format. */ 2N/A#
endif /* OPENSSL_VERSION_NUMBER < 0x10000000L */ 2N/A * Adjust for possible pair of NULL bytes at the end because 2N/A * asc2uni() returns a doubly null terminated string. 2N/A /* Construct comparison string with correct format */ 2N/A * utf82ascstr - Convert a UTF8STRING string to a regular C ASCII string. 2N/A * This goes through an intermediate step with a ASN1_STRING type of 2N/A * IA5STRING (International Alphabet 5, which is the same as ASCII). 2N/A * str - UTF8STRING to be converted. 2N/A * == NULL - An error occurred. Error information (accessible by 2N/A * ERR_get_error()) is set. 2N/A * != NULL - Points to a NULL-termianted ASCII string. The caller must 2N/A * type2attrib - Given a ASN1_TYPE, return a X509_ATTRIBUTE of the type 2N/A * specified by the given NID. 2N/A * ty - Type structure to be made into an attribute 2N/A * nid - NID of the attribute 2N/A * NULL An error occurred. 2N/A * != NULL An X509_ATTRIBUTE structure. 2N/A * attrib2type - Given a X509_ATTRIBUTE, return pointer to the ASN1_TYPE 2N/A * attr - Attribute structure containing a type. 2N/A * NULL An error occurred. 2N/A * != NULL An ASN1_TYPE structure. 2N/A * find_attr_by_nid - Given a ASN1_TYPE, return the offset of a X509_ATTRIBUTE 2N/A * of the type specified by the given NID. 2N/A * attrs - Stack of attributes to search 2N/A * nid - NID of the attribute being searched for 2N/A * != -1 Offset of the matching attribute. 2N/A * Called by our PKCS12 code to read our function and error codes 2N/A * into memory so that the OpenSSL framework can retrieve them. 2N/A * Have OpenSSL provide us with a unique ID. 2N/A * The SUNWerr macro resolves to this routine. So when we need 2N/A * to push an error, this routine does it for us. Notice that 2N/A * the SUNWerr macro provides a filename and line #. 2N/A * check_time - Given an indication of the which time(s) to check, check 2N/A * that time or those times against the current time and return the 2N/A * chkwhat - What kind of check to do. 2N/A * cert - The cert to check. 2N/A /* The current time is after the 'not before' time */ 2N/A * find_attr - Look for a given attribute of the type associated with the NID. 2N/A * nid - NID for the attribute to be found (either NID_friendlyName or 2N/A * str - ASN1_STRING-type structure containing the value to be found, 2N/A * FriendlyName expects a ASN1_BMPSTRING and localKeyID uses a 2N/A * kl - Points to a stack of private keys. 2N/A * pkey - Points at a location where the address of the matching private 2N/A * key will be stored. 2N/A * cl - Points to a stack of client certs with matching private keys. 2N/A * cert - Points to locaiton where the address of the matching client cert 2N/A * This function is designed to process lists of certs and private keys. 2N/A * This is made complex because these the attributes are stored differently 2N/A * for certs and for keys. For certs, only a few attributes are retained. 2N/A * FriendlyName is stored in the aux structure, under the name 'alias'. 2N/A * LocalKeyId is also stored in the aux structure, under the name 'keyid'. 2N/A * A pkey structure has a stack of attributes. 2N/A * The basic approach is: 2N/A * - If there there is no stack of certs but a stack of private keys exists, 2N/A * search the stack of keys for a match. Alternately, if there is a stack 2N/A * of certs and no private keys, search the certs. 2N/A * - If there are both certs and keys, assume that the matching certs and 2N/A * keys are in their respective stacks, with matching entries in the same 2N/A * order. Search for the name or keyid in the stack of certs. If it is 2N/A * not found, then this function returns 0 (nothing found). 2N/A * - Once a cert is found, verify that the key actually matches by 2N/A * comparing the private key with the public key (in the cert). 2N/A * If they don't match, return an error. 2N/A * A pointer to cert and/or pkey which matches the name or keyid is stored 2N/A * in the return arguments. 2N/A * 0 - No matches were found. 2N/A * > 0 - Bits set based on FOUND_* definitions, indicating what was found. 2N/A * This can be FOUND_PKEY, FOUND_CERT or (FOUND_PKEY | FOUND_CERT). 2N/A * Looking for pkey to match a cert? If so, assume that 2N/A * lists of certs and their matching pkeys are in the same 2N/A * order. Call X509_check_private_key() to verify this 2N/A * set_results - Given two pointers to stacks of private keys, certs or CA 2N/A * CA certs, either copy the second stack to the first, or append the 2N/A * contents of the second to the first. 2N/A * pkeys - Points to stack of pkeys 2N/A * work_kl - Points to working stack of pkeys 2N/A * certs - Points to stack of certs 2N/A * work_cl - Points to working stack of certs 2N/A * cacerts - Points to stack of CA certs 2N/A * work_ca - Points to working stack of CA certs 2N/A * xtrakeys - Points to stack of unmatcned pkeys 2N/A * work_xl - Points to working stack of unmatcned pkeys 2N/A * The arguments are in pairs. The first of each pair points to a stack 2N/A * of keys or certs. The second of the pair points at a 'working stack' 2N/A * of the same type of entities. Actions taken are as follows: 2N/A * - If either the first or second argument is NULL, or if there are no 2N/A * members in the second stack, there is nothing to do. 2N/A * - If the first argument points to a pointer which is NULL, then there 2N/A * is no existing stack for the first argument. Copy the stack pointer 2N/A * from the second argument to the first argument and NULL out the stack 2N/A * pointer for the second. 2N/A * - Otherwise, go through the elements of the second stack, removing each 2N/A * and adding it to the first stack. 2N/A * == -1 - An error occurred. Call ERR_get_error() to get error information. 2N/A * == 0 - No matching returns were found. 2N/A * > 0 - This is the arithmetic 'or' of the FOUND_* bits that indicate which 2N/A * of the requested entries were manipulated.