Print this page
8982 Support building with OpenSSL 1.1
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
+++ new/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
1 1 /*
2 2 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
3 3 *
4 4 * Use is subject to license terms.
5 5 */
6 6 /*
7 7 * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
8 + * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
8 9 */
9 10 /*
10 11 * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
11 12 * project 2000.
12 13 */
13 14 /*
14 15 * ====================================================================
15 16 * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
16 17 *
17 18 * Redistribution and use in source and binary forms, with or without
18 19 * modification, are permitted provided that the following conditions
19 20 * are met:
20 21 *
21 22 * 1. Redistributions of source code must retain the above copyright
22 23 * notice, this list of conditions and the following disclaimer.
23 24 *
24 25 * 2. Redistributions in binary form must reproduce the above copyright
25 26 * notice, this list of conditions and the following disclaimer in
26 27 * the documentation and/or other materials provided with the
27 28 * distribution.
28 29 *
29 30 * 3. All advertising materials mentioning features or use of this
30 31 * software must display the following acknowledgment:
31 32 * "This product includes software developed by the OpenSSL Project
32 33 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
33 34 *
34 35 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
35 36 * endorse or promote products derived from this software without
36 37 * prior written permission. For written permission, please contact
37 38 * licensing@OpenSSL.org.
38 39 *
39 40 * 5. Products derived from this software may not be called "OpenSSL"
40 41 * nor may "OpenSSL" appear in their names without prior written
41 42 * permission of the OpenSSL Project.
42 43 *
43 44 * 6. Redistributions of any form whatsoever must retain the following
44 45 * acknowledgment:
45 46 * "This product includes software developed by the OpenSSL Project
46 47 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
47 48 *
48 49 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
49 50 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50 51 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
51 52 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
52 53 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
53 54 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
54 55 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
55 56 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
56 57 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
57 58 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
58 59 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
59 60 * OF THE POSSIBILITY OF SUCH DAMAGE.
60 61 * ====================================================================
61 62 *
62 63 * This product includes cryptographic software written by Eric Young
63 64 * (eay@cryptsoft.com). This product includes software written by Tim
64 65 * Hudson (tjh@cryptsoft.com).
65 66 *
66 67 */
67 68
68 69 #include <stdlib.h>
69 70 #include <kmfapiP.h>
70 71 #include <ber_der.h>
71 72 #include <fcntl.h>
72 73 #include <sys/stat.h>
|
↓ open down ↓ |
55 lines elided |
↑ open up ↑ |
73 74 #include <dirent.h>
74 75 #include <cryptoutil.h>
75 76 #include <synch.h>
76 77 #include <thread.h>
77 78
78 79 /* OPENSSL related headers */
79 80 #include <openssl/bio.h>
80 81 #include <openssl/bn.h>
81 82 #include <openssl/asn1.h>
82 83 #include <openssl/err.h>
83 -#include <openssl/bn.h>
84 84 #include <openssl/x509.h>
85 85 #include <openssl/rsa.h>
86 86 #include <openssl/dsa.h>
87 87 #include <openssl/x509v3.h>
88 88 #include <openssl/objects.h>
89 89 #include <openssl/pem.h>
90 90 #include <openssl/pkcs12.h>
91 91 #include <openssl/ocsp.h>
92 92 #include <openssl/des.h>
93 93 #include <openssl/rand.h>
94 +#include "compat.h"
94 95
95 96 #define PRINT_ANY_EXTENSION (\
96 97 KMF_X509_EXT_KEY_USAGE |\
97 98 KMF_X509_EXT_CERT_POLICIES |\
98 99 KMF_X509_EXT_SUBJALTNAME |\
99 100 KMF_X509_EXT_BASIC_CONSTRAINTS |\
100 101 KMF_X509_EXT_NAME_CONSTRAINTS |\
101 102 KMF_X509_EXT_POLICY_CONSTRAINTS |\
102 103 KMF_X509_EXT_EXT_KEY_USAGE |\
103 104 KMF_X509_EXT_INHIBIT_ANY_POLICY |\
104 105 KMF_X509_EXT_AUTH_KEY_ID |\
105 106 KMF_X509_EXT_SUBJ_KEY_ID |\
106 107 KMF_X509_EXT_POLICY_MAPPING)
107 108
108 109 static uchar_t P[] = { 0x00, 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76,
109 110 0xaa, 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69,
110 111 0xcb, 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c,
111 112 0xf7, 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82,
112 113 0xe5, 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e,
113 114 0xaf, 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a,
114 115 0xac, 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24,
115 116 0xc2, 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02,
116 117 0x91 };
117 118
118 119 static uchar_t Q[] = { 0x00, 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8,
119 120 0xee, 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4,
120 121 0x8e, 0xda, 0xce, 0x91, 0x5f };
121 122
122 123 static uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
123 124 0x13, 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5,
124 125 0x00, 0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef,
125 126 0xcb, 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c,
126 127 0x2e, 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba,
127 128 0xbf, 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c,
128 129 0x9c, 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08,
129 130 0x8c, 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88,
|
↓ open down ↓ |
26 lines elided |
↑ open up ↑ |
130 131 0x02 };
131 132
132 133 #define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_OPENSSL; \
133 134 h->lasterr.errcode = c;
134 135
135 136 #define SET_SYS_ERROR(h, c) h->lasterr.kstype = -1; h->lasterr.errcode = c;
136 137
137 138 /*
138 139 * Declare some new macros for managing stacks of EVP_PKEYS.
139 140 */
141 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
140 142 DECLARE_STACK_OF(EVP_PKEY)
141 143
142 144 #define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
143 145 #define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st))
144 146 #define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st))
145 147 #define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i))
146 148 #define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val))
147 149 #define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \
148 150 (free_func))
149 151
152 +#else
153 +/* LINTED E_STATIC_UNUSED */
154 +DEFINE_STACK_OF(EVP_PKEY)
155 +#endif
156 +
150 157 mutex_t init_lock = DEFAULTMUTEX;
151 158 static int ssl_initialized = 0;
152 159 static BIO *bio_err = NULL;
153 160
154 161 static int
155 162 test_for_file(char *, mode_t);
156 163 static KMF_RETURN
157 164 openssl_parse_bag(PKCS12_SAFEBAG *, char *, int,
158 165 STACK_OF(EVP_PKEY) *, STACK_OF(X509) *);
159 166
160 167 static KMF_RETURN
161 168 local_export_pk12(KMF_HANDLE_T, KMF_CREDENTIAL *, int, KMF_X509_DER_CERT *,
162 169 int, KMF_KEY_HANDLE *, char *);
163 170
164 171 static KMF_RETURN set_pkey_attrib(EVP_PKEY *, ASN1_TYPE *, int);
165 172
166 173 static KMF_RETURN
167 174 extract_pem(KMF_HANDLE *, char *, char *, KMF_BIGINT *, char *,
168 175 CK_UTF8CHAR *, CK_ULONG, EVP_PKEY **, KMF_DATA **, int *);
169 176
170 177 static KMF_RETURN
171 178 kmf_load_cert(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
172 179 char *, KMF_DATA *);
173 180
174 181 static KMF_RETURN
175 182 load_certs(KMF_HANDLE *, char *, char *, KMF_BIGINT *, KMF_CERT_VALIDITY,
176 183 char *, KMF_DATA **, uint32_t *);
177 184
178 185 static KMF_RETURN
179 186 sslBN2KMFBN(BIGNUM *, KMF_BIGINT *);
180 187
181 188 static EVP_PKEY *
182 189 ImportRawRSAKey(KMF_RAW_RSA_KEY *);
183 190
184 191 static KMF_RETURN
185 192 convertToRawKey(EVP_PKEY *, KMF_RAW_KEY_DATA *);
186 193
187 194 KMF_RETURN
188 195 OpenSSL_FindCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
189 196
190 197 void
191 198 OpenSSL_FreeKMFCert(KMF_HANDLE_T, KMF_X509_DER_CERT *);
192 199
193 200 KMF_RETURN
194 201 OpenSSL_StoreCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
195 202
196 203 KMF_RETURN
197 204 OpenSSL_DeleteCert(KMF_HANDLE_T handle, int, KMF_ATTRIBUTE *);
198 205
199 206 KMF_RETURN
200 207 OpenSSL_CreateKeypair(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
201 208
202 209 KMF_RETURN
203 210 OpenSSL_StoreKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
204 211
205 212 KMF_RETURN
206 213 OpenSSL_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
207 214
208 215 KMF_RETURN
209 216 OpenSSL_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
210 217 KMF_DATA *, KMF_DATA *);
211 218
212 219 KMF_RETURN
213 220 OpenSSL_DeleteKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
214 221
215 222 KMF_RETURN
216 223 OpenSSL_ImportCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
217 224
218 225 KMF_RETURN
219 226 OpenSSL_DeleteCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
220 227
221 228 KMF_RETURN
222 229 OpenSSL_ListCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
223 230
224 231 KMF_RETURN
225 232 OpenSSL_FindCertInCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
226 233
227 234 KMF_RETURN
228 235 OpenSSL_CertGetPrintable(KMF_HANDLE_T, const KMF_DATA *,
229 236 KMF_PRINTABLE_ITEM, char *);
230 237
231 238 KMF_RETURN
232 239 OpenSSL_GetErrorString(KMF_HANDLE_T, char **);
233 240
234 241 KMF_RETURN
235 242 OpenSSL_FindPrikeyByCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
236 243
237 244 KMF_RETURN
238 245 OpenSSL_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
239 246 KMF_DATA *, KMF_DATA *);
240 247
241 248 KMF_RETURN
242 249 OpenSSL_CreateOCSPRequest(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
243 250
244 251 KMF_RETURN
245 252 OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
246 253
247 254 KMF_RETURN
248 255 OpenSSL_FindKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
249 256
250 257 KMF_RETURN
251 258 OpenSSL_ExportPK12(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
252 259
253 260 KMF_RETURN
254 261 OpenSSL_CreateSymKey(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
255 262
256 263 KMF_RETURN
257 264 OpenSSL_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
258 265
259 266 KMF_RETURN
260 267 OpenSSL_VerifyCRLFile(KMF_HANDLE_T, char *, KMF_DATA *);
261 268
262 269 KMF_RETURN
263 270 OpenSSL_CheckCRLDate(KMF_HANDLE_T, char *);
264 271
265 272 static
266 273 KMF_PLUGIN_FUNCLIST openssl_plugin_table =
267 274 {
268 275 1, /* Version */
269 276 NULL, /* ConfigureKeystore */
270 277 OpenSSL_FindCert,
271 278 OpenSSL_FreeKMFCert,
272 279 OpenSSL_StoreCert,
273 280 NULL, /* ImportCert */
274 281 OpenSSL_ImportCRL,
275 282 OpenSSL_DeleteCert,
276 283 OpenSSL_DeleteCRL,
277 284 OpenSSL_CreateKeypair,
278 285 OpenSSL_FindKey,
279 286 OpenSSL_EncodePubKeyData,
280 287 OpenSSL_SignData,
281 288 OpenSSL_DeleteKey,
282 289 OpenSSL_ListCRL,
283 290 NULL, /* FindCRL */
284 291 OpenSSL_FindCertInCRL,
285 292 OpenSSL_GetErrorString,
|
↓ open down ↓ |
126 lines elided |
↑ open up ↑ |
286 293 OpenSSL_FindPrikeyByCert,
287 294 OpenSSL_DecryptData,
288 295 OpenSSL_ExportPK12,
289 296 OpenSSL_CreateSymKey,
290 297 OpenSSL_GetSymKeyValue,
291 298 NULL, /* SetTokenPin */
292 299 OpenSSL_StoreKey,
293 300 NULL /* Finalize */
294 301 };
295 302
303 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
296 304 static mutex_t *lock_cs;
297 305 static long *lock_count;
298 306
299 307 static void
300 308 /* ARGSUSED1 */
301 309 locking_cb(int mode, int type, char *file, int line)
302 310 {
303 311 if (mode & CRYPTO_LOCK) {
304 312 (void) mutex_lock(&(lock_cs[type]));
305 313 lock_count[type]++;
306 314 } else {
307 315 (void) mutex_unlock(&(lock_cs[type]));
308 316 }
309 317 }
310 318
311 319 static unsigned long
312 320 thread_id()
313 321 {
314 322 return ((unsigned long)thr_self());
315 323 }
324 +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
316 325
317 326 KMF_PLUGIN_FUNCLIST *
318 327 KMF_Plugin_Initialize()
319 328 {
329 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
320 330 int i;
331 +#endif
321 332
322 333 (void) mutex_lock(&init_lock);
323 334 if (!ssl_initialized) {
324 335 /*
325 336 * Add support for extension OIDs that are not yet in the
326 337 * openssl default set.
327 338 */
328 339 (void) OBJ_create("2.5.29.30", "nameConstraints",
329 340 "X509v3 Name Constraints");
330 341 (void) OBJ_create("2.5.29.33", "policyMappings",
331 342 "X509v3 Policy Mappings");
332 343 (void) OBJ_create("2.5.29.36", "policyConstraints",
333 344 "X509v3 Policy Constraints");
334 345 (void) OBJ_create("2.5.29.46", "freshestCRL",
335 346 "X509v3 Freshest CRL");
336 347 (void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
337 348 "X509v3 Inhibit Any-Policy");
349 +
350 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
338 351 /*
339 352 * Set up for thread-safe operation.
353 + * This is not required for OpenSSL 1.1
340 354 */
341 355 lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t));
342 356 if (lock_cs == NULL) {
343 357 (void) mutex_unlock(&init_lock);
344 358 return (NULL);
345 359 }
346 360
347 361 lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (long));
348 362 if (lock_count == NULL) {
349 363 OPENSSL_free(lock_cs);
350 364 (void) mutex_unlock(&init_lock);
351 365 return (NULL);
352 366 }
|
↓ open down ↓ |
3 lines elided |
↑ open up ↑ |
353 367
354 368 for (i = 0; i < CRYPTO_num_locks(); i++) {
355 369 lock_count[i] = 0;
356 370 (void) mutex_init(&lock_cs[i], USYNC_THREAD, NULL);
357 371 }
358 372
359 373 CRYPTO_set_id_callback((unsigned long (*)())thread_id);
360 374 if (CRYPTO_get_locking_callback() == NULL)
361 375 CRYPTO_set_locking_callback((void (*)())locking_cb);
362 376
363 - OpenSSL_add_all_algorithms();
377 + (void) OpenSSL_add_all_algorithms();
364 378
365 379 /* Enable error strings for reporting */
366 - ERR_load_crypto_strings();
380 + (void) ERR_load_crypto_strings();
381 +#endif
367 382
368 383 ssl_initialized = 1;
369 384 }
370 385 (void) mutex_unlock(&init_lock);
371 386
372 387 return (&openssl_plugin_table);
373 388 }
389 +
374 390 /*
375 391 * Convert an SSL DN to a KMF DN.
376 392 */
377 393 static KMF_RETURN
378 394 get_x509_dn(X509_NAME *sslDN, KMF_X509_NAME *kmfDN)
379 395 {
380 396 KMF_DATA derdata;
381 397 KMF_RETURN rv = KMF_OK;
382 398 uchar_t *tmp;
383 399
384 400 /* Convert to raw DER format */
385 401 derdata.Length = i2d_X509_NAME(sslDN, NULL);
386 402 if ((tmp = derdata.Data = (uchar_t *)OPENSSL_malloc(derdata.Length))
387 403 == NULL) {
388 404 return (KMF_ERR_MEMORY);
389 405 }
390 406 (void) i2d_X509_NAME(sslDN, &tmp);
391 407
392 408 /* Decode to KMF format */
393 409 rv = DerDecodeName(&derdata, kmfDN);
394 410 if (rv != KMF_OK) {
395 411 rv = KMF_ERR_BAD_CERT_FORMAT;
396 412 }
397 413 OPENSSL_free(derdata.Data);
398 414
399 415 return (rv);
400 416 }
401 417
402 418 int
403 419 isdir(char *path)
404 420 {
405 421 struct stat s;
406 422
407 423 if (stat(path, &s) == -1)
408 424 return (0);
409 425
410 426 return ((s.st_mode & S_IFMT) == S_IFDIR);
411 427 }
412 428
413 429 static KMF_RETURN
414 430 ssl_cert2KMFDATA(KMF_HANDLE *kmfh, X509 *x509cert, KMF_DATA *cert)
415 431 {
416 432 KMF_RETURN rv = KMF_OK;
417 433 unsigned char *buf = NULL, *p;
418 434 int len;
419 435
420 436 /*
421 437 * Convert the X509 internal struct to DER encoded data
422 438 */
423 439 if ((len = i2d_X509(x509cert, NULL)) < 0) {
424 440 SET_ERROR(kmfh, ERR_get_error());
425 441 rv = KMF_ERR_BAD_CERT_FORMAT;
426 442 goto cleanup;
427 443 }
428 444 if ((buf = malloc(len)) == NULL) {
429 445 SET_SYS_ERROR(kmfh, errno);
430 446 rv = KMF_ERR_MEMORY;
431 447 goto cleanup;
432 448 }
433 449
434 450 /*
435 451 * i2d_X509 will increment the buf pointer so that we need to
436 452 * save it.
437 453 */
438 454 p = buf;
439 455 if ((len = i2d_X509(x509cert, &p)) < 0) {
440 456 SET_ERROR(kmfh, ERR_get_error());
441 457 free(buf);
442 458 rv = KMF_ERR_BAD_CERT_FORMAT;
443 459 goto cleanup;
444 460 }
445 461
446 462 /* caller's responsibility to free it */
447 463 cert->Data = buf;
448 464 cert->Length = len;
449 465
450 466 cleanup:
451 467 if (rv != KMF_OK) {
452 468 if (buf)
453 469 free(buf);
454 470 cert->Data = NULL;
455 471 cert->Length = 0;
456 472 }
457 473
458 474 return (rv);
459 475 }
460 476
461 477
462 478 static KMF_RETURN
463 479 check_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial,
464 480 boolean_t *match)
465 481 {
466 482 KMF_RETURN rv = KMF_OK;
467 483 boolean_t findIssuer = FALSE;
468 484 boolean_t findSubject = FALSE;
469 485 boolean_t findSerial = FALSE;
470 486 KMF_X509_NAME issuerDN, subjectDN;
471 487 KMF_X509_NAME certIssuerDN, certSubjectDN;
472 488
473 489 *match = FALSE;
474 490 if (xcert == NULL) {
475 491 return (KMF_ERR_BAD_PARAMETER);
476 492 }
477 493
|
↓ open down ↓ |
94 lines elided |
↑ open up ↑ |
478 494 (void) memset(&issuerDN, 0, sizeof (KMF_X509_NAME));
479 495 (void) memset(&subjectDN, 0, sizeof (KMF_X509_NAME));
480 496 (void) memset(&certIssuerDN, 0, sizeof (KMF_X509_NAME));
481 497 (void) memset(&certSubjectDN, 0, sizeof (KMF_X509_NAME));
482 498
483 499 if (issuer != NULL && strlen(issuer)) {
484 500 rv = kmf_dn_parser(issuer, &issuerDN);
485 501 if (rv != KMF_OK)
486 502 return (KMF_ERR_BAD_PARAMETER);
487 503
488 - rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN);
504 + rv = get_x509_dn(X509_get_issuer_name(xcert), &certIssuerDN);
489 505 if (rv != KMF_OK) {
490 506 kmf_free_dn(&issuerDN);
491 507 return (KMF_ERR_BAD_PARAMETER);
492 508 }
493 509
494 510 findIssuer = TRUE;
495 511 }
496 512 if (subject != NULL && strlen(subject)) {
497 513 rv = kmf_dn_parser(subject, &subjectDN);
498 514 if (rv != KMF_OK) {
499 515 rv = KMF_ERR_BAD_PARAMETER;
500 516 goto cleanup;
501 517 }
502 518
503 - rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN);
519 + rv = get_x509_dn(X509_get_subject_name(xcert), &certSubjectDN);
504 520 if (rv != KMF_OK) {
505 521 rv = KMF_ERR_BAD_PARAMETER;
506 522 goto cleanup;
507 523 }
508 524 findSubject = TRUE;
509 525 }
510 526 if (serial != NULL && serial->val != NULL)
511 527 findSerial = TRUE;
512 528
513 529 if (findSerial) {
514 530 BIGNUM *bn;
515 531
516 532 /* Comparing BIGNUMs is a pain! */
517 - bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL);
533 + bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(xcert), NULL);
518 534 if (bn != NULL) {
519 535 int bnlen = BN_num_bytes(bn);
520 536
521 537 if (bnlen == serial->len) {
522 538 uchar_t *a = malloc(bnlen);
523 539 if (a == NULL) {
524 540 rv = KMF_ERR_MEMORY;
525 541 BN_free(bn);
526 542 goto cleanup;
527 543 }
528 544 bnlen = BN_bn2bin(bn, a);
529 545 *match = (memcmp(a, serial->val, serial->len) ==
530 546 0);
531 547 rv = KMF_OK;
532 548 free(a);
533 549 }
534 550 BN_free(bn);
535 551 if (!(*match))
536 552 goto cleanup;
537 553 } else {
538 554 rv = KMF_OK;
539 555 goto cleanup;
540 556 }
541 557 }
542 558 if (findIssuer) {
543 559 *match = (kmf_compare_rdns(&issuerDN, &certIssuerDN) == 0);
544 560 if ((*match) == B_FALSE) {
545 561 /* stop checking and bail */
546 562 rv = KMF_OK;
547 563 goto cleanup;
548 564 }
549 565 }
550 566 if (findSubject) {
551 567 *match = (kmf_compare_rdns(&subjectDN, &certSubjectDN) == 0);
552 568 if ((*match) == B_FALSE) {
553 569 /* stop checking and bail */
554 570 rv = KMF_OK;
555 571 goto cleanup;
556 572 }
557 573 }
558 574
559 575 *match = TRUE;
560 576 cleanup:
561 577 if (findIssuer) {
562 578 kmf_free_dn(&issuerDN);
563 579 kmf_free_dn(&certIssuerDN);
564 580 }
565 581 if (findSubject) {
566 582 kmf_free_dn(&subjectDN);
567 583 kmf_free_dn(&certSubjectDN);
568 584 }
569 585
570 586 return (rv);
571 587 }
572 588
573 589
574 590 /*
575 591 * This function loads a certificate file into an X509 data structure, and
576 592 * checks if its issuer, subject or the serial number matches with those
577 593 * values. If it matches, then return the X509 data structure.
578 594 */
579 595 static KMF_RETURN
580 596 load_X509cert(KMF_HANDLE *kmfh,
581 597 char *issuer, char *subject, KMF_BIGINT *serial,
582 598 char *pathname, X509 **outcert)
583 599 {
584 600 KMF_RETURN rv = KMF_OK;
585 601 X509 *xcert = NULL;
586 602 BIO *bcert = NULL;
587 603 boolean_t match = FALSE;
588 604 KMF_ENCODE_FORMAT format;
589 605
590 606 /*
591 607 * auto-detect the file format, regardless of what
592 608 * the 'format' parameters in the params say.
593 609 */
594 610 rv = kmf_get_file_format(pathname, &format);
595 611 if (rv != KMF_OK) {
596 612 if (rv == KMF_ERR_OPEN_FILE)
597 613 rv = KMF_ERR_CERT_NOT_FOUND;
598 614 return (rv);
599 615 }
600 616
601 617 /* Not ASN1(DER) format */
602 618 if ((bcert = BIO_new_file(pathname, "rb")) == NULL) {
603 619 SET_ERROR(kmfh, ERR_get_error());
604 620 rv = KMF_ERR_OPEN_FILE;
605 621 goto cleanup;
606 622 }
607 623
608 624 if (format == KMF_FORMAT_PEM)
609 625 xcert = PEM_read_bio_X509_AUX(bcert, NULL, NULL, NULL);
610 626 else if (format == KMF_FORMAT_ASN1)
611 627 xcert = d2i_X509_bio(bcert, NULL);
612 628 else if (format == KMF_FORMAT_PKCS12) {
613 629 PKCS12 *p12 = d2i_PKCS12_bio(bcert, NULL);
614 630 if (p12 != NULL) {
615 631 (void) PKCS12_parse(p12, NULL, NULL, &xcert, NULL);
616 632 PKCS12_free(p12);
617 633 p12 = NULL;
618 634 } else {
619 635 SET_ERROR(kmfh, ERR_get_error());
620 636 rv = KMF_ERR_BAD_CERT_FORMAT;
621 637 }
622 638 } else {
623 639 rv = KMF_ERR_BAD_PARAMETER;
624 640 goto cleanup;
625 641 }
626 642
627 643 if (xcert == NULL) {
628 644 SET_ERROR(kmfh, ERR_get_error());
629 645 rv = KMF_ERR_BAD_CERT_FORMAT;
630 646 goto cleanup;
631 647 }
632 648
633 649 if (check_cert(xcert, issuer, subject, serial, &match) != KMF_OK ||
634 650 match == FALSE) {
635 651 rv = KMF_ERR_CERT_NOT_FOUND;
636 652 goto cleanup;
637 653 }
638 654
639 655 if (outcert != NULL) {
640 656 *outcert = xcert;
641 657 }
642 658
643 659 cleanup:
644 660 if (bcert != NULL) (void) BIO_free(bcert);
645 661 if (rv != KMF_OK && xcert != NULL)
646 662 X509_free(xcert);
647 663
648 664 return (rv);
649 665 }
650 666
651 667 static int
652 668 datacmp(const void *a, const void *b)
653 669 {
654 670 KMF_DATA *adata = (KMF_DATA *)a;
655 671 KMF_DATA *bdata = (KMF_DATA *)b;
656 672 if (adata->Length > bdata->Length)
657 673 return (-1);
658 674 if (adata->Length < bdata->Length)
659 675 return (1);
660 676 return (0);
661 677 }
662 678
663 679 static KMF_RETURN
664 680 load_certs(KMF_HANDLE *kmfh, char *issuer, char *subject, KMF_BIGINT *serial,
665 681 KMF_CERT_VALIDITY validity, char *pathname,
666 682 KMF_DATA **certlist, uint32_t *numcerts)
667 683 {
668 684 KMF_RETURN rv = KMF_OK;
669 685 int i;
670 686 KMF_DATA *certs = NULL;
671 687 int nc = 0;
672 688 int hits = 0;
673 689 KMF_ENCODE_FORMAT format;
674 690
675 691 rv = kmf_get_file_format(pathname, &format);
676 692 if (rv != KMF_OK) {
677 693 if (rv == KMF_ERR_OPEN_FILE)
678 694 rv = KMF_ERR_CERT_NOT_FOUND;
679 695 return (rv);
680 696 }
681 697 if (format == KMF_FORMAT_ASN1) {
682 698 /* load a single certificate */
683 699 certs = (KMF_DATA *)malloc(sizeof (KMF_DATA));
684 700 if (certs == NULL)
685 701 return (KMF_ERR_MEMORY);
686 702 certs->Data = NULL;
687 703 certs->Length = 0;
688 704 rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
689 705 pathname, certs);
690 706 if (rv == KMF_OK) {
691 707 *certlist = certs;
692 708 *numcerts = 1;
693 709 } else {
694 710 kmf_free_data(certs);
695 711 free(certs);
696 712 certs = NULL;
697 713 }
698 714 return (rv);
699 715 } else if (format == KMF_FORMAT_PKCS12) {
700 716 /* We need a credential to access a PKCS#12 file */
701 717 rv = KMF_ERR_BAD_CERT_FORMAT;
702 718 } else if (format == KMF_FORMAT_PEM ||
703 719 format != KMF_FORMAT_PEM_KEYPAIR) {
704 720
705 721 /* This function only works on PEM files */
706 722 rv = extract_pem(kmfh, issuer, subject, serial, pathname,
707 723 (uchar_t *)NULL, 0, NULL, &certs, &nc);
708 724 } else {
709 725 return (KMF_ERR_ENCODING);
710 726 }
711 727
712 728 if (rv != KMF_OK)
713 729 return (rv);
714 730
715 731 for (i = 0; i < nc; i++) {
716 732 if (validity == KMF_NONEXPIRED_CERTS) {
717 733 rv = kmf_check_cert_date(kmfh, &certs[i]);
718 734 } else if (validity == KMF_EXPIRED_CERTS) {
719 735 rv = kmf_check_cert_date(kmfh, &certs[i]);
720 736 if (rv == KMF_OK)
721 737 rv = KMF_ERR_CERT_NOT_FOUND;
722 738 if (rv == KMF_ERR_VALIDITY_PERIOD)
723 739 rv = KMF_OK;
724 740 }
725 741 if (rv != KMF_OK) {
726 742 /* Remove this cert from the list by clearing it. */
727 743 kmf_free_data(&certs[i]);
728 744 } else {
729 745 hits++; /* count valid certs found */
730 746 }
731 747 rv = KMF_OK;
732 748 }
733 749 if (rv == KMF_OK && hits > 0) {
734 750 /*
735 751 * Sort the list of certs by length to put the cleared ones
736 752 * at the end so they don't get accessed by the caller.
737 753 */
738 754 qsort((void *)certs, nc, sizeof (KMF_DATA), datacmp);
739 755 *certlist = certs;
740 756
741 757 /* since we sorted the list, just return the number of hits */
742 758 *numcerts = hits;
743 759 } else {
744 760 if (rv == KMF_OK && hits == 0)
745 761 rv = KMF_ERR_CERT_NOT_FOUND;
746 762 if (certs != NULL) {
747 763 free(certs);
748 764 certs = NULL;
749 765 }
750 766 }
751 767 return (rv);
752 768 }
753 769
754 770 static KMF_RETURN
755 771 kmf_load_cert(KMF_HANDLE *kmfh,
756 772 char *issuer, char *subject, KMF_BIGINT *serial,
757 773 KMF_CERT_VALIDITY validity,
758 774 char *pathname,
759 775 KMF_DATA *cert)
760 776 {
761 777 KMF_RETURN rv = KMF_OK;
762 778 X509 *x509cert = NULL;
763 779
764 780 rv = load_X509cert(kmfh, issuer, subject, serial, pathname, &x509cert);
765 781 if (rv == KMF_OK && x509cert != NULL && cert != NULL) {
766 782 rv = ssl_cert2KMFDATA(kmfh, x509cert, cert);
767 783 if (rv != KMF_OK) {
768 784 goto cleanup;
769 785 }
770 786 if (validity == KMF_NONEXPIRED_CERTS) {
771 787 rv = kmf_check_cert_date(kmfh, cert);
772 788 } else if (validity == KMF_EXPIRED_CERTS) {
773 789 rv = kmf_check_cert_date(kmfh, cert);
774 790 if (rv == KMF_OK) {
775 791 /*
776 792 * This is a valid cert so skip it.
777 793 */
778 794 rv = KMF_ERR_CERT_NOT_FOUND;
779 795 }
780 796 if (rv == KMF_ERR_VALIDITY_PERIOD) {
781 797 /*
782 798 * We want to return success when we
783 799 * find an invalid cert.
784 800 */
785 801 rv = KMF_OK;
786 802 goto cleanup;
787 803 }
788 804 }
789 805 }
790 806 cleanup:
791 807 if (x509cert != NULL)
792 808 X509_free(x509cert);
793 809
794 810 return (rv);
795 811 }
796 812
797 813 static KMF_RETURN
798 814 readAltFormatPrivateKey(KMF_DATA *filedata, EVP_PKEY **pkey)
799 815 {
800 816 KMF_RETURN ret = KMF_OK;
801 817 KMF_RAW_RSA_KEY rsa;
802 818 BerElement *asn1 = NULL;
803 819 BerValue filebuf;
804 820 BerValue OID = { NULL, 0 };
805 821 BerValue *Mod = NULL, *PubExp = NULL;
806 822 BerValue *PriExp = NULL, *Prime1 = NULL, *Prime2 = NULL;
807 823 BerValue *Coef = NULL;
808 824 BIGNUM *D = NULL, *P = NULL, *Q = NULL, *COEF = NULL;
809 825 BIGNUM *Exp1 = NULL, *Exp2 = NULL, *pminus1 = NULL;
810 826 BIGNUM *qminus1 = NULL;
811 827 BN_CTX *ctx = NULL;
812 828
813 829 *pkey = NULL;
814 830
815 831 filebuf.bv_val = (char *)filedata->Data;
816 832 filebuf.bv_len = filedata->Length;
817 833
818 834 asn1 = kmfder_init(&filebuf);
819 835 if (asn1 == NULL) {
820 836 ret = KMF_ERR_MEMORY;
821 837 goto out;
822 838 }
823 839
824 840 if (kmfber_scanf(asn1, "{{Dn{IIIIII}}}",
825 841 &OID, &Mod, &PubExp, &PriExp, &Prime1,
826 842 &Prime2, &Coef) == -1) {
827 843 ret = KMF_ERR_ENCODING;
828 844 goto out;
829 845 }
830 846
831 847 /*
832 848 * We have to derive the 2 Exponents using Bignumber math.
833 849 * Exp1 = PriExp mod (Prime1 - 1)
834 850 * Exp2 = PriExp mod (Prime2 - 1)
835 851 */
836 852
837 853 /* D = PrivateExponent */
838 854 D = BN_bin2bn((const uchar_t *)PriExp->bv_val, PriExp->bv_len, D);
839 855 if (D == NULL) {
840 856 ret = KMF_ERR_MEMORY;
841 857 goto out;
842 858 }
843 859
844 860 /* P = Prime1 (first prime factor of Modulus) */
845 861 P = BN_bin2bn((const uchar_t *)Prime1->bv_val, Prime1->bv_len, P);
846 862 if (D == NULL) {
847 863 ret = KMF_ERR_MEMORY;
848 864 goto out;
849 865 }
850 866
851 867 /* Q = Prime2 (second prime factor of Modulus) */
852 868 Q = BN_bin2bn((const uchar_t *)Prime2->bv_val, Prime2->bv_len, Q);
853 869
854 870 if ((ctx = BN_CTX_new()) == NULL) {
855 871 ret = KMF_ERR_MEMORY;
856 872 goto out;
857 873 }
858 874
859 875 /* Compute (P - 1) */
860 876 pminus1 = BN_new();
861 877 (void) BN_sub(pminus1, P, BN_value_one());
862 878
863 879 /* Exponent1 = D mod (P - 1) */
864 880 Exp1 = BN_new();
865 881 (void) BN_mod(Exp1, D, pminus1, ctx);
866 882
867 883 /* Compute (Q - 1) */
868 884 qminus1 = BN_new();
869 885 (void) BN_sub(qminus1, Q, BN_value_one());
870 886
871 887 /* Exponent2 = D mod (Q - 1) */
872 888 Exp2 = BN_new();
873 889 (void) BN_mod(Exp2, D, qminus1, ctx);
874 890
875 891 /* Coef = (Inverse Q) mod P */
876 892 COEF = BN_new();
877 893 (void) BN_mod_inverse(COEF, Q, P, ctx);
878 894
879 895 /* Convert back to KMF format */
880 896 (void) memset(&rsa, 0, sizeof (rsa));
881 897
882 898 if ((ret = sslBN2KMFBN(Exp1, &rsa.exp1)) != KMF_OK)
883 899 goto out;
884 900 if ((ret = sslBN2KMFBN(Exp2, &rsa.exp2)) != KMF_OK)
885 901 goto out;
886 902 if ((ret = sslBN2KMFBN(COEF, &rsa.coef)) != KMF_OK)
887 903 goto out;
888 904
889 905 rsa.mod.val = (uchar_t *)Mod->bv_val;
890 906 rsa.mod.len = Mod->bv_len;
891 907
892 908 rsa.pubexp.val = (uchar_t *)PubExp->bv_val;
893 909 rsa.pubexp.len = PubExp->bv_len;
894 910
895 911 rsa.priexp.val = (uchar_t *)PriExp->bv_val;
896 912 rsa.priexp.len = PriExp->bv_len;
897 913
898 914 rsa.prime1.val = (uchar_t *)Prime1->bv_val;
899 915 rsa.prime1.len = Prime1->bv_len;
900 916
901 917 rsa.prime2.val = (uchar_t *)Prime2->bv_val;
902 918 rsa.prime2.len = Prime2->bv_len;
903 919
904 920 *pkey = ImportRawRSAKey(&rsa);
905 921 out:
906 922 if (asn1 != NULL)
907 923 kmfber_free(asn1, 1);
908 924
909 925 if (OID.bv_val) {
910 926 free(OID.bv_val);
911 927 }
912 928 if (PriExp)
913 929 free(PriExp);
914 930
915 931 if (Mod)
916 932 free(Mod);
917 933
918 934 if (PubExp)
919 935 free(PubExp);
920 936
921 937 if (Coef) {
922 938 (void) memset(Coef->bv_val, 0, Coef->bv_len);
923 939 free(Coef->bv_val);
924 940 free(Coef);
925 941 }
926 942 if (Prime1)
927 943 free(Prime1);
928 944 if (Prime2)
929 945 free(Prime2);
930 946
931 947 if (ctx != NULL)
932 948 BN_CTX_free(ctx);
933 949
934 950 if (D)
935 951 BN_clear_free(D);
936 952 if (P)
937 953 BN_clear_free(P);
938 954 if (Q)
939 955 BN_clear_free(Q);
940 956 if (pminus1)
941 957 BN_clear_free(pminus1);
942 958 if (qminus1)
943 959 BN_clear_free(qminus1);
944 960 if (Exp1)
945 961 BN_clear_free(Exp1);
946 962 if (Exp2)
947 963 BN_clear_free(Exp2);
948 964
949 965 return (ret);
950 966
951 967 }
952 968
953 969 static EVP_PKEY *
954 970 openssl_load_key(KMF_HANDLE_T handle, const char *file)
955 971 {
956 972 BIO *keyfile = NULL;
957 973 EVP_PKEY *pkey = NULL;
958 974 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
959 975 KMF_ENCODE_FORMAT format;
960 976 KMF_RETURN rv;
961 977 KMF_DATA filedata;
962 978
963 979 if (file == NULL) {
964 980 return (NULL);
965 981 }
966 982
967 983 if (kmf_get_file_format((char *)file, &format) != KMF_OK)
968 984 return (NULL);
969 985
970 986 keyfile = BIO_new_file(file, "rb");
971 987 if (keyfile == NULL) {
972 988 goto end;
973 989 }
974 990
975 991 if (format == KMF_FORMAT_ASN1) {
976 992 pkey = d2i_PrivateKey_bio(keyfile, NULL);
977 993 if (pkey == NULL) {
978 994
979 995 (void) BIO_free(keyfile);
980 996 keyfile = NULL;
981 997 /* Try odd ASN.1 variations */
982 998 rv = kmf_read_input_file(kmfh, (char *)file,
983 999 &filedata);
984 1000 if (rv == KMF_OK) {
985 1001 (void) readAltFormatPrivateKey(&filedata,
986 1002 &pkey);
987 1003 kmf_free_data(&filedata);
988 1004 }
989 1005 }
990 1006 } else if (format == KMF_FORMAT_PEM ||
991 1007 format == KMF_FORMAT_PEM_KEYPAIR) {
992 1008 pkey = PEM_read_bio_PrivateKey(keyfile, NULL, NULL, NULL);
993 1009 if (pkey == NULL) {
994 1010 KMF_DATA derdata;
995 1011 /*
996 1012 * Check if this is the alt. format
997 1013 * RSA private key file.
998 1014 */
999 1015 rv = kmf_read_input_file(kmfh, (char *)file,
1000 1016 &filedata);
1001 1017 if (rv == KMF_OK) {
1002 1018 uchar_t *d = NULL;
1003 1019 int len;
1004 1020 rv = kmf_pem_to_der(filedata.Data,
1005 1021 filedata.Length, &d, &len);
1006 1022 if (rv == KMF_OK && d != NULL) {
1007 1023 derdata.Data = d;
1008 1024 derdata.Length = (size_t)len;
1009 1025 (void) readAltFormatPrivateKey(
1010 1026 &derdata, &pkey);
1011 1027 free(d);
1012 1028 }
1013 1029 kmf_free_data(&filedata);
1014 1030 }
1015 1031 }
1016 1032 }
1017 1033
1018 1034 end:
1019 1035 if (pkey == NULL)
1020 1036 SET_ERROR(kmfh, ERR_get_error());
1021 1037
1022 1038 if (keyfile != NULL)
1023 1039 (void) BIO_free(keyfile);
1024 1040
1025 1041 return (pkey);
1026 1042 }
1027 1043
1028 1044 KMF_RETURN
1029 1045 OpenSSL_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
1030 1046 {
1031 1047 KMF_RETURN rv = KMF_OK;
1032 1048 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1033 1049 int i, n;
1034 1050 uint32_t maxcerts = 0;
1035 1051 uint32_t *num_certs;
1036 1052 KMF_X509_DER_CERT *kmf_cert = NULL;
1037 1053 char *dirpath = NULL;
1038 1054 char *filename = NULL;
1039 1055 char *fullpath = NULL;
1040 1056 char *issuer = NULL;
1041 1057 char *subject = NULL;
1042 1058 KMF_BIGINT *serial = NULL;
1043 1059 KMF_CERT_VALIDITY validity;
1044 1060
1045 1061 num_certs = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
1046 1062 if (num_certs == NULL)
1047 1063 return (KMF_ERR_BAD_PARAMETER);
1048 1064
1049 1065 /* num_certs should reference the size of kmf_cert */
1050 1066 maxcerts = *num_certs;
1051 1067 if (maxcerts == 0)
1052 1068 maxcerts = 0xFFFFFFFF;
1053 1069 *num_certs = 0;
1054 1070
1055 1071 /* Get the optional returned certificate list */
1056 1072 kmf_cert = kmf_get_attr_ptr(KMF_X509_DER_CERT_ATTR, attrlist,
1057 1073 numattr);
1058 1074
1059 1075 /*
1060 1076 * The dirpath attribute and the filename attribute can not be NULL
1061 1077 * at the same time.
1062 1078 */
1063 1079 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
1064 1080 filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
1065 1081 numattr);
1066 1082
1067 1083 fullpath = get_fullpath(dirpath, filename);
1068 1084 if (fullpath == NULL)
1069 1085 return (KMF_ERR_BAD_PARAMETER);
1070 1086
1071 1087 /* Get optional search criteria attributes */
1072 1088 issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
1073 1089 subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
1074 1090 serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
1075 1091 rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
1076 1092 &validity, NULL);
1077 1093 if (rv != KMF_OK) {
1078 1094 validity = KMF_ALL_CERTS;
1079 1095 rv = KMF_OK;
1080 1096 }
1081 1097
1082 1098 if (isdir(fullpath)) {
1083 1099 DIR *dirp;
1084 1100 struct dirent *dp;
1085 1101
1086 1102 n = 0;
1087 1103 /* open all files in the directory and attempt to read them */
1088 1104 if ((dirp = opendir(fullpath)) == NULL) {
1089 1105 return (KMF_ERR_BAD_PARAMETER);
1090 1106 }
1091 1107 while ((dp = readdir(dirp)) != NULL) {
1092 1108 char *fname;
1093 1109 KMF_DATA *certlist = NULL;
1094 1110 uint32_t loaded_certs = 0;
1095 1111
1096 1112 if (strcmp(dp->d_name, ".") == 0 ||
1097 1113 strcmp(dp->d_name, "..") == 0)
1098 1114 continue;
1099 1115
1100 1116 fname = get_fullpath(fullpath, (char *)&dp->d_name);
1101 1117
1102 1118 rv = load_certs(kmfh, issuer, subject, serial,
1103 1119 validity, fname, &certlist, &loaded_certs);
1104 1120
1105 1121 if (rv != KMF_OK) {
1106 1122 free(fname);
1107 1123 if (certlist != NULL) {
1108 1124 for (i = 0; i < loaded_certs; i++)
1109 1125 kmf_free_data(&certlist[i]);
1110 1126 free(certlist);
1111 1127 }
1112 1128 continue;
1113 1129 }
1114 1130
1115 1131 /* If load succeeds, add certdata to the list */
1116 1132 if (kmf_cert != NULL) {
1117 1133 for (i = 0; i < loaded_certs &&
1118 1134 n < maxcerts; i++) {
1119 1135 kmf_cert[n].certificate.Data =
1120 1136 certlist[i].Data;
1121 1137 kmf_cert[n].certificate.Length =
1122 1138 certlist[i].Length;
1123 1139
1124 1140 kmf_cert[n].kmf_private.keystore_type =
1125 1141 KMF_KEYSTORE_OPENSSL;
1126 1142 kmf_cert[n].kmf_private.flags =
1127 1143 KMF_FLAG_CERT_VALID;
1128 1144 kmf_cert[n].kmf_private.label =
1129 1145 strdup(fname);
1130 1146 n++;
1131 1147 }
1132 1148 /*
1133 1149 * If maxcerts < loaded_certs, clean up the
1134 1150 * certs that were not used.
1135 1151 */
1136 1152 for (; i < loaded_certs; i++)
1137 1153 kmf_free_data(&certlist[i]);
1138 1154 } else {
1139 1155 for (i = 0; i < loaded_certs; i++)
1140 1156 kmf_free_data(&certlist[i]);
1141 1157 n += loaded_certs;
1142 1158 }
1143 1159 free(certlist);
1144 1160 free(fname);
1145 1161 }
1146 1162 (*num_certs) = n;
1147 1163 if (*num_certs == 0)
1148 1164 rv = KMF_ERR_CERT_NOT_FOUND;
1149 1165 if (*num_certs > 0)
1150 1166 rv = KMF_OK;
1151 1167 exit:
1152 1168 (void) closedir(dirp);
1153 1169 } else {
1154 1170 KMF_DATA *certlist = NULL;
1155 1171 uint32_t loaded_certs = 0;
1156 1172
1157 1173 rv = load_certs(kmfh, issuer, subject, serial, validity,
1158 1174 fullpath, &certlist, &loaded_certs);
1159 1175 if (rv != KMF_OK) {
1160 1176 free(fullpath);
1161 1177 return (rv);
1162 1178 }
1163 1179
1164 1180 n = 0;
1165 1181 if (kmf_cert != NULL && certlist != NULL) {
1166 1182 for (i = 0; i < loaded_certs && i < maxcerts; i++) {
1167 1183 kmf_cert[n].certificate.Data =
1168 1184 certlist[i].Data;
1169 1185 kmf_cert[n].certificate.Length =
1170 1186 certlist[i].Length;
1171 1187 kmf_cert[n].kmf_private.keystore_type =
1172 1188 KMF_KEYSTORE_OPENSSL;
1173 1189 kmf_cert[n].kmf_private.flags =
1174 1190 KMF_FLAG_CERT_VALID;
1175 1191 kmf_cert[n].kmf_private.label =
1176 1192 strdup(fullpath);
1177 1193 n++;
1178 1194 }
1179 1195 /* If maxcerts < loaded_certs, clean up */
1180 1196 for (; i < loaded_certs; i++)
1181 1197 kmf_free_data(&certlist[i]);
1182 1198 } else if (certlist != NULL) {
1183 1199 for (i = 0; i < loaded_certs; i++)
1184 1200 kmf_free_data(&certlist[i]);
1185 1201 n = loaded_certs;
1186 1202 }
1187 1203 if (certlist != NULL)
1188 1204 free(certlist);
1189 1205 *num_certs = n;
1190 1206 }
1191 1207
1192 1208 free(fullpath);
1193 1209
1194 1210 return (rv);
1195 1211 }
1196 1212
1197 1213 void
1198 1214 /*ARGSUSED*/
1199 1215 OpenSSL_FreeKMFCert(KMF_HANDLE_T handle,
1200 1216 KMF_X509_DER_CERT *kmf_cert)
1201 1217 {
1202 1218 if (kmf_cert != NULL) {
1203 1219 if (kmf_cert->certificate.Data != NULL) {
1204 1220 kmf_free_data(&kmf_cert->certificate);
1205 1221 }
1206 1222 if (kmf_cert->kmf_private.label)
1207 1223 free(kmf_cert->kmf_private.label);
1208 1224 }
1209 1225 }
1210 1226
1211 1227 /*ARGSUSED*/
1212 1228 KMF_RETURN
1213 1229 OpenSSL_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
1214 1230 {
1215 1231 KMF_RETURN ret = KMF_OK;
1216 1232 KMF_DATA *cert = NULL;
1217 1233 char *outfilename = NULL;
1218 1234 char *dirpath = NULL;
1219 1235 char *fullpath = NULL;
1220 1236 KMF_ENCODE_FORMAT format;
1221 1237
1222 1238 /* Get the cert data */
1223 1239 cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
1224 1240 if (cert == NULL || cert->Data == NULL)
1225 1241 return (KMF_ERR_BAD_PARAMETER);
1226 1242
1227 1243 /* Check the output filename and directory attributes. */
1228 1244 outfilename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
1229 1245 numattr);
1230 1246 if (outfilename == NULL)
1231 1247 return (KMF_ERR_BAD_PARAMETER);
1232 1248
1233 1249 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
1234 1250 fullpath = get_fullpath(dirpath, outfilename);
1235 1251 if (fullpath == NULL)
1236 1252 return (KMF_ERR_BAD_CERTFILE);
1237 1253
1238 1254 /* Check the optional format attribute */
1239 1255 ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
1240 1256 &format, NULL);
1241 1257 if (ret != KMF_OK) {
1242 1258 /* If there is no format attribute, then default to PEM */
1243 1259 format = KMF_FORMAT_PEM;
1244 1260 ret = KMF_OK;
1245 1261 } else if (format != KMF_FORMAT_ASN1 && format != KMF_FORMAT_PEM) {
1246 1262 ret = KMF_ERR_BAD_CERT_FORMAT;
1247 1263 goto out;
1248 1264 }
1249 1265
1250 1266 /* Store the certificate in the file with the specified format */
1251 1267 ret = kmf_create_cert_file(cert, format, fullpath);
1252 1268
1253 1269 out:
1254 1270 if (fullpath != NULL)
1255 1271 free(fullpath);
1256 1272
1257 1273 return (ret);
1258 1274 }
1259 1275
1260 1276
1261 1277 KMF_RETURN
1262 1278 OpenSSL_DeleteCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
1263 1279 {
1264 1280 KMF_RETURN rv;
1265 1281 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1266 1282 KMF_DATA certdata = { 0, NULL };
1267 1283 char *dirpath = NULL;
1268 1284 char *filename = NULL;
1269 1285 char *fullpath = NULL;
1270 1286 char *issuer = NULL;
1271 1287 char *subject = NULL;
1272 1288 KMF_BIGINT *serial = NULL;
1273 1289 KMF_CERT_VALIDITY validity;
1274 1290
1275 1291 /*
1276 1292 * Get the DIRPATH and CERT_FILENAME attributes. They can not be
1277 1293 * NULL at the same time.
1278 1294 */
1279 1295 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
1280 1296 filename = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist,
1281 1297 numattr);
1282 1298 fullpath = get_fullpath(dirpath, filename);
1283 1299 if (fullpath == NULL)
1284 1300 return (KMF_ERR_BAD_PARAMETER);
1285 1301
1286 1302 /* Get optional search criteria attributes */
1287 1303 issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
1288 1304 subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
1289 1305 serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
1290 1306 rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
1291 1307 &validity, NULL);
1292 1308 if (rv != KMF_OK) {
1293 1309 validity = KMF_ALL_CERTS;
1294 1310 rv = KMF_OK;
1295 1311 }
1296 1312
1297 1313 if (isdir(fullpath)) {
1298 1314 DIR *dirp;
1299 1315 struct dirent *dp;
1300 1316
1301 1317 /* open all files in the directory and attempt to read them */
1302 1318 if ((dirp = opendir(fullpath)) == NULL) {
1303 1319 return (KMF_ERR_BAD_PARAMETER);
1304 1320 }
1305 1321
1306 1322 while ((dp = readdir(dirp)) != NULL) {
1307 1323 if (strcmp(dp->d_name, ".") != 0 &&
1308 1324 strcmp(dp->d_name, "..") != 0) {
1309 1325 char *fname;
1310 1326
1311 1327 fname = get_fullpath(fullpath,
1312 1328 (char *)&dp->d_name);
1313 1329
1314 1330 if (fname == NULL) {
1315 1331 rv = KMF_ERR_MEMORY;
1316 1332 break;
1317 1333 }
1318 1334
1319 1335 rv = kmf_load_cert(kmfh, issuer, subject,
1320 1336 serial, validity, fname, &certdata);
1321 1337
1322 1338 if (rv == KMF_ERR_CERT_NOT_FOUND) {
1323 1339 free(fname);
1324 1340 kmf_free_data(&certdata);
1325 1341 rv = KMF_OK;
1326 1342 continue;
1327 1343 } else if (rv != KMF_OK) {
1328 1344 free(fname);
1329 1345 break;
1330 1346 }
1331 1347
1332 1348 if (unlink(fname) != 0) {
1333 1349 SET_SYS_ERROR(kmfh, errno);
1334 1350 rv = KMF_ERR_INTERNAL;
1335 1351 free(fname);
1336 1352 break;
1337 1353 }
1338 1354 free(fname);
1339 1355 kmf_free_data(&certdata);
1340 1356 }
1341 1357 }
1342 1358 (void) closedir(dirp);
1343 1359 } else {
1344 1360 /* Just try to load a single certificate */
1345 1361 rv = kmf_load_cert(kmfh, issuer, subject, serial, validity,
1346 1362 fullpath, &certdata);
1347 1363 if (rv == KMF_OK) {
1348 1364 if (unlink(fullpath) != 0) {
1349 1365 SET_SYS_ERROR(kmfh, errno);
1350 1366 rv = KMF_ERR_INTERNAL;
1351 1367 }
1352 1368 }
1353 1369 }
1354 1370
1355 1371 out:
1356 1372 if (fullpath != NULL)
1357 1373 free(fullpath);
1358 1374
1359 1375 kmf_free_data(&certdata);
1360 1376
1361 1377 return (rv);
1362 1378 }
1363 1379
1364 1380 KMF_RETURN
1365 1381 OpenSSL_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
1366 1382 KMF_DATA *keydata)
1367 1383 {
1368 1384 KMF_RETURN rv = KMF_OK;
1369 1385 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1370 1386 int n;
1371 1387
1372 1388 if (key == NULL || keydata == NULL ||
1373 1389 key->keyp == NULL)
1374 1390 return (KMF_ERR_BAD_PARAMETER);
1375 1391
1376 1392 if (key->keyalg == KMF_RSA) {
1377 1393 RSA *pubkey = EVP_PKEY_get1_RSA(key->keyp);
1378 1394
1379 1395 if (!(n = i2d_RSA_PUBKEY(pubkey, &keydata->Data))) {
1380 1396 SET_ERROR(kmfh, ERR_get_error());
1381 1397 return (KMF_ERR_ENCODING);
1382 1398 }
1383 1399 RSA_free(pubkey);
1384 1400 } else if (key->keyalg == KMF_DSA) {
1385 1401 DSA *pubkey = EVP_PKEY_get1_DSA(key->keyp);
1386 1402
1387 1403 if (!(n = i2d_DSA_PUBKEY(pubkey, &keydata->Data))) {
1388 1404 SET_ERROR(kmfh, ERR_get_error());
1389 1405 return (KMF_ERR_ENCODING);
1390 1406 }
1391 1407 DSA_free(pubkey);
1392 1408 } else {
1393 1409 return (KMF_ERR_BAD_PARAMETER);
1394 1410 }
1395 1411 keydata->Length = n;
1396 1412
1397 1413 cleanup:
1398 1414 if (rv != KMF_OK) {
1399 1415 if (keydata->Data)
1400 1416 free(keydata->Data);
1401 1417 keydata->Data = NULL;
1402 1418 keydata->Length = 0;
1403 1419 }
1404 1420
1405 1421 return (rv);
1406 1422 }
1407 1423
1408 1424 static KMF_RETURN
1409 1425 ssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out,
1410 1426 KMF_CREDENTIAL *cred, EVP_PKEY *pkey, boolean_t private)
1411 1427 {
1412 1428 int rv = 0;
|
↓ open down ↓ |
885 lines elided |
↑ open up ↑ |
1413 1429 RSA *rsa;
1414 1430 DSA *dsa;
1415 1431
1416 1432 if (pkey == NULL || out == NULL)
1417 1433 return (KMF_ERR_BAD_PARAMETER);
1418 1434
1419 1435 switch (format) {
1420 1436 case KMF_FORMAT_RAWKEY:
1421 1437 /* same as ASN.1 */
1422 1438 case KMF_FORMAT_ASN1:
1423 - if (pkey->type == EVP_PKEY_RSA) {
1424 - rsa = EVP_PKEY_get1_RSA(pkey);
1439 + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
1425 1440 if (private)
1426 1441 rv = i2d_RSAPrivateKey_bio(out, rsa);
1427 1442 else
1428 1443 rv = i2d_RSAPublicKey_bio(out, rsa);
1429 - RSA_free(rsa);
1430 - } else if (pkey->type == EVP_PKEY_DSA) {
1431 - dsa = EVP_PKEY_get1_DSA(pkey);
1444 + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
1432 1445 rv = i2d_DSAPrivateKey_bio(out, dsa);
1433 - DSA_free(dsa);
1434 1446 }
1435 1447 if (rv == 1) {
1436 1448 rv = KMF_OK;
1437 1449 } else {
1438 1450 SET_ERROR(kmfh, rv);
1439 1451 }
1440 1452 break;
1441 1453 case KMF_FORMAT_PEM:
1442 - if (pkey->type == EVP_PKEY_RSA) {
1443 - rsa = EVP_PKEY_get1_RSA(pkey);
1454 + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
1444 1455 if (private)
1445 1456 rv = PEM_write_bio_RSAPrivateKey(out,
1446 1457 rsa, NULL, NULL, 0, NULL,
1447 1458 (cred != NULL ? cred->cred : NULL));
1448 1459 else
1449 1460 rv = PEM_write_bio_RSAPublicKey(out,
1450 1461 rsa);
1451 - RSA_free(rsa);
1452 - } else if (pkey->type == EVP_PKEY_DSA) {
1453 - dsa = EVP_PKEY_get1_DSA(pkey);
1462 + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
1454 1463 rv = PEM_write_bio_DSAPrivateKey(out,
1455 1464 dsa, NULL, NULL, 0, NULL,
1456 1465 (cred != NULL ? cred->cred : NULL));
1457 - DSA_free(dsa);
1458 1466 }
1459 1467
1460 1468 if (rv == 1) {
1461 1469 rv = KMF_OK;
1462 1470 } else {
1463 1471 SET_ERROR(kmfh, rv);
1464 1472 }
1465 1473 break;
1466 1474
1467 1475 default:
1468 1476 rv = KMF_ERR_BAD_PARAMETER;
1469 1477 }
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
1470 1478
1471 1479 return (rv);
1472 1480 }
1473 1481
1474 1482 KMF_RETURN
1475 1483 OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr,
1476 1484 KMF_ATTRIBUTE *attrlist)
1477 1485 {
1478 1486 KMF_RETURN rv = KMF_OK;
1479 1487 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1480 - uint32_t eValue = 0x010001;
1488 + uint32_t eValue = RSA_F4;
1489 + BIGNUM *eValue_bn = NULL;
1481 1490 RSA *sslPrivKey = NULL;
1482 1491 DSA *sslDSAKey = NULL;
1483 1492 EVP_PKEY *eprikey = NULL;
1484 1493 EVP_PKEY *epubkey = NULL;
1485 1494 BIO *out = NULL;
1486 1495 KMF_KEY_HANDLE *pubkey = NULL, *privkey = NULL;
1487 1496 uint32_t keylen = 1024;
1488 1497 uint32_t keylen_size = sizeof (uint32_t);
1489 1498 boolean_t storekey = TRUE;
1490 1499 KMF_KEY_ALG keytype = KMF_RSA;
1491 1500
1501 + eValue_bn = BN_new();
1502 + if (eValue_bn == NULL)
1503 + return (KMF_ERR_MEMORY);
1504 + if (BN_set_word(eValue_bn, eValue) == 0) {
1505 + rv = KMF_ERR_KEYGEN_FAILED;
1506 + goto cleanup;
1507 + }
1508 +
1492 1509 rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
1493 1510 &storekey, NULL);
1494 1511 if (rv != KMF_OK) {
1495 1512 /* "storekey" is optional. Default is TRUE */
1496 1513 rv = KMF_OK;
1497 1514 }
1498 1515
1499 1516 rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
1500 1517 (void *)&keytype, NULL);
1501 1518 if (rv != KMF_OK)
1502 1519 /* keytype is optional. KMF_RSA is default */
1503 1520 rv = KMF_OK;
1504 1521
1505 1522 pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
1506 - if (pubkey == NULL)
1507 - return (KMF_ERR_BAD_PARAMETER);
1523 + if (pubkey == NULL) {
1524 + rv = KMF_ERR_BAD_PARAMETER;
1525 + goto cleanup;
1526 + }
1508 1527
1509 1528 privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
1510 - if (privkey == NULL)
1511 - return (KMF_ERR_BAD_PARAMETER);
1529 + if (privkey == NULL) {
1530 + rv = KMF_ERR_BAD_PARAMETER;
1531 + goto cleanup;
1532 + }
1512 1533
1513 1534 (void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE));
1514 1535 (void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE));
1515 1536
1516 1537 eprikey = EVP_PKEY_new();
1517 1538 if (eprikey == NULL) {
1518 1539 SET_ERROR(kmfh, ERR_get_error());
1519 1540 rv = KMF_ERR_KEYGEN_FAILED;
1520 1541 goto cleanup;
1521 1542 }
1522 1543 epubkey = EVP_PKEY_new();
1523 1544 if (epubkey == NULL) {
1524 1545 SET_ERROR(kmfh, ERR_get_error());
1525 1546 rv = KMF_ERR_KEYGEN_FAILED;
1526 1547 goto cleanup;
1527 1548 }
|
↓ open down ↓ |
6 lines elided |
↑ open up ↑ |
1528 1549 if (keytype == KMF_RSA) {
1529 1550 KMF_BIGINT *rsaexp = NULL;
1530 1551
1531 1552 rsaexp = kmf_get_attr_ptr(KMF_RSAEXP_ATTR, attrlist, numattr);
1532 1553 if (rsaexp != NULL) {
1533 1554 if (rsaexp->len > 0 &&
1534 1555 rsaexp->len <= sizeof (eValue) &&
1535 1556 rsaexp->val != NULL) {
1536 1557 /* LINTED E_BAD_PTR_CAST_ALIGN */
1537 1558 eValue = *(uint32_t *)rsaexp->val;
1559 + if (BN_set_word(eValue_bn, eValue) == 0) {
1560 + rv = KMF_ERR_BAD_PARAMETER;
1561 + goto cleanup;
1562 + }
1538 1563 } else {
1539 1564 rv = KMF_ERR_BAD_PARAMETER;
1540 1565 goto cleanup;
1541 1566 }
1542 1567 } else {
1543 1568 /* RSA Exponent is optional. Default is 0x10001 */
1544 1569 rv = KMF_OK;
1545 1570 }
1546 1571
1547 1572 rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
1548 1573 &keylen, &keylen_size);
1549 1574 if (rv == KMF_ERR_ATTR_NOT_FOUND)
1550 1575 /* keylen is optional, default is 1024 */
1551 1576 rv = KMF_OK;
1552 1577 if (rv != KMF_OK) {
1553 1578 rv = KMF_ERR_BAD_PARAMETER;
1554 1579 goto cleanup;
1555 1580 }
1556 1581
1557 - sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL);
1558 - if (sslPrivKey == NULL) {
1582 + sslPrivKey = RSA_new();
1583 + if (sslPrivKey == NULL ||
1584 + RSA_generate_key_ex(sslPrivKey, keylen, eValue_bn, NULL)
1585 + == 0) {
1559 1586 SET_ERROR(kmfh, ERR_get_error());
1560 1587 rv = KMF_ERR_KEYGEN_FAILED;
1561 1588 } else {
1562 1589 (void) EVP_PKEY_set1_RSA(eprikey, sslPrivKey);
1563 1590 privkey->kstype = KMF_KEYSTORE_OPENSSL;
1564 1591 privkey->keyalg = KMF_RSA;
1565 1592 privkey->keyclass = KMF_ASYM_PRI;
1566 1593 privkey->israw = FALSE;
1567 1594 privkey->keyp = (void *)eprikey;
1568 1595
1569 1596 /* OpenSSL derives the public key from the private */
1570 1597 (void) EVP_PKEY_set1_RSA(epubkey, sslPrivKey);
1571 1598 pubkey->kstype = KMF_KEYSTORE_OPENSSL;
1572 1599 pubkey->keyalg = KMF_RSA;
1573 1600 pubkey->israw = FALSE;
1574 1601 pubkey->keyclass = KMF_ASYM_PUB;
1575 1602 pubkey->keyp = (void *)epubkey;
1576 1603 }
1577 1604 } else if (keytype == KMF_DSA) {
1578 - DSA *dp;
1605 + BIGNUM *p, *q, *g;
1606 +
1579 1607 sslDSAKey = DSA_new();
1580 1608 if (sslDSAKey == NULL) {
1581 1609 SET_ERROR(kmfh, ERR_get_error());
1582 1610 return (KMF_ERR_MEMORY);
1583 1611 }
1584 1612
1585 - if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) ==
1586 - NULL) {
1613 + p = BN_bin2bn(P, sizeof (P), NULL);
1614 + q = BN_bin2bn(Q, sizeof (Q), NULL);
1615 + g = BN_bin2bn(G, sizeof (G), NULL);
1616 + if (p == NULL || q == NULL || g == NULL) {
1617 + BN_free(p);
1618 + BN_free(q);
1619 + BN_free(g);
1587 1620 SET_ERROR(kmfh, ERR_get_error());
1588 1621 rv = KMF_ERR_KEYGEN_FAILED;
1589 1622 goto cleanup;
1590 1623 }
1591 - if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) ==
1592 - NULL) {
1624 +
1625 + if (DSA_set0_pqg(sslDSAKey, p, q, g) == 0) {
1593 1626 SET_ERROR(kmfh, ERR_get_error());
1594 1627 rv = KMF_ERR_KEYGEN_FAILED;
1595 1628 goto cleanup;
1596 1629 }
1597 - if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) ==
1598 - NULL) {
1599 - SET_ERROR(kmfh, ERR_get_error());
1600 - rv = KMF_ERR_KEYGEN_FAILED;
1601 - goto cleanup;
1602 - }
1603 1630
1604 1631 if (!DSA_generate_key(sslDSAKey)) {
1605 1632 SET_ERROR(kmfh, ERR_get_error());
1606 1633 rv = KMF_ERR_KEYGEN_FAILED;
1607 1634 goto cleanup;
1608 1635 }
1609 1636
1610 1637 privkey->kstype = KMF_KEYSTORE_OPENSSL;
1611 1638 privkey->keyalg = KMF_DSA;
1612 1639 privkey->keyclass = KMF_ASYM_PRI;
1613 1640 privkey->israw = FALSE;
1614 1641 if (EVP_PKEY_set1_DSA(eprikey, sslDSAKey)) {
1615 1642 privkey->keyp = (void *)eprikey;
1616 1643 } else {
1617 1644 SET_ERROR(kmfh, ERR_get_error());
1618 1645 rv = KMF_ERR_KEYGEN_FAILED;
1619 1646 goto cleanup;
1620 1647 }
1621 - dp = DSA_new();
1622 - /* Make a copy for the public key */
1623 - if (dp != NULL) {
1624 - if ((dp->p = BN_new()) == NULL) {
1625 - SET_ERROR(kmfh, ERR_get_error());
1626 - rv = KMF_ERR_MEMORY;
1627 - DSA_free(dp);
1628 - goto cleanup;
1629 - }
1630 - if ((dp->q = BN_new()) == NULL) {
1631 - SET_ERROR(kmfh, ERR_get_error());
1632 - rv = KMF_ERR_MEMORY;
1633 - BN_free(dp->p);
1634 - DSA_free(dp);
1635 - goto cleanup;
1636 - }
1637 - if ((dp->g = BN_new()) == NULL) {
1638 - SET_ERROR(kmfh, ERR_get_error());
1639 - rv = KMF_ERR_MEMORY;
1640 - BN_free(dp->q);
1641 - BN_free(dp->p);
1642 - DSA_free(dp);
1643 - goto cleanup;
1644 - }
1645 - if ((dp->pub_key = BN_new()) == NULL) {
1646 - SET_ERROR(kmfh, ERR_get_error());
1647 - rv = KMF_ERR_MEMORY;
1648 - BN_free(dp->q);
1649 - BN_free(dp->p);
1650 - BN_free(dp->g);
1651 - DSA_free(dp);
1652 - goto cleanup;
1653 - }
1654 - (void) BN_copy(dp->p, sslDSAKey->p);
1655 - (void) BN_copy(dp->q, sslDSAKey->q);
1656 - (void) BN_copy(dp->g, sslDSAKey->g);
1657 - (void) BN_copy(dp->pub_key, sslDSAKey->pub_key);
1658 1648
1659 - pubkey->kstype = KMF_KEYSTORE_OPENSSL;
1660 - pubkey->keyalg = KMF_DSA;
1661 - pubkey->keyclass = KMF_ASYM_PUB;
1662 - pubkey->israw = FALSE;
1649 + pubkey->kstype = KMF_KEYSTORE_OPENSSL;
1650 + pubkey->keyalg = KMF_DSA;
1651 + pubkey->keyclass = KMF_ASYM_PUB;
1652 + pubkey->israw = FALSE;
1663 1653
1664 - if (EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) {
1665 - pubkey->keyp = (void *)epubkey;
1666 - } else {
1667 - SET_ERROR(kmfh, ERR_get_error());
1668 - rv = KMF_ERR_KEYGEN_FAILED;
1669 - goto cleanup;
1670 - }
1654 + if (EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) {
1655 + pubkey->keyp = (void *)epubkey;
1656 + } else {
1657 + SET_ERROR(kmfh, ERR_get_error());
1658 + rv = KMF_ERR_KEYGEN_FAILED;
1659 + goto cleanup;
1671 1660 }
1672 1661 }
1673 1662
1674 1663 if (rv != KMF_OK) {
1675 1664 goto cleanup;
1676 1665 }
1677 1666
1678 1667 if (storekey) {
1679 1668 KMF_ATTRIBUTE storeattrs[4]; /* max. 4 attributes needed */
1680 1669 int i = 0;
1681 1670 char *keyfile = NULL, *dirpath = NULL;
1682 1671 KMF_ENCODE_FORMAT format;
1683 1672 /*
1684 1673 * Construct a new attribute arrray and call openssl_store_key
1685 1674 */
1686 1675 kmf_set_attr_at_index(storeattrs, i, KMF_PRIVKEY_HANDLE_ATTR,
1687 1676 privkey, sizeof (privkey));
1688 1677 i++;
1689 1678
1690 1679 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
1691 1680 if (dirpath != NULL) {
1692 1681 storeattrs[i].type = KMF_DIRPATH_ATTR;
1693 1682 storeattrs[i].pValue = dirpath;
1694 1683 storeattrs[i].valueLen = strlen(dirpath);
1695 1684 i++;
1696 1685 } else {
1697 1686 rv = KMF_OK; /* DIRPATH is optional */
1698 1687 }
1699 1688 keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR,
1700 1689 attrlist, numattr);
1701 1690 if (keyfile != NULL) {
1702 1691 storeattrs[i].type = KMF_KEY_FILENAME_ATTR;
1703 1692 storeattrs[i].pValue = keyfile;
1704 1693 storeattrs[i].valueLen = strlen(keyfile);
1705 1694 i++;
1706 1695 } else {
1707 1696 goto cleanup; /* KEYFILE is required */
1708 1697 }
1709 1698 rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
1710 1699 (void *)&format, NULL);
1711 1700 if (rv == KMF_OK) {
|
↓ open down ↓ |
31 lines elided |
↑ open up ↑ |
1712 1701 storeattrs[i].type = KMF_ENCODE_FORMAT_ATTR;
1713 1702 storeattrs[i].pValue = &format;
1714 1703 storeattrs[i].valueLen = sizeof (format);
1715 1704 i++;
1716 1705 }
1717 1706
1718 1707 rv = OpenSSL_StoreKey(handle, i, storeattrs);
1719 1708 }
1720 1709
1721 1710 cleanup:
1711 + if (eValue_bn != NULL)
1712 + BN_free(eValue_bn);
1713 +
1722 1714 if (rv != KMF_OK) {
1723 1715 if (eprikey != NULL)
1724 1716 EVP_PKEY_free(eprikey);
1725 1717
1726 1718 if (epubkey != NULL)
1727 1719 EVP_PKEY_free(epubkey);
1728 1720
1729 1721 if (pubkey->keylabel) {
1730 1722 free(pubkey->keylabel);
1731 1723 pubkey->keylabel = NULL;
1732 1724 }
1733 1725
1734 1726 if (privkey->keylabel) {
1735 1727 free(privkey->keylabel);
1736 1728 privkey->keylabel = NULL;
1737 1729 }
1738 1730
1739 1731 pubkey->keyp = NULL;
1740 1732 privkey->keyp = NULL;
1741 1733 }
1742 1734
1743 1735 if (sslPrivKey)
1744 1736 RSA_free(sslPrivKey);
1745 1737
1746 1738 if (sslDSAKey)
1747 1739 DSA_free(sslDSAKey);
1748 1740
1749 1741 if (out != NULL)
1750 1742 (void) BIO_free(out);
1751 1743
|
↓ open down ↓ |
20 lines elided |
↑ open up ↑ |
1752 1744 return (rv);
1753 1745 }
1754 1746
1755 1747 /*
1756 1748 * Make sure the BN conversion is properly padded with 0x00
1757 1749 * bytes. If not, signature verification for DSA signatures
1758 1750 * may fail in the case where the bignum value does not use
1759 1751 * all of the bits.
1760 1752 */
1761 1753 static int
1762 -fixbnlen(BIGNUM *bn, unsigned char *buf, int len) {
1754 +fixbnlen(const BIGNUM *bn, unsigned char *buf, int len) {
1763 1755 int bytes = len - BN_num_bytes(bn);
1764 1756
1765 1757 /* prepend with leading 0x00 if necessary */
1766 1758 while (bytes-- > 0)
1767 1759 *buf++ = 0;
1768 1760
1769 1761 (void) BN_bn2bin(bn, buf);
1770 1762 /*
1771 1763 * Return the desired length since we prepended it
1772 1764 * with the necessary 0x00 padding.
1773 1765 */
|
↓ open down ↓ |
1 lines elided |
↑ open up ↑ |
1774 1766 return (len);
1775 1767 }
1776 1768
1777 1769 KMF_RETURN
1778 1770 OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
1779 1771 KMF_OID *AlgOID, KMF_DATA *tobesigned, KMF_DATA *output)
1780 1772 {
1781 1773 KMF_RETURN ret = KMF_OK;
1782 1774 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1783 1775 KMF_ALGORITHM_INDEX AlgId;
1784 - EVP_MD_CTX ctx;
1776 + EVP_MD_CTX *ctx;
1785 1777 const EVP_MD *md;
1786 1778
1787 1779 if (key == NULL || AlgOID == NULL ||
1788 1780 tobesigned == NULL || output == NULL ||
1789 1781 tobesigned->Data == NULL ||
1790 1782 output->Data == NULL)
1791 1783 return (KMF_ERR_BAD_PARAMETER);
1792 1784
1793 1785 /* Map the OID to an OpenSSL algorithm */
1794 1786 AlgId = x509_algoid_to_algid(AlgOID);
1795 1787 if (AlgId == KMF_ALGID_NONE)
1796 1788 return (KMF_ERR_BAD_ALGORITHM);
1797 1789
1798 1790 if (key->keyalg == KMF_RSA) {
1799 1791 EVP_PKEY *pkey = (EVP_PKEY *)key->keyp;
1800 1792 uchar_t *p;
1801 1793 int len;
1802 1794 if (AlgId == KMF_ALGID_MD5WithRSA)
1803 1795 md = EVP_md5();
1804 1796 else if (AlgId == KMF_ALGID_SHA1WithRSA)
1805 1797 md = EVP_sha1();
1806 1798 else if (AlgId == KMF_ALGID_SHA256WithRSA)
1807 1799 md = EVP_sha256();
1808 1800 else if (AlgId == KMF_ALGID_SHA384WithRSA)
1809 1801 md = EVP_sha384();
1810 1802 else if (AlgId == KMF_ALGID_SHA512WithRSA)
1811 1803 md = EVP_sha512();
1812 1804 else if (AlgId == KMF_ALGID_RSA)
1813 1805 md = NULL;
1814 1806 else
1815 1807 return (KMF_ERR_BAD_ALGORITHM);
1816 1808
1817 1809 if ((md == NULL) && (AlgId == KMF_ALGID_RSA)) {
1818 1810 RSA *rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)pkey);
|
↓ open down ↓ |
24 lines elided |
↑ open up ↑ |
1819 1811
1820 1812 p = output->Data;
1821 1813 if ((len = RSA_private_encrypt(tobesigned->Length,
1822 1814 tobesigned->Data, p, rsa,
1823 1815 RSA_PKCS1_PADDING)) <= 0) {
1824 1816 SET_ERROR(kmfh, ERR_get_error());
1825 1817 ret = KMF_ERR_INTERNAL;
1826 1818 }
1827 1819 output->Length = len;
1828 1820 } else {
1829 - (void) EVP_MD_CTX_init(&ctx);
1830 - (void) EVP_SignInit_ex(&ctx, md, NULL);
1831 - (void) EVP_SignUpdate(&ctx, tobesigned->Data,
1821 + if ((ctx = EVP_MD_CTX_new()) == NULL)
1822 + return (KMF_ERR_MEMORY);
1823 + (void) EVP_SignInit_ex(ctx, md, NULL);
1824 + (void) EVP_SignUpdate(ctx, tobesigned->Data,
1832 1825 (uint32_t)tobesigned->Length);
1833 1826 len = (uint32_t)output->Length;
1834 1827 p = output->Data;
1835 - if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) {
1828 + if (!EVP_SignFinal(ctx, p, (uint32_t *)&len, pkey)) {
1836 1829 SET_ERROR(kmfh, ERR_get_error());
1837 1830 len = 0;
1838 1831 ret = KMF_ERR_INTERNAL;
1839 1832 }
1840 1833 output->Length = len;
1841 - (void) EVP_MD_CTX_cleanup(&ctx);
1834 + EVP_MD_CTX_free(ctx);
1842 1835 }
1843 1836 } else if (key->keyalg == KMF_DSA) {
1844 1837 DSA *dsa = EVP_PKEY_get1_DSA(key->keyp);
1845 1838
1846 1839 uchar_t hash[EVP_MAX_MD_SIZE];
1847 1840 uint32_t hashlen;
1848 1841 DSA_SIG *dsasig;
1849 1842
1850 1843 if (AlgId == KMF_ALGID_DSA ||
1851 1844 AlgId == KMF_ALGID_SHA1WithDSA)
1852 1845 md = EVP_sha1();
1853 1846 else if (AlgId == KMF_ALGID_SHA256WithDSA)
1854 1847 md = EVP_sha256();
1855 1848 else /* Bad algorithm */
|
↓ open down ↓ |
4 lines elided |
↑ open up ↑ |
1856 1849 return (KMF_ERR_BAD_ALGORITHM);
1857 1850
1858 1851 /*
1859 1852 * OpenSSL EVP_Sign operation automatically converts to
1860 1853 * ASN.1 output so we do the operations separately so we
1861 1854 * are assured of NOT getting ASN.1 output returned.
1862 1855 * KMF does not want ASN.1 encoded results because
1863 1856 * not all mechanisms return ASN.1 encodings (PKCS#11
1864 1857 * and NSS return raw signature data).
1865 1858 */
1866 - EVP_MD_CTX_init(&ctx);
1867 - (void) EVP_DigestInit_ex(&ctx, md, NULL);
1868 - (void) EVP_DigestUpdate(&ctx, tobesigned->Data,
1859 + if ((ctx = EVP_MD_CTX_new()) == NULL)
1860 + return (KMF_ERR_MEMORY);
1861 + (void) EVP_DigestInit_ex(ctx, md, NULL);
1862 + (void) EVP_DigestUpdate(ctx, tobesigned->Data,
1869 1863 tobesigned->Length);
1870 - (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen);
1864 + (void) EVP_DigestFinal_ex(ctx, hash, &hashlen);
1871 1865
1872 1866 /* Only sign first 20 bytes for SHA2 */
1873 1867 if (AlgId == KMF_ALGID_SHA256WithDSA)
1874 1868 hashlen = 20;
1875 1869 dsasig = DSA_do_sign(hash, hashlen, dsa);
1876 1870 if (dsasig != NULL) {
1877 1871 int i;
1878 - output->Length = i = fixbnlen(dsasig->r, output->Data,
1872 + const BIGNUM *r, *s;
1873 +
1874 + DSA_SIG_get0(dsasig, &r, &s);
1875 + output->Length = i = fixbnlen(r, output->Data,
1879 1876 hashlen);
1880 1877
1881 - output->Length += fixbnlen(dsasig->s, &output->Data[i],
1878 + output->Length += fixbnlen(s, &output->Data[i],
1882 1879 hashlen);
1883 1880
1884 1881 DSA_SIG_free(dsasig);
1885 1882 } else {
1886 1883 SET_ERROR(kmfh, ERR_get_error());
1887 1884 }
1888 - (void) EVP_MD_CTX_cleanup(&ctx);
1885 + EVP_MD_CTX_free(ctx);
1889 1886 } else {
1890 1887 return (KMF_ERR_BAD_PARAMETER);
1891 1888 }
1892 1889 cleanup:
1893 1890 return (ret);
1894 1891 }
1895 1892
1896 1893 KMF_RETURN
1897 1894 /*ARGSUSED*/
1898 1895 OpenSSL_DeleteKey(KMF_HANDLE_T handle,
1899 1896 int numattr, KMF_ATTRIBUTE *attrlist)
1900 1897 {
1901 1898 KMF_RETURN rv = KMF_OK;
1902 1899 KMF_KEY_HANDLE *key;
1903 1900 boolean_t destroy = B_TRUE;
1904 1901
1905 1902 key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
1906 1903 if (key == NULL || key->keyp == NULL)
1907 1904 return (KMF_ERR_BAD_PARAMETER);
1908 1905
1909 1906 rv = kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
1910 1907 (void *)&destroy, NULL);
1911 1908 if (rv != KMF_OK) {
1912 1909 /* "destroy" is optional. Default is TRUE */
1913 1910 rv = KMF_OK;
1914 1911 }
1915 1912
1916 1913 if (key->keyclass != KMF_ASYM_PUB &&
1917 1914 key->keyclass != KMF_ASYM_PRI &&
1918 1915 key->keyclass != KMF_SYMMETRIC)
1919 1916 return (KMF_ERR_BAD_KEY_CLASS);
1920 1917
1921 1918 if (key->keyclass == KMF_SYMMETRIC) {
1922 1919 kmf_free_raw_sym_key((KMF_RAW_SYM_KEY *)key->keyp);
1923 1920 key->keyp = NULL;
1924 1921 } else {
1925 1922 if (key->keyp != NULL) {
1926 1923 EVP_PKEY_free(key->keyp);
1927 1924 key->keyp = NULL;
1928 1925 }
1929 1926 }
1930 1927
1931 1928 if (key->keylabel != NULL) {
1932 1929 EVP_PKEY *pkey = NULL;
1933 1930 /* If the file exists, make sure it is a proper key. */
1934 1931 pkey = openssl_load_key(handle, key->keylabel);
1935 1932 if (pkey == NULL) {
1936 1933 if (key->keylabel != NULL) {
1937 1934 free(key->keylabel);
1938 1935 key->keylabel = NULL;
1939 1936 }
1940 1937 return (KMF_ERR_KEY_NOT_FOUND);
1941 1938 }
1942 1939 EVP_PKEY_free(pkey);
1943 1940
1944 1941 if (destroy) {
1945 1942 if (unlink(key->keylabel) != 0) {
1946 1943 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1947 1944 SET_SYS_ERROR(kmfh, errno);
1948 1945 rv = KMF_ERR_INTERNAL;
1949 1946 }
1950 1947 }
1951 1948 if (key->keylabel != NULL) {
1952 1949 free(key->keylabel);
1953 1950 key->keylabel = NULL;
1954 1951 }
1955 1952 }
1956 1953 return (rv);
1957 1954 }
1958 1955
1959 1956 KMF_RETURN
1960 1957 OpenSSL_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
1961 1958 {
1962 1959 KMF_RETURN ret = KMF_OK;
1963 1960 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
1964 1961 char str[256]; /* OpenSSL needs at least 120 byte buffer */
1965 1962
1966 1963 ERR_error_string_n(kmfh->lasterr.errcode, str, sizeof (str));
1967 1964 if (strlen(str)) {
1968 1965 *msgstr = (char *)strdup(str);
1969 1966 if ((*msgstr) == NULL)
1970 1967 ret = KMF_ERR_MEMORY;
1971 1968 } else {
1972 1969 *msgstr = NULL;
1973 1970 }
1974 1971
1975 1972 return (ret);
1976 1973 }
1977 1974
1978 1975 static int
1979 1976 ext2NID(int kmfext)
1980 1977 {
1981 1978 switch (kmfext) {
1982 1979 case KMF_X509_EXT_KEY_USAGE:
1983 1980 return (NID_key_usage);
1984 1981 case KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD:
1985 1982 return (NID_private_key_usage_period);
1986 1983 case KMF_X509_EXT_CERT_POLICIES:
1987 1984 return (NID_certificate_policies);
1988 1985 case KMF_X509_EXT_SUBJ_ALTNAME:
1989 1986 return (NID_subject_alt_name);
1990 1987 case KMF_X509_EXT_ISSUER_ALTNAME:
1991 1988 return (NID_issuer_alt_name);
1992 1989 case KMF_X509_EXT_BASIC_CONSTRAINTS:
1993 1990 return (NID_basic_constraints);
1994 1991 case KMF_X509_EXT_EXT_KEY_USAGE:
1995 1992 return (NID_ext_key_usage);
1996 1993 case KMF_X509_EXT_AUTH_KEY_ID:
1997 1994 return (NID_authority_key_identifier);
1998 1995 case KMF_X509_EXT_CRL_DIST_POINTS:
1999 1996 return (NID_crl_distribution_points);
2000 1997 case KMF_X509_EXT_SUBJ_KEY_ID:
2001 1998 return (NID_subject_key_identifier);
2002 1999 case KMF_X509_EXT_POLICY_MAPPINGS:
2003 2000 return (OBJ_sn2nid("policyMappings"));
2004 2001 case KMF_X509_EXT_NAME_CONSTRAINTS:
2005 2002 return (OBJ_sn2nid("nameConstraints"));
2006 2003 case KMF_X509_EXT_POLICY_CONSTRAINTS:
2007 2004 return (OBJ_sn2nid("policyConstraints"));
2008 2005 case KMF_X509_EXT_INHIBIT_ANY_POLICY:
2009 2006 return (OBJ_sn2nid("inhibitAnyPolicy"));
2010 2007 case KMF_X509_EXT_FRESHEST_CRL:
2011 2008 return (OBJ_sn2nid("freshestCRL"));
2012 2009 default:
2013 2010 return (NID_undef);
2014 2011 }
2015 2012 }
|
↓ open down ↓ |
117 lines elided |
↑ open up ↑ |
2016 2013
2017 2014 KMF_RETURN
2018 2015 OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
2019 2016 KMF_PRINTABLE_ITEM flag, char *resultStr)
2020 2017 {
2021 2018 KMF_RETURN ret = KMF_OK;
2022 2019 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2023 2020 X509 *xcert = NULL;
2024 2021 unsigned char *outbuf = NULL;
2025 2022 unsigned char *outbuf_p;
2026 - char *tmpstr = NULL;
2027 2023 int j;
2028 2024 int ext_index, nid, len;
2029 2025 BIO *mem = NULL;
2030 -#if OPENSSL_VERSION_NUMBER < 0x10000000L
2031 - STACK *emlst = NULL;
2032 -#else
2033 2026 STACK_OF(OPENSSL_STRING) *emlst = NULL;
2034 -#endif
2035 2027 X509_EXTENSION *ex;
2036 - X509_CINF *ci;
2037 2028
2038 2029 if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) {
2039 2030 return (KMF_ERR_BAD_PARAMETER);
2040 2031 }
2041 2032
2042 2033 /* copy cert data to outbuf */
2043 2034 outbuf = malloc(pcert->Length);
2044 2035 if (outbuf == NULL) {
2045 2036 return (KMF_ERR_MEMORY);
2046 2037 }
2047 2038 (void) memcpy(outbuf, pcert->Data, pcert->Length);
2048 2039
2049 2040 outbuf_p = outbuf; /* use a temp pointer; required by openssl */
2050 2041 xcert = d2i_X509(NULL, (const uchar_t **)&outbuf_p, pcert->Length);
2051 2042 if (xcert == NULL) {
2052 2043 SET_ERROR(kmfh, ERR_get_error());
2053 2044 ret = KMF_ERR_ENCODING;
2054 2045 goto out;
2055 2046 }
2056 2047
2057 2048 mem = BIO_new(BIO_s_mem());
2058 2049 if (mem == NULL) {
2059 2050 SET_ERROR(kmfh, ERR_get_error());
2060 2051 ret = KMF_ERR_MEMORY;
2061 2052 goto out;
2062 2053 }
2063 2054
2064 2055 switch (flag) {
2065 2056 case KMF_CERT_ISSUER:
2066 2057 (void) X509_NAME_print_ex(mem, X509_get_issuer_name(xcert), 0,
2067 2058 XN_FLAG_SEP_CPLUS_SPC);
|
↓ open down ↓ |
21 lines elided |
↑ open up ↑ |
2068 2059 len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2069 2060 break;
2070 2061
2071 2062 case KMF_CERT_SUBJECT:
2072 2063 (void) X509_NAME_print_ex(mem, X509_get_subject_name(xcert), 0,
2073 2064 XN_FLAG_SEP_CPLUS_SPC);
2074 2065 len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2075 2066 break;
2076 2067
2077 2068 case KMF_CERT_VERSION:
2078 - tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version);
2079 - (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN);
2080 - OPENSSL_free(tmpstr);
2069 + (void) snprintf(resultStr, KMF_CERT_PRINTABLE_LEN,
2070 + "%ld", X509_get_version(xcert));
2081 2071 len = strlen(resultStr);
2082 2072 break;
2083 2073
2084 2074 case KMF_CERT_SERIALNUM:
2085 2075 if (i2a_ASN1_INTEGER(mem, X509_get_serialNumber(xcert)) > 0) {
2086 2076 (void) strcpy(resultStr, "0x");
2087 2077 len = BIO_gets(mem, &resultStr[2],
2088 2078 KMF_CERT_PRINTABLE_LEN - 2);
2089 2079 }
2090 2080 break;
2091 2081
2092 2082 case KMF_CERT_NOTBEFORE:
2093 - (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert));
2083 + (void) ASN1_TIME_print(mem, X509_getm_notBefore(xcert));
2094 2084 len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2095 2085 break;
2096 2086
2097 2087 case KMF_CERT_NOTAFTER:
2098 - (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert));
2088 + (void) ASN1_TIME_print(mem, X509_getm_notAfter(xcert));
2099 2089 len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2100 2090 break;
2101 2091
2102 2092 case KMF_CERT_PUBKEY_DATA:
2103 2093 {
2094 + RSA *rsa;
2095 + DSA *dsa;
2096 +
2104 2097 EVP_PKEY *pkey = X509_get_pubkey(xcert);
2105 2098 if (pkey == NULL) {
2106 2099 SET_ERROR(kmfh, ERR_get_error());
2107 2100 ret = KMF_ERR_ENCODING;
2108 2101 goto out;
2109 2102 }
2110 2103
2111 - if (pkey->type == EVP_PKEY_RSA) {
2104 + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
2112 2105 (void) BIO_printf(mem,
2113 2106 "RSA Public Key: (%d bit)\n",
2114 - BN_num_bits(pkey->pkey.rsa->n));
2115 - (void) RSA_print(mem, pkey->pkey.rsa, 0);
2116 - } else if (pkey->type == EVP_PKEY_DSA) {
2107 + RSA_bits(rsa));
2108 + (void) RSA_print(mem, rsa, 0);
2109 +
2110 + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) {
2117 2111 (void) BIO_printf(mem,
2118 2112 "%12sDSA Public Key:\n", "");
2119 - (void) DSA_print(mem, pkey->pkey.dsa, 0);
2113 + (void) DSA_print(mem, dsa, 0);
2120 2114 } else {
2121 2115 (void) BIO_printf(mem,
2122 2116 "%12sUnknown Public Key:\n", "");
2123 2117 }
2124 2118 (void) BIO_printf(mem, "\n");
2125 2119 EVP_PKEY_free(pkey);
2126 2120 }
2127 2121 len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2128 2122 break;
2129 2123 case KMF_CERT_SIGNATURE_ALG:
2130 2124 case KMF_CERT_PUBKEY_ALG:
2131 - if (flag == KMF_CERT_SIGNATURE_ALG) {
2132 - len = i2a_ASN1_OBJECT(mem,
2133 - xcert->sig_alg->algorithm);
2134 - } else {
2135 - len = i2a_ASN1_OBJECT(mem,
2136 - xcert->cert_info->key->algor->algorithm);
2137 - }
2125 + {
2126 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2127 + ASN1_OBJECT *alg = NULL;
2128 +#else
2129 + const ASN1_OBJECT *alg = NULL;
2130 +#endif
2138 2131
2139 - if (len > 0) {
2140 - len = BIO_read(mem, resultStr,
2141 - KMF_CERT_PRINTABLE_LEN);
2132 + if (flag == KMF_CERT_SIGNATURE_ALG) {
2133 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2134 + alg = xcert->sig_alg->algorithm;
2135 +#else
2136 + const X509_ALGOR *sig_alg = NULL;
2137 +
2138 + X509_get0_signature(NULL, &sig_alg, xcert);
2139 + if (sig_alg != NULL)
2140 + X509_ALGOR_get0(&alg, NULL, NULL,
2141 + sig_alg);
2142 +#endif
2143 + } else {
2144 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2145 + alg = xcert->cert_info->key->algor->algorithm;
2146 +#else
2147 + X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert);
2148 +
2149 + if (key != NULL)
2150 + (void) X509_PUBKEY_get0_param(
2151 + (ASN1_OBJECT **)&alg, NULL, 0,
2152 + NULL, key);
2153 +#endif
2154 + }
2155 +
2156 + if (alg == NULL)
2157 + len = -1;
2158 + else if ((len = i2a_ASN1_OBJECT(mem, alg)) > 0)
2159 + len = BIO_read(mem, resultStr,
2160 + KMF_CERT_PRINTABLE_LEN);
2142 2161 }
2143 2162 break;
2144 2163
2145 2164 case KMF_CERT_EMAIL:
2146 2165 emlst = X509_get1_email(xcert);
2147 -#if OPENSSL_VERSION_NUMBER < 0x10000000L
2148 - for (j = 0; j < sk_num(emlst); j++)
2149 - (void) BIO_printf(mem, "%s\n", sk_value(emlst, j));
2150 -#else
2151 2166 for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
2152 2167 (void) BIO_printf(mem, "%s\n",
2153 2168 sk_OPENSSL_STRING_value(emlst, j));
2154 -#endif
2155 2169
2156 2170 len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2157 2171 X509_email_free(emlst);
2158 2172 break;
2159 2173 case KMF_X509_EXT_ISSUER_ALTNAME:
2160 2174 case KMF_X509_EXT_SUBJ_ALTNAME:
2161 2175 case KMF_X509_EXT_KEY_USAGE:
2162 2176 case KMF_X509_EXT_PRIV_KEY_USAGE_PERIOD:
2163 2177 case KMF_X509_EXT_CERT_POLICIES:
2164 2178 case KMF_X509_EXT_BASIC_CONSTRAINTS:
2165 2179 case KMF_X509_EXT_NAME_CONSTRAINTS:
2166 2180 case KMF_X509_EXT_POLICY_CONSTRAINTS:
2167 2181 case KMF_X509_EXT_EXT_KEY_USAGE:
2168 2182 case KMF_X509_EXT_INHIBIT_ANY_POLICY:
|
↓ open down ↓ |
4 lines elided |
↑ open up ↑ |
2169 2183 case KMF_X509_EXT_AUTH_KEY_ID:
2170 2184 case KMF_X509_EXT_SUBJ_KEY_ID:
2171 2185 case KMF_X509_EXT_POLICY_MAPPINGS:
2172 2186 case KMF_X509_EXT_CRL_DIST_POINTS:
2173 2187 case KMF_X509_EXT_FRESHEST_CRL:
2174 2188 nid = ext2NID(flag);
2175 2189 if (nid == NID_undef) {
2176 2190 ret = KMF_ERR_EXTENSION_NOT_FOUND;
2177 2191 goto out;
2178 2192 }
2179 - ci = xcert->cert_info;
2180 2193
2181 - ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1);
2194 + ext_index = X509_get_ext_by_NID(xcert, nid, -1);
2182 2195 if (ext_index == -1) {
2183 2196 SET_ERROR(kmfh, ERR_get_error());
2184 2197
2185 2198 ret = KMF_ERR_EXTENSION_NOT_FOUND;
2186 2199 goto out;
2187 2200 }
2188 - ex = X509v3_get_ext(ci->extensions, ext_index);
2201 + ex = X509_get_ext(xcert, ext_index);
2189 2202
2190 2203 (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex));
2191 2204
2192 2205 if (BIO_printf(mem, ": %s\n",
2193 2206 X509_EXTENSION_get_critical(ex) ? "critical" : "") <= 0) {
2194 2207 SET_ERROR(kmfh, ERR_get_error());
2195 2208 ret = KMF_ERR_ENCODING;
2196 2209 goto out;
2197 2210 }
2198 2211 if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) {
2199 2212 (void) BIO_printf(mem, "%*s", 4, "");
2200 - (void) M_ASN1_OCTET_STRING_print(mem, ex->value);
2213 + (void) ASN1_STRING_print(mem,
2214 + X509_EXTENSION_get_data(ex));
2201 2215 }
2202 2216 if (BIO_write(mem, "\n", 1) <= 0) {
2203 2217 SET_ERROR(kmfh, ERR_get_error());
2204 2218 ret = KMF_ERR_ENCODING;
2205 2219 goto out;
2206 2220 }
2207 2221 len = BIO_read(mem, resultStr, KMF_CERT_PRINTABLE_LEN);
2208 2222 }
2209 2223 if (len <= 0) {
2210 2224 SET_ERROR(kmfh, ERR_get_error());
2211 2225 ret = KMF_ERR_ENCODING;
2212 2226 }
2213 2227
2214 2228 out:
2215 2229 if (outbuf != NULL) {
2216 2230 free(outbuf);
2217 2231 }
2218 2232
2219 2233 if (xcert != NULL) {
2220 2234 X509_free(xcert);
2221 2235 }
2222 2236
2223 2237 if (mem != NULL) {
2224 2238 (void) BIO_free(mem);
2225 2239 }
2226 2240
2227 2241 return (ret);
2228 2242 }
2229 2243
2230 2244 KMF_RETURN
2231 2245 /*ARGSUSED*/
2232 2246 OpenSSL_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr,
2233 2247 KMF_ATTRIBUTE *attrlist)
2234 2248 {
2235 2249 KMF_RETURN rv = KMF_OK;
2236 2250 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
2237 2251 KMF_KEY_CLASS keyclass = KMF_ASYM_PRI;
2238 2252 KMF_KEY_HANDLE *key = NULL;
2239 2253 uint32_t numkeys = 1; /* 1 key only */
2240 2254 char *dirpath = NULL;
2241 2255 char *keyfile = NULL;
2242 2256 KMF_ATTRIBUTE new_attrlist[16];
2243 2257 int i = 0;
2244 2258
2245 2259 /*
2246 2260 * This is really just a FindKey operation, reuse the
2247 2261 * FindKey function.
2248 2262 */
2249 2263 kmf_set_attr_at_index(new_attrlist, i,
2250 2264 KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
2251 2265 i++;
2252 2266
2253 2267 kmf_set_attr_at_index(new_attrlist, i,
2254 2268 KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t));
2255 2269 i++;
2256 2270
2257 2271 kmf_set_attr_at_index(new_attrlist, i,
2258 2272 KMF_KEYCLASS_ATTR, &keyclass, sizeof (keyclass));
2259 2273 i++;
2260 2274
2261 2275 key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2262 2276 if (key == NULL) {
2263 2277 return (KMF_ERR_BAD_PARAMETER);
2264 2278 } else {
2265 2279 kmf_set_attr_at_index(new_attrlist, i,
2266 2280 KMF_KEY_HANDLE_ATTR, key, sizeof (KMF_KEY_HANDLE));
2267 2281 i++;
2268 2282 }
2269 2283
2270 2284 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2271 2285 if (dirpath != NULL) {
2272 2286 kmf_set_attr_at_index(new_attrlist, i,
2273 2287 KMF_DIRPATH_ATTR, dirpath, strlen(dirpath));
2274 2288 i++;
2275 2289 }
2276 2290
2277 2291 keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2278 2292 if (keyfile == NULL)
2279 2293 return (KMF_ERR_BAD_PARAMETER);
2280 2294 else {
2281 2295 kmf_set_attr_at_index(new_attrlist, i,
2282 2296 KMF_KEY_FILENAME_ATTR, keyfile, strlen(keyfile));
2283 2297 i++;
2284 2298 }
2285 2299
2286 2300 rv = OpenSSL_FindKey(handle, i, new_attrlist);
2287 2301 return (rv);
2288 2302 }
2289 2303
2290 2304 KMF_RETURN
2291 2305 /*ARGSUSED*/
2292 2306 OpenSSL_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
2293 2307 KMF_OID *AlgOID, KMF_DATA *ciphertext,
2294 2308 KMF_DATA *output)
2295 2309 {
2296 2310 KMF_RETURN ret = KMF_OK;
2297 2311 RSA *rsa = NULL;
2298 2312 unsigned int in_len = 0, out_len = 0;
2299 2313 unsigned int total_decrypted = 0, modulus_len = 0;
2300 2314 uint8_t *in_data, *out_data;
2301 2315 int i, blocks;
2302 2316
2303 2317 if (key == NULL || AlgOID == NULL ||
2304 2318 ciphertext == NULL || output == NULL ||
2305 2319 ciphertext->Data == NULL ||
2306 2320 output->Data == NULL)
2307 2321 return (KMF_ERR_BAD_PARAMETER);
2308 2322
2309 2323 if (key->keyalg == KMF_RSA) {
2310 2324 rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)key->keyp);
2311 2325 modulus_len = RSA_size(rsa);
2312 2326 } else {
2313 2327 return (KMF_ERR_BAD_PARAMETER);
2314 2328 }
2315 2329
2316 2330 blocks = ciphertext->Length/modulus_len;
2317 2331 out_data = output->Data;
2318 2332 in_data = ciphertext->Data;
2319 2333 out_len = modulus_len - 11;
2320 2334 in_len = modulus_len;
2321 2335
2322 2336 for (i = 0; i < blocks; i++) {
2323 2337 out_len = RSA_private_decrypt(in_len,
2324 2338 in_data, out_data, rsa, RSA_PKCS1_PADDING);
2325 2339
2326 2340 if (out_len == 0) {
2327 2341 ret = KMF_ERR_INTERNAL;
2328 2342 goto cleanup;
2329 2343 }
2330 2344
2331 2345 out_data += out_len;
2332 2346 total_decrypted += out_len;
2333 2347 in_data += in_len;
2334 2348 }
2335 2349
2336 2350 output->Length = total_decrypted;
2337 2351
2338 2352 cleanup:
2339 2353 RSA_free(rsa);
2340 2354 if (ret != KMF_OK)
2341 2355 output->Length = 0;
2342 2356
2343 2357 return (ret);
2344 2358
2345 2359 }
2346 2360
2347 2361 /*
2348 2362 * This function will create a certid from issuer_cert and user_cert.
2349 2363 * The caller should use OCSP_CERTID_free(OCSP_CERTID *) to deallocate
2350 2364 * certid memory after use.
2351 2365 */
2352 2366 static KMF_RETURN
2353 2367 create_certid(KMF_HANDLE_T handle, const KMF_DATA *issuer_cert,
2354 2368 const KMF_DATA *user_cert, OCSP_CERTID **certid)
2355 2369 {
2356 2370 KMF_RETURN ret = KMF_OK;
2357 2371 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2358 2372 X509 *issuer = NULL;
2359 2373 X509 *cert = NULL;
2360 2374 unsigned char *ptmp;
2361 2375
2362 2376 if (issuer_cert == NULL || user_cert == NULL) {
2363 2377 return (KMF_ERR_BAD_PARAMETER);
2364 2378 }
2365 2379
2366 2380 /* convert the DER-encoded issuer cert to an internal X509 */
2367 2381 ptmp = issuer_cert->Data;
2368 2382 issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2369 2383 issuer_cert->Length);
2370 2384 if (issuer == NULL) {
2371 2385 SET_ERROR(kmfh, ERR_get_error());
2372 2386 ret = KMF_ERR_OCSP_BAD_ISSUER;
2373 2387 goto end;
2374 2388 }
2375 2389
2376 2390 /* convert the DER-encoded user cert to an internal X509 */
2377 2391 ptmp = user_cert->Data;
2378 2392 cert = d2i_X509(NULL, (const uchar_t **)&ptmp,
2379 2393 user_cert->Length);
2380 2394 if (cert == NULL) {
2381 2395 SET_ERROR(kmfh, ERR_get_error());
2382 2396
2383 2397 ret = KMF_ERR_OCSP_BAD_CERT;
2384 2398 goto end;
2385 2399 }
2386 2400
2387 2401 /* create a CERTID */
2388 2402 *certid = OCSP_cert_to_id(NULL, cert, issuer);
2389 2403 if (*certid == NULL) {
2390 2404 SET_ERROR(kmfh, ERR_get_error());
2391 2405 ret = KMF_ERR_OCSP_CERTID;
2392 2406 goto end;
2393 2407 }
2394 2408
2395 2409 end:
2396 2410 if (issuer != NULL) {
2397 2411 X509_free(issuer);
2398 2412 }
2399 2413
2400 2414 if (cert != NULL) {
2401 2415 X509_free(cert);
2402 2416 }
2403 2417
2404 2418 return (ret);
2405 2419 }
2406 2420
2407 2421 KMF_RETURN
2408 2422 OpenSSL_CreateOCSPRequest(KMF_HANDLE_T handle,
2409 2423 int numattr, KMF_ATTRIBUTE *attrlist)
2410 2424 {
2411 2425 KMF_RETURN ret = KMF_OK;
2412 2426 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2413 2427 OCSP_CERTID *id = NULL;
2414 2428 OCSP_REQUEST *req = NULL;
2415 2429 BIO *derbio = NULL;
2416 2430 char *reqfile;
2417 2431 KMF_DATA *issuer_cert;
2418 2432 KMF_DATA *user_cert;
2419 2433
2420 2434 user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
2421 2435 attrlist, numattr);
2422 2436 if (user_cert == NULL)
2423 2437 return (KMF_ERR_BAD_PARAMETER);
2424 2438
2425 2439 issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
2426 2440 attrlist, numattr);
2427 2441 if (issuer_cert == NULL)
2428 2442 return (KMF_ERR_BAD_PARAMETER);
2429 2443
2430 2444 reqfile = kmf_get_attr_ptr(KMF_OCSP_REQUEST_FILENAME_ATTR,
2431 2445 attrlist, numattr);
2432 2446 if (reqfile == NULL)
2433 2447 return (KMF_ERR_BAD_PARAMETER);
2434 2448
2435 2449 ret = create_certid(handle, issuer_cert, user_cert, &id);
2436 2450 if (ret != KMF_OK) {
2437 2451 return (ret);
2438 2452 }
2439 2453
2440 2454 /* Create an OCSP request */
2441 2455 req = OCSP_REQUEST_new();
2442 2456 if (req == NULL) {
2443 2457 SET_ERROR(kmfh, ERR_get_error());
2444 2458 ret = KMF_ERR_OCSP_CREATE_REQUEST;
2445 2459 goto end;
2446 2460 }
2447 2461
2448 2462 if (!OCSP_request_add0_id(req, id)) {
2449 2463 ret = KMF_ERR_OCSP_CREATE_REQUEST;
2450 2464 goto end;
2451 2465 }
2452 2466
2453 2467 /* Write the request to the output file with DER encoding */
2454 2468 derbio = BIO_new_file(reqfile, "wb");
2455 2469 if (!derbio) {
2456 2470 SET_ERROR(kmfh, ERR_get_error());
2457 2471 ret = KMF_ERR_OPEN_FILE;
2458 2472 goto end;
2459 2473 }
2460 2474 if (i2d_OCSP_REQUEST_bio(derbio, req) <= 0) {
2461 2475 ret = KMF_ERR_ENCODING;
2462 2476 }
2463 2477
2464 2478 end:
2465 2479 /*
2466 2480 * We don't need to free "id" explicitely, because OCSP_REQUEST_free()
2467 2481 * will also deallocate certid's space.
2468 2482 */
2469 2483 if (req != NULL) {
2470 2484 OCSP_REQUEST_free(req);
|
↓ open down ↓ |
260 lines elided |
↑ open up ↑ |
2471 2485 }
2472 2486
2473 2487 if (derbio != NULL) {
2474 2488 (void) BIO_free(derbio);
2475 2489 }
2476 2490
2477 2491 return (ret);
2478 2492 }
2479 2493
2480 2494 /* ocsp_find_signer_sk() is copied from openssl source */
2481 -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2495 +static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs)
2482 2496 {
2483 2497 int i;
2484 2498 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2499 + const ASN1_OCTET_STRING *pid;
2485 2500
2486 - /* Easy if lookup by name */
2501 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2502 + OCSP_RESPID *id = bs->tbsResponseData->responderId;
2503 +
2487 2504 if (id->type == V_OCSP_RESPID_NAME)
2488 2505 return (X509_find_by_subject(certs, id->value.byName));
2489 2506
2507 + pid = id->value.byKey;
2508 +#else
2509 + const X509_NAME *pname;
2510 +
2511 + if (OCSP_resp_get0_id(bs, &pid, &pname) == 0)
2512 + return (NULL);
2513 +
2514 + if (pname != NULL)
2515 + return (X509_find_by_subject(certs, (X509_NAME *)pname));
2516 +#endif
2517 +
2490 2518 /* Lookup by key hash */
2491 2519
2492 2520 /* If key hash isn't SHA1 length then forget it */
2493 - if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2521 + if (pid->length != SHA_DIGEST_LENGTH)
2494 2522 return (NULL);
2495 2523
2496 - keyhash = id->value.byKey->data;
2524 + keyhash = pid->data;
2497 2525 /* Calculate hash of each key and compare */
2498 2526 for (i = 0; i < sk_X509_num(certs); i++) {
2499 2527 /* LINTED E_BAD_PTR_CAST_ALIGN */
2500 2528 X509 *x = sk_X509_value(certs, i);
2501 2529 /* Use pubkey_digest to get the key ID value */
2502 2530 (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2503 2531 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2504 2532 return (x);
2505 2533 }
2506 2534 return (NULL);
2507 2535 }
2508 2536
2509 2537 /* ocsp_find_signer() is copied from openssl source */
2510 2538 /* ARGSUSED2 */
2511 2539 static int
2512 2540 ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2513 2541 X509_STORE *st, unsigned long flags)
2514 2542 {
2515 2543 X509 *signer;
2516 - OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2517 - if ((signer = ocsp_find_signer_sk(certs, rid))) {
2544 + if ((signer = ocsp_find_signer_sk(certs, bs))) {
2518 2545 *psigner = signer;
2519 2546 return (2);
2520 2547 }
2548 +
2521 2549 if (!(flags & OCSP_NOINTERN) &&
2522 - (signer = ocsp_find_signer_sk(bs->certs, rid))) {
2550 + (signer = ocsp_find_signer_sk(
2551 + (STACK_OF(X509) *)OCSP_resp_get0_certs(bs), bs))) {
2523 2552 *psigner = signer;
2524 2553 return (1);
2525 2554 }
2526 2555 /* Maybe lookup from store if by subject name */
2527 2556
2528 2557 *psigner = NULL;
2529 2558 return (0);
2530 2559 }
2531 2560
2532 2561 /*
2533 2562 * This function will verify the signature of a basic response, using
2534 2563 * the public key from the OCSP responder certificate.
|
↓ open down ↓ |
2 lines elided |
↑ open up ↑ |
2535 2564 */
2536 2565 static KMF_RETURN
2537 2566 check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
2538 2567 KMF_DATA *signer_cert, KMF_DATA *issuer_cert)
2539 2568 {
2540 2569 KMF_RETURN ret = KMF_OK;
2541 2570 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
2542 2571 STACK_OF(X509) *cert_stack = NULL;
2543 2572 X509 *signer = NULL;
2544 2573 X509 *issuer = NULL;
2574 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2545 2575 EVP_PKEY *skey = NULL;
2576 +#else
2577 + STACK_OF(X509) *cert_stack2 = NULL;
2578 +#endif
2546 2579 unsigned char *ptmp;
2547 2580
2548 -
2549 2581 if (bs == NULL || issuer_cert == NULL)
2550 2582 return (KMF_ERR_BAD_PARAMETER);
2551 2583
2552 2584 /*
2553 2585 * Find the certificate that signed the basic response.
2554 2586 *
2555 2587 * If signer_cert is not NULL, we will use that as the signer cert.
2556 2588 * Otherwise, we will check if the issuer cert is actually the signer.
2557 2589 * If we still do not find a signer, we will look for it from the
2558 2590 * certificate list came with the response file.
2559 2591 */
2560 2592 if (signer_cert != NULL) {
2561 2593 ptmp = signer_cert->Data;
2562 2594 signer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2563 2595 signer_cert->Length);
2564 2596 if (signer == NULL) {
2565 2597 SET_ERROR(kmfh, ERR_get_error());
2566 2598 ret = KMF_ERR_OCSP_BAD_SIGNER;
2567 2599 goto end;
2568 2600 }
2569 2601 } else {
2570 2602 /*
2571 2603 * Convert the issuer cert into X509 and push it into a
2572 2604 * stack to be used by ocsp_find_signer().
2573 2605 */
2574 2606 ptmp = issuer_cert->Data;
2575 2607 issuer = d2i_X509(NULL, (const uchar_t **)&ptmp,
2576 2608 issuer_cert->Length);
2577 2609 if (issuer == NULL) {
2578 2610 SET_ERROR(kmfh, ERR_get_error());
2579 2611 ret = KMF_ERR_OCSP_BAD_ISSUER;
2580 2612 goto end;
2581 2613 }
2582 2614
2583 2615 if ((cert_stack = sk_X509_new_null()) == NULL) {
2584 2616 ret = KMF_ERR_INTERNAL;
2585 2617 goto end;
2586 2618 }
2587 2619
2588 2620 if (sk_X509_push(cert_stack, issuer) == NULL) {
2589 2621 ret = KMF_ERR_INTERNAL;
2590 2622 goto end;
2591 2623 }
|
↓ open down ↓ |
33 lines elided |
↑ open up ↑ |
2592 2624
2593 2625 ret = ocsp_find_signer(&signer, bs, cert_stack, NULL, 0);
2594 2626 if (!ret) {
2595 2627 /* can not find the signer */
2596 2628 ret = KMF_ERR_OCSP_BAD_SIGNER;
2597 2629 goto end;
2598 2630 }
2599 2631 }
2600 2632
2601 2633 /* Verify the signature of the response */
2634 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2602 2635 skey = X509_get_pubkey(signer);
2603 2636 if (skey == NULL) {
2604 2637 ret = KMF_ERR_OCSP_BAD_SIGNER;
2605 2638 goto end;
2606 2639 }
2607 2640
2608 2641 ret = OCSP_BASICRESP_verify(bs, skey, 0);
2642 +#else
2643 + /*
2644 + * Technique based on
2645 + * https://mta.openssl.org/pipermail/openssl-users/
2646 + * 2017-October/006814.html
2647 + */
2648 + if ((cert_stack2 = sk_X509_new_null()) == NULL) {
2649 + ret = KMF_ERR_INTERNAL;
2650 + goto end;
2651 + }
2652 +
2653 + if (sk_X509_push(cert_stack2, signer) == NULL) {
2654 + ret = KMF_ERR_INTERNAL;
2655 + goto end;
2656 + }
2657 +
2658 + ret = OCSP_basic_verify(bs, cert_stack2, NULL, OCSP_NOVERIFY);
2659 +#endif
2660 +
2609 2661 if (ret == 0) {
2610 2662 ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE;
2611 2663 goto end;
2612 2664 }
2613 2665
2614 2666 end:
2615 2667 if (issuer != NULL) {
2616 2668 X509_free(issuer);
2617 2669 }
2618 2670
2619 2671 if (signer != NULL) {
2620 2672 X509_free(signer);
2621 2673 }
2622 2674
2675 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
2623 2676 if (skey != NULL) {
2624 2677 EVP_PKEY_free(skey);
2625 2678 }
2679 +#else
2680 + if (cert_stack2 != NULL) {
2681 + sk_X509_free(cert_stack2);
2682 + }
2683 +#endif
2626 2684
2627 2685 if (cert_stack != NULL) {
2628 2686 sk_X509_free(cert_stack);
2629 2687 }
2630 2688
2631 2689 return (ret);
2632 2690 }
2633 2691
2634 -
2635 -
2636 2692 KMF_RETURN
2637 2693 OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle,
2638 2694 int numattr, KMF_ATTRIBUTE *attrlist)
2639 2695 {
2640 2696 KMF_RETURN ret = KMF_OK;
2641 2697 BIO *derbio = NULL;
2642 2698 OCSP_RESPONSE *resp = NULL;
2643 2699 OCSP_BASICRESP *bs = NULL;
2644 2700 OCSP_CERTID *id = NULL;
2645 2701 OCSP_SINGLERESP *single = NULL;
2646 2702 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
2647 2703 int index, status, reason;
2648 2704 KMF_DATA *issuer_cert;
2649 2705 KMF_DATA *user_cert;
2650 2706 KMF_DATA *signer_cert;
2651 2707 KMF_DATA *response;
2652 2708 int *response_reason, *response_status, *cert_status;
2653 2709 boolean_t ignore_response_sign = B_FALSE; /* default is FALSE */
2654 2710 uint32_t response_lifetime;
2655 2711
2656 2712 issuer_cert = kmf_get_attr_ptr(KMF_ISSUER_CERT_DATA_ATTR,
2657 2713 attrlist, numattr);
2658 2714 if (issuer_cert == NULL)
2659 2715 return (KMF_ERR_BAD_PARAMETER);
2660 2716
2661 2717 user_cert = kmf_get_attr_ptr(KMF_USER_CERT_DATA_ATTR,
2662 2718 attrlist, numattr);
2663 2719 if (user_cert == NULL)
2664 2720 return (KMF_ERR_BAD_PARAMETER);
2665 2721
2666 2722 response = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_DATA_ATTR,
2667 2723 attrlist, numattr);
2668 2724 if (response == NULL)
2669 2725 return (KMF_ERR_BAD_PARAMETER);
2670 2726
2671 2727 response_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_STATUS_ATTR,
2672 2728 attrlist, numattr);
2673 2729 if (response_status == NULL)
2674 2730 return (KMF_ERR_BAD_PARAMETER);
2675 2731
2676 2732 response_reason = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_REASON_ATTR,
2677 2733 attrlist, numattr);
2678 2734 if (response_reason == NULL)
2679 2735 return (KMF_ERR_BAD_PARAMETER);
2680 2736
2681 2737 cert_status = kmf_get_attr_ptr(KMF_OCSP_RESPONSE_CERT_STATUS_ATTR,
2682 2738 attrlist, numattr);
2683 2739 if (cert_status == NULL)
2684 2740 return (KMF_ERR_BAD_PARAMETER);
2685 2741
2686 2742 /* Read in the response */
2687 2743 derbio = BIO_new_mem_buf(response->Data, response->Length);
2688 2744 if (!derbio) {
2689 2745 ret = KMF_ERR_MEMORY;
2690 2746 return (ret);
2691 2747 }
2692 2748
2693 2749 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
2694 2750 if (resp == NULL) {
2695 2751 ret = KMF_ERR_OCSP_MALFORMED_RESPONSE;
2696 2752 goto end;
2697 2753 }
2698 2754
2699 2755 /* Check the response status */
2700 2756 status = OCSP_response_status(resp);
2701 2757 *response_status = status;
2702 2758 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2703 2759 ret = KMF_ERR_OCSP_RESPONSE_STATUS;
2704 2760 goto end;
2705 2761 }
2706 2762
2707 2763 #ifdef DEBUG
2708 2764 printf("Successfully checked the response file status.\n");
2709 2765 #endif /* DEBUG */
2710 2766
2711 2767 /* Extract basic response */
2712 2768 bs = OCSP_response_get1_basic(resp);
2713 2769 if (bs == NULL) {
2714 2770 ret = KMF_ERR_OCSP_NO_BASIC_RESPONSE;
2715 2771 goto end;
2716 2772 }
2717 2773
2718 2774 #ifdef DEBUG
2719 2775 printf("Successfully retrieved the basic response.\n");
2720 2776 #endif /* DEBUG */
2721 2777
2722 2778 /* Check the basic response signature if required */
2723 2779 ret = kmf_get_attr(KMF_IGNORE_RESPONSE_SIGN_ATTR, attrlist, numattr,
2724 2780 (void *)&ignore_response_sign, NULL);
2725 2781 if (ret != KMF_OK)
2726 2782 ret = KMF_OK;
2727 2783
2728 2784 signer_cert = kmf_get_attr_ptr(KMF_SIGNER_CERT_DATA_ATTR,
2729 2785 attrlist, numattr);
2730 2786
2731 2787 if (ignore_response_sign == B_FALSE) {
2732 2788 ret = check_response_signature(handle, bs,
2733 2789 signer_cert, issuer_cert);
2734 2790 if (ret != KMF_OK)
2735 2791 goto end;
2736 2792 }
2737 2793
2738 2794 #ifdef DEBUG
2739 2795 printf("Successfully verified the response signature.\n");
2740 2796 #endif /* DEBUG */
2741 2797
2742 2798 /* Create a certid for the certificate in question */
2743 2799 ret = create_certid(handle, issuer_cert, user_cert, &id);
2744 2800 if (ret != KMF_OK) {
2745 2801 ret = KMF_ERR_OCSP_CERTID;
2746 2802 goto end;
2747 2803 }
2748 2804
2749 2805 #ifdef DEBUG
2750 2806 printf("successfully created a certid for the cert.\n");
2751 2807 #endif /* DEBUG */
2752 2808
2753 2809 /* Find the index of the single response for the certid */
2754 2810 index = OCSP_resp_find(bs, id, -1);
2755 2811 if (index < 0) {
2756 2812 /* cound not find this certificate in the response */
2757 2813 ret = KMF_ERR_OCSP_UNKNOWN_CERT;
2758 2814 goto end;
2759 2815 }
2760 2816
2761 2817 #ifdef DEBUG
2762 2818 printf("Successfully found the single response index for the cert.\n");
2763 2819 #endif /* DEBUG */
2764 2820
2765 2821 /* Retrieve the single response and get the cert status */
2766 2822 single = OCSP_resp_get0(bs, index);
2767 2823 status = OCSP_single_get0_status(single, &reason, &rev, &thisupd,
2768 2824 &nextupd);
2769 2825 if (status == V_OCSP_CERTSTATUS_GOOD) {
2770 2826 *cert_status = OCSP_GOOD;
2771 2827 } else if (status == V_OCSP_CERTSTATUS_UNKNOWN) {
2772 2828 *cert_status = OCSP_UNKNOWN;
2773 2829 } else { /* revoked */
2774 2830 *cert_status = OCSP_REVOKED;
2775 2831 *response_reason = reason;
2776 2832 }
2777 2833 ret = KMF_OK;
2778 2834
2779 2835 /* resp. time is optional, so we don't care about the return code. */
2780 2836 (void) kmf_get_attr(KMF_RESPONSE_LIFETIME_ATTR, attrlist, numattr,
2781 2837 (void *)&response_lifetime, NULL);
2782 2838
2783 2839 if (!OCSP_check_validity(thisupd, nextupd, 300,
2784 2840 response_lifetime)) {
2785 2841 ret = KMF_ERR_OCSP_STATUS_TIME_INVALID;
2786 2842 goto end;
2787 2843 }
2788 2844
2789 2845 #ifdef DEBUG
2790 2846 printf("Successfully verify the time.\n");
2791 2847 #endif /* DEBUG */
2792 2848
2793 2849 end:
2794 2850 if (derbio != NULL)
2795 2851 (void) BIO_free(derbio);
2796 2852
2797 2853 if (resp != NULL)
2798 2854 OCSP_RESPONSE_free(resp);
2799 2855
2800 2856 if (bs != NULL)
2801 2857 OCSP_BASICRESP_free(bs);
2802 2858
2803 2859 if (id != NULL)
2804 2860 OCSP_CERTID_free(id);
2805 2861
2806 2862 return (ret);
2807 2863 }
2808 2864
2809 2865 static KMF_RETURN
2810 2866 fetch_key(KMF_HANDLE_T handle, char *path,
2811 2867 KMF_KEY_CLASS keyclass, KMF_KEY_HANDLE *key)
2812 2868 {
2813 2869 KMF_RETURN rv = KMF_OK;
|
↓ open down ↓ |
168 lines elided |
↑ open up ↑ |
2814 2870 EVP_PKEY *pkey = NULL;
2815 2871 KMF_RAW_SYM_KEY *rkey = NULL;
2816 2872
2817 2873 if (keyclass == KMF_ASYM_PRI ||
2818 2874 keyclass == KMF_ASYM_PUB) {
2819 2875 pkey = openssl_load_key(handle, path);
2820 2876 if (pkey == NULL) {
2821 2877 return (KMF_ERR_KEY_NOT_FOUND);
2822 2878 }
2823 2879 if (key != NULL) {
2824 - if (pkey->type == EVP_PKEY_RSA)
2880 + if (EVP_PKEY_get0_RSA(pkey) != NULL)
2825 2881 key->keyalg = KMF_RSA;
2826 - else if (pkey->type == EVP_PKEY_DSA)
2882 + else if (EVP_PKEY_get0_DSA(pkey) != NULL)
2827 2883 key->keyalg = KMF_DSA;
2828 2884
2829 2885 key->kstype = KMF_KEYSTORE_OPENSSL;
2830 2886 key->keyclass = keyclass;
2831 2887 key->keyp = (void *)pkey;
2832 2888 key->israw = FALSE;
2833 2889 if (path != NULL &&
2834 2890 ((key->keylabel = strdup(path)) == NULL)) {
2835 2891 EVP_PKEY_free(pkey);
2836 2892 return (KMF_ERR_MEMORY);
2837 2893 }
2838 2894 } else {
2839 2895 EVP_PKEY_free(pkey);
2840 2896 pkey = NULL;
2841 2897 }
2842 2898 } else if (keyclass == KMF_SYMMETRIC) {
2843 2899 KMF_ENCODE_FORMAT fmt;
2844 2900 /*
2845 2901 * If the file is a recognized format,
2846 2902 * then it is NOT a symmetric key.
2847 2903 */
2848 2904 rv = kmf_get_file_format(path, &fmt);
2849 2905 if (rv == KMF_OK || fmt != 0) {
2850 2906 return (KMF_ERR_KEY_NOT_FOUND);
2851 2907 } else if (rv == KMF_ERR_ENCODING) {
2852 2908 /*
2853 2909 * If we don't know the encoding,
2854 2910 * it is probably a symmetric key.
2855 2911 */
2856 2912 rv = KMF_OK;
2857 2913 } else if (rv == KMF_ERR_OPEN_FILE) {
2858 2914 return (KMF_ERR_KEY_NOT_FOUND);
2859 2915 }
2860 2916
2861 2917 if (key != NULL) {
2862 2918 KMF_DATA keyvalue;
2863 2919 rkey = malloc(sizeof (KMF_RAW_SYM_KEY));
2864 2920 if (rkey == NULL) {
2865 2921 rv = KMF_ERR_MEMORY;
2866 2922 goto out;
2867 2923 }
2868 2924
2869 2925 (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY));
2870 2926 rv = kmf_read_input_file(handle, path, &keyvalue);
2871 2927 if (rv != KMF_OK)
2872 2928 goto out;
2873 2929
2874 2930 rkey->keydata.len = keyvalue.Length;
2875 2931 rkey->keydata.val = keyvalue.Data;
2876 2932
2877 2933 key->kstype = KMF_KEYSTORE_OPENSSL;
2878 2934 key->keyclass = keyclass;
2879 2935 key->israw = TRUE;
2880 2936 key->keyp = (void *)rkey;
2881 2937 if (path != NULL &&
2882 2938 ((key->keylabel = strdup(path)) == NULL)) {
2883 2939 rv = KMF_ERR_MEMORY;
2884 2940 }
2885 2941 }
2886 2942 }
2887 2943 out:
2888 2944 if (rv != KMF_OK) {
2889 2945 if (rkey != NULL) {
2890 2946 kmf_free_raw_sym_key(rkey);
2891 2947 }
2892 2948 if (pkey != NULL)
2893 2949 EVP_PKEY_free(pkey);
2894 2950
2895 2951 if (key != NULL) {
2896 2952 key->keyalg = KMF_KEYALG_NONE;
2897 2953 key->keyclass = KMF_KEYCLASS_NONE;
2898 2954 key->keyp = NULL;
2899 2955 }
2900 2956 }
2901 2957
2902 2958 return (rv);
2903 2959 }
2904 2960
2905 2961 KMF_RETURN
2906 2962 OpenSSL_FindKey(KMF_HANDLE_T handle,
2907 2963 int numattr, KMF_ATTRIBUTE *attrlist)
2908 2964 {
2909 2965 KMF_RETURN rv = KMF_OK;
2910 2966 char *fullpath = NULL;
2911 2967 uint32_t maxkeys;
2912 2968 KMF_KEY_HANDLE *key;
2913 2969 uint32_t *numkeys;
2914 2970 KMF_KEY_CLASS keyclass;
2915 2971 KMF_RAW_KEY_DATA *rawkey;
2916 2972 char *dirpath;
2917 2973 char *keyfile;
2918 2974
2919 2975 if (handle == NULL)
2920 2976 return (KMF_ERR_BAD_PARAMETER);
2921 2977
2922 2978 numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
2923 2979 if (numkeys == NULL)
2924 2980 return (KMF_ERR_BAD_PARAMETER);
2925 2981
2926 2982 rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
2927 2983 (void *)&keyclass, NULL);
2928 2984 if (rv != KMF_OK)
2929 2985 return (KMF_ERR_BAD_PARAMETER);
2930 2986
2931 2987 if (keyclass != KMF_ASYM_PUB &&
2932 2988 keyclass != KMF_ASYM_PRI &&
2933 2989 keyclass != KMF_SYMMETRIC)
2934 2990 return (KMF_ERR_BAD_KEY_CLASS);
2935 2991
2936 2992 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
2937 2993 keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
2938 2994
2939 2995 fullpath = get_fullpath(dirpath, keyfile);
2940 2996
2941 2997 if (fullpath == NULL)
2942 2998 return (KMF_ERR_BAD_PARAMETER);
2943 2999
2944 3000 maxkeys = *numkeys;
2945 3001 if (maxkeys == 0)
2946 3002 maxkeys = 0xFFFFFFFF;
2947 3003 *numkeys = 0;
2948 3004
2949 3005 key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
2950 3006 /* it is okay to have "keys" contains NULL */
2951 3007
2952 3008 /*
2953 3009 * The caller may want a list of the raw key data as well.
2954 3010 * Useful for importing keys from a file into other keystores.
2955 3011 */
2956 3012 rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
2957 3013
2958 3014 if (isdir(fullpath)) {
2959 3015 DIR *dirp;
2960 3016 struct dirent *dp;
2961 3017 int n = 0;
2962 3018
2963 3019 /* open all files in the directory and attempt to read them */
2964 3020 if ((dirp = opendir(fullpath)) == NULL) {
2965 3021 return (KMF_ERR_BAD_PARAMETER);
2966 3022 }
2967 3023 rewinddir(dirp);
2968 3024 while ((dp = readdir(dirp)) != NULL && n < maxkeys) {
2969 3025 if (strcmp(dp->d_name, ".") &&
2970 3026 strcmp(dp->d_name, "..")) {
2971 3027 char *fname;
2972 3028
2973 3029 fname = get_fullpath(fullpath,
2974 3030 (char *)&dp->d_name);
2975 3031
2976 3032 rv = fetch_key(handle, fname,
2977 3033 keyclass, key ? &key[n] : NULL);
2978 3034
2979 3035 if (rv == KMF_OK) {
2980 3036 if (key != NULL && rawkey != NULL)
2981 3037 rv = convertToRawKey(
2982 3038 key[n].keyp, &rawkey[n]);
2983 3039 n++;
2984 3040 }
2985 3041
2986 3042 if (rv != KMF_OK || key == NULL)
2987 3043 free(fname);
2988 3044 }
2989 3045 }
2990 3046 (void) closedir(dirp);
2991 3047 free(fullpath);
2992 3048 (*numkeys) = n;
2993 3049 } else {
2994 3050 rv = fetch_key(handle, fullpath, keyclass, key);
2995 3051 if (rv == KMF_OK)
2996 3052 (*numkeys) = 1;
2997 3053
2998 3054 if (rv != KMF_OK || key == NULL)
2999 3055 free(fullpath);
3000 3056
3001 3057 if (rv == KMF_OK && key != NULL && rawkey != NULL) {
3002 3058 rv = convertToRawKey(key->keyp, rawkey);
3003 3059 }
3004 3060 }
3005 3061
3006 3062 if (rv == KMF_OK && (*numkeys) == 0)
3007 3063 rv = KMF_ERR_KEY_NOT_FOUND;
3008 3064 else if (rv == KMF_ERR_KEY_NOT_FOUND && (*numkeys) > 0)
3009 3065 rv = KMF_OK;
3010 3066
3011 3067 return (rv);
3012 3068 }
|
↓ open down ↓ |
176 lines elided |
↑ open up ↑ |
3013 3069
3014 3070 #define HANDLE_PK12_ERROR { \
3015 3071 SET_ERROR(kmfh, ERR_get_error()); \
3016 3072 rv = KMF_ERR_ENCODING; \
3017 3073 goto out; \
3018 3074 }
3019 3075
3020 3076 static int
3021 3077 add_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert)
3022 3078 {
3023 - if (xcert != NULL && xcert->aux != NULL &&
3024 - xcert->aux->alias != NULL) {
3079 + unsigned char *alias;
3080 + int len;
3081 +
3082 + if (xcert != NULL && (alias = X509_alias_get0(xcert, &len)) != NULL) {
3025 3083 if (PKCS12_add_friendlyname_asc(bag,
3026 - (const char *)xcert->aux->alias->data,
3027 - xcert->aux->alias->length) == 0)
3084 + (const char *)alias, len) == 0)
3028 3085 return (0);
3029 3086 }
3030 3087 return (1);
3031 3088 }
3032 3089
3033 3090 static PKCS7 *
3034 3091 add_cert_to_safe(X509 *sslcert, KMF_CREDENTIAL *cred,
3035 3092 uchar_t *keyid, unsigned int keyidlen)
3036 3093 {
3037 3094 PKCS12_SAFEBAG *bag = NULL;
3038 3095 PKCS7 *cert_authsafe = NULL;
3039 3096 STACK_OF(PKCS12_SAFEBAG) *bag_stack;
3040 3097
3041 3098 bag_stack = sk_PKCS12_SAFEBAG_new_null();
3042 3099 if (bag_stack == NULL)
3043 3100 return (NULL);
3044 3101
3045 3102 /* Convert cert from X509 struct to PKCS#12 bag */
3046 - bag = PKCS12_x5092certbag(sslcert);
3103 + bag = PKCS12_SAFEBAG_create_cert(sslcert);
3047 3104 if (bag == NULL) {
3048 3105 goto out;
3049 3106 }
3050 3107
3051 3108 /* Add the key id to the certificate bag. */
3052 3109 if (keyidlen > 0 && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) {
3053 3110 goto out;
3054 3111 }
3055 3112
3056 3113 if (!add_alias_to_bag(bag, sslcert))
3057 3114 goto out;
3058 3115
3059 3116 /* Pile it on the bag_stack. */
3060 3117 if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag)) {
3061 3118 goto out;
3062 3119 }
3063 3120 /* Turn bag_stack of certs into encrypted authsafe. */
3064 3121 cert_authsafe = PKCS12_pack_p7encdata(
3065 3122 NID_pbe_WithSHA1And40BitRC2_CBC,
3066 3123 cred->cred, cred->credlen, NULL, 0,
3067 3124 PKCS12_DEFAULT_ITER, bag_stack);
3068 3125
3069 3126 out:
3070 3127 if (bag_stack != NULL)
3071 3128 sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
3072 3129
3073 3130 return (cert_authsafe);
3074 3131 }
3075 3132
3076 3133 static PKCS7 *
3077 3134 add_key_to_safe(EVP_PKEY *pkey, KMF_CREDENTIAL *cred,
3078 3135 uchar_t *keyid, unsigned int keyidlen,
3079 3136 char *label, int label_len)
3080 3137 {
|
↓ open down ↓ |
24 lines elided |
↑ open up ↑ |
3081 3138 PKCS8_PRIV_KEY_INFO *p8 = NULL;
3082 3139 STACK_OF(PKCS12_SAFEBAG) *bag_stack = NULL;
3083 3140 PKCS12_SAFEBAG *bag = NULL;
3084 3141 PKCS7 *key_authsafe = NULL;
3085 3142
3086 3143 p8 = EVP_PKEY2PKCS8(pkey);
3087 3144 if (p8 == NULL) {
3088 3145 return (NULL);
3089 3146 }
3090 3147 /* Put the shrouded key into a PKCS#12 bag. */
3091 - bag = PKCS12_MAKE_SHKEYBAG(
3148 + bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(
3092 3149 NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
3093 3150 cred->cred, cred->credlen,
3094 3151 NULL, 0, PKCS12_DEFAULT_ITER, p8);
3095 3152
3096 3153 /* Clean up the PKCS#8 shrouded key, don't need it now. */
3097 3154 PKCS8_PRIV_KEY_INFO_free(p8);
3098 3155 p8 = NULL;
3099 3156
3100 3157 if (bag == NULL) {
3101 3158 return (NULL);
3102 3159 }
3103 3160 if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
3104 3161 goto out;
3105 3162 if (label != NULL && !PKCS12_add_friendlyname(bag, label, label_len))
3106 3163 goto out;
3107 3164
3108 3165 /* Start a PKCS#12 safebag container for the private key. */
3109 3166 bag_stack = sk_PKCS12_SAFEBAG_new_null();
3110 3167 if (bag_stack == NULL)
3111 3168 goto out;
3112 3169
3113 3170 /* Pile on the private key on the bag_stack. */
3114 3171 if (!sk_PKCS12_SAFEBAG_push(bag_stack, bag))
3115 3172 goto out;
3116 3173
3117 3174 key_authsafe = PKCS12_pack_p7data(bag_stack);
3118 3175
3119 3176 out:
|
↓ open down ↓ |
18 lines elided |
↑ open up ↑ |
3120 3177 if (bag_stack != NULL)
3121 3178 sk_PKCS12_SAFEBAG_pop_free(bag_stack, PKCS12_SAFEBAG_free);
3122 3179 bag_stack = NULL;
3123 3180 return (key_authsafe);
3124 3181 }
3125 3182
3126 3183 static EVP_PKEY *
3127 3184 ImportRawRSAKey(KMF_RAW_RSA_KEY *key)
3128 3185 {
3129 3186 RSA *rsa = NULL;
3130 - EVP_PKEY *newkey = NULL;
3187 + EVP_PKEY *newkey = NULL;
3188 + BIGNUM *n = NULL, *e = NULL, *d = NULL,
3189 + *p = NULL, *q = NULL,
3190 + *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
3131 3191
3132 3192 if ((rsa = RSA_new()) == NULL)
3133 - return (NULL);
3193 + goto cleanup;
3134 3194
3135 - if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL)
3136 - return (NULL);
3195 + if ((n = BN_bin2bn(key->mod.val, key->mod.len, NULL)) == NULL)
3196 + goto cleanup;
3137 3197
3138 - if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) ==
3139 - NULL)
3140 - return (NULL);
3198 + if ((e = BN_bin2bn(key->pubexp.val, key->pubexp.len, NULL)) == NULL)
3199 + goto cleanup;
3141 3200
3142 - if (key->priexp.val != NULL)
3143 - if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len,
3144 - rsa->d)) == NULL)
3145 - return (NULL);
3201 + if (key->priexp.val != NULL &&
3202 + (d = BN_bin2bn(key->priexp.val, key->priexp.len, NULL)) == NULL)
3203 + goto cleanup;
3146 3204
3147 - if (key->prime1.val != NULL)
3148 - if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len,
3149 - rsa->p)) == NULL)
3150 - return (NULL);
3205 + if (key->prime1.val != NULL &&
3206 + (p = BN_bin2bn(key->prime1.val, key->prime1.len, NULL)) == NULL)
3207 + goto cleanup;
3151 3208
3152 - if (key->prime2.val != NULL)
3153 - if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len,
3154 - rsa->q)) == NULL)
3155 - return (NULL);
3209 + if (key->prime2.val != NULL &&
3210 + (q = BN_bin2bn(key->prime2.val, key->prime2.len, NULL)) == NULL)
3211 + goto cleanup;
3156 3212
3157 - if (key->exp1.val != NULL)
3158 - if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len,
3159 - rsa->dmp1)) == NULL)
3160 - return (NULL);
3213 + if (key->exp1.val != NULL &&
3214 + (dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, NULL)) == NULL)
3215 + goto cleanup;
3161 3216
3162 - if (key->exp2.val != NULL)
3163 - if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len,
3164 - rsa->dmq1)) == NULL)
3165 - return (NULL);
3217 + if (key->exp2.val != NULL &&
3218 + (dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, NULL)) == NULL)
3219 + goto cleanup;
3166 3220
3167 - if (key->coef.val != NULL)
3168 - if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len,
3169 - rsa->iqmp)) == NULL)
3170 - return (NULL);
3221 + if (key->coef.val != NULL &&
3222 + (iqmp = BN_bin2bn(key->coef.val, key->coef.len, NULL)) == NULL)
3223 + goto cleanup;
3171 3224
3225 + if (RSA_set0_key(rsa, n, e, d) == 0)
3226 + goto cleanup;
3227 + n = e = d = NULL;
3228 + if (RSA_set0_factors(rsa, p, q) == 0)
3229 + goto cleanup;
3230 + p = q = NULL;
3231 + if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0)
3232 + goto cleanup;
3233 + dmp1 = dmq1 = iqmp = NULL;
3234 +
3172 3235 if ((newkey = EVP_PKEY_new()) == NULL)
3173 - return (NULL);
3236 + goto cleanup;
3174 3237
3175 3238 (void) EVP_PKEY_set1_RSA(newkey, rsa);
3176 3239
3240 +cleanup:
3177 3241 /* The original key must be freed once here or it leaks memory */
3178 - RSA_free(rsa);
3242 + if (rsa)
3243 + RSA_free(rsa);
3244 + BN_free(n);
3245 + BN_free(e);
3246 + BN_free(d);
3247 + BN_free(p);
3248 + BN_free(q);
3249 + BN_free(dmp1);
3250 + BN_free(dmq1);
3251 + BN_free(iqmp);
3179 3252
3180 3253 return (newkey);
3181 3254 }
3182 3255
3183 3256 static EVP_PKEY *
3184 3257 ImportRawDSAKey(KMF_RAW_DSA_KEY *key)
3185 3258 {
3186 3259 DSA *dsa = NULL;
3187 - EVP_PKEY *newkey = NULL;
3260 + EVP_PKEY *newkey = NULL;
3261 + BIGNUM *p = NULL, *q = NULL, *g = NULL,
3262 + *priv_key = NULL, *pub_key = NULL;
3188 3263
3189 3264 if ((dsa = DSA_new()) == NULL)
3190 - return (NULL);
3265 + goto cleanup;
3191 3266
3192 - if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len,
3193 - dsa->p)) == NULL)
3194 - return (NULL);
3267 + if ((p = BN_bin2bn(key->prime.val, key->prime.len, NULL)) == NULL)
3268 + goto cleanup;
3195 3269
3196 - if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len,
3197 - dsa->q)) == NULL)
3198 - return (NULL);
3270 + if ((q = BN_bin2bn(key->subprime.val, key->subprime.len, NULL)) == NULL)
3271 + goto cleanup;
3199 3272
3200 - if ((dsa->g = BN_bin2bn(key->base.val, key->base.len,
3201 - dsa->g)) == NULL)
3202 - return (NULL);
3273 + if ((g = BN_bin2bn(key->base.val, key->base.len, NULL)) == NULL)
3274 + goto cleanup;
3203 3275
3204 - if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len,
3205 - dsa->priv_key)) == NULL)
3206 - return (NULL);
3276 + if ((priv_key = BN_bin2bn(key->value.val, key->value.len,
3277 + NULL)) == NULL)
3278 + goto cleanup;
3207 3279
3208 - if (key->pubvalue.val != NULL) {
3209 - if ((dsa->pub_key = BN_bin2bn(key->pubvalue.val,
3210 - key->pubvalue.len, dsa->pub_key)) == NULL)
3211 - return (NULL);
3212 - }
3280 + if (key->pubvalue.val != NULL && (pub_key =
3281 + BN_bin2bn(key->pubvalue.val, key->pubvalue.len, NULL)) == NULL)
3282 + goto cleanup;
3213 3283
3284 + if (DSA_set0_pqg(dsa, p, q, g) == 0)
3285 + goto cleanup;
3286 + p = q = g = NULL;
3287 + if (DSA_set0_key(dsa, pub_key, priv_key) == 0)
3288 + goto cleanup;
3289 + pub_key = priv_key = 0;
3290 +
3214 3291 if ((newkey = EVP_PKEY_new()) == NULL)
3215 - return (NULL);
3292 + goto cleanup;
3216 3293
3217 3294 (void) EVP_PKEY_set1_DSA(newkey, dsa);
3218 3295
3296 +cleanup:
3219 3297 /* The original key must be freed once here or it leaks memory */
3220 - DSA_free(dsa);
3298 + if (dsa)
3299 + DSA_free(dsa);
3300 + BN_free(p);
3301 + BN_free(q);
3302 + BN_free(g);
3303 + BN_free(priv_key);
3304 + BN_free(pub_key);
3305 +
3221 3306 return (newkey);
3222 3307 }
3223 3308
3224 3309 static EVP_PKEY *
3225 3310 raw_key_to_pkey(KMF_KEY_HANDLE *key)
3226 3311 {
3227 3312 EVP_PKEY *pkey = NULL;
3228 3313 KMF_RAW_KEY_DATA *rawkey;
3229 3314 ASN1_TYPE *attr = NULL;
3230 3315 KMF_RETURN ret;
3231 3316
3232 3317 if (key == NULL || !key->israw)
3233 3318 return (NULL);
3234 3319
3235 3320 rawkey = (KMF_RAW_KEY_DATA *)key->keyp;
3236 3321 if (rawkey->keytype == KMF_RSA) {
3237 3322 pkey = ImportRawRSAKey(&rawkey->rawdata.rsa);
3238 3323 } else if (rawkey->keytype == KMF_DSA) {
3239 3324 pkey = ImportRawDSAKey(&rawkey->rawdata.dsa);
3240 3325 } else if (rawkey->keytype == KMF_ECDSA) {
3241 3326 /*
3242 3327 * OpenSSL in Solaris does not support EC for
3243 3328 * legal reasons
3244 3329 */
3245 3330 return (NULL);
3246 3331 } else {
3247 3332 /* wrong kind of key */
3248 3333 return (NULL);
3249 3334 }
3250 3335
3251 3336 if (rawkey->label != NULL) {
3252 3337 if ((attr = ASN1_TYPE_new()) == NULL) {
3253 3338 EVP_PKEY_free(pkey);
3254 3339 return (NULL);
3255 3340 }
3256 3341 attr->value.bmpstring = ASN1_STRING_type_new(V_ASN1_BMPSTRING);
3257 3342 (void) ASN1_STRING_set(attr->value.bmpstring, rawkey->label,
3258 3343 strlen(rawkey->label));
3259 3344 attr->type = V_ASN1_BMPSTRING;
3260 3345 attr->value.ptr = (char *)attr->value.bmpstring;
3261 3346 ret = set_pkey_attrib(pkey, attr, NID_friendlyName);
3262 3347 if (ret != KMF_OK) {
3263 3348 EVP_PKEY_free(pkey);
3264 3349 ASN1_TYPE_free(attr);
3265 3350 return (NULL);
3266 3351 }
3267 3352 }
3268 3353 if (rawkey->id.Data != NULL) {
3269 3354 if ((attr = ASN1_TYPE_new()) == NULL) {
3270 3355 EVP_PKEY_free(pkey);
3271 3356 return (NULL);
3272 3357 }
3273 3358 attr->value.octet_string =
3274 3359 ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
3275 3360 attr->type = V_ASN1_OCTET_STRING;
3276 3361 (void) ASN1_STRING_set(attr->value.octet_string,
3277 3362 rawkey->id.Data, rawkey->id.Length);
3278 3363 attr->value.ptr = (char *)attr->value.octet_string;
3279 3364 ret = set_pkey_attrib(pkey, attr, NID_localKeyID);
3280 3365 if (ret != KMF_OK) {
3281 3366 EVP_PKEY_free(pkey);
3282 3367 ASN1_TYPE_free(attr);
3283 3368 return (NULL);
3284 3369 }
3285 3370 }
3286 3371 return (pkey);
3287 3372 }
3288 3373
3289 3374 /*
3290 3375 * Search a list of private keys to find one that goes with the certificate.
3291 3376 */
3292 3377 static EVP_PKEY *
3293 3378 find_matching_key(X509 *xcert, int numkeys, KMF_KEY_HANDLE *keylist)
3294 3379 {
3295 3380 int i;
3296 3381 EVP_PKEY *pkey = NULL;
3297 3382
3298 3383 if (numkeys == 0 || keylist == NULL || xcert == NULL)
3299 3384 return (NULL);
3300 3385 for (i = 0; i < numkeys; i++) {
3301 3386 if (keylist[i].israw)
3302 3387 pkey = raw_key_to_pkey(&keylist[i]);
3303 3388 else
3304 3389 pkey = (EVP_PKEY *)keylist[i].keyp;
3305 3390 if (pkey != NULL) {
3306 3391 if (X509_check_private_key(xcert, pkey)) {
3307 3392 return (pkey);
3308 3393 } else {
3309 3394 EVP_PKEY_free(pkey);
3310 3395 pkey = NULL;
3311 3396 }
3312 3397 }
3313 3398 }
3314 3399 return (pkey);
3315 3400 }
3316 3401
3317 3402 static KMF_RETURN
3318 3403 local_export_pk12(KMF_HANDLE_T handle,
3319 3404 KMF_CREDENTIAL *cred,
3320 3405 int numcerts, KMF_X509_DER_CERT *certlist,
3321 3406 int numkeys, KMF_KEY_HANDLE *keylist,
3322 3407 char *filename)
3323 3408 {
3324 3409 KMF_RETURN rv = KMF_OK;
3325 3410 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
3326 3411 BIO *bio = NULL;
3327 3412 PKCS7 *cert_authsafe = NULL;
3328 3413 PKCS7 *key_authsafe = NULL;
3329 3414 STACK_OF(PKCS7) *authsafe_stack = NULL;
3330 3415 PKCS12 *p12_elem = NULL;
3331 3416 int i;
3332 3417
3333 3418 if (numcerts == 0 && numkeys == 0)
3334 3419 return (KMF_ERR_BAD_PARAMETER);
3335 3420
3336 3421 /*
3337 3422 * Open the output file.
3338 3423 */
3339 3424 if ((bio = BIO_new_file(filename, "wb")) == NULL) {
3340 3425 SET_ERROR(kmfh, ERR_get_error());
3341 3426 rv = KMF_ERR_OPEN_FILE;
3342 3427 goto cleanup;
3343 3428 }
3344 3429
3345 3430 /* Start a PKCS#7 stack. */
3346 3431 authsafe_stack = sk_PKCS7_new_null();
3347 3432 if (authsafe_stack == NULL) {
3348 3433 rv = KMF_ERR_MEMORY;
3349 3434 goto cleanup;
3350 3435 }
3351 3436 if (numcerts > 0) {
3352 3437 for (i = 0; rv == KMF_OK && i < numcerts; i++) {
3353 3438 const uchar_t *p = certlist[i].certificate.Data;
3354 3439 long len = certlist[i].certificate.Length;
3355 3440 X509 *xcert = NULL;
3356 3441 EVP_PKEY *pkey = NULL;
3357 3442 unsigned char keyid[EVP_MAX_MD_SIZE];
3358 3443 unsigned int keyidlen = 0;
3359 3444
3360 3445 xcert = d2i_X509(NULL, &p, len);
3361 3446 if (xcert == NULL) {
3362 3447 SET_ERROR(kmfh, ERR_get_error());
3363 3448 rv = KMF_ERR_ENCODING;
3364 3449 }
3365 3450 if (certlist[i].kmf_private.label != NULL) {
3366 3451 /* Set alias attribute */
3367 3452 (void) X509_alias_set1(xcert,
3368 3453 (uchar_t *)certlist[i].kmf_private.label,
3369 3454 strlen(certlist[i].kmf_private.label));
3370 3455 }
3371 3456 /* Check if there is a key corresponding to this cert */
3372 3457 pkey = find_matching_key(xcert, numkeys, keylist);
3373 3458
3374 3459 /*
3375 3460 * If key is found, get fingerprint and create a
3376 3461 * safebag.
3377 3462 */
3378 3463 if (pkey != NULL) {
3379 3464 (void) X509_digest(xcert, EVP_sha1(),
3380 3465 keyid, &keyidlen);
3381 3466 key_authsafe = add_key_to_safe(pkey, cred,
3382 3467 keyid, keyidlen,
3383 3468 certlist[i].kmf_private.label,
3384 3469 (certlist[i].kmf_private.label ?
3385 3470 strlen(certlist[i].kmf_private.label) : 0));
3386 3471
3387 3472 if (key_authsafe == NULL) {
3388 3473 X509_free(xcert);
3389 3474 EVP_PKEY_free(pkey);
3390 3475 goto cleanup;
3391 3476 }
3392 3477 /* Put the key safe into the Auth Safe */
3393 3478 if (!sk_PKCS7_push(authsafe_stack,
3394 3479 key_authsafe)) {
3395 3480 X509_free(xcert);
3396 3481 EVP_PKEY_free(pkey);
3397 3482 goto cleanup;
3398 3483 }
3399 3484 }
3400 3485
3401 3486 /* create a certificate safebag */
3402 3487 cert_authsafe = add_cert_to_safe(xcert, cred, keyid,
3403 3488 keyidlen);
3404 3489 if (cert_authsafe == NULL) {
3405 3490 X509_free(xcert);
3406 3491 EVP_PKEY_free(pkey);
3407 3492 goto cleanup;
3408 3493 }
3409 3494 if (!sk_PKCS7_push(authsafe_stack, cert_authsafe)) {
3410 3495 X509_free(xcert);
3411 3496 EVP_PKEY_free(pkey);
3412 3497 goto cleanup;
3413 3498 }
3414 3499
3415 3500 X509_free(xcert);
3416 3501 if (pkey)
3417 3502 EVP_PKEY_free(pkey);
3418 3503 }
3419 3504 } else if (numcerts == 0 && numkeys > 0) {
3420 3505 /*
3421 3506 * If only adding keys to the file.
3422 3507 */
3423 3508 for (i = 0; i < numkeys; i++) {
3424 3509 EVP_PKEY *pkey = NULL;
3425 3510
3426 3511 if (keylist[i].israw)
3427 3512 pkey = raw_key_to_pkey(&keylist[i]);
3428 3513 else
3429 3514 pkey = (EVP_PKEY *)keylist[i].keyp;
3430 3515
3431 3516 if (pkey == NULL)
3432 3517 continue;
3433 3518
3434 3519 key_authsafe = add_key_to_safe(pkey, cred,
3435 3520 NULL, 0, NULL, 0);
3436 3521
3437 3522 if (key_authsafe == NULL) {
3438 3523 EVP_PKEY_free(pkey);
3439 3524 goto cleanup;
3440 3525 }
3441 3526 if (!sk_PKCS7_push(authsafe_stack, key_authsafe)) {
3442 3527 EVP_PKEY_free(pkey);
3443 3528 goto cleanup;
3444 3529 }
3445 3530 }
3446 3531 }
3447 3532 p12_elem = PKCS12_init(NID_pkcs7_data);
3448 3533 if (p12_elem == NULL) {
3449 3534 goto cleanup;
3450 3535 }
3451 3536
3452 3537 /* Put the PKCS#7 stack into the PKCS#12 element. */
3453 3538 if (!PKCS12_pack_authsafes(p12_elem, authsafe_stack)) {
3454 3539 goto cleanup;
3455 3540 }
3456 3541
3457 3542 /* Set the integrity MAC on the PKCS#12 element. */
3458 3543 if (!PKCS12_set_mac(p12_elem, cred->cred, cred->credlen,
3459 3544 NULL, 0, PKCS12_DEFAULT_ITER, NULL)) {
3460 3545 goto cleanup;
3461 3546 }
3462 3547
3463 3548 /* Write the PKCS#12 element to the export file. */
3464 3549 if (!i2d_PKCS12_bio(bio, p12_elem)) {
3465 3550 goto cleanup;
3466 3551 }
3467 3552 PKCS12_free(p12_elem);
3468 3553
3469 3554 cleanup:
3470 3555 /* Clear away the PKCS#7 stack, we're done with it. */
3471 3556 if (authsafe_stack)
3472 3557 sk_PKCS7_pop_free(authsafe_stack, PKCS7_free);
3473 3558
3474 3559 if (bio != NULL)
3475 3560 (void) BIO_free_all(bio);
3476 3561
3477 3562 return (rv);
3478 3563 }
3479 3564
3480 3565 KMF_RETURN
3481 3566 openssl_build_pk12(KMF_HANDLE_T handle, int numcerts,
3482 3567 KMF_X509_DER_CERT *certlist, int numkeys, KMF_KEY_HANDLE *keylist,
3483 3568 KMF_CREDENTIAL *p12cred, char *filename)
3484 3569 {
3485 3570 KMF_RETURN rv;
3486 3571
3487 3572 if (certlist == NULL && keylist == NULL)
3488 3573 return (KMF_ERR_BAD_PARAMETER);
3489 3574
3490 3575 rv = local_export_pk12(handle, p12cred, numcerts, certlist,
3491 3576 numkeys, keylist, filename);
3492 3577
3493 3578 return (rv);
3494 3579 }
3495 3580
3496 3581 KMF_RETURN
3497 3582 OpenSSL_ExportPK12(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
3498 3583 {
3499 3584 KMF_RETURN rv;
3500 3585 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
3501 3586 char *fullpath = NULL;
3502 3587 char *dirpath = NULL;
3503 3588 char *certfile = NULL;
3504 3589 char *keyfile = NULL;
3505 3590 char *filename = NULL;
3506 3591 KMF_CREDENTIAL *p12cred = NULL;
3507 3592 KMF_X509_DER_CERT certdata;
3508 3593 KMF_KEY_HANDLE key;
3509 3594 int gotkey = 0;
3510 3595 int gotcert = 0;
3511 3596
3512 3597 if (handle == NULL)
3513 3598 return (KMF_ERR_BAD_PARAMETER);
3514 3599
3515 3600 /*
3516 3601 * First, find the certificate.
3517 3602 */
3518 3603 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
3519 3604 certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
3520 3605 if (certfile != NULL) {
3521 3606 fullpath = get_fullpath(dirpath, certfile);
3522 3607 if (fullpath == NULL)
3523 3608 return (KMF_ERR_BAD_PARAMETER);
3524 3609
3525 3610 if (isdir(fullpath)) {
3526 3611 free(fullpath);
3527 3612 return (KMF_ERR_AMBIGUOUS_PATHNAME);
3528 3613 }
3529 3614
3530 3615 (void) memset(&certdata, 0, sizeof (certdata));
3531 3616 rv = kmf_load_cert(kmfh, NULL, NULL, NULL, NULL,
3532 3617 fullpath, &certdata.certificate);
3533 3618 if (rv != KMF_OK)
3534 3619 goto end;
3535 3620
3536 3621 gotcert++;
3537 3622 certdata.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
3538 3623 free(fullpath);
3539 3624 }
3540 3625
3541 3626 /*
3542 3627 * Now find the private key.
3543 3628 */
3544 3629 keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
3545 3630 if (keyfile != NULL) {
3546 3631 fullpath = get_fullpath(dirpath, keyfile);
3547 3632 if (fullpath == NULL)
3548 3633 return (KMF_ERR_BAD_PARAMETER);
3549 3634
3550 3635 if (isdir(fullpath)) {
3551 3636 free(fullpath);
3552 3637 return (KMF_ERR_AMBIGUOUS_PATHNAME);
3553 3638 }
3554 3639
3555 3640 (void) memset(&key, 0, sizeof (KMF_KEY_HANDLE));
3556 3641 rv = fetch_key(handle, fullpath, KMF_ASYM_PRI, &key);
3557 3642 if (rv != KMF_OK)
3558 3643 goto end;
3559 3644 gotkey++;
3560 3645 }
3561 3646
3562 3647 /*
3563 3648 * Open the output file.
3564 3649 */
3565 3650 filename = kmf_get_attr_ptr(KMF_OUTPUT_FILENAME_ATTR, attrlist,
3566 3651 numattr);
3567 3652 if (filename == NULL) {
3568 3653 rv = KMF_ERR_BAD_PARAMETER;
3569 3654 goto end;
3570 3655 }
3571 3656
3572 3657 /* Stick the key and the cert into a PKCS#12 file */
3573 3658 p12cred = kmf_get_attr_ptr(KMF_PK12CRED_ATTR, attrlist, numattr);
3574 3659 if (p12cred == NULL) {
3575 3660 rv = KMF_ERR_BAD_PARAMETER;
3576 3661 goto end;
3577 3662 }
3578 3663
3579 3664 rv = local_export_pk12(handle, p12cred, 1, &certdata,
3580 3665 1, &key, filename);
3581 3666
3582 3667 end:
3583 3668 if (fullpath)
3584 3669 free(fullpath);
3585 3670
3586 3671 if (gotcert)
3587 3672 kmf_free_kmf_cert(handle, &certdata);
3588 3673 if (gotkey)
3589 3674 kmf_free_kmf_key(handle, &key);
3590 3675 return (rv);
3591 3676 }
3592 3677
3593 3678 /*
3594 3679 * Helper function to extract keys and certificates from
3595 3680 * a single PEM file. Typically the file should contain a
3596 3681 * private key and an associated public key wrapped in an x509 cert.
3597 3682 * However, the file may be just a list of X509 certs with no keys.
3598 3683 */
3599 3684 static KMF_RETURN
3600 3685 extract_pem(KMF_HANDLE *kmfh,
3601 3686 char *issuer, char *subject, KMF_BIGINT *serial,
3602 3687 char *filename, CK_UTF8CHAR *pin,
3603 3688 CK_ULONG pinlen, EVP_PKEY **priv_key, KMF_DATA **certs,
3604 3689 int *numcerts)
3605 3690 /* ARGSUSED6 */
3606 3691 {
3607 3692 KMF_RETURN rv = KMF_OK;
3608 3693 FILE *fp;
3609 3694 STACK_OF(X509_INFO) *x509_info_stack = NULL;
3610 3695 int i, ncerts = 0, matchcerts = 0;
3611 3696 EVP_PKEY *pkey = NULL;
3612 3697 X509_INFO *info;
3613 3698 X509 *x;
3614 3699 X509_INFO **cert_infos = NULL;
3615 3700 KMF_DATA *certlist = NULL;
3616 3701
3617 3702 if (priv_key)
3618 3703 *priv_key = NULL;
3619 3704 if (certs)
3620 3705 *certs = NULL;
3621 3706 fp = fopen(filename, "r");
3622 3707 if (fp == NULL)
3623 3708 return (KMF_ERR_OPEN_FILE);
3624 3709
3625 3710 x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
3626 3711 if (x509_info_stack == NULL) {
3627 3712 (void) fclose(fp);
3628 3713 return (KMF_ERR_ENCODING);
3629 3714 }
3630 3715 cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3631 3716 sizeof (X509_INFO *));
3632 3717 if (cert_infos == NULL) {
3633 3718 (void) fclose(fp);
3634 3719 rv = KMF_ERR_MEMORY;
3635 3720 goto err;
3636 3721 }
3637 3722
3638 3723 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3639 3724 /* LINTED E_BAD_PTR_CAST_ALIGN */
3640 3725 cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3641 3726 ncerts++;
3642 3727 }
3643 3728
3644 3729 if (ncerts == 0) {
3645 3730 (void) fclose(fp);
3646 3731 rv = KMF_ERR_CERT_NOT_FOUND;
3647 3732 goto err;
3648 3733 }
3649 3734
3650 3735 if (priv_key != NULL) {
3651 3736 rewind(fp);
3652 3737 pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
3653 3738 }
3654 3739 (void) fclose(fp);
3655 3740
3656 3741 x = cert_infos[ncerts - 1]->x509;
3657 3742 /*
3658 3743 * Make sure the private key matchs the last cert in the file.
3659 3744 */
3660 3745 if (pkey != NULL && !X509_check_private_key(x, pkey)) {
3661 3746 EVP_PKEY_free(pkey);
3662 3747 rv = KMF_ERR_KEY_MISMATCH;
3663 3748 goto err;
3664 3749 }
3665 3750
3666 3751 certlist = (KMF_DATA *)calloc(ncerts, sizeof (KMF_DATA));
3667 3752 if (certlist == NULL) {
3668 3753 if (pkey != NULL)
3669 3754 EVP_PKEY_free(pkey);
3670 3755 rv = KMF_ERR_MEMORY;
3671 3756 goto err;
3672 3757 }
3673 3758
3674 3759 /*
3675 3760 * Convert all of the certs to DER format.
3676 3761 */
3677 3762 matchcerts = 0;
3678 3763 for (i = 0; rv == KMF_OK && certs != NULL && i < ncerts; i++) {
3679 3764 boolean_t match = FALSE;
3680 3765 info = cert_infos[ncerts - 1 - i];
3681 3766
3682 3767 rv = check_cert(info->x509, issuer, subject, serial, &match);
3683 3768 if (rv != KMF_OK || match != TRUE) {
3684 3769 rv = KMF_OK;
3685 3770 continue;
3686 3771 }
3687 3772
3688 3773 rv = ssl_cert2KMFDATA(kmfh, info->x509,
3689 3774 &certlist[matchcerts++]);
3690 3775
3691 3776 if (rv != KMF_OK) {
3692 3777 int j;
3693 3778 for (j = 0; j < matchcerts; j++)
3694 3779 kmf_free_data(&certlist[j]);
3695 3780 free(certlist);
3696 3781 certlist = NULL;
3697 3782 ncerts = matchcerts = 0;
3698 3783 }
3699 3784 }
3700 3785
3701 3786 if (numcerts != NULL)
3702 3787 *numcerts = matchcerts;
3703 3788
3704 3789 if (certs != NULL)
3705 3790 *certs = certlist;
3706 3791 else if (certlist != NULL) {
3707 3792 for (i = 0; i < ncerts; i++)
3708 3793 kmf_free_data(&certlist[i]);
3709 3794 free(certlist);
3710 3795 certlist = NULL;
3711 3796 }
3712 3797
3713 3798 if (priv_key == NULL && pkey != NULL)
3714 3799 EVP_PKEY_free(pkey);
3715 3800 else if (priv_key != NULL && pkey != NULL)
3716 3801 *priv_key = pkey;
3717 3802
3718 3803 err:
3719 3804 /* Cleanup the stack of X509 info records */
3720 3805 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3721 3806 /* LINTED E_BAD_PTR_CAST_ALIGN */
3722 3807 info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3723 3808 X509_INFO_free(info);
3724 3809 }
|
↓ open down ↓ |
494 lines elided |
↑ open up ↑ |
3725 3810 if (x509_info_stack)
3726 3811 sk_X509_INFO_free(x509_info_stack);
3727 3812
3728 3813 if (cert_infos != NULL)
3729 3814 free(cert_infos);
3730 3815
3731 3816 return (rv);
3732 3817 }
3733 3818
3734 3819 static KMF_RETURN
3735 -openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3820 +openssl_parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3736 3821 STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3737 3822 {
3738 3823 KMF_RETURN ret;
3739 3824 int i;
3740 3825
3741 3826 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
3742 3827 /* LINTED E_BAD_PTR_CAST_ALIGN */
3743 3828 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3744 3829 ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3745 3830 keys, certs);
3746 3831
3747 3832 if (ret != KMF_OK)
3748 3833 return (ret);
3749 3834 }
3750 3835
3751 3836 return (ret);
|
↓ open down ↓ |
6 lines elided |
↑ open up ↑ |
3752 3837 }
3753 3838
3754 3839 static KMF_RETURN
3755 3840 set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
3756 3841 {
3757 3842 X509_ATTRIBUTE *attr = NULL;
3758 3843
3759 3844 if (pkey == NULL || attrib == NULL)
3760 3845 return (KMF_ERR_BAD_PARAMETER);
3761 3846
3762 - if (pkey->attributes == NULL) {
3763 - pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3764 - if (pkey->attributes == NULL)
3765 - return (KMF_ERR_MEMORY);
3766 - }
3767 3847 attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3768 3848 if (attr != NULL) {
3769 3849 int i;
3770 - X509_ATTRIBUTE *a;
3771 - for (i = 0;
3772 - i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
3773 - /* LINTED E_BAD_PTR_CASE_ALIGN */
3774 - a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3775 - if (OBJ_obj2nid(a->object) == nid) {
3776 - X509_ATTRIBUTE_free(a);
3777 - /* LINTED E_BAD_PTR_CAST_ALIGN */
3778 - (void) sk_X509_ATTRIBUTE_set(pkey->attributes,
3779 - i, attr);
3780 - return (KMF_OK);
3781 - }
3782 - }
3783 - if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3850 +
3851 + if ((i = EVP_PKEY_get_attr_by_NID(pkey, nid, -1)) != -1)
3852 + (void) EVP_PKEY_delete_attr(pkey, i);
3853 + if (EVP_PKEY_add1_attr(pkey, attr) == 0) {
3784 3854 X509_ATTRIBUTE_free(attr);
3785 3855 return (KMF_ERR_MEMORY);
3786 3856 }
3787 3857 } else {
3788 3858 return (KMF_ERR_MEMORY);
3789 3859 }
3790 3860
3791 3861 return (KMF_OK);
3792 3862 }
3793 3863
3794 3864 static KMF_RETURN
3795 3865 openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
3796 3866 STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
3797 3867 {
3798 3868 KMF_RETURN ret = KMF_OK;
3799 3869 PKCS8_PRIV_KEY_INFO *p8 = NULL;
3800 3870 EVP_PKEY *pkey = NULL;
3801 3871 X509 *xcert = NULL;
3802 - ASN1_TYPE *keyid = NULL;
3803 - ASN1_TYPE *fname = NULL;
3872 + const ASN1_TYPE *keyid = NULL;
3873 + const ASN1_TYPE *fname = NULL;
3804 3874 uchar_t *data = NULL;
3805 3875
3806 - keyid = PKCS12_get_attr(bag, NID_localKeyID);
3807 - fname = PKCS12_get_attr(bag, NID_friendlyName);
3876 + keyid = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID);
3877 + fname = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName);
3808 3878
3809 - switch (M_PKCS12_bag_type(bag)) {
3879 + switch (PKCS12_SAFEBAG_get_nid(bag)) {
3810 3880 case NID_keyBag:
3811 3881 if (keylist == NULL)
3812 3882 goto end;
3813 - pkey = EVP_PKCS82PKEY(bag->value.keybag);
3883 + pkey = EVP_PKCS82PKEY(
3884 + PKCS12_SAFEBAG_get0_p8inf(bag));
3814 3885 if (pkey == NULL)
3815 3886 ret = KMF_ERR_PKCS12_FORMAT;
3816 3887
3817 3888 break;
3818 3889 case NID_pkcs8ShroudedKeyBag:
3819 3890 if (keylist == NULL)
3820 3891 goto end;
3821 - p8 = M_PKCS12_decrypt_skey(bag, pass, passlen);
3892 + p8 = PKCS12_decrypt_skey(bag, pass, passlen);
3822 3893 if (p8 == NULL)
3823 3894 return (KMF_ERR_AUTH_FAILED);
3824 3895 pkey = EVP_PKCS82PKEY(p8);
3825 3896 PKCS8_PRIV_KEY_INFO_free(p8);
3826 3897 if (pkey == NULL)
3827 3898 ret = KMF_ERR_PKCS12_FORMAT;
3828 3899 break;
3829 3900 case NID_certBag:
3830 3901 if (certlist == NULL)
3831 3902 goto end;
3832 - if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
3903 + if (PKCS12_SAFEBAG_get_bag_nid(bag) !=
3904 + NID_x509Certificate)
3833 3905 return (KMF_ERR_PKCS12_FORMAT);
3834 - xcert = M_PKCS12_certbag2x509(bag);
3906 + xcert = PKCS12_SAFEBAG_get1_cert(bag);
3835 3907 if (xcert == NULL) {
3836 3908 ret = KMF_ERR_PKCS12_FORMAT;
3837 3909 goto end;
3838 3910 }
3839 3911 if (keyid != NULL) {
3840 3912 if (X509_keyid_set1(xcert,
3841 3913 keyid->value.octet_string->data,
3842 3914 keyid->value.octet_string->length) == 0) {
3843 3915 ret = KMF_ERR_PKCS12_FORMAT;
3844 3916 goto end;
3845 3917 }
3846 3918 }
3847 3919 if (fname != NULL) {
3848 3920 int len, r;
3849 3921 len = ASN1_STRING_to_UTF8(&data,
3850 3922 fname->value.asn1_string);
3851 3923 if (len > 0 && data != NULL) {
3852 3924 r = X509_alias_set1(xcert, data, len);
3853 3925 if (r == NULL) {
3854 3926 ret = KMF_ERR_PKCS12_FORMAT;
3855 3927 goto end;
3856 3928 }
3857 3929 } else {
|
↓ open down ↓ |
13 lines elided |
↑ open up ↑ |
3858 3930 ret = KMF_ERR_PKCS12_FORMAT;
3859 3931 goto end;
3860 3932 }
3861 3933 }
3862 3934 if (sk_X509_push(certlist, xcert) == 0)
3863 3935 ret = KMF_ERR_MEMORY;
3864 3936 else
3865 3937 xcert = NULL;
3866 3938 break;
3867 3939 case NID_safeContentsBag:
3868 - return (openssl_parse_bags(bag->value.safes, pass,
3869 - keylist, certlist));
3940 + return (openssl_parse_bags(
3941 + PKCS12_SAFEBAG_get0_safes(bag),
3942 + pass, keylist, certlist));
3870 3943 default:
3871 3944 ret = KMF_ERR_PKCS12_FORMAT;
3872 3945 break;
3873 3946 }
3874 3947
3875 3948 /*
3876 3949 * Set the ID and/or FriendlyName attributes on the key.
3877 3950 * If converting to PKCS11 objects, these can translate to CKA_ID
3878 3951 * and CKA_LABEL values.
3879 3952 */
3880 3953 if (pkey != NULL && ret == KMF_OK) {
3881 3954 ASN1_TYPE *attr = NULL;
3882 3955 if (keyid != NULL && keyid->type == V_ASN1_OCTET_STRING) {
3883 3956 if ((attr = ASN1_TYPE_new()) == NULL)
3884 3957 return (KMF_ERR_MEMORY);
3885 3958 attr->value.octet_string =
3886 3959 ASN1_STRING_dup(keyid->value.octet_string);
3887 3960 attr->type = V_ASN1_OCTET_STRING;
3888 3961 attr->value.ptr = (char *)attr->value.octet_string;
3889 3962 ret = set_pkey_attrib(pkey, attr, NID_localKeyID);
3890 3963 OPENSSL_free(attr);
3891 3964 }
3892 3965
3893 3966 if (ret == KMF_OK && fname != NULL &&
3894 3967 fname->type == V_ASN1_BMPSTRING) {
3895 3968 if ((attr = ASN1_TYPE_new()) == NULL)
3896 3969 return (KMF_ERR_MEMORY);
3897 3970 attr->value.bmpstring =
3898 3971 ASN1_STRING_dup(fname->value.bmpstring);
3899 3972 attr->type = V_ASN1_BMPSTRING;
3900 3973 attr->value.ptr = (char *)attr->value.bmpstring;
3901 3974 ret = set_pkey_attrib(pkey, attr, NID_friendlyName);
3902 3975 OPENSSL_free(attr);
3903 3976 }
3904 3977
3905 3978 if (ret == KMF_OK && keylist != NULL &&
3906 3979 sk_EVP_PKEY_push(keylist, pkey) == 0)
3907 3980 ret = KMF_ERR_MEMORY;
3908 3981 }
3909 3982 if (ret == KMF_OK && keylist != NULL)
3910 3983 pkey = NULL;
3911 3984 end:
3912 3985 if (pkey != NULL)
3913 3986 EVP_PKEY_free(pkey);
3914 3987 if (xcert != NULL)
3915 3988 X509_free(xcert);
3916 3989 if (data != NULL)
3917 3990 OPENSSL_free(data);
3918 3991
3919 3992 return (ret);
3920 3993 }
3921 3994
3922 3995 static KMF_RETURN
3923 3996 openssl_pkcs12_parse(PKCS12 *p12, char *pin,
3924 3997 STACK_OF(EVP_PKEY) *keys,
3925 3998 STACK_OF(X509) *certs,
3926 3999 STACK_OF(X509) *ca)
3927 4000 /* ARGSUSED3 */
3928 4001 {
3929 4002 KMF_RETURN ret = KMF_OK;
3930 4003 STACK_OF(PKCS7) *asafes = NULL;
3931 4004 STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
3932 4005 int i, bagnid;
3933 4006 PKCS7 *p7;
3934 4007
3935 4008 if (p12 == NULL || (keys == NULL && certs == NULL))
3936 4009 return (KMF_ERR_BAD_PARAMETER);
3937 4010
3938 4011 if (pin == NULL || *pin == NULL) {
3939 4012 if (PKCS12_verify_mac(p12, NULL, 0)) {
3940 4013 pin = NULL;
3941 4014 } else if (PKCS12_verify_mac(p12, "", 0)) {
3942 4015 pin = "";
3943 4016 } else {
3944 4017 return (KMF_ERR_AUTH_FAILED);
3945 4018 }
3946 4019 } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3947 4020 return (KMF_ERR_AUTH_FAILED);
3948 4021 }
3949 4022
3950 4023 if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3951 4024 return (KMF_ERR_PKCS12_FORMAT);
3952 4025
3953 4026 for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3954 4027 bags = NULL;
3955 4028 /* LINTED E_BAD_PTR_CAST_ALIGN */
3956 4029 p7 = sk_PKCS7_value(asafes, i);
3957 4030 bagnid = OBJ_obj2nid(p7->type);
3958 4031
3959 4032 if (bagnid == NID_pkcs7_data) {
3960 4033 bags = PKCS12_unpack_p7data(p7);
3961 4034 } else if (bagnid == NID_pkcs7_encrypted) {
3962 4035 bags = PKCS12_unpack_p7encdata(p7, pin,
3963 4036 (pin ? strlen(pin) : 0));
3964 4037 } else {
3965 4038 continue;
3966 4039 }
3967 4040 if (bags == NULL) {
3968 4041 ret = KMF_ERR_PKCS12_FORMAT;
3969 4042 goto out;
3970 4043 }
3971 4044
3972 4045 if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
3973 4046 ret = KMF_ERR_PKCS12_FORMAT;
3974 4047
3975 4048 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
3976 4049 }
3977 4050 out:
3978 4051 if (asafes != NULL)
3979 4052 sk_PKCS7_pop_free(asafes, PKCS7_free);
3980 4053
3981 4054 return (ret);
3982 4055 }
3983 4056
3984 4057 /*
3985 4058 * Helper function to decrypt and parse PKCS#12 import file.
3986 4059 */
3987 4060 static KMF_RETURN
3988 4061 extract_pkcs12(BIO *fbio, CK_UTF8CHAR *pin, CK_ULONG pinlen,
3989 4062 STACK_OF(EVP_PKEY) **priv_key, STACK_OF(X509) **certs,
3990 4063 STACK_OF(X509) **ca)
3991 4064 /* ARGSUSED2 */
3992 4065 {
3993 4066 PKCS12 *pk12, *pk12_tmp;
3994 4067 STACK_OF(EVP_PKEY) *pkeylist = NULL;
3995 4068 STACK_OF(X509) *xcertlist = NULL;
3996 4069 STACK_OF(X509) *cacertlist = NULL;
3997 4070
3998 4071 if ((pk12 = PKCS12_new()) == NULL) {
3999 4072 return (KMF_ERR_MEMORY);
4000 4073 }
4001 4074
4002 4075 if ((pk12_tmp = d2i_PKCS12_bio(fbio, &pk12)) == NULL) {
4003 4076 /* This is ok; it seems to mean there is no more to read. */
4004 4077 if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_ASN1 &&
4005 4078 ERR_GET_REASON(ERR_peek_error()) == ASN1_R_HEADER_TOO_LONG)
4006 4079 goto end_extract_pkcs12;
4007 4080
4008 4081 PKCS12_free(pk12);
4009 4082 return (KMF_ERR_PKCS12_FORMAT);
4010 4083 }
4011 4084 pk12 = pk12_tmp;
4012 4085
4013 4086 xcertlist = sk_X509_new_null();
4014 4087 if (xcertlist == NULL) {
4015 4088 PKCS12_free(pk12);
4016 4089 return (KMF_ERR_MEMORY);
4017 4090 }
4018 4091 pkeylist = sk_EVP_PKEY_new_null();
4019 4092 if (pkeylist == NULL) {
4020 4093 sk_X509_pop_free(xcertlist, X509_free);
4021 4094 PKCS12_free(pk12);
4022 4095 return (KMF_ERR_MEMORY);
4023 4096 }
4024 4097
4025 4098 if (openssl_pkcs12_parse(pk12, (char *)pin, pkeylist, xcertlist,
4026 4099 cacertlist) != KMF_OK) {
4027 4100 sk_X509_pop_free(xcertlist, X509_free);
4028 4101 sk_EVP_PKEY_pop_free(pkeylist, EVP_PKEY_free);
4029 4102 PKCS12_free(pk12);
4030 4103 return (KMF_ERR_PKCS12_FORMAT);
4031 4104 }
4032 4105
4033 4106 if (priv_key && pkeylist)
4034 4107 *priv_key = pkeylist;
4035 4108 else if (pkeylist)
4036 4109 sk_EVP_PKEY_pop_free(pkeylist, EVP_PKEY_free);
4037 4110 if (certs && xcertlist)
4038 4111 *certs = xcertlist;
4039 4112 else if (xcertlist)
4040 4113 sk_X509_pop_free(xcertlist, X509_free);
4041 4114 if (ca && cacertlist)
4042 4115 *ca = cacertlist;
4043 4116 else if (cacertlist)
4044 4117 sk_X509_pop_free(cacertlist, X509_free);
4045 4118
4046 4119 end_extract_pkcs12:
4047 4120
4048 4121 PKCS12_free(pk12);
4049 4122 return (KMF_OK);
4050 4123 }
4051 4124
4052 4125 static KMF_RETURN
4053 4126 sslBN2KMFBN(BIGNUM *from, KMF_BIGINT *to)
4054 4127 {
4055 4128 KMF_RETURN rv = KMF_OK;
4056 4129 uint32_t sz;
4057 4130
4058 4131 sz = BN_num_bytes(from);
4059 4132 to->val = (uchar_t *)malloc(sz);
4060 4133 if (to->val == NULL)
4061 4134 return (KMF_ERR_MEMORY);
4062 4135
4063 4136 if ((to->len = BN_bn2bin(from, to->val)) != sz) {
4064 4137 free(to->val);
4065 4138 to->val = NULL;
4066 4139 to->len = 0;
4067 4140 rv = KMF_ERR_MEMORY;
4068 4141 }
|
↓ open down ↓ |
189 lines elided |
↑ open up ↑ |
4069 4142
4070 4143 return (rv);
4071 4144 }
4072 4145
4073 4146 static KMF_RETURN
4074 4147 exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key)
4075 4148 {
4076 4149 KMF_RETURN rv;
4077 4150 KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa;
4078 4151
4152 + const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmpq, *iqmp;
4153 +
4154 + RSA_get0_key(rsa, &n, &e, &d);
4155 + RSA_get0_factors(rsa, &p, &q);
4156 + RSA_get0_crt_params(rsa, &dmp1, &dmpq, &iqmp);
4157 +
4079 4158 (void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY));
4080 - if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK)
4159 + if ((rv = sslBN2KMFBN((BIGNUM *)n, &kmfkey->mod)) != KMF_OK)
4081 4160 goto cleanup;
4082 4161
4083 - if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK)
4162 + if ((rv = sslBN2KMFBN((BIGNUM *)e, &kmfkey->pubexp)) != KMF_OK)
4084 4163 goto cleanup;
4085 4164
4086 - if (rsa->d != NULL)
4087 - if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK)
4165 + if (d != NULL)
4166 + if ((rv = sslBN2KMFBN((BIGNUM *)d, &kmfkey->priexp)) != KMF_OK)
4088 4167 goto cleanup;
4089 4168
4090 - if (rsa->p != NULL)
4091 - if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK)
4169 + if (p != NULL)
4170 + if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime1)) != KMF_OK)
4092 4171 goto cleanup;
4093 4172
4094 - if (rsa->q != NULL)
4095 - if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK)
4173 + if (q != NULL)
4174 + if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->prime2)) != KMF_OK)
4096 4175 goto cleanup;
4097 4176
4098 - if (rsa->dmp1 != NULL)
4099 - if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK)
4177 + if (dmp1 != NULL)
4178 + if ((rv = sslBN2KMFBN((BIGNUM *)dmp1, &kmfkey->exp1)) != KMF_OK)
4100 4179 goto cleanup;
4101 4180
4102 - if (rsa->dmq1 != NULL)
4103 - if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK)
4181 + if (dmpq != NULL)
4182 + if ((rv = sslBN2KMFBN((BIGNUM *)dmpq, &kmfkey->exp2)) != KMF_OK)
4104 4183 goto cleanup;
4105 4184
4106 - if (rsa->iqmp != NULL)
4107 - if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK)
4185 + if (iqmp != NULL)
4186 + if ((rv = sslBN2KMFBN((BIGNUM *)iqmp, &kmfkey->coef)) != KMF_OK)
4108 4187 goto cleanup;
4109 4188 cleanup:
4110 4189 if (rv != KMF_OK)
4111 4190 kmf_free_raw_key(key);
4112 4191 else
4113 4192 key->keytype = KMF_RSA;
4114 4193
4115 4194 /*
4116 4195 * Free the reference to this key, SSL will not actually free
4117 4196 * the memory until the refcount == 0, so this is safe.
4118 4197 */
|
↓ open down ↓ |
1 lines elided |
↑ open up ↑ |
4119 4198 RSA_free(rsa);
4120 4199
4121 4200 return (rv);
4122 4201 }
4123 4202
4124 4203 static KMF_RETURN
4125 4204 exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key)
4126 4205 {
4127 4206 KMF_RETURN rv;
4128 4207 KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa;
4208 + const BIGNUM *p, *q, *g, *priv_key;
4129 4209
4210 + DSA_get0_pqg(dsa, &p, &q, &g);
4211 + DSA_get0_key(dsa, NULL, &priv_key);
4212 +
4130 4213 (void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY));
4131 - if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK)
4214 + if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime)) != KMF_OK)
4132 4215 goto cleanup;
4133 4216
4134 - if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK)
4217 + if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->subprime)) != KMF_OK)
4135 4218 goto cleanup;
4136 4219
4137 - if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK)
4220 + if ((rv = sslBN2KMFBN((BIGNUM *)g, &kmfkey->base)) != KMF_OK)
4138 4221 goto cleanup;
4139 4222
4140 - if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK)
4223 + if ((rv = sslBN2KMFBN((BIGNUM *)priv_key, &kmfkey->value)) != KMF_OK)
4141 4224 goto cleanup;
4142 4225
4143 4226 cleanup:
4144 4227 if (rv != KMF_OK)
4145 4228 kmf_free_raw_key(key);
4146 4229 else
4147 4230 key->keytype = KMF_DSA;
4148 4231
4149 4232 /*
4150 4233 * Free the reference to this key, SSL will not actually free
4151 4234 * the memory until the refcount == 0, so this is safe.
4152 4235 */
4153 4236 DSA_free(dsa);
4154 4237
4155 4238 return (rv);
4156 4239 }
4157 4240
4158 4241 static KMF_RETURN
4159 4242 add_cert_to_list(KMF_HANDLE *kmfh, X509 *sslcert,
4160 4243 KMF_X509_DER_CERT **certlist, int *ncerts)
4161 4244 {
4162 4245 KMF_RETURN rv = KMF_OK;
4163 4246 KMF_X509_DER_CERT *list = (*certlist);
4164 4247 KMF_X509_DER_CERT cert;
4165 4248 int n = (*ncerts);
4166 4249
4167 4250 if (list == NULL) {
4168 4251 list = (KMF_X509_DER_CERT *)malloc(sizeof (KMF_X509_DER_CERT));
4169 4252 } else {
4170 4253 list = (KMF_X509_DER_CERT *)realloc(list,
4171 4254 sizeof (KMF_X509_DER_CERT) * (n + 1));
4172 4255 }
4173 4256
4174 4257 if (list == NULL)
4175 4258 return (KMF_ERR_MEMORY);
4176 4259
4177 4260 (void) memset(&cert, 0, sizeof (cert));
4178 4261 rv = ssl_cert2KMFDATA(kmfh, sslcert, &cert.certificate);
4179 4262 if (rv == KMF_OK) {
4180 4263 int len = 0;
4181 4264 /* Get the alias name for the cert if there is one */
4182 4265 char *a = (char *)X509_alias_get0(sslcert, &len);
4183 4266 if (a != NULL)
4184 4267 cert.kmf_private.label = strdup(a);
4185 4268 cert.kmf_private.keystore_type = KMF_KEYSTORE_OPENSSL;
4186 4269
4187 4270 list[n] = cert;
4188 4271 (*ncerts) = n + 1;
4189 4272
4190 4273 *certlist = list;
4191 4274 } else {
4192 4275 free(list);
4193 4276 }
4194 4277
4195 4278 return (rv);
4196 4279 }
4197 4280
4198 4281 static KMF_RETURN
4199 4282 add_key_to_list(KMF_RAW_KEY_DATA **keylist,
4200 4283 KMF_RAW_KEY_DATA *newkey, int *nkeys)
4201 4284 {
4202 4285 KMF_RAW_KEY_DATA *list = (*keylist);
4203 4286 int n = (*nkeys);
4204 4287
4205 4288 if (list == NULL) {
4206 4289 list = (KMF_RAW_KEY_DATA *)malloc(sizeof (KMF_RAW_KEY_DATA));
4207 4290 } else {
4208 4291 list = (KMF_RAW_KEY_DATA *)realloc(list,
4209 4292 sizeof (KMF_RAW_KEY_DATA) * (n + 1));
4210 4293 }
4211 4294
4212 4295 if (list == NULL)
|
↓ open down ↓ |
62 lines elided |
↑ open up ↑ |
4213 4296 return (KMF_ERR_MEMORY);
4214 4297
4215 4298 list[n] = *newkey;
4216 4299 (*nkeys) = n + 1;
4217 4300
4218 4301 *keylist = list;
4219 4302
4220 4303 return (KMF_OK);
4221 4304 }
4222 4305
4223 -static X509_ATTRIBUTE *
4224 -find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4225 -{
4226 - X509_ATTRIBUTE *a;
4227 - int i;
4228 -
4229 - if (attrs == NULL)
4230 - return (NULL);
4231 -
4232 - for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
4233 - /* LINTED E_BAD_PTR_CAST_ALIGN */
4234 - a = sk_X509_ATTRIBUTE_value(attrs, i);
4235 - if (OBJ_obj2nid(a->object) == nid)
4236 - return (a);
4237 - }
4238 - return (NULL);
4239 -}
4240 -
4241 4306 static KMF_RETURN
4242 4307 convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4243 4308 {
4244 4309 KMF_RETURN rv = KMF_OK;
4245 4310 X509_ATTRIBUTE *attr;
4311 + RSA *rsa;
4312 + DSA *dsa;
4313 + int loc;
4246 4314
4247 4315 if (pkey == NULL || key == NULL)
4248 4316 return (KMF_ERR_BAD_PARAMETER);
4249 4317 /* Convert SSL key to raw key */
4250 - switch (pkey->type) {
4251 - case EVP_PKEY_RSA:
4252 - rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
4253 - key);
4254 - if (rv != KMF_OK)
4255 - return (rv);
4256 - break;
4257 - case EVP_PKEY_DSA:
4258 - rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
4259 - key);
4260 - if (rv != KMF_OK)
4261 - return (rv);
4262 - break;
4263 - default:
4264 - return (KMF_ERR_BAD_PARAMETER);
4265 - }
4318 + if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
4319 + rv = exportRawRSAKey(rsa, key);
4320 + if (rv != KMF_OK)
4321 + return (rv);
4322 + } else if ((dsa = EVP_PKEY_get1_DSA(pkey)) != NULL) {
4323 + rv = exportRawDSAKey(dsa, key);
4324 + if (rv != KMF_OK)
4325 + return (rv);
4326 + } else
4327 + return (KMF_ERR_BAD_PARAMETER);
4328 +
4266 4329 /*
4267 4330 * If friendlyName, add it to record.
4268 4331 */
4269 - attr = find_attr(pkey->attributes, NID_friendlyName);
4270 - if (attr != NULL) {
4332 +
4333 + if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
4334 + NID_friendlyName, -1)) != -1 &&
4335 + (attr = EVP_PKEY_get_attr(pkey, loc))) {
4271 4336 ASN1_TYPE *ty = NULL;
4272 - int numattr = sk_ASN1_TYPE_num(attr->value.set);
4273 - if (attr->single == 0 && numattr > 0) {
4274 - /* LINTED E_BAD_PTR_CAST_ALIGN */
4275 - ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4337 + int numattr = X509_ATTRIBUTE_count(attr);
4338 + if (numattr > 0) {
4339 + ty = X509_ATTRIBUTE_get0_type(attr, 0);
4276 4340 }
4277 4341 if (ty != NULL) {
4278 -#if OPENSSL_VERSION_NUMBER < 0x10000000L
4279 - key->label = uni2asc(ty->value.bmpstring->data,
4280 - ty->value.bmpstring->length);
4281 -#else
4282 4342 key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4283 4343 ty->value.bmpstring->length);
4284 -#endif
4285 4344 }
4286 4345 } else {
4287 4346 key->label = NULL;
4288 4347 }
4289 4348
4290 4349 /*
4291 4350 * If KeyID, add it to record as a KMF_DATA object.
4292 4351 */
4293 - attr = find_attr(pkey->attributes, NID_localKeyID);
4294 - if (attr != NULL) {
4352 + if ((loc = EVP_PKEY_get_attr_by_NID(pkey,
4353 + NID_localKeyID, -1)) != -1 &&
4354 + (attr = EVP_PKEY_get_attr(pkey, loc)) != NULL) {
4295 4355 ASN1_TYPE *ty = NULL;
4296 - int numattr = sk_ASN1_TYPE_num(attr->value.set);
4297 - if (attr->single == 0 && numattr > 0) {
4298 - /* LINTED E_BAD_PTR_CAST_ALIGN */
4299 - ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4300 - }
4356 + int numattr = X509_ATTRIBUTE_count(attr);
4357 + if (numattr > 0)
4358 + ty = X509_ATTRIBUTE_get0_type(attr, 0);
4301 4359 key->id.Data = (uchar_t *)malloc(
4302 4360 ty->value.octet_string->length);
4303 4361 if (key->id.Data == NULL)
4304 4362 return (KMF_ERR_MEMORY);
4305 4363 (void) memcpy(key->id.Data, ty->value.octet_string->data,
4306 4364 ty->value.octet_string->length);
4307 4365 key->id.Length = ty->value.octet_string->length;
4308 4366 } else {
4309 4367 (void) memset(&key->id, 0, sizeof (KMF_DATA));
4310 4368 }
4311 4369
4312 4370 return (rv);
4313 4371 }
4314 4372
4315 4373 static KMF_RETURN
4316 4374 convertPK12Objects(
4317 4375 KMF_HANDLE *kmfh,
4318 4376 STACK_OF(EVP_PKEY) *sslkeys,
4319 4377 STACK_OF(X509) *sslcert,
4320 4378 STACK_OF(X509) *sslcacerts,
4321 4379 KMF_RAW_KEY_DATA **keylist, int *nkeys,
4322 4380 KMF_X509_DER_CERT **certlist, int *ncerts)
4323 4381 {
4324 4382 KMF_RETURN rv = KMF_OK;
4325 4383 KMF_RAW_KEY_DATA key;
4326 4384 int i;
4327 4385
4328 4386 for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
4329 4387 /* LINTED E_BAD_PTR_CAST_ALIGN */
4330 4388 EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4331 4389 rv = convertToRawKey(pkey, &key);
4332 4390 if (rv == KMF_OK)
4333 4391 rv = add_key_to_list(keylist, &key, nkeys);
4334 4392
4335 4393 if (rv != KMF_OK)
4336 4394 return (rv);
4337 4395 }
4338 4396
4339 4397 /* Now add the certificate to the certlist */
4340 4398 for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
4341 4399 /* LINTED E_BAD_PTR_CAST_ALIGN */
4342 4400 X509 *cert = sk_X509_value(sslcert, i);
4343 4401 rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4344 4402 if (rv != KMF_OK)
4345 4403 return (rv);
4346 4404 }
4347 4405
4348 4406 /* Also add any included CA certs to the list */
4349 4407 for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4350 4408 X509 *c;
4351 4409 /*
4352 4410 * sk_X509_value() is macro that embeds a cast to (X509 *).
4353 4411 * Here it translates into ((X509 *)sk_value((ca), (i))).
4354 4412 * Lint is complaining about the embedded casting, and
4355 4413 * to fix it, you need to fix openssl header files.
4356 4414 */
4357 4415 /* LINTED E_BAD_PTR_CAST_ALIGN */
4358 4416 c = sk_X509_value(sslcacerts, i);
4359 4417
4360 4418 /* Now add the ca cert to the certlist */
4361 4419 rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4362 4420 if (rv != KMF_OK)
4363 4421 return (rv);
4364 4422 }
4365 4423 return (rv);
4366 4424 }
4367 4425
4368 4426 KMF_RETURN
4369 4427 openssl_import_objects(KMF_HANDLE *kmfh,
4370 4428 char *filename, KMF_CREDENTIAL *cred,
4371 4429 KMF_X509_DER_CERT **certlist, int *ncerts,
4372 4430 KMF_RAW_KEY_DATA **keylist, int *nkeys)
4373 4431 {
4374 4432 KMF_RETURN rv = KMF_OK;
4375 4433 KMF_ENCODE_FORMAT format;
4376 4434 BIO *bio = NULL;
4377 4435 STACK_OF(EVP_PKEY) *privkeys = NULL;
4378 4436 STACK_OF(X509) *certs = NULL;
4379 4437 STACK_OF(X509) *cacerts = NULL;
4380 4438
4381 4439 /*
4382 4440 * auto-detect the file format, regardless of what
4383 4441 * the 'format' parameters in the params say.
4384 4442 */
4385 4443 rv = kmf_get_file_format(filename, &format);
4386 4444 if (rv != KMF_OK) {
4387 4445 return (rv);
4388 4446 }
4389 4447
4390 4448 /* This function only works for PEM or PKCS#12 files */
4391 4449 if (format != KMF_FORMAT_PEM &&
4392 4450 format != KMF_FORMAT_PEM_KEYPAIR &&
4393 4451 format != KMF_FORMAT_PKCS12)
4394 4452 return (KMF_ERR_ENCODING);
4395 4453
4396 4454 *certlist = NULL;
4397 4455 *keylist = NULL;
4398 4456 *ncerts = 0;
4399 4457 *nkeys = 0;
4400 4458
4401 4459 if (format == KMF_FORMAT_PKCS12) {
4402 4460 bio = BIO_new_file(filename, "rb");
4403 4461 if (bio == NULL) {
4404 4462 SET_ERROR(kmfh, ERR_get_error());
4405 4463 rv = KMF_ERR_OPEN_FILE;
4406 4464 goto end;
4407 4465 }
4408 4466
4409 4467 rv = extract_pkcs12(bio, (uchar_t *)cred->cred,
4410 4468 (uint32_t)cred->credlen, &privkeys, &certs, &cacerts);
4411 4469
4412 4470 if (rv == KMF_OK)
4413 4471 /* Convert keys and certs to exportable format */
4414 4472 rv = convertPK12Objects(kmfh, privkeys, certs, cacerts,
4415 4473 keylist, nkeys, certlist, ncerts);
4416 4474 } else {
4417 4475 EVP_PKEY *pkey;
4418 4476 KMF_DATA *certdata = NULL;
4419 4477 KMF_X509_DER_CERT *kmfcerts = NULL;
4420 4478 int i;
4421 4479 rv = extract_pem(kmfh, NULL, NULL, NULL, filename,
4422 4480 (uchar_t *)cred->cred, (uint32_t)cred->credlen,
4423 4481 &pkey, &certdata, ncerts);
4424 4482
4425 4483 /* Reached end of import file? */
4426 4484 if (rv == KMF_OK && pkey != NULL) {
4427 4485 privkeys = sk_EVP_PKEY_new_null();
4428 4486 if (privkeys == NULL) {
4429 4487 rv = KMF_ERR_MEMORY;
4430 4488 goto end;
4431 4489 }
4432 4490 (void) sk_EVP_PKEY_push(privkeys, pkey);
4433 4491 /* convert the certificate list here */
4434 4492 if (*ncerts > 0 && certlist != NULL) {
4435 4493 kmfcerts = (KMF_X509_DER_CERT *)calloc(*ncerts,
4436 4494 sizeof (KMF_X509_DER_CERT));
4437 4495 if (kmfcerts == NULL) {
4438 4496 rv = KMF_ERR_MEMORY;
4439 4497 goto end;
4440 4498 }
4441 4499 for (i = 0; i < *ncerts; i++) {
4442 4500 kmfcerts[i].certificate = certdata[i];
4443 4501 kmfcerts[i].kmf_private.keystore_type =
4444 4502 KMF_KEYSTORE_OPENSSL;
4445 4503 }
4446 4504 *certlist = kmfcerts;
4447 4505 }
4448 4506 /*
4449 4507 * Convert keys to exportable format, the certs
4450 4508 * are already OK.
4451 4509 */
4452 4510 rv = convertPK12Objects(kmfh, privkeys, NULL, NULL,
4453 4511 keylist, nkeys, NULL, NULL);
4454 4512 }
4455 4513 }
4456 4514 end:
4457 4515 if (bio != NULL)
4458 4516 (void) BIO_free(bio);
4459 4517
4460 4518 if (privkeys)
4461 4519 sk_EVP_PKEY_pop_free(privkeys, EVP_PKEY_free);
4462 4520 if (certs)
4463 4521 sk_X509_pop_free(certs, X509_free);
4464 4522 if (cacerts)
4465 4523 sk_X509_pop_free(cacerts, X509_free);
4466 4524
4467 4525 return (rv);
4468 4526 }
4469 4527
4470 4528 static KMF_RETURN
4471 4529 create_deskey(DES_cblock **deskey)
4472 4530 {
4473 4531 DES_cblock *key;
4474 4532
4475 4533 key = (DES_cblock *) malloc(sizeof (DES_cblock));
4476 4534 if (key == NULL) {
4477 4535 return (KMF_ERR_MEMORY);
4478 4536 }
4479 4537
4480 4538 if (DES_random_key(key) == 0) {
4481 4539 free(key);
4482 4540 return (KMF_ERR_KEYGEN_FAILED);
4483 4541 }
4484 4542
4485 4543 *deskey = key;
4486 4544 return (KMF_OK);
4487 4545 }
4488 4546
4489 4547 #define KEYGEN_RETRY 3
4490 4548 #define DES3_KEY_SIZE 24
4491 4549
4492 4550 static KMF_RETURN
4493 4551 create_des3key(unsigned char **des3key)
4494 4552 {
4495 4553 KMF_RETURN ret = KMF_OK;
4496 4554 DES_cblock *deskey1 = NULL;
4497 4555 DES_cblock *deskey2 = NULL;
4498 4556 DES_cblock *deskey3 = NULL;
4499 4557 unsigned char *newkey = NULL;
4500 4558 int retry;
4501 4559
4502 4560 if ((newkey = malloc(DES3_KEY_SIZE)) == NULL) {
4503 4561 return (KMF_ERR_MEMORY);
4504 4562 }
4505 4563
4506 4564 /* create the 1st DES key */
4507 4565 if ((ret = create_deskey(&deskey1)) != KMF_OK) {
4508 4566 goto out;
4509 4567 }
4510 4568
4511 4569 /*
4512 4570 * Create the 2nd DES key and make sure its value is different
4513 4571 * from the 1st DES key.
4514 4572 */
4515 4573 retry = 0;
4516 4574 do {
4517 4575 if (deskey2 != NULL) {
4518 4576 free(deskey2);
4519 4577 deskey2 = NULL;
4520 4578 }
4521 4579
4522 4580 if ((ret = create_deskey(&deskey2)) != KMF_OK) {
4523 4581 goto out;
4524 4582 }
4525 4583
4526 4584 if (memcmp((const void *) deskey1, (const void *) deskey2, 8)
4527 4585 == 0) {
4528 4586 ret = KMF_ERR_KEYGEN_FAILED;
4529 4587 retry++;
4530 4588 }
4531 4589 } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
4532 4590
4533 4591 if (ret != KMF_OK) {
4534 4592 goto out;
4535 4593 }
4536 4594
4537 4595 /*
4538 4596 * Create the 3rd DES key and make sure its value is different
4539 4597 * from the 2nd DES key.
4540 4598 */
4541 4599 retry = 0;
4542 4600 do {
4543 4601 if (deskey3 != NULL) {
4544 4602 free(deskey3);
4545 4603 deskey3 = NULL;
4546 4604 }
4547 4605
4548 4606 if ((ret = create_deskey(&deskey3)) != KMF_OK) {
4549 4607 goto out;
4550 4608 }
4551 4609
4552 4610 if (memcmp((const void *)deskey2, (const void *)deskey3, 8)
4553 4611 == 0) {
4554 4612 ret = KMF_ERR_KEYGEN_FAILED;
4555 4613 retry++;
4556 4614 }
4557 4615 } while (ret == KMF_ERR_KEYGEN_FAILED && retry < KEYGEN_RETRY);
4558 4616
4559 4617 if (ret != KMF_OK) {
4560 4618 goto out;
4561 4619 }
4562 4620
4563 4621 /* Concatenate 3 DES keys into a DES3 key */
4564 4622 (void) memcpy((void *)newkey, (const void *)deskey1, 8);
4565 4623 (void) memcpy((void *)(newkey + 8), (const void *)deskey2, 8);
4566 4624 (void) memcpy((void *)(newkey + 16), (const void *)deskey3, 8);
4567 4625 *des3key = newkey;
4568 4626
4569 4627 out:
4570 4628 if (deskey1 != NULL)
4571 4629 free(deskey1);
4572 4630
4573 4631 if (deskey2 != NULL)
4574 4632 free(deskey2);
4575 4633
4576 4634 if (deskey3 != NULL)
4577 4635 free(deskey3);
4578 4636
4579 4637 if (ret != KMF_OK && newkey != NULL)
4580 4638 free(newkey);
4581 4639
4582 4640 return (ret);
4583 4641 }
4584 4642
4585 4643 KMF_RETURN
4586 4644 OpenSSL_CreateSymKey(KMF_HANDLE_T handle,
4587 4645 int numattr, KMF_ATTRIBUTE *attrlist)
4588 4646 {
4589 4647 KMF_RETURN ret = KMF_OK;
4590 4648 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
4591 4649 char *fullpath = NULL;
4592 4650 KMF_RAW_SYM_KEY *rkey = NULL;
4593 4651 DES_cblock *deskey = NULL;
4594 4652 unsigned char *des3key = NULL;
4595 4653 unsigned char *random = NULL;
4596 4654 int fd = -1;
4597 4655 KMF_KEY_HANDLE *symkey;
4598 4656 KMF_KEY_ALG keytype;
4599 4657 uint32_t keylen;
4600 4658 uint32_t keylen_size = sizeof (keylen);
4601 4659 char *dirpath;
4602 4660 char *keyfile;
4603 4661
4604 4662 if (kmfh == NULL)
4605 4663 return (KMF_ERR_UNINITIALIZED);
4606 4664
4607 4665 symkey = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
4608 4666 if (symkey == NULL)
4609 4667 return (KMF_ERR_BAD_PARAMETER);
4610 4668
4611 4669 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
4612 4670
4613 4671 keyfile = kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist, numattr);
4614 4672 if (keyfile == NULL)
4615 4673 return (KMF_ERR_BAD_PARAMETER);
4616 4674
4617 4675 ret = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
4618 4676 (void *)&keytype, NULL);
4619 4677 if (ret != KMF_OK)
4620 4678 return (KMF_ERR_BAD_PARAMETER);
4621 4679
4622 4680 ret = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
4623 4681 &keylen, &keylen_size);
4624 4682 if (ret == KMF_ERR_ATTR_NOT_FOUND &&
4625 4683 (keytype == KMF_DES || keytype == KMF_DES3))
4626 4684 /* keylength is not required for DES and 3DES */
4627 4685 ret = KMF_OK;
4628 4686 if (ret != KMF_OK)
4629 4687 return (KMF_ERR_BAD_PARAMETER);
4630 4688
4631 4689 fullpath = get_fullpath(dirpath, keyfile);
4632 4690 if (fullpath == NULL)
4633 4691 return (KMF_ERR_BAD_PARAMETER);
4634 4692
4635 4693 /* If the requested file exists, return an error */
4636 4694 if (test_for_file(fullpath, 0400) == 1) {
4637 4695 free(fullpath);
4638 4696 return (KMF_ERR_DUPLICATE_KEYFILE);
4639 4697 }
4640 4698
4641 4699 fd = open(fullpath, O_CREAT|O_TRUNC|O_RDWR, 0400);
4642 4700 if (fd == -1) {
4643 4701 ret = KMF_ERR_OPEN_FILE;
4644 4702 goto out;
4645 4703 }
4646 4704
4647 4705 rkey = malloc(sizeof (KMF_RAW_SYM_KEY));
4648 4706 if (rkey == NULL) {
4649 4707 ret = KMF_ERR_MEMORY;
4650 4708 goto out;
4651 4709 }
4652 4710 (void) memset(rkey, 0, sizeof (KMF_RAW_SYM_KEY));
4653 4711
4654 4712 if (keytype == KMF_DES) {
4655 4713 if ((ret = create_deskey(&deskey)) != KMF_OK) {
4656 4714 goto out;
4657 4715 }
4658 4716 rkey->keydata.val = (uchar_t *)deskey;
4659 4717 rkey->keydata.len = 8;
4660 4718
4661 4719 symkey->keyalg = KMF_DES;
4662 4720
4663 4721 } else if (keytype == KMF_DES3) {
4664 4722 if ((ret = create_des3key(&des3key)) != KMF_OK) {
4665 4723 goto out;
4666 4724 }
4667 4725 rkey->keydata.val = (uchar_t *)des3key;
4668 4726 rkey->keydata.len = DES3_KEY_SIZE;
4669 4727 symkey->keyalg = KMF_DES3;
4670 4728
4671 4729 } else if (keytype == KMF_AES || keytype == KMF_RC4 ||
4672 4730 keytype == KMF_GENERIC_SECRET) {
4673 4731 int bytes;
4674 4732
4675 4733 if (keylen % 8 != 0) {
4676 4734 ret = KMF_ERR_BAD_KEY_SIZE;
4677 4735 goto out;
4678 4736 }
4679 4737
4680 4738 if (keytype == KMF_AES) {
4681 4739 if (keylen != 128 &&
4682 4740 keylen != 192 &&
4683 4741 keylen != 256) {
4684 4742 ret = KMF_ERR_BAD_KEY_SIZE;
4685 4743 goto out;
4686 4744 }
4687 4745 }
4688 4746
4689 4747 bytes = keylen/8;
4690 4748 random = malloc(bytes);
4691 4749 if (random == NULL) {
4692 4750 ret = KMF_ERR_MEMORY;
4693 4751 goto out;
4694 4752 }
4695 4753 if (RAND_bytes(random, bytes) != 1) {
4696 4754 ret = KMF_ERR_KEYGEN_FAILED;
4697 4755 goto out;
4698 4756 }
4699 4757
4700 4758 rkey->keydata.val = (uchar_t *)random;
4701 4759 rkey->keydata.len = bytes;
4702 4760 symkey->keyalg = keytype;
4703 4761
4704 4762 } else {
4705 4763 ret = KMF_ERR_BAD_KEY_TYPE;
4706 4764 goto out;
4707 4765 }
4708 4766
4709 4767 (void) write(fd, (const void *) rkey->keydata.val, rkey->keydata.len);
4710 4768
4711 4769 symkey->kstype = KMF_KEYSTORE_OPENSSL;
4712 4770 symkey->keyclass = KMF_SYMMETRIC;
4713 4771 symkey->keylabel = (char *)fullpath;
4714 4772 symkey->israw = TRUE;
4715 4773 symkey->keyp = rkey;
4716 4774
4717 4775 out:
4718 4776 if (fd != -1)
4719 4777 (void) close(fd);
4720 4778
4721 4779 if (ret != KMF_OK && fullpath != NULL) {
4722 4780 free(fullpath);
4723 4781 }
4724 4782 if (ret != KMF_OK) {
4725 4783 kmf_free_raw_sym_key(rkey);
4726 4784 symkey->keyp = NULL;
4727 4785 symkey->keyalg = KMF_KEYALG_NONE;
4728 4786 }
4729 4787
4730 4788 return (ret);
4731 4789 }
4732 4790
4733 4791 /*
4734 4792 * Check a file to see if it is a CRL file with PEM or DER format.
4735 4793 * If success, return its format in the "pformat" argument.
4736 4794 */
4737 4795 KMF_RETURN
4738 4796 OpenSSL_IsCRLFile(KMF_HANDLE_T handle, char *filename, int *pformat)
4739 4797 {
4740 4798 KMF_RETURN ret = KMF_OK;
4741 4799 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
4742 4800 BIO *bio = NULL;
4743 4801 X509_CRL *xcrl = NULL;
4744 4802
4745 4803 if (filename == NULL) {
4746 4804 return (KMF_ERR_BAD_PARAMETER);
4747 4805 }
4748 4806
4749 4807 bio = BIO_new_file(filename, "rb");
4750 4808 if (bio == NULL) {
4751 4809 SET_ERROR(kmfh, ERR_get_error());
4752 4810 ret = KMF_ERR_OPEN_FILE;
4753 4811 goto out;
4754 4812 }
4755 4813
4756 4814 if ((xcrl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)) != NULL) {
4757 4815 *pformat = KMF_FORMAT_PEM;
4758 4816 goto out;
4759 4817 }
4760 4818 (void) BIO_free(bio);
4761 4819
4762 4820 /*
4763 4821 * Now try to read it as raw DER data.
4764 4822 */
4765 4823 bio = BIO_new_file(filename, "rb");
4766 4824 if (bio == NULL) {
4767 4825 SET_ERROR(kmfh, ERR_get_error());
4768 4826 ret = KMF_ERR_OPEN_FILE;
4769 4827 goto out;
4770 4828 }
4771 4829
4772 4830 if ((xcrl = d2i_X509_CRL_bio(bio, NULL)) != NULL) {
4773 4831 *pformat = KMF_FORMAT_ASN1;
4774 4832 } else {
4775 4833 ret = KMF_ERR_BAD_CRLFILE;
4776 4834 }
4777 4835
4778 4836 out:
4779 4837 if (bio != NULL)
4780 4838 (void) BIO_free(bio);
4781 4839
4782 4840 if (xcrl != NULL)
4783 4841 X509_CRL_free(xcrl);
4784 4842
4785 4843 return (ret);
4786 4844 }
4787 4845
4788 4846 KMF_RETURN
4789 4847 OpenSSL_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
4790 4848 KMF_RAW_SYM_KEY *rkey)
4791 4849 {
4792 4850 KMF_RETURN rv = KMF_OK;
4793 4851 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
4794 4852 KMF_DATA keyvalue;
4795 4853
4796 4854 if (kmfh == NULL)
4797 4855 return (KMF_ERR_UNINITIALIZED);
4798 4856
4799 4857 if (symkey == NULL || rkey == NULL)
4800 4858 return (KMF_ERR_BAD_PARAMETER);
4801 4859 else if (symkey->keyclass != KMF_SYMMETRIC)
4802 4860 return (KMF_ERR_BAD_KEY_CLASS);
4803 4861
4804 4862 if (symkey->israw) {
4805 4863 KMF_RAW_SYM_KEY *rawkey = (KMF_RAW_SYM_KEY *)symkey->keyp;
4806 4864
4807 4865 if (rawkey == NULL ||
4808 4866 rawkey->keydata.val == NULL ||
4809 4867 rawkey->keydata.len == 0)
4810 4868 return (KMF_ERR_BAD_KEYHANDLE);
4811 4869
4812 4870 rkey->keydata.len = rawkey->keydata.len;
4813 4871 if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
4814 4872 return (KMF_ERR_MEMORY);
4815 4873 (void) memcpy(rkey->keydata.val, rawkey->keydata.val,
4816 4874 rkey->keydata.len);
4817 4875 } else {
4818 4876 rv = kmf_read_input_file(handle, symkey->keylabel, &keyvalue);
4819 4877 if (rv != KMF_OK)
4820 4878 return (rv);
4821 4879 rkey->keydata.len = keyvalue.Length;
4822 4880 rkey->keydata.val = keyvalue.Data;
4823 4881 }
4824 4882
4825 4883 return (rv);
4826 4884 }
4827 4885
4828 4886 /*
4829 4887 * substitute for the unsafe access(2) function.
4830 4888 * If the file in question already exists, return 1.
4831 4889 * else 0. If an error occurs during testing (other
4832 4890 * than EEXIST), return -1.
4833 4891 */
4834 4892 static int
4835 4893 test_for_file(char *filename, mode_t mode)
4836 4894 {
4837 4895 int fd;
4838 4896
4839 4897 /*
4840 4898 * Try to create the file with the EXCL flag.
4841 4899 * The call should fail if the file exists.
4842 4900 */
4843 4901 fd = open(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
4844 4902 if (fd == -1 && errno == EEXIST)
4845 4903 return (1);
4846 4904 else if (fd == -1) /* some other error */
4847 4905 return (-1);
4848 4906
4849 4907 /* The file did NOT exist. Delete the testcase. */
4850 4908 (void) close(fd);
4851 4909 (void) unlink(filename);
4852 4910 return (0);
4853 4911 }
4854 4912
4855 4913 KMF_RETURN
4856 4914 OpenSSL_StoreKey(KMF_HANDLE_T handle, int numattr,
4857 4915 KMF_ATTRIBUTE *attrlist)
4858 4916 {
4859 4917 KMF_RETURN rv = KMF_OK;
4860 4918 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
4861 4919 KMF_KEY_HANDLE *pubkey = NULL, *prikey = NULL;
4862 4920 KMF_RAW_KEY_DATA *rawkey;
4863 4921 EVP_PKEY *pkey = NULL;
4864 4922 KMF_ENCODE_FORMAT format = KMF_FORMAT_PEM;
4865 4923 KMF_CREDENTIAL cred = { NULL, 0 };
4866 4924 BIO *out = NULL;
4867 4925 int keys = 0;
4868 4926 char *fullpath = NULL;
4869 4927 char *keyfile = NULL;
4870 4928 char *dirpath = NULL;
4871 4929
4872 4930 pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
4873 4931 if (pubkey != NULL)
4874 4932 keys++;
4875 4933
4876 4934 prikey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
4877 4935 if (prikey != NULL)
4878 4936 keys++;
4879 4937
4880 4938 rawkey = kmf_get_attr_ptr(KMF_RAW_KEY_ATTR, attrlist, numattr);
4881 4939 if (rawkey != NULL)
4882 4940 keys++;
4883 4941
4884 4942 /*
4885 4943 * Exactly 1 type of key must be passed to this function.
4886 4944 */
4887 4945 if (keys != 1)
4888 4946 return (KMF_ERR_BAD_PARAMETER);
4889 4947
4890 4948 keyfile = (char *)kmf_get_attr_ptr(KMF_KEY_FILENAME_ATTR, attrlist,
4891 4949 numattr);
4892 4950 if (keyfile == NULL)
4893 4951 return (KMF_ERR_BAD_PARAMETER);
4894 4952
4895 4953 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
4896 4954
4897 4955 fullpath = get_fullpath(dirpath, keyfile);
4898 4956
4899 4957 /* Once we have the full path, we don't need the pieces */
4900 4958 if (fullpath == NULL)
4901 4959 return (KMF_ERR_BAD_PARAMETER);
4902 4960
4903 4961 /* If the requested file exists, return an error */
4904 4962 if (test_for_file(fullpath, 0400) == 1) {
4905 4963 free(fullpath);
4906 4964 return (KMF_ERR_DUPLICATE_KEYFILE);
4907 4965 }
4908 4966
4909 4967 rv = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
4910 4968 &format, NULL);
4911 4969 if (rv != KMF_OK)
4912 4970 /* format is optional. */
4913 4971 rv = KMF_OK;
4914 4972
4915 4973 /* CRED is not required for OpenSSL files */
4916 4974 (void) kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
4917 4975 &cred, NULL);
4918 4976
4919 4977 /* Store the private key to the keyfile */
4920 4978 out = BIO_new_file(fullpath, "wb");
4921 4979 if (out == NULL) {
4922 4980 SET_ERROR(kmfh, ERR_get_error());
4923 4981 rv = KMF_ERR_OPEN_FILE;
4924 4982 goto end;
4925 4983 }
4926 4984
4927 4985 if (prikey != NULL && prikey->keyp != NULL) {
4928 4986 if (prikey->keyalg == KMF_RSA ||
4929 4987 prikey->keyalg == KMF_DSA) {
4930 4988 pkey = (EVP_PKEY *)prikey->keyp;
4931 4989
4932 4990 rv = ssl_write_key(kmfh, format,
4933 4991 out, &cred, pkey, TRUE);
4934 4992
4935 4993 if (rv == KMF_OK && prikey->keylabel == NULL) {
4936 4994 prikey->keylabel = strdup(fullpath);
4937 4995 if (prikey->keylabel == NULL)
4938 4996 rv = KMF_ERR_MEMORY;
4939 4997 }
4940 4998 }
4941 4999 } else if (pubkey != NULL && pubkey->keyp != NULL) {
4942 5000 if (pubkey->keyalg == KMF_RSA ||
4943 5001 pubkey->keyalg == KMF_DSA) {
4944 5002 pkey = (EVP_PKEY *)pubkey->keyp;
4945 5003
4946 5004 rv = ssl_write_key(kmfh, format,
4947 5005 out, &cred, pkey, FALSE);
4948 5006
4949 5007 if (rv == KMF_OK && pubkey->keylabel == NULL) {
4950 5008 pubkey->keylabel = strdup(fullpath);
4951 5009 if (pubkey->keylabel == NULL)
4952 5010 rv = KMF_ERR_MEMORY;
4953 5011 }
4954 5012 }
4955 5013 } else if (rawkey != NULL) {
4956 5014 if (rawkey->keytype == KMF_RSA) {
4957 5015 pkey = ImportRawRSAKey(&rawkey->rawdata.rsa);
4958 5016 } else if (rawkey->keytype == KMF_DSA) {
4959 5017 pkey = ImportRawDSAKey(&rawkey->rawdata.dsa);
4960 5018 } else {
4961 5019 rv = KMF_ERR_BAD_PARAMETER;
4962 5020 }
4963 5021 if (pkey != NULL) {
4964 5022 KMF_KEY_CLASS kclass = KMF_ASYM_PRI;
4965 5023
4966 5024 rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
4967 5025 (void *)&kclass, NULL);
4968 5026 if (rv != KMF_OK)
4969 5027 rv = KMF_OK;
4970 5028 rv = ssl_write_key(kmfh, format, out,
4971 5029 &cred, pkey, (kclass == KMF_ASYM_PRI));
4972 5030 EVP_PKEY_free(pkey);
4973 5031 }
4974 5032 }
4975 5033
4976 5034 end:
4977 5035
4978 5036 if (out)
4979 5037 (void) BIO_free(out);
4980 5038
4981 5039
4982 5040 if (rv == KMF_OK)
4983 5041 (void) chmod(fullpath, 0400);
4984 5042
4985 5043 free(fullpath);
4986 5044 return (rv);
4987 5045 }
4988 5046
4989 5047 KMF_RETURN
4990 5048 OpenSSL_ImportCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
4991 5049 {
4992 5050 KMF_RETURN ret = KMF_OK;
4993 5051 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
4994 5052 X509_CRL *xcrl = NULL;
4995 5053 X509 *xcert = NULL;
4996 5054 EVP_PKEY *pkey;
4997 5055 KMF_ENCODE_FORMAT format;
4998 5056 BIO *in = NULL, *out = NULL;
4999 5057 int openssl_ret = 0;
5000 5058 KMF_ENCODE_FORMAT outformat;
5001 5059 boolean_t crlcheck = FALSE;
5002 5060 char *certfile, *dirpath, *crlfile, *incrl, *outcrl, *outcrlfile;
5003 5061
5004 5062 if (numattr == 0 || attrlist == NULL) {
5005 5063 return (KMF_ERR_BAD_PARAMETER);
5006 5064 }
5007 5065
5008 5066 /* CRL check is optional */
5009 5067 (void) kmf_get_attr(KMF_CRL_CHECK_ATTR, attrlist, numattr,
5010 5068 &crlcheck, NULL);
5011 5069
5012 5070 certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
5013 5071 if (crlcheck == B_TRUE && certfile == NULL) {
5014 5072 return (KMF_ERR_BAD_CERTFILE);
5015 5073 }
5016 5074
5017 5075 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
5018 5076 incrl = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR, attrlist, numattr);
5019 5077 outcrl = kmf_get_attr_ptr(KMF_CRL_OUTFILE_ATTR, attrlist, numattr);
5020 5078
5021 5079 crlfile = get_fullpath(dirpath, incrl);
5022 5080
5023 5081 if (crlfile == NULL)
5024 5082 return (KMF_ERR_BAD_CRLFILE);
5025 5083
5026 5084 outcrlfile = get_fullpath(dirpath, outcrl);
5027 5085 if (outcrlfile == NULL)
5028 5086 return (KMF_ERR_BAD_CRLFILE);
5029 5087
5030 5088 if (isdir(outcrlfile)) {
5031 5089 free(outcrlfile);
5032 5090 return (KMF_ERR_BAD_CRLFILE);
5033 5091 }
5034 5092
5035 5093 ret = kmf_is_crl_file(handle, crlfile, &format);
5036 5094 if (ret != KMF_OK) {
5037 5095 free(outcrlfile);
5038 5096 return (ret);
5039 5097 }
5040 5098
5041 5099 in = BIO_new_file(crlfile, "rb");
5042 5100 if (in == NULL) {
5043 5101 SET_ERROR(kmfh, ERR_get_error());
5044 5102 ret = KMF_ERR_OPEN_FILE;
5045 5103 goto end;
5046 5104 }
5047 5105
5048 5106 if (format == KMF_FORMAT_ASN1) {
5049 5107 xcrl = d2i_X509_CRL_bio(in, NULL);
5050 5108 } else if (format == KMF_FORMAT_PEM) {
5051 5109 xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
5052 5110 }
5053 5111
5054 5112 if (xcrl == NULL) {
5055 5113 SET_ERROR(kmfh, ERR_get_error());
5056 5114 ret = KMF_ERR_BAD_CRLFILE;
5057 5115 goto end;
5058 5116 }
5059 5117
5060 5118 /* If bypasscheck is specified, no need to verify. */
5061 5119 if (crlcheck == B_FALSE)
5062 5120 goto output;
5063 5121
5064 5122 ret = kmf_is_cert_file(handle, certfile, &format);
5065 5123 if (ret != KMF_OK)
5066 5124 goto end;
5067 5125
5068 5126 /* Read in the CA cert file and convert to X509 */
5069 5127 if (BIO_read_filename(in, certfile) <= 0) {
5070 5128 SET_ERROR(kmfh, ERR_get_error());
5071 5129 ret = KMF_ERR_OPEN_FILE;
5072 5130 goto end;
5073 5131 }
5074 5132
5075 5133 if (format == KMF_FORMAT_ASN1) {
5076 5134 xcert = d2i_X509_bio(in, NULL);
5077 5135 } else if (format == KMF_FORMAT_PEM) {
5078 5136 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5079 5137 } else {
5080 5138 ret = KMF_ERR_BAD_CERT_FORMAT;
5081 5139 goto end;
5082 5140 }
5083 5141
5084 5142 if (xcert == NULL) {
5085 5143 SET_ERROR(kmfh, ERR_get_error());
5086 5144 ret = KMF_ERR_BAD_CERT_FORMAT;
5087 5145 goto end;
5088 5146 }
5089 5147 /* Now get the public key from the CA cert */
5090 5148 pkey = X509_get_pubkey(xcert);
5091 5149 if (pkey == NULL) {
5092 5150 SET_ERROR(kmfh, ERR_get_error());
5093 5151 ret = KMF_ERR_BAD_CERTFILE;
5094 5152 goto end;
5095 5153 }
5096 5154
5097 5155 /* Verify the CRL with the CA's public key */
5098 5156 openssl_ret = X509_CRL_verify(xcrl, pkey);
5099 5157 EVP_PKEY_free(pkey);
5100 5158 if (openssl_ret > 0) {
5101 5159 ret = KMF_OK; /* verify succeed */
5102 5160 } else {
5103 5161 SET_ERROR(kmfh, openssl_ret);
5104 5162 ret = KMF_ERR_BAD_CRLFILE;
5105 5163 }
5106 5164
5107 5165 output:
5108 5166 ret = kmf_get_attr(KMF_ENCODE_FORMAT_ATTR, attrlist, numattr,
5109 5167 &outformat, NULL);
5110 5168 if (ret != KMF_OK) {
5111 5169 ret = KMF_OK;
5112 5170 outformat = KMF_FORMAT_PEM;
5113 5171 }
5114 5172
5115 5173 out = BIO_new_file(outcrlfile, "wb");
5116 5174 if (out == NULL) {
5117 5175 SET_ERROR(kmfh, ERR_get_error());
5118 5176 ret = KMF_ERR_OPEN_FILE;
5119 5177 goto end;
5120 5178 }
5121 5179
5122 5180 if (outformat == KMF_FORMAT_ASN1) {
5123 5181 openssl_ret = (int)i2d_X509_CRL_bio(out, xcrl);
5124 5182 } else if (outformat == KMF_FORMAT_PEM) {
5125 5183 openssl_ret = PEM_write_bio_X509_CRL(out, xcrl);
5126 5184 } else {
5127 5185 ret = KMF_ERR_BAD_PARAMETER;
5128 5186 goto end;
5129 5187 }
5130 5188
5131 5189 if (openssl_ret <= 0) {
5132 5190 SET_ERROR(kmfh, ERR_get_error());
5133 5191 ret = KMF_ERR_WRITE_FILE;
5134 5192 } else {
5135 5193 ret = KMF_OK;
5136 5194 }
5137 5195
5138 5196 end:
5139 5197 if (xcrl != NULL)
5140 5198 X509_CRL_free(xcrl);
5141 5199
5142 5200 if (xcert != NULL)
5143 5201 X509_free(xcert);
5144 5202
5145 5203 if (in != NULL)
5146 5204 (void) BIO_free(in);
5147 5205
5148 5206 if (out != NULL)
5149 5207 (void) BIO_free(out);
5150 5208
5151 5209 if (outcrlfile != NULL)
5152 5210 free(outcrlfile);
5153 5211
5154 5212 return (ret);
5155 5213 }
5156 5214
5157 5215 KMF_RETURN
5158 5216 OpenSSL_ListCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
5159 5217 {
5160 5218 KMF_RETURN ret = KMF_OK;
5161 5219 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
5162 5220 X509_CRL *x = NULL;
5163 5221 KMF_ENCODE_FORMAT format;
5164 5222 char *crlfile = NULL;
5165 5223 BIO *in = NULL;
5166 5224 BIO *mem = NULL;
5167 5225 long len;
5168 5226 char *memptr;
5169 5227 char *data = NULL;
5170 5228 char **crldata;
5171 5229 char *crlfilename, *dirpath;
5172 5230
5173 5231 if (numattr == 0 || attrlist == NULL) {
5174 5232 return (KMF_ERR_BAD_PARAMETER);
5175 5233 }
5176 5234 crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
5177 5235 attrlist, numattr);
5178 5236 if (crlfilename == NULL)
5179 5237 return (KMF_ERR_BAD_CRLFILE);
5180 5238
5181 5239 crldata = (char **)kmf_get_attr_ptr(KMF_CRL_DATA_ATTR,
5182 5240 attrlist, numattr);
5183 5241
5184 5242 if (crldata == NULL)
5185 5243 return (KMF_ERR_BAD_PARAMETER);
5186 5244
5187 5245 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
5188 5246
5189 5247 crlfile = get_fullpath(dirpath, crlfilename);
5190 5248
5191 5249 if (crlfile == NULL)
5192 5250 return (KMF_ERR_BAD_CRLFILE);
5193 5251
5194 5252 if (isdir(crlfile)) {
5195 5253 free(crlfile);
5196 5254 return (KMF_ERR_BAD_CRLFILE);
5197 5255 }
5198 5256
5199 5257 ret = kmf_is_crl_file(handle, crlfile, &format);
5200 5258 if (ret != KMF_OK) {
5201 5259 free(crlfile);
5202 5260 return (ret);
5203 5261 }
5204 5262
5205 5263 if (bio_err == NULL)
5206 5264 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
5207 5265
5208 5266 in = BIO_new_file(crlfile, "rb");
5209 5267 if (in == NULL) {
5210 5268 SET_ERROR(kmfh, ERR_get_error());
5211 5269 ret = KMF_ERR_OPEN_FILE;
5212 5270 goto end;
5213 5271 }
5214 5272
5215 5273 if (format == KMF_FORMAT_ASN1) {
5216 5274 x = d2i_X509_CRL_bio(in, NULL);
5217 5275 } else if (format == KMF_FORMAT_PEM) {
5218 5276 x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
5219 5277 }
5220 5278
5221 5279 if (x == NULL) { /* should not happen */
5222 5280 SET_ERROR(kmfh, ERR_get_error());
5223 5281 ret = KMF_ERR_OPEN_FILE;
5224 5282 goto end;
5225 5283 }
5226 5284
5227 5285 mem = BIO_new(BIO_s_mem());
5228 5286 if (mem == NULL) {
5229 5287 SET_ERROR(kmfh, ERR_get_error());
5230 5288 ret = KMF_ERR_MEMORY;
5231 5289 goto end;
5232 5290 }
5233 5291
5234 5292 (void) X509_CRL_print(mem, x);
5235 5293 len = BIO_get_mem_data(mem, &memptr);
5236 5294 if (len <= 0) {
5237 5295 SET_ERROR(kmfh, ERR_get_error());
5238 5296 ret = KMF_ERR_MEMORY;
5239 5297 goto end;
5240 5298 }
5241 5299
5242 5300 data = malloc(len + 1);
5243 5301 if (data == NULL) {
5244 5302 ret = KMF_ERR_MEMORY;
5245 5303 goto end;
5246 5304 }
5247 5305
5248 5306 (void) memcpy(data, memptr, len);
5249 5307 data[len] = '\0';
5250 5308 *crldata = data;
5251 5309
5252 5310 end:
5253 5311 if (x != NULL)
5254 5312 X509_CRL_free(x);
5255 5313
5256 5314 if (crlfile != NULL)
5257 5315 free(crlfile);
5258 5316
5259 5317 if (in != NULL)
5260 5318 (void) BIO_free(in);
5261 5319
5262 5320 if (mem != NULL)
5263 5321 (void) BIO_free(mem);
5264 5322
5265 5323 return (ret);
5266 5324 }
5267 5325
5268 5326 KMF_RETURN
5269 5327 OpenSSL_DeleteCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
5270 5328 {
5271 5329 KMF_RETURN ret = KMF_OK;
5272 5330 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
5273 5331 KMF_ENCODE_FORMAT format;
5274 5332 char *crlfile = NULL;
5275 5333 BIO *in = NULL;
5276 5334 char *crlfilename, *dirpath;
5277 5335
5278 5336 if (numattr == 0 || attrlist == NULL) {
5279 5337 return (KMF_ERR_BAD_PARAMETER);
5280 5338 }
5281 5339
5282 5340 crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
5283 5341 attrlist, numattr);
5284 5342
5285 5343 if (crlfilename == NULL)
5286 5344 return (KMF_ERR_BAD_CRLFILE);
5287 5345
5288 5346 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
5289 5347
5290 5348 crlfile = get_fullpath(dirpath, crlfilename);
5291 5349
5292 5350 if (crlfile == NULL)
5293 5351 return (KMF_ERR_BAD_CRLFILE);
5294 5352
5295 5353 if (isdir(crlfile)) {
5296 5354 ret = KMF_ERR_BAD_CRLFILE;
5297 5355 goto end;
5298 5356 }
5299 5357
5300 5358 ret = kmf_is_crl_file(handle, crlfile, &format);
5301 5359 if (ret != KMF_OK)
5302 5360 goto end;
5303 5361
5304 5362 if (unlink(crlfile) != 0) {
5305 5363 SET_SYS_ERROR(kmfh, errno);
5306 5364 ret = KMF_ERR_INTERNAL;
5307 5365 goto end;
5308 5366 }
5309 5367
5310 5368 end:
5311 5369 if (in != NULL)
5312 5370 (void) BIO_free(in);
5313 5371 if (crlfile != NULL)
5314 5372 free(crlfile);
5315 5373
5316 5374 return (ret);
5317 5375 }
5318 5376
5319 5377 KMF_RETURN
5320 5378 OpenSSL_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
5321 5379 {
5322 5380 KMF_RETURN ret = KMF_OK;
5323 5381 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
5324 5382 KMF_ENCODE_FORMAT format;
5325 5383 BIO *in = NULL;
5326 5384 X509 *xcert = NULL;
5327 5385 X509_CRL *xcrl = NULL;
5328 5386 STACK_OF(X509_REVOKED) *revoke_stack = NULL;
5329 5387 X509_REVOKED *revoke;
5330 5388 int i;
5331 5389 char *crlfilename, *crlfile, *dirpath, *certfile;
5332 5390
5333 5391 if (numattr == 0 || attrlist == NULL) {
5334 5392 return (KMF_ERR_BAD_PARAMETER);
5335 5393 }
5336 5394
5337 5395 crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR,
5338 5396 attrlist, numattr);
5339 5397
5340 5398 if (crlfilename == NULL)
5341 5399 return (KMF_ERR_BAD_CRLFILE);
5342 5400
5343 5401 certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
5344 5402 if (certfile == NULL)
5345 5403 return (KMF_ERR_BAD_CRLFILE);
5346 5404
5347 5405 dirpath = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
5348 5406
5349 5407 crlfile = get_fullpath(dirpath, crlfilename);
5350 5408
5351 5409 if (crlfile == NULL)
5352 5410 return (KMF_ERR_BAD_CRLFILE);
5353 5411
5354 5412 if (isdir(crlfile)) {
5355 5413 ret = KMF_ERR_BAD_CRLFILE;
5356 5414 goto end;
5357 5415 }
5358 5416
5359 5417 ret = kmf_is_crl_file(handle, crlfile, &format);
5360 5418 if (ret != KMF_OK)
5361 5419 goto end;
5362 5420
5363 5421 /* Read the CRL file and load it into a X509_CRL structure */
5364 5422 in = BIO_new_file(crlfilename, "rb");
5365 5423 if (in == NULL) {
5366 5424 SET_ERROR(kmfh, ERR_get_error());
5367 5425 ret = KMF_ERR_OPEN_FILE;
5368 5426 goto end;
5369 5427 }
5370 5428
5371 5429 if (format == KMF_FORMAT_ASN1) {
5372 5430 xcrl = d2i_X509_CRL_bio(in, NULL);
5373 5431 } else if (format == KMF_FORMAT_PEM) {
5374 5432 xcrl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
5375 5433 }
5376 5434
5377 5435 if (xcrl == NULL) {
5378 5436 SET_ERROR(kmfh, ERR_get_error());
5379 5437 ret = KMF_ERR_BAD_CRLFILE;
5380 5438 goto end;
5381 5439 }
5382 5440 (void) BIO_free(in);
5383 5441
5384 5442 /* Read the Certificate file and load it into a X509 structure */
5385 5443 ret = kmf_is_cert_file(handle, certfile, &format);
5386 5444 if (ret != KMF_OK)
5387 5445 goto end;
5388 5446
5389 5447 in = BIO_new_file(certfile, "rb");
5390 5448 if (in == NULL) {
5391 5449 SET_ERROR(kmfh, ERR_get_error());
5392 5450 ret = KMF_ERR_OPEN_FILE;
5393 5451 goto end;
5394 5452 }
5395 5453
5396 5454 if (format == KMF_FORMAT_ASN1) {
5397 5455 xcert = d2i_X509_bio(in, NULL);
5398 5456 } else if (format == KMF_FORMAT_PEM) {
|
↓ open down ↓ |
1088 lines elided |
↑ open up ↑ |
5399 5457 xcert = PEM_read_bio_X509(in, NULL, NULL, NULL);
5400 5458 }
5401 5459
5402 5460 if (xcert == NULL) {
5403 5461 SET_ERROR(kmfh, ERR_get_error());
5404 5462 ret = KMF_ERR_BAD_CERTFILE;
5405 5463 goto end;
5406 5464 }
5407 5465
5408 5466 /* Check if the certificate and the CRL have same issuer */
5409 - if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
5467 + if (X509_NAME_cmp(X509_get_issuer_name(xcert),
5468 + X509_CRL_get_issuer(xcrl)) != 0) {
5410 5469 ret = KMF_ERR_ISSUER;
5411 5470 goto end;
5412 5471 }
5413 5472
5414 5473 /* Check to see if the certificate serial number is revoked */
5415 5474 revoke_stack = X509_CRL_get_REVOKED(xcrl);
5416 5475 if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5417 5476 /* No revoked certificates in the CRL file */
5418 5477 SET_ERROR(kmfh, ERR_get_error());
5419 5478 ret = KMF_ERR_EMPTY_CRL;
5420 5479 goto end;
5421 5480 }
5422 5481
5423 5482 for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
5424 5483 /* LINTED E_BAD_PTR_CAST_ALIGN */
5425 5484 revoke = sk_X509_REVOKED_value(revoke_stack, i);
5426 - if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5427 - revoke->serialNumber) == 0) {
5485 + if (ASN1_INTEGER_cmp(X509_get_serialNumber(xcert),
5486 + X509_REVOKED_get0_serialNumber(revoke)) == 0) {
5428 5487 break;
5429 5488 }
5430 5489 }
5431 5490
5432 5491 if (i < sk_X509_REVOKED_num(revoke_stack)) {
5433 5492 ret = KMF_OK;
5434 5493 } else {
5435 5494 ret = KMF_ERR_NOT_REVOKED;
5436 5495 }
5437 5496
5438 5497 end:
5439 5498 if (in != NULL)
5440 5499 (void) BIO_free(in);
5441 5500 if (xcrl != NULL)
5442 5501 X509_CRL_free(xcrl);
5443 5502 if (xcert != NULL)
5444 5503 X509_free(xcert);
5445 5504
5446 5505 return (ret);
5447 5506 }
5448 5507
5449 5508 KMF_RETURN
5450 5509 OpenSSL_VerifyCRLFile(KMF_HANDLE_T handle, char *crlname, KMF_DATA *tacert)
5451 5510 {
5452 5511 KMF_RETURN ret = KMF_OK;
5453 5512 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
5454 5513 BIO *bcrl = NULL;
5455 5514 X509_CRL *xcrl = NULL;
5456 5515 X509 *xcert = NULL;
5457 5516 EVP_PKEY *pkey;
5458 5517 int sslret;
5459 5518 KMF_ENCODE_FORMAT crl_format;
5460 5519 unsigned char *p;
5461 5520 long len;
5462 5521
5463 5522 if (handle == NULL || crlname == NULL || tacert == NULL) {
5464 5523 return (KMF_ERR_BAD_PARAMETER);
5465 5524 }
5466 5525
5467 5526 ret = kmf_get_file_format(crlname, &crl_format);
5468 5527 if (ret != KMF_OK)
5469 5528 return (ret);
5470 5529
5471 5530 bcrl = BIO_new_file(crlname, "rb");
5472 5531 if (bcrl == NULL) {
5473 5532 SET_ERROR(kmfh, ERR_get_error());
5474 5533 ret = KMF_ERR_OPEN_FILE;
5475 5534 goto cleanup;
5476 5535 }
5477 5536
5478 5537 if (crl_format == KMF_FORMAT_ASN1) {
5479 5538 xcrl = d2i_X509_CRL_bio(bcrl, NULL);
5480 5539 } else if (crl_format == KMF_FORMAT_PEM) {
5481 5540 xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
5482 5541 } else {
5483 5542 ret = KMF_ERR_BAD_PARAMETER;
5484 5543 goto cleanup;
5485 5544 }
5486 5545
5487 5546 if (xcrl == NULL) {
5488 5547 SET_ERROR(kmfh, ERR_get_error());
5489 5548 ret = KMF_ERR_BAD_CRLFILE;
5490 5549 goto cleanup;
5491 5550 }
5492 5551
5493 5552 p = tacert->Data;
5494 5553 len = tacert->Length;
5495 5554 xcert = d2i_X509(NULL, (const uchar_t **)&p, len);
5496 5555
5497 5556 if (xcert == NULL) {
5498 5557 SET_ERROR(kmfh, ERR_get_error());
5499 5558 ret = KMF_ERR_BAD_CERTFILE;
5500 5559 goto cleanup;
5501 5560 }
5502 5561
5503 5562 /* Get issuer certificate public key */
5504 5563 pkey = X509_get_pubkey(xcert);
5505 5564 if (pkey == NULL) {
5506 5565 SET_ERROR(kmfh, ERR_get_error());
5507 5566 ret = KMF_ERR_BAD_CERT_FORMAT;
5508 5567 goto cleanup;
5509 5568 }
5510 5569
5511 5570 /* Verify CRL signature */
5512 5571 sslret = X509_CRL_verify(xcrl, pkey);
5513 5572 EVP_PKEY_free(pkey);
5514 5573 if (sslret > 0) {
5515 5574 ret = KMF_OK;
5516 5575 } else {
5517 5576 SET_ERROR(kmfh, sslret);
5518 5577 ret = KMF_ERR_BAD_CRLFILE;
5519 5578 }
5520 5579
5521 5580 cleanup:
5522 5581 if (bcrl != NULL)
5523 5582 (void) BIO_free(bcrl);
5524 5583
5525 5584 if (xcrl != NULL)
5526 5585 X509_CRL_free(xcrl);
5527 5586
5528 5587 if (xcert != NULL)
5529 5588 X509_free(xcert);
5530 5589
5531 5590 return (ret);
5532 5591
5533 5592 }
5534 5593
5535 5594 KMF_RETURN
5536 5595 OpenSSL_CheckCRLDate(KMF_HANDLE_T handle, char *crlname)
5537 5596 {
5538 5597 KMF_RETURN ret = KMF_OK;
5539 5598 KMF_HANDLE *kmfh = (KMF_HANDLE *)handle;
5540 5599 KMF_ENCODE_FORMAT crl_format;
5541 5600 BIO *bcrl = NULL;
5542 5601 X509_CRL *xcrl = NULL;
5543 5602 int i;
5544 5603
5545 5604 if (handle == NULL || crlname == NULL) {
5546 5605 return (KMF_ERR_BAD_PARAMETER);
5547 5606 }
5548 5607
5549 5608 ret = kmf_is_crl_file(handle, crlname, &crl_format);
5550 5609 if (ret != KMF_OK)
5551 5610 return (ret);
5552 5611
5553 5612 bcrl = BIO_new_file(crlname, "rb");
5554 5613 if (bcrl == NULL) {
5555 5614 SET_ERROR(kmfh, ERR_get_error());
5556 5615 ret = KMF_ERR_OPEN_FILE;
5557 5616 goto cleanup;
5558 5617 }
5559 5618
|
↓ open down ↓ |
122 lines elided |
↑ open up ↑ |
5560 5619 if (crl_format == KMF_FORMAT_ASN1)
5561 5620 xcrl = d2i_X509_CRL_bio(bcrl, NULL);
5562 5621 else if (crl_format == KMF_FORMAT_PEM)
5563 5622 xcrl = PEM_read_bio_X509_CRL(bcrl, NULL, NULL, NULL);
5564 5623
5565 5624 if (xcrl == NULL) {
5566 5625 SET_ERROR(kmfh, ERR_get_error());
5567 5626 ret = KMF_ERR_BAD_CRLFILE;
5568 5627 goto cleanup;
5569 5628 }
5570 - i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL);
5629 + i = X509_cmp_time(X509_CRL_get0_lastUpdate(xcrl), NULL);
5571 5630 if (i >= 0) {
5572 5631 ret = KMF_ERR_VALIDITY_PERIOD;
5573 5632 goto cleanup;
5574 5633 }
5575 - if (X509_CRL_get_nextUpdate(xcrl)) {
5576 - i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL);
5634 + if (X509_CRL_get0_nextUpdate(xcrl)) {
5635 + i = X509_cmp_time(X509_CRL_get0_nextUpdate(xcrl), NULL);
5577 5636
5578 5637 if (i <= 0) {
5579 5638 ret = KMF_ERR_VALIDITY_PERIOD;
5580 5639 goto cleanup;
5581 5640 }
5582 5641 }
5583 5642
5584 5643 ret = KMF_OK;
5585 5644
5586 5645 cleanup:
5587 5646 if (bcrl != NULL)
5588 5647 (void) BIO_free(bcrl);
5589 5648
5590 5649 if (xcrl != NULL)
5591 5650 X509_CRL_free(xcrl);
5592 5651
5593 5652 return (ret);
5594 5653 }
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX