/* * ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* * Copyright 2006 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #include #include #include #include #include #include #include #include #include #include #include /* * sunw_cryto_init() does crypto-specific initialization. * * Arguments: * None. * * Returns: * None. */ void sunw_crypto_init(void) { OpenSSL_add_all_algorithms(); SSL_load_error_strings(); ERR_load_SUNW_strings(); (void) SSL_library_init(); } /* * sunw_split_certs() - Given a list of certs and a list of private keys, * moves certs which match one of the keys to a different stack. * * Arguments: * allkeys - Points to a stack of private keys to search. * allcerts - Points to a stack of certs to be searched. * keycerts - Points to address of a stack of certs with matching private * keys. They are moved from 'allcerts'. This may not be NULL * when called. If *keycerts is NULL upon entry, a new stack will * be allocated. Otherwise, it must be a valid STACK_OF(509). * nocerts - Points to address of a stack for keys which have no matching * certs. Keys are moved from 'allkeys' here when they have no * matching certs. If this is NULL, matchless keys will be * discarded. * * Notes: If an error occurs while moving certs, the cert being move may be * lost. 'keycerts' may only contain part of the matching certs. The number * of certs successfully moved can be found by checking sk_X509_num(keycerts). * * If there is a key which does not have a matching cert, it is moved to * the list nocerts. * * If all certs are removed from 'certs' and/or 'pkeys', it will be the * caller's responsibility to free the empty stacks. * * Returns: * < 0 - An error returned. Call ERR_get_error() to get errors information. * Where possible, memory has been freed. * >= 0 - The number of certs moved from 'cert' to 'pkcerts'. */ int sunw_split_certs(STACK_OF(EVP_PKEY) *allkeys, STACK_OF(X509) *allcerts, STACK_OF(X509) **keycerts, STACK_OF(EVP_PKEY) **nocerts) { STACK_OF(X509) *matching; STACK_OF(EVP_PKEY) *nomatch; EVP_PKEY *tmpkey; X509 *tmpcert; int count = 0; int found; int res; int i; int k; *keycerts = NULL; if (nocerts != NULL) *nocerts = NULL; nomatch = NULL; if ((matching = sk_X509_new_null()) == NULL) { SUNWerr(SUNW_F_SPLIT_CERTS, SUNW_R_MEMORY_FAILURE); return (-1); } *keycerts = matching; k = 0; while (k < sk_EVP_PKEY_num(allkeys)) { found = 0; tmpkey = sk_EVP_PKEY_value(allkeys, k); for (i = 0; i < sk_X509_num(allcerts); i++) { tmpcert = sk_X509_value(allcerts, i); res = X509_check_private_key(tmpcert, tmpkey); if (res != 0) { count++; found = 1; tmpcert = sk_X509_delete(allcerts, i); if (sk_X509_push(matching, tmpcert) == 0) { X509_free(tmpcert); SUNWerr(SUNW_F_SPLIT_CERTS, SUNW_R_MEMORY_FAILURE); return (-1); } break; } } if (found != 0) { /* * Found a match - keep the key & check out the next * one. */ k++; } else { /* * No cert matching this key. Move the key if * possible or discard it. Don't increment the * index. */ if (nocerts == NULL) { tmpkey = sk_EVP_PKEY_delete(allkeys, k); sunw_evp_pkey_free(tmpkey); } else { if (*nocerts == NULL) { nomatch = sk_EVP_PKEY_new_null(); if (nomatch == NULL) { SUNWerr(SUNW_F_SPLIT_CERTS, SUNW_R_MEMORY_FAILURE); return (-1); } *nocerts = nomatch; } tmpkey = sk_EVP_PKEY_delete(allkeys, k); if (sk_EVP_PKEY_push(nomatch, tmpkey) == 0) { sunw_evp_pkey_free(tmpkey); SUNWerr(SUNW_F_SPLIT_CERTS, SUNW_R_MEMORY_FAILURE); return (-1); } } } } return (count); } /* * sunw_evp_pkey_free() Given an EVP_PKEY structure, free any attributes * that are attached. Then free the EVP_PKEY itself. * * This is a replacement for EVP_PKEY_free() for the sunw stuff. * It should be used in places where EVP_PKEY_free would be used, * including calls to sk_EVP_PKEY_pop_free(). * * Arguments: * pkey - Entry which potentially has attributes to be freed. * * Returns: * None. */ void sunw_evp_pkey_free(EVP_PKEY *pkey) { if (pkey != NULL) { if (pkey->attributes != NULL) { sk_X509_ATTRIBUTE_pop_free(pkey->attributes, X509_ATTRIBUTE_free); pkey->attributes = NULL; } EVP_PKEY_free(pkey); } } /* * sunw_set_localkeyid() sets the localkeyid in a cert, a private key or * both. Any existing localkeyid will be discarded. * * Arguments: * keyid_str- A byte string with the localkeyid to set * keyid_len- Length of the keyid byte string. * pkey - Points to a private key to set the keyidstr in. * cert - Points to a cert to set the keyidstr in. * * Note that setting a keyid into a cert which will not be written out as * a PKCS12 cert is pointless since it will be lost. * * Returns: * 0 - Success. * < 0 - An error occurred. It was probably an error in allocating * memory. The error will be set in the error stack. Call * ERR_get_error() to get specific information. */ int sunw_set_localkeyid(const char *keyid_str, int keyid_len, EVP_PKEY *pkey, X509 *cert) { X509_ATTRIBUTE *attr = NULL; ASN1_STRING *str = NULL; ASN1_TYPE *keyid = NULL; int retval = -1; int i; if (cert != NULL) { if (X509_keyid_set1(cert, (uchar_t *)keyid_str, keyid_len) == 0) { SUNWerr(SUNW_F_SET_LOCALKEYID, SUNW_R_SET_LKID_ERR); goto cleanup; } } if (pkey != NULL) { str = (ASN1_STRING *)M_ASN1_OCTET_STRING_new(); if (str == NULL || M_ASN1_OCTET_STRING_set(str, keyid_str, keyid_len) == 0 || (keyid = ASN1_TYPE_new()) == NULL) { SUNWerr(SUNW_F_SET_LOCALKEYID, SUNW_R_MEMORY_FAILURE); goto cleanup; } ASN1_TYPE_set(keyid, V_ASN1_OCTET_STRING, str); str = NULL; attr = type2attrib(keyid, NID_localKeyID); if (attr == NULL) { /* * Error already on stack */ goto cleanup; } keyid = NULL; if (pkey->attributes == NULL) { pkey->attributes = sk_X509_ATTRIBUTE_new_null(); if (pkey->attributes == NULL) { SUNWerr(SUNW_F_SET_LOCALKEYID, SUNW_R_MEMORY_FAILURE); goto cleanup; } } else { i = find_attr_by_nid(pkey->attributes, NID_localKeyID); if (i >= 0) sk_X509_ATTRIBUTE_delete(pkey->attributes, i); } if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == 0) { SUNWerr(SUNW_F_SET_LOCALKEYID, SUNW_R_MEMORY_FAILURE); goto cleanup; } attr = NULL; } retval = 0; cleanup: if (str != NULL) ASN1_STRING_free(str); if (keyid != NULL) ASN1_TYPE_free(keyid); if (attr != NULL) X509_ATTRIBUTE_free(attr); return (retval); } /* * sunw_get_pkey_localkeyid() gets the localkeyid from a private key. It can * optionally remove the value found. * * Arguments: * dowhat - What to do with the attributes (remove them or copy them). * pkey - Points to a private key to set the keyidstr in. * keyid_str- Points to a location which will receive the pointer to * a byte string containing the binary localkeyid. Note that * this is a copy, and the caller must free it. * keyid_len- Length of keyid_str. * * Returns: * >= 0 - The number of characters in the keyid returned. * < 0 - An error occurred. It was probably an error in allocating * memory. The error will be set in the error stack. Call * ERR_get_error() to get specific information. */ int sunw_get_pkey_localkeyid(getdo_actions_t dowhat, EVP_PKEY *pkey, char **keyid_str, int *keyid_len) { X509_ATTRIBUTE *attr = NULL; ASN1_OCTET_STRING *str = NULL; ASN1_TYPE *ty = NULL; int len = 0; int i; if (keyid_str != NULL) *keyid_str = NULL; if (keyid_len != NULL) *keyid_len = 0; if (pkey == NULL || pkey->attributes == NULL) { return (0); } if ((i = find_attr_by_nid(pkey->attributes, NID_localKeyID)) < 0) { return (0); } attr = sk_X509_ATTRIBUTE_value(pkey->attributes, i); if ((ty = attrib2type(attr)) == NULL || ty->type != V_ASN1_OCTET_STRING) { return (0); } if (dowhat == GETDO_DEL) { attr = sk_X509_ATTRIBUTE_delete(pkey->attributes, i); if (attr != NULL) X509_ATTRIBUTE_free(attr); return (0); } str = ty->value.octet_string; len = str->length; if ((*keyid_str = malloc(len)) == NULL) { SUNWerr(SUNW_F_GET_LOCALKEYID, SUNW_R_MEMORY_FAILURE); return (-1); } (void) memcpy(*keyid_str, str->data, len); *keyid_len = len; return (len); } /* * sunw_get_pkey_fname() gets the friendlyName from a private key. It can * optionally remove the value found. * * Arguments: * dowhat - What to do with the attributes (remove them or copy them). * pkey - Points to a private key to get the frientlyname from * fname - Points to a location which will receive the pointer to a * byte string with the ASCII friendlyname * * Returns: * >= 0 - The number of characters in the frienlyname returned. * < 0 - An error occurred. It was probably an error in allocating * memory. The error will be set in the error stack. Call * ERR_get_error() to get specific information. */ int sunw_get_pkey_fname(getdo_actions_t dowhat, EVP_PKEY *pkey, char **fname) { X509_ATTRIBUTE *attr = NULL; ASN1_BMPSTRING *str = NULL; ASN1_TYPE *ty = NULL; int len = 0; int i; if (fname != NULL) *fname = NULL; if (pkey == NULL || pkey->attributes == NULL) { return (0); } if ((i = find_attr_by_nid(pkey->attributes, NID_friendlyName)) < 0) { return (0); } attr = sk_X509_ATTRIBUTE_value(pkey->attributes, i); if ((ty = attrib2type(attr)) == NULL || ty->type != V_ASN1_BMPSTRING) { return (0); } if (dowhat == GETDO_DEL) { attr = sk_X509_ATTRIBUTE_delete(pkey->attributes, i); if (attr != NULL) X509_ATTRIBUTE_free(attr); return (0); } str = ty->value.bmpstring; *fname = uni2asc(str->data, str->length); if (*fname == NULL) { SUNWerr(SUNW_F_GET_PKEY_FNAME, SUNW_R_MEMORY_FAILURE); return (-1); } len = strlen(*fname); return (len); } /* * sunw_find_localkeyid() searches stacks of certs and private keys, * and returns the first matching cert/private key found. * * Look for a keyid in a stack of certs. if 'certs' is NULL and 'pkeys' is * not NULL, search the list of private keys. Move the matching cert to * 'matching_cert' and its matching private key to 'matching_pkey'. If no * cert or keys match, no match occurred. * * Arguments: * keyid_str- A byte string with the localkeyid to match * keyid_len- Length of the keyid byte string. * pkeys - Points to a stack of private keys which match the certs. * This may be NULL, in which case no keys are returned. * certs - Points to a stack of certs to search. If NULL, search the * stack of keys instead. * matching_pkey * - Pointer to receive address of first matching pkey found. * 'matching_pkey' must not be NULL; '*matching_pkey' will be * reset. * matching_cert * - Pointer to receive address of first matching cert found. * 'matching_cert' must not be NULL; '*matching_cert' will be * reset. * * Returns: * < 0 - An error returned. Call ERR_get_error() to get errors information. * Where possible, memory has been freed. * >= 0 - Objects were found and returned. Which objects are indicated by * which bits are set (FOUND_PKEY and/or FOUND_CERT). */ int sunw_find_localkeyid(char *keyid_str, int len, STACK_OF(EVP_PKEY) *pkeys, STACK_OF(X509) *certs, EVP_PKEY **matching_pkey, X509 **matching_cert) { ASN1_STRING *cmpstr = NULL; EVP_PKEY *tmp_pkey = NULL; X509 *tmp_cert = NULL; int retval = 0; /* If NULL arguments, this is an error */ if (keyid_str == NULL || (pkeys == NULL || certs == NULL) || (pkeys != NULL && matching_pkey == NULL) || (certs != NULL && matching_cert == NULL)) { SUNWerr(SUNW_F_FIND_LOCALKEYID, SUNW_R_INVALID_ARG); return (-1); } if (matching_pkey != NULL) *matching_pkey = NULL; if (matching_cert != NULL) *matching_cert = NULL; cmpstr = (ASN1_STRING *)M_ASN1_OCTET_STRING_new(); if (cmpstr == NULL || M_ASN1_OCTET_STRING_set(cmpstr, keyid_str, len) == 0) { SUNWerr(SUNW_F_FIND_LOCALKEYID, SUNW_R_MEMORY_FAILURE); return (-1); } retval = find_attr(NID_localKeyID, cmpstr, pkeys, &tmp_pkey, certs, &tmp_cert); if (retval == 0) { ASN1_STRING_free(cmpstr); return (retval); } if (matching_pkey != NULL) *matching_pkey = tmp_pkey; if (matching_cert != NULL) *matching_cert = tmp_cert; return (retval); } /* * sunw_find_fname() searches stacks of certs and private keys for one with * a matching friendlyname and returns the first matching cert/private * key found. * * Look for a friendlyname in a stack of certs. if 'certs' is NULL and 'pkeys' * is not NULL, search the list of private keys. Move the matching cert to * 'matching_cert' and its matching private key to 'matching_pkey'. If no * cert or keys match, no match occurred. * * Arguments: * fname - Friendlyname to find (NULL-terminated ASCII string). * pkeys - Points to a stack of private keys which match the certs. * This may be NULL, in which case no keys are returned. * certs - Points to a stack of certs to search. If NULL, search the * stack of keys instead. * matching_pkey * - Pointer to receive address of first matching pkey found. * matching_cert * - Pointer to receive address of first matching cert found. * * Returns: * < 0 - An error returned. Call ERR_get_error() to get errors information. * Where possible, memory has been freed. * >= 0 - Objects were found and returned. Which objects are indicated by * which bits are set (FOUND_PKEY and/or FOUND_CERT). */ int sunw_find_fname(char *fname, STACK_OF(EVP_PKEY) *pkeys, STACK_OF(X509) *certs, EVP_PKEY **matching_pkey, X509 ** matching_cert) { ASN1_STRING *cmpstr = NULL; EVP_PKEY *tmp_pkey = NULL; X509 *tmp_cert = NULL; int retval = 0; /* If NULL arguments, this is an error */ if (fname == NULL || (pkeys == NULL || certs == NULL) || (pkeys != NULL && matching_pkey == NULL) || (certs != NULL && matching_cert == NULL)) { SUNWerr(SUNW_F_FIND_FNAME, SUNW_R_INVALID_ARG); return (-1); } if (matching_pkey != NULL) *matching_pkey = NULL; if (matching_cert != NULL) *matching_cert = NULL; cmpstr = (ASN1_STRING *)asc2bmpstring(fname, strlen(fname)); if (cmpstr == NULL) { /* * Error already on stack */ return (-1); } retval = find_attr(NID_friendlyName, cmpstr, pkeys, &tmp_pkey, certs, &tmp_cert); if (retval == 0) { ASN1_STRING_free(cmpstr); return (retval); } if (matching_pkey != NULL) *matching_pkey = tmp_pkey; if (matching_cert != NULL) *matching_cert = tmp_cert; return (retval); } /* * sunw_print_times() formats and prints cert times to the given file. * * The label is printed on one line. One or both dates are printed on * the following line or two, each with it's own indented label in the * format: * * label * 'not before' date: whatever * 'not after' date: whatever * * Arguments: * fp - file pointer for file to write to. * dowhat - what field(s) to print. * label - Label to use. If NULL, no line will be printed. * cert - Points to a client or CA certs to check * * Returns: * < 0 - An error occured. * >= 0 - Number of lines written. */ int sunw_print_times(FILE *fp, prnt_actions_t dowhat, char *label, X509 *cert) { int lines = 0; if (label != NULL) { (void) fprintf(fp, "%s\n", label); lines++; } if (dowhat == PRNT_NOT_BEFORE || dowhat == PRNT_BOTH) { (void) fprintf(fp, "'not before' date: "); (void) print_time(fp, X509_get_notBefore(cert)); (void) fprintf(fp, "\n"); lines++; } if (dowhat == PRNT_NOT_AFTER || dowhat == PRNT_BOTH) { (void) fprintf(fp, "'not after' date: "); (void) print_time(fp, X509_get_notAfter(cert)); (void) fprintf(fp, "\n"); lines++; } return (lines); } /* * sunw_check_keys() compares the public key in the certificate and a * private key to ensure that they match. * * Arguments: * cert - Points to a certificate. * pkey - Points to a private key. * * Returns: * == 0 - These do not match. * != 0 - The cert's public key and the private key match. */ int sunw_check_keys(X509 *cert, EVP_PKEY *pkey) { int retval = 0; if (pkey != NULL && cert != NULL) retval = X509_check_private_key(cert, pkey); return (retval); } /* * sunw_issuer_attrs - Given a cert, return the issuer-specific attributes * as one ASCII string. * * Arguments: * cert - Cert to process * buf - If non-NULL, buffer to receive string. If NULL, one will * be allocated and its value will be returned to the caller. * len - If 'buff' is non-null, the buffer's length. * * This returns an ASCII string with all issuer-related attributes in one * string separated by '/' characters. Each attribute begins with its name * and an equal sign. Two attributes (ATTR1 and Attr2) would have the * following form: * * ATTR1=attr_value/ATTR2=attr2_value * * Returns: * != NULL - Pointer to the ASCII string containing the issuer-related * attributes. If the 'buf' argument was NULL, this is a * dynamically-allocated buffer and the caller will have the * responsibility for freeing it. * NULL - Memory needed to be allocated but could not be. Errors * are set on the error stack. */ char * sunw_issuer_attrs(X509 *cert, char *buf, int len) { return (X509_NAME_oneline(X509_get_issuer_name(cert), buf, len)); } /* * sunw_subject_attrs - Given a cert, return the subject-specific attributes * as one ASCII string. * * Arguments: * cert - Cert to process * buf - If non-NULL, buffer to receive string. If NULL, one will * be allocated and its value will be returned to the caller. * len - If 'buff' is non-null, the buffer's length. * * This returns an ASCII string with all subject-related attributes in one * string separated by '/' characters. Each attribute begins with its name * and an equal sign. Two attributes (ATTR1 and Attr2) would have the * following form: * * ATTR1=attr_value/ATTR2=attr2_value * * Returns: * != NULL - Pointer to the ASCII string containing the subject-related * attributes. If the 'buf' argument was NULL, this is a * dynamically-allocated buffer and the caller will have the * responsibility for freeing it. * NULL - Memory needed to be allocated but could not be. Errors * are set on the error stack. */ char * sunw_subject_attrs(X509 *cert, char *buf, int len) { return (X509_NAME_oneline(X509_get_subject_name(cert), buf, len)); } /* * sunw_append_keys - Given two stacks of private keys, remove the keys from * the second stack and append them to the first. Both stacks must exist * at time of call. * * Arguments: * dst - the stack to receive the keys from 'src' * src - the stack whose keys are to be moved. * * Returns: * -1 - An error occurred. The error status is set. * >= 0 - The number of keys that were copied. */ int sunw_append_keys(STACK_OF(EVP_PKEY) *dst, STACK_OF(EVP_PKEY) *src) { EVP_PKEY *tmpk; int count = 0; while (sk_EVP_PKEY_num(src) > 0) { tmpk = sk_EVP_PKEY_delete(src, 0); if (sk_EVP_PKEY_push(dst, tmpk) == 0) { sunw_evp_pkey_free(tmpk); SUNWerr(SUNW_F_APPEND_KEYS, SUNW_R_MEMORY_FAILURE); return (-1); } count++; } return (count); }