static KMF_RETURN
gencsr_pkcs11(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *certlabel, KMF_KEY_ALG keyAlg,
int keylen, uint16_t kubits, int kucrit,
KMF_ENCODE_FORMAT fmt, char *csrfile,
KMF_CREDENTIAL *tokencred, EKU_LIST *ekulist,
KMF_ALGORITHM_INDEX sigAlg, KMF_OID *curveoid)
{
KMF_RETURN kmfrv = KMF_OK;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_NAME csrSubject;
KMF_CSR_DATA csr;
KMF_DATA signedCsr = {NULL, 0};
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
(void) memset(&csr, 0, sizeof (csr));
(void) memset(&csrSubject, 0, sizeof (csrSubject));
/* If the subject name cannot be parsed, flag it now and exit */
if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK)
return (kmfrv);
/* Select a PKCS11 token */
kmfrv = select_token(kmfhandle, token, FALSE);
if (kmfrv != KMF_OK)
return (kmfrv);
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_pkcs11(kmfhandle, token, certlabel,
keyAlg, keylen, tokencred, curveoid, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), "keypair");
SET_VALUE(kmf_set_csr_version(&csr, 2), "version number");
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name");
SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg),
"SignatureAlgorithm");
if (altname != NULL) {
SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit,
alttype), "SetCSRSubjectAltName");
}
if (kubits != 0) {
SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits),
"SetCSRKeyUsage");
}
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_csr_eku(&csr,
&ekulist->ekulist[i],
ekulist->critlist[i]),
"Extended Key Usage");
}
}
if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
KMF_OK) {
kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile);
}
cleanup:
(void) kmf_free_data(&signedCsr);
(void) kmf_free_signed_csr(&csr);
/* delete the public key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR,
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist);
/*
* If there is an error, then we need to remove the private key
* from the token.
*/
if (kmfrv != KMF_OK) {
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
}
(void) kmf_free_kmf_key(kmfhandle, &prik);
return (kmfrv);
}
int
kc_create(int argc, char *argv[])
{
KMF_RETURN ret;
int rv = KC_OK;
int opt;
extern int optind_av;
extern char *optarg_av;
char *filename = NULL;
int ocsp_set_attr = 0;
boolean_t crl_set_attr = 0;
KMF_POLICY_RECORD plc;
(void) memset(&plc, 0, sizeof (KMF_POLICY_RECORD));
while ((opt = getopt_av(argc, argv,
"i:(dbfile)"
"p:(policy)"
"d:(ignore-date)"
"e:(ignore-unknown-eku)"
"a:(ignore-trust-anchor)"
"v:(validity-adjusttime)"
"t:(ta-name)"
"s:(ta-serial)"
"o:(ocsp-responder)"
"P:(ocsp-proxy)"
"r:(ocsp-use-cert-responder)"
"T:(ocsp-response-lifetime)"
"R:(ocsp-ignore-response-sign)"
"n:(ocsp-responder-cert-name)"
"A:(ocsp-responder-cert-serial)"
"c:(crl-basefilename)"
"I:(crl-directory)"
"g:(crl-get-crl-uri)"
"X:(crl-proxy)"
"S:(crl-ignore-crl-sign)"
"D:(crl-ignore-crl-date)"
"m:(mapper-name)"
"M:(mapper-directory)"
"Q:(mapper-pathname)"
"q:(mapper-options)"
"u:(keyusage)"
"E:(ekunames)"
"O:(ekuoids)")) != EOF) {
switch (opt) {
case 'i':
filename = get_string(optarg_av, &rv);
if (filename == NULL) {
(void) fprintf(stderr,
gettext("Error dbfile input.\n"));
}
break;
case 'p':
plc.name = get_string(optarg_av, &rv);
if (plc.name == NULL) {
(void) fprintf(stderr,
gettext("Error policy name.\n"));
}
break;
case 'd':
plc.ignore_date = get_boolean(optarg_av);
if (plc.ignore_date == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'e':
plc.ignore_unknown_ekus =
get_boolean(optarg_av);
if (plc.ignore_unknown_ekus == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'a':
plc.ignore_trust_anchor =
get_boolean(optarg_av);
if (plc.ignore_trust_anchor == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'v':
plc.validity_adjusttime =
get_string(optarg_av, &rv);
if (plc.validity_adjusttime == NULL) {
(void) fprintf(stderr,
gettext("Error time input.\n"));
} else {
uint32_t adj;
/* for syntax checking */
if (str2lifetime(
plc.validity_adjusttime,
&adj) < 0) {
(void) fprintf(stderr,
gettext("Error time "
"input.\n"));
rv = KC_ERR_USAGE;
}
}
break;
case 't':
plc.ta_name = get_string(optarg_av, &rv);
if (plc.ta_name == NULL) {
(void) fprintf(stderr,
gettext("Error name input.\n"));
} else if (strcasecmp(plc.ta_name,
"search") != 0) {
KMF_X509_NAME taDN;
/* for syntax checking */
if (kmf_dn_parser(plc.ta_name,
&taDN) != KMF_OK) {
(void) fprintf(stderr,
gettext("Error name "
"input.\n"));
rv = KC_ERR_USAGE;
} else {
kmf_free_dn(&taDN);
}
}
break;
case 's':
plc.ta_serial = get_string(optarg_av, &rv);
if (plc.ta_serial == NULL) {
(void) fprintf(stderr,
gettext("Error serial input.\n"));
} else {
uchar_t *bytes = NULL;
size_t bytelen;
ret = kmf_hexstr_to_bytes(
(uchar_t *)plc.ta_serial,
&bytes, &bytelen);
if (ret != KMF_OK || bytes == NULL) {
(void) fprintf(stderr,
gettext("serial number "
"must be specified as a "
"hex number "
"(ex: 0x0102030405"
"ffeeddee)\n"));
rv = KC_ERR_USAGE;
}
if (bytes != NULL)
free(bytes);
}
break;
case 'o':
plc.VAL_OCSP_RESPONDER_URI =
get_string(optarg_av, &rv);
if (plc.VAL_OCSP_RESPONDER_URI == NULL) {
(void) fprintf(stderr, gettext(
"Error responder input.\n"));
} else {
ocsp_set_attr++;
}
break;
case 'P':
plc.VAL_OCSP_PROXY =
get_string(optarg_av, &rv);
if (plc.VAL_OCSP_PROXY == NULL) {
(void) fprintf(stderr,
gettext("Error proxy input.\n"));
} else {
ocsp_set_attr++;
}
break;
case 'r':
plc.VAL_OCSP_URI_FROM_CERT =
get_boolean(optarg_av);
if (plc.VAL_OCSP_URI_FROM_CERT == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
} else {
ocsp_set_attr++;
}
break;
case 'T':
plc.VAL_OCSP_RESP_LIFETIME =
get_string(optarg_av, &rv);
if (plc.VAL_OCSP_RESP_LIFETIME == NULL) {
(void) fprintf(stderr,
gettext("Error time input.\n"));
} else {
uint32_t adj;
/* for syntax checking */
if (str2lifetime(
plc.VAL_OCSP_RESP_LIFETIME,
&adj) < 0) {
(void) fprintf(stderr,
gettext("Error time "
"input.\n"));
rv = KC_ERR_USAGE;
} else {
ocsp_set_attr++;
}
}
break;
case 'R':
plc.VAL_OCSP_IGNORE_RESP_SIGN =
get_boolean(optarg_av);
if (plc.VAL_OCSP_IGNORE_RESP_SIGN == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
} else {
ocsp_set_attr++;
}
break;
case 'n':
plc.VAL_OCSP_RESP_CERT_NAME =
get_string(optarg_av, &rv);
if (plc.VAL_OCSP_RESP_CERT_NAME == NULL) {
(void) fprintf(stderr,
gettext("Error name input.\n"));
} else {
KMF_X509_NAME respDN;
/* for syntax checking */
if (kmf_dn_parser(
plc.VAL_OCSP_RESP_CERT_NAME,
&respDN) != KMF_OK) {
(void) fprintf(stderr,
gettext("Error name "
"input.\n"));
rv = KC_ERR_USAGE;
} else {
kmf_free_dn(&respDN);
ocsp_set_attr++;
}
}
break;
case 'A':
plc.VAL_OCSP_RESP_CERT_SERIAL =
get_string(optarg_av, &rv);
if (plc.VAL_OCSP_RESP_CERT_SERIAL == NULL) {
(void) fprintf(stderr,
gettext("Error serial input.\n"));
} else {
uchar_t *bytes = NULL;
size_t bytelen;
ret = kmf_hexstr_to_bytes((uchar_t *)
plc.VAL_OCSP_RESP_CERT_SERIAL,
&bytes, &bytelen);
if (ret != KMF_OK || bytes == NULL) {
(void) fprintf(stderr,
gettext("serial number "
"must be specified as a "
"hex number "
"(ex: 0x0102030405"
"ffeeddee)\n"));
rv = KC_ERR_USAGE;
break;
}
if (bytes != NULL)
free(bytes);
ocsp_set_attr++;
}
break;
case 'c':
plc.VAL_CRL_BASEFILENAME =
get_string(optarg_av, &rv);
if (plc.VAL_CRL_BASEFILENAME == NULL) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
} else {
crl_set_attr++;
}
break;
case 'I':
plc.VAL_CRL_DIRECTORY =
get_string(optarg_av, &rv);
if (plc.VAL_CRL_DIRECTORY == NULL) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
} else {
crl_set_attr++;
}
break;
case 'g':
plc.VAL_CRL_GET_URI = get_boolean(optarg_av);
if (plc.VAL_CRL_GET_URI == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
} else {
crl_set_attr++;
}
break;
case 'X':
plc.VAL_CRL_PROXY = get_string(optarg_av, &rv);
if (plc.VAL_CRL_PROXY == NULL) {
(void) fprintf(stderr,
gettext("Error proxy input.\n"));
} else {
crl_set_attr++;
}
break;
case 'S':
plc.VAL_CRL_IGNORE_SIGN =
get_boolean(optarg_av);
if (plc.VAL_CRL_IGNORE_SIGN == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
} else {
crl_set_attr++;
}
break;
case 'D':
plc.VAL_CRL_IGNORE_DATE =
get_boolean(optarg_av);
if (plc.VAL_CRL_IGNORE_DATE == -1) {
(void) fprintf(stderr,
gettext("Error boolean input.\n"));
rv = KC_ERR_USAGE;
} else {
crl_set_attr++;
}
break;
case 'u':
plc.ku_bits = parseKUlist(optarg_av);
if (plc.ku_bits == 0) {
(void) fprintf(stderr, gettext(
"Error keyusage input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'E':
if (parseEKUNames(optarg_av, &plc) != 0) {
(void) fprintf(stderr,
gettext("Error EKU input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'O':
if (parseEKUOIDs(optarg_av, &plc) != 0) {
(void) fprintf(stderr,
gettext("Error EKU OID input.\n"));
rv = KC_ERR_USAGE;
}
break;
case 'm':
plc.mapper.mapname = get_string(optarg_av, &rv);
if (plc.mapper.mapname == NULL) {
(void) fprintf(stderr,
gettext("Error mapper-name "
"input.\n"));
}
break;
case 'M':
plc.mapper.dir = get_string(optarg_av, &rv);
if (plc.mapper.dir == NULL) {
(void) fprintf(stderr,
gettext("Error mapper-dir "
"input.\n"));
}
break;
case 'Q':
plc.mapper.pathname = get_string(optarg_av,
&rv);
if (plc.mapper.pathname == NULL) {
(void) fprintf(stderr,
gettext("Error mapper-pathname "
"input.\n"));
}
break;
case 'q':
plc.mapper.options = get_string(optarg_av, &rv);
if (plc.mapper.options == NULL) {
(void) fprintf(stderr,
gettext("Error mapper-options "
"input.\n"));
}
break;
default:
(void) fprintf(stderr,
gettext("Error input option.\n"));
rv = KC_ERR_USAGE;
break;
}
if (rv != KC_OK)
goto out;
}
/* No additional args allowed. */
argc -= optind_av;
if (argc) {
(void) fprintf(stderr,
gettext("Error input option\n"));
rv = KC_ERR_USAGE;
goto out;
}
if (filename == NULL) {
filename = strdup(KMF_DEFAULT_POLICY_FILE);
if (filename == NULL) {
rv = KC_ERR_MEMORY;
goto out;
}
}
/*
* Must have a policy name. The policy name can not be default
* if using the default policy file.
*/
if (plc.name == NULL) {
(void) fprintf(stderr,
gettext("You must specify a policy name\n"));
rv = KC_ERR_USAGE;
goto out;
} else if (strcmp(filename, KMF_DEFAULT_POLICY_FILE) == 0 &&
strcmp(plc.name, KMF_DEFAULT_POLICY_NAME) == 0) {
(void) fprintf(stderr,
gettext("Can not create a default policy in the default "
"policy file\n"));
rv = KC_ERR_USAGE;
goto out;
}
/*
* If the policy file exists and the policy is in the policy file
* already, we will not create it again.
*/
if (access(filename, R_OK) == 0) {
POLICY_LIST *plclist = NULL, *pnode;
int found = 0;
rv = load_policies(filename, &plclist);
if (rv != KMF_OK)
goto out;
pnode = plclist;
while (pnode != NULL && !found) {
if (strcmp(plc.name, pnode->plc.name) == 0)
found++;
pnode = pnode->next;
}
free_policy_list(plclist);
if (found) {
(void) fprintf(stderr,
gettext("Could not create policy \"%s\" - exists "
"already\n"), plc.name);
rv = KC_ERR_USAGE;
goto out;
}
}
/*
* If any OCSP attribute is set, turn on the OCSP checking flag.
* Also set "has_resp_cert" to be true, if the responder cert
* is provided.
*/
if (ocsp_set_attr > 0)
plc.revocation |= KMF_REVOCATION_METHOD_OCSP;
if (plc.VAL_OCSP_RESP_CERT.name != NULL &&
plc.VAL_OCSP_RESP_CERT.serial != NULL) {
plc.VAL_OCSP.has_resp_cert = B_TRUE;
}
/*
* Setting mapper-name (with optional mapper-dir) and mapper-pathname is
* mutually exclusive. Also, you cannot set options only, you need the
* name or pathname, and you can set the directory only with the name,
* not the pathname.
*/
if ((plc.mapper.mapname != NULL && plc.mapper.pathname != NULL) ||
(plc.mapper.dir != NULL && plc.mapper.pathname != NULL) ||
(plc.mapper.dir != NULL && plc.mapper.mapname == NULL) ||
(plc.mapper.options != NULL && plc.mapper.mapname == NULL &&
plc.mapper.pathname == NULL)) {
(void) fprintf(stderr,
gettext("Error in mapper input options\n"));
rv = KC_ERR_USAGE;
goto out;
}
/*
* If any CRL attribute is set, turn on the CRL checking flag.
*/
if (crl_set_attr > 0)
plc.revocation |= KMF_REVOCATION_METHOD_CRL;
/*
* Does a sanity check on the new policy.
*/
ret = kmf_verify_policy(&plc);
if (ret != KMF_OK) {
print_sanity_error(ret);
rv = KC_ERR_ADD_POLICY;
goto out;
}
/*
* Add to the DB.
*/
ret = kmf_add_policy_to_db(&plc, filename, B_FALSE);
if (ret != KMF_OK) {
(void) fprintf(stderr,
gettext("Error adding policy to database: 0x%04x\n"), ret);
rv = KC_ERR_ADD_POLICY;
}
out:
if (filename != NULL)
free(filename);
kmf_free_policy_record(&plc);
return (rv);
}
static KMF_RETURN
gencsr_nss(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *nickname, char *dir, char *prefix,
KMF_KEY_ALG keyAlg, int keylen,
uint16_t kubits, int kucrit,
KMF_ENCODE_FORMAT fmt, char *csrfile,
KMF_CREDENTIAL *tokencred, EKU_LIST *ekulist,
KMF_ALGORITHM_INDEX sigAlg, KMF_OID *curveoid)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_NAME csrSubject;
KMF_CSR_DATA csr;
KMF_DATA signedCsr = {NULL, 0};
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
if (token == NULL)
token = DEFAULT_NSS_TOKEN;
kmfrv = configure_nss(kmfhandle, dir, prefix);
if (kmfrv != KMF_OK)
return (kmfrv);
(void) memset(&csr, 0, sizeof (csr));
(void) memset(&csrSubject, 0, sizeof (csrSubject));
(void) memset(&pubk, 0, sizeof (pubk));
(void) memset(&prik, 0, sizeof (prik));
/* If the subject name cannot be parsed, flag it now and exit */
if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) {
return (kmfrv);
}
kmfrv = genkeypair_nss(kmfhandle, token, nickname, dir,
prefix, keyAlg, keylen, tokencred, curveoid,
&prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr),
"kmf_set_csr_pubkey");
SET_VALUE(kmf_set_csr_version(&csr, 2), "kmf_set_csr_version");
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject),
"kmf_set_csr_subject");
SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "kmf_set_csr_sig_alg");
if (altname != NULL) {
SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit,
alttype), "kmf_set_csr_subject_altname");
}
if (kubits != NULL) {
SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits),
"kmf_set_csr_ku");
}
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_csr_eku(&csr,
&ekulist->ekulist[i],
ekulist->critlist[i]),
"Extended Key Usage");
}
}
if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
KMF_OK) {
kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile);
}
cleanup:
(void) kmf_free_data(&signedCsr);
(void) kmf_free_kmf_key(kmfhandle, &prik);
/* delete the key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR,
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->credlen > 0) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
if (token && strlen(token)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist);
(void) kmf_free_signed_csr(&csr);
return (kmfrv);
}
static KMF_RETURN
gencsr_file(KMF_HANDLE_T kmfhandle,
KMF_KEY_ALG keyAlg,
int keylen, KMF_ENCODE_FORMAT fmt,
char *subject, char *altname, KMF_GENERALNAMECHOICES alttype,
int altcrit, uint16_t kubits, int kucrit,
char *outcsr, char *outkey, EKU_LIST *ekulist,
KMF_ALGORITHM_INDEX sigAlg)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_NAME csrSubject;
KMF_CSR_DATA csr;
KMF_DATA signedCsr = {NULL, 0};
char *fullcsrpath = NULL;
char *fullkeypath = NULL;
(void) memset(&csr, 0, sizeof (csr));
(void) memset(&csrSubject, 0, sizeof (csrSubject));
if (EMPTYSTRING(outcsr) || EMPTYSTRING(outkey)) {
cryptoerror(LOG_STDERR,
gettext("No output file was specified for "
"the csr or key\n"));
return (KMF_ERR_BAD_PARAMETER);
}
fullcsrpath = strdup(outcsr);
if (verify_file(fullcsrpath)) {
cryptoerror(LOG_STDERR,
gettext("Cannot write the indicated output "
"certificate file (%s).\n"), fullcsrpath);
free(fullcsrpath);
return (PK_ERR_USAGE);
}
/* If the subject name cannot be parsed, flag it now and exit */
if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) {
return (kmfrv);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_file(kmfhandle, keyAlg, keylen,
fmt, outkey, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr),
"SetCSRPubKey");
SET_VALUE(kmf_set_csr_version(&csr, 2), "SetCSRVersion");
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject),
"kmf_set_csr_subject");
SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "kmf_set_csr_sig_alg");
if (altname != NULL) {
SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit,
alttype), "kmf_set_csr_subject_altname");
}
if (kubits != NULL) {
SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits),
"kmf_set_csr_ku");
}
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_csr_eku(&csr,
&ekulist->ekulist[i],
ekulist->critlist[i]),
"Extended Key Usage");
}
}
if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
KMF_OK) {
kmfrv = kmf_create_csr_file(&signedCsr, fmt, fullcsrpath);
}
cleanup:
if (fullkeypath)
free(fullkeypath);
if (fullcsrpath)
free(fullcsrpath);
kmf_free_data(&signedCsr);
kmf_free_kmf_key(kmfhandle, &prik);
kmf_free_signed_csr(&csr);
return (kmfrv);
}
static int
gencert_pkcs11(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *certlabel, KMF_KEY_ALG keyAlg,
KMF_ALGORITHM_INDEX sigAlg,
int keylen, uint32_t ltime, KMF_BIGINT *serial,
uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred,
EKU_LIST *ekulist, KMF_OID *curveoid)
{
KMF_RETURN kmfrv = KMF_OK;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
KMF_KEY_ALG keytype;
uint32_t keylength;
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
keylength = keylen; /* bits */
keytype = keyAlg;
/* Select a PKCS11 token */
kmfrv = select_token(kmfhandle, token, FALSE);
if (kmfrv != KMF_OK) {
return (kmfrv);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_pkcs11(kmfhandle, token, certlabel,
keytype, keylength, tokencred, curveoid, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits != 0)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"KeyUsage");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i], ekulist->critlist[i]),
"Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
if (certlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
certlabel, strlen(certlabel));
numattr++;
}
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
/*
* If kmf_sign_cert or kmf_store_cert failed, then we need to clean up
* the key pair from the token.
*/
if (kmfrv != KMF_OK) {
/* delete the public key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
/* delete the private key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
}
return (kmfrv);
}
static KMF_RETURN
gencert_nss(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *nickname, char *dir, char *prefix,
KMF_KEY_ALG keyAlg,
KMF_ALGORITHM_INDEX sigAlg,
int keylen, char *trust,
uint32_t ltime, KMF_BIGINT *serial, uint16_t kubits,
int kucrit, KMF_CREDENTIAL *tokencred,
EKU_LIST *ekulist, KMF_OID *curveoid)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
if (token == NULL)
token = DEFAULT_NSS_TOKEN;
kmfrv = configure_nss(kmfhandle, dir, prefix);
if (kmfrv != KMF_OK)
return (kmfrv);
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
kmfrv = genkeypair_nss(kmfhandle, token, nickname, dir,
prefix, keyAlg, keylen, tokencred, curveoid,
&prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"subjectAltName");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i],
ekulist->critlist[i]), "Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
if (nickname != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
nickname, strlen(nickname));
numattr++;
}
if (trust != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TRUSTFLAG_ATTR,
trust, strlen(trust));
numattr++;
}
if (token != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
return (kmfrv);
}
static int
gencert_file(KMF_HANDLE_T kmfhandle,
KMF_KEY_ALG keyAlg, KMF_ALGORITHM_INDEX sigAlg,
int keylen, KMF_ENCODE_FORMAT fmt,
uint32_t ltime, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
KMF_BIGINT *serial, uint16_t kubits, int kucrit,
char *outcert, char *outkey,
EKU_LIST *ekulist)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
char *fullcertpath = NULL;
char *fullkeypath = NULL;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
KMF_ATTRIBUTE attrlist[10];
int numattr = 0;
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
if (EMPTYSTRING(outcert) || EMPTYSTRING(outkey)) {
cryptoerror(LOG_STDERR,
gettext("No output file was specified for "
"the cert or key\n"));
return (PK_ERR_USAGE);
}
fullcertpath = strdup(outcert);
if (verify_file(fullcertpath)) {
cryptoerror(LOG_STDERR,
gettext("Cannot write the indicated output "
"certificate file (%s).\n"), fullcertpath);
free(fullcertpath);
return (PK_ERR_USAGE);
}
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed (%s)\n"), subject);
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed (%s)\n"), subject);
kmf_free_dn(&certSubject);
return (PK_ERR_USAGE);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_file(kmfhandle, keyAlg, keylen,
fmt, outkey, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits != 0)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"KeyUsage");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i],
ekulist->critlist[i]), "Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
fullcertpath, strlen(fullcertpath));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
&fmt, sizeof (fmt));
numattr++;
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
if (fullkeypath != NULL)
free(fullkeypath);
if (fullcertpath != NULL)
free(fullcertpath);
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
return (kmfrv);
}
