static KMF_RETURN
pk_delete_keys(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr,
char *desc, int *keysdeleted)
{
KMF_RETURN rv = KMF_OK;
uint32_t numkeys = 0;
int num = numattr;
*keysdeleted = 0;
numkeys = 0;
kmf_set_attr_at_index(attlist, num,
KMF_COUNT_ATTR, &numkeys, sizeof (uint32_t));
num++;
rv = kmf_find_key(kmfhandle, num, attlist);
if (rv == KMF_OK && numkeys > 0) {
KMF_KEY_HANDLE *keys = NULL;
char prompt[1024];
(void) snprintf(prompt, sizeof (prompt),
gettext("%d %s key(s) found, do you want "
"to delete them (y/N) ?"), numkeys,
(desc != NULL ? desc : ""));
if (!yesno(prompt,
gettext("Respond with yes or no.\n"),
B_FALSE)) {
*keysdeleted = numkeys;
return (KMF_OK);
}
keys = (KMF_KEY_HANDLE *)malloc(numkeys *
sizeof (KMF_KEY_HANDLE));
if (keys == NULL)
return (KMF_ERR_MEMORY);
(void) memset(keys, 0, numkeys *
sizeof (KMF_KEY_HANDLE));
kmf_set_attr_at_index(attlist, num,
KMF_KEY_HANDLE_ATTR, keys, sizeof (KMF_KEY_HANDLE));
num++;
rv = kmf_find_key(kmfhandle, num, attlist);
if (rv == KMF_OK) {
rv = pk_destroy_keys(kmfhandle, attlist, num);
}
free(keys);
}
if (rv == KMF_ERR_KEY_NOT_FOUND) {
rv = KMF_OK;
}
*keysdeleted = numkeys;
return (rv);
}
static KMF_RETURN
pk_delete_certs(KMF_HANDLE_T kmfhandle, KMF_ATTRIBUTE *attlist, int numattr)
{
KMF_RETURN rv = KMF_OK;
uint32_t numcerts = 0;
int num = numattr;
kmf_set_attr_at_index(attlist, num,
KMF_COUNT_ATTR, &numcerts, sizeof (uint32_t));
num++;
rv = kmf_find_cert(kmfhandle, num, attlist);
if (rv == KMF_OK && numcerts > 0) {
char prompt[1024];
(void) snprintf(prompt, sizeof (prompt),
gettext("%d certificate(s) found, do you want "
"to delete them (y/N) ?"), numcerts);
if (!yesno(prompt,
gettext("Respond with yes or no.\n"),
B_FALSE)) {
return (KMF_OK);
}
/*
* Use numattr because delete cert does not require
* KMF_COUNT_ATTR attribute.
*/
rv = kmf_delete_cert_from_keystore(kmfhandle, numattr, attlist);
}
return (rv);
}
static KMF_RETURN
delete_pk11_keys(KMF_HANDLE_T kmfhandle,
char *token, int oclass, char *objlabel,
KMF_CREDENTIAL *tokencred)
{
KMF_RETURN rv = KMF_OK;
int nk, numkeys = 0;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
KMF_KEY_CLASS keyclass;
boolean_t token_bool = B_TRUE;
boolean_t private;
/*
* Symmetric keys and RSA/DSA private keys are always
* created with the "CKA_PRIVATE" field == TRUE, so
* make sure we search for them with it also set.
*/
if (oclass & (PK_SYMKEY_OBJ | PK_PRIKEY_OBJ))
oclass |= PK_PRIVATE_OBJ;
rv = select_token(kmfhandle, token, FALSE);
if (rv != KMF_OK) {
return (rv);
}
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
if (objlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
objlabel, strlen(objlabel));
numattr++;
}
if (tokencred != NULL && tokencred->credlen > 0) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
private = ((oclass & PK_PRIVATE_OBJ) > 0);
static KMF_RETURN
delete_nss_crl(void *kmfhandle,
char *dir, char *prefix, char *token,
char *issuer, char *subject)
{
KMF_RETURN rv = KMF_OK;
int numattr = 0;
KMF_ATTRIBUTE attrlist[8];
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
rv = configure_nss(kmfhandle, dir, prefix);
if (rv != KMF_OK)
return (rv);
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
if (token != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
if (issuer != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_ISSUER_NAME_ATTR,
issuer, strlen(issuer));
numattr++;
}
if (subject != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_SUBJECT_NAME_ATTR,
subject, strlen(subject));
numattr++;
}
rv = kmf_delete_crl(kmfhandle, numattr, attrlist);
return (rv);
}
static KMF_RETURN
pk_destroy_keys(void *handle, KMF_ATTRIBUTE *attrlist, int numattr)
{
int i;
KMF_RETURN rv = KMF_OK;
uint32_t *numkeys;
KMF_KEY_HANDLE *keys = NULL;
int del_num = 0;
KMF_ATTRIBUTE delete_attlist[16];
KMF_KEYSTORE_TYPE kstype;
uint32_t len;
boolean_t destroy = B_TRUE;
KMF_CREDENTIAL cred;
char *slotlabel = NULL;
len = sizeof (kstype);
rv = kmf_get_attr(KMF_KEYSTORE_TYPE_ATTR, attrlist, numattr,
&kstype, &len);
if (rv != KMF_OK)
return (rv);
kmf_set_attr_at_index(delete_attlist, del_num,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
del_num++;
/* "destroy" is optional. Default is TRUE */
(void) kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
(void *)&destroy, NULL);
kmf_set_attr_at_index(delete_attlist, del_num,
KMF_DESTROY_BOOL_ATTR, &destroy, sizeof (boolean_t));
del_num++;
switch (kstype) {
case KMF_KEYSTORE_NSS:
rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
(void *)&cred, NULL);
if (rv == KMF_OK) {
if (cred.credlen > 0) {
kmf_set_attr_at_index(delete_attlist, del_num,
KMF_CREDENTIAL_ATTR, &cred,
sizeof (KMF_CREDENTIAL));
del_num++;
}
}
slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist,
numattr);
if (slotlabel != NULL) {
kmf_set_attr_at_index(delete_attlist, del_num,
KMF_TOKEN_LABEL_ATTR, slotlabel,
strlen(slotlabel));
del_num++;
}
break;
case KMF_KEYSTORE_OPENSSL:
break;
case KMF_KEYSTORE_PK11TOKEN:
rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
(void *)&cred, NULL);
if (rv == KMF_OK) {
if (cred.credlen > 0) {
kmf_set_attr_at_index(delete_attlist, del_num,
KMF_CREDENTIAL_ATTR, &cred,
sizeof (KMF_CREDENTIAL));
del_num++;
}
}
break;
default:
return (PK_ERR_USAGE);
}
numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
if (numkeys == NULL)
return (PK_ERR_USAGE);
keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
if (keys == NULL)
return (PK_ERR_USAGE);
for (i = 0; rv == KMF_OK && i < *numkeys; i++) {
int num = del_num;
kmf_set_attr_at_index(delete_attlist, num,
KMF_KEY_HANDLE_ATTR, &keys[i], sizeof (KMF_KEY_HANDLE));
num++;
rv = kmf_delete_key_from_keystore(handle, num, delete_attlist);
}
return (rv);
}
static KMF_RETURN
delete_nss_certs(KMF_HANDLE_T kmfhandle,
char *dir, char *prefix,
char *token, char *objlabel,
KMF_BIGINT *serno, char *issuer, char *subject,
KMF_CERT_VALIDITY find_criteria_flag)
{
KMF_RETURN rv = KMF_OK;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
rv = configure_nss(kmfhandle, dir, prefix);
if (rv != KMF_OK)
return (rv);
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
if (objlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CERT_LABEL_ATTR, objlabel,
strlen(objlabel));
numattr++;
}
if (issuer != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_ISSUER_NAME_ATTR, issuer,
strlen(issuer));
numattr++;
}
if (subject != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_SUBJECT_NAME_ATTR, subject,
strlen(subject));
numattr++;
}
if (serno != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_BIGINT_ATTR, serno,
sizeof (KMF_BIGINT));
numattr++;
}
kmf_set_attr_at_index(attrlist, numattr,
KMF_CERT_VALIDITY_ATTR, &find_criteria_flag,
sizeof (KMF_CERT_VALIDITY));
numattr++;
if (token != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_TOKEN_LABEL_ATTR, token,
strlen(token));
numattr++;
}
rv = pk_delete_certs(kmfhandle, attrlist, numattr);
return (rv);
}
static KMF_RETURN
delete_nss_keys(KMF_HANDLE_T kmfhandle, char *dir, char *prefix,
char *token, int oclass, char *objlabel,
KMF_CREDENTIAL *tokencred)
{
KMF_RETURN rv = KMF_OK;
char *keytype = NULL;
int nk, numkeys = 0;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
KMF_KEY_CLASS keyclass;
rv = configure_nss(kmfhandle, dir, prefix);
if (rv != KMF_OK)
return (rv);
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
if (objlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR,
objlabel, strlen(objlabel));
numattr++;
}
if (tokencred->credlen > 0) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
if (token && strlen(token)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
if (oclass & PK_PRIKEY_OBJ) {
int num = numattr;
keyclass = KMF_ASYM_PRI;
kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
&keyclass, sizeof (keyclass));
num++;
keytype = "private";
rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
numkeys += nk;
if (rv == KMF_ERR_KEY_NOT_FOUND &&
oclass != PK_PRIKEY_OBJ)
rv = KMF_OK;
}
if (rv == KMF_OK && (oclass & PK_SYMKEY_OBJ)) {
int num = numattr;
keyclass = KMF_SYMMETRIC;
kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
&keyclass, sizeof (keyclass));
num++;
keytype = "symmetric";
rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
numkeys += nk;
if (rv == KMF_ERR_KEY_NOT_FOUND &&
oclass != PK_SYMKEY_OBJ)
rv = KMF_OK;
}
if (rv == KMF_OK && (oclass & PK_PUBKEY_OBJ)) {
int num = numattr;
keyclass = KMF_ASYM_PUB;
kmf_set_attr_at_index(attrlist, num, KMF_KEYCLASS_ATTR,
&keyclass, sizeof (keyclass));
num++;
keytype = "public";
rv = pk_delete_keys(kmfhandle, attrlist, num, keytype, &nk);
numkeys += nk;
if (rv == KMF_ERR_KEY_NOT_FOUND &&
oclass != PK_PUBKEY_OBJ)
rv = KMF_OK;
}
if (rv == KMF_OK && numkeys == 0)
rv = KMF_ERR_KEY_NOT_FOUND;
return (rv);
}
KMF_RETURN
genkeypair_pkcs11(KMF_HANDLE_T kmfhandle,
char *token, char *keylabel, KMF_KEY_ALG keyAlg,
int keylen, KMF_CREDENTIAL *tokencred, KMF_OID *curveoid,
KMF_KEY_HANDLE *outPriKey, KMF_KEY_HANDLE *outPubKey)
{
KMF_RETURN kmfrv = KMF_OK;
KMF_KEY_HANDLE pubk, prik;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
KMF_KEY_ALG keytype;
uint32_t keylength;
keylength = keylen; /* bits */
keytype = keyAlg;
/* Select a PKCS11 token */
kmfrv = select_token(kmfhandle, token, FALSE);
if (kmfrv != KMF_OK)
return (kmfrv);
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype,
sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYALG_ATTR, &keytype,
sizeof (keytype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYLENGTH_ATTR, &keylength,
sizeof (keylength));
numattr++;
if (keylabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYLABEL_ATTR, keylabel,
strlen(keylabel));
numattr++;
}
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
kmf_set_attr_at_index(attrlist, numattr,
KMF_PRIVKEY_HANDLE_ATTR, &prik,
sizeof (KMF_KEY_HANDLE));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_PUBKEY_HANDLE_ATTR, &pubk,
sizeof (KMF_KEY_HANDLE));
numattr++;
if (keytype == KMF_ECDSA && curveoid != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_ECC_CURVE_OID_ATTR, curveoid,
sizeof (KMF_OID));
numattr++;
}
kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist);
if (kmfrv != KMF_OK) {
return (kmfrv);
}
cleanup:
if (kmfrv == KMF_OK) {
if (outPriKey != NULL)
*outPriKey = prik;
if (outPubKey != NULL)
*outPubKey = pubk;
}
return (kmfrv);
}
KMF_RETURN
genkeypair_nss(KMF_HANDLE_T kmfhandle,
char *token,
char *nickname, char *dir, char *prefix,
KMF_KEY_ALG keyAlg,
int keylen, KMF_CREDENTIAL *tokencred,
KMF_OID *curveoid,
KMF_KEY_HANDLE *outPriKey, KMF_KEY_HANDLE *outPubKey)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
KMF_KEY_ALG keytype;
uint32_t keylength;
if (token == NULL)
token = DEFAULT_NSS_TOKEN;
kmfrv = configure_nss(kmfhandle, dir, prefix);
if (kmfrv != KMF_OK)
return (kmfrv);
keylength = keylen; /* bits */
keytype = keyAlg;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype,
sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYALG_ATTR, &keytype,
sizeof (keytype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYLENGTH_ATTR, &keylength,
sizeof (keylength));
numattr++;
if (nickname != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYLABEL_ATTR, nickname,
strlen(nickname));
numattr++;
}
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
if (token != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_TOKEN_LABEL_ATTR, token,
strlen(token));
numattr++;
}
kmf_set_attr_at_index(attrlist, numattr,
KMF_PRIVKEY_HANDLE_ATTR, &prik,
sizeof (KMF_KEY_HANDLE));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_PUBKEY_HANDLE_ATTR, &pubk,
sizeof (KMF_KEY_HANDLE));
numattr++;
if (keytype == KMF_ECDSA && curveoid != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_ECC_CURVE_OID_ATTR, curveoid,
sizeof (KMF_OID));
numattr++;
}
kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist);
if (kmfrv != KMF_OK) {
return (kmfrv);
}
cleanup:
if (kmfrv == KMF_OK) {
if (outPriKey != NULL)
*outPriKey = prik;
if (outPubKey != NULL)
*outPubKey = pubk;
}
return (kmfrv);
}
KMF_RETURN
genkeypair_file(KMF_HANDLE_T kmfhandle,
KMF_KEY_ALG keyAlg, int keylen, KMF_ENCODE_FORMAT fmt,
char *outkey,
KMF_KEY_HANDLE *outPriKey, KMF_KEY_HANDLE *outPubKey)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
char *fullkeypath = NULL;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
KMF_ATTRIBUTE attrlist[10];
int numattr = 0;
KMF_KEY_ALG keytype;
uint32_t keylength;
KMF_ENCODE_FORMAT format;
if (EMPTYSTRING(outkey)) {
cryptoerror(LOG_STDERR,
gettext("No output file was specified for "
"the key\n"));
return (PK_ERR_USAGE);
}
fullkeypath = strdup(outkey);
if (verify_file(fullkeypath)) {
cryptoerror(LOG_STDERR,
gettext("Cannot write the indicated output "
"key file (%s).\n"), fullkeypath);
free(fullkeypath);
return (PK_ERR_USAGE);
}
keylength = keylen; /* bits */
keytype = keyAlg;
format = fmt;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype,
sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYALG_ATTR, &keytype,
sizeof (keytype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYLENGTH_ATTR, &keylength,
sizeof (keylength));
numattr++;
if (fullkeypath != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_FILENAME_ATTR, fullkeypath,
strlen(fullkeypath));
numattr++;
}
kmf_set_attr_at_index(attrlist, numattr,
KMF_ENCODE_FORMAT_ATTR, &format,
sizeof (format));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_PRIVKEY_HANDLE_ATTR, &prik,
sizeof (KMF_KEY_HANDLE));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_PUBKEY_HANDLE_ATTR, &pubk,
sizeof (KMF_KEY_HANDLE));
numattr++;
kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist);
if (kmfrv != KMF_OK) {
goto cleanup;
}
cleanup:
if (fullkeypath != NULL)
free(fullkeypath);
if (kmfrv == KMF_OK) {
if (outPriKey != NULL)
*outPriKey = prik;
if (outPubKey != NULL)
*outPubKey = pubk;
}
return (kmfrv);
}
static int
get_pkcs11_key_value(libzfs_handle_t *hdl, zfs_cmd_t *zc,
zfs_crypto_zckey_t cmd, pkcs11_uri_t *p11uri,
char **keydata, size_t *keydatalen)
{
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
KMF_KEY_CLASS keyclass = KMF_SYMMETRIC;
KMF_ENCODE_FORMAT format = KMF_FORMAT_RAWKEY;
KMF_ATTRIBUTE attr[10];
KMF_KEY_HANDLE keys;
KMF_CREDENTIAL cred;
KMF_RAW_SYM_KEY rkey;
KMF_HANDLE_T kmfh;
KMF_RETURN err;
boolean_t true_val = B_TRUE;
CK_SLOT_ID slot;
CK_TOKEN_INFO info;
size_t n = 0;
uint32_t numkeys = 0; /* Ask for all of the named keys */
char *token = NULL;
if (kmf_initialize(&kmfh, NULL, NULL) != KMF_OK) {
errno = EINVAL;
return (-1);
}
kmf_set_attr_at_index(attr, n++, KMF_KEYSTORE_TYPE_ATTR, &kstype,
sizeof (kstype));
if (p11uri->token) {
token = strdup((const char *)p11uri->token);
} else {
/* If the token wasn't set we assume the metaslot */
token = strdup(METASLOT_TOKEN_LABEL);
}
kmf_set_attr_at_index(attr, n++, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
kmf_set_attr_at_index(attr, n++, KMF_READONLY_ATTR,
&true_val, sizeof (true_val));
kmf_set_attr_at_index(attr, n++, KMF_TOKEN_BOOL_ATTR,
&true_val, sizeof (true_val));
err = kmf_configure_keystore(kmfh, n, attr);
if (err != KMF_OK)
goto out;
if ((err = kmf_pk11_token_lookup(kmfh, token, &slot)) != KMF_OK ||
(err = C_GetTokenInfo(slot, &info)) != CKR_OK)
goto out;
/* Always prompt for PIN since the key is likey CKA_SENSITIVE */
if (prompt_pkcs11_pin(hdl, zc, cmd, p11uri, &cred.cred,
&cred.credlen) != 0)
goto out;
kmf_set_attr_at_index(attr, n++, KMF_CREDENTIAL_ATTR,
&cred, sizeof (KMF_CREDENTIAL));
kmf_set_attr_at_index(attr, n++, KMF_KEYLABEL_ATTR,
p11uri->object, strlen((const char *)p11uri->object));
kmf_set_attr_at_index(attr, n++, KMF_KEYCLASS_ATTR, &keyclass,
sizeof (keyclass));
kmf_set_attr_at_index(attr, n++, KMF_ENCODE_FORMAT_ATTR, &format,
sizeof (format));
kmf_set_attr_at_index(attr, n++, KMF_COUNT_ATTR,
&numkeys, sizeof (numkeys));
err = kmf_find_key(kmfh, n, attr);
if (err != KMF_OK || numkeys != 1)
goto out;
kmf_set_attr_at_index(attr, n++, KMF_KEY_HANDLE_ATTR, &keys,
sizeof (KMF_KEY_HANDLE));
err = kmf_find_key(kmfh, n, attr);
err = kmf_get_sym_key_value(kmfh, &keys, &rkey);
if (err != KMF_OK)
goto out;
if (rkey.keydata.len == *keydatalen) {
*keydata = zfs_alloc(hdl, rkey.keydata.len);
bcopy(rkey.keydata.val, *keydata, rkey.keydata.len);
}
*keydatalen = rkey.keydata.len;
kmf_free_bigint(&rkey.keydata);
out:
if (token != NULL)
free(token);
(void) kmf_finalize(kmfh);
if (numkeys == 1 && err == KMF_OK) {
return (0);
} else if (err == KMF_ERR_AUTH_FAILED) {
zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
"PKCS#11 token login failed."));
} else if (numkeys == 0) {
zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
"PKCS#11 token object not found."));
} else if (numkeys > 1) {
zfs_error_aux(hdl, dgettext(TEXT_DOMAIN,
"keysource points to multiple PKCS#11"
" objects"));
}
ASSERT(errno != 0);
return (-1);
}
static KMF_RETURN
gencsr_pkcs11(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *certlabel, KMF_KEY_ALG keyAlg,
int keylen, uint16_t kubits, int kucrit,
KMF_ENCODE_FORMAT fmt, char *csrfile,
KMF_CREDENTIAL *tokencred, EKU_LIST *ekulist,
KMF_ALGORITHM_INDEX sigAlg, KMF_OID *curveoid)
{
KMF_RETURN kmfrv = KMF_OK;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_NAME csrSubject;
KMF_CSR_DATA csr;
KMF_DATA signedCsr = {NULL, 0};
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
(void) memset(&csr, 0, sizeof (csr));
(void) memset(&csrSubject, 0, sizeof (csrSubject));
/* If the subject name cannot be parsed, flag it now and exit */
if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK)
return (kmfrv);
/* Select a PKCS11 token */
kmfrv = select_token(kmfhandle, token, FALSE);
if (kmfrv != KMF_OK)
return (kmfrv);
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_pkcs11(kmfhandle, token, certlabel,
keyAlg, keylen, tokencred, curveoid, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), "keypair");
SET_VALUE(kmf_set_csr_version(&csr, 2), "version number");
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name");
SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg),
"SignatureAlgorithm");
if (altname != NULL) {
SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit,
alttype), "SetCSRSubjectAltName");
}
if (kubits != 0) {
SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits),
"SetCSRKeyUsage");
}
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_csr_eku(&csr,
&ekulist->ekulist[i],
ekulist->critlist[i]),
"Extended Key Usage");
}
}
if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
KMF_OK) {
kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile);
}
cleanup:
(void) kmf_free_data(&signedCsr);
(void) kmf_free_signed_csr(&csr);
/* delete the public key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR,
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist);
/*
* If there is an error, then we need to remove the private key
* from the token.
*/
if (kmfrv != KMF_OK) {
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
}
(void) kmf_free_kmf_key(kmfhandle, &prik);
return (kmfrv);
}
static KMF_RETURN
gencsr_nss(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *nickname, char *dir, char *prefix,
KMF_KEY_ALG keyAlg, int keylen,
uint16_t kubits, int kucrit,
KMF_ENCODE_FORMAT fmt, char *csrfile,
KMF_CREDENTIAL *tokencred, EKU_LIST *ekulist,
KMF_ALGORITHM_INDEX sigAlg, KMF_OID *curveoid)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_NAME csrSubject;
KMF_CSR_DATA csr;
KMF_DATA signedCsr = {NULL, 0};
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
int numattr = 0;
KMF_ATTRIBUTE attrlist[16];
if (token == NULL)
token = DEFAULT_NSS_TOKEN;
kmfrv = configure_nss(kmfhandle, dir, prefix);
if (kmfrv != KMF_OK)
return (kmfrv);
(void) memset(&csr, 0, sizeof (csr));
(void) memset(&csrSubject, 0, sizeof (csrSubject));
(void) memset(&pubk, 0, sizeof (pubk));
(void) memset(&prik, 0, sizeof (prik));
/* If the subject name cannot be parsed, flag it now and exit */
if ((kmfrv = kmf_dn_parser(subject, &csrSubject)) != KMF_OK) {
return (kmfrv);
}
kmfrv = genkeypair_nss(kmfhandle, token, nickname, dir,
prefix, keyAlg, keylen, tokencred, curveoid,
&prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr),
"kmf_set_csr_pubkey");
SET_VALUE(kmf_set_csr_version(&csr, 2), "kmf_set_csr_version");
SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject),
"kmf_set_csr_subject");
SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "kmf_set_csr_sig_alg");
if (altname != NULL) {
SET_VALUE(kmf_set_csr_subject_altname(&csr, altname, altcrit,
alttype), "kmf_set_csr_subject_altname");
}
if (kubits != NULL) {
SET_VALUE(kmf_set_csr_ku(&csr, kucrit, kubits),
"kmf_set_csr_ku");
}
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_csr_eku(&csr,
&ekulist->ekulist[i],
ekulist->critlist[i]),
"Extended Key Usage");
}
}
if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
KMF_OK) {
kmfrv = kmf_create_csr_file(&signedCsr, fmt, csrfile);
}
cleanup:
(void) kmf_free_data(&signedCsr);
(void) kmf_free_kmf_key(kmfhandle, &prik);
/* delete the key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_PUBKEY_HANDLE_ATTR,
&pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->credlen > 0) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
tokencred, sizeof (KMF_CREDENTIAL));
numattr++;
}
if (token && strlen(token)) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr, attrlist);
(void) kmf_free_signed_csr(&csr);
return (kmfrv);
}
static int
gencert_pkcs11(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *certlabel, KMF_KEY_ALG keyAlg,
KMF_ALGORITHM_INDEX sigAlg,
int keylen, uint32_t ltime, KMF_BIGINT *serial,
uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred,
EKU_LIST *ekulist, KMF_OID *curveoid)
{
KMF_RETURN kmfrv = KMF_OK;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
KMF_KEY_ALG keytype;
uint32_t keylength;
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
keylength = keylen; /* bits */
keytype = keyAlg;
/* Select a PKCS11 token */
kmfrv = select_token(kmfhandle, token, FALSE);
if (kmfrv != KMF_OK) {
return (kmfrv);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_pkcs11(kmfhandle, token, certlabel,
keytype, keylength, tokencred, curveoid, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits != 0)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"KeyUsage");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i], ekulist->critlist[i]),
"Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
if (certlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
certlabel, strlen(certlabel));
numattr++;
}
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
/*
* If kmf_sign_cert or kmf_store_cert failed, then we need to clean up
* the key pair from the token.
*/
if (kmfrv != KMF_OK) {
/* delete the public key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &pubk, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
/* delete the private key */
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr,
KMF_KEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
numattr++;
if (tokencred != NULL && tokencred->cred != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CREDENTIAL_ATTR, tokencred,
sizeof (KMF_CREDENTIAL));
numattr++;
}
(void) kmf_delete_key_from_keystore(kmfhandle, numattr,
attrlist);
}
return (kmfrv);
}
static KMF_RETURN
gencert_nss(KMF_HANDLE_T kmfhandle,
char *token, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
char *nickname, char *dir, char *prefix,
KMF_KEY_ALG keyAlg,
KMF_ALGORITHM_INDEX sigAlg,
int keylen, char *trust,
uint32_t ltime, KMF_BIGINT *serial, uint16_t kubits,
int kucrit, KMF_CREDENTIAL *tokencred,
EKU_LIST *ekulist, KMF_OID *curveoid)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS;
KMF_ATTRIBUTE attrlist[16];
int numattr = 0;
if (token == NULL)
token = DEFAULT_NSS_TOKEN;
kmfrv = configure_nss(kmfhandle, dir, prefix);
if (kmfrv != KMF_OK)
return (kmfrv);
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed.\n"));
return (PK_ERR_USAGE);
}
kmfrv = genkeypair_nss(kmfhandle, token, nickname, dir,
prefix, keyAlg, keylen, tokencred, curveoid,
&prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"subjectAltName");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i],
ekulist->critlist[i]), "Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
if (nickname != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR,
nickname, strlen(nickname));
numattr++;
}
if (trust != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TRUSTFLAG_ATTR,
trust, strlen(trust));
numattr++;
}
if (token != NULL) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
return (kmfrv);
}
static int
gencert_file(KMF_HANDLE_T kmfhandle,
KMF_KEY_ALG keyAlg, KMF_ALGORITHM_INDEX sigAlg,
int keylen, KMF_ENCODE_FORMAT fmt,
uint32_t ltime, char *subject, char *altname,
KMF_GENERALNAMECHOICES alttype, int altcrit,
KMF_BIGINT *serial, uint16_t kubits, int kucrit,
char *outcert, char *outkey,
EKU_LIST *ekulist)
{
KMF_RETURN kmfrv;
KMF_KEY_HANDLE pubk, prik;
KMF_X509_CERTIFICATE signedCert;
KMF_X509_NAME certSubject;
KMF_X509_NAME certIssuer;
KMF_DATA x509DER;
char *fullcertpath = NULL;
char *fullkeypath = NULL;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
KMF_ATTRIBUTE attrlist[10];
int numattr = 0;
(void) memset(&signedCert, 0, sizeof (signedCert));
(void) memset(&certSubject, 0, sizeof (certSubject));
(void) memset(&certIssuer, 0, sizeof (certIssuer));
(void) memset(&x509DER, 0, sizeof (x509DER));
if (EMPTYSTRING(outcert) || EMPTYSTRING(outkey)) {
cryptoerror(LOG_STDERR,
gettext("No output file was specified for "
"the cert or key\n"));
return (PK_ERR_USAGE);
}
fullcertpath = strdup(outcert);
if (verify_file(fullcertpath)) {
cryptoerror(LOG_STDERR,
gettext("Cannot write the indicated output "
"certificate file (%s).\n"), fullcertpath);
free(fullcertpath);
return (PK_ERR_USAGE);
}
/* If the subject name cannot be parsed, flag it now and exit */
if (kmf_dn_parser(subject, &certSubject) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed (%s)\n"), subject);
return (PK_ERR_USAGE);
}
/* For a self-signed cert, the issuser and subject are the same */
if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed (%s)\n"), subject);
kmf_free_dn(&certSubject);
return (PK_ERR_USAGE);
}
/*
* Share the "genkeypair" routine for creating the keypair.
*/
kmfrv = genkeypair_file(kmfhandle, keyAlg, keylen,
fmt, outkey, &prik, &pubk);
if (kmfrv != KMF_OK)
return (kmfrv);
SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert),
"keypair");
SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(&signedCert, serial),
"serial number");
SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime),
"validity time");
SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg),
"signature algorithm");
SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject),
"subject name");
SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer),
"issuer name");
if (altname != NULL)
SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit,
alttype, altname), "subjectAltName");
if (kubits != 0)
SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits),
"KeyUsage");
if (ekulist != NULL) {
int i;
for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(&signedCert,
&ekulist->ekulist[i],
ekulist->critlist[i]), "Extended Key Usage");
}
}
/*
* Construct attributes for the kmf_sign_cert operation.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&prik, sizeof (KMF_KEY_HANDLE_ATTR));
numattr++;
/* cert data that is to be signed */
kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR,
&signedCert, sizeof (KMF_X509_CERTIFICATE));
numattr++;
/* output buffer for the signed cert */
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ALGORITHM_INDEX_ATTR,
&sigAlg, sizeof (sigAlg));
numattr++;
if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) !=
KMF_OK) {
goto cleanup;
}
/*
* Store the cert in the DB.
*/
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&x509DER, sizeof (KMF_DATA));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR,
fullcertpath, strlen(fullcertpath));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR,
&fmt, sizeof (fmt));
numattr++;
kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist);
cleanup:
if (fullkeypath != NULL)
free(fullkeypath);
if (fullcertpath != NULL)
free(fullcertpath);
kmf_free_data(&x509DER);
kmf_free_dn(&certSubject);
kmf_free_dn(&certIssuer);
return (kmfrv);
}