/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved. */ /* * This file contains the functions that are shared among * the various services this tool will ultimately provide. * The functions in this file return PKCS#11 CK_RV errors. * Only one session and one login per token is supported * at this time. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <ctype.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <tzfile.h> #include <cryptoutil.h> #include <security/cryptoki.h> #include <kmfapi.h> #include "common.h" /* Local status variables. */ static boolean_t initialized = B_FALSE; static boolean_t session_opened = B_FALSE; static boolean_t logged_in = B_FALSE; /* Supporting structures and global variables for getopt_av(). */ typedef struct av_opts_s { int shortnm; /* short name character */ char *longnm; /* long name string, NOT terminated */ int longnm_len; /* length of long name string */ boolean_t has_arg; /* takes optional argument */ } av_opts; static av_opts *opts_av = NULL; static const char *_save_optstr = NULL; static int _save_numopts = 0; int optind_av = 1; char *optarg_av = NULL; static void close_sess(CK_SESSION_HANDLE); static void logout_token(CK_SESSION_HANDLE); struct oid_table_entry { const KMF_OID *oid; char *name; }; struct oid_table_entry oid_table[] = { { &KMFOID_ECC_secp112r1, "secp112r1"}, { &KMFOID_ECC_secp112r2, "secp112r2"}, { &KMFOID_ECC_secp128r1, "secp128r1"}, { &KMFOID_ECC_secp128r2, "secp128r2"}, { &KMFOID_ECC_secp160k1, "secp160k1"}, { &KMFOID_ECC_secp160r1, "secp160r1"}, { &KMFOID_ECC_secp160r2, "secp160r2"}, { &KMFOID_ECC_secp192k1, "secp192k1"}, { &KMFOID_ECC_secp192r1, "secp192r1"}, { &KMFOID_ECC_secp224k1, "secp224k1"}, { &KMFOID_ECC_secp224r1, "secp224r1"}, { &KMFOID_ECC_secp256k1, "secp256k1"}, { &KMFOID_ECC_secp256r1, "secp256r1"}, { &KMFOID_ECC_secp384r1, "secp384r1"}, { &KMFOID_ECC_secp521r1, "secp521r1"}, { &KMFOID_ECC_sect113r1, "sect113r1"}, { &KMFOID_ECC_sect113r2, "sect113r2"}, { &KMFOID_ECC_sect131r1, "sect131r1"}, { &KMFOID_ECC_sect131r2, "sect131r2"}, { &KMFOID_ECC_sect163k1, "sect163k1"}, { &KMFOID_ECC_sect163r1, "sect163r1"}, { &KMFOID_ECC_sect163r2, "sect163r2"}, { &KMFOID_ECC_sect193r1, "sect193r1"}, { &KMFOID_ECC_sect193r2, "sect193r2"}, { &KMFOID_ECC_sect233k1, "sect233k1"}, { &KMFOID_ECC_sect233r1, "sect233r1"}, { &KMFOID_ECC_sect239k1, "sect239k1"}, { &KMFOID_ECC_sect283k1, "sect283k1"}, { &KMFOID_ECC_sect283r1, "sect283r1"}, { &KMFOID_ECC_sect409k1, "sect409k1"}, { &KMFOID_ECC_sect409r1, "sect409r1"}, { &KMFOID_ECC_sect571k1, "sect571k1"}, { &KMFOID_ECC_sect571r1, "sect571r1"}, { &KMFOID_ECC_c2pnb163v1, "c2pnb163v1"}, { &KMFOID_ECC_c2pnb163v2, "c2pnb163v2"}, { &KMFOID_ECC_c2pnb163v3, "c2pnb163v3"}, { &KMFOID_ECC_c2pnb176v1, "c2pnb176v1"}, { &KMFOID_ECC_c2tnb191v1, "c2tnb191v1"}, { &KMFOID_ECC_c2tnb191v2, "c2tnb191v2"}, { &KMFOID_ECC_c2tnb191v3, "c2tnb191v3"}, { &KMFOID_ECC_c2pnb208w1, "c2pnb208w1"}, { &KMFOID_ECC_c2tnb239v1, "c2tnb239v1"}, { &KMFOID_ECC_c2tnb239v2, "c2tnb239v2"}, { &KMFOID_ECC_c2tnb239v3, "c2tnb239v3"}, { &KMFOID_ECC_c2pnb272w1, "c2pnb272w1"}, { &KMFOID_ECC_c2pnb304w1, "c2pnb304w1"}, { &KMFOID_ECC_c2tnb359v1, "c2tnb359v1"}, { &KMFOID_ECC_c2pnb368w1, "c2pnb368w1"}, { &KMFOID_ECC_c2tnb431r1, "c2tnb431r1"}, { &KMFOID_ECC_prime192v2, "prime192v2"}, { &KMFOID_ECC_prime192v3, "prime192v3"}, { &KMFOID_MD5, "md5"}, { &KMFOID_SHA1, "sha1"}, { &KMFOID_SHA256, "sha256"}, { &KMFOID_SHA384, "sha384"}, { &KMFOID_SHA512, "sha512"} }; int number_of_oids = sizeof (oid_table) / sizeof (struct oid_table_entry); #define number_of_curves (number_of_oids - 5) /* * Perform PKCS#11 setup here. Currently only C_Initialize is required, * along with setting/resetting state variables. */ static CK_RV init_pkcs11(void) { CK_RV rv = CKR_OK; /* If C_Initialize() already called, nothing to do here. */ if (initialized == B_TRUE) return (CKR_OK); /* Reset state variables because C_Initialize() not yet done. */ session_opened = B_FALSE; logged_in = B_FALSE; /* Initialize PKCS#11 library. */ if ((rv = C_Initialize(NULL_PTR)) != CKR_OK && rv != CKR_CRYPTOKI_ALREADY_INITIALIZED) { return (rv); } initialized = B_TRUE; return (CKR_OK); } /* * Finalize PKCS#11 library and reset state variables. Open sessions, * if any, are closed, and thereby any logins are logged out also. */ void final_pk11(CK_SESSION_HANDLE sess) { /* If the library wasn't initialized, nothing to do here. */ if (!initialized) return; /* Make sure the sesion is closed first. */ close_sess(sess); (void) C_Finalize(NULL); initialized = B_FALSE; } /* * Close PKCS#11 session and reset state variables. Any logins are * logged out. */ static void close_sess(CK_SESSION_HANDLE sess) { if (sess == 0) { return; } /* If session is already closed, nothing to do here. */ if (!session_opened) return; /* Make sure user is logged out of token. */ logout_token(sess); (void) C_CloseSession(sess); session_opened = B_FALSE; } /* * Log user out of token and reset status variable. */ static void logout_token(CK_SESSION_HANDLE sess) { if (sess == 0) { return; } /* If already logged out, nothing to do here. */ if (!logged_in) return; (void) C_Logout(sess); logged_in = B_FALSE; } /* * Gets PIN from user. Caller needs to free the returned PIN when done. * If two prompts are given, the PIN is confirmed with second prompt. * Note that getphassphrase() may return data in static memory area. */ CK_RV get_pin(char *prompt1, char *prompt2, CK_UTF8CHAR_PTR *pin, CK_ULONG *pinlen) { char *save_phrase, *phrase1, *phrase2; /* Prompt user for a PIN. */ if (prompt1 == NULL) { return (CKR_ARGUMENTS_BAD); } if ((phrase1 = getpassphrase(prompt1)) == NULL) { return (CKR_FUNCTION_FAILED); } /* Duplicate 1st PIN in separate chunk of memory. */ if ((save_phrase = strdup(phrase1)) == NULL) return (CKR_HOST_MEMORY); /* If second prompt given, PIN confirmation is requested. */ if (prompt2 != NULL) { if ((phrase2 = getpassphrase(prompt2)) == NULL) { free(save_phrase); return (CKR_FUNCTION_FAILED); } if (strcmp(save_phrase, phrase2) != 0) { free(save_phrase); return (CKR_PIN_INCORRECT); } } *pin = (CK_UTF8CHAR_PTR)save_phrase; *pinlen = strlen(save_phrase); return (CKR_OK); } int yn_to_int(char *ynstr) { char *y = gettext("yes"); char *n = gettext("no"); if (ynstr == NULL) return (-1); if (strncasecmp(ynstr, y, 1) == 0) return (1); else if (strncasecmp(ynstr, n, 1) == 0) return (0); else return (-1); } /* * Gets yes/no response from user. If either no prompt is supplied, a * default prompt is used. If not message for invalid input is supplied, * a default will not be provided. If the user provides no response, * the input default B_TRUE == yes, B_FALSE == no is returned. * Otherwise, B_TRUE is returned for yes, and B_FALSE for no. */ boolean_t yesno(char *prompt, char *invalid, boolean_t dflt) { char *response, buf[1024]; int ans; if (prompt == NULL) prompt = gettext("Enter (y)es or (n)o? "); for (;;) { /* Prompt user. */ (void) printf("%s", prompt); (void) fflush(stdout); /* Get the response. */ if ((response = fgets(buf, sizeof (buf), stdin)) == NULL) break; /* go to default response */ /* Skip any leading white space. */ while (isspace(*response)) response++; if (*response == '\0') break; /* go to default response */ ans = yn_to_int(response); if (ans == 1) return (B_TRUE); else if (ans == 0) return (B_FALSE); /* Indicate invalid input, and try again. */ if (invalid != NULL) (void) printf("%s", invalid); } return (dflt); } /* * Gets the list of slots which have tokens in them. Keeps adjusting * the size of the slot list buffer until the call is successful or an * irrecoverable error occurs. */ CK_RV get_token_slots(CK_SLOT_ID_PTR *slot_list, CK_ULONG *slot_count) { CK_ULONG tmp_count = 0; CK_SLOT_ID_PTR tmp_list = NULL_PTR, tmp2_list = NULL_PTR; int rv = CKR_OK; if (!initialized) if ((rv = init_pkcs11()) != CKR_OK) return (rv); /* * Get the slot count first because we don't know how many * slots there are and how many of those slots even have tokens. * Don't specify an arbitrary buffer size for the slot list; * it may be too small (see section 11.5 of PKCS#11 spec). * Also select only those slots that have tokens in them, * because this tool has no need to know about empty slots. */ if ((rv = C_GetSlotList(1, NULL_PTR, &tmp_count)) != CKR_OK) return (rv); if (tmp_count == 0) { *slot_list = NULL_PTR; *slot_count = 0; return (CKR_OK); } /* Allocate initial space for the slot list. */ if ((tmp_list = (CK_SLOT_ID_PTR) malloc(tmp_count * sizeof (CK_SLOT_ID))) == NULL) return (CKR_HOST_MEMORY); /* Then get the slot list itself. */ for (;;) { if ((rv = C_GetSlotList(1, tmp_list, &tmp_count)) == CKR_OK) { *slot_list = tmp_list; *slot_count = tmp_count; break; } if (rv != CKR_BUFFER_TOO_SMALL) { free(tmp_list); break; } /* If the number of slots grew, try again. */ if ((tmp2_list = (CK_SLOT_ID_PTR) realloc(tmp_list, tmp_count * sizeof (CK_SLOT_ID))) == NULL) { free(tmp_list); rv = CKR_HOST_MEMORY; break; } tmp_list = tmp2_list; } return (rv); } /* * Breaks out the getopt-style option string into a structure that can be * traversed later for calls to getopt_av(). Option string is NOT altered, * but the struct fields point to locations within option string. */ static int populate_opts(char *optstring) { int i; av_opts *temp; char *marker; if (optstring == NULL || *optstring == '\0') return (0); /* * This tries to imitate getopt(3c) Each option must conform to: * <short name char> [ ':' ] [ '(' <long name string> ')' ] * If long name is missing, the short name is used for long name. */ for (i = 0; *optstring != '\0'; i++) { if ((temp = (av_opts *)((i == 0) ? malloc(sizeof (av_opts)) : realloc(opts_av, (i+1) * sizeof (av_opts)))) == NULL) { if (opts_av != NULL) free(opts_av); opts_av = NULL; return (0); } else { opts_av = (av_opts *)temp; } (void) memset(&opts_av[i], 0, sizeof (av_opts)); marker = optstring; /* may need optstring later */ opts_av[i].shortnm = *marker++; /* set short name */ if (*marker == ':') { /* check for opt arg */ marker++; opts_av[i].has_arg = B_TRUE; } if (*marker == '(') { /* check and set long name */ marker++; opts_av[i].longnm = marker; opts_av[i].longnm_len = strcspn(marker, ")"); optstring = marker + opts_av[i].longnm_len + 1; } else { /* use short name option character */ opts_av[i].longnm = optstring; opts_av[i].longnm_len = 1; optstring = marker; } } return (i); } /* * getopt_av() is very similar to getopt(3c) in that the takes an option * string, compares command line arguments for matches, and returns a single * letter option when a match is found. However, getopt_av() differs from * getopt(3c) by requiring that only longname options and values be found * on the command line and all leading dashes are omitted. In other words, * it tries to enforce only longname "option=value" arguments on the command * line. Boolean options are not allowed either. */ int getopt_av(int argc, char * const *argv, const char *optstring) { int i; int len; char *cur_option; if (optind_av >= argc) return (EOF); /* First time or when optstring changes from previous one */ if (_save_optstr != optstring) { if (opts_av != NULL) free(opts_av); opts_av = NULL; _save_optstr = optstring; _save_numopts = populate_opts((char *)optstring); } for (i = 0; i < _save_numopts; i++) { cur_option = argv[optind_av]; if (strcmp(cur_option, "--") == 0) { optind_av++; break; } if (cur_option[0] == '-' && strlen(cur_option) == 2) { len = 1; cur_option++; /* remove "-" */ } else { len = strcspn(cur_option, "="); } if (len == opts_av[i].longnm_len && strncmp(cur_option, opts_av[i].longnm, opts_av[i].longnm_len) == 0) { /* matched */ if (!opts_av[i].has_arg) { optind_av++; return (opts_av[i].shortnm); } /* needs optarg */ if (cur_option[len] == '=') { optarg_av = &(cur_option[len+1]); optind_av++; return (opts_av[i].shortnm); } optarg_av = NULL; optind_av++; return ((int)'?'); } } return (EOF); } KMF_KEYSTORE_TYPE KS2Int(char *keystore_str) { if (keystore_str == NULL) return (0); if (strcasecmp(keystore_str, "pkcs11") == 0) return (KMF_KEYSTORE_PK11TOKEN); else if (strcasecmp(keystore_str, "nss") == 0) return (KMF_KEYSTORE_NSS); else if (strcasecmp(keystore_str, "file") == 0) return (KMF_KEYSTORE_OPENSSL); else return (0); } /* * compare_oids * return 1 if equal */ boolean_t compare_oids(KMF_OID *oid1, const KMF_OID *oid2) { return ((oid1->Length == oid2->Length) && !memcmp(oid1->Data, oid2->Data, oid1->Length)); } int Str2KeyType(char *algm, KMF_OID *hashoid, KMF_KEY_ALG *ktype, KMF_ALGORITHM_INDEX *sigAlg) { if (algm == NULL) { /* Default to SHA1+RSA */ *sigAlg = KMF_ALGID_SHA1WithRSA; *ktype = KMF_RSA; } else if (strcasecmp(algm, "DSA") == 0) { if (hashoid == NULL || compare_oids(hashoid, &KMFOID_SHA1)) *sigAlg = KMF_ALGID_SHA1WithDSA; else if (compare_oids(hashoid, &KMFOID_SHA256)) *sigAlg = KMF_ALGID_SHA256WithDSA; else return (-1); /* unsupported hash/key combo */ *ktype = KMF_DSA; } else if (strcasecmp(algm, "RSA") == 0) { if (hashoid == NULL || compare_oids(hashoid, &KMFOID_SHA1)) *sigAlg = KMF_ALGID_SHA1WithRSA; else if (compare_oids(hashoid, &KMFOID_SHA256)) *sigAlg = KMF_ALGID_SHA256WithRSA; else if (compare_oids(hashoid, &KMFOID_SHA384)) *sigAlg = KMF_ALGID_SHA384WithRSA; else if (compare_oids(hashoid, &KMFOID_SHA512)) *sigAlg = KMF_ALGID_SHA512WithRSA; else if (compare_oids(hashoid, &KMFOID_MD5)) *sigAlg = KMF_ALGID_MD5WithRSA; else return (-1); /* unsupported hash/key combo */ *ktype = KMF_RSA; } else if (strcasecmp(algm, "EC") == 0) { /* EC keys may be used with some SHA2 hashes */ if (hashoid == NULL || compare_oids(hashoid, &KMFOID_SHA1)) *sigAlg = KMF_ALGID_SHA1WithECDSA; else if (compare_oids(hashoid, &KMFOID_SHA256)) *sigAlg = KMF_ALGID_SHA256WithECDSA; else if (compare_oids(hashoid, &KMFOID_SHA384)) *sigAlg = KMF_ALGID_SHA384WithECDSA; else if (compare_oids(hashoid, &KMFOID_SHA512)) *sigAlg = KMF_ALGID_SHA512WithECDSA; else return (-1); /* unsupported hash/key combo */ *ktype = KMF_ECDSA; } else { return (-1); } return (0); } int Str2SymKeyType(char *algm, KMF_KEY_ALG *ktype) { if (algm == NULL) *ktype = KMF_AES; else if (strcasecmp(algm, "aes") == 0) *ktype = KMF_AES; else if (strcasecmp(algm, "arcfour") == 0) *ktype = KMF_RC4; else if (strcasecmp(algm, "des") == 0) *ktype = KMF_DES; else if (strcasecmp(algm, "3des") == 0) *ktype = KMF_DES3; else if (strcasecmp(algm, "generic") == 0) *ktype = KMF_GENERIC_SECRET; else return (-1); return (0); } int Str2Lifetime(char *ltimestr, uint32_t *ltime) { int num; char timetok[6]; if (ltimestr == NULL || strlen(ltimestr) == 0) { /* default to 1 year lifetime */ *ltime = SECSPERDAY * DAYSPERNYEAR; return (0); } (void) memset(timetok, 0, sizeof (timetok)); if (sscanf(ltimestr, "%d-%06s", &num, timetok) != 2) return (-1); if (strcasecmp(timetok, "day") == 0|| strcasecmp(timetok, "days") == 0) { *ltime = num * SECSPERDAY; } else if (strcasecmp(timetok, "hour") == 0|| strcasecmp(timetok, "hours") == 0) { *ltime = num * SECSPERHOUR; } else if (strcasecmp(timetok, "year") == 0 || strcasecmp(timetok, "years") == 0) { *ltime = num * SECSPERDAY * DAYSPERNYEAR; } else { *ltime = 0; return (-1); } return (0); } int OT2Int(char *objclass) { char *c = NULL; int retval = 0; if (objclass == NULL) return (-1); c = strchr(objclass, ':'); if (c != NULL) { if (strcasecmp(c, ":private") == 0) retval = PK_PRIVATE_OBJ; else if (strcasecmp(c, ":public") == 0) retval = PK_PUBLIC_OBJ; else if (strcasecmp(c, ":both") == 0) retval = PK_PRIVATE_OBJ | PK_PUBLIC_OBJ; else /* unrecognized option */ return (-1); *c = '\0'; } if (strcasecmp(objclass, "public") == 0) { if (retval) return (-1); return (retval | PK_PUBLIC_OBJ | PK_CERT_OBJ | PK_PUBKEY_OBJ); } else if (strcasecmp(objclass, "private") == 0) { if (retval) return (-1); return (retval | PK_PRIKEY_OBJ | PK_PRIVATE_OBJ); } else if (strcasecmp(objclass, "both") == 0) { if (retval) return (-1); return (PK_KEY_OBJ | PK_PUBLIC_OBJ | PK_PRIVATE_OBJ); } else if (strcasecmp(objclass, "cert") == 0) { return (retval | PK_CERT_OBJ); } else if (strcasecmp(objclass, "key") == 0) { if (retval == 0) /* return all keys */ return (retval | PK_KEY_OBJ); else if (retval == (PK_PRIVATE_OBJ | PK_PUBLIC_OBJ)) /* return all keys */ return (retval | PK_KEY_OBJ); else if (retval & PK_PUBLIC_OBJ) /* Only return public keys */ return (retval | PK_PUBKEY_OBJ); else if (retval & PK_PRIVATE_OBJ) /* Only return private keys */ return (retval | PK_PRIKEY_OBJ); } else if (strcasecmp(objclass, "crl") == 0) { if (retval) return (-1); return (retval | PK_CRL_OBJ); } if (retval == 0) /* No matches found */ retval = -1; return (retval); } KMF_ENCODE_FORMAT Str2Format(char *formstr) { if (formstr == NULL || strcasecmp(formstr, "der") == 0) return (KMF_FORMAT_ASN1); if (strcasecmp(formstr, "pem") == 0) return (KMF_FORMAT_PEM); if (strcasecmp(formstr, "pkcs12") == 0) return (KMF_FORMAT_PKCS12); if (strcasecmp(formstr, "raw") == 0) return (KMF_FORMAT_RAWKEY); return (KMF_FORMAT_UNDEF); } KMF_RETURN select_token(void *kmfhandle, char *token, int readonly) { KMF_ATTRIBUTE attlist[10]; int i = 0; KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; KMF_RETURN rv = KMF_OK; if (token == NULL) return (KMF_ERR_BAD_PARAMETER); kmf_set_attr_at_index(attlist, i, KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); i++; if (token) { kmf_set_attr_at_index(attlist, i, KMF_TOKEN_LABEL_ATTR, token, strlen(token)); i++; } kmf_set_attr_at_index(attlist, i, KMF_READONLY_ATTR, &readonly, sizeof (readonly)); i++; rv = kmf_configure_keystore(kmfhandle, i, attlist); if (rv == KMF_ERR_TOKEN_SELECTED) rv = KMF_OK; return (rv); } KMF_RETURN configure_nss(void *kmfhandle, char *dir, char *prefix) { KMF_ATTRIBUTE attlist[10]; int i = 0; KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; KMF_RETURN rv = KMF_OK; kmf_set_attr_at_index(attlist, i, KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); i++; if (dir) { kmf_set_attr_at_index(attlist, i, KMF_DIRPATH_ATTR, dir, strlen(dir)); i++; } if (prefix) { kmf_set_attr_at_index(attlist, i, KMF_CERTPREFIX_ATTR, prefix, strlen(prefix)); i++; kmf_set_attr_at_index(attlist, i, KMF_KEYPREFIX_ATTR, prefix, strlen(prefix)); i++; } rv = kmf_configure_keystore(kmfhandle, i, attlist); if (rv == KMF_KEYSTORE_ALREADY_INITIALIZED) rv = KMF_OK; return (rv); } KMF_RETURN get_pk12_password(KMF_CREDENTIAL *cred) { KMF_RETURN rv = KMF_OK; char prompt[1024]; /* * Get the password to use for the PK12 encryption. */ (void) strlcpy(prompt, gettext("Enter password to use for " "accessing the PKCS12 file: "), sizeof (prompt)); if (get_pin(prompt, NULL, (uchar_t **)&cred->cred, (ulong_t *)&cred->credlen) != CKR_OK) { cred->cred = NULL; cred->credlen = 0; } return (rv); } #define FILENAME_PROMPT gettext("Filename:") #define FILENAME_MINLEN 1 #define FILENAME_MAXLEN MAXPATHLEN #define COUNTRY_PROMPT gettext("Country Name (2 letter code) [US]:") #define STATE_PROMPT gettext("State or Province Name (full name) " \ "[Some-State]:") #define LOCALITY_PROMPT gettext("Locality Name (eg, city) []:") #define ORG_PROMPT gettext("Organization Name (eg, company) []:") #define UNIT_PROMPT gettext("Organizational Unit Name (eg, section) []:") #define NAME_PROMPT gettext("Common Name (eg, YOUR name) []:") #define EMAIL_PROMPT gettext("Email Address []:") #define SERNO_PROMPT gettext("Serial Number (hex value, example: " \ "0x01020304):") #define SERNO_MINLEN 3 #define SERNO_MAXLEN 42 #define LABEL_PROMPT gettext("Enter a label for the certificate:") #define LABEL_MINLEN 1 #define LABEL_MAXLEN 1024 #define COUNTRY_DEFAULT "US" #define STATE_DEFAULT NULL #define INVALID_INPUT gettext("Invalid input; please re-enter ...") #define SUBNAMESIZ 1024 #define RDN_MIN 1 #define RDN_MAX 64 #define COUNTRYNAME_MIN 2 #define COUNTRYNAME_MAX 2 static char * get_input_string(char *prompt, char *default_str, int min_len, int max_len) { char buf[1024]; char *response = NULL; char *ret = NULL; int len; for (;;) { (void) printf("\t%s", prompt); (void) fflush(stdout); response = fgets(buf, sizeof (buf), stdin); if (response == NULL) { if (default_str != NULL) { ret = strdup(default_str); } break; } /* Skip any leading white space. */ while (isspace(*response)) response++; if (*response == '\0') { if (default_str != NULL) { ret = strdup(default_str); } break; } len = strlen(response); response[len-1] = '\0'; /* get rid of "LF" */ len--; if (len >= min_len && len <= max_len) { ret = strdup(response); break; } (void) printf("%s\n", INVALID_INPUT); } return (ret); } int get_filename(char *txt, char **result) { char prompt[1024]; char *fname = NULL; (void) snprintf(prompt, sizeof (prompt), gettext("Enter filename for the %s: "), txt); fname = get_input_string(prompt, NULL, FILENAME_MINLEN, FILENAME_MAXLEN); *result = fname; return (0); } int get_certlabel(char **result) { char *label = NULL; label = get_input_string(LABEL_PROMPT, NULL, LABEL_MINLEN, LABEL_MAXLEN); *result = label; return (0); } int get_serial(char **result) { char *serial = NULL; serial = get_input_string(SERNO_PROMPT, NULL, SERNO_MINLEN, SERNO_MAXLEN); *result = serial; return (0); } int get_subname(char **result) { char *country = NULL; char *state = NULL; char *locality = NULL; char *org = NULL; char *unit = NULL; char *name = NULL; char *email = NULL; char *subname = NULL; (void) printf("Entering following fields for subject (a DN) ...\n"); country = get_input_string(COUNTRY_PROMPT, COUNTRY_DEFAULT, COUNTRYNAME_MIN, COUNTRYNAME_MAX); if (country == NULL) return (-1); state = get_input_string(STATE_PROMPT, STATE_DEFAULT, RDN_MIN, RDN_MAX); locality = get_input_string(LOCALITY_PROMPT, NULL, RDN_MIN, RDN_MAX); org = get_input_string(ORG_PROMPT, NULL, RDN_MIN, RDN_MAX); unit = get_input_string(UNIT_PROMPT, NULL, RDN_MIN, RDN_MAX); name = get_input_string(NAME_PROMPT, NULL, RDN_MIN, RDN_MAX); email = get_input_string(EMAIL_PROMPT, NULL, RDN_MIN, RDN_MAX); /* Now create a subject name from the input strings */ if ((subname = malloc(SUBNAMESIZ)) == NULL) goto out; (void) memset(subname, 0, SUBNAMESIZ); (void) strlcpy(subname, "C=", SUBNAMESIZ); (void) strlcat(subname, country, SUBNAMESIZ); if (state != NULL) { (void) strlcat(subname, ", ST=", SUBNAMESIZ); (void) strlcat(subname, state, SUBNAMESIZ); } if (locality != NULL) { (void) strlcat(subname, ", L=", SUBNAMESIZ); (void) strlcat(subname, locality, SUBNAMESIZ); } if (org != NULL) { (void) strlcat(subname, ", O=", SUBNAMESIZ); (void) strlcat(subname, org, SUBNAMESIZ); } if (unit != NULL) { (void) strlcat(subname, ", OU=", SUBNAMESIZ); (void) strlcat(subname, unit, SUBNAMESIZ); } if (name != NULL) { (void) strlcat(subname, ", CN=", SUBNAMESIZ); (void) strlcat(subname, name, SUBNAMESIZ); } if (email != NULL) { (void) strlcat(subname, ", E=", SUBNAMESIZ); (void) strlcat(subname, email, SUBNAMESIZ); } out: if (country) free(country); if (state) free(state); if (locality) free(locality); if (org) free(org); if (unit) free(unit); if (name) free(name); if (email) free(email); if (subname == NULL) return (-1); else { *result = subname; return (0); } } /* * Parse a string of KeyUsage values and convert * them to the correct KU Bits. * The field may be marked "critical" by prepending * "critical:" to the list. * EX: critical:digitialSignature,keyEncipherment */ KMF_RETURN verify_keyusage(char *kustr, uint16_t *kubits, int *critical) { KMF_RETURN ret = KMF_OK; uint16_t kuval; char *k; *kubits = 0; if (kustr == NULL || strlen(kustr) == 0) return (KMF_ERR_BAD_PARAMETER); /* Check to see if this is critical */ if (strncasecmp(kustr, "critical:", strlen("critical:")) == 0) { *critical = TRUE; kustr += strlen("critical:"); } else { *critical = FALSE; } k = strtok(kustr, ","); while (k != NULL) { kuval = kmf_string_to_ku(k); if (kuval == 0) { *kubits = 0; return (KMF_ERR_BAD_PARAMETER); } *kubits |= kuval; k = strtok(NULL, ","); } return (ret); } /* * Verify the alternate subject label is real or invalid. * * The field may be marked "critical" by prepending * "critical:" to the list. * EX: "critical:IP=1.2.3.4" */ KMF_RETURN verify_altname(char *arg, KMF_GENERALNAMECHOICES *type, int *critical) { char *p; KMF_RETURN rv = KMF_OK; /* Check to see if this is critical */ if (strncasecmp(arg, "critical:", strlen("critical:")) == 0) { *critical = TRUE; arg += strlen("critical:"); } else { *critical = FALSE; } /* Make sure there is an "=" sign */ p = strchr(arg, '='); if (p == NULL) return (KMF_ERR_BAD_PARAMETER); p[0] = '\0'; if (strcmp(arg, "IP") == 0) *type = GENNAME_IPADDRESS; else if (strcmp(arg, "DNS") == 0) *type = GENNAME_DNSNAME; else if (strcmp(arg, "EMAIL") == 0) *type = GENNAME_RFC822NAME; else if (strcmp(arg, "URI") == 0) *type = GENNAME_URI; else if (strcmp(arg, "DN") == 0) *type = GENNAME_DIRECTORYNAME; else if (strcmp(arg, "RID") == 0) *type = GENNAME_REGISTEREDID; else if (strcmp(arg, "KRB") == 0) *type = GENNAME_KRB5PRINC; else if (strcmp(arg, "UPN") == 0) *type = GENNAME_SCLOGON_UPN; else rv = KMF_ERR_BAD_PARAMETER; p[0] = '='; return (rv); } int get_token_password(KMF_KEYSTORE_TYPE kstype, char *token_spec, KMF_CREDENTIAL *cred) { char prompt[1024]; char temptoken[32]; char *p = NULL; char *t = NULL; int len; (void) memset(temptoken, 0, sizeof (temptoken)); if (kstype == KMF_KEYSTORE_PK11TOKEN) { p = strchr(token_spec, ':'); if (p != NULL) *p = 0; } len = strlen(token_spec); if (len > sizeof (temptoken)) len = sizeof (temptoken); (void) strncpy(temptoken, token_spec, len); /* * Strip trailing whitespace */ t = temptoken + (len - 1); while (isspace(*t) && t >= temptoken) { *t = 0x00; t--; } /* * Login to the token first. */ (void) snprintf(prompt, sizeof (prompt), gettext(DEFAULT_TOKEN_PROMPT), temptoken); if (get_pin(prompt, NULL, (uchar_t **)&cred->cred, (ulong_t *)&cred->credlen) != CKR_OK) { cred->cred = NULL; cred->credlen = 0; } if (kstype == KMF_KEYSTORE_PK11TOKEN && p != NULL) *p = ':'; return (KMF_OK); } KMF_RETURN verify_file(char *filename) { KMF_RETURN ret = KMF_OK; int fd; /* * Attempt to open with the EXCL flag so that if * it already exists, the open will fail. It will * also fail if the file cannot be created due to * permissions on the parent directory, or if the * parent directory itself does not exist. */ fd = open(filename, O_CREAT | O_EXCL, 0600); if (fd == -1) { if (errno == EEXIST) return (KMF_ERR_OPEN_FILE); else return (KMF_ERR_WRITE_FILE); } /* If we were able to create it, delete it. */ (void) close(fd); (void) unlink(filename); return (ret); } void display_error(void *handle, KMF_RETURN errcode, char *prefix) { KMF_RETURN rv1, rv2; char *plugin_errmsg = NULL; char *kmf_errmsg = NULL; rv1 = kmf_get_plugin_error_str(handle, &plugin_errmsg); rv2 = kmf_get_kmf_error_str(errcode, &kmf_errmsg); cryptoerror(LOG_STDERR, "%s:", prefix); if (rv1 == KMF_OK && plugin_errmsg) { cryptoerror(LOG_STDERR, gettext("keystore error: %s"), plugin_errmsg); kmf_free_str(plugin_errmsg); } if (rv2 == KMF_OK && kmf_errmsg) { cryptoerror(LOG_STDERR, gettext("libkmf error: %s"), kmf_errmsg); kmf_free_str(kmf_errmsg); } if (rv1 != KMF_OK && rv2 != KMF_OK) cryptoerror(LOG_STDERR, gettext("<unknown error>\n")); } static KMF_RETURN addToEKUList(EKU_LIST *ekus, int critical, KMF_OID *newoid) { if (newoid != NULL && ekus != NULL) { ekus->eku_count++; ekus->critlist = realloc(ekus->critlist, ekus->eku_count * sizeof (int)); if (ekus->critlist != NULL) ekus->critlist[ekus->eku_count-1] = critical; else return (KMF_ERR_MEMORY); ekus->ekulist = realloc( ekus->ekulist, ekus->eku_count * sizeof (KMF_OID)); if (ekus->ekulist != NULL) ekus->ekulist[ekus->eku_count-1] = *newoid; else return (KMF_ERR_MEMORY); } return (KMF_OK); } void free_eku_list(EKU_LIST *ekus) { if (ekus != NULL && ekus->eku_count > 0) { int i; for (i = 0; i < ekus->eku_count; i++) { kmf_free_data(&ekus->ekulist[i]); } free(ekus->ekulist); free(ekus->critlist); free(ekus); } } static KMF_RETURN parse_ekus(char *ekustr, EKU_LIST *ekus) { KMF_RETURN rv = KMF_OK; KMF_OID *newoid; int critical; if (strncasecmp(ekustr, "critical:", strlen("critical:")) == 0) { critical = TRUE; ekustr += strlen("critical:"); } else { critical = FALSE; } newoid = kmf_ekuname_to_oid(ekustr); if (newoid != NULL) { rv = addToEKUList(ekus, critical, newoid); free(newoid); } else { rv = PK_ERR_USAGE; } return (rv); } KMF_RETURN verify_ekunames(char *ekuliststr, EKU_LIST **ekulist) { KMF_RETURN rv = KMF_OK; char *p; EKU_LIST *ekus = NULL; if (ekuliststr == NULL || strlen(ekuliststr) == 0) return (0); ekus = calloc(sizeof (EKU_LIST), 1); if (ekus == NULL) return (KMF_ERR_MEMORY); /* * The list should be comma separated list of EKU Names. */ p = strtok(ekuliststr, ","); /* If no tokens found, then maybe it's just a single EKU value */ if (p == NULL) { rv = parse_ekus(ekuliststr, ekus); } while (p != NULL) { rv = parse_ekus(p, ekus); if (rv != KMF_OK) break; p = strtok(NULL, ","); } if (rv != KMF_OK) free_eku_list(ekus); else *ekulist = ekus; return (rv); } KMF_RETURN token_auth_needed(KMF_HANDLE_T handle, char *tokenlabel, int *auth) { CK_TOKEN_INFO info; CK_SLOT_ID slot; CK_RV ckrv; KMF_RETURN rv; *auth = 0; rv = kmf_pk11_token_lookup(handle, tokenlabel, &slot); if (rv != KMF_OK) return (rv); ckrv = C_GetTokenInfo(slot, &info); if (ckrv != KMF_OK) return (KMF_ERR_INTERNAL); *auth = (info.flags & CKF_LOGIN_REQUIRED); return (KMF_OK); } void show_ecc_curves() { int i; (void) printf(gettext("Supported ECC curve names:\n")); for (i = 0; i < number_of_curves; i++) { (void) printf("%s", oid_table[i].name); if (i > 0 && ((i+1) % 5) == 0) (void) printf("\n"); else if (i+1 < number_of_curves) (void) printf(", "); } (void) printf("\n"); } KMF_OID * ecc_name_to_oid(char *name) { int i; for (i = 0; i < number_of_oids; i++) { if (strcasecmp(name, oid_table[i].name) == 0) return ((KMF_OID *)oid_table[i].oid); } return (NULL); }