/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2009 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #include <stdio.h> #include <limits.h> #include <stdlib.h> #include <unistd.h> #include <string.h> #include <pkglocs.h> #include <locale.h> #include <libintl.h> #include <signal.h> #include <sys/stat.h> #include <sys/statvfs.h> #include <sys/types.h> #include <fcntl.h> #include <libintl.h> #include <dirent.h> #include <openssl/err.h> #include <openssl/pkcs7.h> #include <openssl/pkcs12.h> #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/x509v3.h> #include <pkglib.h> #include <p12lib.h> #include <install.h> #include <libadm.h> #include <libinst.h> #include "pkgadm.h" #include "pkgadm_msgs.h" /* * Function: load_cert_and_key * Description: Loads a public key certificate and associated private key * from a stream. * Parameters: err - Where to write errors to for underlying library calls * incert - File to read certs and keys from * format - The format of the file * passarg - How to collect password if needed to decrypt file * key - Location to store resulting key if found * cert - Location to store resulting cert if found. * * Returns: f one or more certificates are found in the file, * and one or more keys are found, then the first * certificate is used, and the keys are searched for a * match. If no key matches the cert, then only the cert * is returned. If no certs are found, but one or more * keys are found, then the first key is returned. */ int load_cert_and_key(PKG_ERR *err, FILE *incert, keystore_encoding_format_t format, char *passarg, EVP_PKEY **key, X509 **cert) { X509 *tmpcert = NULL; EVP_PKEY *tmpkey = NULL; STACK_OF(EVP_PKEY) *keys = NULL; STACK_OF(X509) *certs = NULL; int i, ret = 0; keystore_passphrase_data data; unsigned long crypto_err; if (key) *key = NULL; if (cert) *cert = NULL; switch (format) { case KEYSTORE_FORMAT_DER: /* first try to load a DER cert, which cannot contain a key */ if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) { log_msg(LOG_MSG_ERR, MSG_PARSE); ret = 1; } break; case KEYSTORE_FORMAT_PEM: default: data.err = err; set_passphrase_passarg(passarg); set_passphrase_prompt(gettext("Enter PEM passphrase:")); if (sunw_PEM_contents(incert, pkg_passphrase_cb, &data, &keys, &certs) < 0) { /* print out openssl-generated PEM errors */ while ((crypto_err = ERR_get_error()) != 0) { log_msg(LOG_MSG_ERR, ERR_reason_error_string(crypto_err)); } ret = 1; goto cleanup; } /* take the first cert in the file, if any */ if (cert && (certs != NULL)) { if (sk_X509_num(certs) != 1) { log_msg(LOG_MSG_ERR, MSG_MULTIPLE_CERTS); ret = 1; goto cleanup; } else { tmpcert = sk_X509_value(certs, 0); } } if (key && (keys != NULL)) { if (tmpcert != NULL) { /* * if we found a cert and some keys, * only return the key that * matches the cert */ for (i = 0; i < sk_EVP_PKEY_num(keys); i++) { if (X509_check_private_key(tmpcert, sk_EVP_PKEY_value(keys, i))) { tmpkey = sk_EVP_PKEY_value(keys, i); break; } } } else { if (sk_EVP_PKEY_num(keys) > 0) { tmpkey = sk_EVP_PKEY_value(keys, 0); } } } break; } /* set results */ if (key && tmpkey) { *key = tmpkey; tmpkey = NULL; } if (cert && tmpcert) { *cert = tmpcert; tmpcert = NULL; } cleanup: if (tmpcert != NULL) { X509_free(tmpcert); } if (tmpkey != NULL) { sunw_evp_pkey_free(tmpkey); } return (ret); } /* * Function: load_all_certs * Description: Loads alll certificates from a stream. * Parameters: err - Where to write errors to for underlying library calls * incert - File to read certs and keys from * format - The format of the file * passarg - How to collect password if needed to decrypt file * certs - Location to store resulting cert if found. * * Returns: 0 - success, all certs placed in ''certs' * non-zero failure, errors in 'err' */ int load_all_certs(PKG_ERR *err, FILE *incert, keystore_encoding_format_t format, char *passarg, STACK_OF(X509) **certs) { X509 *tmpcert = NULL; STACK_OF(X509) *tmpcerts = NULL; int ret = 0; keystore_passphrase_data data; unsigned long crypto_err; if (certs) *certs = NULL; switch (format) { case KEYSTORE_FORMAT_DER: /* first try to load a DER cert, which cannot contain a key */ if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) { log_msg(LOG_MSG_ERR, MSG_PARSE); ret = 1; goto cleanup; } if ((tmpcerts = sk_X509_new_null()) == NULL) { log_msg(LOG_MSG_ERR, MSG_MEM); ret = 1; goto cleanup; } sk_X509_push(tmpcerts, tmpcert); break; case KEYSTORE_FORMAT_PEM: default: data.err = err; set_passphrase_prompt(MSG_PEM_PASSPROMPT); set_passphrase_passarg(passarg); if (sunw_PEM_contents(incert, pkg_passphrase_cb, &data, NULL, &tmpcerts) < 0) { /* print out openssl-generated PEM errors */ while ((crypto_err = ERR_get_error()) != 0) { log_msg(LOG_MSG_ERR, ERR_reason_error_string(crypto_err)); } } break; } /* set results */ if (certs && tmpcerts) { *certs = tmpcerts; tmpcerts = NULL; } cleanup: if (tmpcerts != NULL) { sk_X509_free(tmpcerts); } return (ret); }