/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static boolean_t verbose = B_FALSE; /* When nonzero, do in verbose mode */ /* The following match/cert values require PKCS12 */ static int matchty; /* Type of matching do to on input */ static char *k_matchval; /* localkeyid value to match */ static uint_t k_len; /* length of k_matchval */ #define IO_KEYFILE 1 /* Have a separate key file or data */ #define IO_CERTFILE 2 /* Have a separate cert file or data */ #define IO_TRUSTFILE 4 /* Have a separate trustanchor file */ static char *input = NULL; /* Consolidated input file */ static char *key_out = NULL; /* Key file to be output */ static char *cert_out = NULL; /* Cert file to be output */ static char *trust_out = NULL; /* Trust anchor file to be output */ static uint_t outfiles; /* What files are there for output */ static char *progname; /* Returns from time_check */ typedef enum { CHK_TIME_OK = 0, /* Cert in effect and not expired */ CHK_TIME_BEFORE_BAD, /* not_before field is invalid */ CHK_TIME_AFTER_BAD, /* not_after field is invalid */ CHK_TIME_IS_BEFORE, /* Cert not yet in force */ CHK_TIME_HAS_EXPIRED /* Cert has expired */ } time_errs_t; static int parse_keyid(const char *); static int do_certs(void); static int read_files(STACK_OF(X509) **, X509 **, EVP_PKEY **); static void check_certs(STACK_OF(X509) *, X509 **); static time_errs_t time_check_print(X509 *); static time_errs_t time_check(X509 *); static int write_files(STACK_OF(X509) *, X509 *, EVP_PKEY *); static int get_ifile(char *, char *, EVP_PKEY **, X509 **, STACK_OF(X509) **); static int do_ofile(char *, EVP_PKEY *, X509 *, STACK_OF(X509) *); static void usage(void); static const char *cryptoerr(void); int main(int argc, char **argv) { int i; /* * Do the necessary magic for localization support. */ (void) setlocale(LC_ALL, ""); #if !defined(TEXT_DOMAIN) #define TEXT_DOMAIN "SYS_TEST" #endif (void) textdomain(TEXT_DOMAIN); progname = strrchr(argv[0], '/'); if (progname != NULL) progname++; else progname = argv[0]; wbku_errinit(progname); matchty = DO_FIRST_PAIR; while ((i = getopt(argc, argv, "vc:i:k:l:t:")) != -1) { switch (i) { case 'v': verbose = B_TRUE; break; case 'l': if (parse_keyid(optarg) < 0) return (EXIT_FAILURE); matchty = DO_FIND_KEYID; break; case 'c': cert_out = optarg; outfiles |= IO_CERTFILE; break; case 'k': key_out = optarg; outfiles |= IO_KEYFILE; break; case 't': trust_out = optarg; outfiles |= IO_TRUSTFILE; break; case 'i': input = optarg; break; default: usage(); } } if (input == NULL) { wbku_printerr("no input file specified\n"); usage(); } /* * Need output files. */ if (outfiles == 0) { wbku_printerr("at least one output file must be specified\n"); usage(); } if (do_certs() < 0) return (EXIT_FAILURE); return (EXIT_SUCCESS); } static int parse_keyid(const char *keystr) { const char *rp; char *wp; char *nkeystr; uint_t nkeystrlen; /* * In the worst case, we'll need one additional character in our * output string -- e.g. "A\0" -> "0A\0" */ nkeystrlen = strlen(keystr) + 2; k_len = (nkeystrlen + 1) / 2; nkeystr = malloc(nkeystrlen); k_matchval = malloc(k_len); if (nkeystr == NULL || k_matchval == NULL) { free(nkeystr); free(k_matchval); wbku_printerr("cannot allocate keyid"); return (-1); } /* * For convenience, we allow the user to put spaces between each digit * when entering it on the command line. As a result, we need to * process it into a format that hexascii_to_octet() can handle. Note * that we're careful to map strings like "AA B CC D" to "AA0BCC0D". */ for (rp = keystr, wp = nkeystr; *rp != '\0'; rp++) { if (*rp == ' ') continue; if (rp[1] == ' ' || rp[1] == '\0') { *wp++ = '0'; /* one character sequence; prepend 0 */ *wp++ = *rp; } else { *wp++ = *rp++; *wp++ = *rp; } } *wp = '\0'; if (hexascii_to_octet(nkeystr, wp - nkeystr, k_matchval, &k_len) != 0) { free(nkeystr); free(k_matchval); wbku_printerr("invalid keyid `%s'\n", keystr); return (-1); } free(nkeystr); return (0); } static int do_certs(void) { char *bufp; STACK_OF(X509) *ta_in = NULL; EVP_PKEY *pkey_in = NULL; X509 *xcert_in = NULL; sunw_crypto_init(); if (read_files(&ta_in, &xcert_in, &pkey_in) < 0) return (-1); if (verbose) { if (xcert_in != NULL) { (void) printf(gettext("\nMain cert:\n")); /* * sunw_subject_attrs() returns a pointer to * memory allocated on our behalf. The same * behavior is exhibited by sunw_issuer_attrs(). */ bufp = sunw_subject_attrs(xcert_in, NULL, 0); if (bufp != NULL) { (void) printf(gettext(" Subject: %s\n"), bufp); OPENSSL_free(bufp); } bufp = sunw_issuer_attrs(xcert_in, NULL, 0); if (bufp != NULL) { (void) printf(gettext(" Issuer: %s\n"), bufp); OPENSSL_free(bufp); } (void) sunw_print_times(stdout, PRNT_BOTH, NULL, xcert_in); } if (ta_in != NULL) { X509 *x; int i; for (i = 0; i < sk_X509_num(ta_in); i++) { x = sk_X509_value(ta_in, i); (void) printf( gettext("\nTrust Anchor cert %d:\n"), i); /* * sunw_subject_attrs() returns a pointer to * memory allocated on our behalf. We get the * same behavior from sunw_issuer_attrs(). */ bufp = sunw_subject_attrs(x, NULL, 0); if (bufp != NULL) { (void) printf( gettext(" Subject: %s\n"), bufp); OPENSSL_free(bufp); } bufp = sunw_issuer_attrs(x, NULL, 0); if (bufp != NULL) { (void) printf( gettext(" Issuer: %s\n"), bufp); OPENSSL_free(bufp); } (void) sunw_print_times(stdout, PRNT_BOTH, NULL, x); } } } check_certs(ta_in, &xcert_in); if (xcert_in != NULL && pkey_in != NULL) { if (sunw_check_keys(xcert_in, pkey_in) == 0) { wbku_printerr("warning: key and certificate do " "not match\n"); } } return (write_files(ta_in, xcert_in, pkey_in)); } static int read_files(STACK_OF(X509) **t_in, X509 **c_in, EVP_PKEY **k_in) { char *i_pass; i_pass = getpassphrase(gettext("Enter key password: ")); if (get_ifile(input, i_pass, k_in, c_in, t_in) < 0) return (-1); /* * If we are only interested in getting a trust anchor, and if there * is no trust anchor but is a regular cert, use it instead. Do this * to handle the insanity with openssl, which requires a matching cert * and key in order to write a PKCS12 file. */ if (outfiles == IO_TRUSTFILE) { if (c_in != NULL && *c_in != NULL && t_in != NULL) { if (*t_in == NULL) { if ((*t_in = sk_X509_new_null()) == NULL) { wbku_printerr("out of memory\n"); return (-1); } } if (sk_X509_num(*t_in) == 0) { if (sk_X509_push(*t_in, *c_in) == 0) { wbku_printerr("out of memory\n"); return (-1); } *c_in = NULL; } } } if ((outfiles & IO_KEYFILE) && *k_in == NULL) { wbku_printerr("no matching key found\n"); return (-1); } if ((outfiles & IO_CERTFILE) && *c_in == NULL) { wbku_printerr("no matching certificate found\n"); return (-1); } if ((outfiles & IO_TRUSTFILE) && *t_in == NULL) { wbku_printerr("no matching trust anchor found\n"); return (-1); } return (0); } static void check_certs(STACK_OF(X509) *ta_in, X509 **c_in) { X509 *curr; time_errs_t ret; int i; int del_expired = (outfiles != 0); if (c_in != NULL && *c_in != NULL) { ret = time_check_print(*c_in); if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) && del_expired) { (void) fprintf(stderr, gettext(" Removing cert\n")); X509_free(*c_in); *c_in = NULL; } } if (ta_in == NULL) return; for (i = 0; i < sk_X509_num(ta_in); ) { curr = sk_X509_value(ta_in, i); ret = time_check_print(curr); if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) && del_expired) { (void) fprintf(stderr, gettext(" Removing cert\n")); curr = sk_X509_delete(ta_in, i); X509_free(curr); continue; } i++; } } static time_errs_t time_check_print(X509 *cert) { char buf[256]; int ret; ret = time_check(cert); if (ret == CHK_TIME_OK) return (CHK_TIME_OK); (void) fprintf(stderr, gettext(" Subject: %s"), sunw_subject_attrs(cert, buf, sizeof (buf))); (void) fprintf(stderr, gettext(" Issuer: %s"), sunw_issuer_attrs(cert, buf, sizeof (buf))); switch (ret) { case CHK_TIME_BEFORE_BAD: (void) fprintf(stderr, gettext("\n Invalid cert 'not before' field\n")); break; case CHK_TIME_AFTER_BAD: (void) fprintf(stderr, gettext("\n Invalid cert 'not after' field\n")); break; case CHK_TIME_HAS_EXPIRED: (void) sunw_print_times(stderr, PRNT_NOT_AFTER, gettext("\n Cert has expired\n"), cert); break; case CHK_TIME_IS_BEFORE: (void) sunw_print_times(stderr, PRNT_NOT_BEFORE, gettext("\n Warning: cert not yet valid\n"), cert); break; default: break; } return (ret); } static time_errs_t time_check(X509 *cert) { int i; i = X509_cmp_time(X509_get_notBefore(cert), NULL); if (i == 0) return (CHK_TIME_BEFORE_BAD); if (i > 0) return (CHK_TIME_IS_BEFORE); /* After 'not before' time */ i = X509_cmp_time(X509_get_notAfter(cert), NULL); if (i == 0) return (CHK_TIME_AFTER_BAD); if (i < 0) return (CHK_TIME_HAS_EXPIRED); return (CHK_TIME_OK); } static int write_files(STACK_OF(X509) *t_out, X509 *c_out, EVP_PKEY *k_out) { if (key_out != NULL) { if (verbose) (void) printf(gettext("%s: writing key\n"), progname); if (do_ofile(key_out, k_out, NULL, NULL) < 0) return (-1); } if (cert_out != NULL) { if (verbose) (void) printf(gettext("%s: writing cert\n"), progname); if (do_ofile(cert_out, NULL, c_out, NULL) < 0) return (-1); } if (trust_out != NULL) { if (verbose) (void) printf(gettext("%s: writing trust\n"), progname); if (do_ofile(trust_out, NULL, NULL, t_out) < 0) return (-1); } return (0); } static int get_ifile(char *name, char *pass, EVP_PKEY **tmp_k, X509 **tmp_c, STACK_OF(X509) **tmp_t) { PKCS12 *p12; FILE *fp; int ret; struct stat sbuf; if (stat(name, &sbuf) == 0 && !S_ISREG(sbuf.st_mode)) { wbku_printerr("%s is not a regular file\n", name); return (-1); } if ((fp = fopen(name, "r")) == NULL) { wbku_printerr("cannot open input file %s", name); return (-1); } p12 = d2i_PKCS12_fp(fp, NULL); if (p12 == NULL) { wbku_printerr("cannot read file %s: %s\n", name, cryptoerr()); (void) fclose(fp); return (-1); } (void) fclose(fp); ret = sunw_PKCS12_parse(p12, pass, matchty, k_matchval, k_len, NULL, tmp_k, tmp_c, tmp_t); if (ret <= 0) { if (ret == 0) wbku_printerr("cannot find matching cert and key\n"); else wbku_printerr("cannot parse %s: %s\n", name, cryptoerr()); PKCS12_free(p12); return (-1); } return (0); } static int do_ofile(char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ta) { STACK_OF(EVP_PKEY) *klist = NULL; STACK_OF(X509) *clist = NULL; PKCS12 *p12 = NULL; int ret = 0; FILE *fp; struct stat sbuf; if (stat(name, &sbuf) == 0 && !S_ISREG(sbuf.st_mode)) { wbku_printerr("%s is not a regular file\n", name); return (-1); } if ((fp = fopen(name, "w")) == NULL) { wbku_printerr("cannot open output file %s", name); return (-1); } if ((clist = sk_X509_new_null()) == NULL || (klist = sk_EVP_PKEY_new_null()) == NULL) { wbku_printerr("out of memory\n"); ret = -1; goto cleanup; } if (cert != NULL && sk_X509_push(clist, cert) == 0) { wbku_printerr("out of memory\n"); ret = -1; goto cleanup; } if (pkey != NULL && sk_EVP_PKEY_push(klist, pkey) == 0) { wbku_printerr("out of memory\n"); ret = -1; goto cleanup; } p12 = sunw_PKCS12_create(WANBOOT_PASSPHRASE, klist, clist, ta); if (p12 == NULL) { wbku_printerr("cannot create %s: %s\n", name, cryptoerr()); ret = -1; goto cleanup; } if (i2d_PKCS12_fp(fp, p12) == 0) { wbku_printerr("cannot write %s: %s\n", name, cryptoerr()); ret = -1; goto cleanup; } cleanup: (void) fclose(fp); if (p12 != NULL) PKCS12_free(p12); /* * Put the cert and pkey off of the stack so that they won't * be freed two times. (If they get left in the stack then * they will be freed with the stack.) */ if (clist != NULL) { if (cert != NULL && sk_X509_num(clist) == 1) { (void) sk_X509_delete(clist, 0); } sk_X509_pop_free(clist, X509_free); } if (klist != NULL) { if (pkey != NULL && sk_EVP_PKEY_num(klist) == 1) { (void) sk_EVP_PKEY_delete(klist, 0); } sk_EVP_PKEY_pop_free(klist, sunw_evp_pkey_free); } return (ret); } static void usage(void) { (void) fprintf(stderr, gettext("usage:\n" " %s -i -c -k -t [-l -v]\n" "\n"), progname); (void) fprintf(stderr, gettext(" where:\n" " -i - input file to be split into component parts and put in\n" " files given by -c, -k and -t\n" " -c - output file for the client certificate\n" " -k - output file for the client private key\n" " -t - output file for the remaining certificates (assumed\n" " to be trust anchors)\n" "\n Files are assumed to be pkcs12-format files.\n\n" " -v - verbose\n" " -l - value of 'localkeyid' attribute in client cert and\n" " private key to be selected from the input file.\n\n")); exit(EXIT_FAILURE); } /* * Return a pointer to a static buffer that contains a listing of crypto * errors. We presume that the user doesn't want more than 8KB of error * messages :-) */ static const char * cryptoerr(void) { static char errbuf[8192]; ulong_t err; const char *pfile; int line; unsigned int nerr = 0; errbuf[0] = '\0'; while ((err = ERR_get_error_line(&pfile, &line)) != 0) { if (++nerr > 1) (void) strlcat(errbuf, "\n\t", sizeof (errbuf)); if (err == (ulong_t)-1) { (void) strlcat(errbuf, strerror(errno), sizeof (errbuf)); break; } (void) strlcat(errbuf, ERR_reason_error_string(err), sizeof (errbuf)); } return (errbuf); }