1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * Developer command for adding the signature section to an ELF object 28 * PSARC 2001/488 29 * 30 * DEBUG Information: 31 * This command uses the cryptodebug() function from libcryptoutil. 32 * Set SUNW_CRYPTO_DEBUG to stderr or syslog for all debug to go to auth.debug 33 */ 34 35 #include <stdio.h> 36 #include <stdlib.h> 37 #include <stdarg.h> 38 #include <limits.h> 39 #include <time.h> 40 #include <unistd.h> 41 #include <sys/types.h> 42 #include <sys/stat.h> 43 #include <fcntl.h> 44 #include <libintl.h> 45 #include <locale.h> 46 #include <errno.h> 47 #include <strings.h> 48 49 #include <cryptoutil.h> 50 #include <sys/crypto/elfsign.h> 51 #include <libelfsign.h> 52 53 #include <kmfapi.h> 54 55 #define SIGN "sign" 56 #define SIGN_OPTS "c:e:F:k:P:T:v" 57 #define VERIFY "verify" 58 #define VERIFY_OPTS "c:e:v" 59 #define REQUEST "request" 60 #define REQUEST_OPTS "i:k:r:T:" 61 #define LIST "list" 62 #define LIST_OPTS "c:e:f:" 63 64 enum cmd_e { 65 ES_SIGN, 66 ES_VERIFY, 67 ES_REQUEST, 68 ES_LIST 69 }; 70 71 enum field_e { 72 FLD_UNKNOWN, 73 FLD_SUBJECT, 74 FLD_ISSUER, 75 FLD_FORMAT, 76 FLD_SIGNER, 77 FLD_TIME 78 }; 79 80 #define MIN_ARGS 3 /* The minimum # args to do anything */ 81 #define ES_DEFAULT_KEYSIZE 1024 82 83 static struct { 84 enum cmd_e cmd; /* sub command: sign | verify | request */ 85 char *cert; /* -c <certificate_file> | */ 86 /* -r <certificate_request_file> */ 87 char **elfobj; /* -e <elf_object> */ 88 int elfcnt; 89 enum ES_ACTION es_action; 90 ELFsign_t ess; /* libelfsign opaque "state" */ 91 int extracnt; 92 enum field_e field; /* -f <field> */ 93 char internal_req; /* Sun internal certificate request */ 94 char *pinpath; /* -P <pin> */ 95 char *privpath; /* -k <private_key> */ 96 char *token_label; /* -T <token_label> */ 97 boolean_t verbose; /* chatty output */ 98 } cmd_info; 99 100 enum ret_e { 101 EXIT_OKAY, 102 EXIT_INVALID_ARG, 103 EXIT_VERIFY_FAILED, 104 EXIT_CANT_OPEN_ELF_OBJECT, 105 EXIT_BAD_CERT, 106 EXIT_BAD_PRIVATEKEY, 107 EXIT_SIGN_FAILED, 108 EXIT_VERIFY_FAILED_UNSIGNED, 109 EXIT_CSR_FAILED, 110 EXIT_MEMORY_ERROR 111 }; 112 113 struct field_s { 114 char *name; 115 enum field_e field; 116 } fields[] = { 117 { "subject", FLD_SUBJECT }, 118 { "issuer", FLD_ISSUER }, 119 { "format", FLD_FORMAT }, 120 { "signer", FLD_SIGNER }, 121 { "time", FLD_TIME }, 122 NULL, 0 123 }; 124 125 typedef enum ret_e ret_t; 126 127 static void usage(void); 128 static ret_t getelfobj(char *); 129 static char *getpin(void); 130 static ret_t do_sign(char *); 131 static ret_t do_verify(char *); 132 static ret_t do_cert_request(char *); 133 static ret_t do_list(char *); 134 static void es_error(const char *fmt, ...); 135 static char *time_str(time_t t); 136 static void sig_info_print(struct ELFsign_sig_info *esip); 137 138 int 139 main(int argc, char **argv) 140 { 141 extern char *optarg; 142 char *scmd = NULL; 143 char *opts; /* The set of flags for cmd */ 144 int errflag = 0; /* We had an options parse error */ 145 char c; /* current getopts flag */ 146 ret_t (*action)(char *); /* Function pointer for the action */ 147 ret_t ret; 148 149 (void) setlocale(LC_ALL, ""); 150 #if !defined(TEXT_DOMAIN) /* Should be defiend by cc -D */ 151 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it weren't */ 152 #endif 153 (void) textdomain(TEXT_DOMAIN); 154 155 cryptodebug_init("elfsign"); 156 157 if (argc < MIN_ARGS) { 158 es_error(gettext("invalid number of arguments")); 159 usage(); 160 return (EXIT_INVALID_ARG); 161 } 162 163 scmd = argv[1]; 164 cmd_info.cert = NULL; 165 cmd_info.elfobj = NULL; 166 cmd_info.elfcnt = 0; 167 cmd_info.es_action = ES_GET; 168 cmd_info.ess = NULL; 169 cmd_info.extracnt = 0; 170 cmd_info.field = FLD_UNKNOWN; 171 cmd_info.internal_req = '\0'; 172 cmd_info.pinpath = NULL; 173 cmd_info.privpath = NULL; 174 cmd_info.token_label = NULL; 175 cmd_info.verbose = B_FALSE; 176 177 if (strcmp(scmd, SIGN) == 0) { 178 cmd_info.cmd = ES_SIGN; 179 opts = SIGN_OPTS; 180 cryptodebug("cmd=sign opts=%s", opts); 181 action = do_sign; 182 cmd_info.es_action = ES_UPDATE_RSA_SHA1; 183 } else if (strcmp(scmd, VERIFY) == 0) { 184 cmd_info.cmd = ES_VERIFY; 185 opts = VERIFY_OPTS; 186 cryptodebug("cmd=verify opts=%s", opts); 187 action = do_verify; 188 } else if (strcmp(scmd, REQUEST) == 0) { 189 cmd_info.cmd = ES_REQUEST; 190 opts = REQUEST_OPTS; 191 cryptodebug("cmd=request opts=%s", opts); 192 action = do_cert_request; 193 } else if (strcmp(scmd, LIST) == 0) { 194 cmd_info.cmd = ES_LIST; 195 opts = LIST_OPTS; 196 cryptodebug("cmd=list opts=%s", opts); 197 action = do_list; 198 } else { 199 es_error(gettext("Unknown sub-command: %s"), 200 scmd); 201 usage(); 202 return (EXIT_INVALID_ARG); 203 } 204 205 /* 206 * Note: There is no need to check that optarg isn't NULL 207 * because getopt does that for us. 208 */ 209 while (!errflag && (c = getopt(argc - 1, argv + 1, opts)) != EOF) { 210 if (strchr("ceFihkPTr", c) != NULL) 211 cryptodebug("c=%c, '%s'", c, optarg); 212 else 213 cryptodebug("c=%c", c); 214 215 switch (c) { 216 case 'c': 217 cmd_info.cert = optarg; 218 break; 219 case 'e': 220 cmd_info.elfcnt++; 221 cmd_info.elfobj = (char **)realloc(cmd_info.elfobj, 222 sizeof (char *) * cmd_info.elfcnt); 223 if (cmd_info.elfobj == NULL) { 224 es_error(gettext( 225 "Too many elf objects specified.")); 226 return (EXIT_INVALID_ARG); 227 } 228 cmd_info.elfobj[cmd_info.elfcnt - 1] = optarg; 229 break; 230 case 'f': 231 { 232 struct field_s *fp; 233 cmd_info.field = FLD_UNKNOWN; 234 for (fp = fields; fp->name != NULL; fp++) { 235 if (strcasecmp(optarg, fp->name) == 0) { 236 cmd_info.field = fp->field; 237 break; 238 } 239 } 240 if (cmd_info.field == FLD_UNKNOWN) { 241 cryptodebug("Invalid field option"); 242 errflag++; 243 } 244 } 245 break; 246 case 'F': 247 if (strcasecmp(optarg, ES_FMT_RSA_MD5_SHA1) == 0) 248 cmd_info.es_action = ES_UPDATE_RSA_MD5_SHA1; 249 else if (strcasecmp(optarg, ES_FMT_RSA_SHA1) == 0) 250 cmd_info.es_action = ES_UPDATE_RSA_SHA1; 251 else { 252 cryptodebug("Invalid format option"); 253 errflag++; 254 } 255 break; 256 case 'i': /* Undocumented internal Sun use only */ 257 cmd_info.internal_req = *optarg; 258 break; 259 case 'k': 260 cmd_info.privpath = optarg; 261 if (cmd_info.token_label != NULL || 262 cmd_info.pinpath != NULL) 263 errflag++; 264 break; 265 case 'P': 266 cmd_info.pinpath = optarg; 267 if (cmd_info.privpath != NULL) 268 errflag++; 269 break; 270 case 'r': 271 cmd_info.cert = optarg; 272 break; 273 case 'T': 274 cmd_info.token_label = optarg; 275 if (cmd_info.privpath != NULL) 276 errflag++; 277 break; 278 case 'v': 279 cmd_info.verbose = B_TRUE; 280 break; 281 default: 282 errflag++; 283 } 284 } 285 286 optind++; /* we skipped over subcommand */ 287 cmd_info.extracnt = argc - optind; 288 289 if (cmd_info.extracnt != 0 && 290 cmd_info.cmd != ES_SIGN && cmd_info.cmd != ES_VERIFY) { 291 cryptodebug("Extra arguments, optind=%d, argc=%d", 292 optind, argc); 293 errflag++; 294 } 295 296 switch (cmd_info.cmd) { 297 case ES_VERIFY: 298 if (cmd_info.elfcnt + argc - optind == 0) { 299 cryptodebug("Missing elfobj"); 300 errflag++; 301 } 302 break; 303 304 case ES_SIGN: 305 if (((cmd_info.privpath == NULL) && 306 (cmd_info.token_label == NULL)) || 307 (cmd_info.cert == NULL) || 308 (cmd_info.elfcnt + argc - optind == 0)) { 309 cryptodebug("Missing privpath|token_label/cert/elfobj"); 310 errflag++; 311 } 312 break; 313 314 case ES_REQUEST: 315 if (((cmd_info.privpath == NULL) && 316 (cmd_info.token_label == NULL)) || 317 (cmd_info.cert == NULL)) { 318 cryptodebug("Missing privpath|token_label/certreq"); 319 errflag++; 320 } 321 break; 322 case ES_LIST: 323 if ((cmd_info.cert != NULL) == (cmd_info.elfcnt > 0)) { 324 cryptodebug("Neither or both of cert/elfobj"); 325 errflag++; 326 } 327 break; 328 } 329 330 if (errflag) { 331 usage(); 332 return (EXIT_INVALID_ARG); 333 } 334 335 switch (cmd_info.cmd) { 336 case ES_REQUEST: 337 case ES_LIST: 338 ret = action(NULL); 339 break; 340 default: 341 { 342 int i; 343 ret_t iret; 344 345 ret = EXIT_OKAY; 346 iret = EXIT_OKAY; 347 for (i = 0; i < cmd_info.elfcnt && 348 (ret == EXIT_OKAY || cmd_info.cmd != ES_SIGN); i++) { 349 iret = action(cmd_info.elfobj[i]); 350 if (iret > ret) 351 ret = iret; 352 } 353 for (i = optind; i < argc && 354 (ret == EXIT_OKAY || cmd_info.cmd != ES_SIGN); i++) { 355 iret = action(argv[i]); 356 if (iret > ret) 357 ret = iret; 358 } 359 break; 360 } 361 } 362 363 if (cmd_info.elfobj != NULL) 364 free(cmd_info.elfobj); 365 366 return (ret); 367 } 368 369 370 static void 371 usage(void) 372 { 373 /* BEGIN CSTYLED */ 374 (void) fprintf(stderr, gettext( 375 "usage:\n" 376 "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n" 377 "\t\t[-F <format>] -k <private_key_file> [elf_object]..." 378 "\n" 379 "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n" 380 "\t\t[-F <format>] -T <token_label> [-P <pin_file>] [elf_object]..." 381 "\n\n" 382 "\telfsign verify [-v] [-c <certificate_file>] [-e <elf_object>]\n" 383 "\t\t[elf_object]..." 384 "\n\n" 385 "\telfsign request -r <certificate_request_file> -k <private_key_file>" 386 "\n" 387 "\telfsign request -r <certificate_request_file> -T <token_label>" 388 "\n\n" 389 "\telfsign list -f field -c <certificate_file>" 390 "\n" 391 "\telfsign list -f field -e <elf_object>" 392 "\n")); 393 /* END CSTYLED */ 394 } 395 396 static ret_t 397 getelfobj(char *elfpath) 398 { 399 ELFsign_status_t estatus; 400 ret_t ret = EXIT_SIGN_FAILED; 401 402 estatus = elfsign_begin(elfpath, cmd_info.es_action, &(cmd_info.ess)); 403 switch (estatus) { 404 case ELFSIGN_SUCCESS: 405 ret = EXIT_OKAY; 406 break; 407 case ELFSIGN_INVALID_ELFOBJ: 408 es_error(gettext( 409 "Unable to open %s as an ELF object."), 410 elfpath); 411 ret = EXIT_CANT_OPEN_ELF_OBJECT; 412 break; 413 default: 414 es_error(gettext("unexpected failure: %d"), estatus); 415 if (cmd_info.cmd == ES_SIGN) { 416 ret = EXIT_SIGN_FAILED; 417 } else if (cmd_info.cmd == ES_VERIFY) { 418 ret = EXIT_VERIFY_FAILED; 419 } 420 } 421 422 return (ret); 423 } 424 425 static ret_t 426 setcertpath(void) 427 { 428 ELFsign_status_t estatus; 429 ret_t ret = EXIT_SIGN_FAILED; 430 431 if (cmd_info.cert == NULL) 432 return (EXIT_OKAY); 433 estatus = elfsign_setcertpath(cmd_info.ess, cmd_info.cert); 434 switch (estatus) { 435 case ELFSIGN_SUCCESS: 436 ret = EXIT_OKAY; 437 break; 438 case ELFSIGN_INVALID_CERTPATH: 439 if (cmd_info.cert != NULL) { 440 es_error(gettext("Unable to open %s as a certificate."), 441 cmd_info.cert); 442 } 443 ret = EXIT_BAD_CERT; 444 break; 445 default: 446 es_error(gettext("unusable certificate: %s"), cmd_info.cert); 447 if (cmd_info.cmd == ES_SIGN) { 448 ret = EXIT_SIGN_FAILED; 449 } else if (cmd_info.cmd == ES_VERIFY) { 450 ret = EXIT_VERIFY_FAILED; 451 } 452 } 453 454 return (ret); 455 } 456 457 /* 458 * getpin - return pointer to token PIN in static storage 459 */ 460 static char * 461 getpin(void) 462 { 463 static char pinbuf[PASS_MAX + 1]; 464 char *pp; 465 FILE *pinfile; 466 467 if (cmd_info.pinpath == NULL) 468 return (getpassphrase( 469 gettext("Enter PIN for PKCS#11 token: "))); 470 if ((pinfile = fopen(cmd_info.pinpath, "r")) == NULL) { 471 es_error(gettext("failed to open %s."), 472 cmd_info.pinpath); 473 return (NULL); 474 } 475 476 pp = fgets(pinbuf, sizeof (pinbuf), pinfile); 477 (void) fclose(pinfile); 478 if (pp == NULL) { 479 es_error(gettext("failed to read PIN from %s."), 480 cmd_info.pinpath); 481 return (NULL); 482 } 483 pp = &pinbuf[strlen(pinbuf) - 1]; 484 if (*pp == '\n') 485 *pp = '\0'; 486 return (pinbuf); 487 } 488 489 /* 490 * Add the .SUNW_signature sections for the ELF signature 491 */ 492 static ret_t 493 do_sign(char *object) 494 { 495 ret_t ret; 496 ELFsign_status_t elfstat; 497 struct filesignatures *fssp = NULL; 498 size_t fs_len; 499 uchar_t sig[SIG_MAX_LENGTH]; 500 size_t sig_len = SIG_MAX_LENGTH; 501 uchar_t hash[SIG_MAX_LENGTH]; 502 size_t hash_len = SIG_MAX_LENGTH; 503 ELFCert_t cert = NULL; 504 char *dn; 505 size_t dn_len; 506 507 cryptodebug("do_sign"); 508 if ((ret = getelfobj(object)) != EXIT_OKAY) 509 return (ret); 510 511 if (cmd_info.token_label && 512 !elfcertlib_settoken(cmd_info.ess, cmd_info.token_label)) { 513 es_error(gettext("Unable to access token: %s"), 514 cmd_info.token_label); 515 ret = EXIT_SIGN_FAILED; 516 goto cleanup; 517 } 518 519 if ((ret = setcertpath()) != EXIT_OKAY) 520 goto cleanup; 521 522 if (!elfcertlib_getcert(cmd_info.ess, cmd_info.cert, NULL, &cert, 523 cmd_info.es_action)) { 524 es_error(gettext("Unable to load certificate: %s"), 525 cmd_info.cert); 526 ret = EXIT_BAD_CERT; 527 goto cleanup; 528 } 529 530 if (cmd_info.privpath != NULL) { 531 if (!elfcertlib_loadprivatekey(cmd_info.ess, cert, 532 cmd_info.privpath)) { 533 es_error(gettext("Unable to load private key: %s"), 534 cmd_info.privpath); 535 ret = EXIT_BAD_PRIVATEKEY; 536 goto cleanup; 537 } 538 } else { 539 char *pin = getpin(); 540 if (pin == NULL) { 541 es_error(gettext("Unable to get PIN")); 542 ret = EXIT_BAD_PRIVATEKEY; 543 goto cleanup; 544 } 545 if (!elfcertlib_loadtokenkey(cmd_info.ess, cert, 546 cmd_info.token_label, pin)) { 547 es_error(gettext("Unable to access private key " 548 "in token %s"), cmd_info.token_label); 549 ret = EXIT_BAD_PRIVATEKEY; 550 goto cleanup; 551 } 552 } 553 554 /* 555 * Get the DN from the certificate. 556 */ 557 if ((dn = elfcertlib_getdn(cert)) == NULL) { 558 es_error(gettext("Unable to find DN in certificate %s"), 559 cmd_info.cert); 560 ret = EXIT_SIGN_FAILED; 561 goto cleanup; 562 } 563 dn_len = strlen(dn); 564 cryptodebug("DN = %s", dn); 565 566 elfstat = elfsign_signatures(cmd_info.ess, &fssp, &fs_len, ES_GET); 567 if (elfstat != ELFSIGN_SUCCESS) { 568 if (elfstat != ELFSIGN_NOTSIGNED) { 569 es_error(gettext("Unable to retrieve existing " 570 "signature block in %s"), object); 571 ret = EXIT_SIGN_FAILED; 572 goto cleanup; 573 } 574 fssp = NULL; 575 /* 576 * force creation and naming of signature section 577 * so the hash doesn't change 578 */ 579 if (elfsign_signatures(cmd_info.ess, &fssp, &fs_len, 580 cmd_info.es_action) != ELFSIGN_SUCCESS) { 581 es_error(gettext("Unable to insert " 582 "signature block into %s"), object); 583 ret = EXIT_SIGN_FAILED; 584 goto cleanup; 585 } 586 } 587 588 bzero(hash, sizeof (hash)); 589 if (elfsign_hash(cmd_info.ess, hash, &hash_len) != ELFSIGN_SUCCESS) { 590 es_error(gettext("Unable to calculate hash of ELF object %s"), 591 object); 592 ret = EXIT_SIGN_FAILED; 593 goto cleanup; 594 } 595 596 bzero(sig, sizeof (sig)); 597 if (!elfcertlib_sign(cmd_info.ess, cert, 598 hash, hash_len, sig, &sig_len)) { 599 es_error(gettext("Unable to sign %s using key from %s"), 600 object, cmd_info.privpath ? 601 cmd_info.privpath : cmd_info.token_label); 602 ret = EXIT_SIGN_FAILED; 603 goto cleanup; 604 } 605 606 { /* DEBUG START */ 607 const int sigstr_len = sizeof (char) * sig_len * 2 + 1; 608 char *sigstr = malloc(sigstr_len); 609 610 tohexstr(sig, sig_len, sigstr, sigstr_len); 611 cryptodebug("sig value is: %s", sigstr); 612 free(sigstr); 613 } /* DEBUG END */ 614 615 fssp = elfsign_insert_dso(cmd_info.ess, fssp, 616 dn, dn_len, sig, sig_len, NULL, 0); 617 if (fssp == NULL) { 618 es_error(gettext("Unable to prepare signature for %s"), 619 object); 620 ret = EXIT_SIGN_FAILED; 621 goto cleanup; 622 } 623 if (elfsign_signatures(cmd_info.ess, &fssp, &fs_len, 624 cmd_info.es_action) != ELFSIGN_SUCCESS) { 625 es_error(gettext("Unable to update %s: with signature"), 626 object); 627 ret = EXIT_SIGN_FAILED; 628 goto cleanup; 629 } 630 if (cmd_info.verbose || (cmd_info.elfcnt + cmd_info.extracnt) > 1) { 631 (void) fprintf(stdout, 632 gettext("elfsign: %s signed successfully.\n"), 633 object); 634 } 635 if (cmd_info.verbose) { 636 struct ELFsign_sig_info *esip; 637 638 if (elfsign_sig_info(fssp, &esip)) { 639 sig_info_print(esip); 640 elfsign_sig_info_free(esip); 641 } 642 } 643 644 ret = EXIT_OKAY; 645 646 cleanup: 647 free(fssp); 648 bzero(sig, sig_len); 649 bzero(hash, hash_len); 650 651 if (cert != NULL) 652 elfcertlib_releasecert(cmd_info.ess, cert); 653 if (cmd_info.ess != NULL) 654 elfsign_end(cmd_info.ess); 655 656 return (ret); 657 } 658 659 /* 660 * Verify the signature of the object 661 * This subcommand is intended to be used by developers during their build 662 * processes. Therefore we can not assume that the certificate is in 663 * /etc/crypto/certs so we must use the path we got from the commandline. 664 */ 665 static ret_t 666 do_verify(char *object) 667 { 668 ELFsign_status_t res; 669 struct ELFsign_sig_info *esip; 670 ret_t retval; 671 672 cryptodebug("do_verify"); 673 if ((retval = getelfobj(object)) != EXIT_OKAY) 674 return (retval); 675 676 if ((retval = setcertpath()) != EXIT_OKAY) { 677 elfsign_end(cmd_info.ess); 678 return (retval); 679 } 680 681 res = elfsign_verify_signature(cmd_info.ess, &esip); 682 switch (res) { 683 case ELFSIGN_SUCCESS: 684 (void) fprintf(stdout, 685 gettext("elfsign: verification of %s passed.\n"), 686 object); 687 if (cmd_info.verbose) 688 sig_info_print(esip); 689 retval = EXIT_OKAY; 690 break; 691 case ELFSIGN_FAILED: 692 case ELFSIGN_INVALID_CERTPATH: 693 es_error(gettext("verification of %s failed."), 694 object); 695 if (cmd_info.verbose) 696 sig_info_print(esip); 697 retval = EXIT_VERIFY_FAILED; 698 break; 699 case ELFSIGN_NOTSIGNED: 700 es_error(gettext("no signature found in %s."), 701 object); 702 retval = EXIT_VERIFY_FAILED_UNSIGNED; 703 break; 704 default: 705 es_error(gettext("unexpected failure attempting verification " 706 "of %s."), object); 707 retval = EXIT_VERIFY_FAILED_UNSIGNED; 708 break; 709 } 710 711 if (esip != NULL) 712 elfsign_sig_info_free(esip); 713 if (cmd_info.ess != NULL) 714 elfsign_end(cmd_info.ess); 715 return (retval); 716 } 717 718 #define SET_VALUE(f, s) \ 719 kmfrv = f; \ 720 if (kmfrv != KMF_OK) { \ 721 char *e = NULL; \ 722 (void) kmf_get_kmf_error_str(kmfrv, &e); \ 723 cryptoerror(LOG_STDERR, \ 724 gettext("Failed to %s: %s\n"), \ 725 s, (e ? e : "unknown error")); \ 726 if (e) free(e); \ 727 goto cleanup; \ 728 } 729 730 static KMF_RETURN 731 create_csr(char *dn) 732 { 733 KMF_RETURN kmfrv = KMF_OK; 734 KMF_HANDLE_T kmfhandle = NULL; 735 KMF_KEY_HANDLE pubk, prik; 736 KMF_X509_NAME csrSubject; 737 KMF_CSR_DATA csr; 738 KMF_ALGORITHM_INDEX sigAlg = KMF_ALGID_MD5WithRSA; 739 KMF_DATA signedCsr = { 0, NULL }; 740 char *err; 741 KMF_ATTRIBUTE attrlist[16]; 742 KMF_ENCODE_FORMAT format; 743 KMF_KEYSTORE_TYPE kstype; 744 KMF_KEY_ALG keytype; 745 uint32_t keylength; 746 KMF_CREDENTIAL cred; 747 char *pin = NULL; 748 int numattr; 749 750 if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { 751 (void) kmf_get_kmf_error_str(kmfrv, &err); 752 cryptoerror(LOG_STDERR, 753 gettext("Error initializing KMF: %s\n"), 754 (err ? err : "unknown error")); 755 if (err) 756 free(err); 757 return (kmfrv); 758 } 759 (void) memset(&csr, 0, sizeof (csr)); 760 (void) memset(&csrSubject, 0, sizeof (csrSubject)); 761 762 if (cmd_info.privpath != NULL) { 763 kstype = KMF_KEYSTORE_OPENSSL; 764 format = KMF_FORMAT_ASN1; 765 } else { 766 boolean_t readonly; 767 /* args checking verified (cmd_info.token_label != NULL) */ 768 769 /* Get a PIN to store the private key in the token */ 770 pin = getpin(); 771 772 if (pin == NULL) { 773 (void) kmf_finalize(kmfhandle); 774 return (KMF_ERR_AUTH_FAILED); 775 } 776 777 kstype = KMF_KEYSTORE_PK11TOKEN; 778 readonly = B_FALSE; 779 780 numattr = 0; 781 kmf_set_attr_at_index(attrlist, numattr++, 782 KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); 783 kmf_set_attr_at_index(attrlist, numattr++, 784 KMF_TOKEN_LABEL_ATTR, cmd_info.token_label, 785 strlen(cmd_info.token_label)); 786 kmf_set_attr_at_index(attrlist, numattr++, 787 KMF_READONLY_ATTR, &readonly, sizeof (readonly)); 788 kmfrv = kmf_configure_keystore(kmfhandle, numattr, attrlist); 789 if (kmfrv != KMF_OK) { 790 goto cleanup; 791 } 792 } 793 794 /* Create the RSA keypair */ 795 keytype = KMF_RSA; 796 keylength = ES_DEFAULT_KEYSIZE; 797 (void) memset(&prik, 0, sizeof (prik)); 798 (void) memset(&pubk, 0, sizeof (pubk)); 799 800 numattr = 0; 801 kmf_set_attr_at_index(attrlist, numattr++, 802 KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype)); 803 kmf_set_attr_at_index(attrlist, numattr++, 804 KMF_KEYALG_ATTR, &keytype, sizeof (keytype)); 805 kmf_set_attr_at_index(attrlist, numattr++, 806 KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength)); 807 if (pin != NULL) { 808 cred.cred = pin; 809 cred.credlen = strlen(pin); 810 kmf_set_attr_at_index(attrlist, numattr++, 811 KMF_CREDENTIAL_ATTR, &cred, sizeof (KMF_CREDENTIAL)); 812 } 813 kmf_set_attr_at_index(attrlist, numattr++, 814 KMF_PRIVKEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE)); 815 kmf_set_attr_at_index(attrlist, numattr++, 816 KMF_PUBKEY_HANDLE_ATTR, &pubk, sizeof (KMF_KEY_HANDLE)); 817 if (kstype == KMF_KEYSTORE_OPENSSL) { 818 kmf_set_attr_at_index(attrlist, numattr++, 819 KMF_KEY_FILENAME_ATTR, cmd_info.privpath, 820 strlen(cmd_info.privpath)); 821 kmf_set_attr_at_index(attrlist, numattr++, 822 KMF_ENCODE_FORMAT_ATTR, &format, sizeof (format)); 823 } 824 825 kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); 826 if (kmfrv != KMF_OK) { 827 (void) kmf_get_kmf_error_str(kmfrv, &err); 828 cryptoerror(LOG_STDERR, 829 gettext("Create RSA keypair failed: %s"), 830 (err ? err : "unknown error")); 831 free(err); 832 goto cleanup; 833 } 834 835 kmfrv = kmf_dn_parser(dn, &csrSubject); 836 if (kmfrv != KMF_OK) { 837 (void) kmf_get_kmf_error_str(kmfrv, &err); 838 cryptoerror(LOG_STDERR, 839 gettext("Error parsing subject name: %s\n"), 840 (err ? err : "unknown error")); 841 free(err); 842 goto cleanup; 843 } 844 845 SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), "keypair"); 846 847 SET_VALUE(kmf_set_csr_version(&csr, 2), "version number"); 848 849 SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name"); 850 851 SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "SignatureAlgorithm"); 852 853 if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) == 854 KMF_OK) { 855 kmfrv = kmf_create_csr_file(&signedCsr, KMF_FORMAT_PEM, 856 cmd_info.cert); 857 } 858 859 cleanup: 860 (void) kmf_free_kmf_key(kmfhandle, &prik); 861 (void) kmf_free_data(&signedCsr); 862 (void) kmf_free_signed_csr(&csr); 863 (void) kmf_finalize(kmfhandle); 864 865 return (kmfrv); 866 } 867 868 869 #define CN_MAX_LENGTH 64 /* Verisign implementation limit */ 870 /* 871 * Generate a certificate request into the file named cmd_info.cert 872 */ 873 /*ARGSUSED*/ 874 static ret_t 875 do_cert_request(char *object) 876 { 877 const char PartnerDNFMT[] = 878 "CN=%s, " 879 "OU=Class B, " 880 "OU=Solaris Cryptographic Framework, " 881 "OU=Partner Object Signing, " 882 "O=Sun Microsystems Inc"; 883 const char SunCDNFMT[] = 884 "CN=%s, " 885 "OU=Class B, " 886 "OU=Solaris Cryptographic Framework, " 887 "OU=Corporate Object Signing, " 888 "O=Sun Microsystems Inc"; 889 const char SunSDNFMT[] = 890 "CN=%s, " 891 "OU=Class B, " 892 "OU=Solaris Signed Execution, " 893 "OU=Corporate Object Signing, " 894 "O=Sun Microsystems Inc"; 895 const char *dnfmt = NULL; 896 char cn[CN_MAX_LENGTH + 1]; 897 char *dn = NULL; 898 size_t dn_len; 899 KMF_RETURN kmfret; 900 cryptodebug("do_cert_request"); 901 902 /* 903 * Get the DN prefix from the user 904 */ 905 switch (cmd_info.internal_req) { 906 case 'c': 907 dnfmt = SunCDNFMT; 908 (void) fprintf(stdout, gettext( 909 "Enter Sun Microsystems, Inc. Release name.\n" 910 "This will be the prefix of the Certificate DN: ")); 911 break; 912 case 's': 913 dnfmt = SunSDNFMT; 914 (void) fprintf(stdout, gettext( 915 "Enter Sun Microsystems, Inc. Release name.\n" 916 "This will be the prefix of the Certificate DN: ")); 917 break; 918 default: 919 dnfmt = PartnerDNFMT; 920 (void) fprintf(stdout, gettext( 921 "Enter Company Name / Stock Symbol" 922 " or some other globally unique identifier.\n" 923 "This will be the prefix of the Certificate DN: ")); 924 break; 925 } 926 if ((fgets(cn, sizeof (cn), stdin) == NULL) || (cn[0] == '\n')) { 927 es_error(gettext("you must specify a Certificate DN prefix")); 928 return (EXIT_INVALID_ARG); 929 } 930 931 if (cn[strlen(cn) - 1] == '\n') { 932 cn[strlen(cn) - 1] = '\0'; /* chop trailing \n */ 933 } else { 934 es_error(gettext("You must specify a Certificate DN prefix " 935 "of no more than %d characters"), CN_MAX_LENGTH); 936 return (EXIT_INVALID_ARG); 937 } 938 939 /* Update DN string */ 940 dn_len = strlen(cn) + strlen(dnfmt); 941 dn = malloc(dn_len + 1); 942 (void) snprintf(dn, dn_len, dnfmt, cn); 943 944 cryptodebug("Generating Certificate request for DN: %s", dn); 945 kmfret = create_csr(dn); 946 free(dn); 947 if (kmfret == KMF_OK) 948 return (EXIT_OKAY); 949 else 950 return (EXIT_CSR_FAILED); 951 } 952 953 static void 954 str_print(char *s) 955 { 956 if (s == NULL) 957 return; 958 (void) fprintf(stdout, "%s\n", s); 959 } 960 961 /*ARGSUSED*/ 962 static ret_t 963 do_list(char *object) 964 { 965 ret_t retval; 966 967 if (cmd_info.elfcnt > 0) { 968 ELFsign_status_t elfstat; 969 struct filesignatures *fssp = NULL; 970 size_t fs_len; 971 struct ELFsign_sig_info *esip; 972 973 if ((retval = getelfobj(cmd_info.elfobj[0])) != EXIT_OKAY) 974 return (retval); 975 elfstat = elfsign_signatures(cmd_info.ess, 976 &fssp, &fs_len, ES_GET); 977 if (elfstat == ELFSIGN_SUCCESS) { 978 retval = EXIT_OKAY; 979 if (elfsign_sig_info(fssp, &esip)) { 980 switch (cmd_info.field) { 981 case FLD_FORMAT: 982 str_print(esip->esi_format); 983 break; 984 case FLD_SIGNER: 985 str_print(esip->esi_signer); 986 break; 987 case FLD_TIME: 988 if (esip->esi_time == 0) 989 retval = EXIT_INVALID_ARG; 990 else 991 str_print(time_str( 992 esip->esi_time)); 993 break; 994 default: 995 retval = EXIT_INVALID_ARG; 996 } 997 elfsign_sig_info_free(esip); 998 } 999 free(fssp); 1000 } else 1001 retval = EXIT_VERIFY_FAILED_UNSIGNED; 1002 elfsign_end(cmd_info.ess); 1003 } else { 1004 ELFCert_t cert; 1005 /* 1006 * Initialize the ESS record here even though we are not 1007 * actually opening any ELF files. 1008 */ 1009 if (elfsign_begin(NULL, ES_GET, &(cmd_info.ess)) != 1010 ELFSIGN_SUCCESS) 1011 return (EXIT_MEMORY_ERROR); 1012 1013 if (elfcertlib_getcert(cmd_info.ess, cmd_info.cert, NULL, 1014 &cert, cmd_info.es_action)) { 1015 retval = EXIT_OKAY; 1016 switch (cmd_info.field) { 1017 case FLD_SUBJECT: 1018 str_print(elfcertlib_getdn(cert)); 1019 break; 1020 case FLD_ISSUER: 1021 str_print(elfcertlib_getissuer(cert)); 1022 break; 1023 default: 1024 retval = EXIT_INVALID_ARG; 1025 } 1026 elfcertlib_releasecert(cmd_info.ess, cert); 1027 } else 1028 retval = EXIT_BAD_CERT; 1029 elfsign_end(cmd_info.ess); 1030 } 1031 1032 return (retval); 1033 } 1034 1035 static void 1036 es_error(const char *fmt, ...) 1037 { 1038 char msgbuf[BUFSIZ]; 1039 va_list args; 1040 1041 va_start(args, fmt); 1042 (void) vsnprintf(msgbuf, sizeof (msgbuf), fmt, args); 1043 va_end(args); 1044 (void) fflush(stdout); 1045 cryptoerror(LOG_STDERR, "%s", msgbuf); 1046 (void) fflush(stderr); 1047 } 1048 1049 static char * 1050 time_str(time_t t) 1051 { 1052 static char buf[80]; 1053 char *bufp; 1054 1055 bufp = buf; 1056 if (strftime(buf, sizeof (buf), NULL, localtime(&t)) == 0) 1057 bufp = ctime(&t); 1058 return (bufp); 1059 } 1060 1061 static void 1062 sig_info_print(struct ELFsign_sig_info *esip) 1063 { 1064 if (esip == NULL) 1065 return; 1066 (void) fprintf(stdout, gettext("format: %s.\n"), esip->esi_format); 1067 (void) fprintf(stdout, gettext("signer: %s.\n"), esip->esi_signer); 1068 if (esip->esi_time == 0) 1069 return; 1070 (void) fprintf(stdout, gettext("signed on: %s.\n"), 1071 time_str(esip->esi_time)); 1072 } 1073