xref: /illumos-gate/usr/src/cmd/cmd-crypto/elfsign/elfsign.c (revision 5422785d352a2bb398daceab3d1898a8aa64d006)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * Developer command for adding the signature section to an ELF object
28  * PSARC 2001/488
29  *
30  * DEBUG Information:
31  * This command uses the cryptodebug() function from libcryptoutil.
32  * Set SUNW_CRYPTO_DEBUG to stderr or syslog for all debug to go to auth.debug
33  */
34 
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <stdarg.h>
38 #include <limits.h>
39 #include <time.h>
40 #include <unistd.h>
41 #include <sys/types.h>
42 #include <sys/stat.h>
43 #include <fcntl.h>
44 #include <libintl.h>
45 #include <locale.h>
46 #include <errno.h>
47 #include <strings.h>
48 
49 #include <cryptoutil.h>
50 #include <sys/crypto/elfsign.h>
51 #include <libelfsign.h>
52 
53 #include <kmfapi.h>
54 
55 #define	SIGN		"sign"
56 #define	SIGN_OPTS	"c:e:F:k:P:T:v"
57 #define	VERIFY		"verify"
58 #define	VERIFY_OPTS	"c:e:v"
59 #define	REQUEST		"request"
60 #define	REQUEST_OPTS	"i:k:r:T:"
61 #define	LIST		"list"
62 #define	LIST_OPTS	"c:e:f:"
63 
64 enum cmd_e {
65 	ES_SIGN,
66 	ES_VERIFY,
67 	ES_REQUEST,
68 	ES_LIST
69 };
70 
71 enum field_e {
72 	FLD_UNKNOWN,
73 	FLD_SUBJECT,
74 	FLD_ISSUER,
75 	FLD_FORMAT,
76 	FLD_SIGNER,
77 	FLD_TIME
78 };
79 
80 #define	MIN_ARGS	3	/* The minimum # args to do anything */
81 #define	ES_DEFAULT_KEYSIZE 1024
82 
83 static struct {
84 	enum cmd_e	cmd;	/* sub command: sign | verify | request */
85 	char	*cert;		/* -c <certificate_file> | */
86 				/* -r <certificate_request_file> */
87 	char	**elfobj;	/* -e <elf_object> */
88 	int	elfcnt;
89 	enum ES_ACTION	es_action;
90 	ELFsign_t	ess;	/* libelfsign opaque "state" */
91 	int	extracnt;
92 	enum field_e	field;	/* -f <field> */
93 	char internal_req;	/* Sun internal certificate request */
94 	char	*pinpath;	/* -P <pin> */
95 	char	*privpath;	/* -k <private_key> */
96 	char	*token_label;	/* -T <token_label> */
97 	boolean_t verbose;	/* chatty output */
98 } cmd_info;
99 
100 enum ret_e {
101 	EXIT_OKAY,
102 	EXIT_INVALID_ARG,
103 	EXIT_VERIFY_FAILED,
104 	EXIT_CANT_OPEN_ELF_OBJECT,
105 	EXIT_BAD_CERT,
106 	EXIT_BAD_PRIVATEKEY,
107 	EXIT_SIGN_FAILED,
108 	EXIT_VERIFY_FAILED_UNSIGNED,
109 	EXIT_CSR_FAILED,
110 	EXIT_MEMORY_ERROR
111 };
112 
113 struct field_s {
114 	char	*name;
115 	enum field_e	field;
116 } fields[] = {
117 	{ "subject", FLD_SUBJECT },
118 	{ "issuer", FLD_ISSUER },
119 	{ "format", FLD_FORMAT },
120 	{ "signer", FLD_SIGNER },
121 	{ "time", FLD_TIME },
122 	NULL, 0
123 };
124 
125 typedef enum ret_e ret_t;
126 
127 static void usage(void);
128 static ret_t getelfobj(char *);
129 static char *getpin(void);
130 static ret_t do_sign(char *);
131 static ret_t do_verify(char *);
132 static ret_t do_cert_request(char *);
133 static ret_t do_list(char *);
134 static void es_error(const char *fmt, ...);
135 static char *time_str(time_t t);
136 static void sig_info_print(struct ELFsign_sig_info *esip);
137 
138 int
139 main(int argc, char **argv)
140 {
141 	extern char *optarg;
142 	char *scmd = NULL;
143 	char *opts;		/* The set of flags for cmd */
144 	int errflag = 0;	/* We had an options parse error */
145 	char c;			/* current getopts flag */
146 	ret_t (*action)(char *);	/* Function pointer for the action */
147 	ret_t ret;
148 
149 	(void) setlocale(LC_ALL, "");
150 #if !defined(TEXT_DOMAIN)	/* Should be defiend by cc -D */
151 #define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it weren't */
152 #endif
153 	(void) textdomain(TEXT_DOMAIN);
154 
155 	cryptodebug_init("elfsign");
156 
157 	if (argc < MIN_ARGS) {
158 		es_error(gettext("invalid number of arguments"));
159 		usage();
160 		return (EXIT_INVALID_ARG);
161 	}
162 
163 	scmd = argv[1];
164 	cmd_info.cert = NULL;
165 	cmd_info.elfobj = NULL;
166 	cmd_info.elfcnt = 0;
167 	cmd_info.es_action = ES_GET;
168 	cmd_info.ess = NULL;
169 	cmd_info.extracnt = 0;
170 	cmd_info.field = FLD_UNKNOWN;
171 	cmd_info.internal_req = '\0';
172 	cmd_info.pinpath = NULL;
173 	cmd_info.privpath = NULL;
174 	cmd_info.token_label = NULL;
175 	cmd_info.verbose = B_FALSE;
176 
177 	if (strcmp(scmd, SIGN) == 0) {
178 		cmd_info.cmd = ES_SIGN;
179 		opts = SIGN_OPTS;
180 		cryptodebug("cmd=sign opts=%s", opts);
181 		action = do_sign;
182 		cmd_info.es_action = ES_UPDATE_RSA_SHA1;
183 	} else if (strcmp(scmd, VERIFY) == 0) {
184 		cmd_info.cmd = ES_VERIFY;
185 		opts = VERIFY_OPTS;
186 		cryptodebug("cmd=verify opts=%s", opts);
187 		action = do_verify;
188 	} else if (strcmp(scmd, REQUEST) == 0) {
189 		cmd_info.cmd = ES_REQUEST;
190 		opts = REQUEST_OPTS;
191 		cryptodebug("cmd=request opts=%s", opts);
192 		action = do_cert_request;
193 	} else if (strcmp(scmd, LIST) == 0) {
194 		cmd_info.cmd = ES_LIST;
195 		opts = LIST_OPTS;
196 		cryptodebug("cmd=list opts=%s", opts);
197 		action = do_list;
198 	} else {
199 		es_error(gettext("Unknown sub-command: %s"),
200 		    scmd);
201 		usage();
202 		return (EXIT_INVALID_ARG);
203 	}
204 
205 	/*
206 	 * Note:  There is no need to check that optarg isn't NULL
207 	 *	  because getopt does that for us.
208 	 */
209 	while (!errflag && (c = getopt(argc - 1, argv + 1, opts)) != EOF) {
210 		if (strchr("ceFihkPTr", c) != NULL)
211 			cryptodebug("c=%c, '%s'", c, optarg);
212 		else
213 			cryptodebug("c=%c", c);
214 
215 		switch (c) {
216 		case 'c':
217 			cmd_info.cert = optarg;
218 			break;
219 		case 'e':
220 			cmd_info.elfcnt++;
221 			cmd_info.elfobj = (char **)realloc(cmd_info.elfobj,
222 			    sizeof (char *) * cmd_info.elfcnt);
223 			if (cmd_info.elfobj == NULL) {
224 				es_error(gettext(
225 				    "Too many elf objects specified."));
226 				return (EXIT_INVALID_ARG);
227 			}
228 			cmd_info.elfobj[cmd_info.elfcnt - 1] = optarg;
229 			break;
230 		case 'f':
231 			{
232 				struct field_s	*fp;
233 				cmd_info.field = FLD_UNKNOWN;
234 				for (fp = fields; fp->name != NULL; fp++) {
235 					if (strcasecmp(optarg, fp->name) == 0) {
236 						cmd_info.field = fp->field;
237 						break;
238 					}
239 				}
240 				if (cmd_info.field == FLD_UNKNOWN) {
241 					cryptodebug("Invalid field option");
242 					errflag++;
243 				}
244 			}
245 			break;
246 		case 'F':
247 			if (strcasecmp(optarg, ES_FMT_RSA_MD5_SHA1) == 0)
248 				cmd_info.es_action = ES_UPDATE_RSA_MD5_SHA1;
249 			else if (strcasecmp(optarg, ES_FMT_RSA_SHA1) == 0)
250 				cmd_info.es_action = ES_UPDATE_RSA_SHA1;
251 			else {
252 				cryptodebug("Invalid format option");
253 				errflag++;
254 			}
255 			break;
256 		case 'i':	 /* Undocumented internal Sun use only */
257 			cmd_info.internal_req = *optarg;
258 			break;
259 		case 'k':
260 			cmd_info.privpath = optarg;
261 			if (cmd_info.token_label != NULL ||
262 			    cmd_info.pinpath != NULL)
263 				errflag++;
264 			break;
265 		case 'P':
266 			cmd_info.pinpath = optarg;
267 			if (cmd_info.privpath != NULL)
268 				errflag++;
269 			break;
270 		case 'r':
271 			cmd_info.cert = optarg;
272 			break;
273 		case 'T':
274 			cmd_info.token_label = optarg;
275 			if (cmd_info.privpath != NULL)
276 				errflag++;
277 			break;
278 		case 'v':
279 			cmd_info.verbose = B_TRUE;
280 			break;
281 		default:
282 			errflag++;
283 		}
284 	}
285 
286 	optind++;	/* we skipped over subcommand */
287 	cmd_info.extracnt = argc - optind;
288 
289 	if (cmd_info.extracnt != 0 &&
290 	    cmd_info.cmd != ES_SIGN && cmd_info.cmd != ES_VERIFY) {
291 		cryptodebug("Extra arguments, optind=%d, argc=%d",
292 		    optind, argc);
293 		errflag++;
294 	}
295 
296 	switch (cmd_info.cmd) {
297 	case ES_VERIFY:
298 		if (cmd_info.elfcnt + argc - optind == 0) {
299 			cryptodebug("Missing elfobj");
300 			errflag++;
301 		}
302 		break;
303 
304 	case ES_SIGN:
305 		if (((cmd_info.privpath == NULL) &&
306 		    (cmd_info.token_label == NULL)) ||
307 		    (cmd_info.cert == NULL) ||
308 		    (cmd_info.elfcnt + argc - optind == 0)) {
309 			cryptodebug("Missing privpath|token_label/cert/elfobj");
310 			errflag++;
311 		}
312 		break;
313 
314 	case ES_REQUEST:
315 		if (((cmd_info.privpath == NULL) &&
316 		    (cmd_info.token_label == NULL)) ||
317 		    (cmd_info.cert == NULL)) {
318 			cryptodebug("Missing privpath|token_label/certreq");
319 			errflag++;
320 		}
321 		break;
322 	case ES_LIST:
323 		if ((cmd_info.cert != NULL) == (cmd_info.elfcnt > 0)) {
324 			cryptodebug("Neither or both of cert/elfobj");
325 			errflag++;
326 		}
327 		break;
328 	}
329 
330 	if (errflag) {
331 		usage();
332 		return (EXIT_INVALID_ARG);
333 	}
334 
335 	switch (cmd_info.cmd) {
336 	case ES_REQUEST:
337 	case ES_LIST:
338 		ret = action(NULL);
339 		break;
340 	default:
341 		{
342 		int i;
343 		ret_t	iret;
344 
345 		ret = EXIT_OKAY;
346 		iret = EXIT_OKAY;
347 		for (i = 0; i < cmd_info.elfcnt &&
348 		    (ret == EXIT_OKAY || cmd_info.cmd != ES_SIGN); i++) {
349 			iret = action(cmd_info.elfobj[i]);
350 			if (iret > ret)
351 				ret = iret;
352 		}
353 		for (i = optind; i < argc &&
354 		    (ret == EXIT_OKAY || cmd_info.cmd != ES_SIGN); i++) {
355 			iret = action(argv[i]);
356 			if (iret > ret)
357 				ret = iret;
358 		}
359 		break;
360 		}
361 	}
362 
363 	if (cmd_info.elfobj != NULL)
364 		free(cmd_info.elfobj);
365 
366 	return (ret);
367 }
368 
369 
370 static void
371 usage(void)
372 {
373 /* BEGIN CSTYLED */
374 	(void) fprintf(stderr, gettext(
375  "usage:\n"
376  "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n"
377  "\t\t[-F <format>] -k <private_key_file> [elf_object]..."
378  "\n"
379  "\telfsign sign [-v] [-e <elf_object>] -c <certificate_file>\n"
380  "\t\t[-F <format>] -T <token_label> [-P <pin_file>] [elf_object]..."
381  "\n\n"
382  "\telfsign verify [-v] [-c <certificate_file>] [-e <elf_object>]\n"
383  "\t\t[elf_object]..."
384  "\n\n"
385  "\telfsign request -r <certificate_request_file> -k <private_key_file>"
386  "\n"
387  "\telfsign request -r <certificate_request_file> -T <token_label>"
388  "\n\n"
389  "\telfsign list -f field -c <certificate_file>"
390  "\n"
391  "\telfsign list -f field -e <elf_object>"
392  "\n"));
393 /* END CSTYLED */
394 }
395 
396 static ret_t
397 getelfobj(char *elfpath)
398 {
399 	ELFsign_status_t estatus;
400 	ret_t	ret = EXIT_SIGN_FAILED;
401 
402 	estatus = elfsign_begin(elfpath, cmd_info.es_action, &(cmd_info.ess));
403 	switch (estatus) {
404 	case ELFSIGN_SUCCESS:
405 		ret = EXIT_OKAY;
406 		break;
407 	case ELFSIGN_INVALID_ELFOBJ:
408 		es_error(gettext(
409 		    "Unable to open %s as an ELF object."),
410 		    elfpath);
411 		ret = EXIT_CANT_OPEN_ELF_OBJECT;
412 		break;
413 	default:
414 		es_error(gettext("unexpected failure: %d"), estatus);
415 		if (cmd_info.cmd == ES_SIGN) {
416 			ret = EXIT_SIGN_FAILED;
417 		} else if (cmd_info.cmd == ES_VERIFY) {
418 			ret = EXIT_VERIFY_FAILED;
419 		}
420 	}
421 
422 	return (ret);
423 }
424 
425 static ret_t
426 setcertpath(void)
427 {
428 	ELFsign_status_t estatus;
429 	ret_t	ret = EXIT_SIGN_FAILED;
430 
431 	if (cmd_info.cert == NULL)
432 		return (EXIT_OKAY);
433 	estatus = elfsign_setcertpath(cmd_info.ess, cmd_info.cert);
434 	switch (estatus) {
435 	case ELFSIGN_SUCCESS:
436 		ret = EXIT_OKAY;
437 		break;
438 	case ELFSIGN_INVALID_CERTPATH:
439 		if (cmd_info.cert != NULL) {
440 			es_error(gettext("Unable to open %s as a certificate."),
441 			    cmd_info.cert);
442 		}
443 		ret = EXIT_BAD_CERT;
444 		break;
445 	default:
446 		es_error(gettext("unusable certificate: %s"), cmd_info.cert);
447 		if (cmd_info.cmd == ES_SIGN) {
448 			ret = EXIT_SIGN_FAILED;
449 		} else if (cmd_info.cmd == ES_VERIFY) {
450 			ret = EXIT_VERIFY_FAILED;
451 		}
452 	}
453 
454 	return (ret);
455 }
456 
457 /*
458  * getpin - return pointer to token PIN in static storage
459  */
460 static char *
461 getpin(void)
462 {
463 	static char	pinbuf[PASS_MAX + 1];
464 	char	*pp;
465 	FILE	*pinfile;
466 
467 	if (cmd_info.pinpath == NULL)
468 		return (getpassphrase(
469 		    gettext("Enter PIN for PKCS#11 token: ")));
470 	if ((pinfile = fopen(cmd_info.pinpath, "r")) == NULL) {
471 		es_error(gettext("failed to open %s."),
472 		    cmd_info.pinpath);
473 		return (NULL);
474 	}
475 
476 	pp = fgets(pinbuf, sizeof (pinbuf), pinfile);
477 	(void) fclose(pinfile);
478 	if (pp == NULL) {
479 		es_error(gettext("failed to read PIN from %s."),
480 		    cmd_info.pinpath);
481 		return (NULL);
482 	}
483 	pp = &pinbuf[strlen(pinbuf) - 1];
484 	if (*pp == '\n')
485 		*pp = '\0';
486 	return (pinbuf);
487 }
488 
489 /*
490  * Add the .SUNW_signature sections for the ELF signature
491  */
492 static ret_t
493 do_sign(char *object)
494 {
495 	ret_t 	ret;
496 	ELFsign_status_t	elfstat;
497 	struct filesignatures	*fssp = NULL;
498 	size_t fs_len;
499 	uchar_t sig[SIG_MAX_LENGTH];
500 	size_t	sig_len = SIG_MAX_LENGTH;
501 	uchar_t	hash[SIG_MAX_LENGTH];
502 	size_t	hash_len = SIG_MAX_LENGTH;
503 	ELFCert_t	cert = NULL;
504 	char	*dn;
505 	size_t	dn_len;
506 
507 	cryptodebug("do_sign");
508 	if ((ret = getelfobj(object)) != EXIT_OKAY)
509 		return (ret);
510 
511 	if (cmd_info.token_label &&
512 	    !elfcertlib_settoken(cmd_info.ess, cmd_info.token_label)) {
513 		es_error(gettext("Unable to access token: %s"),
514 		    cmd_info.token_label);
515 		ret = EXIT_SIGN_FAILED;
516 		goto cleanup;
517 	}
518 
519 	if ((ret = setcertpath()) != EXIT_OKAY)
520 		goto cleanup;
521 
522 	if (!elfcertlib_getcert(cmd_info.ess, cmd_info.cert, NULL, &cert,
523 	    cmd_info.es_action)) {
524 		es_error(gettext("Unable to load certificate: %s"),
525 		    cmd_info.cert);
526 		ret = EXIT_BAD_CERT;
527 		goto cleanup;
528 	}
529 
530 	if (cmd_info.privpath != NULL) {
531 		if (!elfcertlib_loadprivatekey(cmd_info.ess, cert,
532 		    cmd_info.privpath)) {
533 			es_error(gettext("Unable to load private key: %s"),
534 			    cmd_info.privpath);
535 			ret = EXIT_BAD_PRIVATEKEY;
536 			goto cleanup;
537 		}
538 	} else {
539 		char *pin = getpin();
540 		if (pin == NULL) {
541 			es_error(gettext("Unable to get PIN"));
542 			ret = EXIT_BAD_PRIVATEKEY;
543 			goto cleanup;
544 		}
545 		if (!elfcertlib_loadtokenkey(cmd_info.ess, cert,
546 		    cmd_info.token_label, pin)) {
547 			es_error(gettext("Unable to access private key "
548 			    "in token %s"), cmd_info.token_label);
549 			ret = EXIT_BAD_PRIVATEKEY;
550 			goto cleanup;
551 		}
552 	}
553 
554 	/*
555 	 * Get the DN from the certificate.
556 	 */
557 	if ((dn = elfcertlib_getdn(cert)) == NULL) {
558 		es_error(gettext("Unable to find DN in certificate %s"),
559 		    cmd_info.cert);
560 		ret = EXIT_SIGN_FAILED;
561 		goto cleanup;
562 	}
563 	dn_len = strlen(dn);
564 	cryptodebug("DN = %s", dn);
565 
566 	elfstat = elfsign_signatures(cmd_info.ess, &fssp, &fs_len, ES_GET);
567 	if (elfstat != ELFSIGN_SUCCESS) {
568 		if (elfstat != ELFSIGN_NOTSIGNED) {
569 			es_error(gettext("Unable to retrieve existing "
570 			    "signature block in %s"), object);
571 			ret = EXIT_SIGN_FAILED;
572 			goto cleanup;
573 		}
574 		fssp = NULL;
575 		/*
576 		 * force creation and naming of signature section
577 		 * so the hash doesn't change
578 		 */
579 		if (elfsign_signatures(cmd_info.ess, &fssp, &fs_len,
580 		    cmd_info.es_action) != ELFSIGN_SUCCESS) {
581 			es_error(gettext("Unable to insert "
582 			    "signature block into %s"), object);
583 			ret = EXIT_SIGN_FAILED;
584 			goto cleanup;
585 		}
586 	}
587 
588 	bzero(hash, sizeof (hash));
589 	if (elfsign_hash(cmd_info.ess, hash, &hash_len) != ELFSIGN_SUCCESS) {
590 		es_error(gettext("Unable to calculate hash of ELF object %s"),
591 		    object);
592 		ret = EXIT_SIGN_FAILED;
593 		goto cleanup;
594 	}
595 
596 	bzero(sig, sizeof (sig));
597 	if (!elfcertlib_sign(cmd_info.ess, cert,
598 	    hash, hash_len, sig, &sig_len)) {
599 		es_error(gettext("Unable to sign %s using key from %s"),
600 		    object, cmd_info.privpath ?
601 		    cmd_info.privpath : cmd_info.token_label);
602 		ret = EXIT_SIGN_FAILED;
603 		goto cleanup;
604 	}
605 
606 	{ /* DEBUG START */
607 		const int sigstr_len = sizeof (char) * sig_len * 2 + 1;
608 		char *sigstr = malloc(sigstr_len);
609 
610 		tohexstr(sig, sig_len, sigstr, sigstr_len);
611 		cryptodebug("sig value is: %s", sigstr);
612 		free(sigstr);
613 	} /* DEBUG END */
614 
615 	fssp = elfsign_insert_dso(cmd_info.ess, fssp,
616 	    dn, dn_len, sig, sig_len, NULL, 0);
617 	if (fssp == NULL) {
618 		es_error(gettext("Unable to prepare signature for %s"),
619 		    object);
620 		ret = EXIT_SIGN_FAILED;
621 		goto cleanup;
622 	}
623 	if (elfsign_signatures(cmd_info.ess, &fssp, &fs_len,
624 	    cmd_info.es_action) != ELFSIGN_SUCCESS) {
625 		es_error(gettext("Unable to update %s: with signature"),
626 		    object);
627 		ret = EXIT_SIGN_FAILED;
628 		goto cleanup;
629 	}
630 	if (cmd_info.verbose || (cmd_info.elfcnt + cmd_info.extracnt) > 1) {
631 		(void) fprintf(stdout,
632 		    gettext("elfsign: %s signed successfully.\n"),
633 		    object);
634 	}
635 	if (cmd_info.verbose) {
636 		struct ELFsign_sig_info *esip;
637 
638 		if (elfsign_sig_info(fssp, &esip)) {
639 			sig_info_print(esip);
640 			elfsign_sig_info_free(esip);
641 		}
642 	}
643 
644 	ret = EXIT_OKAY;
645 
646 cleanup:
647 	free(fssp);
648 	bzero(sig, sig_len);
649 	bzero(hash, hash_len);
650 
651 	if (cert != NULL)
652 		elfcertlib_releasecert(cmd_info.ess, cert);
653 	if (cmd_info.ess != NULL)
654 		elfsign_end(cmd_info.ess);
655 
656 	return (ret);
657 }
658 
659 /*
660  * Verify the signature of the object
661  * This subcommand is intended to be used by developers during their build
662  * processes.  Therefore we can not assume that the certificate is in
663  * /etc/crypto/certs so we must use the path we got from the commandline.
664  */
665 static ret_t
666 do_verify(char *object)
667 {
668 	ELFsign_status_t res;
669 	struct ELFsign_sig_info	*esip;
670 	ret_t	retval;
671 
672 	cryptodebug("do_verify");
673 	if ((retval = getelfobj(object)) != EXIT_OKAY)
674 		return (retval);
675 
676 	if ((retval = setcertpath()) != EXIT_OKAY) {
677 		elfsign_end(cmd_info.ess);
678 		return (retval);
679 	}
680 
681 	res = elfsign_verify_signature(cmd_info.ess, &esip);
682 	switch (res) {
683 	case ELFSIGN_SUCCESS:
684 		(void) fprintf(stdout,
685 		    gettext("elfsign: verification of %s passed.\n"),
686 		    object);
687 		if (cmd_info.verbose)
688 			sig_info_print(esip);
689 		retval = EXIT_OKAY;
690 		break;
691 	case ELFSIGN_FAILED:
692 	case ELFSIGN_INVALID_CERTPATH:
693 		es_error(gettext("verification of %s failed."),
694 		    object);
695 		if (cmd_info.verbose)
696 			sig_info_print(esip);
697 		retval = EXIT_VERIFY_FAILED;
698 		break;
699 	case ELFSIGN_NOTSIGNED:
700 		es_error(gettext("no signature found in %s."),
701 		    object);
702 		retval = EXIT_VERIFY_FAILED_UNSIGNED;
703 		break;
704 	default:
705 		es_error(gettext("unexpected failure attempting verification "
706 		    "of %s."), object);
707 		retval = EXIT_VERIFY_FAILED_UNSIGNED;
708 		break;
709 	}
710 
711 	if (esip != NULL)
712 		elfsign_sig_info_free(esip);
713 	if (cmd_info.ess != NULL)
714 		elfsign_end(cmd_info.ess);
715 	return (retval);
716 }
717 
718 #define	SET_VALUE(f, s) \
719 	kmfrv = f; \
720 	if (kmfrv != KMF_OK) { \
721 		char *e = NULL; \
722 		(void) kmf_get_kmf_error_str(kmfrv, &e); \
723 		cryptoerror(LOG_STDERR, \
724 			gettext("Failed to %s: %s\n"), \
725 			s, (e ? e : "unknown error")); \
726 		if (e) free(e); \
727 		goto cleanup; \
728 	}
729 
730 static KMF_RETURN
731 create_csr(char *dn)
732 {
733 	KMF_RETURN kmfrv = KMF_OK;
734 	KMF_HANDLE_T kmfhandle = NULL;
735 	KMF_KEY_HANDLE pubk, prik;
736 	KMF_X509_NAME csrSubject;
737 	KMF_CSR_DATA csr;
738 	KMF_ALGORITHM_INDEX sigAlg = KMF_ALGID_MD5WithRSA;
739 	KMF_DATA signedCsr = { NULL, 0 };
740 	char *err;
741 	KMF_ATTRIBUTE	attrlist[16];
742 	KMF_ENCODE_FORMAT	format;
743 	KMF_KEYSTORE_TYPE	kstype;
744 	KMF_KEY_ALG	keytype;
745 	uint32_t	keylength;
746 	KMF_CREDENTIAL	cred;
747 	char	*pin = NULL;
748 	int	numattr;
749 
750 	if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
751 		(void) kmf_get_kmf_error_str(kmfrv, &err);
752 		cryptoerror(LOG_STDERR,
753 		    gettext("Error initializing KMF: %s\n"),
754 		    (err ? err : "unknown error"));
755 		if (err)
756 			free(err);
757 		return (kmfrv);
758 	}
759 	(void) memset(&csr, 0, sizeof (csr));
760 	(void) memset(&csrSubject, 0, sizeof (csrSubject));
761 
762 	if (cmd_info.privpath != NULL) {
763 		kstype = KMF_KEYSTORE_OPENSSL;
764 		format = KMF_FORMAT_ASN1;
765 	} else {
766 		boolean_t	readonly;
767 		/* args checking verified (cmd_info.token_label != NULL) */
768 
769 		/* Get a PIN to store the private key in the token */
770 		pin = getpin();
771 
772 		if (pin == NULL) {
773 			(void) kmf_finalize(kmfhandle);
774 			return (KMF_ERR_AUTH_FAILED);
775 		}
776 
777 		kstype = KMF_KEYSTORE_PK11TOKEN;
778 		readonly = B_FALSE;
779 
780 		numattr = 0;
781 		kmf_set_attr_at_index(attrlist, numattr++,
782 		    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
783 		kmf_set_attr_at_index(attrlist, numattr++,
784 		    KMF_TOKEN_LABEL_ATTR, cmd_info.token_label,
785 		    strlen(cmd_info.token_label));
786 		kmf_set_attr_at_index(attrlist, numattr++,
787 		    KMF_READONLY_ATTR, &readonly, sizeof (readonly));
788 		kmfrv = kmf_configure_keystore(kmfhandle, numattr, attrlist);
789 		if (kmfrv != KMF_OK) {
790 			goto cleanup;
791 		}
792 	}
793 
794 	/* Create the RSA keypair */
795 	keytype = KMF_RSA;
796 	keylength = ES_DEFAULT_KEYSIZE;
797 	(void) memset(&prik, 0, sizeof (prik));
798 	(void) memset(&pubk, 0, sizeof (pubk));
799 
800 	numattr = 0;
801 	kmf_set_attr_at_index(attrlist, numattr++,
802 	    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
803 	kmf_set_attr_at_index(attrlist, numattr++,
804 	    KMF_KEYALG_ATTR, &keytype, sizeof (keytype));
805 	kmf_set_attr_at_index(attrlist, numattr++,
806 	    KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength));
807 	if (pin != NULL) {
808 		cred.cred = pin;
809 		cred.credlen = strlen(pin);
810 		kmf_set_attr_at_index(attrlist, numattr++,
811 		    KMF_CREDENTIAL_ATTR, &cred, sizeof (KMF_CREDENTIAL));
812 	}
813 	kmf_set_attr_at_index(attrlist, numattr++,
814 	    KMF_PRIVKEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
815 	kmf_set_attr_at_index(attrlist, numattr++,
816 	    KMF_PUBKEY_HANDLE_ATTR, &pubk, sizeof (KMF_KEY_HANDLE));
817 	if (kstype == KMF_KEYSTORE_OPENSSL) {
818 		kmf_set_attr_at_index(attrlist, numattr++,
819 		    KMF_KEY_FILENAME_ATTR, cmd_info.privpath,
820 		    strlen(cmd_info.privpath));
821 		kmf_set_attr_at_index(attrlist, numattr++,
822 		    KMF_ENCODE_FORMAT_ATTR, &format, sizeof (format));
823 	}
824 
825 	kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist);
826 	if (kmfrv != KMF_OK) {
827 		(void) kmf_get_kmf_error_str(kmfrv, &err);
828 		cryptoerror(LOG_STDERR,
829 		    gettext("Create RSA keypair failed: %s"),
830 		    (err ? err : "unknown error"));
831 		free(err);
832 		goto cleanup;
833 	}
834 
835 	kmfrv = kmf_dn_parser(dn, &csrSubject);
836 	if (kmfrv != KMF_OK) {
837 		(void) kmf_get_kmf_error_str(kmfrv, &err);
838 		cryptoerror(LOG_STDERR,
839 		    gettext("Error parsing subject name: %s\n"),
840 		    (err ? err : "unknown error"));
841 		free(err);
842 		goto cleanup;
843 	}
844 
845 	SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), "keypair");
846 
847 	SET_VALUE(kmf_set_csr_version(&csr, 2), "version number");
848 
849 	SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name");
850 
851 	SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "SignatureAlgorithm");
852 
853 	if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
854 	    KMF_OK) {
855 		kmfrv = kmf_create_csr_file(&signedCsr, KMF_FORMAT_PEM,
856 		    cmd_info.cert);
857 	}
858 
859 cleanup:
860 	(void) kmf_free_kmf_key(kmfhandle, &prik);
861 	(void) kmf_free_data(&signedCsr);
862 	(void) kmf_free_signed_csr(&csr);
863 	(void) kmf_finalize(kmfhandle);
864 
865 	return (kmfrv);
866 }
867 
868 
869 #define	CN_MAX_LENGTH	64	/* Verisign implementation limit */
870 /*
871  * Generate a certificate request into the file named cmd_info.cert
872  */
873 /*ARGSUSED*/
874 static ret_t
875 do_cert_request(char *object)
876 {
877 	const char	 PartnerDNFMT[] =
878 	    "CN=%s, "
879 	    "OU=Class B, "
880 	    "OU=Solaris Cryptographic Framework, "
881 	    "OU=Partner Object Signing, "
882 	    "O=Sun Microsystems Inc";
883 	const char	 SunCDNFMT[] =
884 	    "CN=%s, "
885 	    "OU=Class B, "
886 	    "OU=Solaris Cryptographic Framework, "
887 	    "OU=Corporate Object Signing, "
888 	    "O=Sun Microsystems Inc";
889 	const char	 SunSDNFMT[] =
890 	    "CN=%s, "
891 	    "OU=Class B, "
892 	    "OU=Solaris Signed Execution, "
893 	    "OU=Corporate Object Signing, "
894 	    "O=Sun Microsystems Inc";
895 	const char	 *dnfmt = NULL;
896 	char	cn[CN_MAX_LENGTH + 1];
897 	char	*dn = NULL;
898 	size_t	dn_len;
899 	KMF_RETURN   kmfret;
900 	cryptodebug("do_cert_request");
901 
902 	/*
903 	 * Get the DN prefix from the user
904 	 */
905 	switch (cmd_info.internal_req) {
906 	case 'c':
907 		dnfmt = SunCDNFMT;
908 		(void) fprintf(stdout, gettext(
909 		    "Enter Sun Microsystems, Inc. Release name.\n"
910 		    "This will be the prefix of the Certificate DN: "));
911 		break;
912 	case 's':
913 		dnfmt = SunSDNFMT;
914 		(void) fprintf(stdout, gettext(
915 		    "Enter Sun Microsystems, Inc. Release name.\n"
916 		    "This will be the prefix of the Certificate DN: "));
917 		break;
918 	default:
919 		dnfmt = PartnerDNFMT;
920 		(void) fprintf(stdout, gettext(
921 		    "Enter Company Name / Stock Symbol"
922 		    " or some other globally unique identifier.\n"
923 		    "This will be the prefix of the Certificate DN: "));
924 		break;
925 	}
926 	if ((fgets(cn, sizeof (cn), stdin) == NULL) || (cn[0] == '\n')) {
927 		es_error(gettext("you must specify a Certificate DN prefix"));
928 		return (EXIT_INVALID_ARG);
929 	}
930 
931 	if (cn[strlen(cn) - 1] == '\n') {
932 		cn[strlen(cn) - 1] = '\0';	/* chop trailing \n */
933 	} else {
934 		es_error(gettext("You must specify a Certificate DN prefix "
935 		    "of no more than %d characters"), CN_MAX_LENGTH);
936 		return (EXIT_INVALID_ARG);
937 	}
938 
939 	/* Update DN string */
940 	dn_len = strlen(cn) + strlen(dnfmt);
941 	dn = malloc(dn_len + 1);
942 	(void) snprintf(dn, dn_len, dnfmt, cn);
943 
944 	cryptodebug("Generating Certificate request for DN: %s", dn);
945 	kmfret = create_csr(dn);
946 	free(dn);
947 	if (kmfret == KMF_OK)
948 		return (EXIT_OKAY);
949 	else
950 		return (EXIT_CSR_FAILED);
951 }
952 
953 static void
954 str_print(char *s)
955 {
956 	if (s == NULL)
957 		return;
958 	(void) fprintf(stdout, "%s\n", s);
959 }
960 
961 /*ARGSUSED*/
962 static ret_t
963 do_list(char *object)
964 {
965 	ret_t	retval;
966 
967 	if (cmd_info.elfcnt > 0) {
968 		ELFsign_status_t	elfstat;
969 		struct filesignatures	*fssp = NULL;
970 		size_t fs_len;
971 		struct ELFsign_sig_info	*esip;
972 
973 		if ((retval = getelfobj(cmd_info.elfobj[0])) != EXIT_OKAY)
974 			return (retval);
975 		elfstat = elfsign_signatures(cmd_info.ess,
976 		    &fssp, &fs_len, ES_GET);
977 		if (elfstat == ELFSIGN_SUCCESS) {
978 			retval = EXIT_OKAY;
979 			if (elfsign_sig_info(fssp, &esip)) {
980 				switch (cmd_info.field) {
981 				case FLD_FORMAT:
982 					str_print(esip->esi_format);
983 					break;
984 				case FLD_SIGNER:
985 					str_print(esip->esi_signer);
986 					break;
987 				case FLD_TIME:
988 					if (esip->esi_time == 0)
989 						retval = EXIT_INVALID_ARG;
990 					else
991 						str_print(time_str(
992 						    esip->esi_time));
993 					break;
994 				default:
995 					retval = EXIT_INVALID_ARG;
996 				}
997 				elfsign_sig_info_free(esip);
998 			}
999 			free(fssp);
1000 		} else
1001 			retval = EXIT_VERIFY_FAILED_UNSIGNED;
1002 		elfsign_end(cmd_info.ess);
1003 	} else {
1004 		ELFCert_t	cert;
1005 		/*
1006 		 * Initialize the ESS record here even though we are not
1007 		 * actually opening any ELF files.
1008 		 */
1009 		if (elfsign_begin(NULL, ES_GET, &(cmd_info.ess)) !=
1010 		    ELFSIGN_SUCCESS)
1011 			return (EXIT_MEMORY_ERROR);
1012 
1013 		if (elfcertlib_getcert(cmd_info.ess, cmd_info.cert, NULL,
1014 		    &cert, cmd_info.es_action)) {
1015 			retval = EXIT_OKAY;
1016 			switch (cmd_info.field) {
1017 			case FLD_SUBJECT:
1018 				str_print(elfcertlib_getdn(cert));
1019 				break;
1020 			case FLD_ISSUER:
1021 				str_print(elfcertlib_getissuer(cert));
1022 				break;
1023 			default:
1024 				retval = EXIT_INVALID_ARG;
1025 			}
1026 			elfcertlib_releasecert(cmd_info.ess, cert);
1027 		} else
1028 			retval = EXIT_BAD_CERT;
1029 		elfsign_end(cmd_info.ess);
1030 	}
1031 
1032 	return (retval);
1033 }
1034 
1035 static void
1036 es_error(const char *fmt, ...)
1037 {
1038 	char msgbuf[BUFSIZ];
1039 	va_list	args;
1040 
1041 	va_start(args, fmt);
1042 	(void) vsnprintf(msgbuf, sizeof (msgbuf), fmt, args);
1043 	va_end(args);
1044 	(void) fflush(stdout);
1045 	cryptoerror(LOG_STDERR, "%s", msgbuf);
1046 	(void) fflush(stderr);
1047 }
1048 
1049 static char *
1050 time_str(time_t t)
1051 {
1052 	static char	buf[80];
1053 	char		*bufp;
1054 
1055 	bufp = buf;
1056 	if (strftime(buf, sizeof (buf), NULL, localtime(&t)) == 0)
1057 		bufp = ctime(&t);
1058 	return (bufp);
1059 }
1060 
1061 static void
1062 sig_info_print(struct ELFsign_sig_info *esip)
1063 {
1064 	if (esip == NULL)
1065 		return;
1066 	(void) fprintf(stdout, gettext("format: %s.\n"), esip->esi_format);
1067 	(void) fprintf(stdout, gettext("signer: %s.\n"), esip->esi_signer);
1068 	if (esip->esi_time == 0)
1069 		return;
1070 	(void) fprintf(stdout, gettext("signed on: %s.\n"),
1071 	    time_str(esip->esi_time));
1072 }
1073