xref: /titanic_41/usr/src/cmd/svr4pkg/pkgadm/addcert.c (revision 581cede61ac9c14d8d4ea452562a567189eead78)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 
28 #include <stdio.h>
29 #include <stdarg.h>
30 #include <stdlib.h>
31 #include <string.h>
32 #include <sys/types.h>
33 #include <unistd.h>
34 #include <signal.h>
35 #include <locale.h>
36 #include <sys/param.h>
37 #include <openssl/bio.h>
38 #include <openssl/x509v3.h>
39 #include <openssl/ui.h>
40 
41 #include <pkglib.h>
42 #include <libinst.h>
43 #include <pkgerr.h>
44 #include <keystore.h>
45 #include "pkgadm.h"
46 #include "pkgadm_msgs.h"
47 
48 typedef enum {
49 	VerifyFailed,
50 	Accept,
51 	Reject
52 } VerifyStatus;
53 
54 static VerifyStatus	verify_trust(X509 *);
55 static boolean_t	is_ca_cert(X509 *);
56 
57 /*
58  * Name:	addcert
59  * Desc:  	Imports a user certificate into the keystore, along with a
60  *		private key.
61  * Returns:	0 on success, non-zero otherwise.
62  */
63 int
64 addcert(int argc, char **argv)
65 {
66 	int i;
67 	char	keystore_file[MAXPATHLEN] = "";
68 	char	*keystore_base = NULL;
69 	char	*homedir;
70 	char	*passarg = NULL;
71 	char	*import_passarg = NULL;
72 	char	*altroot = NULL;
73 	char	*prog = NULL;
74 	char	*alias = NULL;
75 	char	*infile = NULL;
76 	char	*inkeyfile = NULL;
77 	keystore_encoding_format_t	informat = NULL;
78 	char	*informat_str = NULL;
79 	int	ret = 1;
80 	boolean_t	trusted = B_FALSE;
81 	boolean_t	implicit_trust = B_FALSE;
82 
83 	FILE	*certfile = NULL;
84 	FILE	*keyfile = NULL;
85 	X509	*cert = NULL;
86 	STACK_OF(X509) *trustcerts = NULL;
87 	EVP_PKEY *key = NULL;
88 	PKG_ERR	*err = NULL;
89 	keystore_handle_t	keystore = NULL;
90 
91 	while ((i = getopt(argc, argv, ":a:k:e:f:n:P:p:R:ty")) != EOF) {
92 		switch (i) {
93 		case 'a':
94 			prog = optarg;
95 			break;
96 		case 'k':
97 			keystore_base = optarg;
98 			break;
99 		case 'e':
100 			inkeyfile = optarg;
101 			break;
102 		case 'f':
103 			informat_str = optarg;
104 			break;
105 		case 'n':
106 			alias = optarg;
107 			break;
108 		case 'P':
109 			passarg = optarg;
110 			break;
111 		case 'p':
112 			import_passarg = optarg;
113 			break;
114 		case 'R':
115 			altroot = optarg;
116 			break;
117 		case 't':
118 			trusted = B_TRUE;
119 			break;
120 		case 'y':
121 			implicit_trust = B_TRUE;
122 			break;
123 		case ':':
124 			log_msg(LOG_MSG_ERR, MSG_MISSING_OPERAND, optopt);
125 			/* LINTED fallthrough intentional */
126 		case '?':
127 		default:
128 			log_msg(LOG_MSG_ERR, MSG_USAGE);
129 			goto cleanup;
130 		}
131 	}
132 
133 	if (!trusted && alias == NULL) {
134 		/* for untrusted (user) certs, we require a name */
135 		log_msg(LOG_MSG_ERR, MSG_USER_NAME);
136 		log_msg(LOG_MSG_ERR, MSG_USAGE);
137 		goto cleanup;
138 	} else if (trusted && alias != NULL) {
139 		/* for trusted certs, we cannot have a name */
140 		log_msg(LOG_MSG_ERR, MSG_TRUSTED_NAME);
141 		log_msg(LOG_MSG_ERR, MSG_USAGE);
142 		goto cleanup;
143 	}
144 
145 	if (trusted && inkeyfile != NULL) {
146 		/* for trusted certs, we cannot have a private key */
147 		log_msg(LOG_MSG_ERR, MSG_TRUSTED_KEY);
148 		log_msg(LOG_MSG_ERR, MSG_USAGE);
149 		goto cleanup;
150 	}
151 
152 	/* last argument should be the path to the certificate */
153 	if ((argc-optind) > 1) {
154 	    log_msg(LOG_MSG_ERR, MSG_USAGE);
155 	    goto cleanup;
156 	} else if ((argc-optind) < 1) {
157 		infile = "stdin";
158 		certfile = stdin;
159 		log_msg(LOG_MSG_DEBUG, "Loading stdin certificate");
160 	} else {
161 		infile = argv[optind];
162 		log_msg(LOG_MSG_DEBUG, "Loading <%s> certificate",
163 		    argv[optind]);
164 		if ((certfile = fopen(infile, "r")) == NULL) {
165 			log_msg(LOG_MSG_ERR, MSG_OPEN, infile);
166 			goto cleanup;
167 		}
168 	}
169 
170 	/*
171 	 * if specific key file supplied, open it, otherwise open
172 	 * default (stdin)
173 	 */
174 	if (inkeyfile != NULL) {
175 		if ((keyfile = fopen(inkeyfile, "r")) == NULL) {
176 			log_msg(LOG_MSG_ERR, MSG_OPEN, inkeyfile);
177 			goto cleanup;
178 		}
179 	} else {
180 		inkeyfile = "stdin";
181 		keyfile = stdin;
182 	}
183 
184 	/* set up proper keystore */
185 	if (altroot != NULL) {
186 	    if (strlcpy(keystore_file, altroot, MAXPATHLEN) >= MAXPATHLEN) {
187 		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
188 		goto cleanup;
189 	    }
190 
191 	    if (strlcat(keystore_file, "/", MAXPATHLEN) >= MAXPATHLEN) {
192 		log_msg(LOG_MSG_ERR, MSG_TOO_LONG, altroot);
193 		goto cleanup;
194 	    }
195 	}
196 
197 	if (keystore_base == NULL) {
198 		if (geteuid() == 0 || altroot != NULL) {
199 				/*
200 				 * If we have an alternate
201 				 * root, then we have no choice but to use
202 				 * root's keystore on that alternate root,
203 				 * since there is no way to resolve a
204 				 * user's home dir given an alternate root
205 				 */
206 			if (strlcat(keystore_file, PKGSEC,
207 			    MAXPATHLEN) >= MAXPATHLEN) {
208 				log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
209 				    keystore_file);
210 				goto cleanup;
211 			}
212 		} else {
213 			if ((homedir = getenv("HOME")) == NULL) {
214 				/*
215 				 * not superuser, but no home dir, so
216 				 * use superuser's keystore
217 				 */
218 				if (strlcat(keystore_file, PKGSEC,
219 				    MAXPATHLEN) >= MAXPATHLEN) {
220 					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
221 					    keystore_file);
222 					goto cleanup;
223 				}
224 			} else {
225 				if (strlcat(keystore_file, homedir,
226 				    MAXPATHLEN) >= MAXPATHLEN) {
227 					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
228 					    homedir);
229 					goto cleanup;
230 				}
231 				if (strlcat(keystore_file, "/.pkg/security",
232 				    MAXPATHLEN) >= MAXPATHLEN) {
233 					log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
234 					    keystore_file);
235 					goto cleanup;
236 				}
237 			}
238 		}
239 	} else {
240 		if (strlcat(keystore_file, keystore_base,
241 		    MAXPATHLEN) >= MAXPATHLEN) {
242 		    log_msg(LOG_MSG_ERR, MSG_TOO_LONG,
243 			keystore_base);
244 		    goto cleanup;
245 		}
246 	}
247 
248 	/* figure out input format */
249 	if (informat_str == NULL) {
250 		informat = KEYSTORE_FORMAT_PEM;
251 	} else {
252 		if (ci_streq(informat_str, "pem")) {
253 			informat = KEYSTORE_FORMAT_PEM;
254 		} else if (ci_streq(informat_str, "der")) {
255 			informat = KEYSTORE_FORMAT_DER;
256 		} else {
257 			log_msg(LOG_MSG_ERR, MSG_BAD_FORMAT, informat_str);
258 			goto cleanup;
259 		}
260 	}
261 
262 	err = pkgerr_new();
263 
264 	if (trusted) {
265 		/* load all possible certs */
266 		if (load_all_certs(err, certfile, informat, import_passarg,
267 		    &trustcerts) != 0) {
268 			log_pkgerr(LOG_MSG_ERR, err);
269 			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
270 			goto cleanup;
271 		}
272 
273 		/* we must have gotten at least one cert, if not, fail */
274 		if (sk_X509_num(trustcerts) < 1) {
275 			log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile);
276 			goto cleanup;
277 		}
278 	} else {
279 		/* first, try to load user certificate and key */
280 		if (load_cert_and_key(err, certfile, informat, import_passarg,
281 		    &key, &cert) != 0) {
282 			log_pkgerr(LOG_MSG_ERR, err);
283 			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
284 			goto cleanup;
285 		}
286 
287 		/* we must have gotten a cert, if not, fail */
288 		if (cert == NULL) {
289 			log_msg(LOG_MSG_ERR, MSG_NO_CERTS, infile);
290 			goto cleanup;
291 		}
292 
293 		if (key == NULL) {
294 			/*
295 			 * if we are importing a user cert, and did not get
296 			 * a key, try to load it from the key file
297 			 */
298 			if (keyfile == NULL) {
299 				log_msg(LOG_MSG_ERR, MSG_NEED_KEY, infile);
300 				goto cleanup;
301 			} else {
302 				log_msg(LOG_MSG_DEBUG,
303 				    "Loading private key <%s>", inkeyfile);
304 				if (load_cert_and_key(err, keyfile, informat,
305 				    import_passarg,
306 				    &key, NULL) != 0) {
307 					log_pkgerr(LOG_MSG_ERR, err);
308 					log_msg(LOG_MSG_ERR,
309 					    MSG_NO_ADDKEY, inkeyfile);
310 					goto cleanup;
311 				}
312 
313 				if (key == NULL) {
314 					log_msg(LOG_MSG_ERR, MSG_NO_PRIVKEY,
315 					    inkeyfile);
316 					log_msg(LOG_MSG_ERR,
317 					    MSG_NO_ADDKEY, inkeyfile);
318 					goto cleanup;
319 				}
320 			}
321 		}
322 	}
323 
324 	if (trusted) {
325 		/* check validity date of all certificates */
326 		for (i = 0; i < sk_X509_num(trustcerts); i++) {
327 			/* LINTED pointer cast may result in improper algnmnt */
328 			cert = sk_X509_value(trustcerts, i);
329 			if (check_cert(err, cert) != 0) {
330 				log_pkgerr(LOG_MSG_ERR, err);
331 				log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT,
332 				    infile);
333 				goto cleanup;
334 			}
335 		}
336 	} else {
337 		/* check validity date of user certificate */
338 		if (check_cert_and_key(err, cert, key) != 0) {
339 			log_pkgerr(LOG_MSG_ERR, err);
340 			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
341 			goto cleanup;
342 		}
343 	}
344 
345 	if (trusted && !implicit_trust) {
346 		/*
347 		 * if importing more than one cert, must use implicit trust,
348 		 * because we can't ask the user to individually trust
349 		 * each one, since there may be many
350 		 */
351 		if (sk_X509_num(trustcerts) != 1) {
352 			log_pkgerr(LOG_MSG_ERR, err);
353 			log_msg(LOG_MSG_ERR, MSG_MULTIPLE_TRUST, infile, "-y");
354 			goto cleanup;
355 		} else {
356 			/* LINTED pointer cast may result in improper algnmnt */
357 			cert = sk_X509_value(trustcerts, 0);
358 		}
359 
360 		/* ask the user */
361 		switch (verify_trust(cert)) {
362 		case Accept:
363 			/* user accepted */
364 			break;
365 		case Reject:
366 			/* user aborted operation */
367 			log_msg(LOG_MSG_ERR, MSG_ADDCERT_ABORT);
368 			goto cleanup;
369 		case VerifyFailed:
370 		default:
371 			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
372 			goto cleanup;
373 		}
374 	}
375 
376 	/* now load the key store */
377 	log_msg(LOG_MSG_DEBUG, "Loading keystore <%s>", keystore_file);
378 
379 	set_passphrase_prompt(MSG_KEYSTORE_PASSPROMPT);
380 	set_passphrase_passarg(passarg);
381 	if (open_keystore(err, keystore_file, prog, pkg_passphrase_cb,
382 	    KEYSTORE_ACCESS_READWRITE | KEYSTORE_PATH_HARD, &keystore) != 0) {
383 		log_pkgerr(LOG_MSG_ERR, err);
384 		log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
385 		goto cleanup;
386 	}
387 
388 	/* now merge the new cert into the keystore */
389 	log_msg(LOG_MSG_DEBUG, "Merging certificate <%s>",
390 	    get_subject_display_name(cert));
391 	if (trusted) {
392 		/* merge all trusted certs found */
393 		for (i = 0; i < sk_X509_num(trustcerts); i++) {
394 			/* LINTED pointer cast may result in improper algnmnt */
395 			cert = sk_X509_value(trustcerts, i);
396 			if (merge_ca_cert(err, cert, keystore) != 0) {
397 				log_pkgerr(LOG_MSG_ERR, err);
398 				log_msg(LOG_MSG_ERR,
399 				    MSG_NO_ADDCERT, infile);
400 				goto cleanup;
401 
402 			} else {
403 				log_msg(LOG_MSG_INFO, MSG_TRUSTING,
404 				    get_subject_display_name(cert));
405 			}
406 		}
407 	} else {
408 		/* merge user cert */
409 		if (merge_cert_and_key(err, cert, key, alias, keystore) != 0) {
410 			log_pkgerr(LOG_MSG_ERR, err);
411 			log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
412 			goto cleanup;
413 		}
414 	}
415 
416 	/* now write it back out */
417 	log_msg(LOG_MSG_DEBUG, "Closing keystore");
418 	set_passphrase_prompt(MSG_KEYSTORE_PASSOUTPROMPT);
419 	set_passphrase_passarg(passarg);
420 	if (close_keystore(err, keystore, pkg_passphrase_cb) != 0) {
421 		log_pkgerr(LOG_MSG_ERR, err);
422 		log_msg(LOG_MSG_ERR, MSG_NO_ADDCERT, infile);
423 		goto cleanup;
424 	}
425 
426 	if (trusted) {
427 		log_msg(LOG_MSG_INFO, MSG_TRUSTED, infile);
428 	} else {
429 		log_msg(LOG_MSG_INFO, MSG_ADDED, infile, alias);
430 	}
431 
432 	ret = 0;
433 
434 	/* fallthrough intentional */
435 cleanup:
436 	if (err != NULL)
437 		pkgerr_free(err);
438 
439 	if (certfile != NULL)
440 		(void) fclose(certfile);
441 
442 	if (keyfile != NULL)
443 		(void) fclose(keyfile);
444 
445 	return (ret);
446 	}
447 
448 /* Asks user to verify certificate data before proceeding */
449 static VerifyStatus verify_trust(X509 *cert)
450 {
451 	char		vfy_trust = 'y';
452 	VerifyStatus	ret = Accept;
453 	PKG_ERR		*err;
454 	UI		*ui = NULL;
455 
456 	err = pkgerr_new();
457 	/* print cert data */
458 	if (print_cert(err, cert, KEYSTORE_FORMAT_TEXT,
459 	    get_subject_display_name(cert), B_TRUE, stdout) != 0) {
460 		log_pkgerr(LOG_MSG_ERR, err);
461 		ret = VerifyFailed;
462 		goto cleanup;
463 	}
464 
465 	if ((ui = UI_new()) == NULL) {
466 		log_msg(LOG_MSG_ERR, MSG_MEM);
467 		ret = VerifyFailed;
468 		goto cleanup;
469 	}
470 
471 	/*
472 	 * The prompt is internationalized, but the valid
473 	 * response values are fixed, to avoid any complex
474 	 * multibyte processing that results in bugs
475 	 */
476 	if (UI_add_input_boolean(ui, MSG_VERIFY_TRUST,
477 	    "",
478 	    "yY", "nN",
479 	    UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
480 		log_msg(LOG_MSG_ERR, MSG_MEM);
481 		ret = VerifyFailed;
482 		goto cleanup;
483 	}
484 
485 	if (UI_process(ui) != 0) {
486 		log_msg(LOG_MSG_ERR, MSG_MEM);
487 		ret = VerifyFailed;
488 		goto cleanup;
489 	}
490 
491 	if (vfy_trust != 'y') {
492 		ret = Reject;
493 		goto cleanup;
494 	}
495 
496 	/*
497 	 * if the cert does not appear to be a CA cert
498 	 * r is not self-signed, verify that as well
499 	 */
500 	if (!is_ca_cert(cert)) {
501 		UI_free(ui);
502 		if ((ui = UI_new()) == NULL) {
503 			log_msg(LOG_MSG_ERR, MSG_MEM);
504 			ret = VerifyFailed;
505 			goto cleanup;
506 		}
507 
508 		if (UI_add_input_boolean(ui,
509 		    MSG_VERIFY_NOT_CA,
510 		    "",
511 		    "yY", "nN",
512 		    UI_INPUT_FLAG_ECHO, &vfy_trust) <= 0) {
513 			ret = VerifyFailed;
514 			goto cleanup;
515 		}
516 
517 		if (UI_process(ui) != 0) {
518 			log_msg(LOG_MSG_ERR, MSG_MEM);
519 			ret = VerifyFailed;
520 			goto cleanup;
521 		}
522 
523 		if (vfy_trust != 'y') {
524 			ret = Reject;
525 			goto cleanup;
526 		}
527 	}
528 
529 cleanup:
530 	if (ui != NULL)
531 		UI_free(ui);
532 
533 	if (err != NULL)
534 		pkgerr_free(err);
535 
536 	return (ret);
537 }
538 /*
539  *	Name:	is_ca_cert
540  *	Desc:	Determines if a given certificate has the attributes
541  *		of a CA certificate
542  *	Returns: B_TRUE if certificate has attributes of a CA cert
543  *		B_FALSE otherwise
544  */
545 static boolean_t
546 is_ca_cert(X509 *x)
547 {
548 
549 	/*
550 	 * X509_check_purpose causes the extensions that we
551 	 * care about to be decoded and stored in the X509
552 	 * structure, so we must call it first
553 	 * before checking for CA extensions in the X509
554 	 * structure
555 	 */
556 	(void) X509_check_purpose(x, X509_PURPOSE_ANY, 0);
557 
558 	/* keyUsage if present should allow cert signing */
559 	if ((x->ex_flags & EXFLAG_KUSAGE) &&
560 	    !(x->ex_kusage & KU_KEY_CERT_SIGN)) {
561 		return (B_FALSE);
562 	}
563 
564 	/* If basicConstraints says not a CA then say so */
565 	if (x->ex_flags & EXFLAG_BCONS) {
566 		if (!(x->ex_flags & EXFLAG_CA)) {
567 			return (B_FALSE);
568 		}
569 	}
570 
571 	/* no explicit not-a-CA flags set, so assume that it is */
572 	return (B_TRUE);
573 }
574