1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*7c478bd9Sstevel@tonic-gate * with the License. 8*7c478bd9Sstevel@tonic-gate * 9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 12*7c478bd9Sstevel@tonic-gate * and limitations under the License. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*7c478bd9Sstevel@tonic-gate */ 22*7c478bd9Sstevel@tonic-gate /* 23*7c478bd9Sstevel@tonic-gate * Copyright 2002, 2003 Sun Microsystems, Inc. All rights reserved. 24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 25*7c478bd9Sstevel@tonic-gate */ 26*7c478bd9Sstevel@tonic-gate 27*7c478bd9Sstevel@tonic-gate #ifndef _P12AUX_H 28*7c478bd9Sstevel@tonic-gate #define _P12AUX_H 29*7c478bd9Sstevel@tonic-gate 30*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 31*7c478bd9Sstevel@tonic-gate 32*7c478bd9Sstevel@tonic-gate #include <openssl/pkcs12.h> 33*7c478bd9Sstevel@tonic-gate 34*7c478bd9Sstevel@tonic-gate #ifdef __cplusplus 35*7c478bd9Sstevel@tonic-gate extern "C" { 36*7c478bd9Sstevel@tonic-gate #endif 37*7c478bd9Sstevel@tonic-gate 38*7c478bd9Sstevel@tonic-gate /* 39*7c478bd9Sstevel@tonic-gate * I really hate to do this. It's pretty gross, but go ahead and use the 40*7c478bd9Sstevel@tonic-gate * macros and functions already defined to provide new EVP_PKEY-specific 41*7c478bd9Sstevel@tonic-gate * macros, for use within this file only. 42*7c478bd9Sstevel@tonic-gate * 43*7c478bd9Sstevel@tonic-gate * My apologies. 44*7c478bd9Sstevel@tonic-gate */ 45*7c478bd9Sstevel@tonic-gate DECLARE_STACK_OF(EVP_PKEY) 46*7c478bd9Sstevel@tonic-gate 47*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY) 48*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_free(st) SKM_sk_free(EVP_PKEY, (st)) 49*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_num(st) SKM_sk_num(EVP_PKEY, (st)) 50*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_value(st, i) SKM_sk_value(EVP_PKEY, (st), (i)) 51*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_push(st, val) SKM_sk_push(EVP_PKEY, (st), (val)) 52*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_find(st, val) SKM_sk_find(EVP_PKEY, (st), (val)) 53*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_delete(st, i) SKM_sk_delete(EVP_PKEY, (st), (i)) 54*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_delete_ptr(st, ptr) SKM_sk_delete_ptr(EVP_PKEY, (st), (ptr)) 55*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_insert(st, val, i) SKM_sk_insert(EVP_PKEY, (st), (val), (i)) 56*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \ 57*7c478bd9Sstevel@tonic-gate (free_func)) 58*7c478bd9Sstevel@tonic-gate #define sk_EVP_PKEY_pop(st) SKM_sk_pop(EVP_PKEY, (st)) 59*7c478bd9Sstevel@tonic-gate 60*7c478bd9Sstevel@tonic-gate /* 61*7c478bd9Sstevel@tonic-gate * This type indicates what to do with an attribute being returned. 62*7c478bd9Sstevel@tonic-gate */ 63*7c478bd9Sstevel@tonic-gate typedef enum { 64*7c478bd9Sstevel@tonic-gate GETDO_COPY = 1, /* Simply return the value of the attribute */ 65*7c478bd9Sstevel@tonic-gate GETDO_DEL /* Delete the attribute at the same time. */ 66*7c478bd9Sstevel@tonic-gate } getdo_actions_t; 67*7c478bd9Sstevel@tonic-gate 68*7c478bd9Sstevel@tonic-gate /* 69*7c478bd9Sstevel@tonic-gate * The following is used to call the sunw_print_times function which is 70*7c478bd9Sstevel@tonic-gate * described at the bottom of the page. 71*7c478bd9Sstevel@tonic-gate */ 72*7c478bd9Sstevel@tonic-gate typedef enum { 73*7c478bd9Sstevel@tonic-gate PRNT_NOT_BEFORE = 1, /* Print 'not before' date */ 74*7c478bd9Sstevel@tonic-gate PRNT_NOT_AFTER, /* Print 'not after' date */ 75*7c478bd9Sstevel@tonic-gate PRNT_BOTH /* Prints both dates */ 76*7c478bd9Sstevel@tonic-gate } prnt_actions_t; 77*7c478bd9Sstevel@tonic-gate 78*7c478bd9Sstevel@tonic-gate /* 79*7c478bd9Sstevel@tonic-gate * For sunw_pkcs12_parse, the following are values for bits that indicate 80*7c478bd9Sstevel@tonic-gate * various types of searches/matching to do. Any of these values can be 81*7c478bd9Sstevel@tonic-gate * OR'd together. However, the order in which an attempt will be made 82*7c478bd9Sstevel@tonic-gate * to satisfy them is the order in which they are listed below. The 83*7c478bd9Sstevel@tonic-gate * exception is DO_NONE. It should not be OR'd with any other value. 84*7c478bd9Sstevel@tonic-gate */ 85*7c478bd9Sstevel@tonic-gate #define DO_NONE 0x00 /* Don't even try to match */ 86*7c478bd9Sstevel@tonic-gate #define DO_FIND_KEYID 0x01 /* 1st cert, key with matching localkeyid */ 87*7c478bd9Sstevel@tonic-gate #define DO_FIND_FN 0x02 /* 1st cert, key with matching friendlyname */ 88*7c478bd9Sstevel@tonic-gate #define DO_FIRST_PAIR 0x04 /* Return first matching cert/key pair found */ 89*7c478bd9Sstevel@tonic-gate #define DO_LAST_PAIR 0x08 /* Return last matching cert/key pair found */ 90*7c478bd9Sstevel@tonic-gate #define DO_UNMATCHING 0x10 /* Return first cert and/or key */ 91*7c478bd9Sstevel@tonic-gate 92*7c478bd9Sstevel@tonic-gate /* Bits returned, which indicate what values were found. */ 93*7c478bd9Sstevel@tonic-gate #define FOUND_PKEY 0x01 /* Found one or more private key */ 94*7c478bd9Sstevel@tonic-gate #define FOUND_CERT 0x02 /* Found one or more client certificate */ 95*7c478bd9Sstevel@tonic-gate #define FOUND_CA_CERTS 0x04 /* Added at least one cert to the CA list */ 96*7c478bd9Sstevel@tonic-gate #define FOUND_XPKEY 0x08 /* Found at least one private key which does */ 97*7c478bd9Sstevel@tonic-gate /* not match a certificate in the certs list */ 98*7c478bd9Sstevel@tonic-gate 99*7c478bd9Sstevel@tonic-gate /* 100*7c478bd9Sstevel@tonic-gate * sunw_cryto_init() does crypto-specific initialization. 101*7c478bd9Sstevel@tonic-gate * 102*7c478bd9Sstevel@tonic-gate * Arguments: 103*7c478bd9Sstevel@tonic-gate * None. 104*7c478bd9Sstevel@tonic-gate * 105*7c478bd9Sstevel@tonic-gate * Returns: 106*7c478bd9Sstevel@tonic-gate * None. 107*7c478bd9Sstevel@tonic-gate */ 108*7c478bd9Sstevel@tonic-gate void sunw_crypto_init(void); 109*7c478bd9Sstevel@tonic-gate 110*7c478bd9Sstevel@tonic-gate /* 111*7c478bd9Sstevel@tonic-gate * sunw_PKCS12_parse() parses a pkcs#12 structure and returns component parts. 112*7c478bd9Sstevel@tonic-gate * 113*7c478bd9Sstevel@tonic-gate * Parse and decrypt a PKCS#12 structure returning user key, user cert and/or 114*7c478bd9Sstevel@tonic-gate * other (CA) certs. Note either ca should be NULL, *ca should be NULL, 115*7c478bd9Sstevel@tonic-gate * or it should point to a valid STACK_OF(X509) structure. pkey and cert can 116*7c478bd9Sstevel@tonic-gate * be passed uninitialized. 117*7c478bd9Sstevel@tonic-gate * 118*7c478bd9Sstevel@tonic-gate * Arguments: 119*7c478bd9Sstevel@tonic-gate * p12 - Structure with pkcs12 info to be parsed 120*7c478bd9Sstevel@tonic-gate * pass - Pass phrase for the private key and entire pkcs12 wad (possibly 121*7c478bd9Sstevel@tonic-gate * empty) or NULL if there is none. 122*7c478bd9Sstevel@tonic-gate * matchty - Info about which certs/keys to return if many are in the file. 123*7c478bd9Sstevel@tonic-gate * keyid_str- If private key localkeyids are to match a predetermined value, 124*7c478bd9Sstevel@tonic-gate * the value to match. 125*7c478bd9Sstevel@tonic-gate * keyid_len- Length of the keyid byte string. 126*7c478bd9Sstevel@tonic-gate * name_str - If friendlynames are to match a predetermined value, the value 127*7c478bd9Sstevel@tonic-gate * to match. 128*7c478bd9Sstevel@tonic-gate * pkey - Points to location pointing to the private key returned. 129*7c478bd9Sstevel@tonic-gate * cert - Points to locaiton which points to the client cert returned 130*7c478bd9Sstevel@tonic-gate * ca - Points to location that points to a stack of 'certificate 131*7c478bd9Sstevel@tonic-gate * authority' certs (possibly including trust anchors). 132*7c478bd9Sstevel@tonic-gate * 133*7c478bd9Sstevel@tonic-gate * Match based on the value of 'matchty' and the contents of 'keyid_str' 134*7c478bd9Sstevel@tonic-gate * and/or 'name_str', as appropriate. Go through the lists of certs and 135*7c478bd9Sstevel@tonic-gate * private keys which were taken from the pkcs12 structure, looking for 136*7c478bd9Sstevel@tonic-gate * matches of the requested type. This function only searches the lists of 137*7c478bd9Sstevel@tonic-gate * matching private keys and client certificates. Kinds of matches allowed, 138*7c478bd9Sstevel@tonic-gate * and the order in which they will be checked, are: 139*7c478bd9Sstevel@tonic-gate * 140*7c478bd9Sstevel@tonic-gate * 1) Find the key and/or cert whose localkeyid attributes matches 'cmpstr' 141*7c478bd9Sstevel@tonic-gate * 2) Find the key and/or cert whose friendlyname attributes matches 'cmpstr' 142*7c478bd9Sstevel@tonic-gate * 3) Return the first matching key/cert pair found. 143*7c478bd9Sstevel@tonic-gate * 4) Return the last matching key/cert pair found. 144*7c478bd9Sstevel@tonic-gate * 5) Return whatever cert and/or key are available, even unmatching. 145*7c478bd9Sstevel@tonic-gate * 146*7c478bd9Sstevel@tonic-gate * Append the certs which do not have matching private keys and which were 147*7c478bd9Sstevel@tonic-gate * not selected to the CA list. 148*7c478bd9Sstevel@tonic-gate * 149*7c478bd9Sstevel@tonic-gate * If none of the bits are set, no client certs or private keys will be 150*7c478bd9Sstevel@tonic-gate * returned. CA (aka trust anchor) certs can be. 151*7c478bd9Sstevel@tonic-gate * 152*7c478bd9Sstevel@tonic-gate * Notes: If #3 is selected, then #4 will never occur. CA certs will be 153*7c478bd9Sstevel@tonic-gate * selected after a cert/key pairs are isolated. 154*7c478bd9Sstevel@tonic-gate * 155*7c478bd9Sstevel@tonic-gate * Returns: 156*7c478bd9Sstevel@tonic-gate * < 0 - An error returned. Call ERR_get_error() to get errors information. 157*7c478bd9Sstevel@tonic-gate * Where possible, memory has been freed. 158*7c478bd9Sstevel@tonic-gate * >= 0 - Objects were found and returned. Which objects are indicated by 159*7c478bd9Sstevel@tonic-gate * which bits are set (FOUND_PKEY, FOUND_CERT, FOUND_CA_CERTS). 160*7c478bd9Sstevel@tonic-gate */ 161*7c478bd9Sstevel@tonic-gate int sunw_PKCS12_parse(PKCS12 *, const char *, int, char *, int, char *, 162*7c478bd9Sstevel@tonic-gate EVP_PKEY **, X509 **, STACK_OF(X509) **); 163*7c478bd9Sstevel@tonic-gate 164*7c478bd9Sstevel@tonic-gate 165*7c478bd9Sstevel@tonic-gate /* 166*7c478bd9Sstevel@tonic-gate * sunw_PKCS12_create() creates a pkcs#12 structure and given component parts. 167*7c478bd9Sstevel@tonic-gate * 168*7c478bd9Sstevel@tonic-gate * Given one or more of user private key, user cert and/or other (CA) certs, 169*7c478bd9Sstevel@tonic-gate * return an encrypted PKCS12 structure containing them. 170*7c478bd9Sstevel@tonic-gate * 171*7c478bd9Sstevel@tonic-gate * Arguments: 172*7c478bd9Sstevel@tonic-gate * pass - Pass phrase for the pkcs12 structure and private key (possibly 173*7c478bd9Sstevel@tonic-gate * empty) or NULL if there is none. It will be used to encrypt 174*7c478bd9Sstevel@tonic-gate * both the private key(s) and as the pass phrase for the whole 175*7c478bd9Sstevel@tonic-gate * pkcs12 wad. 176*7c478bd9Sstevel@tonic-gate * pkey - Points to stack of private keys. 177*7c478bd9Sstevel@tonic-gate * cert - Points to stack of client (public ke) certs 178*7c478bd9Sstevel@tonic-gate * ca - Points to stack of 'certificate authority' certs (or trust 179*7c478bd9Sstevel@tonic-gate * anchors). 180*7c478bd9Sstevel@tonic-gate * 181*7c478bd9Sstevel@tonic-gate * Note that any of these may be NULL. 182*7c478bd9Sstevel@tonic-gate * 183*7c478bd9Sstevel@tonic-gate * Returns: 184*7c478bd9Sstevel@tonic-gate * NULL - An error occurred. 185*7c478bd9Sstevel@tonic-gate * != NULL - Address of PKCS12 structure. The user is responsible for 186*7c478bd9Sstevel@tonic-gate * freeing the memory when done. 187*7c478bd9Sstevel@tonic-gate */ 188*7c478bd9Sstevel@tonic-gate PKCS12 *sunw_PKCS12_create(const char *, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, 189*7c478bd9Sstevel@tonic-gate STACK_OF(X509) *); 190*7c478bd9Sstevel@tonic-gate 191*7c478bd9Sstevel@tonic-gate 192*7c478bd9Sstevel@tonic-gate /* 193*7c478bd9Sstevel@tonic-gate * sunw_split_certs() - Given a list of certs and a list of private keys, 194*7c478bd9Sstevel@tonic-gate * moves certs which match one of the keys to a different stack. 195*7c478bd9Sstevel@tonic-gate * 196*7c478bd9Sstevel@tonic-gate * Arguments: 197*7c478bd9Sstevel@tonic-gate * allkeys - Points to a stack of private keys to search. 198*7c478bd9Sstevel@tonic-gate * allcerts - Points to a stack of certs to be searched. 199*7c478bd9Sstevel@tonic-gate * keycerts - Points to address of a stack of certs with matching private 200*7c478bd9Sstevel@tonic-gate * keys. They are moved from 'allcerts'. This may not be NULL 201*7c478bd9Sstevel@tonic-gate * when called. If *keycerts is NULL upon entry, a new stack will 202*7c478bd9Sstevel@tonic-gate * be allocated. Otherwise, it must be a valid STACK_OF(509). 203*7c478bd9Sstevel@tonic-gate * nocerts - Points to address of a stack for keys which have no matching 204*7c478bd9Sstevel@tonic-gate * certs. Keys are moved from 'allkeys' here when they have no 205*7c478bd9Sstevel@tonic-gate * matching certs. If this is NULL, matchless keys will be 206*7c478bd9Sstevel@tonic-gate * discarded. 207*7c478bd9Sstevel@tonic-gate * 208*7c478bd9Sstevel@tonic-gate * Notes: If an error occurs while moving certs, the cert being move may be 209*7c478bd9Sstevel@tonic-gate * lost. 'keycerts' may only contain part of the matching certs. The number 210*7c478bd9Sstevel@tonic-gate * of certs successfully moved can be found by checking sk_X509_num(keycerts). 211*7c478bd9Sstevel@tonic-gate * 212*7c478bd9Sstevel@tonic-gate * If there is a key which does not have a matching cert, it is moved to 213*7c478bd9Sstevel@tonic-gate * the list nocerts. 214*7c478bd9Sstevel@tonic-gate * 215*7c478bd9Sstevel@tonic-gate * If all certs are removed from 'certs' and/or 'pkeys', it will be the 216*7c478bd9Sstevel@tonic-gate * caller's responsibility to free the empty stacks. 217*7c478bd9Sstevel@tonic-gate * 218*7c478bd9Sstevel@tonic-gate * Returns: 219*7c478bd9Sstevel@tonic-gate * < 0 - An error returned. Call ERR_get_error() to get errors information. 220*7c478bd9Sstevel@tonic-gate * Where possible, memory has been freed. 221*7c478bd9Sstevel@tonic-gate * >= 0 - The number of certs moved from 'cert' to 'pkcerts'. 222*7c478bd9Sstevel@tonic-gate */ 223*7c478bd9Sstevel@tonic-gate int sunw_split_certs(STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, STACK_OF(X509) **, 224*7c478bd9Sstevel@tonic-gate STACK_OF(EVP_PKEY) **); 225*7c478bd9Sstevel@tonic-gate 226*7c478bd9Sstevel@tonic-gate /* 227*7c478bd9Sstevel@tonic-gate * sunw_evp_pkey_free() Given an EVP_PKEY structure, free any attributes 228*7c478bd9Sstevel@tonic-gate * that are attached. Then free the EVP_PKEY itself. 229*7c478bd9Sstevel@tonic-gate * 230*7c478bd9Sstevel@tonic-gate * This is the replacement for EVP_PKEY_free() for the sunw stuff. 231*7c478bd9Sstevel@tonic-gate * It should be used in places where EVP_PKEY_free would be used, 232*7c478bd9Sstevel@tonic-gate * including calls to sk_EVP_PKEY_pop_free(). 233*7c478bd9Sstevel@tonic-gate * 234*7c478bd9Sstevel@tonic-gate * Arguments: 235*7c478bd9Sstevel@tonic-gate * pkey - Entry which potentially has attributes to be freed. 236*7c478bd9Sstevel@tonic-gate * 237*7c478bd9Sstevel@tonic-gate * Returns: 238*7c478bd9Sstevel@tonic-gate * None. 239*7c478bd9Sstevel@tonic-gate */ 240*7c478bd9Sstevel@tonic-gate void sunw_evp_pkey_free(EVP_PKEY *); 241*7c478bd9Sstevel@tonic-gate 242*7c478bd9Sstevel@tonic-gate /* 243*7c478bd9Sstevel@tonic-gate * sunw_set_localkeyid() sets the localkeyid in a cert, a private key or 244*7c478bd9Sstevel@tonic-gate * both. Any existing localkeyid will be discarded. 245*7c478bd9Sstevel@tonic-gate * 246*7c478bd9Sstevel@tonic-gate * Arguments: 247*7c478bd9Sstevel@tonic-gate * keyid_str- A byte string with the localkeyid to set 248*7c478bd9Sstevel@tonic-gate * keyid_len- Length of the keyid byte string. 249*7c478bd9Sstevel@tonic-gate * pkey - Points to a private key to set the keyidstr in. 250*7c478bd9Sstevel@tonic-gate * cert - Points to a cert to set the keyidstr in. 251*7c478bd9Sstevel@tonic-gate * 252*7c478bd9Sstevel@tonic-gate * Note that setting a keyid into a cert which will not be written out as 253*7c478bd9Sstevel@tonic-gate * a PKCS12 cert is pointless since it will be lost. 254*7c478bd9Sstevel@tonic-gate * 255*7c478bd9Sstevel@tonic-gate * Returns: 256*7c478bd9Sstevel@tonic-gate * 0 - Success. 257*7c478bd9Sstevel@tonic-gate * < 0 - An error occurred. It was probably an error in allocating 258*7c478bd9Sstevel@tonic-gate * memory. The error will be set in the error stack. Call 259*7c478bd9Sstevel@tonic-gate * ERR_get_error() to get specific information. 260*7c478bd9Sstevel@tonic-gate */ 261*7c478bd9Sstevel@tonic-gate int sunw_set_localkeyid(const char *, int, EVP_PKEY *, X509 *); 262*7c478bd9Sstevel@tonic-gate 263*7c478bd9Sstevel@tonic-gate 264*7c478bd9Sstevel@tonic-gate /* 265*7c478bd9Sstevel@tonic-gate * sunw_get_pkey_localkeyid() gets the localkeyid from a private key. It can 266*7c478bd9Sstevel@tonic-gate * optionally remove the value found. 267*7c478bd9Sstevel@tonic-gate * 268*7c478bd9Sstevel@tonic-gate * Arguments: 269*7c478bd9Sstevel@tonic-gate * dowhat - What to do with the attributes (remove them or copy them). 270*7c478bd9Sstevel@tonic-gate * pkey - Points to a private key to set the keyidstr in. 271*7c478bd9Sstevel@tonic-gate * keyid_str- Points to a location which will receive the pointer to 272*7c478bd9Sstevel@tonic-gate * a byte string containing the binary localkeyid. Note that 273*7c478bd9Sstevel@tonic-gate * this is a copy, and the caller must free it. 274*7c478bd9Sstevel@tonic-gate * keyid_len- Length of keyid_str. 275*7c478bd9Sstevel@tonic-gate * 276*7c478bd9Sstevel@tonic-gate * Returns: 277*7c478bd9Sstevel@tonic-gate * >= 0 - The number of characters in the keyid returned. 278*7c478bd9Sstevel@tonic-gate * < 0 - An error occurred. It was probably an error in allocating 279*7c478bd9Sstevel@tonic-gate * memory. The error will be set in the error stack. Call 280*7c478bd9Sstevel@tonic-gate * ERR_get_error() to get specific information. 281*7c478bd9Sstevel@tonic-gate */ 282*7c478bd9Sstevel@tonic-gate int sunw_get_pkey_localkeyid(getdo_actions_t, EVP_PKEY *, char **, int *); 283*7c478bd9Sstevel@tonic-gate 284*7c478bd9Sstevel@tonic-gate 285*7c478bd9Sstevel@tonic-gate /* 286*7c478bd9Sstevel@tonic-gate * sunw_get_pkey_fname() gets the friendlyName from a private key. It can 287*7c478bd9Sstevel@tonic-gate * optionally remove the value found. 288*7c478bd9Sstevel@tonic-gate * 289*7c478bd9Sstevel@tonic-gate * Arguments: 290*7c478bd9Sstevel@tonic-gate * dowhat - What to do with the attributes (remove them or just return 291*7c478bd9Sstevel@tonic-gate * them). 292*7c478bd9Sstevel@tonic-gate * pkey - Points to a private key to get the keyid from 293*7c478bd9Sstevel@tonic-gate * fname - Points to a location which will receive the pointer to a 294*7c478bd9Sstevel@tonic-gate * byte string with the ASCII friendlyname 295*7c478bd9Sstevel@tonic-gate * 296*7c478bd9Sstevel@tonic-gate * Returns: 297*7c478bd9Sstevel@tonic-gate * >= 0 - The number of characters in the keyid returned. 298*7c478bd9Sstevel@tonic-gate * < 0 - An error occurred. It was probably an error in allocating 299*7c478bd9Sstevel@tonic-gate * memory. The error will be set in the error stack. Call 300*7c478bd9Sstevel@tonic-gate * ERR_get_error() to get specific information. 301*7c478bd9Sstevel@tonic-gate */ 302*7c478bd9Sstevel@tonic-gate int sunw_get_pkey_fname(getdo_actions_t, EVP_PKEY *, char **); 303*7c478bd9Sstevel@tonic-gate 304*7c478bd9Sstevel@tonic-gate 305*7c478bd9Sstevel@tonic-gate /* 306*7c478bd9Sstevel@tonic-gate * sunw_find_localkeyid() searches stacks of certs and private keys, and 307*7c478bd9Sstevel@tonic-gate * returns the first matching cert/private key found. 308*7c478bd9Sstevel@tonic-gate * 309*7c478bd9Sstevel@tonic-gate * Look for a keyid in a stack of certs. if 'certs' is NULL and 'pkeys' is 310*7c478bd9Sstevel@tonic-gate * not NULL, search the list of private keys. Move the matching cert to 311*7c478bd9Sstevel@tonic-gate * 'matching_cert' and its matching private key to 'matching_pkey'. If no 312*7c478bd9Sstevel@tonic-gate * cert or keys match, no match occurred. 313*7c478bd9Sstevel@tonic-gate * 314*7c478bd9Sstevel@tonic-gate * Arguments: 315*7c478bd9Sstevel@tonic-gate * keyid_str- A byte string with the localkeyid to match 316*7c478bd9Sstevel@tonic-gate * keyid_len- Length of the keyid byte string. 317*7c478bd9Sstevel@tonic-gate * pkeys - Points to a stack of private keys which match the certs. 318*7c478bd9Sstevel@tonic-gate * This may be NULL, in which case no keys are returned. 319*7c478bd9Sstevel@tonic-gate * certs - Points to a stack of certs to search. If NULL, search the 320*7c478bd9Sstevel@tonic-gate * stack of keys instead. 321*7c478bd9Sstevel@tonic-gate * matching_pkey 322*7c478bd9Sstevel@tonic-gate * - Pointer to receive address of first matching pkey found. 323*7c478bd9Sstevel@tonic-gate * 'matching_pkey' must not be NULL; '*matching_pkey' will be 324*7c478bd9Sstevel@tonic-gate * reset. 325*7c478bd9Sstevel@tonic-gate * matching_cert 326*7c478bd9Sstevel@tonic-gate * - Pointer to receive address of first matching cert found. 327*7c478bd9Sstevel@tonic-gate * 'matching_cert' must not be NULL; '*matching_cert' will be 328*7c478bd9Sstevel@tonic-gate * reset. 329*7c478bd9Sstevel@tonic-gate * 330*7c478bd9Sstevel@tonic-gate * Returns: 331*7c478bd9Sstevel@tonic-gate * < 0 - An error returned. Call ERR_get_error() to get errors information. 332*7c478bd9Sstevel@tonic-gate * Where possible, memory has been freed. 333*7c478bd9Sstevel@tonic-gate * >= 0 - Objects were found and returned. Which objects are indicated by 334*7c478bd9Sstevel@tonic-gate * which bits are set (FOUND_PKEY and/or FOUND_CERT). 335*7c478bd9Sstevel@tonic-gate */ 336*7c478bd9Sstevel@tonic-gate int sunw_find_localkeyid(char *, int, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, 337*7c478bd9Sstevel@tonic-gate EVP_PKEY **, X509 **); 338*7c478bd9Sstevel@tonic-gate 339*7c478bd9Sstevel@tonic-gate 340*7c478bd9Sstevel@tonic-gate /* 341*7c478bd9Sstevel@tonic-gate * sunw_find_fname() searches stacks of certs and private keys for one with 342*7c478bd9Sstevel@tonic-gate * a matching friendlyname and returns the first matching cert/private 343*7c478bd9Sstevel@tonic-gate * key found. 344*7c478bd9Sstevel@tonic-gate * 345*7c478bd9Sstevel@tonic-gate * Look for a friendlyname in a stack of certs. if 'certs' is NULL and 'pkeys' 346*7c478bd9Sstevel@tonic-gate * is not NULL, search the list of private keys. Move the matching cert to 347*7c478bd9Sstevel@tonic-gate * 'matching_cert' and its matching private key to 'matching_pkey'. If no 348*7c478bd9Sstevel@tonic-gate * cert or keys match, no match occurred. 349*7c478bd9Sstevel@tonic-gate * 350*7c478bd9Sstevel@tonic-gate * Arguments: 351*7c478bd9Sstevel@tonic-gate * fname - Friendlyname to find (NULL-terminated ASCII string). 352*7c478bd9Sstevel@tonic-gate * pkeys - Points to a stack of private keys which match the certs. 353*7c478bd9Sstevel@tonic-gate * This may be NULL, in which case no keys are returned. 354*7c478bd9Sstevel@tonic-gate * certs - Points to a stack of certs to search. If NULL, search the 355*7c478bd9Sstevel@tonic-gate * stack of keys instead. 356*7c478bd9Sstevel@tonic-gate * matching_pkey 357*7c478bd9Sstevel@tonic-gate * - Pointer to receive address of first matching pkey found. 358*7c478bd9Sstevel@tonic-gate * matching_cert 359*7c478bd9Sstevel@tonic-gate * - Pointer to receive address of first matching cert found. 360*7c478bd9Sstevel@tonic-gate * 361*7c478bd9Sstevel@tonic-gate * Returns: 362*7c478bd9Sstevel@tonic-gate * < 0 - An error returned. Call ERR_get_error() to get errors information. 363*7c478bd9Sstevel@tonic-gate * Where possible, memory has been freed. 364*7c478bd9Sstevel@tonic-gate * >= 0 - Objects were found and returned. Which objects are indicated by 365*7c478bd9Sstevel@tonic-gate * which bits are set (FOUND_PKEY and/or FOUND_CERT). 366*7c478bd9Sstevel@tonic-gate */ 367*7c478bd9Sstevel@tonic-gate int sunw_find_fname(char *, STACK_OF(EVP_PKEY) *, STACK_OF(X509) *, EVP_PKEY **, 368*7c478bd9Sstevel@tonic-gate X509 **); 369*7c478bd9Sstevel@tonic-gate 370*7c478bd9Sstevel@tonic-gate 371*7c478bd9Sstevel@tonic-gate /* 372*7c478bd9Sstevel@tonic-gate * sunw_print_times() formats and prints cert times to the given file. 373*7c478bd9Sstevel@tonic-gate * 374*7c478bd9Sstevel@tonic-gate * The label is printed on one line. One or both dates are printed on 375*7c478bd9Sstevel@tonic-gate * the following line or two, each with it's own indented label in the 376*7c478bd9Sstevel@tonic-gate * format: 377*7c478bd9Sstevel@tonic-gate * 378*7c478bd9Sstevel@tonic-gate * label 379*7c478bd9Sstevel@tonic-gate * 'not before' date: whatever 380*7c478bd9Sstevel@tonic-gate * 'not after' date: whatever 381*7c478bd9Sstevel@tonic-gate * 382*7c478bd9Sstevel@tonic-gate * Arguments: 383*7c478bd9Sstevel@tonic-gate * fp - file pointer for file to write to. 384*7c478bd9Sstevel@tonic-gate * dowhat - what field(s) to print. 385*7c478bd9Sstevel@tonic-gate * label - Label to use. If NULL, no line will be printed. 386*7c478bd9Sstevel@tonic-gate * cert - Points to a client or CA cert to check 387*7c478bd9Sstevel@tonic-gate * 388*7c478bd9Sstevel@tonic-gate * Returns: 389*7c478bd9Sstevel@tonic-gate * < 0 - An error occured. 390*7c478bd9Sstevel@tonic-gate * >= 0 - Number of lines written. 391*7c478bd9Sstevel@tonic-gate */ 392*7c478bd9Sstevel@tonic-gate int sunw_print_times(FILE *, prnt_actions_t, char *, X509 *); 393*7c478bd9Sstevel@tonic-gate 394*7c478bd9Sstevel@tonic-gate 395*7c478bd9Sstevel@tonic-gate /* 396*7c478bd9Sstevel@tonic-gate * sunw_check_keys() compares the public key in the certificate and a 397*7c478bd9Sstevel@tonic-gate * private key to ensure that they match. 398*7c478bd9Sstevel@tonic-gate * 399*7c478bd9Sstevel@tonic-gate * Arguments: 400*7c478bd9Sstevel@tonic-gate * cert - Points to a certificate. 401*7c478bd9Sstevel@tonic-gate * pkey - Points to a private key. 402*7c478bd9Sstevel@tonic-gate * 403*7c478bd9Sstevel@tonic-gate * Returns: 404*7c478bd9Sstevel@tonic-gate * == 0 - These do not match. 405*7c478bd9Sstevel@tonic-gate * != 0 - The cert's public key and the private key match. 406*7c478bd9Sstevel@tonic-gate */ 407*7c478bd9Sstevel@tonic-gate int sunw_check_keys(X509 *, EVP_PKEY *); 408*7c478bd9Sstevel@tonic-gate 409*7c478bd9Sstevel@tonic-gate 410*7c478bd9Sstevel@tonic-gate /* 411*7c478bd9Sstevel@tonic-gate * sunw_issuer_attrs - Given a cert, return the issuer-specific attributes 412*7c478bd9Sstevel@tonic-gate * as one ASCII string. 413*7c478bd9Sstevel@tonic-gate * 414*7c478bd9Sstevel@tonic-gate * Arguments: 415*7c478bd9Sstevel@tonic-gate * cert - Cert to process 416*7c478bd9Sstevel@tonic-gate * buf - If non-NULL, buffer to receive string. If NULL, one will 417*7c478bd9Sstevel@tonic-gate * be allocated and its value will be returned to the caller. 418*7c478bd9Sstevel@tonic-gate * len - If 'buff' is non-null, the buffer's length. 419*7c478bd9Sstevel@tonic-gate * 420*7c478bd9Sstevel@tonic-gate * This returns an ASCII string with all issuer-related attributes in one 421*7c478bd9Sstevel@tonic-gate * string separated by '/' characters. Each attribute begins with its name 422*7c478bd9Sstevel@tonic-gate * and an equal sign. Two attributes (ATTR1 and Attr2) would have the 423*7c478bd9Sstevel@tonic-gate * following form: 424*7c478bd9Sstevel@tonic-gate * 425*7c478bd9Sstevel@tonic-gate * ATTR1=attr_value/ATTR2=attr2_value 426*7c478bd9Sstevel@tonic-gate * 427*7c478bd9Sstevel@tonic-gate * Returns: 428*7c478bd9Sstevel@tonic-gate * != NULL - Pointer to the ASCII string containing the issuer-related 429*7c478bd9Sstevel@tonic-gate * attributes. If the 'buf' argument was NULL, this is a 430*7c478bd9Sstevel@tonic-gate * dynamically-allocated buffer and the caller will have the 431*7c478bd9Sstevel@tonic-gate * responsibility for freeing it. 432*7c478bd9Sstevel@tonic-gate * NULL - Memory needed to be allocated but could not be. Errors 433*7c478bd9Sstevel@tonic-gate * are set on the error stack. 434*7c478bd9Sstevel@tonic-gate */ 435*7c478bd9Sstevel@tonic-gate char *sunw_issuer_attrs(X509 *cert, char *buf, int len); 436*7c478bd9Sstevel@tonic-gate 437*7c478bd9Sstevel@tonic-gate 438*7c478bd9Sstevel@tonic-gate /* 439*7c478bd9Sstevel@tonic-gate * sunw_subject_attrs - Given a cert, return the subject-specific attributes 440*7c478bd9Sstevel@tonic-gate * as one ASCII string. 441*7c478bd9Sstevel@tonic-gate * 442*7c478bd9Sstevel@tonic-gate * Arguments: 443*7c478bd9Sstevel@tonic-gate * cert - Cert to process 444*7c478bd9Sstevel@tonic-gate * buf - If non-NULL, buffer to receive string. If NULL, one will 445*7c478bd9Sstevel@tonic-gate * be allocated and its value will be returned to the caller. 446*7c478bd9Sstevel@tonic-gate * len - If 'buff' is non-null, the buffer's length. 447*7c478bd9Sstevel@tonic-gate * 448*7c478bd9Sstevel@tonic-gate * This returns an ASCII string with all subject-related attributes in one 449*7c478bd9Sstevel@tonic-gate * string separated by '/' characters. Each attribute begins with its name 450*7c478bd9Sstevel@tonic-gate * and an equal sign. Two attributes (ATTR1 and Attr2) would have the 451*7c478bd9Sstevel@tonic-gate * following form: 452*7c478bd9Sstevel@tonic-gate * 453*7c478bd9Sstevel@tonic-gate * ATTR1=attr_value/ATTR2=attr2_value 454*7c478bd9Sstevel@tonic-gate * 455*7c478bd9Sstevel@tonic-gate * Returns: 456*7c478bd9Sstevel@tonic-gate * != NULL - Pointer to the ASCII string containing the subject-related 457*7c478bd9Sstevel@tonic-gate * attributes. If the 'buf' argument was NULL, this is a 458*7c478bd9Sstevel@tonic-gate * dynamically-allocated buffer and the caller will have the 459*7c478bd9Sstevel@tonic-gate * responsibility for freeing it. 460*7c478bd9Sstevel@tonic-gate * NULL - Memory needed to be allocated but could not be. Errors 461*7c478bd9Sstevel@tonic-gate * are set on the error stack. 462*7c478bd9Sstevel@tonic-gate */ 463*7c478bd9Sstevel@tonic-gate char *sunw_subject_attrs(X509 *cert, char *buf, int len); 464*7c478bd9Sstevel@tonic-gate 465*7c478bd9Sstevel@tonic-gate /* 466*7c478bd9Sstevel@tonic-gate * sunw_append_keys - Given two stacks of private keys, remove the keys from 467*7c478bd9Sstevel@tonic-gate * the second stack and append them to the first. Both stacks must exist 468*7c478bd9Sstevel@tonic-gate * at time of call. 469*7c478bd9Sstevel@tonic-gate * 470*7c478bd9Sstevel@tonic-gate * Arguments: 471*7c478bd9Sstevel@tonic-gate * dst - the stack to receive the keys from 'src' 472*7c478bd9Sstevel@tonic-gate * src - the stack whose keys are to be moved. 473*7c478bd9Sstevel@tonic-gate * 474*7c478bd9Sstevel@tonic-gate * Returns: 475*7c478bd9Sstevel@tonic-gate * -1 - An error occurred. The error status is set. 476*7c478bd9Sstevel@tonic-gate * >= 0 - The number of keys that were copied. 477*7c478bd9Sstevel@tonic-gate */ 478*7c478bd9Sstevel@tonic-gate int sunw_append_keys(STACK_OF(EVP_PKEY) *, STACK_OF(EVP_PKEY) *); 479*7c478bd9Sstevel@tonic-gate 480*7c478bd9Sstevel@tonic-gate 481*7c478bd9Sstevel@tonic-gate #ifdef __cplusplus 482*7c478bd9Sstevel@tonic-gate } 483*7c478bd9Sstevel@tonic-gate #endif 484*7c478bd9Sstevel@tonic-gate 485*7c478bd9Sstevel@tonic-gate #endif /* _P12AUX_H */ 486