1 /* 2 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 /* 6 * Copyright (c) 1995-1999 Intel Corporation. All rights reserved. 7 */ 8 9 #pragma ident "%Z%%M% %I% %E% SMI" 10 11 #include <strings.h> 12 #include <kmftypes.h> 13 #include <ber_der.h> 14 #include <kmfapi.h> 15 #include <kmfapiP.h> 16 17 #include <stdio.h> 18 19 #define DSA_RAW_SIG_LEN 40 20 21 static uint8_t OID_ExtensionRequest[] = { OID_PKCS_9, 14 }; 22 const KMF_OID extension_request_oid = {OID_PKCS_9_LENGTH + 1, 23 OID_ExtensionRequest}; 24 25 static KMF_RETURN 26 encode_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid) 27 { 28 KMF_RETURN ret = KMF_OK; 29 30 if (kmfber_printf(asn1, "{D", &algoid->algorithm) == -1) { 31 ret = KMF_ERR_BAD_CERT_FORMAT; 32 } 33 if (algoid->parameters.Data == NULL || 34 algoid->parameters.Length == 0) { 35 if (kmfber_printf(asn1, "n}") == -1) 36 return (KMF_ERR_BAD_CERT_FORMAT); 37 } else { 38 /* 39 * The algorithm data can be anything, so we just write it 40 * straight into the buffer. It is already DER encoded. 41 */ 42 (void) kmfber_write(asn1, (char *)algoid->parameters.Data, 43 algoid->parameters.Length, 0); 44 if (kmfber_printf(asn1, "}") == -1) { 45 ret = KMF_ERR_BAD_CERT_FORMAT; 46 } 47 } 48 49 return (ret); 50 } 51 52 static void 53 free_data(KMF_DATA *data) 54 { 55 if (data == NULL || data->Data == NULL) 56 return; 57 58 free(data->Data); 59 data->Data = NULL; 60 data->Length = 0; 61 } 62 63 static void 64 free_algoid(KMF_X509_ALGORITHM_IDENTIFIER *algoid) 65 { 66 free_data(&algoid->algorithm); 67 free_data(&algoid->parameters); 68 } 69 70 static void 71 free_decoded_spki(KMF_X509_SPKI *spki) 72 { 73 if (spki != NULL) { 74 free_algoid(&spki->algorithm); 75 free_data(&spki->subjectPublicKey); 76 } 77 } 78 79 static void 80 free_rdn_data(KMF_X509_NAME *name) 81 { 82 KMF_X509_RDN *newrdn = NULL; 83 KMF_X509_TYPE_VALUE_PAIR *av = NULL; 84 int i, j; 85 86 if (name && name->numberOfRDNs) { 87 for (i = 0; i < name->numberOfRDNs; i++) { 88 newrdn = &name->RelativeDistinguishedName[i]; 89 for (j = 0; j < newrdn->numberOfPairs; j++) { 90 av = &newrdn->AttributeTypeAndValue[j]; 91 free_data(&av->type); 92 free_data(&av->value); 93 } 94 free(newrdn->AttributeTypeAndValue); 95 } 96 free(name->RelativeDistinguishedName); 97 name->numberOfRDNs = 0; 98 name->RelativeDistinguishedName = NULL; 99 } 100 } 101 102 static void 103 free_validity(KMF_X509_VALIDITY *validity) 104 { 105 free_data(&validity->notBefore.time); 106 free_data(&validity->notAfter.time); 107 } 108 109 static void 110 free_one_extension(KMF_X509_EXTENSION *exptr) 111 { 112 free_data(&exptr->extnId); 113 free_data(&exptr->BERvalue); 114 115 if (exptr->value.tagAndValue) { 116 free_data(&exptr->value.tagAndValue->value); 117 free(exptr->value.tagAndValue); 118 } 119 } 120 121 static void 122 free_extensions(KMF_X509_EXTENSIONS *extns) 123 { 124 int i; 125 KMF_X509_EXTENSION *exptr; 126 127 if (extns && extns->numberOfExtensions > 0) { 128 for (i = 0; i < extns->numberOfExtensions; i++) { 129 exptr = &extns->extensions[i]; 130 free_one_extension(exptr); 131 } 132 free(extns->extensions); 133 extns->numberOfExtensions = 0; 134 extns->extensions = NULL; 135 } 136 } 137 138 static void 139 free_tbscsr(KMF_TBS_CSR *tbscsr) 140 { 141 if (tbscsr) { 142 free_data(&tbscsr->version); 143 144 free_rdn_data(&tbscsr->subject); 145 146 free_decoded_spki(&tbscsr->subjectPublicKeyInfo); 147 148 free_extensions(&tbscsr->extensions); 149 } 150 } 151 152 153 static void 154 free_bigint(KMF_BIGINT *bn) 155 { 156 if (bn != NULL && bn->val != NULL) { 157 free(bn->val); 158 bn->val = NULL; 159 bn->len = 0; 160 } 161 } 162 163 static void 164 free_tbscert(KMF_X509_TBS_CERT *tbscert) 165 { 166 if (tbscert) { 167 free_data(&tbscert->version); 168 free_bigint(&tbscert->serialNumber); 169 free_algoid(&tbscert->signature); 170 171 free_rdn_data(&tbscert->issuer); 172 free_rdn_data(&tbscert->subject); 173 174 free_validity(&tbscert->validity); 175 176 free_data(&tbscert->issuerUniqueIdentifier); 177 free_data(&tbscert->subjectUniqueIdentifier); 178 free_decoded_spki(&tbscert->subjectPublicKeyInfo); 179 free_extensions(&tbscert->extensions); 180 181 free_data(&tbscert->issuerUniqueIdentifier); 182 free_data(&tbscert->subjectUniqueIdentifier); 183 } 184 } 185 186 static void 187 free_decoded_cert(KMF_X509_CERTIFICATE *certptr) 188 { 189 if (!certptr) 190 return; 191 192 free_tbscert(&certptr->certificate); 193 194 free_algoid(&certptr->signature.algorithmIdentifier); 195 free_data(&certptr->signature.encrypted); 196 } 197 198 static KMF_RETURN 199 get_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid) 200 { 201 KMF_RETURN ret = KMF_OK; 202 ber_tag_t tag, newtag; 203 ber_len_t size; 204 BerValue AlgOID = {NULL, 0}; 205 206 tag = kmfber_next_element(asn1, &size, NULL); 207 if (tag != BER_CONSTRUCTED_SEQUENCE) 208 return (KMF_ERR_BAD_CERT_FORMAT); 209 210 if ((tag = kmfber_scanf(asn1, "{Dt", &AlgOID, &newtag)) == -1) { 211 return (KMF_ERR_BAD_CERT_FORMAT); 212 } 213 algoid->algorithm.Data = (uchar_t *)AlgOID.bv_val; 214 algoid->algorithm.Length = AlgOID.bv_len; 215 216 if (newtag == BER_NULL) { 217 (void) kmfber_scanf(asn1, "n}"); 218 algoid->parameters.Data = NULL; 219 algoid->parameters.Length = 0; 220 } else { 221 /* Peek at the tag and length bytes */ 222 if ((kmfber_scanf(asn1, "tl", &tag, &size)) == -1) { 223 ret = KMF_ERR_BAD_CERT_FORMAT; 224 goto cleanup; 225 } 226 227 /* 228 * We need to read the tag and the length bytes too, 229 * so adjust the size. 230 */ 231 size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size); 232 algoid->parameters.Data = malloc(size); 233 if (algoid->parameters.Data == NULL) { 234 ret = KMF_ERR_MEMORY; 235 goto cleanup; 236 } 237 /* read the raw data into the Algoritm params area. */ 238 if (kmfber_read(asn1, (char *)algoid->parameters.Data, 239 size) == -1) { 240 ret = KMF_ERR_BAD_CERT_FORMAT; 241 goto cleanup; 242 } 243 algoid->parameters.Length = size; 244 if ((tag = kmfber_scanf(asn1, "}")) == -1) { 245 ret = KMF_ERR_BAD_CERT_FORMAT; 246 } 247 } 248 cleanup: 249 if (ret != KMF_OK) { 250 free_algoid(algoid); 251 } 252 253 return (ret); 254 } 255 256 static KMF_RETURN 257 CopyData(KMF_DATA *src, KMF_DATA *dst) 258 { 259 if (src && dst && src->Data != NULL && src->Length > 0) { 260 dst->Length = src->Length; 261 dst->Data = malloc(sizeof (dst->Length)); 262 if (dst->Data == NULL) 263 return (KMF_ERR_MEMORY); 264 (void) memcpy(dst->Data, src->Data, src->Length); 265 } 266 return (KMF_OK); 267 } 268 269 static KMF_RETURN 270 encode_spki(BerElement *asn1, KMF_X509_SPKI *spki) 271 { 272 KMF_RETURN ret = KMF_OK; 273 274 if (kmfber_printf(asn1, "{") == -1) 275 return (KMF_ERR_BAD_CERT_FORMAT); 276 277 if ((ret = encode_algoid(asn1, &spki->algorithm)) != KMF_OK) 278 return (ret); 279 280 if (kmfber_printf(asn1, "B}", spki->subjectPublicKey.Data, 281 spki->subjectPublicKey.Length * 8) == -1) 282 return (KMF_ERR_BAD_CERT_FORMAT); 283 284 return (ret); 285 } 286 287 KMF_RETURN 288 DerEncodeSPKI(KMF_X509_SPKI *spki, KMF_DATA *EncodedSPKI) 289 { 290 KMF_RETURN ret = KMF_OK; 291 BerElement *asn1; 292 BerValue *result; 293 294 if (spki == NULL || EncodedSPKI == NULL) 295 return (KMF_ERR_BAD_PARAMETER); 296 297 if ((asn1 = kmfder_alloc()) == NULL) 298 return (KMF_ERR_MEMORY); 299 300 if ((ret = encode_spki(asn1, spki)) != KMF_OK) { 301 return (ret); 302 } 303 304 if (kmfber_flatten(asn1, &result) == -1) { 305 kmfber_free(asn1, 1); 306 return (KMF_ERR_ENCODING); 307 } 308 309 EncodedSPKI->Data = (uchar_t *)result->bv_val; 310 EncodedSPKI->Length = result->bv_len; 311 312 free(result); 313 kmfber_free(asn1, 1); 314 return (KMF_OK); 315 } 316 317 static KMF_RETURN 318 get_spki(BerElement *asn1, KMF_X509_SPKI *spki) 319 { 320 KMF_RETURN ret = KMF_OK; 321 char *bitstr = NULL; 322 ber_len_t size; 323 324 if (kmfber_scanf(asn1, "{") == -1) 325 return (KMF_ERR_BAD_CERT_FORMAT); 326 327 if ((ret = get_algoid(asn1, &spki->algorithm)) != KMF_OK) 328 return (ret); 329 330 if (kmfber_scanf(asn1, "B}", &bitstr, &size) == BER_BIT_STRING) { 331 spki->subjectPublicKey.Data = (uchar_t *)bitstr; 332 spki->subjectPublicKey.Length = size / 8; 333 } else { 334 ret = KMF_ERR_BAD_CERT_FORMAT; 335 goto cleanup; 336 } 337 cleanup: 338 if (ret != KMF_OK) { 339 if (bitstr != NULL) 340 free(bitstr); 341 spki->subjectPublicKey.Data = NULL; 342 spki->subjectPublicKey.Length = 0; 343 344 free_algoid(&spki->algorithm); 345 } 346 return (ret); 347 } 348 349 KMF_RETURN 350 DerEncodeDSASignature(KMF_DATA *rawdata, KMF_DATA *signature) 351 { 352 BerElement *asn1; 353 BerValue *buf; 354 int n; 355 356 if (rawdata == NULL || signature == NULL) 357 return (KMF_ERR_BAD_PARAMETER); 358 359 if (rawdata->Data == NULL || rawdata->Length != DSA_RAW_SIG_LEN) 360 return (KMF_ERR_BAD_PARAMETER); 361 362 asn1 = kmfder_alloc(); 363 if (asn1 == NULL) 364 return (KMF_ERR_MEMORY); 365 366 /* 367 * The DSA signature is the concatenation of 2 SHA-1 hashed 368 * bignum values. 369 */ 370 n = DSA_RAW_SIG_LEN/2; 371 if (kmfber_printf(asn1, "{II}", 372 rawdata->Data, n, 373 &rawdata->Data[n], n) == -1) { 374 kmfber_free(asn1, 1); 375 return (KMF_ERR_MEMORY); 376 } 377 378 if (kmfber_flatten(asn1, &buf) == -1) { 379 kmfber_free(asn1, 1); 380 return (KMF_ERR_ENCODING); 381 } 382 383 signature->Data = (uchar_t *)buf->bv_val; 384 signature->Length = buf->bv_len; 385 386 kmfber_free(asn1, 1); 387 free(buf); 388 389 return (KMF_OK); 390 } 391 392 KMF_RETURN 393 DerDecodeDSASignature(KMF_DATA *encoded, KMF_DATA *signature) 394 { 395 KMF_RETURN ret = KMF_OK; 396 BerElement *asn1 = NULL; 397 BerValue buf, *R = NULL, *S = NULL; 398 399 buf.bv_val = (char *)encoded->Data; 400 buf.bv_len = encoded->Length; 401 402 if (encoded == NULL || encoded->Data == NULL || 403 signature == NULL) 404 return (KMF_ERR_BAD_PARAMETER); 405 406 signature->Data = NULL; 407 signature->Length = 0; 408 409 if ((asn1 = kmfder_init(&buf)) == NULL) 410 return (KMF_ERR_MEMORY); 411 412 if (kmfber_scanf(asn1, "{II}", &R, &S) == -1) { 413 ret = KMF_ERR_BAD_PARAMETER; 414 goto cleanup; 415 } 416 signature->Length = R->bv_len + S->bv_len; 417 signature->Data = malloc(signature->Length); 418 if (signature->Data == NULL) { 419 ret = KMF_ERR_MEMORY; 420 goto cleanup; 421 } 422 (void) memcpy(signature->Data, R->bv_val, R->bv_len); 423 (void) memcpy(&signature->Data[R->bv_len], S->bv_val, S->bv_len); 424 425 cleanup: 426 if (R && R->bv_val) 427 free(R->bv_val); 428 if (S && S->bv_val) 429 free(S->bv_val); 430 431 if (S) free(S); 432 if (R) free(R); 433 434 if (asn1) kmfber_free(asn1, 1); 435 436 return (ret); 437 } 438 439 KMF_RETURN 440 DerDecodeSPKI(KMF_DATA *EncodedSPKI, KMF_X509_SPKI *spki) 441 { 442 KMF_RETURN ret = KMF_OK; 443 BerElement *asn1; 444 BerValue bv; 445 446 if (EncodedSPKI == NULL || EncodedSPKI->Data == NULL || 447 spki == NULL) 448 return (KMF_ERR_BAD_PARAMETER); 449 450 (void) memset(spki, 0, sizeof (KMF_X509_SPKI)); 451 452 bv.bv_val = (char *)EncodedSPKI->Data; 453 bv.bv_len = EncodedSPKI->Length; 454 455 if ((asn1 = kmfder_init(&bv)) == NULL) 456 return (KMF_ERR_MEMORY); 457 458 ret = get_spki(asn1, spki); 459 460 cleanup: 461 if (ret != KMF_OK) { 462 free_decoded_spki(spki); 463 } 464 kmfber_free(asn1, 1); 465 466 return (ret); 467 } 468 469 KMF_RETURN 470 CopySPKI(KMF_X509_SPKI *src, 471 KMF_X509_SPKI **dest) 472 { 473 KMF_RETURN ret = KMF_OK; 474 KMF_X509_SPKI *newspki; 475 476 *dest = NULL; 477 478 newspki = malloc(sizeof (KMF_X509_SPKI)); 479 if (newspki == NULL) 480 return (KMF_ERR_MEMORY); 481 (void) memset(newspki, 0, sizeof (KMF_X509_SPKI)); 482 483 ret = CopyData(&src->algorithm.algorithm, 484 &newspki->algorithm.algorithm); 485 if (ret != KMF_OK) 486 goto cleanup; 487 488 ret = CopyData(&src->algorithm.parameters, 489 &newspki->algorithm.parameters); 490 if (ret != KMF_OK) 491 goto cleanup; 492 493 ret = CopyData(&src->subjectPublicKey, 494 &newspki->subjectPublicKey); 495 if (ret != KMF_OK) 496 goto cleanup; 497 498 *dest = newspki; 499 cleanup: 500 if (ret != KMF_OK) { 501 if (newspki) 502 free_decoded_spki(newspki); 503 } 504 return (ret); 505 } 506 507 static KMF_RETURN 508 encode_validity(BerElement *asn1, KMF_X509_VALIDITY *validity) 509 { 510 int ret; 511 512 ret = kmfber_printf(asn1, "{tsts}", 513 validity->notBefore.timeType, 514 validity->notBefore.time.Data, 515 validity->notAfter.timeType, 516 validity->notAfter.time.Data); 517 518 if (ret == -1) 519 return (KMF_ERR_BAD_CERT_FORMAT); 520 521 return (KMF_OK); 522 } 523 524 static KMF_RETURN 525 get_validity(BerElement *asn1, KMF_X509_VALIDITY *validity) 526 { 527 KMF_RETURN ret = KMF_OK; 528 int tag; 529 int t1, t2; 530 ber_len_t size; 531 char *t1str, *t2str; 532 533 (void) memset(validity, 0, sizeof (KMF_X509_VALIDITY)); 534 535 tag = kmfber_next_element(asn1, &size, NULL); 536 if (tag != BER_CONSTRUCTED_SEQUENCE) { 537 return (KMF_ERR_BAD_CERT_FORMAT); 538 } 539 540 if (kmfber_scanf(asn1, "{tata}", &t1, &t1str, &t2, &t2str) == -1) { 541 return (KMF_ERR_BAD_CERT_FORMAT); 542 } 543 544 validity->notBefore.timeType = t1; 545 validity->notBefore.time.Data = (uchar_t *)t1str; 546 validity->notBefore.time.Length = strlen(t1str); 547 548 validity->notAfter.timeType = t2; 549 validity->notAfter.time.Data = (uchar_t *)t2str; 550 validity->notAfter.time.Length = strlen(t2str); 551 552 return (ret); 553 } 554 555 KMF_RETURN 556 AddRDN(KMF_X509_NAME *name, KMF_X509_RDN *newrdn) 557 { 558 KMF_RETURN ret = KMF_OK; 559 KMF_X509_RDN *rdnslot = NULL; 560 561 /* Add new RDN record to existing list */ 562 name->numberOfRDNs++; 563 name->RelativeDistinguishedName = 564 realloc(name->RelativeDistinguishedName, 565 name->numberOfRDNs * sizeof (KMF_X509_RDN)); 566 567 if (name->RelativeDistinguishedName == NULL) { 568 ret = KMF_ERR_MEMORY; 569 goto cleanup; 570 } 571 rdnslot = &name->RelativeDistinguishedName[name->numberOfRDNs-1]; 572 573 if (newrdn) { 574 (void) memcpy(rdnslot, newrdn, sizeof (KMF_X509_RDN)); 575 } else { 576 rdnslot->numberOfPairs = 0; 577 rdnslot->AttributeTypeAndValue = NULL; 578 } 579 580 cleanup: 581 /* No cleanup needed here */ 582 return (ret); 583 } 584 585 static KMF_RETURN 586 encode_rdn(BerElement *asn1, KMF_X509_NAME *name) 587 { 588 KMF_RETURN ret = KMF_OK; 589 KMF_X509_TYPE_VALUE_PAIR *attrtvpair = NULL; 590 int i; 591 KMF_X509_RDN *rdn; 592 593 if (kmfber_printf(asn1, "{") == -1) { 594 ret = KMF_ERR_MEMORY; 595 goto cleanup; 596 } 597 598 for (i = 0; i < name->numberOfRDNs; i++) { 599 if (kmfber_printf(asn1, "[") == -1) { 600 ret = KMF_ERR_MEMORY; 601 goto cleanup; 602 } 603 rdn = &name->RelativeDistinguishedName[i]; 604 attrtvpair = rdn->AttributeTypeAndValue; 605 606 if (rdn->numberOfPairs > 0) { 607 if (kmfber_printf(asn1, "{Dto}", 608 &attrtvpair->type, 609 attrtvpair->valueType, 610 attrtvpair->value.Data, 611 attrtvpair->value.Length) == -1) { 612 ret = KMF_ERR_MEMORY; 613 goto cleanup; 614 } 615 } 616 if (kmfber_printf(asn1, "]") == -1) { 617 ret = KMF_ERR_MEMORY; 618 goto cleanup; 619 } 620 } 621 622 if (kmfber_printf(asn1, "}") == -1) { 623 ret = KMF_ERR_MEMORY; 624 goto cleanup; 625 } 626 627 cleanup: 628 /* No cleanup needed here */ 629 630 return (ret); 631 } 632 633 634 KMF_RETURN 635 CopyRDN(KMF_X509_NAME *srcname, KMF_X509_NAME **destname) 636 { 637 KMF_RETURN ret = KMF_OK; 638 KMF_X509_NAME *newname = NULL; 639 KMF_X509_RDN *rdn, *dstrdn; 640 KMF_X509_TYPE_VALUE_PAIR *av = NULL; 641 KMF_X509_TYPE_VALUE_PAIR *srcav = NULL; 642 KMF_X509_TYPE_VALUE_PAIR *dstav = NULL; 643 int i, j; 644 645 newname = malloc(sizeof (KMF_X509_NAME)); 646 if (newname == NULL) 647 return (KMF_ERR_MEMORY); 648 (void) memset(newname, 0, sizeof (KMF_X509_NAME)); 649 650 newname->numberOfRDNs = srcname->numberOfRDNs; 651 newname->RelativeDistinguishedName = malloc(newname->numberOfRDNs * 652 sizeof (KMF_X509_RDN)); 653 if (newname->RelativeDistinguishedName == NULL) { 654 free(newname); 655 return (KMF_ERR_MEMORY); 656 } 657 /* Copy each RDN in the list */ 658 for (i = 0; i < newname->numberOfRDNs; i++) { 659 rdn = &srcname->RelativeDistinguishedName[i]; 660 661 dstrdn = &newname->RelativeDistinguishedName[i]; 662 (void) memset(dstrdn, 0, sizeof (KMF_X509_RDN)); 663 664 dstrdn->numberOfPairs = rdn->numberOfPairs; 665 if (dstrdn->numberOfPairs > 0) { 666 av = malloc(dstrdn->numberOfPairs * 667 sizeof (KMF_X509_TYPE_VALUE_PAIR)); 668 if (av == NULL) { 669 ret = KMF_ERR_MEMORY; 670 goto cleanup; 671 } 672 (void) memset(av, 0, dstrdn->numberOfPairs * 673 sizeof (KMF_X509_TYPE_VALUE_PAIR)); 674 675 dstrdn->AttributeTypeAndValue = av; 676 if (av == NULL) { 677 ret = KMF_ERR_MEMORY; 678 goto cleanup; 679 } 680 /* Copy each A/V pair in the list */ 681 for (j = 0; j < dstrdn->numberOfPairs; j++) { 682 srcav = &rdn->AttributeTypeAndValue[j]; 683 dstav = &dstrdn->AttributeTypeAndValue[j]; 684 if ((ret = CopyData(&srcav->type, 685 &dstav->type)) != KMF_OK) 686 goto cleanup; 687 dstav->valueType = srcav->valueType; 688 if ((ret = CopyData(&srcav->value, 689 &dstav->value)) != KMF_OK) 690 goto cleanup; 691 } 692 } else { 693 dstrdn->AttributeTypeAndValue = NULL; 694 } 695 } 696 *destname = newname; 697 698 cleanup: 699 if (ret != KMF_OK) { 700 if (newname) 701 free_rdn_data(newname); 702 703 free(newname); 704 *destname = NULL; 705 } 706 return (ret); 707 } 708 709 #define VALID_DIRECTORYSTRING_TAG(t) ( \ 710 (t == BER_UTF8_STRING) || \ 711 (t == BER_PRINTABLE_STRING) || \ 712 (t == BER_IA5STRING) || \ 713 (t == BER_T61STRING) || \ 714 (t == BER_BMP_STRING) || \ 715 (t == BER_UNIVERSAL_STRING)) 716 717 static KMF_RETURN 718 get_rdn(BerElement *asn1, KMF_X509_NAME *name) 719 { 720 KMF_RETURN ret = KMF_OK; 721 ber_len_t size; 722 char *end; 723 int tag; 724 BerValue AttrOID; 725 char *AttrValue = NULL; 726 KMF_X509_TYPE_VALUE_PAIR *newpair = NULL; 727 KMF_X509_RDN newrdn; 728 729 /* 730 * AttributeType ::= OBJECT IDENTIFIER 731 * AttributeValue ::= ANY 732 * 733 * AttributeTypeAndValue ::= SEQUENCE { 734 * type AttributeType, 735 * value AttributeValue } 736 * 737 * Name ::= CHOICE { -- only one possibility for now -- 738 * rdnSequence RDNSequence } 739 * 740 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName 741 * 742 * DistinguishedName ::= RDNSequence 743 * 744 * RelativeDistinguishedName ::= 745 * SET SIZE (1 .. MAX) OF AttributeTypeAndValue 746 * 747 */ 748 749 name->numberOfRDNs = 0; 750 name->RelativeDistinguishedName = NULL; 751 752 /* Get the beginning of the RDN Set and a ptr to the end */ 753 tag = kmfber_first_element(asn1, &size, &end); 754 if (tag != BER_CONSTRUCTED_SET) { 755 ret = KMF_ERR_BAD_CERT_FORMAT; 756 goto cleanup; 757 } 758 759 /* Walk through the individual SET items until the "end" is reached */ 760 while ((tag = kmfber_next_element(asn1, &size, end)) == 761 BER_CONSTRUCTED_SET) { 762 /* Skip over the SET tag */ 763 if (kmfber_scanf(asn1, "T", &tag) == -1) { 764 ret = KMF_ERR_BAD_CERT_FORMAT; 765 break; 766 } 767 768 /* An "empty" set member means we tack on an empty node */ 769 if (size == 0) { 770 if ((ret = AddRDN(name, NULL)) != KMF_OK) 771 goto cleanup; 772 continue; 773 } 774 775 /* Attr OID and peek at the next tag and field length */ 776 if (kmfber_scanf(asn1, "{Dtl", &AttrOID, &tag, &size) == -1) { 777 ret = KMF_ERR_BAD_CERT_FORMAT; 778 break; 779 } 780 781 if (!(VALID_DIRECTORYSTRING_TAG(tag))) { 782 ret = KMF_ERR_BAD_CERT_FORMAT; 783 break; 784 } 785 786 if (kmfber_scanf(asn1, "a}]", &AttrValue) == -1) { 787 ret = KMF_ERR_BAD_CERT_FORMAT; 788 break; 789 } 790 791 /* Allocate a new name/value pair record */ 792 newpair = malloc(sizeof (KMF_X509_TYPE_VALUE_PAIR)); 793 if (newpair == NULL) { 794 ret = KMF_ERR_MEMORY; 795 break; 796 } 797 (void) memset(newpair, 0, sizeof (KMF_X509_TYPE_VALUE_PAIR)); 798 newpair->type.Data = (uchar_t *)AttrOID.bv_val; 799 newpair->type.Length = AttrOID.bv_len; 800 newpair->valueType = tag; /* what kind of string is it? */ 801 newpair->value.Data = (uchar_t *)AttrValue; 802 newpair->value.Length = strlen(AttrValue); 803 804 (void) memset(&newrdn, 0, sizeof (KMF_X509_RDN)); 805 newrdn.numberOfPairs = 1; 806 newrdn.AttributeTypeAndValue = newpair; 807 808 if ((ret = AddRDN(name, &newrdn)) != KMF_OK) 809 break; 810 } 811 812 cleanup: 813 if (ret != KMF_OK) { 814 free_rdn_data(name); 815 } 816 return (ret); 817 } 818 819 static KMF_RETURN 820 set_der_integer(KMF_DATA *data, int value) 821 { 822 if (data == NULL) 823 return (KMF_ERR_BAD_PARAMETER); 824 825 data->Data = malloc(sizeof (int)); 826 if (data->Data == NULL) 827 return (KMF_ERR_MEMORY); 828 829 data->Length = sizeof (int); 830 (void) memcpy((void *)data->Data, (const void *)&value, sizeof (int)); 831 832 return (KMF_OK); 833 } 834 835 static KMF_RETURN 836 set_bigint(KMF_BIGINT *data, KMF_BIGINT *bigint) 837 { 838 if (data == NULL || bigint == NULL) 839 return (KMF_ERR_BAD_PARAMETER); 840 841 data->val = malloc(bigint->len); 842 if (data->val == NULL) 843 return (KMF_ERR_MEMORY); 844 845 data->len = bigint->len; 846 (void) memcpy((void *)data->val, (const void *)bigint->val, 847 bigint->len); 848 849 return (KMF_OK); 850 } 851 852 static KMF_RETURN 853 encode_uniqueid(BerElement *asn1, int tag, KMF_DATA *id) 854 { 855 KMF_RETURN ret = KMF_OK; 856 uint32_t len; 857 858 len = kmfber_calc_taglen(BER_BIT_STRING) + 859 kmfber_calc_lenlen(id->Length * 8) + id->Length; 860 if (kmfber_printf(asn1, "TlB", tag, len, 861 id->Data, id->Length * 8) == -1) 862 return (KMF_ERR_BAD_CERT_FORMAT); 863 864 return (ret); 865 } 866 867 static KMF_RETURN 868 encode_extension_list(BerElement *asn1, KMF_X509_EXTENSIONS *extns) 869 { 870 KMF_RETURN ret = KMF_OK; 871 int i; 872 873 for (i = 0; i < extns->numberOfExtensions; i++) { 874 BerValue v; 875 v.bv_val = (char *)extns->extensions[i].extnId.Data; 876 v.bv_len = extns->extensions[i].extnId.Length; 877 878 if (kmfber_printf(asn1, "{D", &v) == -1) { 879 ret = KMF_ERR_ENCODING; 880 goto cleanup; 881 } 882 883 if (extns->extensions[i].critical) { 884 if (kmfber_printf(asn1, "b", 885 extns->extensions[i].critical) == -1) { 886 ret = KMF_ERR_ENCODING; 887 goto cleanup; 888 } 889 } 890 891 if (kmfber_printf(asn1, "o}", 892 extns->extensions[i].BERvalue.Data, 893 extns->extensions[i].BERvalue.Length) == -1) { 894 ret = KMF_ERR_ENCODING; 895 goto cleanup; 896 } 897 } 898 cleanup: 899 return (ret); 900 } 901 902 static KMF_RETURN 903 encode_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns) 904 { 905 KMF_RETURN ret = KMF_OK; 906 BerElement *extn = NULL; 907 BerValue *extnvalue = NULL; 908 909 extn = kmfder_alloc(); 910 if (extn == NULL) 911 return (KMF_ERR_MEMORY); 912 913 if (kmfber_printf(extn, "{") == -1) { 914 ret = KMF_ERR_ENCODING; 915 goto cleanup; 916 } 917 918 ret = encode_extension_list(extn, extns); 919 920 if (kmfber_printf(extn, "}") == -1) { 921 ret = KMF_ERR_ENCODING; 922 goto cleanup; 923 } 924 925 if (kmfber_flatten(extn, &extnvalue) == -1) { 926 ret = KMF_ERR_MEMORY; 927 goto cleanup; 928 } 929 930 if (kmfber_printf(asn1, "Tl", 0xA3, extnvalue->bv_len) == -1) { 931 ret = KMF_ERR_BAD_CERT_FORMAT; 932 goto cleanup; 933 } 934 935 if (kmfber_write(asn1, extnvalue->bv_val, extnvalue->bv_len, 0) == -1) { 936 ret = KMF_ERR_BAD_CERT_FORMAT; 937 goto cleanup; 938 } 939 940 cleanup: 941 kmfber_free(extn, 1); 942 if (extnvalue != NULL) 943 kmfber_bvfree(extnvalue); 944 945 return (ret); 946 } 947 948 static KMF_RETURN 949 get_one_extension(BerElement *asn1, KMF_X509_EXTENSION **retex, char *end) 950 { 951 KMF_RETURN ret = KMF_OK; 952 ber_len_t size; 953 int critical, tag; 954 KMF_X509_EXTENSION *ex = NULL; 955 BerValue extOID; 956 BerValue extValue; 957 BerElement *extnber = NULL; 958 959 if (kmfber_scanf(asn1, "T", &tag) == -1) { 960 ret = KMF_ERR_BAD_CERT_FORMAT; 961 goto cleanup; 962 } 963 964 tag = kmfber_next_element(asn1, &size, end); 965 if (tag != BER_OBJECT_IDENTIFIER) { 966 ret = KMF_ERR_BAD_CERT_FORMAT; 967 goto cleanup; 968 } 969 if (kmfber_scanf(asn1, "D", &extOID) == -1) { 970 ret = KMF_ERR_BAD_CERT_FORMAT; 971 goto cleanup; 972 } 973 974 tag = kmfber_next_element(asn1, &size, end); 975 if (tag != BER_BOOLEAN) { 976 critical = 0; 977 if (tag != BER_OCTET_STRING) 978 goto cleanup; 979 } else { 980 if (kmfber_scanf(asn1, "b", &critical) == -1) 981 goto cleanup; 982 } 983 984 tag = kmfber_next_element(asn1, &size, end); 985 if (tag != BER_OCTET_STRING) { 986 ret = KMF_ERR_BAD_CERT_FORMAT; 987 goto cleanup; 988 } 989 if (kmfber_scanf(asn1, "o", &extValue) == -1) { 990 ret = KMF_ERR_BAD_CERT_FORMAT; 991 goto cleanup; 992 } 993 994 /* allocate a new Extension record */ 995 ex = malloc(sizeof (KMF_X509_EXTENSION)); 996 if (ex == NULL) { 997 ret = KMF_ERR_MEMORY; 998 goto cleanup; 999 } 1000 (void) memset(ex, 0, sizeof (ex)); 1001 1002 ex->extnId.Data = (uchar_t *)extOID.bv_val; 1003 ex->extnId.Length = extOID.bv_len; 1004 ex->critical = critical; 1005 ex->format = KMF_X509_DATAFORMAT_ENCODED; 1006 ex->BERvalue.Data = (uchar_t *)extValue.bv_val; 1007 ex->BERvalue.Length = extValue.bv_len; 1008 1009 /* Tag and value is a little tricky */ 1010 ex->value.tagAndValue = malloc(sizeof (KMF_X509EXT_TAGandVALUE)); 1011 if (ex->value.tagAndValue == NULL) { 1012 ret = KMF_ERR_MEMORY; 1013 goto cleanup; 1014 } 1015 (void) memset(ex->value.tagAndValue, 0, 1016 sizeof (KMF_X509EXT_TAGandVALUE)); 1017 1018 /* Parse the Extension value field */ 1019 extnber = kmfder_init(&extValue); 1020 if (extnber == NULL) { 1021 ret = KMF_ERR_MEMORY; 1022 goto cleanup; 1023 } 1024 1025 /* Get the tag and length of the extension field */ 1026 if (kmfber_scanf(extnber, "tl", &tag, &size) == -1) { 1027 ret = KMF_ERR_BAD_CERT_FORMAT; 1028 goto cleanup; 1029 } 1030 1031 if (kmfber_scanf(extnber, "T", &tag) == -1) { 1032 ret = KMF_ERR_BAD_CERT_FORMAT; 1033 goto cleanup; 1034 } 1035 1036 ex->value.tagAndValue->value.Data = malloc(size); 1037 ex->value.tagAndValue->value.Length = size; 1038 size = kmfber_read(extnber, 1039 (char *)ex->value.tagAndValue->value.Data, size); 1040 if (size != ex->value.tagAndValue->value.Length) { 1041 ret = KMF_ERR_BAD_CERT_FORMAT; 1042 goto cleanup; 1043 } 1044 kmfber_free(extnber, 1); 1045 ex->value.tagAndValue->type = tag; 1046 1047 *retex = ex; 1048 cleanup: 1049 if (ret != KMF_OK) { 1050 if (ex != NULL) 1051 free_one_extension(ex); 1052 } 1053 1054 return (ret); 1055 } 1056 1057 static KMF_RETURN 1058 get_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns) 1059 { 1060 KMF_RETURN ret = KMF_OK; 1061 ber_len_t size; 1062 char *end = NULL; 1063 KMF_X509_EXTENSION *ex = NULL; 1064 1065 /* 1066 * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension 1067 * 1068 * Extension ::= SEQUENCE { 1069 * extnID OBJECT IDENTIFIER, 1070 * critical BOOLEAN DEFAULT FALSE, 1071 * extnValue OCTET STRING } 1072 * 1073 * { {{D}Bo}, ... } 1074 */ 1075 if (kmfber_first_element(asn1, &size, &end) != 1076 BER_CONSTRUCTED_SEQUENCE) 1077 return (KMF_ERR_BAD_CERT_FORMAT); 1078 1079 while (kmfber_next_element(asn1, &size, end) == 1080 BER_CONSTRUCTED_SEQUENCE) { 1081 ret = get_one_extension(asn1, &ex, end); 1082 if (ret != KMF_OK) 1083 goto cleanup; 1084 1085 extns->numberOfExtensions++; 1086 extns->extensions = realloc(extns->extensions, 1087 extns->numberOfExtensions * 1088 sizeof (KMF_X509_EXTENSION)); 1089 if (extns->extensions == NULL) { 1090 ret = KMF_ERR_MEMORY; 1091 break; 1092 } 1093 1094 extns->extensions[extns->numberOfExtensions-1] = *ex; 1095 free(ex); 1096 } 1097 1098 cleanup: 1099 if (ret != KMF_OK) 1100 free_extensions(extns); 1101 1102 return (ret); 1103 } 1104 1105 KMF_RETURN 1106 decode_tbscert_data(BerElement *asn1, 1107 KMF_X509_TBS_CERT **signed_cert_ptr_ptr) 1108 { 1109 KMF_RETURN ret = KMF_OK; 1110 KMF_X509_TBS_CERT *tbscert = NULL; 1111 int tag, version; 1112 struct berval *bvserno = NULL; 1113 KMF_BIGINT serno; 1114 1115 if (kmfber_scanf(asn1, "{t", &tag) == -1) { 1116 ret = KMF_ERR_BAD_CERT_FORMAT; 1117 goto cleanup; 1118 } 1119 1120 /* Version number is optional */ 1121 if (tag == 0xA0) { 1122 if (kmfber_scanf(asn1, "Ti", &tag, &version) == -1) { 1123 ret = KMF_ERR_BAD_CERT_FORMAT; 1124 goto cleanup; 1125 } 1126 } else { 1127 version = 0; /* DEFAULT v1 (0) */ 1128 } 1129 1130 /* Now get the serial number, it is not optional */ 1131 if (kmfber_scanf(asn1, "I", &bvserno) == -1) { 1132 ret = KMF_ERR_BAD_CERT_FORMAT; 1133 goto cleanup; 1134 } else { 1135 serno.val = (uchar_t *)bvserno->bv_val; 1136 serno.len = bvserno->bv_len; 1137 } 1138 1139 tbscert = malloc(sizeof (KMF_X509_TBS_CERT)); 1140 if (!tbscert) { 1141 ret = KMF_ERR_MEMORY; 1142 goto cleanup; 1143 } 1144 1145 (void) memset(tbscert, 0, sizeof (KMF_X509_TBS_CERT)); 1146 1147 if ((ret = set_der_integer(&tbscert->version, version)) != KMF_OK) 1148 goto cleanup; 1149 1150 if ((ret = set_bigint(&tbscert->serialNumber, &serno)) != KMF_OK) 1151 goto cleanup; 1152 1153 if ((ret = get_algoid(asn1, &tbscert->signature)) != KMF_OK) 1154 goto cleanup; 1155 1156 if ((ret = get_rdn(asn1, &tbscert->issuer)) != KMF_OK) 1157 goto cleanup; 1158 1159 if ((ret = get_validity(asn1, &tbscert->validity)) != KMF_OK) 1160 goto cleanup; 1161 1162 if ((ret = get_rdn(asn1, &tbscert->subject)) != KMF_OK) 1163 goto cleanup; 1164 1165 if ((ret = get_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK) 1166 goto cleanup; 1167 1168 /* Check for the optional fields */ 1169 tbscert->extensions.numberOfExtensions = 0; 1170 tbscert->extensions.extensions = NULL; 1171 1172 while ((kmfber_scanf(asn1, "t", &tag)) != -1 && 1173 (tag == 0xA1 || tag == 0xA2 || tag == 0xA3)) { 1174 char *optfield; 1175 ber_len_t len; 1176 1177 /* consume the tag and length */ 1178 (void) kmfber_scanf(asn1, "T", &tag); 1179 switch (tag) { 1180 case 0xA1: 1181 if (kmfber_scanf(asn1, "B", &optfield, &len) != 1182 BER_BIT_STRING) { 1183 ret = KMF_ERR_BAD_CERT_FORMAT; 1184 goto cleanup; 1185 } 1186 tbscert->issuerUniqueIdentifier.Data = 1187 (uchar_t *)optfield; 1188 tbscert->issuerUniqueIdentifier.Length = 1189 len / 8; 1190 break; 1191 case 0xA2: 1192 if (kmfber_scanf(asn1, "B", &optfield, &len) != 1193 BER_BIT_STRING) { 1194 ret = KMF_ERR_BAD_CERT_FORMAT; 1195 goto cleanup; 1196 } 1197 tbscert->subjectUniqueIdentifier.Data = 1198 (uchar_t *)optfield; 1199 tbscert->subjectUniqueIdentifier.Length = 1200 len / 8; 1201 break; 1202 case 0xA3: 1203 ret = get_extensions(asn1, &tbscert->extensions); 1204 break; 1205 } 1206 } 1207 1208 *signed_cert_ptr_ptr = tbscert; 1209 1210 cleanup: 1211 if (bvserno != NULL) { 1212 free(bvserno->bv_val); 1213 free(bvserno); 1214 } 1215 if (ret != KMF_OK) { 1216 if (tbscert) { 1217 free_tbscert(tbscert); 1218 free(tbscert); 1219 } 1220 *signed_cert_ptr_ptr = NULL; 1221 } 1222 return (ret); 1223 } 1224 1225 KMF_RETURN 1226 DerDecodeTbsCertificate(const KMF_DATA *Value, 1227 KMF_X509_TBS_CERT **tbscert) 1228 { 1229 KMF_RETURN ret = KMF_OK; 1230 BerElement *asn1 = NULL; 1231 BerValue rawcert; 1232 KMF_X509_TBS_CERT *newcert = NULL; 1233 1234 if (!tbscert || !Value || !Value->Data || !Value->Length) 1235 return (KMF_ERR_BAD_PARAMETER); 1236 1237 rawcert.bv_val = (char *)Value->Data; 1238 rawcert.bv_len = Value->Length; 1239 1240 if ((asn1 = kmfder_init(&rawcert)) == NULL) 1241 return (KMF_ERR_MEMORY); 1242 1243 ret = decode_tbscert_data(asn1, &newcert); 1244 if (ret != KMF_OK) 1245 goto cleanup; 1246 1247 *tbscert = newcert; 1248 1249 cleanup: 1250 if (ret != KMF_OK) { 1251 if (newcert) 1252 free_tbscert(newcert); 1253 *tbscert = NULL; 1254 } 1255 kmfber_free(asn1, 1); 1256 1257 return (ret); 1258 } 1259 1260 /* 1261 * Name: DerDecodeSignedCertificate 1262 * 1263 * Description: 1264 * DER decodes the encoded X509 certificate 1265 * 1266 * Parameters: 1267 * Value (input): DER encoded object that shd be decoded 1268 * 1269 * signed_cert_ptr_ptr (output) : Decoded KMF_X509_CERTIFICATE object 1270 */ 1271 KMF_RETURN 1272 DerDecodeSignedCertificate(const KMF_DATA *Value, 1273 KMF_X509_CERTIFICATE **signed_cert_ptr_ptr) 1274 { 1275 KMF_RETURN ret = KMF_OK; 1276 BerElement *asn1 = NULL; 1277 BerValue rawcert; 1278 ber_tag_t tag; 1279 ber_len_t size; 1280 char *end = NULL; 1281 char *signature; 1282 KMF_X509_TBS_CERT *tbscert = NULL; 1283 KMF_X509_CERTIFICATE *certptr = NULL; 1284 1285 if (!signed_cert_ptr_ptr || !Value || !Value->Data || !Value->Length) 1286 return (KMF_ERR_BAD_PARAMETER); 1287 1288 rawcert.bv_val = (char *)Value->Data; 1289 rawcert.bv_len = Value->Length; 1290 1291 if ((asn1 = kmfder_init(&rawcert)) == NULL) 1292 return (KMF_ERR_MEMORY); 1293 1294 if (kmfber_first_element(asn1, &size, &end) != 1295 BER_CONSTRUCTED_SEQUENCE) { 1296 ret = KMF_ERR_BAD_CERT_FORMAT; 1297 goto cleanup; 1298 } 1299 1300 certptr = malloc(sizeof (KMF_X509_CERTIFICATE)); 1301 if (certptr == NULL) { 1302 ret = KMF_ERR_MEMORY; 1303 goto cleanup; 1304 } 1305 (void) memset(certptr, 0, sizeof (KMF_X509_CERTIFICATE)); 1306 1307 ret = decode_tbscert_data(asn1, &tbscert); 1308 if (ret != KMF_OK) 1309 goto cleanup; 1310 1311 certptr->certificate = *tbscert; 1312 free(tbscert); 1313 tbscert = NULL; 1314 1315 /* 1316 * The signature data my not be present yet. 1317 */ 1318 if ((ret = get_algoid(asn1, 1319 &certptr->signature.algorithmIdentifier)) == KMF_OK) { 1320 1321 /* Check to see if the cert has a signature yet */ 1322 if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) { 1323 /* Finally, get the encrypted signature BITSTRING */ 1324 if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) { 1325 ret = KMF_ERR_BAD_CERT_FORMAT; 1326 goto cleanup; 1327 } 1328 if (tag != BER_BIT_STRING) { 1329 ret = KMF_ERR_BAD_CERT_FORMAT; 1330 goto cleanup; 1331 } 1332 if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) { 1333 ret = KMF_ERR_BAD_CERT_FORMAT; 1334 goto cleanup; 1335 } 1336 certptr->signature.encrypted.Data = 1337 (uchar_t *)signature; 1338 certptr->signature.encrypted.Length = size / 8; 1339 } else { 1340 certptr->signature.encrypted.Data = NULL; 1341 certptr->signature.encrypted.Length = 0; 1342 } 1343 } else { 1344 (void) memset(&certptr->signature, 0, 1345 sizeof (certptr->signature)); 1346 ret = KMF_OK; 1347 } 1348 1349 *signed_cert_ptr_ptr = certptr; 1350 cleanup: 1351 if (ret != KMF_OK) { 1352 if (certptr) { 1353 free_decoded_cert(certptr); 1354 free(certptr); 1355 } 1356 1357 *signed_cert_ptr_ptr = NULL; 1358 } 1359 if (asn1) 1360 kmfber_free(asn1, 1); 1361 1362 return (ret); 1363 1364 } 1365 1366 KMF_RETURN 1367 DerDecodeExtension(KMF_DATA *Data, KMF_X509_EXTENSION **extn) 1368 { 1369 KMF_RETURN ret = KMF_OK; 1370 BerElement *asn1 = NULL; 1371 BerValue bv; 1372 1373 bv.bv_val = (char *)Data->Data; 1374 bv.bv_len = Data->Length; 1375 1376 asn1 = kmfder_init(&bv); 1377 if (asn1 == NULL) 1378 return (KMF_ERR_MEMORY); 1379 1380 ret = get_one_extension(asn1, extn, NULL); 1381 1382 cleanup: 1383 if (ret != KMF_OK) { 1384 if (*extn != NULL) { 1385 free(*extn); 1386 } 1387 *extn = NULL; 1388 } 1389 1390 kmfber_free(asn1, 1); 1391 return (ret); 1392 } 1393 1394 KMF_RETURN 1395 DerDecodeName(KMF_DATA *encodedname, KMF_X509_NAME *name) 1396 { 1397 KMF_RETURN ret = KMF_OK; 1398 BerElement *asn1 = NULL; 1399 BerValue bv; 1400 1401 bv.bv_val = (char *)encodedname->Data; 1402 bv.bv_len = encodedname->Length; 1403 1404 asn1 = kmfder_init(&bv); 1405 if (asn1 == NULL) 1406 return (KMF_ERR_MEMORY); 1407 1408 (void) memset((void *)name, 0, sizeof (KMF_X509_NAME)); 1409 1410 if ((ret = get_rdn(asn1, name)) != KMF_OK) 1411 goto cleanup; 1412 1413 cleanup: 1414 if (asn1) 1415 kmfber_free(asn1, 1); 1416 return (ret); 1417 } 1418 1419 KMF_RETURN 1420 DerEncodeName(KMF_X509_NAME *name, KMF_DATA *encodedname) 1421 { 1422 KMF_RETURN ret = KMF_OK; 1423 BerElement *asn1 = NULL; 1424 BerValue *bv = NULL; 1425 1426 asn1 = kmfder_alloc(); 1427 if (asn1 == NULL) 1428 return (KMF_ERR_MEMORY); 1429 1430 if ((ret = encode_rdn(asn1, name)) != KMF_OK) 1431 goto cleanup; 1432 1433 if (kmfber_flatten(asn1, &bv) == -1) { 1434 ret = KMF_ERR_BAD_CERT_FORMAT; 1435 goto cleanup; 1436 } 1437 1438 encodedname->Data = (uchar_t *)bv->bv_val; 1439 encodedname->Length = bv->bv_len; 1440 1441 cleanup: 1442 if (bv) 1443 free(bv); 1444 1445 if (asn1) 1446 kmfber_free(asn1, 1); 1447 1448 return (ret); 1449 } 1450 1451 static KMF_RETURN 1452 encode_tbs_cert(BerElement *asn1, KMF_X509_TBS_CERT *tbscert) 1453 { 1454 KMF_RETURN ret = KMF_OK; 1455 uint32_t version; 1456 1457 /* version should be 4 bytes or less */ 1458 if (tbscert->version.Length > sizeof (int)) 1459 return (KMF_ERR_BAD_CERT_FORMAT); 1460 1461 (void) memcpy(&version, tbscert->version.Data, 1462 tbscert->version.Length); 1463 1464 /* Start the sequence and add the version */ 1465 if (kmfber_printf(asn1, "{Tli", 0xA0, 3, version) == -1) { 1466 ret = KMF_ERR_BAD_CERT_FORMAT; 1467 goto cleanup; 1468 } 1469 /* Write the serial number */ 1470 if (kmfber_printf(asn1, "I", 1471 (char *)tbscert->serialNumber.val, 1472 (size_t)tbscert->serialNumber.len) == -1) { 1473 ret = KMF_ERR_BAD_CERT_FORMAT; 1474 goto cleanup; 1475 } 1476 1477 if ((ret = encode_algoid(asn1, &tbscert->signature)) != KMF_OK) 1478 goto cleanup; 1479 1480 /* Encode the Issuer RDN */ 1481 if ((ret = encode_rdn(asn1, &tbscert->issuer)) != KMF_OK) 1482 goto cleanup; 1483 1484 /* Encode the Validity fields */ 1485 if ((ret = encode_validity(asn1, &tbscert->validity)) != KMF_OK) 1486 goto cleanup; 1487 1488 /* Encode the Subject RDN */ 1489 if ((ret = encode_rdn(asn1, &tbscert->subject)) != KMF_OK) 1490 goto cleanup; 1491 1492 /* Encode the Subject Public Key Info */ 1493 if ((ret = encode_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK) 1494 goto cleanup; 1495 1496 /* Optional field: issuer Unique ID */ 1497 if (tbscert->issuerUniqueIdentifier.Length > 0) { 1498 if ((ret = encode_uniqueid(asn1, 0xA1, 1499 &tbscert->issuerUniqueIdentifier)) != KMF_OK) 1500 goto cleanup; 1501 } 1502 1503 /* Optional field: Subject Unique ID */ 1504 if (tbscert->subjectUniqueIdentifier.Length > 0) { 1505 if ((ret = encode_uniqueid(asn1, 0xA2, 1506 &tbscert->subjectUniqueIdentifier)) != KMF_OK) 1507 goto cleanup; 1508 } 1509 1510 /* Optional field: Certificate Extensions */ 1511 if (tbscert->extensions.numberOfExtensions > 0) { 1512 if ((ret = encode_extensions(asn1, 1513 &tbscert->extensions)) != KMF_OK) 1514 goto cleanup; 1515 } 1516 1517 /* Close out the TBSCert sequence */ 1518 if (kmfber_printf(asn1, "}") == -1) { 1519 ret = KMF_ERR_BAD_CERT_FORMAT; 1520 goto cleanup; 1521 } 1522 1523 cleanup: 1524 /* 1525 * Memory cleanup is done in the caller or in the individual 1526 * encoding routines. 1527 */ 1528 1529 return (ret); 1530 } 1531 1532 KMF_RETURN 1533 DerEncodeTbsCertificate(KMF_X509_TBS_CERT *tbs_cert_ptr, 1534 KMF_DATA *enc_tbs_cert_ptr) 1535 { 1536 KMF_RETURN ret; 1537 BerElement *asn1 = NULL; 1538 BerValue *tbsdata = NULL; 1539 1540 asn1 = kmfder_alloc(); 1541 if (asn1 == NULL) 1542 return (KMF_ERR_MEMORY); 1543 1544 enc_tbs_cert_ptr->Data = NULL; 1545 enc_tbs_cert_ptr->Length = 0; 1546 1547 ret = encode_tbs_cert(asn1, tbs_cert_ptr); 1548 if (ret != KMF_OK) 1549 goto cleanup; 1550 1551 if (kmfber_flatten(asn1, &tbsdata) == -1) { 1552 ret = KMF_ERR_MEMORY; 1553 goto cleanup; 1554 } 1555 1556 enc_tbs_cert_ptr->Data = (uchar_t *)tbsdata->bv_val; 1557 enc_tbs_cert_ptr->Length = tbsdata->bv_len; 1558 1559 cleanup: 1560 if (ret != KMF_OK) 1561 free_data(enc_tbs_cert_ptr); 1562 1563 if (asn1 != NULL) 1564 kmfber_free(asn1, 1); 1565 1566 if (tbsdata) 1567 free(tbsdata); 1568 1569 return (ret); 1570 } 1571 1572 KMF_RETURN 1573 DerEncodeSignedCertificate(KMF_X509_CERTIFICATE *signed_cert_ptr, 1574 KMF_DATA *encodedcert) 1575 { 1576 KMF_RETURN ret = KMF_OK; 1577 KMF_X509_TBS_CERT *tbscert = NULL; 1578 KMF_X509_SIGNATURE *signature = NULL; 1579 BerElement *asn1 = NULL; 1580 BerValue *tbsdata = NULL; 1581 1582 if (signed_cert_ptr == NULL || encodedcert == NULL) 1583 return (KMF_ERR_BAD_PARAMETER); 1584 1585 encodedcert->Data = NULL; 1586 encodedcert->Length = 0; 1587 1588 tbscert = &signed_cert_ptr->certificate; 1589 signature = &signed_cert_ptr->signature; 1590 1591 asn1 = kmfder_alloc(); 1592 if (asn1 == NULL) 1593 return (KMF_ERR_MEMORY); 1594 1595 /* Start outer X509 Certificate SEQUENCE */ 1596 if (kmfber_printf(asn1, "{") == -1) { 1597 ret = KMF_ERR_BAD_CERT_FORMAT; 1598 goto cleanup; 1599 } 1600 1601 if ((ret = encode_tbs_cert(asn1, tbscert)) != KMF_OK) { 1602 ret = KMF_ERR_BAD_CERT_FORMAT; 1603 goto cleanup; 1604 } 1605 1606 /* Add the Algorithm & Signature Sequence */ 1607 if ((ret = encode_algoid(asn1, 1608 &signature->algorithmIdentifier)) != KMF_OK) 1609 goto cleanup; 1610 1611 if (signature->encrypted.Length > 0) { 1612 if (kmfber_printf(asn1, "B", signature->encrypted.Data, 1613 signature->encrypted.Length * 8) == -1) { 1614 ret = KMF_ERR_BAD_CERT_FORMAT; 1615 goto cleanup; 1616 } 1617 } 1618 1619 if (kmfber_printf(asn1, "}") == -1) { 1620 ret = KMF_ERR_BAD_CERT_FORMAT; 1621 goto cleanup; 1622 } 1623 1624 if (kmfber_flatten(asn1, &tbsdata) == -1) { 1625 ret = KMF_ERR_MEMORY; 1626 goto cleanup; 1627 } 1628 1629 encodedcert->Data = (uchar_t *)tbsdata->bv_val; 1630 encodedcert->Length = tbsdata->bv_len; 1631 1632 cleanup: 1633 if (ret != KMF_OK) 1634 free_data(encodedcert); 1635 1636 if (tbsdata) 1637 free(tbsdata); 1638 1639 if (asn1) 1640 kmfber_free(asn1, 1); 1641 1642 return (ret); 1643 } 1644 1645 KMF_RETURN 1646 ExtractX509CertParts(KMF_DATA *x509cert, KMF_DATA *tbscert, 1647 KMF_DATA *signature) 1648 { 1649 KMF_RETURN ret = KMF_OK; 1650 BerElement *der = NULL; 1651 BerValue x509; 1652 ber_tag_t tag; 1653 ber_len_t size; 1654 1655 if (tbscert == NULL || x509cert == NULL) 1656 return (KMF_ERR_BAD_PARAMETER); 1657 1658 x509.bv_val = (char *)x509cert->Data; 1659 x509.bv_len = x509cert->Length; 1660 1661 der = kmfder_init(&x509); 1662 if (der == NULL) 1663 return (KMF_ERR_MEMORY); 1664 1665 /* Skip over the overall Sequence tag to get at the TBS Cert data */ 1666 if (kmfber_scanf(der, "Tl", &tag, &size) == -1) { 1667 ret = KMF_ERR_BAD_CERT_FORMAT; 1668 goto cleanup; 1669 } 1670 if (tag != BER_CONSTRUCTED_SEQUENCE) { 1671 ret = KMF_ERR_BAD_CERT_FORMAT; 1672 goto cleanup; 1673 } 1674 1675 /* 1676 * Since we are extracting a copy of the ENCODED bytes, we 1677 * must make sure to also include the bytes for the tag and 1678 * the length fields for the CONSTRUCTED SEQUENCE (TBSCert). 1679 */ 1680 size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size); 1681 1682 tbscert->Data = malloc(size); 1683 if (tbscert->Data == NULL) { 1684 ret = KMF_ERR_MEMORY; 1685 goto cleanup; 1686 } 1687 tbscert->Length = size; 1688 1689 /* The der data ptr is now set to the start of the TBS cert sequence */ 1690 size = kmfber_read(der, (char *)tbscert->Data, tbscert->Length); 1691 if (size != tbscert->Length) { 1692 ret = KMF_ERR_BAD_CERT_FORMAT; 1693 goto cleanup; 1694 } 1695 1696 if (signature != NULL) { 1697 KMF_X509_ALGORITHM_IDENTIFIER algoid; 1698 if ((ret = get_algoid(der, &algoid)) != KMF_OK) 1699 goto cleanup; 1700 free_algoid(&algoid); 1701 1702 if (kmfber_scanf(der, "tl", &tag, &size) != BER_BIT_STRING) { 1703 ret = KMF_ERR_BAD_CERT_FORMAT; 1704 goto cleanup; 1705 } 1706 /* Now get the signature data */ 1707 if (kmfber_scanf(der, "B", (char **)&signature->Data, 1708 (ber_len_t *)&signature->Length) == -1) { 1709 ret = KMF_ERR_BAD_CERT_FORMAT; 1710 goto cleanup; 1711 } 1712 /* convert bitstring length to bytes */ 1713 signature->Length = signature->Length / 8; 1714 } 1715 1716 cleanup: 1717 if (der) 1718 kmfber_free(der, 1); 1719 1720 if (ret != KMF_OK) 1721 free_data(tbscert); 1722 1723 return (ret); 1724 } 1725 1726 /* 1727 * Name: GetKeyFromSpki 1728 * 1729 * Description: 1730 * This function parses the KMF_X509_SPKI into its 1731 * key and parameter components based on the key generation algorithm. 1732 * NOTE: Currently, it only checks for the RSA and DSA algorithms. 1733 * The RSA algorithm is equivalent to the default behavior. 1734 * All other algorithms will default to the parameters = NULL and the 1735 * key data equal to whatever is in the CSSM_KEY structure for the key 1736 * 1737 * Parameters: 1738 * AlgId (input) : Algorithm identifier 1739 * SpkiPtr (input): SPKI structure that contains the key 1740 * key_ptr(output): The output key 1741 * 1742 */ 1743 KMF_RETURN 1744 GetKeyFromSpki(KMF_ALGORITHM_INDEX AlgId, 1745 KMF_X509_SPKI *SpkiPtr, 1746 KMF_DATA **key_ptr) 1747 { 1748 KMF_RETURN ret = KMF_OK; 1749 BerElement *asn1; 1750 BerValue *encodedkey = NULL; 1751 1752 if (!key_ptr || !SpkiPtr) { 1753 return (KMF_ERR_BAD_PARAMETER); 1754 } 1755 *key_ptr = NULL; 1756 1757 switch (AlgId) { 1758 case KMF_ALGID_DSA: 1759 asn1 = kmfder_alloc(); 1760 if (asn1 == NULL) { 1761 return (KMF_ERR_MEMORY); 1762 } 1763 1764 if ((ret = encode_spki(asn1, SpkiPtr)) != KMF_OK) { 1765 ret = KMF_ERR_MEMORY; 1766 goto cleanup; 1767 } 1768 1769 if (kmfber_flatten(asn1, &encodedkey) == -1) { 1770 ret = KMF_ERR_MEMORY; 1771 goto cleanup; 1772 } 1773 1774 *key_ptr = malloc(sizeof (KMF_DATA)); 1775 1776 if (!*key_ptr) { 1777 ret = KMF_ERR_MEMORY; 1778 goto cleanup; 1779 } 1780 1781 (*key_ptr)->Length = encodedkey->bv_len; 1782 (*key_ptr)->Data = (uchar_t *)encodedkey->bv_val; 1783 cleanup: 1784 kmfber_free(asn1, 1); 1785 if (encodedkey) 1786 free(encodedkey); 1787 break; 1788 default: /* RSA */ 1789 *key_ptr = malloc(sizeof (KMF_DATA)); 1790 1791 if (!*key_ptr) { 1792 return (KMF_ERR_MEMORY); 1793 } 1794 (*key_ptr)->Length = SpkiPtr->subjectPublicKey.Length; 1795 (*key_ptr)->Data = malloc((*key_ptr)->Length); 1796 1797 if (!(*key_ptr)->Data) { 1798 free(*key_ptr); 1799 *key_ptr = NULL; 1800 return (KMF_ERR_MEMORY); 1801 } 1802 (void) memcpy((*key_ptr)->Data, 1803 SpkiPtr->subjectPublicKey.Data, 1804 (*key_ptr)->Length); 1805 return (ret); 1806 } 1807 return (ret); 1808 } 1809 1810 static KMF_RETURN 1811 decode_csr_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns) 1812 { 1813 KMF_RETURN ret = KMF_OK; 1814 BerValue oid; 1815 1816 if (kmfber_scanf(asn1, "{D", &oid) == -1) { 1817 return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE); 1818 } 1819 1820 /* We only understand extension requests in a CSR */ 1821 if (memcmp(oid.bv_val, extension_request_oid.Data, 1822 oid.bv_len) != 0) { 1823 return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE); 1824 } 1825 1826 if (kmfber_scanf(asn1, "[") == -1) { 1827 return (KMF_ERR_ENCODING); 1828 } 1829 ret = get_extensions(asn1, extns); 1830 1831 1832 return (ret); 1833 } 1834 1835 static KMF_RETURN 1836 decode_tbscsr_data(BerElement *asn1, 1837 KMF_TBS_CSR **signed_csr_ptr_ptr) 1838 { 1839 KMF_RETURN ret = KMF_OK; 1840 KMF_TBS_CSR *tbscsr = NULL; 1841 char *end = NULL; 1842 uint32_t version; 1843 ber_tag_t tag; 1844 ber_len_t size; 1845 1846 /* Now get the version number, it is not optional */ 1847 if (kmfber_scanf(asn1, "{i", &version) == -1) { 1848 ret = KMF_ERR_BAD_CERT_FORMAT; 1849 goto cleanup; 1850 } 1851 1852 tbscsr = malloc(sizeof (KMF_TBS_CSR)); 1853 if (!tbscsr) { 1854 ret = KMF_ERR_MEMORY; 1855 goto cleanup; 1856 } 1857 1858 (void) memset(tbscsr, 0, sizeof (KMF_TBS_CSR)); 1859 1860 if ((ret = set_der_integer(&tbscsr->version, version)) != KMF_OK) 1861 goto cleanup; 1862 1863 if ((ret = get_rdn(asn1, &tbscsr->subject)) != KMF_OK) 1864 goto cleanup; 1865 1866 if ((ret = get_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK) 1867 goto cleanup; 1868 1869 /* Check for the optional fields (attributes) */ 1870 if (kmfber_next_element(asn1, &size, end) == 0xA0) { 1871 if (kmfber_scanf(asn1, "Tl", &tag, &size) == -1) { 1872 ret = KMF_ERR_ENCODING; 1873 goto cleanup; 1874 } 1875 1876 ret = decode_csr_extensions(asn1, &tbscsr->extensions); 1877 } 1878 if (ret == KMF_OK) 1879 *signed_csr_ptr_ptr = tbscsr; 1880 1881 cleanup: 1882 if (ret != KMF_OK) { 1883 if (tbscsr) { 1884 free_tbscsr(tbscsr); 1885 free(tbscsr); 1886 } 1887 *signed_csr_ptr_ptr = NULL; 1888 } 1889 return (ret); 1890 } 1891 1892 KMF_RETURN 1893 DerDecodeTbsCsr(const KMF_DATA *Value, 1894 KMF_TBS_CSR **tbscsr) 1895 { 1896 KMF_RETURN ret = KMF_OK; 1897 BerElement *asn1 = NULL; 1898 BerValue rawcsr; 1899 KMF_TBS_CSR *newcsr = NULL; 1900 1901 if (!tbscsr || !Value || !Value->Data || !Value->Length) 1902 return (KMF_ERR_BAD_PARAMETER); 1903 1904 rawcsr.bv_val = (char *)Value->Data; 1905 rawcsr.bv_len = Value->Length; 1906 1907 if ((asn1 = kmfder_init(&rawcsr)) == NULL) 1908 return (KMF_ERR_MEMORY); 1909 1910 ret = decode_tbscsr_data(asn1, &newcsr); 1911 if (ret != KMF_OK) 1912 goto cleanup; 1913 1914 *tbscsr = newcsr; 1915 1916 cleanup: 1917 if (ret != KMF_OK) { 1918 if (newcsr) 1919 free_tbscsr(newcsr); 1920 *tbscsr = NULL; 1921 } 1922 kmfber_free(asn1, 1); 1923 1924 return (ret); 1925 } 1926 1927 KMF_RETURN 1928 DerDecodeSignedCsr(const KMF_DATA *Value, 1929 KMF_CSR_DATA **signed_csr_ptr_ptr) 1930 { 1931 KMF_RETURN ret = KMF_OK; 1932 BerElement *asn1 = NULL; 1933 BerValue rawcsr; 1934 int tag; 1935 ber_len_t size; 1936 char *end = NULL; 1937 char *signature; 1938 KMF_TBS_CSR *tbscsr = NULL; 1939 KMF_CSR_DATA *csrptr = NULL; 1940 1941 if (!signed_csr_ptr_ptr || !Value || !Value->Data || !Value->Length) 1942 return (KMF_ERR_BAD_PARAMETER); 1943 1944 rawcsr.bv_val = (char *)Value->Data; 1945 rawcsr.bv_len = Value->Length; 1946 1947 if ((asn1 = kmfder_init(&rawcsr)) == NULL) 1948 return (KMF_ERR_MEMORY); 1949 1950 if (kmfber_first_element(asn1, &size, &end) != 1951 BER_CONSTRUCTED_SEQUENCE) { 1952 ret = KMF_ERR_BAD_CERT_FORMAT; 1953 goto cleanup; 1954 } 1955 1956 csrptr = malloc(sizeof (KMF_CSR_DATA)); 1957 if (csrptr == NULL) { 1958 ret = KMF_ERR_MEMORY; 1959 goto cleanup; 1960 } 1961 (void) memset(csrptr, 0, sizeof (KMF_CSR_DATA)); 1962 1963 ret = decode_tbscsr_data(asn1, &tbscsr); 1964 if (ret != KMF_OK) 1965 goto cleanup; 1966 1967 csrptr->csr = *tbscsr; 1968 free(tbscsr); 1969 tbscsr = NULL; 1970 1971 if ((ret = get_algoid(asn1, 1972 &csrptr->signature.algorithmIdentifier)) != KMF_OK) 1973 goto cleanup; 1974 1975 /* Check to see if the cert has a signature yet */ 1976 if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) { 1977 /* Finally, get the encrypted signature BITSTRING */ 1978 if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) { 1979 ret = KMF_ERR_BAD_CERT_FORMAT; 1980 goto cleanup; 1981 } 1982 if (tag != BER_BIT_STRING) { 1983 ret = KMF_ERR_BAD_CERT_FORMAT; 1984 goto cleanup; 1985 } 1986 if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) { 1987 ret = KMF_ERR_BAD_CERT_FORMAT; 1988 goto cleanup; 1989 } 1990 csrptr->signature.encrypted.Data = (uchar_t *)signature; 1991 csrptr->signature.encrypted.Length = size / 8; 1992 } else { 1993 csrptr->signature.encrypted.Data = NULL; 1994 csrptr->signature.encrypted.Length = 0; 1995 } 1996 1997 *signed_csr_ptr_ptr = csrptr; 1998 cleanup: 1999 if (ret != KMF_OK) { 2000 free_tbscsr(&csrptr->csr); 2001 free_algoid(&csrptr->signature.algorithmIdentifier); 2002 if (csrptr->signature.encrypted.Data) 2003 free(csrptr->signature.encrypted.Data); 2004 2005 if (csrptr) 2006 free(csrptr); 2007 2008 *signed_csr_ptr_ptr = NULL; 2009 } 2010 if (asn1) 2011 kmfber_free(asn1, 1); 2012 2013 return (ret); 2014 2015 } 2016 2017 static KMF_RETURN 2018 encode_csr_extensions(BerElement *asn1, KMF_TBS_CSR *tbscsr) 2019 { 2020 KMF_RETURN ret = KMF_OK; 2021 int attlen = 0; 2022 BerElement *extnasn1 = NULL; 2023 BerValue *extnvalue = NULL; 2024 2025 /* Optional field: CSR attributes and extensions */ 2026 if (tbscsr->extensions.numberOfExtensions > 0) { 2027 if (kmfber_printf(asn1, "T", 0xA0) == -1) { 2028 ret = KMF_ERR_ENCODING; 2029 goto cleanup; 2030 } 2031 } else { 2032 /* No extensions or attributes to encode */ 2033 return (KMF_OK); 2034 } 2035 2036 /* 2037 * attributes [0] Attributes 2038 * Attributes := SET OF Attribute 2039 * Attribute := SEQUENCE { 2040 * { ATTRIBUTE ID 2041 * values SET SIZE(1..MAX) of ATTRIBUTE 2042 * } 2043 * 2044 * Ex: { ExtensionRequest OID [ { {extn1 } , {extn2 } } ] } 2045 */ 2046 2047 /* 2048 * Encode any extensions and add to the attributes section. 2049 */ 2050 if (tbscsr->extensions.numberOfExtensions > 0) { 2051 extnasn1 = kmfder_alloc(); 2052 if (extnasn1 == NULL) { 2053 ret = KMF_ERR_MEMORY; 2054 goto cleanup; 2055 } 2056 2057 if (kmfber_printf(extnasn1, "{D[{", 2058 &extension_request_oid) == -1) { 2059 ret = KMF_ERR_ENCODING; 2060 goto cleanup_1; 2061 } 2062 2063 if ((ret = encode_extension_list(extnasn1, 2064 &tbscsr->extensions)) != KMF_OK) { 2065 goto cleanup_1; 2066 } 2067 2068 if (kmfber_printf(extnasn1, "}]}") == -1) { 2069 ret = KMF_ERR_ENCODING; 2070 goto cleanup_1; 2071 } 2072 2073 if (kmfber_flatten(extnasn1, &extnvalue) == -1) { 2074 ret = KMF_ERR_MEMORY; 2075 goto cleanup_1; 2076 } 2077 cleanup_1: 2078 kmfber_free(extnasn1, 1); 2079 2080 if (ret == KMF_OK) 2081 /* Add 2 bytes to cover the tag and the length */ 2082 attlen = extnvalue->bv_len; 2083 } 2084 if (ret != KMF_OK) 2085 goto cleanup; 2086 2087 if (kmfber_printf(asn1, "l", attlen) == -1) { 2088 ret = KMF_ERR_ENCODING; 2089 goto cleanup; 2090 } 2091 2092 /* Write the actual encoded extensions */ 2093 if (extnvalue != NULL && extnvalue->bv_val != NULL) { 2094 if (kmfber_write(asn1, extnvalue->bv_val, 2095 extnvalue->bv_len, 0) == -1) { 2096 ret = KMF_ERR_ENCODING; 2097 goto cleanup; 2098 } 2099 } 2100 2101 cleanup: 2102 /* 2103 * Memory cleanup is done in the caller or in the individual 2104 * encoding routines. 2105 */ 2106 if (extnvalue) { 2107 if (extnvalue->bv_val) 2108 free(extnvalue->bv_val); 2109 free(extnvalue); 2110 } 2111 2112 return (ret); 2113 } 2114 2115 static KMF_RETURN 2116 encode_tbs_csr(BerElement *asn1, KMF_TBS_CSR *tbscsr) 2117 { 2118 KMF_RETURN ret = KMF_OK; 2119 uint32_t version; 2120 2121 /* Start the version */ 2122 (void) memcpy(&version, tbscsr->version.Data, 2123 tbscsr->version.Length); 2124 2125 if (kmfber_printf(asn1, "{i", &version) == -1) { 2126 ret = KMF_ERR_BAD_CERT_FORMAT; 2127 goto cleanup; 2128 } 2129 2130 /* Encode the Subject RDN */ 2131 if ((ret = encode_rdn(asn1, &tbscsr->subject)) != KMF_OK) 2132 goto cleanup; 2133 2134 /* Encode the Subject Public Key Info */ 2135 if ((ret = encode_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK) 2136 goto cleanup; 2137 2138 2139 if ((ret = encode_csr_extensions(asn1, tbscsr)) != KMF_OK) 2140 goto cleanup; 2141 2142 /* Close out the TBSCert sequence */ 2143 if (kmfber_printf(asn1, "}") == -1) { 2144 ret = KMF_ERR_BAD_CERT_FORMAT; 2145 goto cleanup; 2146 } 2147 2148 cleanup: 2149 return (ret); 2150 } 2151 2152 KMF_RETURN 2153 DerEncodeDSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_DSA_KEY *dsa) 2154 { 2155 KMF_RETURN rv = KMF_OK; 2156 BerElement *asn1 = NULL; 2157 BerValue *dsadata = NULL; 2158 2159 asn1 = kmfder_alloc(); 2160 if (asn1 == NULL) 2161 return (KMF_ERR_MEMORY); 2162 2163 if (kmfber_printf(asn1, "I", 2164 dsa->value.val, dsa->value.len) == -1) { 2165 rv = KMF_ERR_MEMORY; 2166 goto cleanup; 2167 } 2168 2169 if (kmfber_flatten(asn1, &dsadata) == -1) { 2170 rv = KMF_ERR_MEMORY; 2171 goto cleanup; 2172 } 2173 2174 encodedkey->Data = (uchar_t *)dsadata->bv_val; 2175 encodedkey->Length = dsadata->bv_len; 2176 2177 free(dsadata); 2178 cleanup: 2179 kmfber_free(asn1, 1); 2180 return (rv); 2181 } 2182 2183 KMF_RETURN 2184 DerEncodeRSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_RSA_KEY *rsa) 2185 { 2186 KMF_RETURN rv = KMF_OK; 2187 BerElement *asn1 = NULL; 2188 uchar_t ver = 0; 2189 BerValue *rsadata = NULL; 2190 2191 asn1 = kmfder_alloc(); 2192 if (asn1 == NULL) 2193 return (KMF_ERR_MEMORY); 2194 2195 if (kmfber_printf(asn1, "{IIIIIIIII}", 2196 &ver, 1, 2197 rsa->mod.val, rsa->mod.len, 2198 rsa->pubexp.val, rsa->pubexp.len, 2199 rsa->priexp.val, rsa->priexp.len, 2200 rsa->prime1.val, rsa->prime1.len, 2201 rsa->prime2.val, rsa->prime2.len, 2202 rsa->exp1.val, rsa->exp1.len, 2203 rsa->exp2.val, rsa->exp2.len, 2204 rsa->coef.val, rsa->coef.len) == -1) 2205 goto cleanup; 2206 2207 if (kmfber_flatten(asn1, &rsadata) == -1) { 2208 rv = KMF_ERR_MEMORY; 2209 goto cleanup; 2210 } 2211 2212 encodedkey->Data = (uchar_t *)rsadata->bv_val; 2213 encodedkey->Length = rsadata->bv_len; 2214 2215 free(rsadata); 2216 cleanup: 2217 kmfber_free(asn1, 1); 2218 return (rv); 2219 } 2220 2221 2222 KMF_RETURN 2223 DerEncodeTbsCsr(KMF_TBS_CSR *tbs_csr_ptr, 2224 KMF_DATA *enc_tbs_csr_ptr) 2225 { 2226 KMF_RETURN ret; 2227 BerValue *tbsdata = NULL; 2228 BerElement *asn1 = NULL; 2229 2230 asn1 = kmfder_alloc(); 2231 2232 enc_tbs_csr_ptr->Data = NULL; 2233 enc_tbs_csr_ptr->Length = 0; 2234 2235 if (asn1 == NULL) 2236 return (KMF_ERR_MEMORY); 2237 2238 ret = encode_tbs_csr(asn1, tbs_csr_ptr); 2239 if (ret != KMF_OK) 2240 goto cleanup; 2241 2242 if (kmfber_flatten(asn1, &tbsdata) == -1) { 2243 ret = KMF_ERR_MEMORY; 2244 goto cleanup; 2245 } 2246 2247 enc_tbs_csr_ptr->Data = (uchar_t *)tbsdata->bv_val; 2248 enc_tbs_csr_ptr->Length = tbsdata->bv_len; 2249 2250 cleanup: 2251 if (ret != KMF_OK) 2252 free_data(enc_tbs_csr_ptr); 2253 2254 if (asn1 != NULL) 2255 kmfber_free(asn1, 1); 2256 2257 if (tbsdata) 2258 free(tbsdata); 2259 2260 return (ret); 2261 } 2262 2263 KMF_RETURN 2264 DerEncodeSignedCsr(KMF_CSR_DATA *signed_csr_ptr, 2265 KMF_DATA *encodedcsr) 2266 { 2267 KMF_RETURN ret = KMF_OK; 2268 KMF_TBS_CSR *tbscsr = NULL; 2269 KMF_X509_SIGNATURE *signature = NULL; 2270 BerElement *asn1 = NULL; 2271 BerValue *tbsdata = NULL; 2272 2273 if (signed_csr_ptr == NULL) 2274 return (KMF_ERR_BAD_PARAMETER); 2275 2276 tbscsr = &signed_csr_ptr->csr; 2277 signature = &signed_csr_ptr->signature; 2278 2279 asn1 = kmfder_alloc(); 2280 if (asn1 == NULL) 2281 return (KMF_ERR_MEMORY); 2282 2283 /* Start outer CSR SEQUENCE */ 2284 if (kmfber_printf(asn1, "{") == -1) { 2285 ret = KMF_ERR_BAD_CERT_FORMAT; 2286 goto cleanup; 2287 } 2288 2289 ret = encode_tbs_csr(asn1, tbscsr); 2290 2291 /* Add the Algorithm & Signature Sequence */ 2292 if ((ret = encode_algoid(asn1, 2293 &signature->algorithmIdentifier)) != KMF_OK) 2294 goto cleanup; 2295 2296 if (signature->encrypted.Length > 0) { 2297 if (kmfber_printf(asn1, "B", signature->encrypted.Data, 2298 signature->encrypted.Length * 8) == -1) { 2299 ret = KMF_ERR_BAD_CERT_FORMAT; 2300 goto cleanup; 2301 } 2302 } 2303 2304 if (kmfber_printf(asn1, "}") == -1) { 2305 ret = KMF_ERR_BAD_CERT_FORMAT; 2306 goto cleanup; 2307 } 2308 2309 if (kmfber_flatten(asn1, &tbsdata) == -1) { 2310 ret = KMF_ERR_MEMORY; 2311 goto cleanup; 2312 } 2313 2314 encodedcsr->Data = (uchar_t *)tbsdata->bv_val; 2315 encodedcsr->Length = tbsdata->bv_len; 2316 2317 cleanup: 2318 if (ret != KMF_OK) { 2319 free_data(encodedcsr); 2320 } 2321 2322 if (tbsdata) 2323 free(tbsdata); 2324 2325 if (asn1) 2326 kmfber_free(asn1, 1); 2327 return (ret); 2328 } 2329 2330 KMF_RETURN 2331 ExtractSPKIData( 2332 const KMF_X509_SPKI *pKey, 2333 KMF_ALGORITHM_INDEX AlgorithmId, 2334 KMF_DATA *pKeyParts, 2335 uint32_t *uNumKeyParts) 2336 { 2337 KMF_RETURN ret = KMF_OK; 2338 BerElement *asn1 = NULL; 2339 BerValue *P, *Q, *G, *Mod, *Exp, *PubKey; 2340 BerValue PubKeyParams, PubKeyData; 2341 2342 if (pKeyParts == NULL || uNumKeyParts == NULL || pKey == NULL) 2343 return (KMF_ERR_BAD_PARAMETER); 2344 2345 switch (AlgorithmId) { 2346 case KMF_ALGID_DSA: 2347 case KMF_ALGID_SHA1WithDSA: 2348 /* First, get the parameters from the algorithm definition */ 2349 PubKeyParams.bv_val = (char *)pKey->algorithm.parameters.Data; 2350 PubKeyParams.bv_len = pKey->algorithm.parameters.Length; 2351 if ((asn1 = kmfder_init(&PubKeyParams)) == NULL) 2352 return (KMF_ERR_MEMORY); 2353 2354 if (kmfber_scanf(asn1, "{III}", &P, &Q, &G) == -1) { 2355 kmfber_free(asn1, 1); 2356 return (KMF_ERR_BAD_KEY_FORMAT); 2357 } 2358 pKeyParts[KMF_DSA_PRIME].Data = (uchar_t *)P->bv_val; 2359 pKeyParts[KMF_DSA_PRIME].Length = P->bv_len; 2360 pKeyParts[KMF_DSA_SUB_PRIME].Data = (uchar_t *)Q->bv_val; 2361 pKeyParts[KMF_DSA_SUB_PRIME].Length = Q->bv_len; 2362 pKeyParts[KMF_DSA_BASE].Data = (uchar_t *)G->bv_val; 2363 pKeyParts[KMF_DSA_BASE].Length = G->bv_len; 2364 2365 free(P); 2366 free(Q); 2367 free(G); 2368 kmfber_free(asn1, 1); 2369 2370 /* Get the PubKey data */ 2371 PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data; 2372 PubKeyData.bv_len = pKey->subjectPublicKey.Length; 2373 if ((asn1 = kmfder_init(&PubKeyData)) == NULL) { 2374 ret = KMF_ERR_MEMORY; 2375 goto cleanup; 2376 } 2377 PubKey = NULL; 2378 if (kmfber_scanf(asn1, "I", &PubKey) == -1) { 2379 ret = KMF_ERR_BAD_KEY_FORMAT; 2380 goto cleanup; 2381 } 2382 pKeyParts[KMF_DSA_PUBLIC_VALUE].Data = 2383 (uchar_t *)PubKey->bv_val; 2384 pKeyParts[KMF_DSA_PUBLIC_VALUE].Length = PubKey->bv_len; 2385 2386 free(PubKey); 2387 2388 *uNumKeyParts = KMF_NUMBER_DSA_PUBLIC_KEY_PARTS; 2389 break; 2390 2391 case KMF_ALGID_RSA: 2392 case KMF_ALGID_MD2WithRSA: 2393 case KMF_ALGID_MD5WithRSA: 2394 case KMF_ALGID_SHA1WithRSA: 2395 PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data; 2396 PubKeyData.bv_len = pKey->subjectPublicKey.Length; 2397 if ((asn1 = kmfder_init(&PubKeyData)) == NULL) { 2398 ret = KMF_ERR_MEMORY; 2399 goto cleanup; 2400 } 2401 if (kmfber_scanf(asn1, "{II}", &Mod, &Exp) == -1) { 2402 ret = KMF_ERR_BAD_KEY_FORMAT; 2403 goto cleanup; 2404 } 2405 pKeyParts[KMF_RSA_MODULUS].Data = (uchar_t *)Mod->bv_val; 2406 pKeyParts[KMF_RSA_MODULUS].Length = Mod->bv_len; 2407 pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Data = 2408 (uchar_t *)Exp->bv_val; 2409 pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Length = Exp->bv_len; 2410 *uNumKeyParts = KMF_NUMBER_RSA_PUBLIC_KEY_PARTS; 2411 2412 free(Mod); 2413 free(Exp); 2414 break; 2415 default: 2416 return (KMF_ERR_BAD_PARAMETER); 2417 } 2418 cleanup: 2419 if (ret != KMF_OK) { 2420 int i; 2421 for (i = 0; i < *uNumKeyParts; i++) 2422 free_data(&pKeyParts[i]); 2423 } 2424 if (asn1 != NULL) { 2425 kmfber_free(asn1, 1); 2426 } 2427 2428 return (ret); 2429 } 2430