1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #pragma ident "%Z%%M% %I% %E% SMI" 27 28 #include <stdio.h> 29 #include <string.h> 30 #include <ctype.h> 31 #include <malloc.h> 32 #include <libgen.h> 33 #include <errno.h> 34 #include <cryptoutil.h> 35 #include <security/cryptoki.h> 36 #include "common.h" 37 38 #include <kmfapi.h> 39 40 #define SET_VALUE(f, s) \ 41 kmfrv = f; \ 42 if (kmfrv != KMF_OK) { \ 43 cryptoerror(LOG_STDERR, \ 44 gettext("Failed to set %s: 0x%02x\n"), \ 45 s, kmfrv); \ 46 goto cleanup; \ 47 } 48 49 static int 50 gencert_pkcs11(KMF_HANDLE_T kmfhandle, 51 char *token, char *subject, char *altname, 52 KMF_GENERALNAMECHOICES alttype, int altcrit, 53 char *certlabel, KMF_KEY_ALG keyAlg, 54 KMF_ALGORITHM_INDEX sigAlg, 55 int keylen, uint32_t ltime, KMF_BIGINT *serial, 56 uint16_t kubits, int kucrit, KMF_CREDENTIAL *tokencred, 57 EKU_LIST *ekulist) 58 { 59 KMF_RETURN kmfrv = KMF_OK; 60 KMF_KEY_HANDLE pubk, prik; 61 KMF_X509_CERTIFICATE signedCert; 62 KMF_X509_NAME certSubject; 63 KMF_X509_NAME certIssuer; 64 KMF_DATA x509DER; 65 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_PK11TOKEN; 66 KMF_ATTRIBUTE attrlist[16]; 67 int numattr = 0; 68 KMF_KEY_ALG keytype; 69 uint32_t keylength; 70 71 (void) memset(&signedCert, 0, sizeof (signedCert)); 72 (void) memset(&certSubject, 0, sizeof (certSubject)); 73 (void) memset(&certIssuer, 0, sizeof (certIssuer)); 74 (void) memset(&x509DER, 0, sizeof (x509DER)); 75 76 /* If the subject name cannot be parsed, flag it now and exit */ 77 if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { 78 cryptoerror(LOG_STDERR, 79 gettext("Subject name cannot be parsed.\n")); 80 return (PK_ERR_USAGE); 81 } 82 83 /* For a self-signed cert, the issuser and subject are the same */ 84 if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { 85 cryptoerror(LOG_STDERR, 86 gettext("Subject name cannot be parsed.\n")); 87 return (PK_ERR_USAGE); 88 } 89 90 keylength = keylen; /* bits */ 91 keytype = keyAlg; 92 93 /* Select a PKCS11 token */ 94 kmfrv = select_token(kmfhandle, token, FALSE); 95 96 if (kmfrv != KMF_OK) { 97 return (kmfrv); 98 } 99 100 kmf_set_attr_at_index(attrlist, numattr, 101 KMF_KEYSTORE_TYPE_ATTR, &kstype, 102 sizeof (kstype)); 103 numattr++; 104 105 kmf_set_attr_at_index(attrlist, numattr, 106 KMF_KEYALG_ATTR, &keytype, 107 sizeof (keytype)); 108 numattr++; 109 110 kmf_set_attr_at_index(attrlist, numattr, 111 KMF_KEYLENGTH_ATTR, &keylength, 112 sizeof (keylength)); 113 numattr++; 114 115 if (certlabel != NULL) { 116 kmf_set_attr_at_index(attrlist, numattr, 117 KMF_KEYLABEL_ATTR, certlabel, 118 strlen(certlabel)); 119 numattr++; 120 } 121 122 if (tokencred != NULL && tokencred->cred != NULL) { 123 kmf_set_attr_at_index(attrlist, numattr, 124 KMF_CREDENTIAL_ATTR, tokencred, 125 sizeof (KMF_CREDENTIAL)); 126 numattr++; 127 } 128 129 kmf_set_attr_at_index(attrlist, numattr, 130 KMF_PRIVKEY_HANDLE_ATTR, &prik, 131 sizeof (KMF_KEY_HANDLE)); 132 numattr++; 133 134 kmf_set_attr_at_index(attrlist, numattr, 135 KMF_PUBKEY_HANDLE_ATTR, &pubk, 136 sizeof (KMF_KEY_HANDLE)); 137 numattr++; 138 139 kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); 140 if (kmfrv != KMF_OK) { 141 return (kmfrv); 142 } 143 144 SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), 145 "keypair"); 146 147 SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); 148 149 SET_VALUE(kmf_set_cert_serial(&signedCert, serial), 150 "serial number"); 151 152 SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), 153 "validity time"); 154 155 SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), 156 "signature algorithm"); 157 158 SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), 159 "subject name"); 160 161 SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), 162 "issuer name"); 163 164 if (altname != NULL) 165 SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, 166 alttype, altname), "subjectAltName"); 167 168 if (kubits != 0) 169 SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), 170 "KeyUsage"); 171 172 if (ekulist != NULL) { 173 int i; 174 for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) { 175 SET_VALUE(kmf_add_cert_eku(&signedCert, 176 &ekulist->ekulist[i], ekulist->critlist[i]), 177 "Extended Key Usage"); 178 } 179 } 180 181 /* 182 * Construct attributes for the kmf_sign_cert operation. 183 */ 184 numattr = 0; 185 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 186 &kstype, sizeof (kstype)); 187 numattr++; 188 189 kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, 190 &prik, sizeof (KMF_KEY_HANDLE_ATTR)); 191 numattr++; 192 193 /* cert data that is to be signed */ 194 kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, 195 &signedCert, sizeof (KMF_X509_CERTIFICATE)); 196 numattr++; 197 198 /* output buffer for the signed cert */ 199 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 200 &x509DER, sizeof (KMF_DATA)); 201 numattr++; 202 203 if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != 204 KMF_OK) { 205 goto cleanup; 206 } 207 208 /* 209 * Store the cert in the DB. 210 */ 211 numattr = 0; 212 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 213 &kstype, sizeof (kstype)); 214 numattr++; 215 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 216 &x509DER, sizeof (KMF_DATA)); 217 numattr++; 218 219 if (certlabel != NULL) { 220 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, 221 certlabel, strlen(certlabel)); 222 numattr++; 223 } 224 225 kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); 226 227 228 cleanup: 229 kmf_free_data(&x509DER); 230 kmf_free_dn(&certSubject); 231 kmf_free_dn(&certIssuer); 232 return (kmfrv); 233 } 234 235 static int 236 gencert_file(KMF_HANDLE_T kmfhandle, 237 KMF_KEY_ALG keyAlg, KMF_ALGORITHM_INDEX sigAlg, 238 int keylen, KMF_ENCODE_FORMAT fmt, 239 uint32_t ltime, char *subject, char *altname, 240 KMF_GENERALNAMECHOICES alttype, int altcrit, 241 KMF_BIGINT *serial, uint16_t kubits, int kucrit, 242 char *outcert, char *outkey, 243 EKU_LIST *ekulist) 244 { 245 KMF_RETURN kmfrv; 246 KMF_KEY_HANDLE pubk, prik; 247 KMF_X509_CERTIFICATE signedCert; 248 KMF_X509_NAME certSubject; 249 KMF_X509_NAME certIssuer; 250 KMF_DATA x509DER; 251 char *fullcertpath = NULL; 252 char *fullkeypath = NULL; 253 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL; 254 KMF_ATTRIBUTE attrlist[10]; 255 int numattr = 0; 256 KMF_KEY_ALG keytype; 257 uint32_t keylength; 258 KMF_ENCODE_FORMAT format; 259 260 (void) memset(&signedCert, 0, sizeof (signedCert)); 261 (void) memset(&certSubject, 0, sizeof (certSubject)); 262 (void) memset(&certIssuer, 0, sizeof (certIssuer)); 263 (void) memset(&x509DER, 0, sizeof (x509DER)); 264 265 if (EMPTYSTRING(outcert) || EMPTYSTRING(outkey)) { 266 cryptoerror(LOG_STDERR, 267 gettext("No output file was specified for " 268 "the cert or key\n")); 269 return (PK_ERR_USAGE); 270 } 271 fullcertpath = strdup(outcert); 272 if (verify_file(fullcertpath)) { 273 cryptoerror(LOG_STDERR, 274 gettext("Cannot write the indicated output " 275 "certificate file (%s).\n"), fullcertpath); 276 free(fullcertpath); 277 return (PK_ERR_USAGE); 278 } 279 280 fullkeypath = strdup(outkey); 281 if (verify_file(fullkeypath)) { 282 cryptoerror(LOG_STDERR, 283 gettext("Cannot write the indicated output " 284 "key file (%s).\n"), fullkeypath); 285 free(fullkeypath); 286 free(fullcertpath); 287 return (PK_ERR_USAGE); 288 } 289 290 /* If the subject name cannot be parsed, flag it now and exit */ 291 if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { 292 cryptoerror(LOG_STDERR, 293 gettext("Subject name cannot be parsed (%s)\n"), subject); 294 return (PK_ERR_USAGE); 295 } 296 297 /* For a self-signed cert, the issuser and subject are the same */ 298 if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { 299 cryptoerror(LOG_STDERR, 300 gettext("Subject name cannot be parsed (%s)\n"), subject); 301 kmf_free_dn(&certSubject); 302 return (PK_ERR_USAGE); 303 } 304 305 keylength = keylen; /* bits */ 306 keytype = keyAlg; 307 format = fmt; 308 309 kmf_set_attr_at_index(attrlist, numattr, 310 KMF_KEYSTORE_TYPE_ATTR, &kstype, 311 sizeof (kstype)); 312 numattr++; 313 314 kmf_set_attr_at_index(attrlist, numattr, 315 KMF_KEYALG_ATTR, &keytype, 316 sizeof (keytype)); 317 numattr++; 318 319 kmf_set_attr_at_index(attrlist, numattr, 320 KMF_KEYLENGTH_ATTR, &keylength, 321 sizeof (keylength)); 322 numattr++; 323 324 if (fullkeypath != NULL) { 325 kmf_set_attr_at_index(attrlist, numattr, 326 KMF_KEY_FILENAME_ATTR, fullkeypath, 327 strlen(fullkeypath)); 328 numattr++; 329 } 330 331 kmf_set_attr_at_index(attrlist, numattr, 332 KMF_ENCODE_FORMAT_ATTR, &format, 333 sizeof (format)); 334 numattr++; 335 336 kmf_set_attr_at_index(attrlist, numattr, 337 KMF_PRIVKEY_HANDLE_ATTR, &prik, 338 sizeof (KMF_KEY_HANDLE)); 339 numattr++; 340 341 kmf_set_attr_at_index(attrlist, numattr, 342 KMF_PUBKEY_HANDLE_ATTR, &pubk, 343 sizeof (KMF_KEY_HANDLE)); 344 numattr++; 345 346 kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); 347 if (kmfrv != KMF_OK) { 348 goto cleanup; 349 } 350 351 SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), 352 "keypair"); 353 354 SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); 355 356 SET_VALUE(kmf_set_cert_serial(&signedCert, serial), 357 "serial number"); 358 359 SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), 360 "validity time"); 361 362 SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), 363 "signature algorithm"); 364 365 SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), 366 "subject name"); 367 368 SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), 369 "issuer name"); 370 371 if (altname != NULL) 372 SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, 373 alttype, altname), "subjectAltName"); 374 375 if (kubits != 0) 376 SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), 377 "KeyUsage"); 378 379 if (ekulist != NULL) { 380 int i; 381 for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) { 382 SET_VALUE(kmf_add_cert_eku(&signedCert, 383 &ekulist->ekulist[i], 384 ekulist->critlist[i]), "Extended Key Usage"); 385 } 386 } 387 /* 388 * Construct attributes for the kmf_sign_cert operation. 389 */ 390 numattr = 0; 391 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 392 &kstype, sizeof (kstype)); 393 numattr++; 394 395 kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, 396 &prik, sizeof (KMF_KEY_HANDLE_ATTR)); 397 numattr++; 398 399 /* cert data that is to be signed */ 400 kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, 401 &signedCert, sizeof (KMF_X509_CERTIFICATE)); 402 numattr++; 403 404 /* output buffer for the signed cert */ 405 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 406 &x509DER, sizeof (KMF_DATA)); 407 numattr++; 408 409 if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != 410 KMF_OK) { 411 goto cleanup; 412 } 413 414 /* 415 * Store the cert in the DB. 416 */ 417 numattr = 0; 418 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 419 &kstype, sizeof (kstype)); 420 numattr++; 421 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 422 &x509DER, sizeof (KMF_DATA)); 423 numattr++; 424 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_FILENAME_ATTR, 425 fullcertpath, strlen(fullcertpath)); 426 numattr++; 427 kmf_set_attr_at_index(attrlist, numattr, KMF_ENCODE_FORMAT_ATTR, 428 &fmt, sizeof (fmt)); 429 numattr++; 430 431 kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); 432 433 cleanup: 434 if (fullkeypath != NULL) 435 free(fullkeypath); 436 if (fullcertpath != NULL) 437 free(fullcertpath); 438 439 kmf_free_data(&x509DER); 440 kmf_free_dn(&certSubject); 441 kmf_free_dn(&certIssuer); 442 return (kmfrv); 443 } 444 445 static KMF_RETURN 446 gencert_nss(KMF_HANDLE_T kmfhandle, 447 char *token, char *subject, char *altname, 448 KMF_GENERALNAMECHOICES alttype, int altcrit, 449 char *nickname, char *dir, char *prefix, 450 KMF_KEY_ALG keyAlg, 451 KMF_ALGORITHM_INDEX sigAlg, 452 int keylen, char *trust, 453 uint32_t ltime, KMF_BIGINT *serial, uint16_t kubits, 454 int kucrit, KMF_CREDENTIAL *tokencred, 455 EKU_LIST *ekulist) 456 { 457 KMF_RETURN kmfrv; 458 KMF_KEY_HANDLE pubk, prik; 459 KMF_X509_CERTIFICATE signedCert; 460 KMF_X509_NAME certSubject; 461 KMF_X509_NAME certIssuer; 462 KMF_DATA x509DER; 463 KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_NSS; 464 KMF_ATTRIBUTE attrlist[16]; 465 int numattr = 0; 466 KMF_KEY_ALG keytype; 467 uint32_t keylength; 468 469 if (token == NULL) 470 token = DEFAULT_NSS_TOKEN; 471 472 kmfrv = configure_nss(kmfhandle, dir, prefix); 473 if (kmfrv != KMF_OK) 474 return (kmfrv); 475 476 (void) memset(&signedCert, 0, sizeof (signedCert)); 477 (void) memset(&certSubject, 0, sizeof (certSubject)); 478 (void) memset(&certIssuer, 0, sizeof (certIssuer)); 479 (void) memset(&x509DER, 0, sizeof (x509DER)); 480 481 /* If the subject name cannot be parsed, flag it now and exit */ 482 if (kmf_dn_parser(subject, &certSubject) != KMF_OK) { 483 cryptoerror(LOG_STDERR, 484 gettext("Subject name cannot be parsed.\n")); 485 return (PK_ERR_USAGE); 486 } 487 488 /* For a self-signed cert, the issuser and subject are the same */ 489 if (kmf_dn_parser(subject, &certIssuer) != KMF_OK) { 490 cryptoerror(LOG_STDERR, 491 gettext("Subject name cannot be parsed.\n")); 492 return (PK_ERR_USAGE); 493 } 494 495 keylength = keylen; /* bits */ 496 keytype = keyAlg; 497 498 kmf_set_attr_at_index(attrlist, numattr, 499 KMF_KEYSTORE_TYPE_ATTR, &kstype, 500 sizeof (kstype)); 501 numattr++; 502 503 kmf_set_attr_at_index(attrlist, numattr, 504 KMF_KEYALG_ATTR, &keytype, 505 sizeof (keytype)); 506 numattr++; 507 508 kmf_set_attr_at_index(attrlist, numattr, 509 KMF_KEYLENGTH_ATTR, &keylength, 510 sizeof (keylength)); 511 numattr++; 512 513 if (nickname != NULL) { 514 kmf_set_attr_at_index(attrlist, numattr, 515 KMF_KEYLABEL_ATTR, nickname, 516 strlen(nickname)); 517 numattr++; 518 } 519 520 if (tokencred != NULL && tokencred->cred != NULL) { 521 kmf_set_attr_at_index(attrlist, numattr, 522 KMF_CREDENTIAL_ATTR, tokencred, 523 sizeof (KMF_CREDENTIAL)); 524 numattr++; 525 } 526 527 if (token != NULL) { 528 kmf_set_attr_at_index(attrlist, numattr, 529 KMF_TOKEN_LABEL_ATTR, token, 530 strlen(token)); 531 numattr++; 532 } 533 534 kmf_set_attr_at_index(attrlist, numattr, 535 KMF_PRIVKEY_HANDLE_ATTR, &prik, 536 sizeof (KMF_KEY_HANDLE)); 537 numattr++; 538 539 kmf_set_attr_at_index(attrlist, numattr, 540 KMF_PUBKEY_HANDLE_ATTR, &pubk, 541 sizeof (KMF_KEY_HANDLE)); 542 numattr++; 543 544 kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist); 545 if (kmfrv != KMF_OK) { 546 return (kmfrv); 547 } 548 549 SET_VALUE(kmf_set_cert_pubkey(kmfhandle, &pubk, &signedCert), 550 "keypair"); 551 552 SET_VALUE(kmf_set_cert_version(&signedCert, 2), "version number"); 553 554 SET_VALUE(kmf_set_cert_serial(&signedCert, serial), 555 "serial number"); 556 557 SET_VALUE(kmf_set_cert_validity(&signedCert, NULL, ltime), 558 "validity time"); 559 560 SET_VALUE(kmf_set_cert_sig_alg(&signedCert, sigAlg), 561 "signature algorithm"); 562 563 SET_VALUE(kmf_set_cert_subject(&signedCert, &certSubject), 564 "subject name"); 565 566 SET_VALUE(kmf_set_cert_issuer(&signedCert, &certIssuer), 567 "issuer name"); 568 569 if (altname != NULL) 570 SET_VALUE(kmf_set_cert_subject_altname(&signedCert, altcrit, 571 alttype, altname), "subjectAltName"); 572 573 if (kubits) 574 SET_VALUE(kmf_set_cert_ku(&signedCert, kucrit, kubits), 575 "subjectAltName"); 576 577 if (ekulist != NULL) { 578 int i; 579 for (i = 0; kmfrv == KMF_OK && i < ekulist->eku_count; i++) { 580 SET_VALUE(kmf_add_cert_eku(&signedCert, 581 &ekulist->ekulist[i], 582 ekulist->critlist[i]), "Extended Key Usage"); 583 } 584 } 585 /* 586 * Construct attributes for the kmf_sign_cert operation. 587 */ 588 numattr = 0; 589 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 590 &kstype, sizeof (kstype)); 591 numattr++; 592 593 kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR, 594 &prik, sizeof (KMF_KEY_HANDLE_ATTR)); 595 numattr++; 596 597 /* cert data that is to be signed */ 598 kmf_set_attr_at_index(attrlist, numattr, KMF_X509_CERTIFICATE_ATTR, 599 &signedCert, sizeof (KMF_X509_CERTIFICATE)); 600 numattr++; 601 602 /* output buffer for the signed cert */ 603 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 604 &x509DER, sizeof (KMF_DATA)); 605 numattr++; 606 607 if ((kmfrv = kmf_sign_cert(kmfhandle, numattr, attrlist)) != 608 KMF_OK) { 609 goto cleanup; 610 } 611 612 /* 613 * Store the cert in the DB. 614 */ 615 numattr = 0; 616 kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR, 617 &kstype, sizeof (kstype)); 618 numattr++; 619 620 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR, 621 &x509DER, sizeof (KMF_DATA)); 622 numattr++; 623 624 if (nickname != NULL) { 625 kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_LABEL_ATTR, 626 nickname, strlen(nickname)); 627 numattr++; 628 } 629 630 if (trust != NULL) { 631 kmf_set_attr_at_index(attrlist, numattr, KMF_TRUSTFLAG_ATTR, 632 trust, strlen(trust)); 633 numattr++; 634 } 635 636 if (token != NULL) { 637 kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR, 638 token, strlen(token)); 639 numattr++; 640 } 641 642 kmfrv = kmf_store_cert(kmfhandle, numattr, attrlist); 643 644 cleanup: 645 kmf_free_data(&x509DER); 646 kmf_free_dn(&certSubject); 647 kmf_free_dn(&certIssuer); 648 return (kmfrv); 649 } 650 651 int 652 pk_gencert(int argc, char *argv[]) 653 { 654 int rv; 655 int opt; 656 extern int optind_av; 657 extern char *optarg_av; 658 KMF_KEYSTORE_TYPE kstype = 0; 659 char *subject = NULL; 660 char *tokenname = NULL; 661 char *dir = NULL; 662 char *prefix = NULL; 663 char *keytype = PK_DEFAULT_KEYTYPE; 664 int keylen = PK_DEFAULT_KEYLENGTH; 665 char *trust = NULL; 666 char *lifetime = NULL; 667 char *certlabel = NULL; 668 char *outcert = NULL; 669 char *outkey = NULL; 670 char *format = NULL; 671 char *serstr = NULL; 672 char *altname = NULL; 673 char *keyusagestr = NULL; 674 char *ekustr = NULL; 675 KMF_GENERALNAMECHOICES alttype = 0; 676 KMF_BIGINT serial = { NULL, 0 }; 677 uint32_t ltime; 678 KMF_HANDLE_T kmfhandle = NULL; 679 KMF_ENCODE_FORMAT fmt = KMF_FORMAT_ASN1; 680 KMF_KEY_ALG keyAlg = KMF_RSA; 681 KMF_ALGORITHM_INDEX sigAlg = KMF_ALGID_MD5WithRSA; 682 boolean_t interactive = B_FALSE; 683 char *subname = NULL; 684 KMF_CREDENTIAL tokencred = {NULL, 0}; 685 uint16_t kubits = 0; 686 int altcrit = 0, kucrit = 0; 687 EKU_LIST *ekulist = NULL; 688 689 while ((opt = getopt_av(argc, argv, 690 "ik:(keystore)s:(subject)n:(nickname)A:(altname)" 691 "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)" 692 "r:(trust)L:(lifetime)l:(label)c:(outcert)e:(eku)" 693 "K:(outkey)S:(serial)F:(format)u:(keyusage)")) != EOF) { 694 695 if (opt != 'i' && EMPTYSTRING(optarg_av)) 696 return (PK_ERR_USAGE); 697 698 switch (opt) { 699 case 'A': 700 altname = optarg_av; 701 break; 702 case 'i': 703 if (interactive || subject) 704 return (PK_ERR_USAGE); 705 else 706 interactive = B_TRUE; 707 break; 708 case 'k': 709 kstype = KS2Int(optarg_av); 710 if (kstype == 0) 711 return (PK_ERR_USAGE); 712 break; 713 case 's': 714 if (interactive || subject) 715 return (PK_ERR_USAGE); 716 else 717 subject = optarg_av; 718 break; 719 case 'l': 720 case 'n': 721 if (certlabel) 722 return (PK_ERR_USAGE); 723 certlabel = optarg_av; 724 break; 725 case 'T': 726 if (tokenname) 727 return (PK_ERR_USAGE); 728 tokenname = optarg_av; 729 break; 730 case 'd': 731 if (dir) 732 return (PK_ERR_USAGE); 733 dir = optarg_av; 734 break; 735 case 'p': 736 if (prefix) 737 return (PK_ERR_USAGE); 738 prefix = optarg_av; 739 break; 740 case 't': 741 keytype = optarg_av; 742 break; 743 case 'u': 744 keyusagestr = optarg_av; 745 break; 746 case 'y': 747 if (sscanf(optarg_av, "%d", 748 &keylen) != 1) { 749 cryptoerror(LOG_STDERR, 750 gettext("key length must be" 751 "a numeric value (%s)\n"), 752 optarg_av); 753 return (PK_ERR_USAGE); 754 } 755 break; 756 case 'r': 757 if (trust) 758 return (PK_ERR_USAGE); 759 trust = optarg_av; 760 break; 761 case 'L': 762 if (lifetime) 763 return (PK_ERR_USAGE); 764 lifetime = optarg_av; 765 break; 766 case 'c': 767 if (outcert) 768 return (PK_ERR_USAGE); 769 outcert = optarg_av; 770 break; 771 case 'K': 772 if (outkey) 773 return (PK_ERR_USAGE); 774 outkey = optarg_av; 775 break; 776 case 'S': 777 serstr = optarg_av; 778 break; 779 case 'F': 780 if (format) 781 return (PK_ERR_USAGE); 782 format = optarg_av; 783 break; 784 case 'e': 785 ekustr = optarg_av; 786 break; 787 default: 788 return (PK_ERR_USAGE); 789 } 790 } 791 792 /* No additional args allowed. */ 793 argc -= optind_av; 794 argv += optind_av; 795 if (argc) { 796 return (PK_ERR_USAGE); 797 } 798 799 if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) { 800 cryptoerror(LOG_STDERR, gettext("Error initializing KMF\n")); 801 return (PK_ERR_USAGE); 802 } 803 804 /* Assume keystore = PKCS#11 if not specified. */ 805 if (kstype == 0) 806 kstype = KMF_KEYSTORE_PK11TOKEN; 807 808 if ((kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN)) { 809 if (interactive && EMPTYSTRING(certlabel)) { 810 (void) get_certlabel(&certlabel); 811 } 812 /* It better not be empty now */ 813 if (EMPTYSTRING(certlabel)) { 814 cryptoerror(LOG_STDERR, gettext("A label must be " 815 "specified to create a self-signed certificate." 816 "\n")); 817 return (PK_ERR_USAGE); 818 } 819 } else if (kstype == KMF_KEYSTORE_OPENSSL && EMPTYSTRING(outcert)) { 820 cryptoerror(LOG_STDERR, gettext("A certificate filename must " 821 "be specified to create a self-signed certificate.\n")); 822 return (PK_ERR_USAGE); 823 } 824 825 if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) { 826 cryptoerror(LOG_STDERR, 827 gettext("Error parsing format string (%s).\n"), 828 format); 829 return (PK_ERR_USAGE); 830 } 831 832 if (Str2Lifetime(lifetime, <ime) != 0) { 833 cryptoerror(LOG_STDERR, 834 gettext("Error parsing lifetime string\n")); 835 return (PK_ERR_USAGE); 836 } 837 838 if (Str2KeyType(keytype, &keyAlg, &sigAlg) != 0) { 839 cryptoerror(LOG_STDERR, gettext("Unrecognized keytype (%s).\n"), 840 keytype); 841 return (PK_ERR_USAGE); 842 } 843 844 /* 845 * Check the subject name. 846 * If interactive is true, get it now interactively. 847 */ 848 if (interactive) { 849 subname = NULL; 850 if (get_subname(&subname) != KMF_OK || subname == NULL) { 851 cryptoerror(LOG_STDERR, gettext("Failed to get the " 852 "subject name interactively.\n")); 853 return (PK_ERR_USAGE); 854 } 855 if (serstr == NULL) { 856 (void) get_serial(&serstr); 857 } 858 } else { 859 if (EMPTYSTRING(subject)) { 860 cryptoerror(LOG_STDERR, gettext("A subject name or " 861 "-i must be specified to create a self-signed " 862 "certificate.\n")); 863 return (PK_ERR_USAGE); 864 } else { 865 subname = strdup(subject); 866 if (subname == NULL) { 867 cryptoerror(LOG_STDERR, 868 gettext("Out of memory.\n")); 869 return (PK_ERR_SYSTEM); 870 } 871 } 872 } 873 874 if (serstr == NULL) { 875 (void) fprintf(stderr, gettext("A serial number " 876 "must be specified as a hex number when creating" 877 " a self-signed certificate " 878 "(ex: serial=0x0102030405feedface)\n")); 879 rv = PK_ERR_USAGE; 880 goto end; 881 } else { 882 uchar_t *bytes = NULL; 883 size_t bytelen; 884 885 rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen); 886 if (rv != KMF_OK || bytes == NULL) { 887 (void) fprintf(stderr, gettext("serial number " 888 "must be specified as a hex number " 889 "(ex: 0x0102030405ffeeddee)\n")); 890 rv = PK_ERR_USAGE; 891 goto end; 892 } 893 serial.val = bytes; 894 serial.len = bytelen; 895 } 896 897 if (altname != NULL) { 898 rv = verify_altname(altname, &alttype, &altcrit); 899 if (rv != KMF_OK) { 900 (void) fprintf(stderr, gettext("Subject AltName " 901 "must be specified as a name=value pair. " 902 "See the man page for details.\n")); 903 rv = PK_ERR_USAGE; 904 goto end; 905 } else { 906 /* advance the altname past the '=' sign */ 907 char *p = strchr(altname, '='); 908 if (p != NULL) 909 altname = p + 1; 910 } 911 } 912 913 if (keyusagestr != NULL) { 914 rv = verify_keyusage(keyusagestr, &kubits, &kucrit); 915 if (rv != KMF_OK) { 916 (void) fprintf(stderr, gettext("KeyUsage " 917 "must be specified as a comma-separated list. " 918 "See the man page for details.\n")); 919 rv = PK_ERR_USAGE; 920 goto end; 921 } 922 } 923 if (ekustr != NULL) { 924 rv = verify_ekunames(ekustr, &ekulist); 925 if (rv != KMF_OK) { 926 (void) fprintf(stderr, gettext("EKUs must " 927 "be specified as a comma-separated list. " 928 "See the man page for details.\n")); 929 rv = PK_ERR_USAGE; 930 goto end; 931 } 932 } 933 934 if (kstype == KMF_KEYSTORE_NSS || kstype == KMF_KEYSTORE_PK11TOKEN) { 935 if (tokenname == NULL || !strlen(tokenname)) { 936 if (kstype == KMF_KEYSTORE_NSS) { 937 tokenname = "internal"; 938 } else { 939 tokenname = PK_DEFAULT_PK11TOKEN; 940 } 941 } 942 943 (void) get_token_password(kstype, tokenname, &tokencred); 944 } 945 946 if (kstype == KMF_KEYSTORE_NSS) { 947 if (dir == NULL) 948 dir = PK_DEFAULT_DIRECTORY; 949 950 rv = gencert_nss(kmfhandle, 951 tokenname, subname, altname, alttype, altcrit, 952 certlabel, dir, prefix, keyAlg, sigAlg, keylen, 953 trust, ltime, &serial, kubits, kucrit, &tokencred, 954 ekulist); 955 956 } else if (kstype == KMF_KEYSTORE_PK11TOKEN) { 957 rv = gencert_pkcs11(kmfhandle, 958 tokenname, subname, altname, alttype, altcrit, 959 certlabel, keyAlg, sigAlg, keylen, ltime, 960 &serial, kubits, kucrit, &tokencred, ekulist); 961 962 } else if (kstype == KMF_KEYSTORE_OPENSSL) { 963 rv = gencert_file(kmfhandle, 964 keyAlg, sigAlg, keylen, fmt, 965 ltime, subname, altname, alttype, altcrit, 966 &serial, kubits, kucrit, outcert, outkey, 967 ekulist); 968 } 969 970 if (rv != KMF_OK) 971 display_error(kmfhandle, rv, 972 gettext("Error creating certificate and keypair")); 973 end: 974 if (ekulist != NULL) 975 free_eku_list(ekulist); 976 if (subname) 977 free(subname); 978 if (tokencred.cred != NULL) 979 free(tokencred.cred); 980 981 if (serial.val != NULL) 982 free(serial.val); 983 984 (void) kmf_finalize(kmfhandle); 985 return (rv); 986 } 987