xref: /titanic_50/usr/src/lib/libkmf/ber_der/common/clasn1.c (revision 3eae19d9cf3390cf5b75e10c9c1945fd36ad856a)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 /*
6  * Copyright (c) 1995-1999 Intel Corporation. All rights reserved.
7  */
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #include <strings.h>
12 #include <kmftypes.h>
13 #include <ber_der.h>
14 #include <kmfapi.h>
15 #include <kmfapiP.h>
16 
17 #include <stdio.h>
18 
19 #define	DSA_RAW_SIG_LEN	40
20 
21 static uint8_t OID_ExtensionRequest[] = { OID_PKCS_9, 14 };
22 const KMF_OID extension_request_oid = {OID_PKCS_9_LENGTH + 1,
23 	OID_ExtensionRequest};
24 
25 static KMF_RETURN
26 encode_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid)
27 {
28 	KMF_RETURN ret = KMF_OK;
29 
30 	if (kmfber_printf(asn1, "{D", &algoid->algorithm) == -1) {
31 		ret = KMF_ERR_BAD_CERT_FORMAT;
32 	}
33 	if (algoid->parameters.Data == NULL ||
34 		algoid->parameters.Length == 0) {
35 		if (kmfber_printf(asn1, "n}") == -1)
36 			return (KMF_ERR_BAD_CERT_FORMAT);
37 	} else {
38 		/*
39 		 * The algorithm data can be anything, so we just write it
40 		 * straight into the buffer.  It is already DER encoded.
41 		 */
42 		(void) kmfber_write(asn1, (char *)algoid->parameters.Data,
43 			algoid->parameters.Length, 0);
44 		if (kmfber_printf(asn1, "}") == -1) {
45 			ret = KMF_ERR_BAD_CERT_FORMAT;
46 		}
47 	}
48 
49 	return (ret);
50 }
51 
52 static void
53 free_data(KMF_DATA *data)
54 {
55 	if (data == NULL || data->Data == NULL)
56 		return;
57 
58 	free(data->Data);
59 	data->Data = NULL;
60 	data->Length = 0;
61 }
62 
63 static void
64 free_algoid(KMF_X509_ALGORITHM_IDENTIFIER *algoid)
65 {
66 	free_data(&algoid->algorithm);
67 	free_data(&algoid->parameters);
68 }
69 
70 static void
71 free_decoded_spki(KMF_X509_SPKI *spki)
72 {
73 	if (spki != NULL) {
74 		free_algoid(&spki->algorithm);
75 		free_data(&spki->subjectPublicKey);
76 	}
77 }
78 
79 static void
80 free_rdn_data(KMF_X509_NAME *name)
81 {
82 	KMF_X509_RDN 		*newrdn = NULL;
83 	KMF_X509_TYPE_VALUE_PAIR *av = NULL;
84 	int i, j;
85 
86 	if (name && name->numberOfRDNs) {
87 		for (i = 0; i < name->numberOfRDNs; i++) {
88 			newrdn = &name->RelativeDistinguishedName[i];
89 			for (j = 0; j < newrdn->numberOfPairs; j++) {
90 				av = &newrdn->AttributeTypeAndValue[j];
91 				free_data(&av->type);
92 				free_data(&av->value);
93 			}
94 			free(newrdn->AttributeTypeAndValue);
95 		}
96 		free(name->RelativeDistinguishedName);
97 		name->numberOfRDNs = 0;
98 		name->RelativeDistinguishedName = NULL;
99 	}
100 }
101 
102 static void
103 free_validity(KMF_X509_VALIDITY *validity)
104 {
105 	free_data(&validity->notBefore.time);
106 	free_data(&validity->notAfter.time);
107 }
108 
109 static void
110 free_one_extension(KMF_X509_EXTENSION *exptr)
111 {
112 	free_data(&exptr->extnId);
113 	free_data(&exptr->BERvalue);
114 
115 	if (exptr->value.tagAndValue) {
116 		free_data(&exptr->value.tagAndValue->value);
117 		free(exptr->value.tagAndValue);
118 	}
119 }
120 
121 static void
122 free_extensions(KMF_X509_EXTENSIONS *extns)
123 {
124 	int i;
125 	KMF_X509_EXTENSION *exptr;
126 
127 	if (extns && extns->numberOfExtensions > 0) {
128 		for (i = 0; i < extns->numberOfExtensions; i++) {
129 			exptr = &extns->extensions[i];
130 			free_one_extension(exptr);
131 		}
132 		free(extns->extensions);
133 		extns->numberOfExtensions = 0;
134 		extns->extensions = NULL;
135 	}
136 }
137 
138 static void
139 free_tbscsr(KMF_TBS_CSR *tbscsr)
140 {
141 	if (tbscsr) {
142 		free_data(&tbscsr->version);
143 
144 		free_rdn_data(&tbscsr->subject);
145 
146 		free_decoded_spki(&tbscsr->subjectPublicKeyInfo);
147 
148 		free_extensions(&tbscsr->extensions);
149 	}
150 }
151 
152 
153 static void
154 free_bigint(KMF_BIGINT *bn)
155 {
156 	if (bn != NULL && bn->val != NULL) {
157 		free(bn->val);
158 		bn->val = NULL;
159 		bn->len = 0;
160 	}
161 }
162 
163 static void
164 free_tbscert(KMF_X509_TBS_CERT *tbscert)
165 {
166 	if (tbscert) {
167 		free_data(&tbscert->version);
168 		free_bigint(&tbscert->serialNumber);
169 		free_algoid(&tbscert->signature);
170 
171 		free_rdn_data(&tbscert->issuer);
172 		free_rdn_data(&tbscert->subject);
173 
174 		free_validity(&tbscert->validity);
175 
176 		free_data(&tbscert->issuerUniqueIdentifier);
177 		free_data(&tbscert->subjectUniqueIdentifier);
178 		free_decoded_spki(&tbscert->subjectPublicKeyInfo);
179 		free_extensions(&tbscert->extensions);
180 
181 		free_data(&tbscert->issuerUniqueIdentifier);
182 		free_data(&tbscert->subjectUniqueIdentifier);
183 	}
184 }
185 
186 static void
187 free_decoded_cert(KMF_X509_CERTIFICATE *certptr)
188 {
189 	if (!certptr)
190 		return;
191 
192 	free_tbscert(&certptr->certificate);
193 
194 	free_algoid(&certptr->signature.algorithmIdentifier);
195 	free_data(&certptr->signature.encrypted);
196 }
197 
198 static KMF_RETURN
199 get_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid)
200 {
201 	KMF_RETURN ret = KMF_OK;
202 	ber_tag_t tag, newtag;
203 	ber_len_t size;
204 	BerValue AlgOID = {NULL, 0};
205 
206 	tag = kmfber_next_element(asn1, &size, NULL);
207 	if (tag != BER_CONSTRUCTED_SEQUENCE)
208 		return (KMF_ERR_BAD_CERT_FORMAT);
209 
210 	if ((tag = kmfber_scanf(asn1, "{Dt", &AlgOID, &newtag)) == -1) {
211 		return (KMF_ERR_BAD_CERT_FORMAT);
212 	}
213 	algoid->algorithm.Data = (uchar_t *)AlgOID.bv_val;
214 	algoid->algorithm.Length = AlgOID.bv_len;
215 
216 	if (newtag == BER_NULL) {
217 		(void) kmfber_scanf(asn1, "n}");
218 		algoid->parameters.Data = NULL;
219 		algoid->parameters.Length = 0;
220 	} else {
221 		/* Peek at the tag and length bytes */
222 		if ((kmfber_scanf(asn1, "tl", &tag, &size)) == -1) {
223 			ret = KMF_ERR_BAD_CERT_FORMAT;
224 			goto cleanup;
225 		}
226 
227 		/*
228 		 * We need to read the tag and the length bytes too,
229 		 * so adjust the size.
230 		 */
231 		size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size);
232 		algoid->parameters.Data = malloc(size);
233 		if (algoid->parameters.Data == NULL) {
234 			ret = KMF_ERR_MEMORY;
235 			goto cleanup;
236 		}
237 		/* read the raw data into the Algoritm params area. */
238 		if (kmfber_read(asn1, (char *)algoid->parameters.Data,
239 			size) == -1) {
240 			ret = KMF_ERR_BAD_CERT_FORMAT;
241 			goto cleanup;
242 		}
243 		algoid->parameters.Length = size;
244 		if ((tag = kmfber_scanf(asn1, "}")) == -1) {
245 			ret = KMF_ERR_BAD_CERT_FORMAT;
246 		}
247 	}
248 cleanup:
249 	if (ret != KMF_OK) {
250 		free_algoid(algoid);
251 	}
252 
253 	return (ret);
254 }
255 
256 static KMF_RETURN
257 CopyData(KMF_DATA *src, KMF_DATA *dst)
258 {
259 	if (src && dst && src->Data != NULL && src->Length > 0) {
260 		dst->Length = src->Length;
261 		dst->Data = malloc(dst->Length);
262 		if (dst->Data == NULL)
263 			return (KMF_ERR_MEMORY);
264 		(void) memcpy(dst->Data, src->Data, src->Length);
265 	}
266 	return (KMF_OK);
267 }
268 
269 static KMF_RETURN
270 encode_spki(BerElement *asn1, KMF_X509_SPKI *spki)
271 {
272 	KMF_RETURN ret = KMF_OK;
273 
274 	if (kmfber_printf(asn1, "{") == -1)
275 		return (KMF_ERR_BAD_CERT_FORMAT);
276 
277 	if ((ret = encode_algoid(asn1, &spki->algorithm)) != KMF_OK)
278 		return (ret);
279 
280 	if (kmfber_printf(asn1, "B}", spki->subjectPublicKey.Data,
281 				spki->subjectPublicKey.Length * 8) == -1)
282 		return (KMF_ERR_BAD_CERT_FORMAT);
283 
284 	return (ret);
285 }
286 
287 KMF_RETURN
288 DerEncodeSPKI(KMF_X509_SPKI *spki, KMF_DATA *EncodedSPKI)
289 {
290 	KMF_RETURN ret = KMF_OK;
291 	BerElement *asn1;
292 	BerValue *result;
293 
294 	if (spki == NULL || EncodedSPKI == NULL)
295 		return (KMF_ERR_BAD_PARAMETER);
296 
297 	if ((asn1 = kmfder_alloc()) == NULL)
298 		return (KMF_ERR_MEMORY);
299 
300 	if ((ret = encode_spki(asn1, spki)) != KMF_OK) {
301 		return (ret);
302 	}
303 
304 	if (kmfber_flatten(asn1, &result) == -1) {
305 		kmfber_free(asn1, 1);
306 		return (KMF_ERR_ENCODING);
307 	}
308 
309 	EncodedSPKI->Data = (uchar_t *)result->bv_val;
310 	EncodedSPKI->Length = result->bv_len;
311 
312 	free(result);
313 	kmfber_free(asn1, 1);
314 	return (KMF_OK);
315 }
316 
317 static KMF_RETURN
318 get_spki(BerElement *asn1, KMF_X509_SPKI *spki)
319 {
320 	KMF_RETURN ret = KMF_OK;
321 	char *bitstr = NULL;
322 	ber_len_t size;
323 
324 	if (kmfber_scanf(asn1, "{") == -1)
325 		return (KMF_ERR_BAD_CERT_FORMAT);
326 
327 	if ((ret = get_algoid(asn1, &spki->algorithm)) != KMF_OK)
328 		return (ret);
329 
330 	if (kmfber_scanf(asn1, "B}", &bitstr, &size) == BER_BIT_STRING) {
331 		spki->subjectPublicKey.Data = (uchar_t *)bitstr;
332 		spki->subjectPublicKey.Length = size / 8;
333 	} else {
334 		ret = KMF_ERR_BAD_CERT_FORMAT;
335 		goto cleanup;
336 	}
337 cleanup:
338 	if (ret != KMF_OK) {
339 		if (bitstr != NULL)
340 			free(bitstr);
341 		spki->subjectPublicKey.Data = NULL;
342 		spki->subjectPublicKey.Length = 0;
343 
344 		free_algoid(&spki->algorithm);
345 	}
346 	return (ret);
347 }
348 
349 KMF_RETURN
350 DerEncodeDSASignature(KMF_DATA *rawdata, KMF_DATA *signature)
351 {
352 	BerElement *asn1;
353 	BerValue *buf;
354 	int n;
355 
356 	if (rawdata == NULL || signature == NULL)
357 		return (KMF_ERR_BAD_PARAMETER);
358 
359 	if (rawdata->Data == NULL || rawdata->Length != DSA_RAW_SIG_LEN)
360 		return (KMF_ERR_BAD_PARAMETER);
361 
362 	asn1 = kmfder_alloc();
363 	if (asn1 == NULL)
364 		return (KMF_ERR_MEMORY);
365 
366 	/*
367 	 * The DSA signature is the concatenation of 2 SHA-1 hashed
368 	 * bignum values.
369 	 */
370 	n = DSA_RAW_SIG_LEN/2;
371 	if (kmfber_printf(asn1, "{II}",
372 			rawdata->Data, n,
373 			&rawdata->Data[n], n) == -1) {
374 		kmfber_free(asn1, 1);
375 		return (KMF_ERR_MEMORY);
376 	}
377 
378 	if (kmfber_flatten(asn1, &buf) == -1) {
379 		kmfber_free(asn1, 1);
380 		return (KMF_ERR_ENCODING);
381 	}
382 
383 	signature->Data = (uchar_t *)buf->bv_val;
384 	signature->Length = buf->bv_len;
385 
386 	kmfber_free(asn1, 1);
387 	free(buf);
388 
389 	return (KMF_OK);
390 }
391 
392 KMF_RETURN
393 DerDecodeDSASignature(KMF_DATA *encoded, KMF_DATA *signature)
394 {
395 	KMF_RETURN ret = KMF_OK;
396 	BerElement *asn1 = NULL;
397 	BerValue buf, *R = NULL, *S = NULL;
398 
399 	buf.bv_val = (char *)encoded->Data;
400 	buf.bv_len = encoded->Length;
401 
402 	if (encoded == NULL || encoded->Data == NULL ||
403 	    signature == NULL)
404 		return (KMF_ERR_BAD_PARAMETER);
405 
406 	signature->Data = NULL;
407 	signature->Length = 0;
408 
409 	if ((asn1 = kmfder_init(&buf)) == NULL)
410 		return (KMF_ERR_MEMORY);
411 
412 	if (kmfber_scanf(asn1, "{II}", &R, &S) == -1) {
413 		ret = KMF_ERR_BAD_PARAMETER;
414 		goto cleanup;
415 	}
416 	signature->Length = R->bv_len + S->bv_len;
417 	signature->Data = malloc(signature->Length);
418 	if (signature->Data == NULL)  {
419 		ret = KMF_ERR_MEMORY;
420 		goto cleanup;
421 	}
422 	(void) memcpy(signature->Data, R->bv_val, R->bv_len);
423 	(void) memcpy(&signature->Data[R->bv_len], S->bv_val, S->bv_len);
424 
425 cleanup:
426 	if (R && R->bv_val)
427 		free(R->bv_val);
428 	if (S && S->bv_val)
429 		free(S->bv_val);
430 
431 	if (S) free(S);
432 	if (R) free(R);
433 
434 	if (asn1) kmfber_free(asn1, 1);
435 
436 	return (ret);
437 }
438 
439 KMF_RETURN
440 DerDecodeSPKI(KMF_DATA *EncodedSPKI, KMF_X509_SPKI *spki)
441 {
442 	KMF_RETURN ret = KMF_OK;
443 	BerElement *asn1;
444 	BerValue bv;
445 
446 	if (EncodedSPKI == NULL || EncodedSPKI->Data == NULL ||
447 		spki == NULL)
448 		return (KMF_ERR_BAD_PARAMETER);
449 
450 	(void) memset(spki, 0, sizeof (KMF_X509_SPKI));
451 
452 	bv.bv_val = (char *)EncodedSPKI->Data;
453 	bv.bv_len = EncodedSPKI->Length;
454 
455 	if ((asn1 = kmfder_init(&bv)) == NULL)
456 		return (KMF_ERR_MEMORY);
457 
458 	ret = get_spki(asn1, spki);
459 
460 cleanup:
461 	if (ret != KMF_OK) {
462 		free_decoded_spki(spki);
463 	}
464 	kmfber_free(asn1, 1);
465 
466 	return (ret);
467 }
468 
469 KMF_RETURN
470 CopySPKI(KMF_X509_SPKI *src,
471 		KMF_X509_SPKI **dest)
472 {
473 	KMF_RETURN ret = KMF_OK;
474 	KMF_X509_SPKI *newspki;
475 
476 	*dest = NULL;
477 
478 	newspki = malloc(sizeof (KMF_X509_SPKI));
479 	if (newspki == NULL)
480 		return (KMF_ERR_MEMORY);
481 	(void) memset(newspki, 0, sizeof (KMF_X509_SPKI));
482 
483 	ret = CopyData(&src->algorithm.algorithm,
484 		&newspki->algorithm.algorithm);
485 	if (ret != KMF_OK)
486 		goto cleanup;
487 
488 	ret = CopyData(&src->algorithm.parameters,
489 			&newspki->algorithm.parameters);
490 	if (ret != KMF_OK)
491 		goto cleanup;
492 
493 	ret = CopyData(&src->subjectPublicKey,
494 		&newspki->subjectPublicKey);
495 	if (ret != KMF_OK)
496 		goto cleanup;
497 
498 	*dest = newspki;
499 cleanup:
500 	if (ret != KMF_OK) {
501 		if (newspki)
502 			free_decoded_spki(newspki);
503 	}
504 	return (ret);
505 }
506 
507 static KMF_RETURN
508 encode_validity(BerElement *asn1, KMF_X509_VALIDITY *validity)
509 {
510 	int ret;
511 
512 	ret = kmfber_printf(asn1, "{tsts}",
513 			validity->notBefore.timeType,
514 			validity->notBefore.time.Data,
515 			validity->notAfter.timeType,
516 			validity->notAfter.time.Data);
517 
518 	if (ret == -1)
519 		return (KMF_ERR_BAD_CERT_FORMAT);
520 
521 	return (KMF_OK);
522 }
523 
524 static KMF_RETURN
525 get_validity(BerElement *asn1, KMF_X509_VALIDITY *validity)
526 {
527 	KMF_RETURN ret = KMF_OK;
528 	int tag;
529 	int t1, t2;
530 	ber_len_t size;
531 	char *t1str, *t2str;
532 
533 	(void) memset(validity, 0, sizeof (KMF_X509_VALIDITY));
534 
535 	tag = kmfber_next_element(asn1, &size, NULL);
536 	if (tag != BER_CONSTRUCTED_SEQUENCE) {
537 		return (KMF_ERR_BAD_CERT_FORMAT);
538 	}
539 
540 	if (kmfber_scanf(asn1, "{tata}", &t1, &t1str, &t2, &t2str) == -1) {
541 		return (KMF_ERR_BAD_CERT_FORMAT);
542 	}
543 
544 	validity->notBefore.timeType = t1;
545 	validity->notBefore.time.Data = (uchar_t *)t1str;
546 	validity->notBefore.time.Length = strlen(t1str);
547 
548 	validity->notAfter.timeType = t2;
549 	validity->notAfter.time.Data = (uchar_t *)t2str;
550 	validity->notAfter.time.Length = strlen(t2str);
551 
552 	return (ret);
553 }
554 
555 KMF_RETURN
556 AddRDN(KMF_X509_NAME *name, KMF_X509_RDN *newrdn)
557 {
558 	KMF_RETURN ret = KMF_OK;
559 	KMF_X509_RDN *rdnslot = NULL;
560 
561 	/* Add new RDN record to existing list */
562 	name->numberOfRDNs++;
563 	name->RelativeDistinguishedName =
564 			realloc(name->RelativeDistinguishedName,
565 			name->numberOfRDNs * sizeof (KMF_X509_RDN));
566 
567 	if (name->RelativeDistinguishedName == NULL) {
568 		ret = KMF_ERR_MEMORY;
569 		goto cleanup;
570 	}
571 	rdnslot = &name->RelativeDistinguishedName[name->numberOfRDNs-1];
572 
573 	if (newrdn) {
574 		(void) memcpy(rdnslot, newrdn, sizeof (KMF_X509_RDN));
575 	} else {
576 		rdnslot->numberOfPairs = 0;
577 		rdnslot->AttributeTypeAndValue = NULL;
578 	}
579 
580 cleanup:
581 	/* No cleanup needed here */
582 	return (ret);
583 }
584 
585 static KMF_RETURN
586 encode_rdn(BerElement *asn1, KMF_X509_NAME *name)
587 {
588 	KMF_RETURN ret = KMF_OK;
589 	KMF_X509_TYPE_VALUE_PAIR *attrtvpair = NULL;
590 	int i;
591 	KMF_X509_RDN *rdn;
592 
593 	if (kmfber_printf(asn1, "{") == -1) {
594 		ret = KMF_ERR_MEMORY;
595 		goto cleanup;
596 	}
597 
598 	for (i = 0; i < name->numberOfRDNs; i++) {
599 		if (kmfber_printf(asn1, "[") == -1) {
600 			ret = KMF_ERR_MEMORY;
601 			goto cleanup;
602 		}
603 		rdn = &name->RelativeDistinguishedName[i];
604 		attrtvpair = rdn->AttributeTypeAndValue;
605 
606 		if (rdn->numberOfPairs > 0) {
607 			if (kmfber_printf(asn1, "{Dto}",
608 				&attrtvpair->type,
609 				attrtvpair->valueType,
610 				attrtvpair->value.Data,
611 				attrtvpair->value.Length) == -1) {
612 				ret = KMF_ERR_MEMORY;
613 				goto cleanup;
614 			}
615 		}
616 		if (kmfber_printf(asn1, "]") == -1) {
617 			ret = KMF_ERR_MEMORY;
618 			goto cleanup;
619 		}
620 	}
621 
622 	if (kmfber_printf(asn1, "}") == -1) {
623 		ret = KMF_ERR_MEMORY;
624 		goto cleanup;
625 	}
626 
627 cleanup:
628 	/* No cleanup needed here */
629 
630 	return (ret);
631 }
632 
633 
634 KMF_RETURN
635 CopyRDN(KMF_X509_NAME *srcname, KMF_X509_NAME **destname)
636 {
637 	KMF_RETURN ret = KMF_OK;
638 	KMF_X509_NAME 		*newname = NULL;
639 	KMF_X509_RDN 		*rdn, *dstrdn;
640 	KMF_X509_TYPE_VALUE_PAIR *av = NULL;
641 	KMF_X509_TYPE_VALUE_PAIR *srcav = NULL;
642 	KMF_X509_TYPE_VALUE_PAIR *dstav = NULL;
643 	int i, j;
644 
645 	newname = malloc(sizeof (KMF_X509_NAME));
646 	if (newname == NULL)
647 		return (KMF_ERR_MEMORY);
648 	(void) memset(newname, 0, sizeof (KMF_X509_NAME));
649 
650 	newname->numberOfRDNs = srcname->numberOfRDNs;
651 	newname->RelativeDistinguishedName = malloc(newname->numberOfRDNs *
652 			sizeof (KMF_X509_RDN));
653 	if (newname->RelativeDistinguishedName == NULL) {
654 		free(newname);
655 		return (KMF_ERR_MEMORY);
656 	}
657 	/* Copy each RDN in the list */
658 	for (i = 0; i < newname->numberOfRDNs; i++) {
659 		rdn = &srcname->RelativeDistinguishedName[i];
660 
661 		dstrdn = &newname->RelativeDistinguishedName[i];
662 		(void) memset(dstrdn, 0, sizeof (KMF_X509_RDN));
663 
664 		dstrdn->numberOfPairs = rdn->numberOfPairs;
665 		if (dstrdn->numberOfPairs > 0) {
666 			av = malloc(dstrdn->numberOfPairs *
667 				sizeof (KMF_X509_TYPE_VALUE_PAIR));
668 			if (av == NULL) {
669 				ret = KMF_ERR_MEMORY;
670 				goto cleanup;
671 			}
672 			(void) memset(av, 0, dstrdn->numberOfPairs *
673 				sizeof (KMF_X509_TYPE_VALUE_PAIR));
674 
675 			dstrdn->AttributeTypeAndValue = av;
676 			if (av == NULL) {
677 				ret = KMF_ERR_MEMORY;
678 				goto cleanup;
679 			}
680 			/* Copy each A/V pair in the list */
681 			for (j = 0; j < dstrdn->numberOfPairs; j++) {
682 				srcav = &rdn->AttributeTypeAndValue[j];
683 				dstav = &dstrdn->AttributeTypeAndValue[j];
684 				if ((ret = CopyData(&srcav->type,
685 					&dstav->type)) != KMF_OK)
686 					goto cleanup;
687 				dstav->valueType = srcav->valueType;
688 				if ((ret = CopyData(&srcav->value,
689 					&dstav->value)) != KMF_OK)
690 					goto cleanup;
691 			}
692 		} else {
693 			dstrdn->AttributeTypeAndValue = NULL;
694 		}
695 	}
696 	*destname = newname;
697 
698 cleanup:
699 	if (ret != KMF_OK) {
700 		if (newname)
701 			free_rdn_data(newname);
702 
703 		free(newname);
704 		*destname = NULL;
705 	}
706 	return (ret);
707 }
708 
709 #define	VALID_DIRECTORYSTRING_TAG(t) ( \
710 	(t == BER_UTF8_STRING) || \
711 	(t == BER_PRINTABLE_STRING) || \
712 	(t == BER_IA5STRING) || \
713 	(t == BER_T61STRING) || \
714 	(t == BER_BMP_STRING) || \
715 	(t == BER_UNIVERSAL_STRING))
716 
717 static KMF_RETURN
718 get_rdn(BerElement *asn1, KMF_X509_NAME *name)
719 {
720 	KMF_RETURN ret = KMF_OK;
721 	ber_len_t size;
722 	char *end;
723 	int tag;
724 	BerValue AttrOID;
725 	char *AttrValue = NULL;
726 	KMF_X509_TYPE_VALUE_PAIR *newpair = NULL;
727 	KMF_X509_RDN 		newrdn;
728 
729 	/*
730 	 * AttributeType	::=  OBJECT IDENTIFIER
731 	 * AttributeValue	::=  ANY
732 	 *
733 	 * AttributeTypeAndValue	::=  SEQUENCE {
734 	 *	type    AttributeType,
735 	 *	value   AttributeValue }
736 	 *
737 	 * Name ::= CHOICE { -- only one possibility for now --
738 	 * 		rdnSequence  RDNSequence }
739 	 *
740 	 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
741 	 *
742 	 * DistinguishedName ::=   RDNSequence
743 	 *
744 	 * RelativeDistinguishedName  ::=
745 	 *		 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
746 	 *
747 	 */
748 
749 	name->numberOfRDNs = 0;
750 	name->RelativeDistinguishedName = NULL;
751 
752 	/* Get the beginning of the RDN Set and a ptr to the end */
753 	tag = kmfber_first_element(asn1, &size, &end);
754 	if (tag != BER_CONSTRUCTED_SET) {
755 		goto cleanup;
756 	}
757 
758 	/* Walk through the individual SET items until the "end" is reached */
759 	while ((tag = kmfber_next_element(asn1, &size, end)) ==
760 		BER_CONSTRUCTED_SET) {
761 		/* Skip over the SET tag */
762 		if (kmfber_scanf(asn1, "T", &tag) == -1) {
763 			ret = KMF_ERR_BAD_CERT_FORMAT;
764 			break;
765 		}
766 
767 		/* An "empty" set member means we tack on an empty node */
768 		if (size == 0) {
769 			if ((ret = AddRDN(name, NULL)) != KMF_OK)
770 				goto cleanup;
771 			continue;
772 		}
773 
774 		/* Attr OID and peek at the next tag and field length */
775 		if (kmfber_scanf(asn1, "{Dtl", &AttrOID, &tag, &size) == -1) {
776 			ret = KMF_ERR_BAD_CERT_FORMAT;
777 			break;
778 		}
779 
780 		if (!(VALID_DIRECTORYSTRING_TAG(tag))) {
781 			ret = KMF_ERR_BAD_CERT_FORMAT;
782 			break;
783 		}
784 
785 		if (kmfber_scanf(asn1, "a}]", &AttrValue) == -1) {
786 			ret = KMF_ERR_BAD_CERT_FORMAT;
787 			break;
788 		}
789 
790 		/* Allocate a new name/value pair record */
791 		newpair = malloc(sizeof (KMF_X509_TYPE_VALUE_PAIR));
792 		if (newpair == NULL) {
793 			ret = KMF_ERR_MEMORY;
794 			break;
795 		}
796 		(void) memset(newpair, 0, sizeof (KMF_X509_TYPE_VALUE_PAIR));
797 		newpair->type.Data = (uchar_t *)AttrOID.bv_val;
798 		newpair->type.Length = AttrOID.bv_len;
799 		newpair->valueType = tag; /* what kind of string is it? */
800 		newpair->value.Data = (uchar_t *)AttrValue;
801 		newpair->value.Length = strlen(AttrValue);
802 
803 		(void) memset(&newrdn, 0, sizeof (KMF_X509_RDN));
804 		newrdn.numberOfPairs = 1;
805 		newrdn.AttributeTypeAndValue = newpair;
806 
807 		if ((ret = AddRDN(name, &newrdn)) != KMF_OK)
808 			break;
809 	}
810 
811 cleanup:
812 	if (ret != KMF_OK) {
813 		free_rdn_data(name);
814 	}
815 	return (ret);
816 }
817 
818 static KMF_RETURN
819 set_der_integer(KMF_DATA *data, int value)
820 {
821 	if (data == NULL)
822 		return (KMF_ERR_BAD_PARAMETER);
823 
824 	data->Data = malloc(sizeof (int));
825 	if (data->Data == NULL)
826 		return (KMF_ERR_MEMORY);
827 
828 	data->Length = sizeof (int);
829 	(void) memcpy((void *)data->Data, (const void *)&value, sizeof (int));
830 
831 	return (KMF_OK);
832 }
833 
834 static KMF_RETURN
835 set_bigint(KMF_BIGINT *data, KMF_BIGINT *bigint)
836 {
837 	if (data == NULL || bigint == NULL)
838 		return (KMF_ERR_BAD_PARAMETER);
839 
840 	data->val = malloc(bigint->len);
841 	if (data->val == NULL)
842 		return (KMF_ERR_MEMORY);
843 
844 	data->len = bigint->len;
845 	(void) memcpy((void *)data->val, (const void *)bigint->val,
846 		bigint->len);
847 
848 	return (KMF_OK);
849 }
850 
851 static KMF_RETURN
852 encode_uniqueid(BerElement *asn1, int tag, KMF_DATA *id)
853 {
854 	KMF_RETURN ret = KMF_OK;
855 	uint32_t len;
856 
857 	len = kmfber_calc_taglen(BER_BIT_STRING) +
858 		kmfber_calc_lenlen(id->Length * 8) + id->Length;
859 	if (kmfber_printf(asn1, "TlB", tag, len,
860 		id->Data, id->Length * 8) == -1)
861 		return (KMF_ERR_BAD_CERT_FORMAT);
862 
863 	return (ret);
864 }
865 
866 static KMF_RETURN
867 encode_extension_list(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
868 {
869 	KMF_RETURN ret = KMF_OK;
870 	int i;
871 
872 	for (i = 0; i < extns->numberOfExtensions; i++) {
873 		BerValue v;
874 		v.bv_val = (char *)extns->extensions[i].extnId.Data;
875 		v.bv_len = extns->extensions[i].extnId.Length;
876 
877 		if (kmfber_printf(asn1, "{D", &v) == -1)  {
878 			ret = KMF_ERR_ENCODING;
879 			goto cleanup;
880 		}
881 
882 		if (extns->extensions[i].critical) {
883 			if (kmfber_printf(asn1, "b",
884 				extns->extensions[i].critical) == -1) {
885 				ret = KMF_ERR_ENCODING;
886 				goto cleanup;
887 			}
888 		}
889 
890 		if (kmfber_printf(asn1, "o}",
891 			extns->extensions[i].BERvalue.Data,
892 			extns->extensions[i].BERvalue.Length) == -1) {
893 			ret = KMF_ERR_ENCODING;
894 			goto cleanup;
895 		}
896 	}
897 cleanup:
898 	return (ret);
899 }
900 
901 static KMF_RETURN
902 encode_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
903 {
904 	KMF_RETURN ret = KMF_OK;
905 	BerElement *extn = NULL;
906 	BerValue *extnvalue = NULL;
907 
908 	extn = kmfder_alloc();
909 	if (extn == NULL)
910 		return (KMF_ERR_MEMORY);
911 
912 	if (kmfber_printf(extn, "{") == -1) {
913 		ret = KMF_ERR_ENCODING;
914 		goto cleanup;
915 	}
916 
917 	ret = encode_extension_list(extn, extns);
918 
919 	if (kmfber_printf(extn, "}") == -1) {
920 		ret = KMF_ERR_ENCODING;
921 		goto cleanup;
922 	}
923 
924 	if (kmfber_flatten(extn, &extnvalue) == -1) {
925 		ret = KMF_ERR_MEMORY;
926 		goto cleanup;
927 	}
928 
929 	if (kmfber_printf(asn1, "Tl", 0xA3, extnvalue->bv_len) == -1) {
930 		ret = KMF_ERR_BAD_CERT_FORMAT;
931 		goto cleanup;
932 	}
933 
934 	if (kmfber_write(asn1, extnvalue->bv_val, extnvalue->bv_len, 0) == -1) {
935 		ret = KMF_ERR_BAD_CERT_FORMAT;
936 		goto cleanup;
937 	}
938 
939 cleanup:
940 	kmfber_free(extn, 1);
941 	if (extnvalue != NULL)
942 		kmfber_bvfree(extnvalue);
943 
944 	return (ret);
945 }
946 
947 static KMF_RETURN
948 get_one_extension(BerElement *asn1, KMF_X509_EXTENSION **retex, char *end)
949 {
950 	KMF_RETURN ret = KMF_OK;
951 	ber_len_t size;
952 	int  critical, tag;
953 	KMF_X509_EXTENSION *ex = NULL;
954 	BerValue extOID;
955 	BerValue extValue;
956 	BerElement *extnber = NULL;
957 
958 	if (kmfber_scanf(asn1, "T", &tag) == -1) {
959 		ret = KMF_ERR_BAD_CERT_FORMAT;
960 		goto cleanup;
961 	}
962 
963 	tag = kmfber_next_element(asn1, &size, end);
964 	if (tag != BER_OBJECT_IDENTIFIER) {
965 		ret = KMF_ERR_BAD_CERT_FORMAT;
966 		goto cleanup;
967 	}
968 	if (kmfber_scanf(asn1, "D", &extOID) == -1) {
969 		ret = KMF_ERR_BAD_CERT_FORMAT;
970 		goto cleanup;
971 	}
972 
973 	tag = kmfber_next_element(asn1, &size, end);
974 	if (tag != BER_BOOLEAN) {
975 		critical = 0;
976 		if (tag != BER_OCTET_STRING)
977 			goto cleanup;
978 	} else {
979 		if (kmfber_scanf(asn1, "b", &critical) == -1)
980 			goto cleanup;
981 	}
982 
983 	tag = kmfber_next_element(asn1, &size, end);
984 	if (tag != BER_OCTET_STRING)  {
985 		ret = KMF_ERR_BAD_CERT_FORMAT;
986 		goto cleanup;
987 	}
988 	if (kmfber_scanf(asn1, "o", &extValue) == -1)  {
989 		ret = KMF_ERR_BAD_CERT_FORMAT;
990 		goto cleanup;
991 	}
992 
993 	/* allocate a new Extension record */
994 	ex = malloc(sizeof (KMF_X509_EXTENSION));
995 	if (ex == NULL) {
996 		ret = KMF_ERR_MEMORY;
997 		goto cleanup;
998 	}
999 	(void) memset(ex, 0, sizeof (ex));
1000 
1001 	ex->extnId.Data = (uchar_t *)extOID.bv_val;
1002 	ex->extnId.Length = extOID.bv_len;
1003 	ex->critical = critical;
1004 	ex->format = KMF_X509_DATAFORMAT_ENCODED;
1005 	ex->BERvalue.Data = (uchar_t *)extValue.bv_val;
1006 	ex->BERvalue.Length = extValue.bv_len;
1007 
1008 	/* Tag and value is a little tricky */
1009 	ex->value.tagAndValue = malloc(sizeof (KMF_X509EXT_TAGandVALUE));
1010 	if (ex->value.tagAndValue == NULL) {
1011 		ret = KMF_ERR_MEMORY;
1012 		goto cleanup;
1013 	}
1014 	(void) memset(ex->value.tagAndValue, 0,
1015 		sizeof (KMF_X509EXT_TAGandVALUE));
1016 
1017 	/* Parse the Extension value field */
1018 	extnber = kmfder_init(&extValue);
1019 	if (extnber == NULL) {
1020 		ret = KMF_ERR_MEMORY;
1021 		goto cleanup;
1022 	}
1023 
1024 	/* Get the tag and length of the extension field */
1025 	if (kmfber_scanf(extnber, "tl", &tag, &size) == -1) {
1026 		ret = KMF_ERR_BAD_CERT_FORMAT;
1027 		goto cleanup;
1028 	}
1029 
1030 	if (kmfber_scanf(extnber, "T", &tag) == -1) {
1031 		ret = KMF_ERR_BAD_CERT_FORMAT;
1032 		goto cleanup;
1033 	}
1034 
1035 	ex->value.tagAndValue->value.Data = malloc(size);
1036 	ex->value.tagAndValue->value.Length = size;
1037 	size = kmfber_read(extnber,
1038 		(char *)ex->value.tagAndValue->value.Data, size);
1039 	if (size != ex->value.tagAndValue->value.Length) {
1040 		ret = KMF_ERR_BAD_CERT_FORMAT;
1041 		goto cleanup;
1042 	}
1043 	kmfber_free(extnber, 1);
1044 	ex->value.tagAndValue->type = tag;
1045 
1046 	*retex = ex;
1047 cleanup:
1048 	if (ret != KMF_OK) {
1049 		if (ex != NULL)
1050 			free_one_extension(ex);
1051 	}
1052 
1053 	return (ret);
1054 }
1055 
1056 static KMF_RETURN
1057 get_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
1058 {
1059 	KMF_RETURN ret = KMF_OK;
1060 	ber_len_t size;
1061 	char *end = NULL;
1062 	KMF_X509_EXTENSION *ex = NULL;
1063 
1064 	/*
1065 	 * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
1066 	 *
1067 	 * Extension  ::=  SEQUENCE  {
1068 	 *	extnID		OBJECT IDENTIFIER,
1069 	 *	critical	BOOLEAN DEFAULT FALSE,
1070 	 *	extnValue	OCTET STRING  }
1071 	 *
1072 	 * { {{D}Bo}, ... }
1073 	 */
1074 	if (kmfber_first_element(asn1, &size, &end) !=
1075 		BER_CONSTRUCTED_SEQUENCE)
1076 		return (KMF_ERR_BAD_CERT_FORMAT);
1077 
1078 	while (kmfber_next_element(asn1, &size, end) ==
1079 		BER_CONSTRUCTED_SEQUENCE) {
1080 		ret = get_one_extension(asn1, &ex, end);
1081 		if (ret != KMF_OK)
1082 			goto cleanup;
1083 
1084 		extns->numberOfExtensions++;
1085 		extns->extensions = realloc(extns->extensions,
1086 			extns->numberOfExtensions *
1087 			sizeof (KMF_X509_EXTENSION));
1088 		if (extns->extensions == NULL) {
1089 			ret = KMF_ERR_MEMORY;
1090 			break;
1091 		}
1092 
1093 		extns->extensions[extns->numberOfExtensions-1] = *ex;
1094 		free(ex);
1095 	}
1096 
1097 cleanup:
1098 	if (ret != KMF_OK)
1099 		free_extensions(extns);
1100 
1101 	return (ret);
1102 }
1103 
1104 KMF_RETURN
1105 decode_tbscert_data(BerElement *asn1,
1106 	KMF_X509_TBS_CERT **signed_cert_ptr_ptr)
1107 {
1108 	KMF_RETURN ret = KMF_OK;
1109 	KMF_X509_TBS_CERT	*tbscert = NULL;
1110 	int tag, version;
1111 	struct berval *bvserno = NULL;
1112 	KMF_BIGINT serno;
1113 
1114 	if (kmfber_scanf(asn1, "{t", &tag) == -1) {
1115 		ret = KMF_ERR_BAD_CERT_FORMAT;
1116 		goto cleanup;
1117 	}
1118 
1119 	/* Version number is optional */
1120 	if (tag == 0xA0) {
1121 		if (kmfber_scanf(asn1, "Ti", &tag, &version) == -1) {
1122 			ret = KMF_ERR_BAD_CERT_FORMAT;
1123 			goto cleanup;
1124 		}
1125 	} else {
1126 		version = 0; /* DEFAULT v1 (0) */
1127 	}
1128 
1129 	/* Now get the serial number, it is not optional */
1130 	if (kmfber_scanf(asn1, "I", &bvserno) == -1) {
1131 		ret = KMF_ERR_BAD_CERT_FORMAT;
1132 		goto cleanup;
1133 	} else {
1134 		serno.val = (uchar_t *)bvserno->bv_val;
1135 		serno.len = bvserno->bv_len;
1136 	}
1137 
1138 	tbscert = malloc(sizeof (KMF_X509_TBS_CERT));
1139 	if (!tbscert) {
1140 		ret = KMF_ERR_MEMORY;
1141 		goto cleanup;
1142 	}
1143 
1144 	(void) memset(tbscert, 0, sizeof (KMF_X509_TBS_CERT));
1145 
1146 	if ((ret = set_der_integer(&tbscert->version, version)) != KMF_OK)
1147 		goto cleanup;
1148 
1149 	if ((ret = set_bigint(&tbscert->serialNumber, &serno)) != KMF_OK)
1150 		goto cleanup;
1151 
1152 	if ((ret = get_algoid(asn1, &tbscert->signature)) != KMF_OK)
1153 		goto cleanup;
1154 
1155 	if ((ret = get_rdn(asn1, &tbscert->issuer)) != KMF_OK)
1156 		goto cleanup;
1157 
1158 	if ((ret = get_validity(asn1, &tbscert->validity)) != KMF_OK)
1159 		goto cleanup;
1160 
1161 	if ((ret = get_rdn(asn1, &tbscert->subject)) != KMF_OK)
1162 		goto cleanup;
1163 
1164 	if ((ret = get_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK)
1165 		goto cleanup;
1166 
1167 	/* Check for the optional fields */
1168 	tbscert->extensions.numberOfExtensions = 0;
1169 	tbscert->extensions.extensions = NULL;
1170 
1171 	while ((kmfber_scanf(asn1, "t", &tag)) != -1 &&
1172 			(tag == 0xA1 || tag == 0xA2 || tag == 0xA3)) {
1173 		char *optfield;
1174 		ber_len_t len;
1175 
1176 		/* consume the tag and length */
1177 		(void) kmfber_scanf(asn1, "T", &tag);
1178 		switch (tag) {
1179 			case 0xA1:
1180 				if (kmfber_scanf(asn1, "B", &optfield, &len) !=
1181 					BER_BIT_STRING) {
1182 					ret = KMF_ERR_BAD_CERT_FORMAT;
1183 					goto cleanup;
1184 				}
1185 				tbscert->issuerUniqueIdentifier.Data =
1186 					(uchar_t *)optfield;
1187 				tbscert->issuerUniqueIdentifier.Length =
1188 					len / 8;
1189 				break;
1190 			case 0xA2:
1191 				if (kmfber_scanf(asn1, "B", &optfield, &len) !=
1192 					BER_BIT_STRING) {
1193 					ret = KMF_ERR_BAD_CERT_FORMAT;
1194 					goto cleanup;
1195 				}
1196 				tbscert->subjectUniqueIdentifier.Data =
1197 					(uchar_t *)optfield;
1198 				tbscert->subjectUniqueIdentifier.Length =
1199 					len / 8;
1200 				break;
1201 			case 0xA3:
1202 			ret = get_extensions(asn1, &tbscert->extensions);
1203 			break;
1204 		}
1205 	}
1206 
1207 	*signed_cert_ptr_ptr = tbscert;
1208 
1209 cleanup:
1210 	if (bvserno != NULL) {
1211 		free(bvserno->bv_val);
1212 		free(bvserno);
1213 	}
1214 	if (ret != KMF_OK) {
1215 		if (tbscert) {
1216 			free_tbscert(tbscert);
1217 			free(tbscert);
1218 		}
1219 		*signed_cert_ptr_ptr = NULL;
1220 	}
1221 	return (ret);
1222 }
1223 
1224 KMF_RETURN
1225 DerDecodeTbsCertificate(const KMF_DATA *Value,
1226 	KMF_X509_TBS_CERT **tbscert)
1227 {
1228 	KMF_RETURN ret = KMF_OK;
1229 	BerElement *asn1 = NULL;
1230 	BerValue 	rawcert;
1231 	KMF_X509_TBS_CERT *newcert = NULL;
1232 
1233 	if (!tbscert || !Value || !Value->Data || !Value->Length)
1234 		return (KMF_ERR_BAD_PARAMETER);
1235 
1236 	rawcert.bv_val = (char *)Value->Data;
1237 	rawcert.bv_len = Value->Length;
1238 
1239 	if ((asn1 = kmfder_init(&rawcert)) == NULL)
1240 		return (KMF_ERR_MEMORY);
1241 
1242 	ret = decode_tbscert_data(asn1, &newcert);
1243 	if (ret != KMF_OK)
1244 		goto cleanup;
1245 
1246 	*tbscert = newcert;
1247 
1248 cleanup:
1249 	if (ret != KMF_OK) {
1250 		if (newcert)
1251 			free_tbscert(newcert);
1252 		*tbscert = NULL;
1253 	}
1254 	kmfber_free(asn1, 1);
1255 
1256 	return (ret);
1257 }
1258 
1259 /*
1260  * Name: DerDecodeSignedCertificate
1261  *
1262  * Description:
1263  * DER decodes the encoded X509 certificate
1264  *
1265  * Parameters:
1266  * Value (input): DER encoded object that shd be decoded
1267  *
1268  * signed_cert_ptr_ptr (output) : Decoded KMF_X509_CERTIFICATE object
1269  */
1270 KMF_RETURN
1271 DerDecodeSignedCertificate(const KMF_DATA *Value,
1272 	KMF_X509_CERTIFICATE **signed_cert_ptr_ptr)
1273 {
1274 	KMF_RETURN ret = KMF_OK;
1275 	BerElement *asn1 = NULL;
1276 	BerValue 	rawcert;
1277 	ber_tag_t	tag;
1278 	ber_len_t	size;
1279 	char		*end = NULL;
1280 	char		*signature;
1281 	KMF_X509_TBS_CERT	*tbscert = NULL;
1282 	KMF_X509_CERTIFICATE *certptr = NULL;
1283 
1284 	if (!signed_cert_ptr_ptr || !Value || !Value->Data || !Value->Length)
1285 		return (KMF_ERR_BAD_PARAMETER);
1286 
1287 	rawcert.bv_val = (char *)Value->Data;
1288 	rawcert.bv_len = Value->Length;
1289 
1290 	if ((asn1 = kmfder_init(&rawcert)) == NULL)
1291 		return (KMF_ERR_MEMORY);
1292 
1293 	if (kmfber_first_element(asn1, &size, &end) !=
1294 		BER_CONSTRUCTED_SEQUENCE) {
1295 		ret = KMF_ERR_BAD_CERT_FORMAT;
1296 		goto cleanup;
1297 	}
1298 
1299 	certptr = malloc(sizeof (KMF_X509_CERTIFICATE));
1300 	if (certptr == NULL) {
1301 		ret = KMF_ERR_MEMORY;
1302 		goto cleanup;
1303 	}
1304 	(void) memset(certptr, 0, sizeof (KMF_X509_CERTIFICATE));
1305 
1306 	ret = decode_tbscert_data(asn1, &tbscert);
1307 	if (ret != KMF_OK)
1308 		goto cleanup;
1309 
1310 	certptr->certificate = *tbscert;
1311 	free(tbscert);
1312 	tbscert = NULL;
1313 
1314 	/*
1315 	 * The signature data my not be present yet.
1316 	 */
1317 	if ((ret = get_algoid(asn1,
1318 		&certptr->signature.algorithmIdentifier)) == KMF_OK) {
1319 
1320 		/* Check to see if the cert has a signature yet */
1321 		if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) {
1322 			/* Finally, get the encrypted signature BITSTRING */
1323 			if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) {
1324 				ret = KMF_ERR_BAD_CERT_FORMAT;
1325 				goto cleanup;
1326 			}
1327 			if (tag != BER_BIT_STRING) {
1328 				ret = KMF_ERR_BAD_CERT_FORMAT;
1329 				goto cleanup;
1330 			}
1331 			if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) {
1332 				ret = KMF_ERR_BAD_CERT_FORMAT;
1333 				goto cleanup;
1334 			}
1335 			certptr->signature.encrypted.Data =
1336 				(uchar_t *)signature;
1337 			certptr->signature.encrypted.Length = size / 8;
1338 		} else {
1339 			certptr->signature.encrypted.Data = NULL;
1340 			certptr->signature.encrypted.Length = 0;
1341 		}
1342 	} else {
1343 		(void) memset(&certptr->signature, 0,
1344 			sizeof (certptr->signature));
1345 		ret = KMF_OK;
1346 	}
1347 
1348 	*signed_cert_ptr_ptr = certptr;
1349 cleanup:
1350 	if (ret != KMF_OK) {
1351 		if (certptr) {
1352 			free_decoded_cert(certptr);
1353 			free(certptr);
1354 		}
1355 
1356 		*signed_cert_ptr_ptr = NULL;
1357 	}
1358 	if (asn1)
1359 		kmfber_free(asn1, 1);
1360 
1361 	return (ret);
1362 
1363 }
1364 
1365 KMF_RETURN
1366 DerDecodeExtension(KMF_DATA *Data, KMF_X509_EXTENSION **extn)
1367 {
1368 	KMF_RETURN ret = KMF_OK;
1369 	BerElement *asn1 = NULL;
1370 	BerValue bv;
1371 
1372 	bv.bv_val = (char *)Data->Data;
1373 	bv.bv_len = Data->Length;
1374 
1375 	asn1 = kmfder_init(&bv);
1376 	if (asn1 == NULL)
1377 		return (KMF_ERR_MEMORY);
1378 
1379 	ret = get_one_extension(asn1, extn, NULL);
1380 
1381 cleanup:
1382 	if (ret != KMF_OK) {
1383 		if (*extn != NULL) {
1384 			free(*extn);
1385 		}
1386 		*extn = NULL;
1387 	}
1388 
1389 	kmfber_free(asn1, 1);
1390 	return (ret);
1391 }
1392 
1393 KMF_RETURN
1394 DerDecodeName(KMF_DATA *encodedname, KMF_X509_NAME *name)
1395 {
1396 	KMF_RETURN ret = KMF_OK;
1397 	BerElement *asn1 = NULL;
1398 	BerValue  bv;
1399 
1400 	bv.bv_val = (char *)encodedname->Data;
1401 	bv.bv_len = encodedname->Length;
1402 
1403 	asn1 = kmfder_init(&bv);
1404 	if (asn1 == NULL)
1405 		return (KMF_ERR_MEMORY);
1406 
1407 	(void) memset((void *)name, 0, sizeof (KMF_X509_NAME));
1408 
1409 	if ((ret = get_rdn(asn1, name)) != KMF_OK)
1410 		goto cleanup;
1411 
1412 cleanup:
1413 	if (asn1)
1414 		kmfber_free(asn1, 1);
1415 	return (ret);
1416 }
1417 
1418 KMF_RETURN
1419 DerEncodeName(KMF_X509_NAME *name, KMF_DATA *encodedname)
1420 {
1421 	KMF_RETURN ret = KMF_OK;
1422 	BerElement *asn1 = NULL;
1423 	BerValue  *bv = NULL;
1424 
1425 	asn1 = kmfder_alloc();
1426 	if (asn1 == NULL)
1427 		return (KMF_ERR_MEMORY);
1428 
1429 	if ((ret = encode_rdn(asn1, name)) != KMF_OK)
1430 		goto cleanup;
1431 
1432 	if (kmfber_flatten(asn1, &bv) == -1) {
1433 		ret = KMF_ERR_BAD_CERT_FORMAT;
1434 		goto cleanup;
1435 	}
1436 
1437 	encodedname->Data = (uchar_t *)bv->bv_val;
1438 	encodedname->Length = bv->bv_len;
1439 
1440 cleanup:
1441 	if (bv)
1442 		free(bv);
1443 
1444 	if (asn1)
1445 		kmfber_free(asn1, 1);
1446 
1447 	return (ret);
1448 }
1449 
1450 static KMF_RETURN
1451 encode_tbs_cert(BerElement *asn1, KMF_X509_TBS_CERT *tbscert)
1452 {
1453 	KMF_RETURN ret = KMF_OK;
1454 	uint32_t version;
1455 
1456 	/* version should be 4 bytes or less */
1457 	if (tbscert->version.Length > sizeof (int))
1458 		return (KMF_ERR_BAD_CERT_FORMAT);
1459 
1460 	(void) memcpy(&version, tbscert->version.Data,
1461 		tbscert->version.Length);
1462 
1463 	/* Start the sequence and add the version */
1464 	if (kmfber_printf(asn1, "{Tli", 0xA0, 3, version) == -1) {
1465 		ret = KMF_ERR_BAD_CERT_FORMAT;
1466 		goto cleanup;
1467 	}
1468 	/* Write the serial number */
1469 	if (kmfber_printf(asn1, "I",
1470 		(char *)tbscert->serialNumber.val,
1471 		(size_t)tbscert->serialNumber.len) == -1) {
1472 		ret = KMF_ERR_BAD_CERT_FORMAT;
1473 		goto cleanup;
1474 	}
1475 
1476 	if ((ret = encode_algoid(asn1, &tbscert->signature)) != KMF_OK)
1477 		goto cleanup;
1478 
1479 	/* Encode the Issuer RDN */
1480 	if ((ret = encode_rdn(asn1, &tbscert->issuer)) != KMF_OK)
1481 		goto cleanup;
1482 
1483 	/* Encode the Validity fields */
1484 	if ((ret = encode_validity(asn1, &tbscert->validity)) != KMF_OK)
1485 		goto cleanup;
1486 
1487 	/* Encode the Subject RDN */
1488 	if ((ret = encode_rdn(asn1, &tbscert->subject)) != KMF_OK)
1489 		goto cleanup;
1490 
1491 	/* Encode the Subject Public Key Info */
1492 	if ((ret = encode_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK)
1493 		goto cleanup;
1494 
1495 	/* Optional field:  issuer Unique ID */
1496 	if (tbscert->issuerUniqueIdentifier.Length > 0) {
1497 		if ((ret = encode_uniqueid(asn1, 0xA1,
1498 			&tbscert->issuerUniqueIdentifier)) != KMF_OK)
1499 			goto cleanup;
1500 	}
1501 
1502 	/* Optional field:  Subject Unique ID */
1503 	if (tbscert->subjectUniqueIdentifier.Length > 0) {
1504 		if ((ret = encode_uniqueid(asn1, 0xA2,
1505 			&tbscert->subjectUniqueIdentifier)) != KMF_OK)
1506 			goto cleanup;
1507 	}
1508 
1509 	/* Optional field: Certificate Extensions */
1510 	if (tbscert->extensions.numberOfExtensions > 0) {
1511 		if ((ret = encode_extensions(asn1,
1512 			&tbscert->extensions)) != KMF_OK)
1513 			goto cleanup;
1514 	}
1515 
1516 	/* Close out the TBSCert sequence */
1517 	if (kmfber_printf(asn1, "}") == -1) {
1518 		ret = KMF_ERR_BAD_CERT_FORMAT;
1519 		goto cleanup;
1520 	}
1521 
1522 cleanup:
1523 	/*
1524 	 * Memory cleanup is done in the caller or in the individual
1525 	 * encoding routines.
1526 	 */
1527 
1528 	return (ret);
1529 }
1530 
1531 KMF_RETURN
1532 DerEncodeTbsCertificate(KMF_X509_TBS_CERT *tbs_cert_ptr,
1533 	KMF_DATA *enc_tbs_cert_ptr)
1534 {
1535 	KMF_RETURN ret;
1536 	BerElement *asn1 = NULL;
1537 	BerValue  *tbsdata = NULL;
1538 
1539 	asn1 = kmfder_alloc();
1540 	if (asn1 == NULL)
1541 		return (KMF_ERR_MEMORY);
1542 
1543 	enc_tbs_cert_ptr->Data = NULL;
1544 	enc_tbs_cert_ptr->Length = 0;
1545 
1546 	ret = encode_tbs_cert(asn1, tbs_cert_ptr);
1547 	if (ret != KMF_OK)
1548 		goto cleanup;
1549 
1550 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
1551 		ret = KMF_ERR_MEMORY;
1552 		goto cleanup;
1553 	}
1554 
1555 	enc_tbs_cert_ptr->Data = (uchar_t *)tbsdata->bv_val;
1556 	enc_tbs_cert_ptr->Length = tbsdata->bv_len;
1557 
1558 cleanup:
1559 	if (ret != KMF_OK)
1560 		free_data(enc_tbs_cert_ptr);
1561 
1562 	if (asn1 != NULL)
1563 		kmfber_free(asn1, 1);
1564 
1565 	if (tbsdata)
1566 		free(tbsdata);
1567 
1568 	return (ret);
1569 }
1570 
1571 KMF_RETURN
1572 DerEncodeSignedCertificate(KMF_X509_CERTIFICATE *signed_cert_ptr,
1573 	KMF_DATA *encodedcert)
1574 {
1575 	KMF_RETURN ret = KMF_OK;
1576 	KMF_X509_TBS_CERT *tbscert = NULL;
1577 	KMF_X509_SIGNATURE		*signature = NULL;
1578 	BerElement	*asn1 = NULL;
1579 	BerValue 	*tbsdata = NULL;
1580 
1581 	if (signed_cert_ptr == NULL || encodedcert == NULL)
1582 		return (KMF_ERR_BAD_PARAMETER);
1583 
1584 	encodedcert->Data = NULL;
1585 	encodedcert->Length = 0;
1586 
1587 	tbscert = &signed_cert_ptr->certificate;
1588 	signature = &signed_cert_ptr->signature;
1589 
1590 	asn1 = kmfder_alloc();
1591 	if (asn1 == NULL)
1592 		return (KMF_ERR_MEMORY);
1593 
1594 	/* Start outer X509 Certificate SEQUENCE */
1595 	if (kmfber_printf(asn1, "{") == -1) {
1596 		ret = KMF_ERR_BAD_CERT_FORMAT;
1597 		goto cleanup;
1598 	}
1599 
1600 	if ((ret = encode_tbs_cert(asn1, tbscert)) != KMF_OK) {
1601 		ret = KMF_ERR_BAD_CERT_FORMAT;
1602 		goto cleanup;
1603 	}
1604 
1605 	/* Add the Algorithm & Signature Sequence */
1606 	if ((ret = encode_algoid(asn1,
1607 		&signature->algorithmIdentifier)) != KMF_OK)
1608 		goto cleanup;
1609 
1610 	if (signature->encrypted.Length > 0) {
1611 		if (kmfber_printf(asn1, "B", signature->encrypted.Data,
1612 			signature->encrypted.Length * 8) == -1) {
1613 			ret = KMF_ERR_BAD_CERT_FORMAT;
1614 			goto cleanup;
1615 		}
1616 	}
1617 
1618 	if (kmfber_printf(asn1, "}") == -1) {
1619 		ret = KMF_ERR_BAD_CERT_FORMAT;
1620 		goto cleanup;
1621 	}
1622 
1623 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
1624 		ret = KMF_ERR_MEMORY;
1625 		goto cleanup;
1626 	}
1627 
1628 	encodedcert->Data = (uchar_t *)tbsdata->bv_val;
1629 	encodedcert->Length = tbsdata->bv_len;
1630 
1631 cleanup:
1632 	if (ret != KMF_OK)
1633 		free_data(encodedcert);
1634 
1635 	if (tbsdata)
1636 		free(tbsdata);
1637 
1638 	if (asn1)
1639 		kmfber_free(asn1, 1);
1640 
1641 	return (ret);
1642 }
1643 
1644 KMF_RETURN
1645 ExtractX509CertParts(KMF_DATA *x509cert, KMF_DATA *tbscert,
1646 		KMF_DATA *signature)
1647 {
1648 	KMF_RETURN ret = KMF_OK;
1649 	BerElement *der = NULL;
1650 	BerValue x509;
1651 	ber_tag_t tag;
1652 	ber_len_t size;
1653 
1654 	if (tbscert == NULL || x509cert == NULL)
1655 		return (KMF_ERR_BAD_PARAMETER);
1656 
1657 	x509.bv_val = (char *)x509cert->Data;
1658 	x509.bv_len = x509cert->Length;
1659 
1660 	der = kmfder_init(&x509);
1661 	if (der == NULL)
1662 		return (KMF_ERR_MEMORY);
1663 
1664 	/* Skip over the overall Sequence tag to get at the TBS Cert data */
1665 	if (kmfber_scanf(der, "Tl", &tag, &size) == -1) {
1666 		ret = KMF_ERR_BAD_CERT_FORMAT;
1667 		goto cleanup;
1668 	}
1669 	if (tag != BER_CONSTRUCTED_SEQUENCE) {
1670 		ret = KMF_ERR_BAD_CERT_FORMAT;
1671 		goto cleanup;
1672 	}
1673 
1674 	/*
1675 	 * Since we are extracting a copy of the ENCODED bytes, we
1676 	 * must make sure to also include the bytes for the tag and
1677 	 * the length fields for the CONSTRUCTED SEQUENCE (TBSCert).
1678 	 */
1679 	size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size);
1680 
1681 	tbscert->Data = malloc(size);
1682 	if (tbscert->Data == NULL) {
1683 		ret = KMF_ERR_MEMORY;
1684 		goto cleanup;
1685 	}
1686 	tbscert->Length = size;
1687 
1688 	/* The der data ptr is now set to the start of the TBS cert sequence */
1689 	size = kmfber_read(der, (char *)tbscert->Data, tbscert->Length);
1690 	if (size != tbscert->Length) {
1691 		ret = KMF_ERR_BAD_CERT_FORMAT;
1692 		goto cleanup;
1693 	}
1694 
1695 	if (signature != NULL) {
1696 		KMF_X509_ALGORITHM_IDENTIFIER algoid;
1697 		if ((ret = get_algoid(der, &algoid)) != KMF_OK)
1698 			goto cleanup;
1699 		free_algoid(&algoid);
1700 
1701 		if (kmfber_scanf(der, "tl", &tag, &size) != BER_BIT_STRING) {
1702 			ret = KMF_ERR_BAD_CERT_FORMAT;
1703 			goto cleanup;
1704 		}
1705 		/* Now get the signature data */
1706 		if (kmfber_scanf(der, "B", (char **)&signature->Data,
1707 			(ber_len_t *)&signature->Length) == -1) {
1708 			ret = KMF_ERR_BAD_CERT_FORMAT;
1709 			goto cleanup;
1710 		}
1711 		/* convert bitstring length to bytes */
1712 		signature->Length = signature->Length / 8;
1713 	}
1714 
1715 cleanup:
1716 	if (der)
1717 		kmfber_free(der, 1);
1718 
1719 	if (ret != KMF_OK)
1720 		free_data(tbscert);
1721 
1722 	return (ret);
1723 }
1724 
1725 /*
1726  * Name: GetKeyFromSpki
1727  *
1728  * Description:
1729  * This function parses the KMF_X509_SPKI into its
1730  * key and parameter components based on the key generation algorithm.
1731  * NOTE:  Currently, it only checks for the RSA and DSA algorithms.
1732  *	The RSA algorithm is equivalent to the default behavior.
1733  *	All other algorithms will default to the parameters = NULL and the
1734  *	key data equal to whatever is in the CSSM_KEY structure for the key
1735  *
1736  * Parameters:
1737  * AlgId (input) : Algorithm identifier
1738  * SpkiPtr (input): SPKI structure that contains the key
1739  * key_ptr(output): The output key
1740  *
1741  */
1742 KMF_RETURN
1743 GetKeyFromSpki(KMF_ALGORITHM_INDEX AlgId,
1744 	KMF_X509_SPKI *SpkiPtr,
1745 	KMF_DATA **key_ptr)
1746 {
1747 	KMF_RETURN ret = KMF_OK;
1748 	BerElement *asn1;
1749 	BerValue *encodedkey = NULL;
1750 
1751 	if (!key_ptr || !SpkiPtr) {
1752 		return (KMF_ERR_BAD_PARAMETER);
1753 	}
1754 	*key_ptr = NULL;
1755 
1756 	switch (AlgId) {
1757 		case KMF_ALGID_DSA:
1758 			asn1 = kmfder_alloc();
1759 			if (asn1 == NULL) {
1760 				return (KMF_ERR_MEMORY);
1761 			}
1762 
1763 			if ((ret = encode_spki(asn1, SpkiPtr)) != KMF_OK) {
1764 				ret = KMF_ERR_MEMORY;
1765 				goto cleanup;
1766 			}
1767 
1768 			if (kmfber_flatten(asn1, &encodedkey) == -1) {
1769 				ret = KMF_ERR_MEMORY;
1770 				goto cleanup;
1771 			}
1772 
1773 			*key_ptr = malloc(sizeof (KMF_DATA));
1774 
1775 			if (!*key_ptr) {
1776 				ret = KMF_ERR_MEMORY;
1777 				goto cleanup;
1778 			}
1779 
1780 			(*key_ptr)->Length = encodedkey->bv_len;
1781 			(*key_ptr)->Data = (uchar_t *)encodedkey->bv_val;
1782 cleanup:
1783 			kmfber_free(asn1, 1);
1784 			if (encodedkey)
1785 				free(encodedkey);
1786 		break;
1787 		default: /* RSA */
1788 			*key_ptr = malloc(sizeof (KMF_DATA));
1789 
1790 			if (!*key_ptr) {
1791 				return (KMF_ERR_MEMORY);
1792 			}
1793 			(*key_ptr)->Length = SpkiPtr->subjectPublicKey.Length;
1794 			(*key_ptr)->Data = malloc((*key_ptr)->Length);
1795 
1796 			if (!(*key_ptr)->Data) {
1797 				free(*key_ptr);
1798 				*key_ptr = NULL;
1799 				return (KMF_ERR_MEMORY);
1800 			}
1801 			(void) memcpy((*key_ptr)->Data,
1802 				SpkiPtr->subjectPublicKey.Data,
1803 				(*key_ptr)->Length);
1804 			return (ret);
1805 	}
1806 	return (ret);
1807 }
1808 
1809 static KMF_RETURN
1810 decode_csr_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
1811 {
1812 	KMF_RETURN ret = KMF_OK;
1813 	BerValue oid;
1814 
1815 	if (kmfber_scanf(asn1, "{D", &oid) == -1) {
1816 		return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE);
1817 	}
1818 
1819 	/* We only understand extension requests in a CSR */
1820 	if (memcmp(oid.bv_val, extension_request_oid.Data,
1821 		oid.bv_len) != 0) {
1822 		return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE);
1823 	}
1824 
1825 	if (kmfber_scanf(asn1, "[") == -1) {
1826 		return (KMF_ERR_ENCODING);
1827 	}
1828 	ret = get_extensions(asn1, extns);
1829 
1830 
1831 	return (ret);
1832 }
1833 
1834 static KMF_RETURN
1835 decode_tbscsr_data(BerElement *asn1,
1836 	KMF_TBS_CSR **signed_csr_ptr_ptr)
1837 {
1838 	KMF_RETURN ret = KMF_OK;
1839 	KMF_TBS_CSR	*tbscsr = NULL;
1840 	char *end = NULL;
1841 	uint32_t version;
1842 	ber_tag_t tag;
1843 	ber_len_t size;
1844 
1845 	/* Now get the version number, it is not optional */
1846 	if (kmfber_scanf(asn1, "{i", &version) == -1) {
1847 		ret = KMF_ERR_BAD_CERT_FORMAT;
1848 		goto cleanup;
1849 	}
1850 
1851 	tbscsr = malloc(sizeof (KMF_TBS_CSR));
1852 	if (!tbscsr) {
1853 		ret = KMF_ERR_MEMORY;
1854 		goto cleanup;
1855 	}
1856 
1857 	(void) memset(tbscsr, 0, sizeof (KMF_TBS_CSR));
1858 
1859 	if ((ret = set_der_integer(&tbscsr->version, version)) != KMF_OK)
1860 		goto cleanup;
1861 
1862 	if ((ret = get_rdn(asn1, &tbscsr->subject)) != KMF_OK)
1863 		goto cleanup;
1864 
1865 	if ((ret = get_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK)
1866 		goto cleanup;
1867 
1868 	/* Check for the optional fields (attributes) */
1869 	if (kmfber_next_element(asn1, &size, end) == 0xA0) {
1870 		if (kmfber_scanf(asn1, "Tl", &tag, &size) == -1) {
1871 			ret = KMF_ERR_ENCODING;
1872 			goto cleanup;
1873 		}
1874 
1875 		ret = decode_csr_extensions(asn1, &tbscsr->extensions);
1876 	}
1877 	if (ret == KMF_OK)
1878 		*signed_csr_ptr_ptr = tbscsr;
1879 
1880 cleanup:
1881 	if (ret != KMF_OK) {
1882 		if (tbscsr) {
1883 			free_tbscsr(tbscsr);
1884 			free(tbscsr);
1885 		}
1886 		*signed_csr_ptr_ptr = NULL;
1887 	}
1888 	return (ret);
1889 }
1890 
1891 KMF_RETURN
1892 DerDecodeTbsCsr(const KMF_DATA *Value,
1893 	KMF_TBS_CSR **tbscsr)
1894 {
1895 	KMF_RETURN ret = KMF_OK;
1896 	BerElement *asn1 = NULL;
1897 	BerValue 	rawcsr;
1898 	KMF_TBS_CSR *newcsr = NULL;
1899 
1900 	if (!tbscsr || !Value || !Value->Data || !Value->Length)
1901 		return (KMF_ERR_BAD_PARAMETER);
1902 
1903 	rawcsr.bv_val = (char *)Value->Data;
1904 	rawcsr.bv_len = Value->Length;
1905 
1906 	if ((asn1 = kmfder_init(&rawcsr)) == NULL)
1907 		return (KMF_ERR_MEMORY);
1908 
1909 	ret = decode_tbscsr_data(asn1, &newcsr);
1910 	if (ret != KMF_OK)
1911 		goto cleanup;
1912 
1913 	*tbscsr = newcsr;
1914 
1915 cleanup:
1916 	if (ret != KMF_OK) {
1917 		if (newcsr)
1918 			free_tbscsr(newcsr);
1919 		*tbscsr = NULL;
1920 	}
1921 	kmfber_free(asn1, 1);
1922 
1923 	return (ret);
1924 }
1925 
1926 KMF_RETURN
1927 DerDecodeSignedCsr(const KMF_DATA *Value,
1928 	KMF_CSR_DATA **signed_csr_ptr_ptr)
1929 {
1930 	KMF_RETURN ret = KMF_OK;
1931 	BerElement *asn1 = NULL;
1932 	BerValue 	rawcsr;
1933 	int			tag;
1934 	ber_len_t	size;
1935 	char		*end = NULL;
1936 	char		*signature;
1937 	KMF_TBS_CSR	*tbscsr = NULL;
1938 	KMF_CSR_DATA *csrptr = NULL;
1939 
1940 	if (!signed_csr_ptr_ptr || !Value || !Value->Data || !Value->Length)
1941 		return (KMF_ERR_BAD_PARAMETER);
1942 
1943 	rawcsr.bv_val = (char *)Value->Data;
1944 	rawcsr.bv_len = Value->Length;
1945 
1946 	if ((asn1 = kmfder_init(&rawcsr)) == NULL)
1947 		return (KMF_ERR_MEMORY);
1948 
1949 	if (kmfber_first_element(asn1, &size, &end) !=
1950 		BER_CONSTRUCTED_SEQUENCE) {
1951 		ret = KMF_ERR_BAD_CERT_FORMAT;
1952 		goto cleanup;
1953 	}
1954 
1955 	csrptr = malloc(sizeof (KMF_CSR_DATA));
1956 	if (csrptr == NULL) {
1957 		ret = KMF_ERR_MEMORY;
1958 		goto cleanup;
1959 	}
1960 	(void) memset(csrptr, 0, sizeof (KMF_CSR_DATA));
1961 
1962 	ret = decode_tbscsr_data(asn1, &tbscsr);
1963 	if (ret != KMF_OK)
1964 		goto cleanup;
1965 
1966 	csrptr->csr = *tbscsr;
1967 	free(tbscsr);
1968 	tbscsr = NULL;
1969 
1970 	if ((ret = get_algoid(asn1,
1971 		&csrptr->signature.algorithmIdentifier)) != KMF_OK)
1972 		goto cleanup;
1973 
1974 	/* Check to see if the cert has a signature yet */
1975 	if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) {
1976 		/* Finally, get the encrypted signature BITSTRING */
1977 		if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) {
1978 			ret = KMF_ERR_BAD_CERT_FORMAT;
1979 			goto cleanup;
1980 		}
1981 		if (tag != BER_BIT_STRING) {
1982 			ret = KMF_ERR_BAD_CERT_FORMAT;
1983 			goto cleanup;
1984 		}
1985 		if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) {
1986 			ret = KMF_ERR_BAD_CERT_FORMAT;
1987 			goto cleanup;
1988 		}
1989 		csrptr->signature.encrypted.Data = (uchar_t *)signature;
1990 		csrptr->signature.encrypted.Length = size / 8;
1991 	} else {
1992 		csrptr->signature.encrypted.Data = NULL;
1993 		csrptr->signature.encrypted.Length = 0;
1994 	}
1995 
1996 	*signed_csr_ptr_ptr = csrptr;
1997 cleanup:
1998 	if (ret != KMF_OK) {
1999 		free_tbscsr(&csrptr->csr);
2000 		free_algoid(&csrptr->signature.algorithmIdentifier);
2001 		if (csrptr->signature.encrypted.Data)
2002 			free(csrptr->signature.encrypted.Data);
2003 
2004 		if (csrptr)
2005 			free(csrptr);
2006 
2007 		*signed_csr_ptr_ptr = NULL;
2008 	}
2009 	if (asn1)
2010 		kmfber_free(asn1, 1);
2011 
2012 	return (ret);
2013 
2014 }
2015 
2016 static KMF_RETURN
2017 encode_csr_extensions(BerElement *asn1, KMF_TBS_CSR *tbscsr)
2018 {
2019 	KMF_RETURN ret = KMF_OK;
2020 	int attlen = 0;
2021 	BerElement *extnasn1 = NULL;
2022 	BerValue *extnvalue = NULL;
2023 
2024 	/* Optional field: CSR attributes and extensions */
2025 	if (tbscsr->extensions.numberOfExtensions > 0) {
2026 		if (kmfber_printf(asn1, "T", 0xA0) == -1) {
2027 			ret = KMF_ERR_ENCODING;
2028 			goto cleanup;
2029 		}
2030 	} else {
2031 		/* No extensions or attributes to encode */
2032 		return (KMF_OK);
2033 	}
2034 
2035 	/*
2036 	 * attributes [0] Attributes
2037 	 * Attributes := SET OF Attribute
2038 	 * Attribute  := SEQUENCE {
2039 	 *   { ATTRIBUTE ID
2040 	 *	values SET SIZE(1..MAX) of ATTRIBUTE
2041 	 *   }
2042 	 *
2043 	 * Ex: { ExtensionRequest OID [ { {extn1 } , {extn2 } } ] }
2044 	 */
2045 
2046 	/*
2047 	 * Encode any extensions and add to the attributes section.
2048 	 */
2049 	if (tbscsr->extensions.numberOfExtensions > 0) {
2050 		extnasn1 = kmfder_alloc();
2051 		if (extnasn1 == NULL) {
2052 			ret = KMF_ERR_MEMORY;
2053 			goto cleanup;
2054 		}
2055 
2056 		if (kmfber_printf(extnasn1, "{D[{",
2057 			&extension_request_oid) == -1) {
2058 			ret = KMF_ERR_ENCODING;
2059 			goto cleanup_1;
2060 		}
2061 
2062 		if ((ret = encode_extension_list(extnasn1,
2063 			&tbscsr->extensions)) != KMF_OK) {
2064 			goto cleanup_1;
2065 		}
2066 
2067 		if (kmfber_printf(extnasn1, "}]}") == -1) {
2068 			ret = KMF_ERR_ENCODING;
2069 			goto cleanup_1;
2070 		}
2071 
2072 		if (kmfber_flatten(extnasn1, &extnvalue) == -1) {
2073 			ret = KMF_ERR_MEMORY;
2074 			goto cleanup_1;
2075 		}
2076 cleanup_1:
2077 		kmfber_free(extnasn1, 1);
2078 
2079 		if (ret == KMF_OK)
2080 			/* Add 2 bytes to cover the tag and the length */
2081 			attlen = extnvalue->bv_len;
2082 	}
2083 	if (ret != KMF_OK)
2084 		goto cleanup;
2085 
2086 	if (kmfber_printf(asn1, "l", attlen) == -1) {
2087 		ret = KMF_ERR_ENCODING;
2088 		goto cleanup;
2089 	}
2090 
2091 	/* Write the actual encoded extensions */
2092 	if (extnvalue != NULL && extnvalue->bv_val != NULL) {
2093 		if (kmfber_write(asn1, extnvalue->bv_val,
2094 			extnvalue->bv_len, 0) == -1) {
2095 			ret = KMF_ERR_ENCODING;
2096 			goto cleanup;
2097 		}
2098 	}
2099 
2100 cleanup:
2101 	/*
2102 	 * Memory cleanup is done in the caller or in the individual
2103 	 * encoding routines.
2104 	 */
2105 	if (extnvalue) {
2106 		if (extnvalue->bv_val)
2107 			free(extnvalue->bv_val);
2108 		free(extnvalue);
2109 	}
2110 
2111 	return (ret);
2112 }
2113 
2114 static KMF_RETURN
2115 encode_tbs_csr(BerElement *asn1, KMF_TBS_CSR *tbscsr)
2116 {
2117 	KMF_RETURN ret = KMF_OK;
2118 	uint32_t version;
2119 
2120 	/* Start the version */
2121 	(void) memcpy(&version, tbscsr->version.Data,
2122 		tbscsr->version.Length);
2123 
2124 	if (kmfber_printf(asn1, "{i", version) == -1) {
2125 		ret = KMF_ERR_BAD_CERT_FORMAT;
2126 		goto cleanup;
2127 	}
2128 
2129 	/* Encode the Subject RDN */
2130 	if ((ret = encode_rdn(asn1, &tbscsr->subject)) != KMF_OK)
2131 		goto cleanup;
2132 
2133 	/* Encode the Subject Public Key Info */
2134 	if ((ret = encode_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK)
2135 		goto cleanup;
2136 
2137 
2138 	if ((ret = encode_csr_extensions(asn1, tbscsr)) != KMF_OK)
2139 		goto cleanup;
2140 
2141 	/* Close out the TBSCert sequence */
2142 	if (kmfber_printf(asn1, "}") == -1) {
2143 		ret = KMF_ERR_BAD_CERT_FORMAT;
2144 		goto cleanup;
2145 	}
2146 
2147 cleanup:
2148 	return (ret);
2149 }
2150 
2151 KMF_RETURN
2152 DerEncodeDSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_DSA_KEY *dsa)
2153 {
2154 	KMF_RETURN rv = KMF_OK;
2155 	BerElement *asn1 = NULL;
2156 	BerValue  *dsadata = NULL;
2157 
2158 	asn1 = kmfder_alloc();
2159 	if (asn1 == NULL)
2160 		return (KMF_ERR_MEMORY);
2161 
2162 	if (kmfber_printf(asn1, "I",
2163 		dsa->value.val, dsa->value.len) == -1) {
2164 		rv = KMF_ERR_MEMORY;
2165 		goto cleanup;
2166 	}
2167 
2168 	if (kmfber_flatten(asn1, &dsadata) == -1) {
2169 		rv = KMF_ERR_MEMORY;
2170 		goto cleanup;
2171 	}
2172 
2173 	encodedkey->Data = (uchar_t *)dsadata->bv_val;
2174 	encodedkey->Length = dsadata->bv_len;
2175 
2176 	free(dsadata);
2177 cleanup:
2178 	kmfber_free(asn1, 1);
2179 	return (rv);
2180 }
2181 
2182 KMF_RETURN
2183 DerEncodeRSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_RSA_KEY *rsa)
2184 {
2185 	KMF_RETURN rv = KMF_OK;
2186 	BerElement *asn1 = NULL;
2187 	uchar_t ver = 0;
2188 	BerValue  *rsadata = NULL;
2189 
2190 	asn1 = kmfder_alloc();
2191 	if (asn1 == NULL)
2192 		return (KMF_ERR_MEMORY);
2193 
2194 	if (kmfber_printf(asn1, "{IIIIIIIII}",
2195 		&ver, 1,
2196 		rsa->mod.val, rsa->mod.len,
2197 		rsa->pubexp.val, rsa->pubexp.len,
2198 		rsa->priexp.val, rsa->priexp.len,
2199 		rsa->prime1.val, rsa->prime1.len,
2200 		rsa->prime2.val, rsa->prime2.len,
2201 		rsa->exp1.val, rsa->exp1.len,
2202 		rsa->exp2.val, rsa->exp2.len,
2203 		rsa->coef.val, rsa->coef.len) == -1)
2204 		goto cleanup;
2205 
2206 	if (kmfber_flatten(asn1, &rsadata) == -1) {
2207 		rv = KMF_ERR_MEMORY;
2208 		goto cleanup;
2209 	}
2210 
2211 	encodedkey->Data = (uchar_t *)rsadata->bv_val;
2212 	encodedkey->Length = rsadata->bv_len;
2213 
2214 	free(rsadata);
2215 cleanup:
2216 	kmfber_free(asn1, 1);
2217 	return (rv);
2218 }
2219 
2220 
2221 KMF_RETURN
2222 DerEncodeTbsCsr(KMF_TBS_CSR *tbs_csr_ptr,
2223 	KMF_DATA *enc_tbs_csr_ptr)
2224 {
2225 	KMF_RETURN ret;
2226 	BerValue  *tbsdata = NULL;
2227 	BerElement *asn1 = NULL;
2228 
2229 	asn1 = kmfder_alloc();
2230 
2231 	enc_tbs_csr_ptr->Data = NULL;
2232 	enc_tbs_csr_ptr->Length = 0;
2233 
2234 	if (asn1 == NULL)
2235 		return (KMF_ERR_MEMORY);
2236 
2237 	ret = encode_tbs_csr(asn1, tbs_csr_ptr);
2238 	if (ret != KMF_OK)
2239 		goto cleanup;
2240 
2241 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
2242 		ret = KMF_ERR_MEMORY;
2243 		goto cleanup;
2244 	}
2245 
2246 	enc_tbs_csr_ptr->Data = (uchar_t *)tbsdata->bv_val;
2247 	enc_tbs_csr_ptr->Length = tbsdata->bv_len;
2248 
2249 cleanup:
2250 	if (ret != KMF_OK)
2251 		free_data(enc_tbs_csr_ptr);
2252 
2253 	if (asn1 != NULL)
2254 		kmfber_free(asn1, 1);
2255 
2256 	if (tbsdata)
2257 		free(tbsdata);
2258 
2259 	return (ret);
2260 }
2261 
2262 KMF_RETURN
2263 DerEncodeSignedCsr(KMF_CSR_DATA *signed_csr_ptr,
2264 	KMF_DATA *encodedcsr)
2265 {
2266 	KMF_RETURN ret = KMF_OK;
2267 	KMF_TBS_CSR *tbscsr = NULL;
2268 	KMF_X509_SIGNATURE		*signature = NULL;
2269 	BerElement	*asn1 = NULL;
2270 	BerValue 	*tbsdata = NULL;
2271 
2272 	if (signed_csr_ptr == NULL)
2273 		return (KMF_ERR_BAD_PARAMETER);
2274 
2275 	tbscsr = &signed_csr_ptr->csr;
2276 	signature = &signed_csr_ptr->signature;
2277 
2278 	asn1 = kmfder_alloc();
2279 	if (asn1 == NULL)
2280 		return (KMF_ERR_MEMORY);
2281 
2282 	/* Start outer CSR SEQUENCE */
2283 	if (kmfber_printf(asn1, "{") == -1) {
2284 		ret = KMF_ERR_BAD_CERT_FORMAT;
2285 		goto cleanup;
2286 	}
2287 
2288 	ret = encode_tbs_csr(asn1, tbscsr);
2289 
2290 	/* Add the Algorithm & Signature Sequence */
2291 	if ((ret = encode_algoid(asn1,
2292 		&signature->algorithmIdentifier)) != KMF_OK)
2293 		goto cleanup;
2294 
2295 	if (signature->encrypted.Length > 0) {
2296 		if (kmfber_printf(asn1, "B", signature->encrypted.Data,
2297 			signature->encrypted.Length * 8) == -1) {
2298 			ret = KMF_ERR_BAD_CERT_FORMAT;
2299 			goto cleanup;
2300 		}
2301 	}
2302 
2303 	if (kmfber_printf(asn1, "}") == -1) {
2304 		ret = KMF_ERR_BAD_CERT_FORMAT;
2305 		goto cleanup;
2306 	}
2307 
2308 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
2309 		ret = KMF_ERR_MEMORY;
2310 		goto cleanup;
2311 	}
2312 
2313 	encodedcsr->Data = (uchar_t *)tbsdata->bv_val;
2314 	encodedcsr->Length = tbsdata->bv_len;
2315 
2316 cleanup:
2317 	if (ret != KMF_OK) {
2318 		free_data(encodedcsr);
2319 	}
2320 
2321 	if (tbsdata)
2322 		free(tbsdata);
2323 
2324 	if (asn1)
2325 		kmfber_free(asn1, 1);
2326 	return (ret);
2327 }
2328 
2329 KMF_RETURN
2330 ExtractSPKIData(
2331 	const KMF_X509_SPKI *pKey,
2332 	KMF_ALGORITHM_INDEX AlgorithmId,
2333 	KMF_DATA *pKeyParts,
2334 	uint32_t *uNumKeyParts)
2335 {
2336 	KMF_RETURN ret = KMF_OK;
2337 	BerElement *asn1 = NULL;
2338 	BerValue 	*P, *Q, *G, *Mod, *Exp, *PubKey;
2339 	BerValue	PubKeyParams, PubKeyData;
2340 
2341 	if (pKeyParts == NULL || uNumKeyParts == NULL || pKey == NULL)
2342 		return (KMF_ERR_BAD_PARAMETER);
2343 
2344 	switch (AlgorithmId) {
2345 	    case KMF_ALGID_DSA:
2346 	    case KMF_ALGID_SHA1WithDSA:
2347 		/* First, get the parameters from the algorithm definition */
2348 		PubKeyParams.bv_val = (char *)pKey->algorithm.parameters.Data;
2349 		PubKeyParams.bv_len = pKey->algorithm.parameters.Length;
2350 		if ((asn1 = kmfder_init(&PubKeyParams)) == NULL)
2351 			return (KMF_ERR_MEMORY);
2352 
2353 		if (kmfber_scanf(asn1, "{III}", &P, &Q, &G) == -1) {
2354 			kmfber_free(asn1, 1);
2355 			return (KMF_ERR_BAD_KEY_FORMAT);
2356 		}
2357 		pKeyParts[KMF_DSA_PRIME].Data = (uchar_t *)P->bv_val;
2358 		pKeyParts[KMF_DSA_PRIME].Length = P->bv_len;
2359 		pKeyParts[KMF_DSA_SUB_PRIME].Data = (uchar_t *)Q->bv_val;
2360 		pKeyParts[KMF_DSA_SUB_PRIME].Length = Q->bv_len;
2361 		pKeyParts[KMF_DSA_BASE].Data = (uchar_t *)G->bv_val;
2362 		pKeyParts[KMF_DSA_BASE].Length = G->bv_len;
2363 
2364 		free(P);
2365 		free(Q);
2366 		free(G);
2367 		kmfber_free(asn1, 1);
2368 
2369 		/* Get the PubKey data */
2370 		PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data;
2371 		PubKeyData.bv_len = pKey->subjectPublicKey.Length;
2372 		if ((asn1 = kmfder_init(&PubKeyData)) == NULL) {
2373 			ret = KMF_ERR_MEMORY;
2374 			goto cleanup;
2375 		}
2376 		PubKey = NULL;
2377 		if (kmfber_scanf(asn1, "I", &PubKey) == -1) {
2378 			ret = KMF_ERR_BAD_KEY_FORMAT;
2379 			goto cleanup;
2380 		}
2381 		pKeyParts[KMF_DSA_PUBLIC_VALUE].Data =
2382 			(uchar_t *)PubKey->bv_val;
2383 		pKeyParts[KMF_DSA_PUBLIC_VALUE].Length = PubKey->bv_len;
2384 
2385 		free(PubKey);
2386 
2387 		*uNumKeyParts = KMF_NUMBER_DSA_PUBLIC_KEY_PARTS;
2388 		break;
2389 
2390 	    case KMF_ALGID_RSA:
2391 	    case KMF_ALGID_MD2WithRSA:
2392 	    case KMF_ALGID_MD5WithRSA:
2393 	    case KMF_ALGID_SHA1WithRSA:
2394 		PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data;
2395 		PubKeyData.bv_len = pKey->subjectPublicKey.Length;
2396 		if ((asn1 = kmfder_init(&PubKeyData)) == NULL) {
2397 			ret = KMF_ERR_MEMORY;
2398 			goto cleanup;
2399 		}
2400 		if (kmfber_scanf(asn1, "{II}", &Mod, &Exp) == -1) {
2401 			ret = KMF_ERR_BAD_KEY_FORMAT;
2402 			goto cleanup;
2403 		}
2404 		pKeyParts[KMF_RSA_MODULUS].Data = (uchar_t *)Mod->bv_val;
2405 		pKeyParts[KMF_RSA_MODULUS].Length = Mod->bv_len;
2406 		pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Data =
2407 			(uchar_t *)Exp->bv_val;
2408 		pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Length = Exp->bv_len;
2409 		*uNumKeyParts = KMF_NUMBER_RSA_PUBLIC_KEY_PARTS;
2410 
2411 		free(Mod);
2412 		free(Exp);
2413 		break;
2414 	    default:
2415 		return (KMF_ERR_BAD_PARAMETER);
2416 	}
2417 cleanup:
2418 	if (ret != KMF_OK) {
2419 		int i;
2420 		for (i = 0; i < *uNumKeyParts; i++)
2421 			free_data(&pKeyParts[i]);
2422 	}
2423 	if (asn1 != NULL) {
2424 		kmfber_free(asn1, 1);
2425 	}
2426 
2427 	return (ret);
2428 }
2429