xref: /titanic_50/usr/src/lib/libkmf/ber_der/common/clasn1.c (revision b02e9a2d4d2071d770e5aa9ae8f83f2bbe1f2ced)
1 /*
2  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 /*
6  * Copyright (c) 1995-1999 Intel Corporation. All rights reserved.
7  */
8 
9 #pragma ident	"%Z%%M%	%I%	%E% SMI"
10 
11 #include <strings.h>
12 #include <kmftypes.h>
13 #include <ber_der.h>
14 #include <kmfapi.h>
15 #include <kmfapiP.h>
16 
17 #include <stdio.h>
18 
19 #define	DSA_RAW_SIG_LEN	40
20 
21 static uint8_t OID_ExtensionRequest[] = { OID_PKCS_9, 14 };
22 const KMF_OID extension_request_oid = {OID_PKCS_9_LENGTH + 1,
23 	OID_ExtensionRequest};
24 
25 static KMF_RETURN
26 encode_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid)
27 {
28 	KMF_RETURN ret = KMF_OK;
29 
30 	if (kmfber_printf(asn1, "{D", &algoid->algorithm) == -1) {
31 		ret = KMF_ERR_BAD_CERT_FORMAT;
32 	}
33 	if (algoid->parameters.Data == NULL ||
34 	    algoid->parameters.Length == 0) {
35 		if (kmfber_printf(asn1, "n}") == -1)
36 			return (KMF_ERR_BAD_CERT_FORMAT);
37 	} else {
38 		/*
39 		 * The algorithm data can be anything, so we just write it
40 		 * straight into the buffer.  It is already DER encoded.
41 		 */
42 		(void) kmfber_write(asn1, (char *)algoid->parameters.Data,
43 		    algoid->parameters.Length, 0);
44 		if (kmfber_printf(asn1, "}") == -1) {
45 			ret = KMF_ERR_BAD_CERT_FORMAT;
46 		}
47 	}
48 
49 	return (ret);
50 }
51 
52 static void
53 free_data(KMF_DATA *data)
54 {
55 	if (data == NULL || data->Data == NULL)
56 		return;
57 
58 	free(data->Data);
59 	data->Data = NULL;
60 	data->Length = 0;
61 }
62 
63 static void
64 free_algoid(KMF_X509_ALGORITHM_IDENTIFIER *algoid)
65 {
66 	free_data(&algoid->algorithm);
67 	free_data(&algoid->parameters);
68 }
69 
70 static void
71 free_decoded_spki(KMF_X509_SPKI *spki)
72 {
73 	if (spki != NULL) {
74 		free_algoid(&spki->algorithm);
75 		free_data(&spki->subjectPublicKey);
76 	}
77 }
78 
79 static void
80 free_rdn_data(KMF_X509_NAME *name)
81 {
82 	KMF_X509_RDN 		*newrdn = NULL;
83 	KMF_X509_TYPE_VALUE_PAIR *av = NULL;
84 	int i, j;
85 
86 	if (name && name->numberOfRDNs) {
87 		for (i = 0; i < name->numberOfRDNs; i++) {
88 			newrdn = &name->RelativeDistinguishedName[i];
89 			for (j = 0; j < newrdn->numberOfPairs; j++) {
90 				av = &newrdn->AttributeTypeAndValue[j];
91 				free_data(&av->type);
92 				free_data(&av->value);
93 			}
94 			free(newrdn->AttributeTypeAndValue);
95 		}
96 		free(name->RelativeDistinguishedName);
97 		name->numberOfRDNs = 0;
98 		name->RelativeDistinguishedName = NULL;
99 	}
100 }
101 
102 static void
103 free_validity(KMF_X509_VALIDITY *validity)
104 {
105 	free_data(&validity->notBefore.time);
106 	free_data(&validity->notAfter.time);
107 }
108 
109 static void
110 free_one_extension(KMF_X509_EXTENSION *exptr)
111 {
112 	free_data(&exptr->extnId);
113 	free_data(&exptr->BERvalue);
114 
115 	if (exptr->value.tagAndValue) {
116 		free_data(&exptr->value.tagAndValue->value);
117 		free(exptr->value.tagAndValue);
118 	}
119 }
120 
121 static void
122 free_extensions(KMF_X509_EXTENSIONS *extns)
123 {
124 	int i;
125 	KMF_X509_EXTENSION *exptr;
126 
127 	if (extns && extns->numberOfExtensions > 0) {
128 		for (i = 0; i < extns->numberOfExtensions; i++) {
129 			exptr = &extns->extensions[i];
130 			free_one_extension(exptr);
131 		}
132 		free(extns->extensions);
133 		extns->numberOfExtensions = 0;
134 		extns->extensions = NULL;
135 	}
136 }
137 
138 static void
139 free_tbscsr(KMF_TBS_CSR *tbscsr)
140 {
141 	if (tbscsr) {
142 		free_data(&tbscsr->version);
143 
144 		free_rdn_data(&tbscsr->subject);
145 
146 		free_decoded_spki(&tbscsr->subjectPublicKeyInfo);
147 
148 		free_extensions(&tbscsr->extensions);
149 	}
150 }
151 
152 
153 static void
154 free_bigint(KMF_BIGINT *bn)
155 {
156 	if (bn != NULL && bn->val != NULL) {
157 		free(bn->val);
158 		bn->val = NULL;
159 		bn->len = 0;
160 	}
161 }
162 
163 static void
164 free_tbscert(KMF_X509_TBS_CERT *tbscert)
165 {
166 	if (tbscert) {
167 		free_data(&tbscert->version);
168 		free_bigint(&tbscert->serialNumber);
169 		free_algoid(&tbscert->signature);
170 
171 		free_rdn_data(&tbscert->issuer);
172 		free_rdn_data(&tbscert->subject);
173 
174 		free_validity(&tbscert->validity);
175 
176 		free_data(&tbscert->issuerUniqueIdentifier);
177 		free_data(&tbscert->subjectUniqueIdentifier);
178 		free_decoded_spki(&tbscert->subjectPublicKeyInfo);
179 		free_extensions(&tbscert->extensions);
180 
181 		free_data(&tbscert->issuerUniqueIdentifier);
182 		free_data(&tbscert->subjectUniqueIdentifier);
183 	}
184 }
185 
186 static void
187 free_decoded_cert(KMF_X509_CERTIFICATE *certptr)
188 {
189 	if (!certptr)
190 		return;
191 
192 	free_tbscert(&certptr->certificate);
193 
194 	free_algoid(&certptr->signature.algorithmIdentifier);
195 	free_data(&certptr->signature.encrypted);
196 }
197 
198 static KMF_RETURN
199 get_algoid(BerElement *asn1, KMF_X509_ALGORITHM_IDENTIFIER *algoid)
200 {
201 	KMF_RETURN ret = KMF_OK;
202 	ber_tag_t tag, newtag;
203 	ber_len_t size;
204 	BerValue AlgOID = {NULL, 0};
205 
206 	tag = kmfber_next_element(asn1, &size, NULL);
207 	if (tag != BER_CONSTRUCTED_SEQUENCE)
208 		return (KMF_ERR_BAD_CERT_FORMAT);
209 
210 	if ((tag = kmfber_scanf(asn1, "{Dt", &AlgOID, &newtag)) == -1) {
211 		return (KMF_ERR_BAD_CERT_FORMAT);
212 	}
213 	algoid->algorithm.Data = (uchar_t *)AlgOID.bv_val;
214 	algoid->algorithm.Length = AlgOID.bv_len;
215 
216 	if (newtag == BER_NULL) {
217 		(void) kmfber_scanf(asn1, "n}");
218 		algoid->parameters.Data = NULL;
219 		algoid->parameters.Length = 0;
220 	} else {
221 		/* Peek at the tag and length bytes */
222 		if ((kmfber_scanf(asn1, "tl", &tag, &size)) == -1) {
223 			ret = KMF_ERR_BAD_CERT_FORMAT;
224 			goto cleanup;
225 		}
226 
227 		/*
228 		 * We need to read the tag and the length bytes too,
229 		 * so adjust the size.
230 		 */
231 		size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size);
232 		algoid->parameters.Data = malloc(size);
233 		if (algoid->parameters.Data == NULL) {
234 			ret = KMF_ERR_MEMORY;
235 			goto cleanup;
236 		}
237 		/* read the raw data into the Algoritm params area. */
238 		if (kmfber_read(asn1, (char *)algoid->parameters.Data,
239 		    size) == -1) {
240 			ret = KMF_ERR_BAD_CERT_FORMAT;
241 			goto cleanup;
242 		}
243 		algoid->parameters.Length = size;
244 		if ((tag = kmfber_scanf(asn1, "}")) == -1) {
245 			ret = KMF_ERR_BAD_CERT_FORMAT;
246 		}
247 	}
248 cleanup:
249 	if (ret != KMF_OK) {
250 		free_algoid(algoid);
251 	}
252 
253 	return (ret);
254 }
255 
256 static KMF_RETURN
257 CopyData(KMF_DATA *src, KMF_DATA *dst)
258 {
259 	if (src && dst && src->Data != NULL && src->Length > 0) {
260 		dst->Length = src->Length;
261 		dst->Data = malloc(dst->Length);
262 		if (dst->Data == NULL)
263 			return (KMF_ERR_MEMORY);
264 		(void) memcpy(dst->Data, src->Data, src->Length);
265 	}
266 	return (KMF_OK);
267 }
268 
269 static KMF_RETURN
270 encode_spki(BerElement *asn1, KMF_X509_SPKI *spki)
271 {
272 	KMF_RETURN ret = KMF_OK;
273 
274 	if (kmfber_printf(asn1, "{") == -1)
275 		return (KMF_ERR_BAD_CERT_FORMAT);
276 
277 	if ((ret = encode_algoid(asn1, &spki->algorithm)) != KMF_OK)
278 		return (ret);
279 
280 	if (kmfber_printf(asn1, "B}", spki->subjectPublicKey.Data,
281 	    spki->subjectPublicKey.Length * 8) == -1)
282 		return (KMF_ERR_BAD_CERT_FORMAT);
283 
284 	return (ret);
285 }
286 
287 KMF_RETURN
288 DerEncodeSPKI(KMF_X509_SPKI *spki, KMF_DATA *EncodedSPKI)
289 {
290 	KMF_RETURN ret = KMF_OK;
291 	BerElement *asn1;
292 	BerValue *result;
293 
294 	if (spki == NULL || EncodedSPKI == NULL)
295 		return (KMF_ERR_BAD_PARAMETER);
296 
297 	if ((asn1 = kmfder_alloc()) == NULL)
298 		return (KMF_ERR_MEMORY);
299 
300 	if ((ret = encode_spki(asn1, spki)) != KMF_OK) {
301 		return (ret);
302 	}
303 
304 	if (kmfber_flatten(asn1, &result) == -1) {
305 		kmfber_free(asn1, 1);
306 		return (KMF_ERR_ENCODING);
307 	}
308 
309 	EncodedSPKI->Data = (uchar_t *)result->bv_val;
310 	EncodedSPKI->Length = result->bv_len;
311 
312 	free(result);
313 	kmfber_free(asn1, 1);
314 	return (KMF_OK);
315 }
316 
317 static KMF_RETURN
318 get_spki(BerElement *asn1, KMF_X509_SPKI *spki)
319 {
320 	KMF_RETURN ret = KMF_OK;
321 	char *bitstr = NULL;
322 	ber_len_t size;
323 
324 	if (kmfber_scanf(asn1, "{") == -1)
325 		return (KMF_ERR_BAD_CERT_FORMAT);
326 
327 	if ((ret = get_algoid(asn1, &spki->algorithm)) != KMF_OK)
328 		return (ret);
329 
330 	if (kmfber_scanf(asn1, "B}", &bitstr, &size) == BER_BIT_STRING) {
331 		spki->subjectPublicKey.Data = (uchar_t *)bitstr;
332 		spki->subjectPublicKey.Length = size / 8;
333 	} else {
334 		ret = KMF_ERR_BAD_CERT_FORMAT;
335 		goto cleanup;
336 	}
337 cleanup:
338 	if (ret != KMF_OK) {
339 		if (bitstr != NULL)
340 			free(bitstr);
341 		spki->subjectPublicKey.Data = NULL;
342 		spki->subjectPublicKey.Length = 0;
343 
344 		free_algoid(&spki->algorithm);
345 	}
346 	return (ret);
347 }
348 
349 KMF_RETURN
350 DerEncodeDSASignature(KMF_DATA *rawdata, KMF_DATA *signature)
351 {
352 	BerElement *asn1;
353 	BerValue *buf;
354 	int n;
355 
356 	if (rawdata == NULL || signature == NULL)
357 		return (KMF_ERR_BAD_PARAMETER);
358 
359 	if (rawdata->Data == NULL || rawdata->Length != DSA_RAW_SIG_LEN)
360 		return (KMF_ERR_BAD_PARAMETER);
361 
362 	asn1 = kmfder_alloc();
363 	if (asn1 == NULL)
364 		return (KMF_ERR_MEMORY);
365 
366 	/*
367 	 * The DSA signature is the concatenation of 2 SHA-1 hashed
368 	 * bignum values.
369 	 */
370 	n = DSA_RAW_SIG_LEN/2;
371 	if (kmfber_printf(asn1, "{II}",
372 	    rawdata->Data, n, &rawdata->Data[n], n) == -1) {
373 		kmfber_free(asn1, 1);
374 		return (KMF_ERR_MEMORY);
375 	}
376 
377 	if (kmfber_flatten(asn1, &buf) == -1) {
378 		kmfber_free(asn1, 1);
379 		return (KMF_ERR_ENCODING);
380 	}
381 
382 	signature->Data = (uchar_t *)buf->bv_val;
383 	signature->Length = buf->bv_len;
384 
385 	kmfber_free(asn1, 1);
386 	free(buf);
387 
388 	return (KMF_OK);
389 }
390 
391 KMF_RETURN
392 DerDecodeDSASignature(KMF_DATA *encoded, KMF_DATA *signature)
393 {
394 	KMF_RETURN ret = KMF_OK;
395 	BerElement *asn1 = NULL;
396 	BerValue buf, *R = NULL, *S = NULL;
397 
398 	buf.bv_val = (char *)encoded->Data;
399 	buf.bv_len = encoded->Length;
400 
401 	if (encoded == NULL || encoded->Data == NULL ||
402 	    signature == NULL)
403 		return (KMF_ERR_BAD_PARAMETER);
404 
405 	signature->Data = NULL;
406 	signature->Length = 0;
407 
408 	if ((asn1 = kmfder_init(&buf)) == NULL)
409 		return (KMF_ERR_MEMORY);
410 
411 	if (kmfber_scanf(asn1, "{II}", &R, &S) == -1) {
412 		ret = KMF_ERR_BAD_PARAMETER;
413 		goto cleanup;
414 	}
415 	signature->Length = R->bv_len + S->bv_len;
416 	signature->Data = malloc(signature->Length);
417 	if (signature->Data == NULL)  {
418 		ret = KMF_ERR_MEMORY;
419 		goto cleanup;
420 	}
421 	(void) memcpy(signature->Data, R->bv_val, R->bv_len);
422 	(void) memcpy(&signature->Data[R->bv_len], S->bv_val, S->bv_len);
423 
424 cleanup:
425 	if (R && R->bv_val)
426 		free(R->bv_val);
427 	if (S && S->bv_val)
428 		free(S->bv_val);
429 
430 	if (S) free(S);
431 	if (R) free(R);
432 
433 	if (asn1) kmfber_free(asn1, 1);
434 
435 	return (ret);
436 }
437 
438 KMF_RETURN
439 DerDecodeSPKI(KMF_DATA *EncodedSPKI, KMF_X509_SPKI *spki)
440 {
441 	KMF_RETURN ret = KMF_OK;
442 	BerElement *asn1;
443 	BerValue bv;
444 
445 	if (EncodedSPKI == NULL || EncodedSPKI->Data == NULL ||
446 	    spki == NULL)
447 		return (KMF_ERR_BAD_PARAMETER);
448 
449 	(void) memset(spki, 0, sizeof (KMF_X509_SPKI));
450 
451 	bv.bv_val = (char *)EncodedSPKI->Data;
452 	bv.bv_len = EncodedSPKI->Length;
453 
454 	if ((asn1 = kmfder_init(&bv)) == NULL)
455 		return (KMF_ERR_MEMORY);
456 
457 	ret = get_spki(asn1, spki);
458 
459 cleanup:
460 	if (ret != KMF_OK) {
461 		free_decoded_spki(spki);
462 	}
463 	kmfber_free(asn1, 1);
464 
465 	return (ret);
466 }
467 
468 KMF_RETURN
469 CopySPKI(KMF_X509_SPKI *src,
470 		KMF_X509_SPKI **dest)
471 {
472 	KMF_RETURN ret = KMF_OK;
473 	KMF_X509_SPKI *newspki;
474 
475 	*dest = NULL;
476 
477 	newspki = malloc(sizeof (KMF_X509_SPKI));
478 	if (newspki == NULL)
479 		return (KMF_ERR_MEMORY);
480 	(void) memset(newspki, 0, sizeof (KMF_X509_SPKI));
481 
482 	ret = CopyData(&src->algorithm.algorithm,
483 	    &newspki->algorithm.algorithm);
484 	if (ret != KMF_OK)
485 		goto cleanup;
486 
487 	ret = CopyData(&src->algorithm.parameters,
488 	    &newspki->algorithm.parameters);
489 	if (ret != KMF_OK)
490 		goto cleanup;
491 
492 	ret = CopyData(&src->subjectPublicKey,
493 	    &newspki->subjectPublicKey);
494 	if (ret != KMF_OK)
495 		goto cleanup;
496 
497 	*dest = newspki;
498 cleanup:
499 	if (ret != KMF_OK) {
500 		if (newspki)
501 			free_decoded_spki(newspki);
502 	}
503 	return (ret);
504 }
505 
506 static KMF_RETURN
507 encode_validity(BerElement *asn1, KMF_X509_VALIDITY *validity)
508 {
509 	int ret;
510 
511 	ret = kmfber_printf(asn1, "{tsts}",
512 	    validity->notBefore.timeType,
513 	    validity->notBefore.time.Data,
514 	    validity->notAfter.timeType,
515 	    validity->notAfter.time.Data);
516 
517 	if (ret == -1)
518 		return (KMF_ERR_BAD_CERT_FORMAT);
519 
520 	return (KMF_OK);
521 }
522 
523 static KMF_RETURN
524 get_validity(BerElement *asn1, KMF_X509_VALIDITY *validity)
525 {
526 	KMF_RETURN ret = KMF_OK;
527 	int tag;
528 	int t1, t2;
529 	ber_len_t size;
530 	char *t1str, *t2str;
531 
532 	(void) memset(validity, 0, sizeof (KMF_X509_VALIDITY));
533 
534 	tag = kmfber_next_element(asn1, &size, NULL);
535 	if (tag != BER_CONSTRUCTED_SEQUENCE) {
536 		return (KMF_ERR_BAD_CERT_FORMAT);
537 	}
538 
539 	if (kmfber_scanf(asn1, "{tata}", &t1, &t1str, &t2, &t2str) == -1) {
540 		return (KMF_ERR_BAD_CERT_FORMAT);
541 	}
542 
543 	validity->notBefore.timeType = t1;
544 	validity->notBefore.time.Data = (uchar_t *)t1str;
545 	validity->notBefore.time.Length = strlen(t1str);
546 
547 	validity->notAfter.timeType = t2;
548 	validity->notAfter.time.Data = (uchar_t *)t2str;
549 	validity->notAfter.time.Length = strlen(t2str);
550 
551 	return (ret);
552 }
553 
554 KMF_RETURN
555 AddRDN(KMF_X509_NAME *name, KMF_X509_RDN *newrdn)
556 {
557 	KMF_RETURN ret = KMF_OK;
558 	KMF_X509_RDN *rdnslot = NULL;
559 
560 	/* Add new RDN record to existing list */
561 	name->numberOfRDNs++;
562 	name->RelativeDistinguishedName =
563 	    realloc(name->RelativeDistinguishedName,
564 	    name->numberOfRDNs * sizeof (KMF_X509_RDN));
565 
566 	if (name->RelativeDistinguishedName == NULL) {
567 		ret = KMF_ERR_MEMORY;
568 		goto cleanup;
569 	}
570 	rdnslot = &name->RelativeDistinguishedName[name->numberOfRDNs-1];
571 
572 	if (newrdn) {
573 		(void) memcpy(rdnslot, newrdn, sizeof (KMF_X509_RDN));
574 	} else {
575 		rdnslot->numberOfPairs = 0;
576 		rdnslot->AttributeTypeAndValue = NULL;
577 	}
578 
579 cleanup:
580 	/* No cleanup needed here */
581 	return (ret);
582 }
583 
584 static KMF_RETURN
585 encode_rdn(BerElement *asn1, KMF_X509_NAME *name)
586 {
587 	KMF_RETURN ret = KMF_OK;
588 	KMF_X509_TYPE_VALUE_PAIR *attrtvpair = NULL;
589 	int i;
590 	KMF_X509_RDN *rdn;
591 
592 	if (kmfber_printf(asn1, "{") == -1) {
593 		ret = KMF_ERR_MEMORY;
594 		goto cleanup;
595 	}
596 
597 	for (i = 0; i < name->numberOfRDNs; i++) {
598 		if (kmfber_printf(asn1, "[") == -1) {
599 			ret = KMF_ERR_MEMORY;
600 			goto cleanup;
601 		}
602 		rdn = &name->RelativeDistinguishedName[i];
603 		attrtvpair = rdn->AttributeTypeAndValue;
604 
605 		if (rdn->numberOfPairs > 0) {
606 			if (kmfber_printf(asn1, "{Dto}",
607 			    &attrtvpair->type,
608 			    attrtvpair->valueType,
609 			    attrtvpair->value.Data,
610 			    attrtvpair->value.Length) == -1) {
611 				ret = KMF_ERR_MEMORY;
612 				goto cleanup;
613 			}
614 		}
615 		if (kmfber_printf(asn1, "]") == -1) {
616 			ret = KMF_ERR_MEMORY;
617 			goto cleanup;
618 		}
619 	}
620 
621 	if (kmfber_printf(asn1, "}") == -1) {
622 		ret = KMF_ERR_MEMORY;
623 		goto cleanup;
624 	}
625 
626 cleanup:
627 	/* No cleanup needed here */
628 
629 	return (ret);
630 }
631 
632 
633 KMF_RETURN
634 CopyRDN(KMF_X509_NAME *srcname, KMF_X509_NAME **destname)
635 {
636 	KMF_RETURN ret = KMF_OK;
637 	KMF_X509_NAME 		*newname = NULL;
638 	KMF_X509_RDN 		*rdn, *dstrdn;
639 	KMF_X509_TYPE_VALUE_PAIR *av = NULL;
640 	KMF_X509_TYPE_VALUE_PAIR *srcav = NULL;
641 	KMF_X509_TYPE_VALUE_PAIR *dstav = NULL;
642 	int i, j;
643 
644 	newname = malloc(sizeof (KMF_X509_NAME));
645 	if (newname == NULL)
646 		return (KMF_ERR_MEMORY);
647 	(void) memset(newname, 0, sizeof (KMF_X509_NAME));
648 
649 	newname->numberOfRDNs = srcname->numberOfRDNs;
650 	newname->RelativeDistinguishedName = malloc(newname->numberOfRDNs *
651 	    sizeof (KMF_X509_RDN));
652 	if (newname->RelativeDistinguishedName == NULL) {
653 		free(newname);
654 		return (KMF_ERR_MEMORY);
655 	}
656 	/* Copy each RDN in the list */
657 	for (i = 0; i < newname->numberOfRDNs; i++) {
658 		rdn = &srcname->RelativeDistinguishedName[i];
659 
660 		dstrdn = &newname->RelativeDistinguishedName[i];
661 		(void) memset(dstrdn, 0, sizeof (KMF_X509_RDN));
662 
663 		dstrdn->numberOfPairs = rdn->numberOfPairs;
664 		if (dstrdn->numberOfPairs > 0) {
665 			av = malloc(dstrdn->numberOfPairs *
666 			    sizeof (KMF_X509_TYPE_VALUE_PAIR));
667 			if (av == NULL) {
668 				ret = KMF_ERR_MEMORY;
669 				goto cleanup;
670 			}
671 			(void) memset(av, 0, dstrdn->numberOfPairs *
672 			    sizeof (KMF_X509_TYPE_VALUE_PAIR));
673 
674 			dstrdn->AttributeTypeAndValue = av;
675 			if (av == NULL) {
676 				ret = KMF_ERR_MEMORY;
677 				goto cleanup;
678 			}
679 			/* Copy each A/V pair in the list */
680 			for (j = 0; j < dstrdn->numberOfPairs; j++) {
681 				srcav = &rdn->AttributeTypeAndValue[j];
682 				dstav = &dstrdn->AttributeTypeAndValue[j];
683 				if ((ret = CopyData(&srcav->type,
684 				    &dstav->type)) != KMF_OK)
685 					goto cleanup;
686 				dstav->valueType = srcav->valueType;
687 				if ((ret = CopyData(&srcav->value,
688 				    &dstav->value)) != KMF_OK)
689 					goto cleanup;
690 			}
691 		} else {
692 			dstrdn->AttributeTypeAndValue = NULL;
693 		}
694 	}
695 	*destname = newname;
696 
697 cleanup:
698 	if (ret != KMF_OK) {
699 		if (newname)
700 			free_rdn_data(newname);
701 
702 		free(newname);
703 		*destname = NULL;
704 	}
705 	return (ret);
706 }
707 
708 #define	VALID_DIRECTORYSTRING_TAG(t) ( \
709 	(t == BER_UTF8_STRING) || \
710 	(t == BER_PRINTABLE_STRING) || \
711 	(t == BER_IA5STRING) || \
712 	(t == BER_T61STRING) || \
713 	(t == BER_BMP_STRING) || \
714 	(t == BER_UNIVERSAL_STRING))
715 
716 static KMF_RETURN
717 get_rdn(BerElement *asn1, KMF_X509_NAME *name)
718 {
719 	KMF_RETURN ret = KMF_OK;
720 	ber_len_t size;
721 	char *end;
722 	int tag;
723 	BerValue AttrOID;
724 	char *AttrValue = NULL;
725 	KMF_X509_TYPE_VALUE_PAIR *newpair = NULL;
726 	KMF_X509_RDN 		newrdn;
727 
728 	/*
729 	 * AttributeType	::=  OBJECT IDENTIFIER
730 	 * AttributeValue	::=  ANY
731 	 *
732 	 * AttributeTypeAndValue	::=  SEQUENCE {
733 	 *	type    AttributeType,
734 	 *	value   AttributeValue }
735 	 *
736 	 * Name ::= CHOICE { -- only one possibility for now --
737 	 * 		rdnSequence  RDNSequence }
738 	 *
739 	 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
740 	 *
741 	 * DistinguishedName ::=   RDNSequence
742 	 *
743 	 * RelativeDistinguishedName  ::=
744 	 *		 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
745 	 *
746 	 */
747 
748 	name->numberOfRDNs = 0;
749 	name->RelativeDistinguishedName = NULL;
750 
751 	/* Get the beginning of the RDN Set and a ptr to the end */
752 	tag = kmfber_first_element(asn1, &size, &end);
753 	if (tag != BER_CONSTRUCTED_SET) {
754 		goto cleanup;
755 	}
756 
757 	/* Walk through the individual SET items until the "end" is reached */
758 	while ((tag = kmfber_next_element(asn1, &size, end)) ==
759 	    BER_CONSTRUCTED_SET) {
760 		/* Skip over the SET tag */
761 		if (kmfber_scanf(asn1, "T", &tag) == -1) {
762 			ret = KMF_ERR_BAD_CERT_FORMAT;
763 			break;
764 		}
765 
766 		/* An "empty" set member means we tack on an empty node */
767 		if (size == 0) {
768 			if ((ret = AddRDN(name, NULL)) != KMF_OK)
769 				goto cleanup;
770 			continue;
771 		}
772 
773 		/* Attr OID and peek at the next tag and field length */
774 		if (kmfber_scanf(asn1, "{Dtl", &AttrOID, &tag, &size) == -1) {
775 			ret = KMF_ERR_BAD_CERT_FORMAT;
776 			break;
777 		}
778 
779 		if (!(VALID_DIRECTORYSTRING_TAG(tag))) {
780 			ret = KMF_ERR_BAD_CERT_FORMAT;
781 			break;
782 		}
783 
784 		if (kmfber_scanf(asn1, "a}]", &AttrValue) == -1) {
785 			ret = KMF_ERR_BAD_CERT_FORMAT;
786 			break;
787 		}
788 
789 		/* Allocate a new name/value pair record */
790 		newpair = malloc(sizeof (KMF_X509_TYPE_VALUE_PAIR));
791 		if (newpair == NULL) {
792 			ret = KMF_ERR_MEMORY;
793 			break;
794 		}
795 		(void) memset(newpair, 0, sizeof (KMF_X509_TYPE_VALUE_PAIR));
796 		newpair->type.Data = (uchar_t *)AttrOID.bv_val;
797 		newpair->type.Length = AttrOID.bv_len;
798 		newpair->valueType = tag; /* what kind of string is it? */
799 		newpair->value.Data = (uchar_t *)AttrValue;
800 		newpair->value.Length = strlen(AttrValue);
801 
802 		(void) memset(&newrdn, 0, sizeof (KMF_X509_RDN));
803 		newrdn.numberOfPairs = 1;
804 		newrdn.AttributeTypeAndValue = newpair;
805 
806 		if ((ret = AddRDN(name, &newrdn)) != KMF_OK)
807 			break;
808 	}
809 
810 cleanup:
811 	if (ret != KMF_OK) {
812 		free_rdn_data(name);
813 	}
814 	return (ret);
815 }
816 
817 static KMF_RETURN
818 set_der_integer(KMF_DATA *data, int value)
819 {
820 	if (data == NULL)
821 		return (KMF_ERR_BAD_PARAMETER);
822 
823 	data->Data = malloc(sizeof (int));
824 	if (data->Data == NULL)
825 		return (KMF_ERR_MEMORY);
826 
827 	data->Length = sizeof (int);
828 	(void) memcpy((void *)data->Data, (const void *)&value, sizeof (int));
829 
830 	return (KMF_OK);
831 }
832 
833 static KMF_RETURN
834 set_bigint(KMF_BIGINT *data, KMF_BIGINT *bigint)
835 {
836 	if (data == NULL || bigint == NULL)
837 		return (KMF_ERR_BAD_PARAMETER);
838 
839 	data->val = malloc(bigint->len);
840 	if (data->val == NULL)
841 		return (KMF_ERR_MEMORY);
842 
843 	data->len = bigint->len;
844 	(void) memcpy((void *)data->val, (const void *)bigint->val,
845 	    bigint->len);
846 
847 	return (KMF_OK);
848 }
849 
850 static KMF_RETURN
851 encode_uniqueid(BerElement *asn1, int tag, KMF_DATA *id)
852 {
853 	KMF_RETURN ret = KMF_OK;
854 	uint32_t len;
855 
856 	len = kmfber_calc_taglen(BER_BIT_STRING) +
857 	    kmfber_calc_lenlen(id->Length * 8) + id->Length;
858 	if (kmfber_printf(asn1, "TlB", tag, len,
859 	    id->Data, id->Length * 8) == -1)
860 		return (KMF_ERR_BAD_CERT_FORMAT);
861 
862 	return (ret);
863 }
864 
865 static KMF_RETURN
866 encode_extension_list(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
867 {
868 	KMF_RETURN ret = KMF_OK;
869 	int i;
870 
871 	for (i = 0; i < extns->numberOfExtensions; i++) {
872 		BerValue v;
873 		v.bv_val = (char *)extns->extensions[i].extnId.Data;
874 		v.bv_len = extns->extensions[i].extnId.Length;
875 
876 		if (kmfber_printf(asn1, "{D", &v) == -1)  {
877 			ret = KMF_ERR_ENCODING;
878 			goto cleanup;
879 		}
880 
881 		if (extns->extensions[i].critical) {
882 			if (kmfber_printf(asn1, "b",
883 			    extns->extensions[i].critical) == -1) {
884 				ret = KMF_ERR_ENCODING;
885 				goto cleanup;
886 			}
887 		}
888 
889 		if (kmfber_printf(asn1, "o}",
890 		    extns->extensions[i].BERvalue.Data,
891 		    extns->extensions[i].BERvalue.Length) == -1) {
892 			ret = KMF_ERR_ENCODING;
893 			goto cleanup;
894 		}
895 	}
896 cleanup:
897 	return (ret);
898 }
899 
900 static KMF_RETURN
901 encode_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
902 {
903 	KMF_RETURN ret = KMF_OK;
904 	BerElement *extn = NULL;
905 	BerValue *extnvalue = NULL;
906 
907 	extn = kmfder_alloc();
908 	if (extn == NULL)
909 		return (KMF_ERR_MEMORY);
910 
911 	if (kmfber_printf(extn, "{") == -1) {
912 		ret = KMF_ERR_ENCODING;
913 		goto cleanup;
914 	}
915 
916 	ret = encode_extension_list(extn, extns);
917 
918 	if (kmfber_printf(extn, "}") == -1) {
919 		ret = KMF_ERR_ENCODING;
920 		goto cleanup;
921 	}
922 
923 	if (kmfber_flatten(extn, &extnvalue) == -1) {
924 		ret = KMF_ERR_MEMORY;
925 		goto cleanup;
926 	}
927 
928 	if (kmfber_printf(asn1, "Tl", 0xA3, extnvalue->bv_len) == -1) {
929 		ret = KMF_ERR_BAD_CERT_FORMAT;
930 		goto cleanup;
931 	}
932 
933 	if (kmfber_write(asn1, extnvalue->bv_val, extnvalue->bv_len, 0) == -1) {
934 		ret = KMF_ERR_BAD_CERT_FORMAT;
935 		goto cleanup;
936 	}
937 
938 cleanup:
939 	kmfber_free(extn, 1);
940 	if (extnvalue != NULL)
941 		kmfber_bvfree(extnvalue);
942 
943 	return (ret);
944 }
945 
946 static KMF_RETURN
947 get_one_extension(BerElement *asn1, KMF_X509_EXTENSION **retex, char *end)
948 {
949 	KMF_RETURN ret = KMF_OK;
950 	ber_len_t size;
951 	int  critical, tag;
952 	KMF_X509_EXTENSION *ex = NULL;
953 	BerValue extOID;
954 	BerValue extValue;
955 	BerElement *extnber = NULL;
956 
957 	if (kmfber_scanf(asn1, "T", &tag) == -1) {
958 		ret = KMF_ERR_BAD_CERT_FORMAT;
959 		goto cleanup;
960 	}
961 
962 	tag = kmfber_next_element(asn1, &size, end);
963 	if (tag != BER_OBJECT_IDENTIFIER) {
964 		ret = KMF_ERR_BAD_CERT_FORMAT;
965 		goto cleanup;
966 	}
967 	if (kmfber_scanf(asn1, "D", &extOID) == -1) {
968 		ret = KMF_ERR_BAD_CERT_FORMAT;
969 		goto cleanup;
970 	}
971 
972 	tag = kmfber_next_element(asn1, &size, end);
973 	if (tag != BER_BOOLEAN) {
974 		critical = 0;
975 		if (tag != BER_OCTET_STRING)
976 			goto cleanup;
977 	} else {
978 		if (kmfber_scanf(asn1, "b", &critical) == -1)
979 			goto cleanup;
980 	}
981 
982 	tag = kmfber_next_element(asn1, &size, end);
983 	if (tag != BER_OCTET_STRING)  {
984 		ret = KMF_ERR_BAD_CERT_FORMAT;
985 		goto cleanup;
986 	}
987 	if (kmfber_scanf(asn1, "o", &extValue) == -1)  {
988 		ret = KMF_ERR_BAD_CERT_FORMAT;
989 		goto cleanup;
990 	}
991 
992 	/* allocate a new Extension record */
993 	ex = malloc(sizeof (KMF_X509_EXTENSION));
994 	if (ex == NULL) {
995 		ret = KMF_ERR_MEMORY;
996 		goto cleanup;
997 	}
998 	(void) memset(ex, 0, sizeof (ex));
999 
1000 	ex->extnId.Data = (uchar_t *)extOID.bv_val;
1001 	ex->extnId.Length = extOID.bv_len;
1002 	ex->critical = critical;
1003 	ex->format = KMF_X509_DATAFORMAT_ENCODED;
1004 	ex->BERvalue.Data = (uchar_t *)extValue.bv_val;
1005 	ex->BERvalue.Length = extValue.bv_len;
1006 
1007 	/* Tag and value is a little tricky */
1008 	ex->value.tagAndValue = malloc(sizeof (KMF_X509EXT_TAGandVALUE));
1009 	if (ex->value.tagAndValue == NULL) {
1010 		ret = KMF_ERR_MEMORY;
1011 		goto cleanup;
1012 	}
1013 	(void) memset(ex->value.tagAndValue, 0,
1014 	    sizeof (KMF_X509EXT_TAGandVALUE));
1015 
1016 	/* Parse the Extension value field */
1017 	extnber = kmfder_init(&extValue);
1018 	if (extnber == NULL) {
1019 		ret = KMF_ERR_MEMORY;
1020 		goto cleanup;
1021 	}
1022 
1023 	/* Get the tag and length of the extension field */
1024 	if (kmfber_scanf(extnber, "tl", &tag, &size) == -1) {
1025 		ret = KMF_ERR_BAD_CERT_FORMAT;
1026 		goto cleanup;
1027 	}
1028 
1029 	if (kmfber_scanf(extnber, "T", &tag) == -1) {
1030 		ret = KMF_ERR_BAD_CERT_FORMAT;
1031 		goto cleanup;
1032 	}
1033 
1034 	ex->value.tagAndValue->value.Data = malloc(size);
1035 	ex->value.tagAndValue->value.Length = size;
1036 	size = kmfber_read(extnber,
1037 	    (char *)ex->value.tagAndValue->value.Data, size);
1038 	if (size != ex->value.tagAndValue->value.Length) {
1039 		ret = KMF_ERR_BAD_CERT_FORMAT;
1040 		goto cleanup;
1041 	}
1042 	kmfber_free(extnber, 1);
1043 	ex->value.tagAndValue->type = tag;
1044 
1045 	*retex = ex;
1046 cleanup:
1047 	if (ret != KMF_OK) {
1048 		if (ex != NULL)
1049 			free_one_extension(ex);
1050 	}
1051 
1052 	return (ret);
1053 }
1054 
1055 static KMF_RETURN
1056 get_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
1057 {
1058 	KMF_RETURN ret = KMF_OK;
1059 	ber_len_t size;
1060 	char *end = NULL;
1061 	KMF_X509_EXTENSION *ex = NULL;
1062 
1063 	/*
1064 	 * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
1065 	 *
1066 	 * Extension  ::=  SEQUENCE  {
1067 	 *	extnID		OBJECT IDENTIFIER,
1068 	 *	critical	BOOLEAN DEFAULT FALSE,
1069 	 *	extnValue	OCTET STRING  }
1070 	 *
1071 	 * { {{D}Bo}, ... }
1072 	 */
1073 	if (kmfber_first_element(asn1, &size, &end) !=
1074 	    BER_CONSTRUCTED_SEQUENCE)
1075 		return (KMF_ERR_BAD_CERT_FORMAT);
1076 
1077 	while (kmfber_next_element(asn1, &size, end) ==
1078 	    BER_CONSTRUCTED_SEQUENCE) {
1079 		ret = get_one_extension(asn1, &ex, end);
1080 		if (ret != KMF_OK)
1081 			goto cleanup;
1082 
1083 		extns->numberOfExtensions++;
1084 		extns->extensions = realloc(extns->extensions,
1085 		    extns->numberOfExtensions *
1086 		    sizeof (KMF_X509_EXTENSION));
1087 		if (extns->extensions == NULL) {
1088 			ret = KMF_ERR_MEMORY;
1089 			break;
1090 		}
1091 
1092 		extns->extensions[extns->numberOfExtensions-1] = *ex;
1093 		free(ex);
1094 	}
1095 
1096 cleanup:
1097 	if (ret != KMF_OK)
1098 		free_extensions(extns);
1099 
1100 	return (ret);
1101 }
1102 
1103 KMF_RETURN
1104 decode_tbscert_data(BerElement *asn1,
1105 	KMF_X509_TBS_CERT **signed_cert_ptr_ptr)
1106 {
1107 	KMF_RETURN ret = KMF_OK;
1108 	KMF_X509_TBS_CERT	*tbscert = NULL;
1109 	int tag, version;
1110 	struct berval *bvserno = NULL;
1111 	KMF_BIGINT serno;
1112 
1113 	if (kmfber_scanf(asn1, "{t", &tag) == -1) {
1114 		ret = KMF_ERR_BAD_CERT_FORMAT;
1115 		goto cleanup;
1116 	}
1117 
1118 	/* Version number is optional */
1119 	if (tag == 0xA0) {
1120 		if (kmfber_scanf(asn1, "Ti", &tag, &version) == -1) {
1121 			ret = KMF_ERR_BAD_CERT_FORMAT;
1122 			goto cleanup;
1123 		}
1124 	} else {
1125 		version = 0; /* DEFAULT v1 (0) */
1126 	}
1127 
1128 	/* Now get the serial number, it is not optional */
1129 	if (kmfber_scanf(asn1, "I", &bvserno) == -1) {
1130 		ret = KMF_ERR_BAD_CERT_FORMAT;
1131 		goto cleanup;
1132 	} else {
1133 		serno.val = (uchar_t *)bvserno->bv_val;
1134 		serno.len = bvserno->bv_len;
1135 	}
1136 
1137 	tbscert = malloc(sizeof (KMF_X509_TBS_CERT));
1138 	if (!tbscert) {
1139 		ret = KMF_ERR_MEMORY;
1140 		goto cleanup;
1141 	}
1142 
1143 	(void) memset(tbscert, 0, sizeof (KMF_X509_TBS_CERT));
1144 
1145 	if ((ret = set_der_integer(&tbscert->version, version)) != KMF_OK)
1146 		goto cleanup;
1147 
1148 	if ((ret = set_bigint(&tbscert->serialNumber, &serno)) != KMF_OK)
1149 		goto cleanup;
1150 
1151 	if ((ret = get_algoid(asn1, &tbscert->signature)) != KMF_OK)
1152 		goto cleanup;
1153 
1154 	if ((ret = get_rdn(asn1, &tbscert->issuer)) != KMF_OK)
1155 		goto cleanup;
1156 
1157 	if ((ret = get_validity(asn1, &tbscert->validity)) != KMF_OK)
1158 		goto cleanup;
1159 
1160 	if ((ret = get_rdn(asn1, &tbscert->subject)) != KMF_OK)
1161 		goto cleanup;
1162 
1163 	if ((ret = get_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK)
1164 		goto cleanup;
1165 
1166 	/* Check for the optional fields */
1167 	tbscert->extensions.numberOfExtensions = 0;
1168 	tbscert->extensions.extensions = NULL;
1169 
1170 	while ((kmfber_scanf(asn1, "t", &tag)) != -1 &&
1171 	    (tag == 0xA1 || tag == 0xA2 || tag == 0xA3)) {
1172 		char *optfield;
1173 		ber_len_t len;
1174 
1175 		/* consume the tag and length */
1176 		(void) kmfber_scanf(asn1, "T", &tag);
1177 		switch (tag) {
1178 			case 0xA1:
1179 				if (kmfber_scanf(asn1, "B", &optfield, &len) !=
1180 				    BER_BIT_STRING) {
1181 					ret = KMF_ERR_BAD_CERT_FORMAT;
1182 					goto cleanup;
1183 				}
1184 				tbscert->issuerUniqueIdentifier.Data =
1185 				    (uchar_t *)optfield;
1186 				tbscert->issuerUniqueIdentifier.Length =
1187 				    len / 8;
1188 				break;
1189 			case 0xA2:
1190 				if (kmfber_scanf(asn1, "B", &optfield, &len) !=
1191 				    BER_BIT_STRING) {
1192 					ret = KMF_ERR_BAD_CERT_FORMAT;
1193 					goto cleanup;
1194 				}
1195 				tbscert->subjectUniqueIdentifier.Data =
1196 				    (uchar_t *)optfield;
1197 				tbscert->subjectUniqueIdentifier.Length =
1198 				    len / 8;
1199 				break;
1200 			case 0xA3:
1201 			ret = get_extensions(asn1, &tbscert->extensions);
1202 			break;
1203 		}
1204 	}
1205 
1206 	*signed_cert_ptr_ptr = tbscert;
1207 
1208 cleanup:
1209 	if (bvserno != NULL) {
1210 		free(bvserno->bv_val);
1211 		free(bvserno);
1212 	}
1213 	if (ret != KMF_OK) {
1214 		if (tbscert) {
1215 			free_tbscert(tbscert);
1216 			free(tbscert);
1217 		}
1218 		*signed_cert_ptr_ptr = NULL;
1219 	}
1220 	return (ret);
1221 }
1222 
1223 KMF_RETURN
1224 DerDecodeTbsCertificate(const KMF_DATA *Value,
1225 	KMF_X509_TBS_CERT **tbscert)
1226 {
1227 	KMF_RETURN ret = KMF_OK;
1228 	BerElement *asn1 = NULL;
1229 	BerValue 	rawcert;
1230 	KMF_X509_TBS_CERT *newcert = NULL;
1231 
1232 	if (!tbscert || !Value || !Value->Data || !Value->Length)
1233 		return (KMF_ERR_BAD_PARAMETER);
1234 
1235 	rawcert.bv_val = (char *)Value->Data;
1236 	rawcert.bv_len = Value->Length;
1237 
1238 	if ((asn1 = kmfder_init(&rawcert)) == NULL)
1239 		return (KMF_ERR_MEMORY);
1240 
1241 	ret = decode_tbscert_data(asn1, &newcert);
1242 	if (ret != KMF_OK)
1243 		goto cleanup;
1244 
1245 	*tbscert = newcert;
1246 
1247 cleanup:
1248 	if (ret != KMF_OK) {
1249 		if (newcert)
1250 			free_tbscert(newcert);
1251 		*tbscert = NULL;
1252 	}
1253 	kmfber_free(asn1, 1);
1254 
1255 	return (ret);
1256 }
1257 
1258 /*
1259  * Name: DerDecodeSignedCertificate
1260  *
1261  * Description:
1262  * DER decodes the encoded X509 certificate
1263  *
1264  * Parameters:
1265  * Value (input): DER encoded object that shd be decoded
1266  *
1267  * signed_cert_ptr_ptr (output) : Decoded KMF_X509_CERTIFICATE object
1268  */
1269 KMF_RETURN
1270 DerDecodeSignedCertificate(const KMF_DATA *Value,
1271 	KMF_X509_CERTIFICATE **signed_cert_ptr_ptr)
1272 {
1273 	KMF_RETURN ret = KMF_OK;
1274 	BerElement *asn1 = NULL;
1275 	BerValue 	rawcert;
1276 	ber_tag_t	tag;
1277 	ber_len_t	size;
1278 	char		*end = NULL;
1279 	char		*signature;
1280 	KMF_X509_TBS_CERT	*tbscert = NULL;
1281 	KMF_X509_CERTIFICATE *certptr = NULL;
1282 
1283 	if (!signed_cert_ptr_ptr || !Value || !Value->Data || !Value->Length)
1284 		return (KMF_ERR_BAD_PARAMETER);
1285 
1286 	rawcert.bv_val = (char *)Value->Data;
1287 	rawcert.bv_len = Value->Length;
1288 
1289 	if ((asn1 = kmfder_init(&rawcert)) == NULL)
1290 		return (KMF_ERR_MEMORY);
1291 
1292 	if (kmfber_first_element(asn1, &size, &end) !=
1293 	    BER_CONSTRUCTED_SEQUENCE) {
1294 		ret = KMF_ERR_BAD_CERT_FORMAT;
1295 		goto cleanup;
1296 	}
1297 
1298 	certptr = malloc(sizeof (KMF_X509_CERTIFICATE));
1299 	if (certptr == NULL) {
1300 		ret = KMF_ERR_MEMORY;
1301 		goto cleanup;
1302 	}
1303 	(void) memset(certptr, 0, sizeof (KMF_X509_CERTIFICATE));
1304 
1305 	ret = decode_tbscert_data(asn1, &tbscert);
1306 	if (ret != KMF_OK)
1307 		goto cleanup;
1308 
1309 	certptr->certificate = *tbscert;
1310 	free(tbscert);
1311 	tbscert = NULL;
1312 
1313 	/*
1314 	 * The signature data my not be present yet.
1315 	 */
1316 	if ((ret = get_algoid(asn1,
1317 	    &certptr->signature.algorithmIdentifier)) == KMF_OK) {
1318 
1319 		/* Check to see if the cert has a signature yet */
1320 		if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) {
1321 			/* Finally, get the encrypted signature BITSTRING */
1322 			if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) {
1323 				ret = KMF_ERR_BAD_CERT_FORMAT;
1324 				goto cleanup;
1325 			}
1326 			if (tag != BER_BIT_STRING) {
1327 				ret = KMF_ERR_BAD_CERT_FORMAT;
1328 				goto cleanup;
1329 			}
1330 			if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) {
1331 				ret = KMF_ERR_BAD_CERT_FORMAT;
1332 				goto cleanup;
1333 			}
1334 			certptr->signature.encrypted.Data =
1335 			    (uchar_t *)signature;
1336 			certptr->signature.encrypted.Length = size / 8;
1337 		} else {
1338 			certptr->signature.encrypted.Data = NULL;
1339 			certptr->signature.encrypted.Length = 0;
1340 		}
1341 	} else {
1342 		(void) memset(&certptr->signature, 0,
1343 		    sizeof (certptr->signature));
1344 		ret = KMF_OK;
1345 	}
1346 
1347 	*signed_cert_ptr_ptr = certptr;
1348 cleanup:
1349 	if (ret != KMF_OK) {
1350 		if (certptr) {
1351 			free_decoded_cert(certptr);
1352 			free(certptr);
1353 		}
1354 
1355 		*signed_cert_ptr_ptr = NULL;
1356 	}
1357 	if (asn1)
1358 		kmfber_free(asn1, 1);
1359 
1360 	return (ret);
1361 
1362 }
1363 
1364 KMF_RETURN
1365 DerDecodeExtension(KMF_DATA *Data, KMF_X509_EXTENSION **extn)
1366 {
1367 	KMF_RETURN ret = KMF_OK;
1368 	BerElement *asn1 = NULL;
1369 	BerValue bv;
1370 
1371 	bv.bv_val = (char *)Data->Data;
1372 	bv.bv_len = Data->Length;
1373 
1374 	asn1 = kmfder_init(&bv);
1375 	if (asn1 == NULL)
1376 		return (KMF_ERR_MEMORY);
1377 
1378 	ret = get_one_extension(asn1, extn, NULL);
1379 
1380 cleanup:
1381 	if (ret != KMF_OK) {
1382 		if (*extn != NULL) {
1383 			free(*extn);
1384 		}
1385 		*extn = NULL;
1386 	}
1387 
1388 	kmfber_free(asn1, 1);
1389 	return (ret);
1390 }
1391 
1392 KMF_RETURN
1393 DerDecodeName(KMF_DATA *encodedname, KMF_X509_NAME *name)
1394 {
1395 	KMF_RETURN ret = KMF_OK;
1396 	BerElement *asn1 = NULL;
1397 	BerValue  bv;
1398 
1399 	bv.bv_val = (char *)encodedname->Data;
1400 	bv.bv_len = encodedname->Length;
1401 
1402 	asn1 = kmfder_init(&bv);
1403 	if (asn1 == NULL)
1404 		return (KMF_ERR_MEMORY);
1405 
1406 	(void) memset((void *)name, 0, sizeof (KMF_X509_NAME));
1407 
1408 	if ((ret = get_rdn(asn1, name)) != KMF_OK)
1409 		goto cleanup;
1410 
1411 cleanup:
1412 	if (asn1)
1413 		kmfber_free(asn1, 1);
1414 	return (ret);
1415 }
1416 
1417 KMF_RETURN
1418 DerEncodeName(KMF_X509_NAME *name, KMF_DATA *encodedname)
1419 {
1420 	KMF_RETURN ret = KMF_OK;
1421 	BerElement *asn1 = NULL;
1422 	BerValue  *bv = NULL;
1423 
1424 	asn1 = kmfder_alloc();
1425 	if (asn1 == NULL)
1426 		return (KMF_ERR_MEMORY);
1427 
1428 	if ((ret = encode_rdn(asn1, name)) != KMF_OK)
1429 		goto cleanup;
1430 
1431 	if (kmfber_flatten(asn1, &bv) == -1) {
1432 		ret = KMF_ERR_BAD_CERT_FORMAT;
1433 		goto cleanup;
1434 	}
1435 
1436 	encodedname->Data = (uchar_t *)bv->bv_val;
1437 	encodedname->Length = bv->bv_len;
1438 
1439 cleanup:
1440 	if (bv)
1441 		free(bv);
1442 
1443 	if (asn1)
1444 		kmfber_free(asn1, 1);
1445 
1446 	return (ret);
1447 }
1448 
1449 static KMF_RETURN
1450 encode_tbs_cert(BerElement *asn1, KMF_X509_TBS_CERT *tbscert)
1451 {
1452 	KMF_RETURN ret = KMF_OK;
1453 	uint32_t version;
1454 
1455 	/* version should be 4 bytes or less */
1456 	if (tbscert->version.Length > sizeof (int))
1457 		return (KMF_ERR_BAD_CERT_FORMAT);
1458 
1459 	(void) memcpy(&version, tbscert->version.Data,
1460 	    tbscert->version.Length);
1461 
1462 	/* Start the sequence and add the version */
1463 	if (kmfber_printf(asn1, "{Tli", 0xA0, 3, version) == -1) {
1464 		ret = KMF_ERR_BAD_CERT_FORMAT;
1465 		goto cleanup;
1466 	}
1467 	/* Write the serial number */
1468 	if (kmfber_printf(asn1, "I",
1469 	    (char *)tbscert->serialNumber.val,
1470 	    (size_t)tbscert->serialNumber.len) == -1) {
1471 		ret = KMF_ERR_BAD_CERT_FORMAT;
1472 		goto cleanup;
1473 	}
1474 
1475 	if ((ret = encode_algoid(asn1, &tbscert->signature)) != KMF_OK)
1476 		goto cleanup;
1477 
1478 	/* Encode the Issuer RDN */
1479 	if ((ret = encode_rdn(asn1, &tbscert->issuer)) != KMF_OK)
1480 		goto cleanup;
1481 
1482 	/* Encode the Validity fields */
1483 	if ((ret = encode_validity(asn1, &tbscert->validity)) != KMF_OK)
1484 		goto cleanup;
1485 
1486 	/* Encode the Subject RDN */
1487 	if ((ret = encode_rdn(asn1, &tbscert->subject)) != KMF_OK)
1488 		goto cleanup;
1489 
1490 	/* Encode the Subject Public Key Info */
1491 	if ((ret = encode_spki(asn1, &tbscert->subjectPublicKeyInfo)) != KMF_OK)
1492 		goto cleanup;
1493 
1494 	/* Optional field:  issuer Unique ID */
1495 	if (tbscert->issuerUniqueIdentifier.Length > 0) {
1496 		if ((ret = encode_uniqueid(asn1, 0xA1,
1497 		    &tbscert->issuerUniqueIdentifier)) != KMF_OK)
1498 			goto cleanup;
1499 	}
1500 
1501 	/* Optional field:  Subject Unique ID */
1502 	if (tbscert->subjectUniqueIdentifier.Length > 0) {
1503 		if ((ret = encode_uniqueid(asn1, 0xA2,
1504 		    &tbscert->subjectUniqueIdentifier)) != KMF_OK)
1505 			goto cleanup;
1506 	}
1507 
1508 	/* Optional field: Certificate Extensions */
1509 	if (tbscert->extensions.numberOfExtensions > 0) {
1510 		if ((ret = encode_extensions(asn1,
1511 		    &tbscert->extensions)) != KMF_OK)
1512 			goto cleanup;
1513 	}
1514 
1515 	/* Close out the TBSCert sequence */
1516 	if (kmfber_printf(asn1, "}") == -1) {
1517 		ret = KMF_ERR_BAD_CERT_FORMAT;
1518 		goto cleanup;
1519 	}
1520 
1521 cleanup:
1522 	/*
1523 	 * Memory cleanup is done in the caller or in the individual
1524 	 * encoding routines.
1525 	 */
1526 
1527 	return (ret);
1528 }
1529 
1530 KMF_RETURN
1531 DerEncodeTbsCertificate(KMF_X509_TBS_CERT *tbs_cert_ptr,
1532 	KMF_DATA *enc_tbs_cert_ptr)
1533 {
1534 	KMF_RETURN ret;
1535 	BerElement *asn1 = NULL;
1536 	BerValue  *tbsdata = NULL;
1537 
1538 	asn1 = kmfder_alloc();
1539 	if (asn1 == NULL)
1540 		return (KMF_ERR_MEMORY);
1541 
1542 	enc_tbs_cert_ptr->Data = NULL;
1543 	enc_tbs_cert_ptr->Length = 0;
1544 
1545 	ret = encode_tbs_cert(asn1, tbs_cert_ptr);
1546 	if (ret != KMF_OK)
1547 		goto cleanup;
1548 
1549 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
1550 		ret = KMF_ERR_MEMORY;
1551 		goto cleanup;
1552 	}
1553 
1554 	enc_tbs_cert_ptr->Data = (uchar_t *)tbsdata->bv_val;
1555 	enc_tbs_cert_ptr->Length = tbsdata->bv_len;
1556 
1557 cleanup:
1558 	if (ret != KMF_OK)
1559 		free_data(enc_tbs_cert_ptr);
1560 
1561 	if (asn1 != NULL)
1562 		kmfber_free(asn1, 1);
1563 
1564 	if (tbsdata)
1565 		free(tbsdata);
1566 
1567 	return (ret);
1568 }
1569 
1570 KMF_RETURN
1571 DerEncodeSignedCertificate(KMF_X509_CERTIFICATE *signed_cert_ptr,
1572 	KMF_DATA *encodedcert)
1573 {
1574 	KMF_RETURN ret = KMF_OK;
1575 	KMF_X509_TBS_CERT *tbscert = NULL;
1576 	KMF_X509_SIGNATURE		*signature = NULL;
1577 	BerElement	*asn1 = NULL;
1578 	BerValue 	*tbsdata = NULL;
1579 
1580 	if (signed_cert_ptr == NULL || encodedcert == NULL)
1581 		return (KMF_ERR_BAD_PARAMETER);
1582 
1583 	encodedcert->Data = NULL;
1584 	encodedcert->Length = 0;
1585 
1586 	tbscert = &signed_cert_ptr->certificate;
1587 	signature = &signed_cert_ptr->signature;
1588 
1589 	asn1 = kmfder_alloc();
1590 	if (asn1 == NULL)
1591 		return (KMF_ERR_MEMORY);
1592 
1593 	/* Start outer X509 Certificate SEQUENCE */
1594 	if (kmfber_printf(asn1, "{") == -1) {
1595 		ret = KMF_ERR_BAD_CERT_FORMAT;
1596 		goto cleanup;
1597 	}
1598 
1599 	if ((ret = encode_tbs_cert(asn1, tbscert)) != KMF_OK) {
1600 		ret = KMF_ERR_BAD_CERT_FORMAT;
1601 		goto cleanup;
1602 	}
1603 
1604 	/* Add the Algorithm & Signature Sequence */
1605 	if ((ret = encode_algoid(asn1,
1606 	    &signature->algorithmIdentifier)) != KMF_OK)
1607 		goto cleanup;
1608 
1609 	if (signature->encrypted.Length > 0) {
1610 		if (kmfber_printf(asn1, "B", signature->encrypted.Data,
1611 		    signature->encrypted.Length * 8) == -1) {
1612 			ret = KMF_ERR_BAD_CERT_FORMAT;
1613 			goto cleanup;
1614 		}
1615 	}
1616 
1617 	if (kmfber_printf(asn1, "}") == -1) {
1618 		ret = KMF_ERR_BAD_CERT_FORMAT;
1619 		goto cleanup;
1620 	}
1621 
1622 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
1623 		ret = KMF_ERR_MEMORY;
1624 		goto cleanup;
1625 	}
1626 
1627 	encodedcert->Data = (uchar_t *)tbsdata->bv_val;
1628 	encodedcert->Length = tbsdata->bv_len;
1629 
1630 cleanup:
1631 	if (ret != KMF_OK)
1632 		free_data(encodedcert);
1633 
1634 	if (tbsdata)
1635 		free(tbsdata);
1636 
1637 	if (asn1)
1638 		kmfber_free(asn1, 1);
1639 
1640 	return (ret);
1641 }
1642 
1643 KMF_RETURN
1644 ExtractX509CertParts(KMF_DATA *x509cert, KMF_DATA *tbscert,
1645 		KMF_DATA *signature)
1646 {
1647 	KMF_RETURN ret = KMF_OK;
1648 	BerElement *der = NULL;
1649 	BerValue x509;
1650 	ber_tag_t tag;
1651 	ber_len_t size;
1652 
1653 	if (tbscert == NULL || x509cert == NULL)
1654 		return (KMF_ERR_BAD_PARAMETER);
1655 
1656 	x509.bv_val = (char *)x509cert->Data;
1657 	x509.bv_len = x509cert->Length;
1658 
1659 	der = kmfder_init(&x509);
1660 	if (der == NULL)
1661 		return (KMF_ERR_MEMORY);
1662 
1663 	/* Skip over the overall Sequence tag to get at the TBS Cert data */
1664 	if (kmfber_scanf(der, "Tl", &tag, &size) == -1) {
1665 		ret = KMF_ERR_BAD_CERT_FORMAT;
1666 		goto cleanup;
1667 	}
1668 	if (tag != BER_CONSTRUCTED_SEQUENCE) {
1669 		ret = KMF_ERR_BAD_CERT_FORMAT;
1670 		goto cleanup;
1671 	}
1672 
1673 	/*
1674 	 * Since we are extracting a copy of the ENCODED bytes, we
1675 	 * must make sure to also include the bytes for the tag and
1676 	 * the length fields for the CONSTRUCTED SEQUENCE (TBSCert).
1677 	 */
1678 	size += kmfber_calc_taglen(tag) + kmfber_calc_lenlen(size);
1679 
1680 	tbscert->Data = malloc(size);
1681 	if (tbscert->Data == NULL) {
1682 		ret = KMF_ERR_MEMORY;
1683 		goto cleanup;
1684 	}
1685 	tbscert->Length = size;
1686 
1687 	/* The der data ptr is now set to the start of the TBS cert sequence */
1688 	size = kmfber_read(der, (char *)tbscert->Data, tbscert->Length);
1689 	if (size != tbscert->Length) {
1690 		ret = KMF_ERR_BAD_CERT_FORMAT;
1691 		goto cleanup;
1692 	}
1693 
1694 	if (signature != NULL) {
1695 		KMF_X509_ALGORITHM_IDENTIFIER algoid;
1696 		if ((ret = get_algoid(der, &algoid)) != KMF_OK)
1697 			goto cleanup;
1698 		free_algoid(&algoid);
1699 
1700 		if (kmfber_scanf(der, "tl", &tag, &size) != BER_BIT_STRING) {
1701 			ret = KMF_ERR_BAD_CERT_FORMAT;
1702 			goto cleanup;
1703 		}
1704 		/* Now get the signature data */
1705 		if (kmfber_scanf(der, "B", (char **)&signature->Data,
1706 		    (ber_len_t *)&signature->Length) == -1) {
1707 			ret = KMF_ERR_BAD_CERT_FORMAT;
1708 			goto cleanup;
1709 		}
1710 		/* convert bitstring length to bytes */
1711 		signature->Length = signature->Length / 8;
1712 	}
1713 
1714 cleanup:
1715 	if (der)
1716 		kmfber_free(der, 1);
1717 
1718 	if (ret != KMF_OK)
1719 		free_data(tbscert);
1720 
1721 	return (ret);
1722 }
1723 
1724 /*
1725  * Name: GetKeyFromSpki
1726  *
1727  * Description:
1728  * This function parses the KMF_X509_SPKI into its
1729  * key and parameter components based on the key generation algorithm.
1730  * NOTE:  Currently, it only checks for the RSA and DSA algorithms.
1731  *	The RSA algorithm is equivalent to the default behavior.
1732  *	All other algorithms will default to the parameters = NULL and the
1733  *	key data equal to whatever is in the CSSM_KEY structure for the key
1734  *
1735  * Parameters:
1736  * AlgId (input) : Algorithm identifier
1737  * SpkiPtr (input): SPKI structure that contains the key
1738  * key_ptr(output): The output key
1739  *
1740  */
1741 KMF_RETURN
1742 GetKeyFromSpki(KMF_ALGORITHM_INDEX AlgId,
1743 	KMF_X509_SPKI *SpkiPtr,
1744 	KMF_DATA **key_ptr)
1745 {
1746 	KMF_RETURN ret = KMF_OK;
1747 	BerElement *asn1;
1748 	BerValue *encodedkey = NULL;
1749 
1750 	if (!key_ptr || !SpkiPtr) {
1751 		return (KMF_ERR_BAD_PARAMETER);
1752 	}
1753 	*key_ptr = NULL;
1754 
1755 	switch (AlgId) {
1756 		case KMF_ALGID_DSA:
1757 			asn1 = kmfder_alloc();
1758 			if (asn1 == NULL) {
1759 				return (KMF_ERR_MEMORY);
1760 			}
1761 
1762 			if ((ret = encode_spki(asn1, SpkiPtr)) != KMF_OK) {
1763 				ret = KMF_ERR_MEMORY;
1764 				goto cleanup;
1765 			}
1766 
1767 			if (kmfber_flatten(asn1, &encodedkey) == -1) {
1768 				ret = KMF_ERR_MEMORY;
1769 				goto cleanup;
1770 			}
1771 
1772 			*key_ptr = malloc(sizeof (KMF_DATA));
1773 
1774 			if (!*key_ptr) {
1775 				ret = KMF_ERR_MEMORY;
1776 				goto cleanup;
1777 			}
1778 
1779 			(*key_ptr)->Length = encodedkey->bv_len;
1780 			(*key_ptr)->Data = (uchar_t *)encodedkey->bv_val;
1781 cleanup:
1782 			kmfber_free(asn1, 1);
1783 			if (encodedkey)
1784 				free(encodedkey);
1785 		break;
1786 		default: /* RSA */
1787 			*key_ptr = malloc(sizeof (KMF_DATA));
1788 
1789 			if (!*key_ptr) {
1790 				return (KMF_ERR_MEMORY);
1791 			}
1792 			(*key_ptr)->Length = SpkiPtr->subjectPublicKey.Length;
1793 			(*key_ptr)->Data = malloc((*key_ptr)->Length);
1794 
1795 			if (!(*key_ptr)->Data) {
1796 				free(*key_ptr);
1797 				*key_ptr = NULL;
1798 				return (KMF_ERR_MEMORY);
1799 			}
1800 			(void) memcpy((*key_ptr)->Data,
1801 			    SpkiPtr->subjectPublicKey.Data,
1802 			    (*key_ptr)->Length);
1803 			return (ret);
1804 	}
1805 	return (ret);
1806 }
1807 
1808 static KMF_RETURN
1809 decode_csr_extensions(BerElement *asn1, KMF_X509_EXTENSIONS *extns)
1810 {
1811 	KMF_RETURN ret = KMF_OK;
1812 	BerValue oid;
1813 
1814 	if (kmfber_scanf(asn1, "{D", &oid) == -1) {
1815 		return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE);
1816 	}
1817 
1818 	/* We only understand extension requests in a CSR */
1819 	if (memcmp(oid.bv_val, extension_request_oid.Data,
1820 	    oid.bv_len) != 0) {
1821 		return (KMF_ERR_UNKNOWN_CSR_ATTRIBUTE);
1822 	}
1823 
1824 	if (kmfber_scanf(asn1, "[") == -1) {
1825 		return (KMF_ERR_ENCODING);
1826 	}
1827 	ret = get_extensions(asn1, extns);
1828 
1829 
1830 	return (ret);
1831 }
1832 
1833 static KMF_RETURN
1834 decode_tbscsr_data(BerElement *asn1,
1835 	KMF_TBS_CSR **signed_csr_ptr_ptr)
1836 {
1837 	KMF_RETURN ret = KMF_OK;
1838 	KMF_TBS_CSR	*tbscsr = NULL;
1839 	char *end = NULL;
1840 	uint32_t version;
1841 	ber_tag_t tag;
1842 	ber_len_t size;
1843 
1844 	/* Now get the version number, it is not optional */
1845 	if (kmfber_scanf(asn1, "{i", &version) == -1) {
1846 		ret = KMF_ERR_BAD_CERT_FORMAT;
1847 		goto cleanup;
1848 	}
1849 
1850 	tbscsr = malloc(sizeof (KMF_TBS_CSR));
1851 	if (!tbscsr) {
1852 		ret = KMF_ERR_MEMORY;
1853 		goto cleanup;
1854 	}
1855 
1856 	(void) memset(tbscsr, 0, sizeof (KMF_TBS_CSR));
1857 
1858 	if ((ret = set_der_integer(&tbscsr->version, version)) != KMF_OK)
1859 		goto cleanup;
1860 
1861 	if ((ret = get_rdn(asn1, &tbscsr->subject)) != KMF_OK)
1862 		goto cleanup;
1863 
1864 	if ((ret = get_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK)
1865 		goto cleanup;
1866 
1867 	/* Check for the optional fields (attributes) */
1868 	if (kmfber_next_element(asn1, &size, end) == 0xA0) {
1869 		if (kmfber_scanf(asn1, "Tl", &tag, &size) == -1) {
1870 			ret = KMF_ERR_ENCODING;
1871 			goto cleanup;
1872 		}
1873 
1874 		ret = decode_csr_extensions(asn1, &tbscsr->extensions);
1875 	}
1876 	if (ret == KMF_OK)
1877 		*signed_csr_ptr_ptr = tbscsr;
1878 
1879 cleanup:
1880 	if (ret != KMF_OK) {
1881 		if (tbscsr) {
1882 			free_tbscsr(tbscsr);
1883 			free(tbscsr);
1884 		}
1885 		*signed_csr_ptr_ptr = NULL;
1886 	}
1887 	return (ret);
1888 }
1889 
1890 KMF_RETURN
1891 DerDecodeTbsCsr(const KMF_DATA *Value,
1892 	KMF_TBS_CSR **tbscsr)
1893 {
1894 	KMF_RETURN ret = KMF_OK;
1895 	BerElement *asn1 = NULL;
1896 	BerValue 	rawcsr;
1897 	KMF_TBS_CSR *newcsr = NULL;
1898 
1899 	if (!tbscsr || !Value || !Value->Data || !Value->Length)
1900 		return (KMF_ERR_BAD_PARAMETER);
1901 
1902 	rawcsr.bv_val = (char *)Value->Data;
1903 	rawcsr.bv_len = Value->Length;
1904 
1905 	if ((asn1 = kmfder_init(&rawcsr)) == NULL)
1906 		return (KMF_ERR_MEMORY);
1907 
1908 	ret = decode_tbscsr_data(asn1, &newcsr);
1909 	if (ret != KMF_OK)
1910 		goto cleanup;
1911 
1912 	*tbscsr = newcsr;
1913 
1914 cleanup:
1915 	if (ret != KMF_OK) {
1916 		if (newcsr)
1917 			free_tbscsr(newcsr);
1918 		*tbscsr = NULL;
1919 	}
1920 	kmfber_free(asn1, 1);
1921 
1922 	return (ret);
1923 }
1924 
1925 KMF_RETURN
1926 DerDecodeSignedCsr(const KMF_DATA *Value,
1927 	KMF_CSR_DATA **signed_csr_ptr_ptr)
1928 {
1929 	KMF_RETURN ret = KMF_OK;
1930 	BerElement *asn1 = NULL;
1931 	BerValue 	rawcsr;
1932 	int			tag;
1933 	ber_len_t	size;
1934 	char		*end = NULL;
1935 	char		*signature;
1936 	KMF_TBS_CSR	*tbscsr = NULL;
1937 	KMF_CSR_DATA *csrptr = NULL;
1938 
1939 	if (!signed_csr_ptr_ptr || !Value || !Value->Data || !Value->Length)
1940 		return (KMF_ERR_BAD_PARAMETER);
1941 
1942 	rawcsr.bv_val = (char *)Value->Data;
1943 	rawcsr.bv_len = Value->Length;
1944 
1945 	if ((asn1 = kmfder_init(&rawcsr)) == NULL)
1946 		return (KMF_ERR_MEMORY);
1947 
1948 	if (kmfber_first_element(asn1, &size, &end) !=
1949 	    BER_CONSTRUCTED_SEQUENCE) {
1950 		ret = KMF_ERR_BAD_CERT_FORMAT;
1951 		goto cleanup;
1952 	}
1953 
1954 	csrptr = malloc(sizeof (KMF_CSR_DATA));
1955 	if (csrptr == NULL) {
1956 		ret = KMF_ERR_MEMORY;
1957 		goto cleanup;
1958 	}
1959 	(void) memset(csrptr, 0, sizeof (KMF_CSR_DATA));
1960 
1961 	ret = decode_tbscsr_data(asn1, &tbscsr);
1962 	if (ret != KMF_OK)
1963 		goto cleanup;
1964 
1965 	csrptr->csr = *tbscsr;
1966 	free(tbscsr);
1967 	tbscsr = NULL;
1968 
1969 	if ((ret = get_algoid(asn1,
1970 	    &csrptr->signature.algorithmIdentifier)) != KMF_OK)
1971 		goto cleanup;
1972 
1973 	/* Check to see if the cert has a signature yet */
1974 	if (kmfber_next_element(asn1, &size, end) == BER_BIT_STRING) {
1975 		/* Finally, get the encrypted signature BITSTRING */
1976 		if (kmfber_scanf(asn1, "tl", &tag, &size) == -1) {
1977 			ret = KMF_ERR_BAD_CERT_FORMAT;
1978 			goto cleanup;
1979 		}
1980 		if (tag != BER_BIT_STRING) {
1981 			ret = KMF_ERR_BAD_CERT_FORMAT;
1982 			goto cleanup;
1983 		}
1984 		if (kmfber_scanf(asn1, "B}", &signature, &size) == -1) {
1985 			ret = KMF_ERR_BAD_CERT_FORMAT;
1986 			goto cleanup;
1987 		}
1988 		csrptr->signature.encrypted.Data = (uchar_t *)signature;
1989 		csrptr->signature.encrypted.Length = size / 8;
1990 	} else {
1991 		csrptr->signature.encrypted.Data = NULL;
1992 		csrptr->signature.encrypted.Length = 0;
1993 	}
1994 
1995 	*signed_csr_ptr_ptr = csrptr;
1996 cleanup:
1997 	if (ret != KMF_OK) {
1998 		free_tbscsr(&csrptr->csr);
1999 		free_algoid(&csrptr->signature.algorithmIdentifier);
2000 		if (csrptr->signature.encrypted.Data)
2001 			free(csrptr->signature.encrypted.Data);
2002 
2003 		if (csrptr)
2004 			free(csrptr);
2005 
2006 		*signed_csr_ptr_ptr = NULL;
2007 	}
2008 	if (asn1)
2009 		kmfber_free(asn1, 1);
2010 
2011 	return (ret);
2012 
2013 }
2014 
2015 static KMF_RETURN
2016 encode_csr_extensions(BerElement *asn1, KMF_TBS_CSR *tbscsr)
2017 {
2018 	KMF_RETURN ret = KMF_OK;
2019 	int attlen = 0;
2020 	BerElement *extnasn1 = NULL;
2021 	BerValue *extnvalue = NULL;
2022 
2023 	/* Optional field: CSR attributes and extensions */
2024 	if (tbscsr->extensions.numberOfExtensions > 0) {
2025 		if (kmfber_printf(asn1, "T", 0xA0) == -1) {
2026 			ret = KMF_ERR_ENCODING;
2027 			goto cleanup;
2028 		}
2029 	} else {
2030 		/* No extensions or attributes to encode */
2031 		return (KMF_OK);
2032 	}
2033 
2034 	/*
2035 	 * attributes [0] Attributes
2036 	 * Attributes := SET OF Attribute
2037 	 * Attribute  := SEQUENCE {
2038 	 *   { ATTRIBUTE ID
2039 	 *	values SET SIZE(1..MAX) of ATTRIBUTE
2040 	 *   }
2041 	 *
2042 	 * Ex: { ExtensionRequest OID [ { {extn1 } , {extn2 } } ] }
2043 	 */
2044 
2045 	/*
2046 	 * Encode any extensions and add to the attributes section.
2047 	 */
2048 	if (tbscsr->extensions.numberOfExtensions > 0) {
2049 		extnasn1 = kmfder_alloc();
2050 		if (extnasn1 == NULL) {
2051 			ret = KMF_ERR_MEMORY;
2052 			goto cleanup;
2053 		}
2054 
2055 		if (kmfber_printf(extnasn1, "{D[{",
2056 		    &extension_request_oid) == -1) {
2057 			ret = KMF_ERR_ENCODING;
2058 			goto cleanup_1;
2059 		}
2060 
2061 		if ((ret = encode_extension_list(extnasn1,
2062 		    &tbscsr->extensions)) != KMF_OK) {
2063 			goto cleanup_1;
2064 		}
2065 
2066 		if (kmfber_printf(extnasn1, "}]}") == -1) {
2067 			ret = KMF_ERR_ENCODING;
2068 			goto cleanup_1;
2069 		}
2070 
2071 		if (kmfber_flatten(extnasn1, &extnvalue) == -1) {
2072 			ret = KMF_ERR_MEMORY;
2073 			goto cleanup_1;
2074 		}
2075 cleanup_1:
2076 		kmfber_free(extnasn1, 1);
2077 
2078 		if (ret == KMF_OK)
2079 			/* Add 2 bytes to cover the tag and the length */
2080 			attlen = extnvalue->bv_len;
2081 	}
2082 	if (ret != KMF_OK)
2083 		goto cleanup;
2084 
2085 	if (kmfber_printf(asn1, "l", attlen) == -1) {
2086 		ret = KMF_ERR_ENCODING;
2087 		goto cleanup;
2088 	}
2089 
2090 	/* Write the actual encoded extensions */
2091 	if (extnvalue != NULL && extnvalue->bv_val != NULL) {
2092 		if (kmfber_write(asn1, extnvalue->bv_val,
2093 		    extnvalue->bv_len, 0) == -1) {
2094 			ret = KMF_ERR_ENCODING;
2095 			goto cleanup;
2096 		}
2097 	}
2098 
2099 cleanup:
2100 	/*
2101 	 * Memory cleanup is done in the caller or in the individual
2102 	 * encoding routines.
2103 	 */
2104 	if (extnvalue) {
2105 		if (extnvalue->bv_val)
2106 			free(extnvalue->bv_val);
2107 		free(extnvalue);
2108 	}
2109 
2110 	return (ret);
2111 }
2112 
2113 static KMF_RETURN
2114 encode_tbs_csr(BerElement *asn1, KMF_TBS_CSR *tbscsr)
2115 {
2116 	KMF_RETURN ret = KMF_OK;
2117 	uint32_t version;
2118 
2119 	/* Start the version */
2120 	(void) memcpy(&version, tbscsr->version.Data,
2121 	    tbscsr->version.Length);
2122 
2123 	if (kmfber_printf(asn1, "{i", version) == -1) {
2124 		ret = KMF_ERR_BAD_CERT_FORMAT;
2125 		goto cleanup;
2126 	}
2127 
2128 	/* Encode the Subject RDN */
2129 	if ((ret = encode_rdn(asn1, &tbscsr->subject)) != KMF_OK)
2130 		goto cleanup;
2131 
2132 	/* Encode the Subject Public Key Info */
2133 	if ((ret = encode_spki(asn1, &tbscsr->subjectPublicKeyInfo)) != KMF_OK)
2134 		goto cleanup;
2135 
2136 
2137 	if ((ret = encode_csr_extensions(asn1, tbscsr)) != KMF_OK)
2138 		goto cleanup;
2139 
2140 	/* Close out the TBSCert sequence */
2141 	if (kmfber_printf(asn1, "}") == -1) {
2142 		ret = KMF_ERR_BAD_CERT_FORMAT;
2143 		goto cleanup;
2144 	}
2145 
2146 cleanup:
2147 	return (ret);
2148 }
2149 
2150 KMF_RETURN
2151 DerEncodeDSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_DSA_KEY *dsa)
2152 {
2153 	KMF_RETURN rv = KMF_OK;
2154 	BerElement *asn1 = NULL;
2155 	BerValue  *dsadata = NULL;
2156 
2157 	asn1 = kmfder_alloc();
2158 	if (asn1 == NULL)
2159 		return (KMF_ERR_MEMORY);
2160 
2161 	if (kmfber_printf(asn1, "I",
2162 	    dsa->value.val, dsa->value.len) == -1) {
2163 		rv = KMF_ERR_MEMORY;
2164 		goto cleanup;
2165 	}
2166 
2167 	if (kmfber_flatten(asn1, &dsadata) == -1) {
2168 		rv = KMF_ERR_MEMORY;
2169 		goto cleanup;
2170 	}
2171 
2172 	encodedkey->Data = (uchar_t *)dsadata->bv_val;
2173 	encodedkey->Length = dsadata->bv_len;
2174 
2175 	free(dsadata);
2176 cleanup:
2177 	kmfber_free(asn1, 1);
2178 	return (rv);
2179 }
2180 
2181 KMF_RETURN
2182 DerEncodeRSAPrivateKey(KMF_DATA *encodedkey, KMF_RAW_RSA_KEY *rsa)
2183 {
2184 	KMF_RETURN rv = KMF_OK;
2185 	BerElement *asn1 = NULL;
2186 	uchar_t ver = 0;
2187 	BerValue  *rsadata = NULL;
2188 
2189 	asn1 = kmfder_alloc();
2190 	if (asn1 == NULL)
2191 		return (KMF_ERR_MEMORY);
2192 
2193 	if (kmfber_printf(asn1, "{IIIIIIIII}",
2194 	    &ver, 1,
2195 	    rsa->mod.val, rsa->mod.len,
2196 	    rsa->pubexp.val, rsa->pubexp.len,
2197 	    rsa->priexp.val, rsa->priexp.len,
2198 	    rsa->prime1.val, rsa->prime1.len,
2199 	    rsa->prime2.val, rsa->prime2.len,
2200 	    rsa->exp1.val, rsa->exp1.len,
2201 	    rsa->exp2.val, rsa->exp2.len,
2202 	    rsa->coef.val, rsa->coef.len) == -1)
2203 		goto cleanup;
2204 
2205 	if (kmfber_flatten(asn1, &rsadata) == -1) {
2206 		rv = KMF_ERR_MEMORY;
2207 		goto cleanup;
2208 	}
2209 
2210 	encodedkey->Data = (uchar_t *)rsadata->bv_val;
2211 	encodedkey->Length = rsadata->bv_len;
2212 
2213 	free(rsadata);
2214 cleanup:
2215 	kmfber_free(asn1, 1);
2216 	return (rv);
2217 }
2218 
2219 
2220 KMF_RETURN
2221 DerEncodeTbsCsr(KMF_TBS_CSR *tbs_csr_ptr,
2222 	KMF_DATA *enc_tbs_csr_ptr)
2223 {
2224 	KMF_RETURN ret;
2225 	BerValue  *tbsdata = NULL;
2226 	BerElement *asn1 = NULL;
2227 
2228 	asn1 = kmfder_alloc();
2229 
2230 	enc_tbs_csr_ptr->Data = NULL;
2231 	enc_tbs_csr_ptr->Length = 0;
2232 
2233 	if (asn1 == NULL)
2234 		return (KMF_ERR_MEMORY);
2235 
2236 	ret = encode_tbs_csr(asn1, tbs_csr_ptr);
2237 	if (ret != KMF_OK)
2238 		goto cleanup;
2239 
2240 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
2241 		ret = KMF_ERR_MEMORY;
2242 		goto cleanup;
2243 	}
2244 
2245 	enc_tbs_csr_ptr->Data = (uchar_t *)tbsdata->bv_val;
2246 	enc_tbs_csr_ptr->Length = tbsdata->bv_len;
2247 
2248 cleanup:
2249 	if (ret != KMF_OK)
2250 		free_data(enc_tbs_csr_ptr);
2251 
2252 	if (asn1 != NULL)
2253 		kmfber_free(asn1, 1);
2254 
2255 	if (tbsdata)
2256 		free(tbsdata);
2257 
2258 	return (ret);
2259 }
2260 
2261 KMF_RETURN
2262 DerEncodeSignedCsr(KMF_CSR_DATA *signed_csr_ptr,
2263 	KMF_DATA *encodedcsr)
2264 {
2265 	KMF_RETURN ret = KMF_OK;
2266 	KMF_TBS_CSR *tbscsr = NULL;
2267 	KMF_X509_SIGNATURE		*signature = NULL;
2268 	BerElement	*asn1 = NULL;
2269 	BerValue 	*tbsdata = NULL;
2270 
2271 	if (signed_csr_ptr == NULL)
2272 		return (KMF_ERR_BAD_PARAMETER);
2273 
2274 	tbscsr = &signed_csr_ptr->csr;
2275 	signature = &signed_csr_ptr->signature;
2276 
2277 	asn1 = kmfder_alloc();
2278 	if (asn1 == NULL)
2279 		return (KMF_ERR_MEMORY);
2280 
2281 	/* Start outer CSR SEQUENCE */
2282 	if (kmfber_printf(asn1, "{") == -1) {
2283 		ret = KMF_ERR_BAD_CERT_FORMAT;
2284 		goto cleanup;
2285 	}
2286 
2287 	ret = encode_tbs_csr(asn1, tbscsr);
2288 
2289 	/* Add the Algorithm & Signature Sequence */
2290 	if ((ret = encode_algoid(asn1,
2291 	    &signature->algorithmIdentifier)) != KMF_OK)
2292 		goto cleanup;
2293 
2294 	if (signature->encrypted.Length > 0) {
2295 		if (kmfber_printf(asn1, "B", signature->encrypted.Data,
2296 		    signature->encrypted.Length * 8) == -1) {
2297 			ret = KMF_ERR_BAD_CERT_FORMAT;
2298 			goto cleanup;
2299 		}
2300 	}
2301 
2302 	if (kmfber_printf(asn1, "}") == -1) {
2303 		ret = KMF_ERR_BAD_CERT_FORMAT;
2304 		goto cleanup;
2305 	}
2306 
2307 	if (kmfber_flatten(asn1, &tbsdata) == -1) {
2308 		ret = KMF_ERR_MEMORY;
2309 		goto cleanup;
2310 	}
2311 
2312 	encodedcsr->Data = (uchar_t *)tbsdata->bv_val;
2313 	encodedcsr->Length = tbsdata->bv_len;
2314 
2315 cleanup:
2316 	if (ret != KMF_OK) {
2317 		free_data(encodedcsr);
2318 	}
2319 
2320 	if (tbsdata)
2321 		free(tbsdata);
2322 
2323 	if (asn1)
2324 		kmfber_free(asn1, 1);
2325 	return (ret);
2326 }
2327 
2328 KMF_RETURN
2329 ExtractSPKIData(
2330 	const KMF_X509_SPKI *pKey,
2331 	KMF_ALGORITHM_INDEX AlgorithmId,
2332 	KMF_DATA *pKeyParts,
2333 	uint32_t *uNumKeyParts)
2334 {
2335 	KMF_RETURN ret = KMF_OK;
2336 	BerElement *asn1 = NULL;
2337 	BerValue 	*P, *Q, *G, *Mod, *Exp, *PubKey;
2338 	BerValue	PubKeyParams, PubKeyData;
2339 
2340 	if (pKeyParts == NULL || uNumKeyParts == NULL || pKey == NULL)
2341 		return (KMF_ERR_BAD_PARAMETER);
2342 
2343 	switch (AlgorithmId) {
2344 		case KMF_ALGID_DSA:
2345 		case KMF_ALGID_SHA1WithDSA:
2346 			*uNumKeyParts = 0;
2347 			/* Get the parameters from the algorithm definition */
2348 			PubKeyParams.bv_val =
2349 			    (char *)pKey->algorithm.parameters.Data;
2350 			PubKeyParams.bv_len = pKey->algorithm.parameters.Length;
2351 			if ((asn1 = kmfder_init(&PubKeyParams)) == NULL)
2352 				return (KMF_ERR_MEMORY);
2353 
2354 			if (kmfber_scanf(asn1, "{III}", &P, &Q, &G) == -1) {
2355 				kmfber_free(asn1, 1);
2356 				return (KMF_ERR_BAD_KEY_FORMAT);
2357 			}
2358 			pKeyParts[KMF_DSA_PRIME].Data = (uchar_t *)P->bv_val;
2359 			pKeyParts[KMF_DSA_PRIME].Length = P->bv_len;
2360 			pKeyParts[KMF_DSA_SUB_PRIME].Data =
2361 			    (uchar_t *)Q->bv_val;
2362 			pKeyParts[KMF_DSA_SUB_PRIME].Length = Q->bv_len;
2363 			pKeyParts[KMF_DSA_BASE].Data = (uchar_t *)G->bv_val;
2364 			pKeyParts[KMF_DSA_BASE].Length = G->bv_len;
2365 
2366 			free(P);
2367 			free(Q);
2368 			free(G);
2369 			kmfber_free(asn1, 1);
2370 
2371 			/* Get the PubKey data */
2372 			PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data;
2373 			PubKeyData.bv_len = pKey->subjectPublicKey.Length;
2374 			if ((asn1 = kmfder_init(&PubKeyData)) == NULL) {
2375 				ret = KMF_ERR_MEMORY;
2376 				goto cleanup;
2377 			}
2378 			PubKey = NULL;
2379 			if (kmfber_scanf(asn1, "I", &PubKey) == -1) {
2380 				ret = KMF_ERR_BAD_KEY_FORMAT;
2381 				goto cleanup;
2382 			}
2383 			pKeyParts[KMF_DSA_PUBLIC_VALUE].Data =
2384 			    (uchar_t *)PubKey->bv_val;
2385 			pKeyParts[KMF_DSA_PUBLIC_VALUE].Length = PubKey->bv_len;
2386 
2387 			free(PubKey);
2388 
2389 			*uNumKeyParts = KMF_NUMBER_DSA_PUBLIC_KEY_PARTS;
2390 			break;
2391 
2392 		case KMF_ALGID_RSA:
2393 		case KMF_ALGID_MD2WithRSA:
2394 		case KMF_ALGID_MD5WithRSA:
2395 		case KMF_ALGID_SHA1WithRSA:
2396 			*uNumKeyParts = 0;
2397 			PubKeyData.bv_val = (char *)pKey->subjectPublicKey.Data;
2398 			PubKeyData.bv_len = pKey->subjectPublicKey.Length;
2399 			if ((asn1 = kmfder_init(&PubKeyData)) == NULL) {
2400 				ret = KMF_ERR_MEMORY;
2401 				goto cleanup;
2402 			}
2403 			if (kmfber_scanf(asn1, "{II}", &Mod, &Exp) == -1) {
2404 				ret = KMF_ERR_BAD_KEY_FORMAT;
2405 				goto cleanup;
2406 			}
2407 			pKeyParts[KMF_RSA_MODULUS].Data =
2408 			    (uchar_t *)Mod->bv_val;
2409 			pKeyParts[KMF_RSA_MODULUS].Length = Mod->bv_len;
2410 			pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Data =
2411 			    (uchar_t *)Exp->bv_val;
2412 			pKeyParts[KMF_RSA_PUBLIC_EXPONENT].Length = Exp->bv_len;
2413 			*uNumKeyParts = KMF_NUMBER_RSA_PUBLIC_KEY_PARTS;
2414 
2415 			free(Mod);
2416 			free(Exp);
2417 			break;
2418 		default:
2419 			return (KMF_ERR_BAD_PARAMETER);
2420 	}
2421 cleanup:
2422 	if (ret != KMF_OK) {
2423 		int i;
2424 		for (i = 0; i < *uNumKeyParts; i++)
2425 			free_data(&pKeyParts[i]);
2426 	}
2427 	if (asn1 != NULL) {
2428 		kmfber_free(asn1, 1);
2429 	}
2430 
2431 	return (ret);
2432 }
2433