1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #include <stdio.h> 28 #include <libintl.h> 29 #include <locale.h> 30 #include <sys/types.h> 31 #include <sys/stat.h> 32 #include <sys/wanboot_impl.h> 33 #include <unistd.h> 34 #include <string.h> 35 #include <libinetutil.h> 36 #include <wanbootutil.h> 37 38 #include <openssl/crypto.h> 39 #include <openssl/buffer.h> 40 #include <openssl/bio.h> 41 #include <openssl/err.h> 42 #include <openssl/x509.h> 43 #include <openssl/x509v3.h> 44 #include <openssl/pkcs12.h> 45 #include <openssl/evp.h> 46 #include <p12aux.h> 47 48 static boolean_t verbose = B_FALSE; /* When nonzero, do in verbose mode */ 49 50 /* The following match/cert values require PKCS12 */ 51 static int matchty; /* Type of matching do to on input */ 52 static char *k_matchval; /* localkeyid value to match */ 53 static uint_t k_len; /* length of k_matchval */ 54 55 #define IO_KEYFILE 1 /* Have a separate key file or data */ 56 #define IO_CERTFILE 2 /* Have a separate cert file or data */ 57 #define IO_TRUSTFILE 4 /* Have a separate trustanchor file */ 58 59 static char *input = NULL; /* Consolidated input file */ 60 static char *key_out = NULL; /* Key file to be output */ 61 static char *cert_out = NULL; /* Cert file to be output */ 62 static char *trust_out = NULL; /* Trust anchor file to be output */ 63 static uint_t outfiles; /* What files are there for output */ 64 static char *progname; 65 66 /* Returns from time_check */ 67 typedef enum { 68 CHK_TIME_OK = 0, /* Cert in effect and not expired */ 69 CHK_TIME_BEFORE_BAD, /* not_before field is invalid */ 70 CHK_TIME_AFTER_BAD, /* not_after field is invalid */ 71 CHK_TIME_IS_BEFORE, /* Cert not yet in force */ 72 CHK_TIME_HAS_EXPIRED /* Cert has expired */ 73 } time_errs_t; 74 75 static int parse_keyid(const char *); 76 static int do_certs(void); 77 static int read_files(STACK_OF(X509) **, X509 **, EVP_PKEY **); 78 static void check_certs(STACK_OF(X509) *, X509 **); 79 static time_errs_t time_check_print(X509 *); 80 static time_errs_t time_check(X509 *); 81 static int write_files(STACK_OF(X509) *, X509 *, EVP_PKEY *); 82 static int get_ifile(char *, char *, EVP_PKEY **, X509 **, STACK_OF(X509) **); 83 static int do_ofile(char *, EVP_PKEY *, X509 *, STACK_OF(X509) *); 84 static void usage(void); 85 static const char *cryptoerr(void); 86 87 int 88 main(int argc, char **argv) 89 { 90 int i; 91 92 /* 93 * Do the necessary magic for localization support. 94 */ 95 (void) setlocale(LC_ALL, ""); 96 #if !defined(TEXT_DOMAIN) 97 #define TEXT_DOMAIN "SYS_TEST" 98 #endif 99 (void) textdomain(TEXT_DOMAIN); 100 101 progname = strrchr(argv[0], '/'); 102 if (progname != NULL) 103 progname++; 104 else 105 progname = argv[0]; 106 107 wbku_errinit(progname); 108 109 matchty = DO_FIRST_PAIR; 110 while ((i = getopt(argc, argv, "vc:i:k:l:t:")) != -1) { 111 switch (i) { 112 case 'v': 113 verbose = B_TRUE; 114 break; 115 116 case 'l': 117 if (parse_keyid(optarg) < 0) 118 return (EXIT_FAILURE); 119 matchty = DO_FIND_KEYID; 120 break; 121 122 case 'c': 123 cert_out = optarg; 124 outfiles |= IO_CERTFILE; 125 break; 126 127 case 'k': 128 key_out = optarg; 129 outfiles |= IO_KEYFILE; 130 break; 131 132 case 't': 133 trust_out = optarg; 134 outfiles |= IO_TRUSTFILE; 135 break; 136 137 case 'i': 138 input = optarg; 139 break; 140 141 default: 142 usage(); 143 } 144 } 145 146 if (input == NULL) { 147 wbku_printerr("no input file specified\n"); 148 usage(); 149 } 150 151 /* 152 * Need output files. 153 */ 154 if (outfiles == 0) { 155 wbku_printerr("at least one output file must be specified\n"); 156 usage(); 157 } 158 159 if (do_certs() < 0) 160 return (EXIT_FAILURE); 161 162 return (EXIT_SUCCESS); 163 } 164 165 static int 166 parse_keyid(const char *keystr) 167 { 168 const char *rp; 169 char *wp; 170 char *nkeystr; 171 uint_t nkeystrlen; 172 173 /* 174 * In the worst case, we'll need one additional character in our 175 * output string -- e.g. "A\0" -> "0A\0" 176 */ 177 nkeystrlen = strlen(keystr) + 2; 178 k_len = (nkeystrlen + 1) / 2; 179 nkeystr = malloc(nkeystrlen); 180 k_matchval = malloc(k_len); 181 if (nkeystr == NULL || k_matchval == NULL) { 182 free(nkeystr); 183 free(k_matchval); 184 wbku_printerr("cannot allocate keyid"); 185 return (-1); 186 } 187 188 /* 189 * For convenience, we allow the user to put spaces between each digit 190 * when entering it on the command line. As a result, we need to 191 * process it into a format that hexascii_to_octet() can handle. Note 192 * that we're careful to map strings like "AA B CC D" to "AA0BCC0D". 193 */ 194 for (rp = keystr, wp = nkeystr; *rp != '\0'; rp++) { 195 if (*rp == ' ') 196 continue; 197 198 if (rp[1] == ' ' || rp[1] == '\0') { 199 *wp++ = '0'; /* one character sequence; prepend 0 */ 200 *wp++ = *rp; 201 } else { 202 *wp++ = *rp++; 203 *wp++ = *rp; 204 } 205 } 206 *wp = '\0'; 207 208 if (hexascii_to_octet(nkeystr, wp - nkeystr, k_matchval, &k_len) != 0) { 209 free(nkeystr); 210 free(k_matchval); 211 wbku_printerr("invalid keyid `%s'\n", keystr); 212 return (-1); 213 } 214 215 free(nkeystr); 216 return (0); 217 } 218 219 static int 220 do_certs(void) 221 { 222 char *bufp; 223 STACK_OF(X509) *ta_in = NULL; 224 EVP_PKEY *pkey_in = NULL; 225 X509 *xcert_in = NULL; 226 227 sunw_crypto_init(); 228 229 if (read_files(&ta_in, &xcert_in, &pkey_in) < 0) 230 return (-1); 231 232 if (verbose) { 233 if (xcert_in != NULL) { 234 (void) printf(gettext("\nMain cert:\n")); 235 236 /* 237 * sunw_subject_attrs() returns a pointer to 238 * memory allocated on our behalf. The same 239 * behavior is exhibited by sunw_issuer_attrs(). 240 */ 241 bufp = sunw_subject_attrs(xcert_in, NULL, 0); 242 if (bufp != NULL) { 243 (void) printf(gettext(" Subject: %s\n"), 244 bufp); 245 OPENSSL_free(bufp); 246 } 247 248 bufp = sunw_issuer_attrs(xcert_in, NULL, 0); 249 if (bufp != NULL) { 250 (void) printf(gettext(" Issuer: %s\n"), bufp); 251 OPENSSL_free(bufp); 252 } 253 254 (void) sunw_print_times(stdout, PRNT_BOTH, NULL, 255 xcert_in); 256 } 257 258 if (ta_in != NULL) { 259 X509 *x; 260 int i; 261 262 for (i = 0; i < sk_X509_num(ta_in); i++) { 263 x = sk_X509_value(ta_in, i); 264 (void) printf( 265 gettext("\nTrust Anchor cert %d:\n"), i); 266 267 /* 268 * sunw_subject_attrs() returns a pointer to 269 * memory allocated on our behalf. We get the 270 * same behavior from sunw_issuer_attrs(). 271 */ 272 bufp = sunw_subject_attrs(x, NULL, 0); 273 if (bufp != NULL) { 274 (void) printf( 275 gettext(" Subject: %s\n"), bufp); 276 OPENSSL_free(bufp); 277 } 278 279 bufp = sunw_issuer_attrs(x, NULL, 0); 280 if (bufp != NULL) { 281 (void) printf( 282 gettext(" Issuer: %s\n"), bufp); 283 OPENSSL_free(bufp); 284 } 285 286 (void) sunw_print_times(stdout, PRNT_BOTH, 287 NULL, x); 288 } 289 } 290 } 291 292 check_certs(ta_in, &xcert_in); 293 if (xcert_in != NULL && pkey_in != NULL) { 294 if (sunw_check_keys(xcert_in, pkey_in) == 0) { 295 wbku_printerr("warning: key and certificate do " 296 "not match\n"); 297 } 298 } 299 300 return (write_files(ta_in, xcert_in, pkey_in)); 301 } 302 303 static int 304 read_files(STACK_OF(X509) **t_in, X509 **c_in, EVP_PKEY **k_in) 305 { 306 char *i_pass; 307 308 i_pass = getpassphrase(gettext("Enter key password: ")); 309 310 if (get_ifile(input, i_pass, k_in, c_in, t_in) < 0) 311 return (-1); 312 313 /* 314 * If we are only interested in getting a trust anchor, and if there 315 * is no trust anchor but is a regular cert, use it instead. Do this 316 * to handle the insanity with openssl, which requires a matching cert 317 * and key in order to write a PKCS12 file. 318 */ 319 if (outfiles == IO_TRUSTFILE) { 320 if (c_in != NULL && *c_in != NULL && t_in != NULL) { 321 if (*t_in == NULL) { 322 if ((*t_in = sk_X509_new_null()) == NULL) { 323 wbku_printerr("out of memory\n"); 324 return (-1); 325 } 326 } 327 328 if (sk_X509_num(*t_in) == 0) { 329 if (sk_X509_push(*t_in, *c_in) == 0) { 330 wbku_printerr("out of memory\n"); 331 return (-1); 332 } 333 *c_in = NULL; 334 } 335 } 336 } 337 338 if ((outfiles & IO_KEYFILE) && *k_in == NULL) { 339 wbku_printerr("no matching key found\n"); 340 return (-1); 341 } 342 if ((outfiles & IO_CERTFILE) && *c_in == NULL) { 343 wbku_printerr("no matching certificate found\n"); 344 return (-1); 345 } 346 if ((outfiles & IO_TRUSTFILE) && *t_in == NULL) { 347 wbku_printerr("no matching trust anchor found\n"); 348 return (-1); 349 } 350 351 return (0); 352 } 353 354 static void 355 check_certs(STACK_OF(X509) *ta_in, X509 **c_in) 356 { 357 X509 *curr; 358 time_errs_t ret; 359 int i; 360 int del_expired = (outfiles != 0); 361 362 if (c_in != NULL && *c_in != NULL) { 363 ret = time_check_print(*c_in); 364 if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) && 365 del_expired) { 366 (void) fprintf(stderr, gettext(" Removing cert\n")); 367 X509_free(*c_in); 368 *c_in = NULL; 369 } 370 } 371 372 if (ta_in == NULL) 373 return; 374 375 for (i = 0; i < sk_X509_num(ta_in); ) { 376 curr = sk_X509_value(ta_in, i); 377 ret = time_check_print(curr); 378 if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) && 379 del_expired) { 380 (void) fprintf(stderr, gettext(" Removing cert\n")); 381 curr = sk_X509_delete(ta_in, i); 382 X509_free(curr); 383 continue; 384 } 385 i++; 386 } 387 } 388 389 static time_errs_t 390 time_check_print(X509 *cert) 391 { 392 char buf[256]; 393 int ret; 394 395 ret = time_check(cert); 396 if (ret == CHK_TIME_OK) 397 return (CHK_TIME_OK); 398 399 (void) fprintf(stderr, gettext(" Subject: %s"), 400 sunw_subject_attrs(cert, buf, sizeof (buf))); 401 (void) fprintf(stderr, gettext(" Issuer: %s"), 402 sunw_issuer_attrs(cert, buf, sizeof (buf))); 403 404 switch (ret) { 405 case CHK_TIME_BEFORE_BAD: 406 (void) fprintf(stderr, 407 gettext("\n Invalid cert 'not before' field\n")); 408 break; 409 410 case CHK_TIME_AFTER_BAD: 411 (void) fprintf(stderr, 412 gettext("\n Invalid cert 'not after' field\n")); 413 break; 414 415 case CHK_TIME_HAS_EXPIRED: 416 (void) sunw_print_times(stderr, PRNT_NOT_AFTER, 417 gettext("\n Cert has expired\n"), cert); 418 break; 419 420 case CHK_TIME_IS_BEFORE: 421 (void) sunw_print_times(stderr, PRNT_NOT_BEFORE, 422 gettext("\n Warning: cert not yet valid\n"), cert); 423 break; 424 425 default: 426 break; 427 } 428 429 return (ret); 430 } 431 432 static time_errs_t 433 time_check(X509 *cert) 434 { 435 int i; 436 437 i = X509_cmp_time(X509_get_notBefore(cert), NULL); 438 if (i == 0) 439 return (CHK_TIME_BEFORE_BAD); 440 if (i > 0) 441 return (CHK_TIME_IS_BEFORE); 442 /* After 'not before' time */ 443 444 i = X509_cmp_time(X509_get_notAfter(cert), NULL); 445 if (i == 0) 446 return (CHK_TIME_AFTER_BAD); 447 if (i < 0) 448 return (CHK_TIME_HAS_EXPIRED); 449 return (CHK_TIME_OK); 450 } 451 452 static int 453 write_files(STACK_OF(X509) *t_out, X509 *c_out, EVP_PKEY *k_out) 454 { 455 if (key_out != NULL) { 456 if (verbose) 457 (void) printf(gettext("%s: writing key\n"), progname); 458 if (do_ofile(key_out, k_out, NULL, NULL) < 0) 459 return (-1); 460 } 461 462 if (cert_out != NULL) { 463 if (verbose) 464 (void) printf(gettext("%s: writing cert\n"), progname); 465 if (do_ofile(cert_out, NULL, c_out, NULL) < 0) 466 return (-1); 467 } 468 469 if (trust_out != NULL) { 470 if (verbose) 471 (void) printf(gettext("%s: writing trust\n"), 472 progname); 473 if (do_ofile(trust_out, NULL, NULL, t_out) < 0) 474 return (-1); 475 } 476 477 return (0); 478 } 479 480 static int 481 get_ifile(char *name, char *pass, EVP_PKEY **tmp_k, X509 **tmp_c, 482 STACK_OF(X509) **tmp_t) 483 { 484 PKCS12 *p12; 485 FILE *fp; 486 int ret; 487 struct stat sbuf; 488 489 if (stat(name, &sbuf) == 0 && !S_ISREG(sbuf.st_mode)) { 490 wbku_printerr("%s is not a regular file\n", name); 491 return (-1); 492 } 493 494 if ((fp = fopen(name, "r")) == NULL) { 495 wbku_printerr("cannot open input file %s", name); 496 return (-1); 497 } 498 499 p12 = d2i_PKCS12_fp(fp, NULL); 500 if (p12 == NULL) { 501 wbku_printerr("cannot read file %s: %s\n", name, cryptoerr()); 502 (void) fclose(fp); 503 return (-1); 504 } 505 (void) fclose(fp); 506 507 ret = sunw_PKCS12_parse(p12, pass, matchty, k_matchval, k_len, 508 NULL, tmp_k, tmp_c, tmp_t); 509 if (ret <= 0) { 510 if (ret == 0) 511 wbku_printerr("cannot find matching cert and key\n"); 512 else 513 wbku_printerr("cannot parse %s: %s\n", name, 514 cryptoerr()); 515 PKCS12_free(p12); 516 return (-1); 517 } 518 return (0); 519 } 520 521 static int 522 do_ofile(char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ta) 523 { 524 STACK_OF(EVP_PKEY) *klist = NULL; 525 STACK_OF(X509) *clist = NULL; 526 PKCS12 *p12 = NULL; 527 int ret = 0; 528 FILE *fp; 529 struct stat sbuf; 530 531 if (stat(name, &sbuf) == 0 && !S_ISREG(sbuf.st_mode)) { 532 wbku_printerr("%s is not a regular file\n", name); 533 return (-1); 534 } 535 536 if ((fp = fopen(name, "w")) == NULL) { 537 wbku_printerr("cannot open output file %s", name); 538 return (-1); 539 } 540 541 if ((clist = sk_X509_new_null()) == NULL || 542 (klist = sk_EVP_PKEY_new_null()) == NULL) { 543 wbku_printerr("out of memory\n"); 544 ret = -1; 545 goto cleanup; 546 } 547 548 if (cert != NULL && sk_X509_push(clist, cert) == 0) { 549 wbku_printerr("out of memory\n"); 550 ret = -1; 551 goto cleanup; 552 } 553 554 if (pkey != NULL && sk_EVP_PKEY_push(klist, pkey) == 0) { 555 wbku_printerr("out of memory\n"); 556 ret = -1; 557 goto cleanup; 558 } 559 560 p12 = sunw_PKCS12_create(WANBOOT_PASSPHRASE, klist, clist, ta); 561 if (p12 == NULL) { 562 wbku_printerr("cannot create %s: %s\n", name, cryptoerr()); 563 ret = -1; 564 goto cleanup; 565 } 566 567 if (i2d_PKCS12_fp(fp, p12) == 0) { 568 wbku_printerr("cannot write %s: %s\n", name, cryptoerr()); 569 ret = -1; 570 goto cleanup; 571 } 572 573 cleanup: 574 (void) fclose(fp); 575 if (p12 != NULL) 576 PKCS12_free(p12); 577 /* 578 * Put the cert and pkey off of the stack so that they won't 579 * be freed two times. (If they get left in the stack then 580 * they will be freed with the stack.) 581 */ 582 if (clist != NULL) { 583 if (cert != NULL && sk_X509_num(clist) == 1) { 584 (void) sk_X509_delete(clist, 0); 585 } 586 sk_X509_pop_free(clist, X509_free); 587 } 588 if (klist != NULL) { 589 if (pkey != NULL && sk_EVP_PKEY_num(klist) == 1) { 590 (void) sk_EVP_PKEY_delete(klist, 0); 591 } 592 sk_EVP_PKEY_pop_free(klist, sunw_evp_pkey_free); 593 } 594 595 return (ret); 596 } 597 598 static void 599 usage(void) 600 { 601 (void) fprintf(stderr, 602 gettext("usage:\n" 603 " %s -i <file> -c <file> -k <file> -t <file> [-l <keyid> -v]\n" 604 "\n"), 605 progname); 606 (void) fprintf(stderr, 607 gettext(" where:\n" 608 " -i - input file to be split into component parts and put in\n" 609 " files given by -c, -k and -t\n" 610 " -c - output file for the client certificate\n" 611 " -k - output file for the client private key\n" 612 " -t - output file for the remaining certificates (assumed\n" 613 " to be trust anchors)\n" 614 "\n Files are assumed to be pkcs12-format files.\n\n" 615 " -v - verbose\n" 616 " -l - value of 'localkeyid' attribute in client cert and\n" 617 " private key to be selected from the input file.\n\n")); 618 exit(EXIT_FAILURE); 619 } 620 621 /* 622 * Return a pointer to a static buffer that contains a listing of crypto 623 * errors. We presume that the user doesn't want more than 8KB of error 624 * messages :-) 625 */ 626 static const char * 627 cryptoerr(void) 628 { 629 static char errbuf[8192]; 630 ulong_t err; 631 const char *pfile; 632 int line; 633 unsigned int nerr = 0; 634 635 errbuf[0] = '\0'; 636 while ((err = ERR_get_error_line(&pfile, &line)) != 0) { 637 if (++nerr > 1) 638 (void) strlcat(errbuf, "\n\t", sizeof (errbuf)); 639 640 if (err == (ulong_t)-1) { 641 (void) strlcat(errbuf, strerror(errno), 642 sizeof (errbuf)); 643 break; 644 } 645 (void) strlcat(errbuf, ERR_reason_error_string(err), 646 sizeof (errbuf)); 647 } 648 649 return (errbuf); 650 } 651