Print this page
4853 illumos-gate is not lint-clean when built with openssl 1.0
Reviewed by Keith Wesolowski <keith.wesolowski@joyent.com>
Reviewed by Alexander Eremin <alexander.eremin@nexenta.com>


2482 
2483 /* ocsp_find_signer_sk() is copied from openssl source */
2484 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2485 {
2486         int i;
2487         unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2488 
2489         /* Easy if lookup by name */
2490         if (id->type == V_OCSP_RESPID_NAME)
2491                 return (X509_find_by_subject(certs, id->value.byName));
2492 
2493         /* Lookup by key hash */
2494 
2495         /* If key hash isn't SHA1 length then forget it */
2496         if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2497                 return (NULL);
2498 
2499         keyhash = id->value.byKey->data;
2500         /* Calculate hash of each key and compare */
2501         for (i = 0; i < sk_X509_num(certs); i++) {
2502                 /* LINTED E_BAD_PTR_CAST_ALIGN */
2503                 X509 *x = sk_X509_value(certs, i);
2504                 /* Use pubkey_digest to get the key ID value */
2505                 (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2506                 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2507                         return (x);
2508         }
2509         return (NULL);
2510 }
2511 
2512 /* ocsp_find_signer() is copied from openssl source */
2513 /* ARGSUSED2 */
2514 static int
2515 ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2516     X509_STORE *st, unsigned long flags)
2517 {
2518         X509 *signer;
2519         OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2520         if ((signer = ocsp_find_signer_sk(certs, rid))) {
2521                 *psigner = signer;
2522                 return (2);


3622         if (certs)
3623                 *certs = NULL;
3624         fp = fopen(filename, "r");
3625         if (fp == NULL)
3626                 return (KMF_ERR_OPEN_FILE);
3627 
3628         x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
3629         if (x509_info_stack == NULL) {
3630                 (void) fclose(fp);
3631                 return (KMF_ERR_ENCODING);
3632         }
3633         cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3634             sizeof (X509_INFO *));
3635         if (cert_infos == NULL) {
3636                 (void) fclose(fp);
3637                 rv = KMF_ERR_MEMORY;
3638                 goto err;
3639         }
3640 
3641         for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3642                 /* LINTED E_BAD_PTR_CAST_ALIGN */
3643                 cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3644                 ncerts++;
3645         }
3646 
3647         if (ncerts == 0) {
3648                 (void) fclose(fp);
3649                 rv = KMF_ERR_CERT_NOT_FOUND;
3650                 goto err;
3651         }
3652 
3653         if (priv_key != NULL) {
3654                 rewind(fp);
3655                 pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
3656         }
3657         (void) fclose(fp);
3658 
3659         x = cert_infos[ncerts - 1]->x509;
3660         /*
3661          * Make sure the private key matchs the last cert in the file.
3662          */


3704         if (numcerts != NULL)
3705                 *numcerts = matchcerts;
3706 
3707         if (certs != NULL)
3708                 *certs = certlist;
3709         else if (certlist != NULL) {
3710                 for (i = 0; i < ncerts; i++)
3711                         kmf_free_data(&certlist[i]);
3712                 free(certlist);
3713                 certlist = NULL;
3714         }
3715 
3716         if (priv_key == NULL && pkey != NULL)
3717                 EVP_PKEY_free(pkey);
3718         else if (priv_key != NULL && pkey != NULL)
3719                 *priv_key = pkey;
3720 
3721 err:
3722         /* Cleanup the stack of X509 info records */
3723         for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3724                 /* LINTED E_BAD_PTR_CAST_ALIGN */
3725                 info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3726                 X509_INFO_free(info);
3727         }
3728         if (x509_info_stack)
3729                 sk_X509_INFO_free(x509_info_stack);
3730 
3731         if (cert_infos != NULL)
3732                 free(cert_infos);
3733 
3734         return (rv);
3735 }
3736 
3737 static KMF_RETURN
3738 openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3739         STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3740 {
3741         KMF_RETURN ret;
3742         int i;
3743 
3744         for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
3745                 /* LINTED E_BAD_PTR_CAST_ALIGN */
3746                 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3747                 ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3748                     keys, certs);
3749 
3750                 if (ret != KMF_OK)
3751                         return (ret);
3752         }
3753 
3754         return (ret);
3755 }
3756 
3757 static KMF_RETURN
3758 set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
3759 {
3760         X509_ATTRIBUTE *attr = NULL;
3761 
3762         if (pkey == NULL || attrib == NULL)
3763                 return (KMF_ERR_BAD_PARAMETER);
3764 
3765         if (pkey->attributes == NULL) {
3766                 pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3767                 if (pkey->attributes == NULL)
3768                         return (KMF_ERR_MEMORY);
3769         }
3770         attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3771         if (attr != NULL) {
3772                 int i;
3773                 X509_ATTRIBUTE *a;
3774                 for (i = 0;
3775                     i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
3776                         /* LINTED E_BAD_PTR_CASE_ALIGN */
3777                         a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3778                         if (OBJ_obj2nid(a->object) == nid) {
3779                                 X509_ATTRIBUTE_free(a);
3780                                 /* LINTED E_BAD_PTR_CAST_ALIGN */
3781                                 sk_X509_ATTRIBUTE_set(pkey->attributes,
3782                                     i, attr);
3783                                 return (KMF_OK);
3784                         }
3785                 }
3786                 if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3787                         X509_ATTRIBUTE_free(attr);
3788                         return (KMF_ERR_MEMORY);
3789                 }
3790         } else {
3791                 return (KMF_ERR_MEMORY);
3792         }
3793 
3794         return (KMF_OK);
3795 }
3796 
3797 static KMF_RETURN
3798 openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
3799         STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
3800 {
3801         KMF_RETURN ret = KMF_OK;


3938         if (p12 == NULL || (keys == NULL && certs == NULL))
3939                 return (KMF_ERR_BAD_PARAMETER);
3940 
3941         if (pin == NULL || *pin == NULL) {
3942                 if (PKCS12_verify_mac(p12, NULL, 0)) {
3943                         pin = NULL;
3944                 } else if (PKCS12_verify_mac(p12, "", 0)) {
3945                         pin = "";
3946                 } else {
3947                         return (KMF_ERR_AUTH_FAILED);
3948                 }
3949         } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3950                 return (KMF_ERR_AUTH_FAILED);
3951         }
3952 
3953         if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3954                 return (KMF_ERR_PKCS12_FORMAT);
3955 
3956         for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3957                 bags = NULL;
3958                 /* LINTED E_BAD_PTR_CAST_ALIGN */
3959                 p7 = sk_PKCS7_value(asafes, i);
3960                 bagnid = OBJ_obj2nid(p7->type);
3961 
3962                 if (bagnid == NID_pkcs7_data) {
3963                         bags = PKCS12_unpack_p7data(p7);
3964                 } else if (bagnid == NID_pkcs7_encrypted) {
3965                         bags = PKCS12_unpack_p7encdata(p7, pin,
3966                             (pin ? strlen(pin) : 0));
3967                 } else {
3968                         continue;
3969                 }
3970                 if (bags == NULL) {
3971                         ret = KMF_ERR_PKCS12_FORMAT;
3972                         goto out;
3973                 }
3974 
3975                 if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
3976                         ret = KMF_ERR_PKCS12_FORMAT;
3977 
3978                 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);


4216                 return (KMF_ERR_MEMORY);
4217 
4218         list[n] = *newkey;
4219         (*nkeys) = n + 1;
4220 
4221         *keylist = list;
4222 
4223         return (KMF_OK);
4224 }
4225 
4226 static X509_ATTRIBUTE *
4227 find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4228 {
4229         X509_ATTRIBUTE *a;
4230         int i;
4231 
4232         if (attrs == NULL)
4233                 return (NULL);
4234 
4235         for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
4236                 /* LINTED E_BAD_PTR_CAST_ALIGN */
4237                 a = sk_X509_ATTRIBUTE_value(attrs, i);
4238                 if (OBJ_obj2nid(a->object) == nid)
4239                         return (a);
4240         }
4241         return (NULL);
4242 }
4243 
4244 static KMF_RETURN
4245 convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4246 {
4247         KMF_RETURN rv = KMF_OK;
4248         X509_ATTRIBUTE *attr;
4249 
4250         if (pkey == NULL || key == NULL)
4251                 return (KMF_ERR_BAD_PARAMETER);
4252         /* Convert SSL key to raw key */
4253         switch (pkey->type) {
4254                 case EVP_PKEY_RSA:
4255                         rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
4256                             key);
4257                         if (rv != KMF_OK)
4258                                 return (rv);
4259                         break;
4260                 case EVP_PKEY_DSA:
4261                         rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
4262                             key);
4263                         if (rv != KMF_OK)
4264                                 return (rv);
4265                         break;
4266                 default:
4267                         return (KMF_ERR_BAD_PARAMETER);
4268         }
4269         /*
4270          * If friendlyName, add it to record.
4271          */
4272         attr = find_attr(pkey->attributes, NID_friendlyName);
4273         if (attr != NULL) {
4274                 ASN1_TYPE *ty = NULL;
4275                 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4276                 if (attr->single == 0 && numattr > 0) {
4277                         /* LINTED E_BAD_PTR_CAST_ALIGN */
4278                         ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4279                 }
4280                 if (ty != NULL) {
4281 #if OPENSSL_VERSION_NUMBER < 0x10000000L
4282                         key->label = uni2asc(ty->value.bmpstring->data,
4283                             ty->value.bmpstring->length);
4284 #else
4285                         key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4286                             ty->value.bmpstring->length);
4287 #endif
4288                 }
4289         } else {
4290                 key->label = NULL;
4291         }
4292 
4293         /*
4294          * If KeyID, add it to record as a KMF_DATA object.
4295          */
4296         attr = find_attr(pkey->attributes, NID_localKeyID);
4297         if (attr != NULL) {
4298                 ASN1_TYPE *ty = NULL;
4299                 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4300                 if (attr->single == 0 && numattr > 0) {
4301                         /* LINTED E_BAD_PTR_CAST_ALIGN */
4302                         ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4303                 }
4304                 key->id.Data = (uchar_t *)malloc(
4305                     ty->value.octet_string->length);
4306                 if (key->id.Data == NULL)
4307                         return (KMF_ERR_MEMORY);
4308                 (void) memcpy(key->id.Data, ty->value.octet_string->data,
4309                     ty->value.octet_string->length);
4310                 key->id.Length = ty->value.octet_string->length;
4311         } else {
4312                 (void) memset(&key->id, 0, sizeof (KMF_DATA));
4313         }
4314 
4315         return (rv);
4316 }
4317 
4318 static KMF_RETURN
4319 convertPK12Objects(
4320         KMF_HANDLE *kmfh,
4321         STACK_OF(EVP_PKEY) *sslkeys,
4322         STACK_OF(X509) *sslcert,
4323         STACK_OF(X509) *sslcacerts,
4324         KMF_RAW_KEY_DATA **keylist, int *nkeys,
4325         KMF_X509_DER_CERT **certlist, int *ncerts)
4326 {
4327         KMF_RETURN rv = KMF_OK;
4328         KMF_RAW_KEY_DATA key;
4329         int i;
4330 
4331         for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
4332                 /* LINTED E_BAD_PTR_CAST_ALIGN */
4333                 EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4334                 rv = convertToRawKey(pkey, &key);
4335                 if (rv == KMF_OK)
4336                         rv = add_key_to_list(keylist, &key, nkeys);
4337 
4338                 if (rv != KMF_OK)
4339                         return (rv);
4340         }
4341 
4342         /* Now add the certificate to the certlist */
4343         for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
4344                 /* LINTED E_BAD_PTR_CAST_ALIGN */
4345                 X509 *cert = sk_X509_value(sslcert, i);
4346                 rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4347                 if (rv != KMF_OK)
4348                         return (rv);
4349         }
4350 
4351         /* Also add any included CA certs to the list */
4352         for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4353                 X509 *c;
4354                 /*
4355                  * sk_X509_value() is macro that embeds a cast to (X509 *).
4356                  * Here it translates into ((X509 *)sk_value((ca), (i))).
4357                  * Lint is complaining about the embedded casting, and
4358                  * to fix it, you need to fix openssl header files.
4359                  */
4360                 /* LINTED E_BAD_PTR_CAST_ALIGN */
4361                 c = sk_X509_value(sslcacerts, i);
4362 
4363                 /* Now add the ca cert to the certlist */
4364                 rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4365                 if (rv != KMF_OK)
4366                         return (rv);
4367         }
4368         return (rv);
4369 }
4370 
4371 KMF_RETURN
4372 openssl_import_objects(KMF_HANDLE *kmfh,
4373         char *filename, KMF_CREDENTIAL *cred,
4374         KMF_X509_DER_CERT **certlist, int *ncerts,
4375         KMF_RAW_KEY_DATA **keylist, int *nkeys)
4376 {
4377         KMF_RETURN      rv = KMF_OK;
4378         KMF_ENCODE_FORMAT format;
4379         BIO             *bio = NULL;
4380         STACK_OF(EVP_PKEY)      *privkeys = NULL;


5407                 ret = KMF_ERR_BAD_CERTFILE;
5408                 goto end;
5409         }
5410 
5411         /* Check if the certificate and the CRL have same issuer */
5412         if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
5413                 ret = KMF_ERR_ISSUER;
5414                 goto end;
5415         }
5416 
5417         /* Check to see if the certificate serial number is revoked */
5418         revoke_stack = X509_CRL_get_REVOKED(xcrl);
5419         if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5420                 /* No revoked certificates in the CRL file */
5421                 SET_ERROR(kmfh, ERR_get_error());
5422                 ret = KMF_ERR_EMPTY_CRL;
5423                 goto end;
5424         }
5425 
5426         for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
5427                 /* LINTED E_BAD_PTR_CAST_ALIGN */
5428                 revoke = sk_X509_REVOKED_value(revoke_stack, i);
5429                 if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5430                     revoke->serialNumber) == 0) {
5431                         break;
5432                 }
5433         }
5434 
5435         if (i < sk_X509_REVOKED_num(revoke_stack)) {
5436                 ret = KMF_OK;
5437         } else {
5438                 ret = KMF_ERR_NOT_REVOKED;
5439         }
5440 
5441 end:
5442         if (in != NULL)
5443                 (void) BIO_free(in);
5444         if (xcrl != NULL)
5445                 X509_CRL_free(xcrl);
5446         if (xcert != NULL)
5447                 X509_free(xcert);




2482 
2483 /* ocsp_find_signer_sk() is copied from openssl source */
2484 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2485 {
2486         int i;
2487         unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2488 
2489         /* Easy if lookup by name */
2490         if (id->type == V_OCSP_RESPID_NAME)
2491                 return (X509_find_by_subject(certs, id->value.byName));
2492 
2493         /* Lookup by key hash */
2494 
2495         /* If key hash isn't SHA1 length then forget it */
2496         if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2497                 return (NULL);
2498 
2499         keyhash = id->value.byKey->data;
2500         /* Calculate hash of each key and compare */
2501         for (i = 0; i < sk_X509_num(certs); i++) {

2502                 X509 *x = sk_X509_value(certs, i);
2503                 /* Use pubkey_digest to get the key ID value */
2504                 (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2505                 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2506                         return (x);
2507         }
2508         return (NULL);
2509 }
2510 
2511 /* ocsp_find_signer() is copied from openssl source */
2512 /* ARGSUSED2 */
2513 static int
2514 ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2515     X509_STORE *st, unsigned long flags)
2516 {
2517         X509 *signer;
2518         OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2519         if ((signer = ocsp_find_signer_sk(certs, rid))) {
2520                 *psigner = signer;
2521                 return (2);


3621         if (certs)
3622                 *certs = NULL;
3623         fp = fopen(filename, "r");
3624         if (fp == NULL)
3625                 return (KMF_ERR_OPEN_FILE);
3626 
3627         x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
3628         if (x509_info_stack == NULL) {
3629                 (void) fclose(fp);
3630                 return (KMF_ERR_ENCODING);
3631         }
3632         cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3633             sizeof (X509_INFO *));
3634         if (cert_infos == NULL) {
3635                 (void) fclose(fp);
3636                 rv = KMF_ERR_MEMORY;
3637                 goto err;
3638         }
3639 
3640         for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {

3641                 cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3642                 ncerts++;
3643         }
3644 
3645         if (ncerts == 0) {
3646                 (void) fclose(fp);
3647                 rv = KMF_ERR_CERT_NOT_FOUND;
3648                 goto err;
3649         }
3650 
3651         if (priv_key != NULL) {
3652                 rewind(fp);
3653                 pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
3654         }
3655         (void) fclose(fp);
3656 
3657         x = cert_infos[ncerts - 1]->x509;
3658         /*
3659          * Make sure the private key matchs the last cert in the file.
3660          */


3702         if (numcerts != NULL)
3703                 *numcerts = matchcerts;
3704 
3705         if (certs != NULL)
3706                 *certs = certlist;
3707         else if (certlist != NULL) {
3708                 for (i = 0; i < ncerts; i++)
3709                         kmf_free_data(&certlist[i]);
3710                 free(certlist);
3711                 certlist = NULL;
3712         }
3713 
3714         if (priv_key == NULL && pkey != NULL)
3715                 EVP_PKEY_free(pkey);
3716         else if (priv_key != NULL && pkey != NULL)
3717                 *priv_key = pkey;
3718 
3719 err:
3720         /* Cleanup the stack of X509 info records */
3721         for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {

3722                 info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3723                 X509_INFO_free(info);
3724         }
3725         if (x509_info_stack)
3726                 sk_X509_INFO_free(x509_info_stack);
3727 
3728         if (cert_infos != NULL)
3729                 free(cert_infos);
3730 
3731         return (rv);
3732 }
3733 
3734 static KMF_RETURN
3735 openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3736         STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3737 {
3738         KMF_RETURN ret;
3739         int i;
3740 
3741         for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {

3742                 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3743                 ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3744                     keys, certs);
3745 
3746                 if (ret != KMF_OK)
3747                         return (ret);
3748         }
3749 
3750         return (ret);
3751 }
3752 
3753 static KMF_RETURN
3754 set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
3755 {
3756         X509_ATTRIBUTE *attr = NULL;
3757 
3758         if (pkey == NULL || attrib == NULL)
3759                 return (KMF_ERR_BAD_PARAMETER);
3760 
3761         if (pkey->attributes == NULL) {
3762                 pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3763                 if (pkey->attributes == NULL)
3764                         return (KMF_ERR_MEMORY);
3765         }
3766         attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3767         if (attr != NULL) {
3768                 int i;
3769                 X509_ATTRIBUTE *a;
3770                 for (i = 0;
3771                     i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {

3772                         a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3773                         if (OBJ_obj2nid(a->object) == nid) {
3774                                 X509_ATTRIBUTE_free(a);
3775                                 (void) sk_X509_ATTRIBUTE_set(pkey->attributes,

3776                                     i, attr);
3777                                 return (KMF_OK);
3778                         }
3779                 }
3780                 if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3781                         X509_ATTRIBUTE_free(attr);
3782                         return (KMF_ERR_MEMORY);
3783                 }
3784         } else {
3785                 return (KMF_ERR_MEMORY);
3786         }
3787 
3788         return (KMF_OK);
3789 }
3790 
3791 static KMF_RETURN
3792 openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
3793         STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
3794 {
3795         KMF_RETURN ret = KMF_OK;


3932         if (p12 == NULL || (keys == NULL && certs == NULL))
3933                 return (KMF_ERR_BAD_PARAMETER);
3934 
3935         if (pin == NULL || *pin == NULL) {
3936                 if (PKCS12_verify_mac(p12, NULL, 0)) {
3937                         pin = NULL;
3938                 } else if (PKCS12_verify_mac(p12, "", 0)) {
3939                         pin = "";
3940                 } else {
3941                         return (KMF_ERR_AUTH_FAILED);
3942                 }
3943         } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3944                 return (KMF_ERR_AUTH_FAILED);
3945         }
3946 
3947         if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3948                 return (KMF_ERR_PKCS12_FORMAT);
3949 
3950         for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3951                 bags = NULL;

3952                 p7 = sk_PKCS7_value(asafes, i);
3953                 bagnid = OBJ_obj2nid(p7->type);
3954 
3955                 if (bagnid == NID_pkcs7_data) {
3956                         bags = PKCS12_unpack_p7data(p7);
3957                 } else if (bagnid == NID_pkcs7_encrypted) {
3958                         bags = PKCS12_unpack_p7encdata(p7, pin,
3959                             (pin ? strlen(pin) : 0));
3960                 } else {
3961                         continue;
3962                 }
3963                 if (bags == NULL) {
3964                         ret = KMF_ERR_PKCS12_FORMAT;
3965                         goto out;
3966                 }
3967 
3968                 if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
3969                         ret = KMF_ERR_PKCS12_FORMAT;
3970 
3971                 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);


4209                 return (KMF_ERR_MEMORY);
4210 
4211         list[n] = *newkey;
4212         (*nkeys) = n + 1;
4213 
4214         *keylist = list;
4215 
4216         return (KMF_OK);
4217 }
4218 
4219 static X509_ATTRIBUTE *
4220 find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4221 {
4222         X509_ATTRIBUTE *a;
4223         int i;
4224 
4225         if (attrs == NULL)
4226                 return (NULL);
4227 
4228         for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {

4229                 a = sk_X509_ATTRIBUTE_value(attrs, i);
4230                 if (OBJ_obj2nid(a->object) == nid)
4231                         return (a);
4232         }
4233         return (NULL);
4234 }
4235 
4236 static KMF_RETURN
4237 convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4238 {
4239         KMF_RETURN rv = KMF_OK;
4240         X509_ATTRIBUTE *attr;
4241 
4242         if (pkey == NULL || key == NULL)
4243                 return (KMF_ERR_BAD_PARAMETER);
4244         /* Convert SSL key to raw key */
4245         switch (pkey->type) {
4246                 case EVP_PKEY_RSA:
4247                         rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
4248                             key);
4249                         if (rv != KMF_OK)
4250                                 return (rv);
4251                         break;
4252                 case EVP_PKEY_DSA:
4253                         rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
4254                             key);
4255                         if (rv != KMF_OK)
4256                                 return (rv);
4257                         break;
4258                 default:
4259                         return (KMF_ERR_BAD_PARAMETER);
4260         }
4261         /*
4262          * If friendlyName, add it to record.
4263          */
4264         attr = find_attr(pkey->attributes, NID_friendlyName);
4265         if (attr != NULL) {
4266                 ASN1_TYPE *ty = NULL;
4267                 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4268                 if (attr->single == 0 && numattr > 0) {

4269                         ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4270                 }
4271                 if (ty != NULL) {
4272 #if OPENSSL_VERSION_NUMBER < 0x10000000L
4273                         key->label = uni2asc(ty->value.bmpstring->data,
4274                             ty->value.bmpstring->length);
4275 #else
4276                         key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4277                             ty->value.bmpstring->length);
4278 #endif
4279                 }
4280         } else {
4281                 key->label = NULL;
4282         }
4283 
4284         /*
4285          * If KeyID, add it to record as a KMF_DATA object.
4286          */
4287         attr = find_attr(pkey->attributes, NID_localKeyID);
4288         if (attr != NULL) {
4289                 ASN1_TYPE *ty = NULL;
4290                 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4291                 if (attr->single == 0 && numattr > 0) {

4292                         ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4293                 }
4294                 key->id.Data = (uchar_t *)malloc(
4295                     ty->value.octet_string->length);
4296                 if (key->id.Data == NULL)
4297                         return (KMF_ERR_MEMORY);
4298                 (void) memcpy(key->id.Data, ty->value.octet_string->data,
4299                     ty->value.octet_string->length);
4300                 key->id.Length = ty->value.octet_string->length;
4301         } else {
4302                 (void) memset(&key->id, 0, sizeof (KMF_DATA));
4303         }
4304 
4305         return (rv);
4306 }
4307 
4308 static KMF_RETURN
4309 convertPK12Objects(
4310         KMF_HANDLE *kmfh,
4311         STACK_OF(EVP_PKEY) *sslkeys,
4312         STACK_OF(X509) *sslcert,
4313         STACK_OF(X509) *sslcacerts,
4314         KMF_RAW_KEY_DATA **keylist, int *nkeys,
4315         KMF_X509_DER_CERT **certlist, int *ncerts)
4316 {
4317         KMF_RETURN rv = KMF_OK;
4318         KMF_RAW_KEY_DATA key;
4319         int i;
4320 
4321         for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {

4322                 EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4323                 rv = convertToRawKey(pkey, &key);
4324                 if (rv == KMF_OK)
4325                         rv = add_key_to_list(keylist, &key, nkeys);
4326 
4327                 if (rv != KMF_OK)
4328                         return (rv);
4329         }
4330 
4331         /* Now add the certificate to the certlist */
4332         for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {

4333                 X509 *cert = sk_X509_value(sslcert, i);
4334                 rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4335                 if (rv != KMF_OK)
4336                         return (rv);
4337         }
4338 
4339         /* Also add any included CA certs to the list */
4340         for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4341                 X509 *c;
4342                 /*
4343                  * sk_X509_value() is macro that embeds a cast to (X509 *).
4344                  * Here it translates into ((X509 *)sk_value((ca), (i))).
4345                  * Lint is complaining about the embedded casting, and
4346                  * to fix it, you need to fix openssl header files.
4347                  */

4348                 c = sk_X509_value(sslcacerts, i);
4349 
4350                 /* Now add the ca cert to the certlist */
4351                 rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4352                 if (rv != KMF_OK)
4353                         return (rv);
4354         }
4355         return (rv);
4356 }
4357 
4358 KMF_RETURN
4359 openssl_import_objects(KMF_HANDLE *kmfh,
4360         char *filename, KMF_CREDENTIAL *cred,
4361         KMF_X509_DER_CERT **certlist, int *ncerts,
4362         KMF_RAW_KEY_DATA **keylist, int *nkeys)
4363 {
4364         KMF_RETURN      rv = KMF_OK;
4365         KMF_ENCODE_FORMAT format;
4366         BIO             *bio = NULL;
4367         STACK_OF(EVP_PKEY)      *privkeys = NULL;


5394                 ret = KMF_ERR_BAD_CERTFILE;
5395                 goto end;
5396         }
5397 
5398         /* Check if the certificate and the CRL have same issuer */
5399         if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
5400                 ret = KMF_ERR_ISSUER;
5401                 goto end;
5402         }
5403 
5404         /* Check to see if the certificate serial number is revoked */
5405         revoke_stack = X509_CRL_get_REVOKED(xcrl);
5406         if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5407                 /* No revoked certificates in the CRL file */
5408                 SET_ERROR(kmfh, ERR_get_error());
5409                 ret = KMF_ERR_EMPTY_CRL;
5410                 goto end;
5411         }
5412 
5413         for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {

5414                 revoke = sk_X509_REVOKED_value(revoke_stack, i);
5415                 if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5416                     revoke->serialNumber) == 0) {
5417                         break;
5418                 }
5419         }
5420 
5421         if (i < sk_X509_REVOKED_num(revoke_stack)) {
5422                 ret = KMF_OK;
5423         } else {
5424                 ret = KMF_ERR_NOT_REVOKED;
5425         }
5426 
5427 end:
5428         if (in != NULL)
5429                 (void) BIO_free(in);
5430         if (xcrl != NULL)
5431                 X509_CRL_free(xcrl);
5432         if (xcert != NULL)
5433                 X509_free(xcert);