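/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2002-2003 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * Split a PKCS#12 input file into its component parts (client key,
 * client certificate, remaining "trust anchor" certificates), writing
 * each requested part out as its own PKCS#12 file.
 */

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <libintl.h>
#include <locale.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wanboot_impl.h>
#include <unistd.h>
#include <string.h>
#include <libinetutil.h>
#include <wanbootutil.h>

#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pkcs12.h>
#include <openssl/evp.h>
#include <p12aux.h>

static boolean_t verbose = B_FALSE;	/* When nonzero, do in verbose mode */

/* The following match/cert values require PKCS12 */
static int matchty;		/* Type of matching do to on input */
static char *k_matchval;	/* localkeyid value to match (malloc'd) */
static uint_t k_len;		/* length of k_matchval */

#define	IO_KEYFILE	1	/* Have a separate key file or data */
#define	IO_CERTFILE	2	/* Have a separate cert file or data */
#define	IO_TRUSTFILE	4	/* Have a separate trustanchor file */

static char *input = NULL;	/* Consolidated input file */
static char *key_out = NULL;	/* Key file to be output */
static char *cert_out = NULL;	/* Cert file to be output */
static char *trust_out = NULL;	/* Trust anchor file to be output */
static uint_t outfiles;		/* What files are there for output */
static char *progname;

/* Returns from time_check */
typedef enum {
	CHK_TIME_OK = 0,	/* Cert in effect and not expired */
	CHK_TIME_BEFORE_BAD,	/* not_before field is invalid */
	CHK_TIME_AFTER_BAD,	/* not_after field is invalid */
	CHK_TIME_IS_BEFORE,	/* Cert not yet in force */
	CHK_TIME_HAS_EXPIRED	/* Cert has expired */
} time_errs_t;

static int parse_keyid(const char *);
static int do_certs(void);
static int read_files(STACK_OF(X509) **, X509 **, EVP_PKEY **);
static void check_certs(STACK_OF(X509) *, X509 **);
static time_errs_t time_check_print(X509 *);
static time_errs_t time_check(X509 *);
static int write_files(STACK_OF(X509) *, X509 *, EVP_PKEY *);
static int get_ifile(char *, char *, EVP_PKEY **, X509 **, STACK_OF(X509) **);
static int do_ofile(char *, EVP_PKEY *, X509 *, STACK_OF(X509) *);
static void usage(void);
static const char *cryptoerr(void);

/*
 * Parse the command line, then split the input file into the requested
 * output files.  Exits via usage() (EXIT_FAILURE) on a bad command line;
 * otherwise returns EXIT_SUCCESS or EXIT_FAILURE from do_certs().
 */
int
main(int argc, char **argv)
{
	int i;

	/*
	 * Do the necessary magic for localization support.
	 */
	(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)
#define	TEXT_DOMAIN "SYS_TEST"
#endif
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * argv[0] is absent when a caller exec's us with an empty argument
	 * vector; fall back to a fixed name rather than dereferencing NULL.
	 */
	if (argc > 0 && argv[0] != NULL) {
		progname = strrchr(argv[0], '/');
		if (progname != NULL)
			progname++;
		else
			progname = argv[0];
	} else {
		progname = "(unknown)";
	}

	wbku_errinit(progname);

	matchty = DO_FIRST_PAIR;
	while ((i = getopt(argc, argv, "vc:i:k:l:t:")) != -1) {
		switch (i) {
		case 'v':
			verbose = B_TRUE;
			break;

		case 'l':
			if (parse_keyid(optarg) < 0)
				return (EXIT_FAILURE);
			matchty = DO_FIND_KEYID;
			break;

		case 'c':
			cert_out = optarg;
			outfiles |= IO_CERTFILE;
			break;

		case 'k':
			key_out = optarg;
			outfiles |= IO_KEYFILE;
			break;

		case 't':
			trust_out = optarg;
			outfiles |= IO_TRUSTFILE;
			break;

		case 'i':
			input = optarg;
			break;

		default:
			usage();
		}
	}

	if (input == NULL) {
		wbku_printerr("no input file specified\n");
		usage();
	}

	/*
	 * Need output files.
	 */
	if (outfiles == 0) {
		wbku_printerr("at least one output file must be specified\n");
		usage();
	}

	if (do_certs() < 0)
		return (EXIT_FAILURE);

	return (EXIT_SUCCESS);
}

/*
 * Convert the user-supplied localkeyid string (hex digits, optionally
 * separated by spaces) into the binary k_matchval/k_len pair used to
 * select a key/cert pair from the input file.
 *
 * Returns 0 on success, -1 (with an error printed) on allocation failure
 * or if the string is not valid hex.  On failure k_matchval is left NULL.
 */
static int
parse_keyid(const char *keystr)
{
	const char *rp;
	char *wp;
	char *nkeystr;
	uint_t nkeystrlen;

	/*
	 * A repeated -l replaces any earlier value; release it rather than
	 * leaking it (free(NULL) is harmless the first time through).
	 */
	free(k_matchval);
	k_matchval = NULL;

	/*
	 * In the worst case, we'll need one additional character in our
	 * output string -- e.g. "A\0" -> "0A\0"
	 */
	nkeystrlen = strlen(keystr) + 2;
	k_len = (nkeystrlen + 1) / 2;
	nkeystr = malloc(nkeystrlen);
	k_matchval = malloc(k_len);
	if (nkeystr == NULL || k_matchval == NULL) {
		free(nkeystr);
		free(k_matchval);
		k_matchval = NULL;
		wbku_printerr("cannot allocate keyid");
		return (-1);
	}

	/*
	 * For convenience, we allow the user to put spaces between each digit
	 * when entering it on the command line.  As a result, we need to
	 * process it into a format that hexascii_to_octet() can handle.  Note
	 * that we're careful to map strings like "AA B CC D" to "AA0BCC0D".
	 */
	for (rp = keystr, wp = nkeystr; *rp != '\0'; rp++) {
		if (*rp == ' ')
			continue;

		if (rp[1] == ' ' || rp[1] == '\0') {
			*wp++ = '0';	/* one character sequence; prepend 0 */
			*wp++ = *rp;
		} else {
			*wp++ = *rp++;
			*wp++ = *rp;
		}
	}
	*wp = '\0';

	/* hexascii_to_octet() updates k_len to the number of bytes written */
	if (hexascii_to_octet(nkeystr, wp - nkeystr, k_matchval, &k_len) != 0) {
		free(nkeystr);
		free(k_matchval);
		k_matchval = NULL;
		wbku_printerr("invalid keyid `%s'\n", keystr);
		return (-1);
	}

	free(nkeystr);
	return (0);
}

/*
 * Top-level worker: read the input file, optionally describe what was
 * found, drop certificates that are not time-valid, warn if the key does
 * not match the certificate, and write the requested output files.
 *
 * Returns 0 on success, -1 on failure (an error has already been printed).
 */
static int
do_certs(void)
{
	char *bufp;
	STACK_OF(X509) *ta_in = NULL;
	EVP_PKEY *pkey_in = NULL;
	X509 *xcert_in = NULL;

	sunw_crypto_init();

	if (read_files(&ta_in, &xcert_in, &pkey_in) < 0)
		return (-1);

	if (verbose) {
		if (xcert_in != NULL) {
			(void) printf(gettext("\nMain cert:\n"));

			/*
			 * sunw_subject_attrs() returns a pointer to
			 * memory allocated on our behalf.  The same
			 * behavior is exhibited by sunw_issuer_attrs().
			 */
			bufp = sunw_subject_attrs(xcert_in, NULL, 0);
			if (bufp != NULL) {
				(void) printf(gettext(" Subject: %s\n"),
				    bufp);
				OPENSSL_free(bufp);
			}

			bufp = sunw_issuer_attrs(xcert_in, NULL, 0);
			if (bufp != NULL) {
				(void) printf(gettext(" Issuer: %s\n"), bufp);
				OPENSSL_free(bufp);
			}

			(void) sunw_print_times(stdout, PRNT_BOTH, NULL,
			    xcert_in);
		}

		if (ta_in != NULL) {
			X509 *x;
			int i;

			for (i = 0; i < sk_X509_num(ta_in); i++) {
				/* LINTED */
				x = sk_X509_value(ta_in, i);
				(void) printf(
				    gettext("\nTrust Anchor cert %d:\n"), i);

				/*
				 * sunw_subject_attrs() returns a pointer to
				 * memory allocated on our behalf.  We get the
				 * same behavior from sunw_issuer_attrs().
				 */
				bufp = sunw_subject_attrs(x, NULL, 0);
				if (bufp != NULL) {
					(void) printf(
					    gettext(" Subject: %s\n"), bufp);
					OPENSSL_free(bufp);
				}

				bufp = sunw_issuer_attrs(x, NULL, 0);
				if (bufp != NULL) {
					(void) printf(
					    gettext(" Issuer: %s\n"), bufp);
					OPENSSL_free(bufp);
				}

				(void) sunw_print_times(stdout, PRNT_BOTH,
				    NULL, x);
			}
		}
	}

	/* May free and NULL out xcert_in if it is expired/invalid. */
	check_certs(ta_in, &xcert_in);
	if (xcert_in != NULL && pkey_in != NULL) {
		if (sunw_check_keys(xcert_in, pkey_in) == 0) {
			wbku_printerr("warning: key and certificate do "
			    "not match\n");
		}
	}

	return (write_files(ta_in, xcert_in, pkey_in));
}

/*
 * Prompt for the input file's passphrase and load the key, cert and trust
 * anchors from it, then verify that every requested output has something
 * to be written.
 *
 * Returns 0 on success, -1 (with an error printed) otherwise.
 */
static int
read_files(STACK_OF(X509) **t_in, X509 **c_in, EVP_PKEY **k_in)
{
	char *i_pass;

	/*
	 * NOTE(review): getpassphrase() hands back a library-owned buffer
	 * and may return NULL; the passphrase is not scrubbed after use
	 * here -- confirm whether sunw_PKCS12_parse() retains the pointer
	 * before adding that.
	 */
	i_pass = getpassphrase(gettext("Enter key password: "));

	if (get_ifile(input, i_pass, k_in, c_in, t_in) < 0)
		return (-1);

	/*
	 * If we are only interested in getting a trust anchor, and if there
	 * is no trust anchor but is a regular cert, use it instead.  Do this
	 * to handle the insanity with openssl, which requires a matching cert
	 * and key in order to write a PKCS12 file.
	 */
	if (outfiles == IO_TRUSTFILE) {
		if (c_in != NULL && *c_in != NULL && t_in != NULL) {
			if (*t_in == NULL) {
				if ((*t_in = sk_X509_new_null()) == NULL) {
					wbku_printerr("out of memory\n");
					return (-1);
				}
			}

			if (sk_X509_num(*t_in) == 0) {
				if (sk_X509_push(*t_in, *c_in) == 0) {
					wbku_printerr("out of memory\n");
					return (-1);
				}
				/* ownership moved into the stack */
				*c_in = NULL;
			}
		}
	}

	if ((outfiles & IO_KEYFILE) && *k_in == NULL) {
		wbku_printerr("no matching key found\n");
		return (-1);
	}
	if ((outfiles & IO_CERTFILE) && *c_in == NULL) {
		wbku_printerr("no matching certificate found\n");
		return (-1);
	}
	if ((outfiles & IO_TRUSTFILE) && *t_in == NULL) {
		wbku_printerr("no matching trust anchor found\n");
		return (-1);
	}

	return (0);
}

/*
 * Report time-validity problems for the main cert and each trust anchor.
 * Certs that are expired or have an unparsable validity field are freed
 * and removed (the main cert by NULLing *c_in, anchors by deletion from
 * the stack); a cert that is merely not yet valid is kept.
 */
static void
check_certs(STACK_OF(X509) *ta_in, X509 **c_in)
{
	X509 *curr;
	time_errs_t ret;
	int i;
	int del_expired = (outfiles != 0);

	if (c_in != NULL && *c_in != NULL) {
		ret = time_check_print(*c_in);
		if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) &&
		    del_expired) {
			(void) fprintf(stderr, gettext(" Removing cert\n"));
			X509_free(*c_in);
			*c_in = NULL;
		}
	}

	if (ta_in == NULL)
		return;

	/* No i++ on deletion: the next element shifts into slot i. */
	for (i = 0; i < sk_X509_num(ta_in); ) {
		/* LINTED */
		curr = sk_X509_value(ta_in, i);
		ret = time_check_print(curr);
		if ((ret != CHK_TIME_OK && ret != CHK_TIME_IS_BEFORE) &&
		    del_expired) {
			(void) fprintf(stderr, gettext(" Removing cert\n"));
			/* LINTED */
			curr = sk_X509_delete(ta_in, i);
			X509_free(curr);
			continue;
		}
		i++;
	}
}

/*
 * Run time_check() on a cert and, if it is not CHK_TIME_OK, print the
 * subject, issuer and a description of the problem to stderr.
 *
 * Returns the time_check() result.
 */
static time_errs_t
time_check_print(X509 *cert)
{
	char buf[256];
	const char *attrs;
	time_errs_t ret;

	ret = time_check(cert);
	if (ret == CHK_TIME_OK)
		return (CHK_TIME_OK);

	/*
	 * sunw_subject_attrs()/sunw_issuer_attrs() can fail and return NULL
	 * (do_certs() checks for it); passing NULL to "%s" is undefined.
	 */
	attrs = sunw_subject_attrs(cert, buf, sizeof (buf));
	(void) fprintf(stderr, gettext(" Subject: %s"),
	    attrs != NULL ? attrs : "");
	attrs = sunw_issuer_attrs(cert, buf, sizeof (buf));
	(void) fprintf(stderr, gettext(" Issuer: %s"),
	    attrs != NULL ? attrs : "");

	switch (ret) {
	case CHK_TIME_BEFORE_BAD:
		(void) fprintf(stderr,
		    gettext("\n Invalid cert 'not before' field\n"));
		break;

	case CHK_TIME_AFTER_BAD:
		(void) fprintf(stderr,
		    gettext("\n Invalid cert 'not after' field\n"));
		break;

	case CHK_TIME_HAS_EXPIRED:
		(void) sunw_print_times(stderr, PRNT_NOT_AFTER,
		    gettext("\n Cert has expired\n"), cert);
		break;

	case CHK_TIME_IS_BEFORE:
		(void) sunw_print_times(stderr, PRNT_NOT_BEFORE,
		    gettext("\n Warning: cert not yet valid\n"), cert);
		break;

	default:
		break;
	}

	return (ret);
}

/*
 * Classify a cert's validity period against the current time.
 * X509_cmp_time() returns 0 when the ASN.1 time cannot be parsed,
 * which is reported as the corresponding *_BAD value.
 */
static time_errs_t
time_check(X509 *cert)
{
	int i;

	i = X509_cmp_time(X509_get_notBefore(cert), NULL);
	if (i == 0)
		return (CHK_TIME_BEFORE_BAD);
	if (i > 0)
		return (CHK_TIME_IS_BEFORE);
	/* After 'not before' time */

	i = X509_cmp_time(X509_get_notAfter(cert), NULL);
	if (i == 0)
		return (CHK_TIME_AFTER_BAD);
	if (i < 0)
		return (CHK_TIME_HAS_EXPIRED);
	return (CHK_TIME_OK);
}

/*
 * Write each requested output file (key, cert, trust anchors) as its own
 * PKCS#12 file.  Returns 0 on success, -1 on the first failure.
 */
static int
write_files(STACK_OF(X509) *t_out, X509 *c_out, EVP_PKEY *k_out)
{
	if (key_out != NULL) {
		if (verbose)
			(void) printf(gettext("%s: writing key\n"), progname);
		if (do_ofile(key_out, k_out, NULL, NULL) < 0)
			return (-1);
	}

	if (cert_out != NULL) {
		if (verbose)
			(void) printf(gettext("%s: writing cert\n"), progname);
		if (do_ofile(cert_out, NULL, c_out, NULL) < 0)
			return (-1);
	}

	if (trust_out != NULL) {
		if (verbose)
			(void) printf(gettext("%s: writing trust\n"),
			    progname);
		if (do_ofile(trust_out, NULL, NULL, t_out) < 0)
			return (-1);
	}

	return (0);
}

/*
 * Read a PKCS#12 file and extract the key, cert and remaining certs that
 * match the -l selection (or the first pair when no -l was given).
 *
 * Returns 0 on success, -1 (with an error printed) otherwise.
 */
static int
get_ifile(char *name, char *pass, EVP_PKEY **tmp_k, X509 **tmp_c,
    STACK_OF(X509) **tmp_t)
{
	PKCS12 *p12;
	FILE *fp;
	int ret;
	struct stat sbuf;

	if ((fp = fopen(name, "r")) == NULL) {
		wbku_printerr("cannot open input file %s", name);
		return (-1);
	}

	/*
	 * Check the file we actually opened rather than stat()ing the path
	 * beforehand: a path-based check can be raced between stat() and
	 * fopen(), whereas fstat() on the open descriptor cannot.
	 */
	if (fstat(fileno(fp), &sbuf) != 0) {
		wbku_printerr("cannot open input file %s", name);
		(void) fclose(fp);
		return (-1);
	}
	if (!S_ISREG(sbuf.st_mode)) {
		wbku_printerr("%s is not a regular file\n", name);
		(void) fclose(fp);
		return (-1);
	}

	p12 = d2i_PKCS12_fp(fp, NULL);
	if (p12 == NULL) {
		wbku_printerr("cannot read file %s: %s\n", name, cryptoerr());
		(void) fclose(fp);
		return (-1);
	}
	(void) fclose(fp);

	ret = sunw_PKCS12_parse(p12, pass, matchty, k_matchval, k_len,
	    NULL, tmp_k, tmp_c, tmp_t);
	if (ret <= 0) {
		if (ret == 0)
			wbku_printerr("cannot find matching cert and key\n");
		else
			wbku_printerr("cannot parse %s: %s\n", name,
			    cryptoerr());
		PKCS12_free(p12);
		return (-1);
	}
	/*
	 * NOTE(review): p12 is not freed on the success path (process
	 * exits shortly after); left as-is pending confirmation that the
	 * parsed objects do not reference it.
	 */
	return (0);
}

/*
 * Write a PKCS#12 file named `name' holding whichever of pkey, cert and ta
 * are non-NULL.  The file is protected with the fixed WANBOOT_PASSPHRASE.
 *
 * Returns 0 on success, -1 (with an error printed) otherwise.  The caller
 * retains ownership of pkey, cert and ta.
 */
static int
do_ofile(char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ta)
{
	STACK_OF(EVP_PKEY) *klist = NULL;
	STACK_OF(X509) *clist = NULL;
	PKCS12 *p12 = NULL;
	int ret = 0;
	int fd;
	FILE *fp;
	struct stat sbuf;
	mode_t mode;

	/* Avoid opening (and blocking on or truncating) devices and fifos. */
	if (stat(name, &sbuf) == 0 && !S_ISREG(sbuf.st_mode)) {
		wbku_printerr("%s is not a regular file\n", name);
		return (-1);
	}

	/*
	 * The bundle is protected only by the well-known WANBOOT_PASSPHRASE,
	 * so a file carrying a private key must not be readable by other
	 * users.  Create it 0600 from the start -- a fchmod() afterwards
	 * would leave a window in which the file exists with the default
	 * mode.  Other outputs keep the umask-governed mode fopen() would
	 * have used.  (O_CREAT's mode applies only when the file is newly
	 * created; an existing file keeps its current mode.)
	 */
	mode = (pkey != NULL) ? (S_IRUSR | S_IWUSR) :
	    (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
	fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, mode);
	if (fd < 0 || (fp = fdopen(fd, "w")) == NULL) {
		/* report before close() so errno is still the open error */
		wbku_printerr("cannot open output file %s", name);
		if (fd >= 0)
			(void) close(fd);
		return (-1);
	}

	if ((clist = sk_X509_new_null()) == NULL ||
	    (klist = sk_EVP_PKEY_new_null()) == NULL) {
		wbku_printerr("out of memory\n");
		ret = -1;
		goto cleanup;
	}

	if (cert != NULL && sk_X509_push(clist, cert) == 0) {
		wbku_printerr("out of memory\n");
		ret = -1;
		goto cleanup;
	}

	if (pkey != NULL && sk_EVP_PKEY_push(klist, pkey) == 0) {
		wbku_printerr("out of memory\n");
		ret = -1;
		goto cleanup;
	}

	p12 = sunw_PKCS12_create(WANBOOT_PASSPHRASE, klist, clist, ta);
	if (p12 == NULL) {
		wbku_printerr("cannot create %s: %s\n", name, cryptoerr());
		ret = -1;
		goto cleanup;
	}

	if (i2d_PKCS12_fp(fp, p12) == 0) {
		wbku_printerr("cannot write %s: %s\n", name, cryptoerr());
		ret = -1;
		goto cleanup;
	}

cleanup:
	/*
	 * fclose() flushes the buffered PKCS#12 data; a failure here (e.g.
	 * ENOSPC) means the file is incomplete even though i2d succeeded.
	 */
	if (fclose(fp) != 0 && ret == 0) {
		wbku_printerr("cannot write %s", name);
		ret = -1;
	}
	if (p12 != NULL)
		PKCS12_free(p12);
	/*
	 * Put the cert and pkey off of the stack so that they won't
	 * be freed two times.  (If they get left in the stack then
	 * they will be freed with the stack.)
	 */
	if (clist != NULL) {
		if (cert != NULL && sk_X509_num(clist) == 1) {
			/* LINTED */
			(void) sk_X509_delete(clist, 0);
		}
		sk_X509_pop_free(clist, X509_free);
	}
	if (klist != NULL) {
		if (pkey != NULL && sk_EVP_PKEY_num(klist) == 1) {
			/* LINTED */
			(void) sk_EVP_PKEY_delete(klist, 0);
		}
		sk_EVP_PKEY_pop_free(klist, sunw_evp_pkey_free);
	}

	return (ret);
}

/*
 * Print the usage message and exit with EXIT_FAILURE.  Never returns.
 */
static void
usage(void)
{
	(void) fprintf(stderr,
	    gettext("usage:\n"
	    " %s -i <file> -c <file> -k <file> -t <file> [-l <keyid> -v]\n"
	    "\n"),
	    progname);
	(void) fprintf(stderr,
	    gettext(" where:\n"
	    " -i - input file to be split into component parts and put in\n"
	    " files given by -c, -k and -t\n"
	    " -c - output file for the client certificate\n"
	    " -k - output file for the client private key\n"
	    " -t - output file for the remaining certificates (assumed\n"
	    " to be trust anchors)\n"
	    "\n Files are assumed to be pkcs12-format files.\n\n"
	    " -v - verbose\n"
	    " -l - value of 'localkeyid' attribute in client cert and\n"
	    " private key to be selected from the input file.\n\n"));
	exit(EXIT_FAILURE);
}

/*
 * Return a pointer to a static buffer that contains a listing of crypto
 * errors.  We presume that the user doesn't want more than 8KB of error
 * messages :-)
 *
 * Draining the OpenSSL error queue is a side effect; the buffer is
 * overwritten by the next call.
 */
static const char *
cryptoerr(void)
{
	static char errbuf[8192];
	ulong_t err;
	const char *pfile;
	const char *reason;
	int line;
	unsigned int nerr = 0;

	errbuf[0] = '\0';
	while ((err = ERR_get_error_line(&pfile, &line)) != 0) {
		if (++nerr > 1)
			(void) strlcat(errbuf, "\n\t", sizeof (errbuf));

		if (err == (ulong_t)-1) {
			(void) strlcat(errbuf, strerror(errno),
			    sizeof (errbuf));
			break;
		}
		/*
		 * ERR_reason_error_string() returns NULL for codes it has
		 * no string for; strlcat() on NULL is undefined.
		 */
		reason = ERR_reason_error_string(err);
		if (reason == NULL)
			reason = "unknown error";
		(void) strlcat(errbuf, reason, sizeof (errbuf));
	}

	return (errbuf);
}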