2482
2483 /* ocsp_find_signer_sk() is copied from openssl source */
2484 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2485 {
2486 int i;
2487 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2488
2489 /* Easy if lookup by name */
2490 if (id->type == V_OCSP_RESPID_NAME)
2491 return (X509_find_by_subject(certs, id->value.byName));
2492
2493 /* Lookup by key hash */
2494
2495 /* If key hash isn't SHA1 length then forget it */
2496 if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2497 return (NULL);
2498
2499 keyhash = id->value.byKey->data;
2500 /* Calculate hash of each key and compare */
2501 for (i = 0; i < sk_X509_num(certs); i++) {
2502 /* LINTED E_BAD_PTR_CAST_ALIGN */
2503 X509 *x = sk_X509_value(certs, i);
2504 /* Use pubkey_digest to get the key ID value */
2505 (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2506 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2507 return (x);
2508 }
2509 return (NULL);
2510 }
2511
2512 /* ocsp_find_signer() is copied from openssl source */
2513 /* ARGSUSED2 */
2514 static int
2515 ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2516 X509_STORE *st, unsigned long flags)
2517 {
2518 X509 *signer;
2519 OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2520 if ((signer = ocsp_find_signer_sk(certs, rid))) {
2521 *psigner = signer;
2522 return (2);
3622 if (certs)
3623 *certs = NULL;
3624 fp = fopen(filename, "r");
3625 if (fp == NULL)
3626 return (KMF_ERR_OPEN_FILE);
3627
3628 x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
3629 if (x509_info_stack == NULL) {
3630 (void) fclose(fp);
3631 return (KMF_ERR_ENCODING);
3632 }
3633 cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3634 sizeof (X509_INFO *));
3635 if (cert_infos == NULL) {
3636 (void) fclose(fp);
3637 rv = KMF_ERR_MEMORY;
3638 goto err;
3639 }
3640
3641 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3642 /* LINTED E_BAD_PTR_CAST_ALIGN */
3643 cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3644 ncerts++;
3645 }
3646
3647 if (ncerts == 0) {
3648 (void) fclose(fp);
3649 rv = KMF_ERR_CERT_NOT_FOUND;
3650 goto err;
3651 }
3652
3653 if (priv_key != NULL) {
3654 rewind(fp);
3655 pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
3656 }
3657 (void) fclose(fp);
3658
3659 x = cert_infos[ncerts - 1]->x509;
3660 /*
3661 * Make sure the private key matchs the last cert in the file.
3662 */
3704 if (numcerts != NULL)
3705 *numcerts = matchcerts;
3706
3707 if (certs != NULL)
3708 *certs = certlist;
3709 else if (certlist != NULL) {
3710 for (i = 0; i < ncerts; i++)
3711 kmf_free_data(&certlist[i]);
3712 free(certlist);
3713 certlist = NULL;
3714 }
3715
3716 if (priv_key == NULL && pkey != NULL)
3717 EVP_PKEY_free(pkey);
3718 else if (priv_key != NULL && pkey != NULL)
3719 *priv_key = pkey;
3720
3721 err:
3722 /* Cleanup the stack of X509 info records */
3723 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3724 /* LINTED E_BAD_PTR_CAST_ALIGN */
3725 info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3726 X509_INFO_free(info);
3727 }
3728 if (x509_info_stack)
3729 sk_X509_INFO_free(x509_info_stack);
3730
3731 if (cert_infos != NULL)
3732 free(cert_infos);
3733
3734 return (rv);
3735 }
3736
3737 static KMF_RETURN
3738 openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3739 STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3740 {
3741 KMF_RETURN ret;
3742 int i;
3743
3744 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
3745 /* LINTED E_BAD_PTR_CAST_ALIGN */
3746 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3747 ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3748 keys, certs);
3749
3750 if (ret != KMF_OK)
3751 return (ret);
3752 }
3753
3754 return (ret);
3755 }
3756
3757 static KMF_RETURN
3758 set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
3759 {
3760 X509_ATTRIBUTE *attr = NULL;
3761
3762 if (pkey == NULL || attrib == NULL)
3763 return (KMF_ERR_BAD_PARAMETER);
3764
3765 if (pkey->attributes == NULL) {
3766 pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3767 if (pkey->attributes == NULL)
3768 return (KMF_ERR_MEMORY);
3769 }
3770 attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3771 if (attr != NULL) {
3772 int i;
3773 X509_ATTRIBUTE *a;
3774 for (i = 0;
3775 i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
3776 /* LINTED E_BAD_PTR_CASE_ALIGN */
3777 a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3778 if (OBJ_obj2nid(a->object) == nid) {
3779 X509_ATTRIBUTE_free(a);
3780 /* LINTED E_BAD_PTR_CAST_ALIGN */
3781 sk_X509_ATTRIBUTE_set(pkey->attributes,
3782 i, attr);
3783 return (KMF_OK);
3784 }
3785 }
3786 if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3787 X509_ATTRIBUTE_free(attr);
3788 return (KMF_ERR_MEMORY);
3789 }
3790 } else {
3791 return (KMF_ERR_MEMORY);
3792 }
3793
3794 return (KMF_OK);
3795 }
3796
3797 static KMF_RETURN
3798 openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
3799 STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
3800 {
3801 KMF_RETURN ret = KMF_OK;
3938 if (p12 == NULL || (keys == NULL && certs == NULL))
3939 return (KMF_ERR_BAD_PARAMETER);
3940
3941 if (pin == NULL || *pin == NULL) {
3942 if (PKCS12_verify_mac(p12, NULL, 0)) {
3943 pin = NULL;
3944 } else if (PKCS12_verify_mac(p12, "", 0)) {
3945 pin = "";
3946 } else {
3947 return (KMF_ERR_AUTH_FAILED);
3948 }
3949 } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3950 return (KMF_ERR_AUTH_FAILED);
3951 }
3952
3953 if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3954 return (KMF_ERR_PKCS12_FORMAT);
3955
3956 for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3957 bags = NULL;
3958 /* LINTED E_BAD_PTR_CAST_ALIGN */
3959 p7 = sk_PKCS7_value(asafes, i);
3960 bagnid = OBJ_obj2nid(p7->type);
3961
3962 if (bagnid == NID_pkcs7_data) {
3963 bags = PKCS12_unpack_p7data(p7);
3964 } else if (bagnid == NID_pkcs7_encrypted) {
3965 bags = PKCS12_unpack_p7encdata(p7, pin,
3966 (pin ? strlen(pin) : 0));
3967 } else {
3968 continue;
3969 }
3970 if (bags == NULL) {
3971 ret = KMF_ERR_PKCS12_FORMAT;
3972 goto out;
3973 }
3974
3975 if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
3976 ret = KMF_ERR_PKCS12_FORMAT;
3977
3978 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
4216 return (KMF_ERR_MEMORY);
4217
4218 list[n] = *newkey;
4219 (*nkeys) = n + 1;
4220
4221 *keylist = list;
4222
4223 return (KMF_OK);
4224 }
4225
4226 static X509_ATTRIBUTE *
4227 find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4228 {
4229 X509_ATTRIBUTE *a;
4230 int i;
4231
4232 if (attrs == NULL)
4233 return (NULL);
4234
4235 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
4236 /* LINTED E_BAD_PTR_CAST_ALIGN */
4237 a = sk_X509_ATTRIBUTE_value(attrs, i);
4238 if (OBJ_obj2nid(a->object) == nid)
4239 return (a);
4240 }
4241 return (NULL);
4242 }
4243
4244 static KMF_RETURN
4245 convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4246 {
4247 KMF_RETURN rv = KMF_OK;
4248 X509_ATTRIBUTE *attr;
4249
4250 if (pkey == NULL || key == NULL)
4251 return (KMF_ERR_BAD_PARAMETER);
4252 /* Convert SSL key to raw key */
4253 switch (pkey->type) {
4254 case EVP_PKEY_RSA:
4255 rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
4256 key);
4257 if (rv != KMF_OK)
4258 return (rv);
4259 break;
4260 case EVP_PKEY_DSA:
4261 rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
4262 key);
4263 if (rv != KMF_OK)
4264 return (rv);
4265 break;
4266 default:
4267 return (KMF_ERR_BAD_PARAMETER);
4268 }
4269 /*
4270 * If friendlyName, add it to record.
4271 */
4272 attr = find_attr(pkey->attributes, NID_friendlyName);
4273 if (attr != NULL) {
4274 ASN1_TYPE *ty = NULL;
4275 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4276 if (attr->single == 0 && numattr > 0) {
4277 /* LINTED E_BAD_PTR_CAST_ALIGN */
4278 ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4279 }
4280 if (ty != NULL) {
4281 #if OPENSSL_VERSION_NUMBER < 0x10000000L
4282 key->label = uni2asc(ty->value.bmpstring->data,
4283 ty->value.bmpstring->length);
4284 #else
4285 key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4286 ty->value.bmpstring->length);
4287 #endif
4288 }
4289 } else {
4290 key->label = NULL;
4291 }
4292
4293 /*
4294 * If KeyID, add it to record as a KMF_DATA object.
4295 */
4296 attr = find_attr(pkey->attributes, NID_localKeyID);
4297 if (attr != NULL) {
4298 ASN1_TYPE *ty = NULL;
4299 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4300 if (attr->single == 0 && numattr > 0) {
4301 /* LINTED E_BAD_PTR_CAST_ALIGN */
4302 ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4303 }
4304 key->id.Data = (uchar_t *)malloc(
4305 ty->value.octet_string->length);
4306 if (key->id.Data == NULL)
4307 return (KMF_ERR_MEMORY);
4308 (void) memcpy(key->id.Data, ty->value.octet_string->data,
4309 ty->value.octet_string->length);
4310 key->id.Length = ty->value.octet_string->length;
4311 } else {
4312 (void) memset(&key->id, 0, sizeof (KMF_DATA));
4313 }
4314
4315 return (rv);
4316 }
4317
4318 static KMF_RETURN
4319 convertPK12Objects(
4320 KMF_HANDLE *kmfh,
4321 STACK_OF(EVP_PKEY) *sslkeys,
4322 STACK_OF(X509) *sslcert,
4323 STACK_OF(X509) *sslcacerts,
4324 KMF_RAW_KEY_DATA **keylist, int *nkeys,
4325 KMF_X509_DER_CERT **certlist, int *ncerts)
4326 {
4327 KMF_RETURN rv = KMF_OK;
4328 KMF_RAW_KEY_DATA key;
4329 int i;
4330
4331 for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
4332 /* LINTED E_BAD_PTR_CAST_ALIGN */
4333 EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4334 rv = convertToRawKey(pkey, &key);
4335 if (rv == KMF_OK)
4336 rv = add_key_to_list(keylist, &key, nkeys);
4337
4338 if (rv != KMF_OK)
4339 return (rv);
4340 }
4341
4342 /* Now add the certificate to the certlist */
4343 for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
4344 /* LINTED E_BAD_PTR_CAST_ALIGN */
4345 X509 *cert = sk_X509_value(sslcert, i);
4346 rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4347 if (rv != KMF_OK)
4348 return (rv);
4349 }
4350
4351 /* Also add any included CA certs to the list */
4352 for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4353 X509 *c;
4354 /*
4355 * sk_X509_value() is macro that embeds a cast to (X509 *).
4356 * Here it translates into ((X509 *)sk_value((ca), (i))).
4357 * Lint is complaining about the embedded casting, and
4358 * to fix it, you need to fix openssl header files.
4359 */
4360 /* LINTED E_BAD_PTR_CAST_ALIGN */
4361 c = sk_X509_value(sslcacerts, i);
4362
4363 /* Now add the ca cert to the certlist */
4364 rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4365 if (rv != KMF_OK)
4366 return (rv);
4367 }
4368 return (rv);
4369 }
4370
4371 KMF_RETURN
4372 openssl_import_objects(KMF_HANDLE *kmfh,
4373 char *filename, KMF_CREDENTIAL *cred,
4374 KMF_X509_DER_CERT **certlist, int *ncerts,
4375 KMF_RAW_KEY_DATA **keylist, int *nkeys)
4376 {
4377 KMF_RETURN rv = KMF_OK;
4378 KMF_ENCODE_FORMAT format;
4379 BIO *bio = NULL;
4380 STACK_OF(EVP_PKEY) *privkeys = NULL;
5407 ret = KMF_ERR_BAD_CERTFILE;
5408 goto end;
5409 }
5410
5411 /* Check if the certificate and the CRL have same issuer */
5412 if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
5413 ret = KMF_ERR_ISSUER;
5414 goto end;
5415 }
5416
5417 /* Check to see if the certificate serial number is revoked */
5418 revoke_stack = X509_CRL_get_REVOKED(xcrl);
5419 if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5420 /* No revoked certificates in the CRL file */
5421 SET_ERROR(kmfh, ERR_get_error());
5422 ret = KMF_ERR_EMPTY_CRL;
5423 goto end;
5424 }
5425
5426 for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
5427 /* LINTED E_BAD_PTR_CAST_ALIGN */
5428 revoke = sk_X509_REVOKED_value(revoke_stack, i);
5429 if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5430 revoke->serialNumber) == 0) {
5431 break;
5432 }
5433 }
5434
5435 if (i < sk_X509_REVOKED_num(revoke_stack)) {
5436 ret = KMF_OK;
5437 } else {
5438 ret = KMF_ERR_NOT_REVOKED;
5439 }
5440
5441 end:
5442 if (in != NULL)
5443 (void) BIO_free(in);
5444 if (xcrl != NULL)
5445 X509_CRL_free(xcrl);
5446 if (xcert != NULL)
5447 X509_free(xcert);
|
2482
2483 /* ocsp_find_signer_sk() is copied from openssl source */
2484 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
2485 {
2486 int i;
2487 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
2488
2489 /* Easy if lookup by name */
2490 if (id->type == V_OCSP_RESPID_NAME)
2491 return (X509_find_by_subject(certs, id->value.byName));
2492
2493 /* Lookup by key hash */
2494
2495 /* If key hash isn't SHA1 length then forget it */
2496 if (id->value.byKey->length != SHA_DIGEST_LENGTH)
2497 return (NULL);
2498
2499 keyhash = id->value.byKey->data;
2500 /* Calculate hash of each key and compare */
2501 for (i = 0; i < sk_X509_num(certs); i++) {
2502 X509 *x = sk_X509_value(certs, i);
2503 /* Use pubkey_digest to get the key ID value */
2504 (void) X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
2505 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
2506 return (x);
2507 }
2508 return (NULL);
2509 }
2510
2511 /* ocsp_find_signer() is copied from openssl source */
2512 /* ARGSUSED2 */
2513 static int
2514 ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
2515 X509_STORE *st, unsigned long flags)
2516 {
2517 X509 *signer;
2518 OCSP_RESPID *rid = bs->tbsResponseData->responderId;
2519 if ((signer = ocsp_find_signer_sk(certs, rid))) {
2520 *psigner = signer;
2521 return (2);
3621 if (certs)
3622 *certs = NULL;
3623 fp = fopen(filename, "r");
3624 if (fp == NULL)
3625 return (KMF_ERR_OPEN_FILE);
3626
3627 x509_info_stack = PEM_X509_INFO_read(fp, NULL, NULL, pin);
3628 if (x509_info_stack == NULL) {
3629 (void) fclose(fp);
3630 return (KMF_ERR_ENCODING);
3631 }
3632 cert_infos = (X509_INFO **)malloc(sk_X509_INFO_num(x509_info_stack) *
3633 sizeof (X509_INFO *));
3634 if (cert_infos == NULL) {
3635 (void) fclose(fp);
3636 rv = KMF_ERR_MEMORY;
3637 goto err;
3638 }
3639
3640 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3641 cert_infos[ncerts] = sk_X509_INFO_value(x509_info_stack, i);
3642 ncerts++;
3643 }
3644
3645 if (ncerts == 0) {
3646 (void) fclose(fp);
3647 rv = KMF_ERR_CERT_NOT_FOUND;
3648 goto err;
3649 }
3650
3651 if (priv_key != NULL) {
3652 rewind(fp);
3653 pkey = PEM_read_PrivateKey(fp, NULL, NULL, pin);
3654 }
3655 (void) fclose(fp);
3656
3657 x = cert_infos[ncerts - 1]->x509;
3658 /*
3659 * Make sure the private key matchs the last cert in the file.
3660 */
3702 if (numcerts != NULL)
3703 *numcerts = matchcerts;
3704
3705 if (certs != NULL)
3706 *certs = certlist;
3707 else if (certlist != NULL) {
3708 for (i = 0; i < ncerts; i++)
3709 kmf_free_data(&certlist[i]);
3710 free(certlist);
3711 certlist = NULL;
3712 }
3713
3714 if (priv_key == NULL && pkey != NULL)
3715 EVP_PKEY_free(pkey);
3716 else if (priv_key != NULL && pkey != NULL)
3717 *priv_key = pkey;
3718
3719 err:
3720 /* Cleanup the stack of X509 info records */
3721 for (i = 0; i < sk_X509_INFO_num(x509_info_stack); i++) {
3722 info = (X509_INFO *)sk_X509_INFO_value(x509_info_stack, i);
3723 X509_INFO_free(info);
3724 }
3725 if (x509_info_stack)
3726 sk_X509_INFO_free(x509_info_stack);
3727
3728 if (cert_infos != NULL)
3729 free(cert_infos);
3730
3731 return (rv);
3732 }
3733
3734 static KMF_RETURN
3735 openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin,
3736 STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs)
3737 {
3738 KMF_RETURN ret;
3739 int i;
3740
3741 for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) {
3742 PKCS12_SAFEBAG *bag = sk_PKCS12_SAFEBAG_value(bags, i);
3743 ret = openssl_parse_bag(bag, pin, (pin ? strlen(pin) : 0),
3744 keys, certs);
3745
3746 if (ret != KMF_OK)
3747 return (ret);
3748 }
3749
3750 return (ret);
3751 }
3752
3753 static KMF_RETURN
3754 set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid)
3755 {
3756 X509_ATTRIBUTE *attr = NULL;
3757
3758 if (pkey == NULL || attrib == NULL)
3759 return (KMF_ERR_BAD_PARAMETER);
3760
3761 if (pkey->attributes == NULL) {
3762 pkey->attributes = sk_X509_ATTRIBUTE_new_null();
3763 if (pkey->attributes == NULL)
3764 return (KMF_ERR_MEMORY);
3765 }
3766 attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr);
3767 if (attr != NULL) {
3768 int i;
3769 X509_ATTRIBUTE *a;
3770 for (i = 0;
3771 i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) {
3772 a = sk_X509_ATTRIBUTE_value(pkey->attributes, i);
3773 if (OBJ_obj2nid(a->object) == nid) {
3774 X509_ATTRIBUTE_free(a);
3775 (void) sk_X509_ATTRIBUTE_set(pkey->attributes,
3776 i, attr);
3777 return (KMF_OK);
3778 }
3779 }
3780 if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) {
3781 X509_ATTRIBUTE_free(attr);
3782 return (KMF_ERR_MEMORY);
3783 }
3784 } else {
3785 return (KMF_ERR_MEMORY);
3786 }
3787
3788 return (KMF_OK);
3789 }
3790
3791 static KMF_RETURN
3792 openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen,
3793 STACK_OF(EVP_PKEY) *keylist, STACK_OF(X509) *certlist)
3794 {
3795 KMF_RETURN ret = KMF_OK;
3932 if (p12 == NULL || (keys == NULL && certs == NULL))
3933 return (KMF_ERR_BAD_PARAMETER);
3934
3935 if (pin == NULL || *pin == NULL) {
3936 if (PKCS12_verify_mac(p12, NULL, 0)) {
3937 pin = NULL;
3938 } else if (PKCS12_verify_mac(p12, "", 0)) {
3939 pin = "";
3940 } else {
3941 return (KMF_ERR_AUTH_FAILED);
3942 }
3943 } else if (!PKCS12_verify_mac(p12, pin, -1)) {
3944 return (KMF_ERR_AUTH_FAILED);
3945 }
3946
3947 if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL)
3948 return (KMF_ERR_PKCS12_FORMAT);
3949
3950 for (i = 0; ret == KMF_OK && i < sk_PKCS7_num(asafes); i++) {
3951 bags = NULL;
3952 p7 = sk_PKCS7_value(asafes, i);
3953 bagnid = OBJ_obj2nid(p7->type);
3954
3955 if (bagnid == NID_pkcs7_data) {
3956 bags = PKCS12_unpack_p7data(p7);
3957 } else if (bagnid == NID_pkcs7_encrypted) {
3958 bags = PKCS12_unpack_p7encdata(p7, pin,
3959 (pin ? strlen(pin) : 0));
3960 } else {
3961 continue;
3962 }
3963 if (bags == NULL) {
3964 ret = KMF_ERR_PKCS12_FORMAT;
3965 goto out;
3966 }
3967
3968 if (openssl_parse_bags(bags, pin, keys, certs) != KMF_OK)
3969 ret = KMF_ERR_PKCS12_FORMAT;
3970
3971 sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
4209 return (KMF_ERR_MEMORY);
4210
4211 list[n] = *newkey;
4212 (*nkeys) = n + 1;
4213
4214 *keylist = list;
4215
4216 return (KMF_OK);
4217 }
4218
4219 static X509_ATTRIBUTE *
4220 find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid)
4221 {
4222 X509_ATTRIBUTE *a;
4223 int i;
4224
4225 if (attrs == NULL)
4226 return (NULL);
4227
4228 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
4229 a = sk_X509_ATTRIBUTE_value(attrs, i);
4230 if (OBJ_obj2nid(a->object) == nid)
4231 return (a);
4232 }
4233 return (NULL);
4234 }
4235
4236 static KMF_RETURN
4237 convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key)
4238 {
4239 KMF_RETURN rv = KMF_OK;
4240 X509_ATTRIBUTE *attr;
4241
4242 if (pkey == NULL || key == NULL)
4243 return (KMF_ERR_BAD_PARAMETER);
4244 /* Convert SSL key to raw key */
4245 switch (pkey->type) {
4246 case EVP_PKEY_RSA:
4247 rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey),
4248 key);
4249 if (rv != KMF_OK)
4250 return (rv);
4251 break;
4252 case EVP_PKEY_DSA:
4253 rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey),
4254 key);
4255 if (rv != KMF_OK)
4256 return (rv);
4257 break;
4258 default:
4259 return (KMF_ERR_BAD_PARAMETER);
4260 }
4261 /*
4262 * If friendlyName, add it to record.
4263 */
4264 attr = find_attr(pkey->attributes, NID_friendlyName);
4265 if (attr != NULL) {
4266 ASN1_TYPE *ty = NULL;
4267 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4268 if (attr->single == 0 && numattr > 0) {
4269 ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4270 }
4271 if (ty != NULL) {
4272 #if OPENSSL_VERSION_NUMBER < 0x10000000L
4273 key->label = uni2asc(ty->value.bmpstring->data,
4274 ty->value.bmpstring->length);
4275 #else
4276 key->label = OPENSSL_uni2asc(ty->value.bmpstring->data,
4277 ty->value.bmpstring->length);
4278 #endif
4279 }
4280 } else {
4281 key->label = NULL;
4282 }
4283
4284 /*
4285 * If KeyID, add it to record as a KMF_DATA object.
4286 */
4287 attr = find_attr(pkey->attributes, NID_localKeyID);
4288 if (attr != NULL) {
4289 ASN1_TYPE *ty = NULL;
4290 int numattr = sk_ASN1_TYPE_num(attr->value.set);
4291 if (attr->single == 0 && numattr > 0) {
4292 ty = sk_ASN1_TYPE_value(attr->value.set, 0);
4293 }
4294 key->id.Data = (uchar_t *)malloc(
4295 ty->value.octet_string->length);
4296 if (key->id.Data == NULL)
4297 return (KMF_ERR_MEMORY);
4298 (void) memcpy(key->id.Data, ty->value.octet_string->data,
4299 ty->value.octet_string->length);
4300 key->id.Length = ty->value.octet_string->length;
4301 } else {
4302 (void) memset(&key->id, 0, sizeof (KMF_DATA));
4303 }
4304
4305 return (rv);
4306 }
4307
4308 static KMF_RETURN
4309 convertPK12Objects(
4310 KMF_HANDLE *kmfh,
4311 STACK_OF(EVP_PKEY) *sslkeys,
4312 STACK_OF(X509) *sslcert,
4313 STACK_OF(X509) *sslcacerts,
4314 KMF_RAW_KEY_DATA **keylist, int *nkeys,
4315 KMF_X509_DER_CERT **certlist, int *ncerts)
4316 {
4317 KMF_RETURN rv = KMF_OK;
4318 KMF_RAW_KEY_DATA key;
4319 int i;
4320
4321 for (i = 0; sslkeys != NULL && i < sk_EVP_PKEY_num(sslkeys); i++) {
4322 EVP_PKEY *pkey = sk_EVP_PKEY_value(sslkeys, i);
4323 rv = convertToRawKey(pkey, &key);
4324 if (rv == KMF_OK)
4325 rv = add_key_to_list(keylist, &key, nkeys);
4326
4327 if (rv != KMF_OK)
4328 return (rv);
4329 }
4330
4331 /* Now add the certificate to the certlist */
4332 for (i = 0; sslcert != NULL && i < sk_X509_num(sslcert); i++) {
4333 X509 *cert = sk_X509_value(sslcert, i);
4334 rv = add_cert_to_list(kmfh, cert, certlist, ncerts);
4335 if (rv != KMF_OK)
4336 return (rv);
4337 }
4338
4339 /* Also add any included CA certs to the list */
4340 for (i = 0; sslcacerts != NULL && i < sk_X509_num(sslcacerts); i++) {
4341 X509 *c;
4342 /*
4343 * sk_X509_value() is macro that embeds a cast to (X509 *).
4344 * Here it translates into ((X509 *)sk_value((ca), (i))).
4345 * Lint is complaining about the embedded casting, and
4346 * to fix it, you need to fix openssl header files.
4347 */
4348 c = sk_X509_value(sslcacerts, i);
4349
4350 /* Now add the ca cert to the certlist */
4351 rv = add_cert_to_list(kmfh, c, certlist, ncerts);
4352 if (rv != KMF_OK)
4353 return (rv);
4354 }
4355 return (rv);
4356 }
4357
4358 KMF_RETURN
4359 openssl_import_objects(KMF_HANDLE *kmfh,
4360 char *filename, KMF_CREDENTIAL *cred,
4361 KMF_X509_DER_CERT **certlist, int *ncerts,
4362 KMF_RAW_KEY_DATA **keylist, int *nkeys)
4363 {
4364 KMF_RETURN rv = KMF_OK;
4365 KMF_ENCODE_FORMAT format;
4366 BIO *bio = NULL;
4367 STACK_OF(EVP_PKEY) *privkeys = NULL;
5394 ret = KMF_ERR_BAD_CERTFILE;
5395 goto end;
5396 }
5397
5398 /* Check if the certificate and the CRL have same issuer */
5399 if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) {
5400 ret = KMF_ERR_ISSUER;
5401 goto end;
5402 }
5403
5404 /* Check to see if the certificate serial number is revoked */
5405 revoke_stack = X509_CRL_get_REVOKED(xcrl);
5406 if (sk_X509_REVOKED_num(revoke_stack) <= 0) {
5407 /* No revoked certificates in the CRL file */
5408 SET_ERROR(kmfh, ERR_get_error());
5409 ret = KMF_ERR_EMPTY_CRL;
5410 goto end;
5411 }
5412
5413 for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) {
5414 revoke = sk_X509_REVOKED_value(revoke_stack, i);
5415 if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber,
5416 revoke->serialNumber) == 0) {
5417 break;
5418 }
5419 }
5420
5421 if (i < sk_X509_REVOKED_num(revoke_stack)) {
5422 ret = KMF_OK;
5423 } else {
5424 ret = KMF_ERR_NOT_REVOKED;
5425 }
5426
5427 end:
5428 if (in != NULL)
5429 (void) BIO_free(in);
5430 if (xcrl != NULL)
5431 X509_CRL_free(xcrl);
5432 if (xcert != NULL)
5433 X509_free(xcert);
|