#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <cryptoutil.h>
#include <security/cryptoki.h>
#include "common.h"
#include <kmfapi.h>
#include <kmfapiP.h>
#define SET_VALUE(f, s) \
rv = f; \
if (rv != KMF_OK) { \
cryptoerror(LOG_STDERR, \
gettext("Failed to set %s: 0x%02x\n"), s, rv); \
goto cleanup; \
}
static int
read_csrdata(KMF_HANDLE_T handle, char *csrfile, KMF_CSR_DATA *csrdata)
{
KMF_RETURN rv = KMF_OK;
KMF_ENCODE_FORMAT csrfmt;
KMF_DATA csrfiledata = { 0, NULL };
KMF_DATA rawcsr = { 0, NULL };
rv = kmf_get_file_format(csrfile, &csrfmt);
if (rv != KMF_OK)
return (rv);
rv = kmf_read_input_file(handle, csrfile, &csrfiledata);
if (rv != KMF_OK)
return (rv);
if (csrfmt == KMF_FORMAT_PEM) {
rv = kmf_pem_to_der(csrfiledata.Data, csrfiledata.Length,
&rawcsr.Data, (int *)&rawcsr.Length);
if (rv != KMF_OK)
return (rv);
kmf_free_data(&csrfiledata);
} else {
rawcsr.Data = csrfiledata.Data;
rawcsr.Length = csrfiledata.Length;
}
rv = kmf_decode_csr(handle, &rawcsr, csrdata);
kmf_free_data(&rawcsr);
return (rv);
}
static KMF_RETURN
find_csr_extn(KMF_X509_EXTENSIONS *extnlist, KMF_OID *extoid,
KMF_X509_EXTENSION *outextn)
{
int i, found = 0;
KMF_X509_EXTENSION *eptr;
KMF_RETURN rv = KMF_OK;
(void) memset(outextn, 0, sizeof (KMF_X509_EXTENSION));
for (i = 0; !found && i < extnlist->numberOfExtensions; i++) {
eptr = &extnlist->extensions[i];
if (IsEqualOid(extoid, &eptr->extnId)) {
rv = copy_extension_data(outextn, eptr);
found++;
}
}
if (found == 0 || rv != KMF_OK)
return (1);
else
return (rv);
}
static int
build_cert_from_csr(KMF_CSR_DATA *csrdata,
KMF_X509_CERTIFICATE *signedCert,
KMF_BIGINT *serial,
uint32_t ltime,
char *issuer, char *subject,
char *altname,
KMF_GENERALNAMECHOICES alttype,
int altcrit,
uint16_t kubits,
int kucrit,
EKU_LIST *ekulist)
{
KMF_RETURN rv = KMF_OK;
KMF_X509_NAME issuerDN, subjectDN;
(void) memset(signedCert, 0, sizeof (KMF_X509_CERTIFICATE));
(void) memset(&issuerDN, 0, sizeof (issuerDN));
(void) memset(&subjectDN, 0, sizeof (subjectDN));
SET_VALUE(kmf_set_cert_version(signedCert, 2), "version number");
SET_VALUE(kmf_set_cert_serial(signedCert, serial), "serial number");
SET_VALUE(kmf_set_cert_validity(signedCert, 0, ltime),
"validity time");
if (issuer) {
if (kmf_dn_parser(issuer, &issuerDN) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Issuer name cannot be parsed\n"));
return (PK_ERR_USAGE);
}
SET_VALUE(kmf_set_cert_issuer(signedCert, &issuerDN),
"Issuer Name");
}
if (subject) {
if (kmf_dn_parser(subject, &subjectDN) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Subject name cannot be parsed\n"));
return (PK_ERR_USAGE);
}
SET_VALUE(kmf_set_cert_subject(signedCert, &subjectDN),
"Subject Name");
} else {
signedCert->certificate.subject = csrdata->csr.subject;
}
signedCert->certificate.subjectPublicKeyInfo =
csrdata->csr.subjectPublicKeyInfo;
signedCert->certificate.extensions = csrdata->csr.extensions;
signedCert->certificate.signature =
csrdata->signature.algorithmIdentifier;
if (kubits != 0) {
KMF_X509_EXTENSION extn;
uint16_t oldbits;
rv = find_csr_extn(&csrdata->csr.extensions,
(KMF_OID *)&KMFOID_KeyUsage, &extn);
if (rv == KMF_OK) {
extn.critical |= kucrit;
if (extn.value.tagAndValue->value.Length > 1) {
oldbits =
extn.value.tagAndValue->value.Data[1] << 8;
} else {
oldbits =
extn.value.tagAndValue->value.Data[0];
}
oldbits |= kubits;
} else {
SET_VALUE(kmf_set_cert_ku(signedCert, kucrit, kubits),
"KeyUsage");
}
}
if (altname != NULL) {
SET_VALUE(kmf_set_cert_subject_altname(signedCert,
altcrit, alttype, altname), "subjectAltName");
}
if (ekulist != NULL) {
int i;
for (i = 0; rv == KMF_OK && i < ekulist->eku_count; i++) {
SET_VALUE(kmf_add_cert_eku(signedCert,
&ekulist->ekulist[i],
ekulist->critlist[i]), "Extended Key Usage");
}
}
cleanup:
if (issuer != NULL)
kmf_free_dn(&issuerDN);
if (subject != NULL)
kmf_free_dn(&subjectDN);
return (rv);
}
static int
pk_sign_cert(KMF_HANDLE_T handle, KMF_X509_CERTIFICATE *cert,
KMF_KEY_HANDLE *key, KMF_OID *sigoid, KMF_DATA *outdata)
{
KMF_RETURN rv;
int numattr;
KMF_ATTRIBUTE attrlist[4];
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
&key->kstype, sizeof (KMF_KEYSTORE_TYPE));
kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
key, sizeof (KMF_KEY_HANDLE_ATTR));
kmf_set_attr_at_index(attrlist, numattr++, KMF_X509_CERTIFICATE_ATTR,
cert, sizeof (KMF_X509_CERTIFICATE));
kmf_set_attr_at_index(attrlist, numattr++, KMF_CERT_DATA_ATTR,
outdata, sizeof (KMF_DATA));
if (sigoid) {
kmf_set_attr_at_index(attrlist, numattr++, KMF_OID_ATTR,
sigoid, sizeof (KMF_OID));
}
if ((rv = kmf_sign_cert(handle, numattr, attrlist)) != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Failed to sign certificate.\n"));
return (rv);
}
return (rv);
}
static int
pk_signcsr_files(KMF_HANDLE_T handle,
char *signkey,
char *csrfile,
KMF_BIGINT *serial,
char *certfile,
char *issuer,
char *subject,
char *altname,
KMF_GENERALNAMECHOICES alttype,
int altcrit,
uint16_t kubits,
int kucrit,
EKU_LIST *ekulist,
uint32_t ltime,
KMF_ENCODE_FORMAT fmt)
{
KMF_RETURN rv = KMF_OK;
KMF_CSR_DATA csrdata;
KMF_ATTRIBUTE attrlist[16];
KMF_X509_CERTIFICATE signedCert;
KMF_KEYSTORE_TYPE kstype = KMF_KEYSTORE_OPENSSL;
KMF_KEY_CLASS keyclass = KMF_ASYM_PRI;
KMF_KEY_HANDLE cakey;
KMF_DATA certdata = { 0, NULL };
int numattr, count;
(void) memset(&cakey, 0, sizeof (cakey));
(void) memset(&signedCert, 0, sizeof (signedCert));
rv = read_csrdata(handle, csrfile, &csrdata);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Error reading CSR data\n"));
return (rv);
}
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_CSR_DATA_ATTR,
&csrdata, sizeof (csrdata));
numattr++;
rv = kmf_verify_csr(handle, numattr, attrlist);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext("CSR signature "
"verification failed.\n"));
goto cleanup;
}
rv = build_cert_from_csr(&csrdata, &signedCert, serial, ltime,
issuer, subject, altname, alttype, altcrit, kubits,
kucrit, ekulist);
if (rv != KMF_OK)
goto cleanup;
(void) memset(&cakey, 0, sizeof (cakey));
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_FILENAME_ATTR,
signkey, strlen(signkey));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
&keyclass, sizeof (keyclass));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&cakey, sizeof (cakey));
numattr++;
count = 1;
kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
&count, sizeof (count));
numattr++;
rv = kmf_find_key(handle, numattr, attrlist);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext(
"Error finding CA signing key\n"));
goto cleanup;
}
rv = pk_sign_cert(handle, &signedCert, &cakey, NULL, &certdata);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext(
"Error signing certificate.\n"));
goto cleanup;
}
rv = kmf_create_cert_file(&certdata, fmt, certfile);
cleanup:
kmf_free_signed_csr(&csrdata);
kmf_free_data(&certdata);
kmf_free_kmf_key(handle, &cakey);
return (rv);
}
static int
pk_signcsr_pk11_nss(KMF_HANDLE_T handle,
KMF_KEYSTORE_TYPE kstype,
char *dir, char *prefix,
char *token, KMF_CREDENTIAL *cred,
char *signkey, char *csrfile,
KMF_BIGINT *serial, char *certfile, char *issuer, char *subject,
char *altname, KMF_GENERALNAMECHOICES alttype, int altcrit,
uint16_t kubits, int kucrit,
EKU_LIST *ekulist, uint32_t ltime,
KMF_ENCODE_FORMAT fmt, int store, char *outlabel)
{
KMF_RETURN rv = KMF_OK;
KMF_DATA outcert = { 0, NULL };
KMF_CSR_DATA csrdata = { 0, NULL };
KMF_KEY_HANDLE casignkey;
KMF_KEY_CLASS keyclass = KMF_ASYM_PRI;
KMF_ATTRIBUTE attrlist[16];
KMF_X509_CERTIFICATE signedCert;
boolean_t token_bool = B_TRUE;
boolean_t private_bool = B_TRUE;
int numattr = 0;
int keys = 1;
(void) memset(&casignkey, 0, sizeof (KMF_KEY_HANDLE));
(void) memset(&signedCert, 0, sizeof (signedCert));
rv = read_csrdata(handle, csrfile, &csrdata);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Error reading CSR data\n"));
return (rv);
}
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
rv = select_token(handle, token, FALSE);
} else if (kstype == KMF_KEYSTORE_NSS) {
rv = configure_nss(handle, dir, prefix);
}
kmf_set_attr_at_index(attrlist, numattr, KMF_CSR_DATA_ATTR,
&csrdata, sizeof (csrdata));
numattr++;
rv = kmf_verify_csr(handle, numattr, attrlist);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext("CSR signature "
"verification failed.\n"));
goto cleanup;
}
rv = build_cert_from_csr(&csrdata,
&signedCert, serial, ltime,
issuer, subject, altname,
alttype, altcrit, kubits,
kucrit, ekulist);
if (rv != KMF_OK)
goto cleanup;
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
if (kstype == KMF_KEYSTORE_NSS) {
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYLABEL_ATTR, signkey,
strlen(signkey));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_PRIVATE_BOOL_ATTR,
&private_bool, sizeof (private_bool));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_TOKEN_BOOL_ATTR,
&token_bool, sizeof (token_bool));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYCLASS_ATTR,
&keyclass, sizeof (keyclass));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CREDENTIAL_ATTR,
cred, sizeof (KMF_CREDENTIAL_ATTR));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_COUNT_ATTR,
&keys, sizeof (keys));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEY_HANDLE_ATTR,
&casignkey, sizeof (casignkey));
numattr++;
rv = kmf_find_key(handle, numattr, attrlist);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR,
gettext("Failed to find signing key\n"));
goto cleanup;
}
rv = pk_sign_cert(handle, &signedCert, &casignkey, NULL,
&outcert);
if (rv != KMF_OK) {
cryptoerror(LOG_STDERR, gettext(
"Error signing certificate.\n"));
goto cleanup;
}
if (store) {
numattr = 0;
kmf_set_attr_at_index(attrlist, numattr, KMF_KEYSTORE_TYPE_ATTR,
&kstype, sizeof (kstype));
numattr++;
kmf_set_attr_at_index(attrlist, numattr, KMF_CERT_DATA_ATTR,
&outcert, sizeof (KMF_DATA));
numattr++;
if (outlabel != NULL) {
kmf_set_attr_at_index(attrlist, numattr,
KMF_CERT_LABEL_ATTR,
outlabel, strlen(outlabel));
numattr++;
}
if (kstype == KMF_KEYSTORE_NSS) {
if (token != NULL)
kmf_set_attr_at_index(attrlist, numattr,
KMF_TOKEN_LABEL_ATTR,
token, strlen(token));
numattr++;
}
rv = kmf_store_cert(handle, numattr, attrlist);
if (rv != KMF_OK) {
display_error(handle, rv,
gettext("Failed to store cert "
"on PKCS#11 token.\n"));
rv = KMF_OK;
}
}
rv = kmf_create_cert_file(&outcert, fmt, certfile);
cleanup:
kmf_free_signed_csr(&csrdata);
kmf_free_data(&outcert);
kmf_free_kmf_key(handle, &casignkey);
return (rv);
}
int
pk_signcsr(int argc, char *argv[])
{
int opt;
extern int optind_av;
extern char *optarg_av;
char *token_spec = NULL;
char *subject = NULL;
char *issuer = NULL;
char *dir = NULL;
char *prefix = NULL;
char *csrfile = NULL;
char *serstr = NULL;
char *ekustr = NULL;
char *kustr = NULL;
char *format = NULL;
char *storestr = NULL;
char *altname = NULL;
char *certfile = NULL;
char *lifetime = NULL;
char *signkey = NULL;
char *outlabel = NULL;
uint32_t ltime = 365 * 24 * 60 * 60;
int store = 0;
uint16_t kubits = 0;
int altcrit = 0, kucrit = 0;
KMF_BIGINT serial = { NULL, 0 };
EKU_LIST *ekulist = NULL;
KMF_KEYSTORE_TYPE kstype = 0;
KMF_RETURN rv = KMF_OK;
KMF_HANDLE_T kmfhandle = NULL;
KMF_CREDENTIAL tokencred = { NULL, 0 };
KMF_GENERALNAMECHOICES alttype = 0;
KMF_ENCODE_FORMAT fmt = KMF_FORMAT_PEM;
while ((opt = getopt_av(argc, argv,
"k:(keystore)c:(csr)T:(token)d:(dir)"
"p:(prefix)S:(serial)s:(subject)a:(altname)"
"t:(store)F:(format)K:(keyusage)l:(signkey)"
"L:(lifetime)e:(eku)i:(issuer)"
"n:(outlabel)o:(outcert)")) != EOF) {
if (EMPTYSTRING(optarg_av))
return (PK_ERR_USAGE);
switch (opt) {
case 'k':
if (kstype != 0)
return (PK_ERR_USAGE);
kstype = KS2Int(optarg_av);
if (kstype == 0)
return (PK_ERR_USAGE);
break;
case 't':
if (storestr != NULL)
return (PK_ERR_USAGE);
storestr = optarg_av;
store = yn_to_int(optarg_av);
if (store == -1)
return (PK_ERR_USAGE);
break;
case 'a':
if (altname)
return (PK_ERR_USAGE);
altname = optarg_av;
break;
case 's':
if (subject)
return (PK_ERR_USAGE);
subject = optarg_av;
break;
case 'i':
if (issuer)
return (PK_ERR_USAGE);
issuer = optarg_av;
break;
case 'd':
if (dir)
return (PK_ERR_USAGE);
dir = optarg_av;
break;
case 'p':
if (prefix)
return (PK_ERR_USAGE);
prefix = optarg_av;
break;
case 'S':
if (serstr != NULL)
return (PK_ERR_USAGE);
serstr = optarg_av;
break;
case 'c':
if (csrfile)
return (PK_ERR_USAGE);
csrfile = optarg_av;
break;
case 'T':
if (token_spec)
return (PK_ERR_USAGE);
token_spec = optarg_av;
break;
case 'l':
if (signkey)
return (PK_ERR_USAGE);
signkey = optarg_av;
break;
case 'e':
if (ekustr != NULL)
return (PK_ERR_USAGE);
ekustr = optarg_av;
break;
case 'K':
if (kustr != NULL)
return (PK_ERR_USAGE);
kustr = optarg_av;
break;
case 'F':
if (format != NULL)
return (PK_ERR_USAGE);
format = optarg_av;
break;
case 'o':
if (certfile != NULL)
return (PK_ERR_USAGE);
certfile = optarg_av;
break;
case 'L':
if (lifetime != NULL)
return (PK_ERR_USAGE);
lifetime = optarg_av;
break;
case 'n':
if (outlabel != NULL)
return (PK_ERR_USAGE);
outlabel = optarg_av;
break;
default:
return (PK_ERR_USAGE);
}
}
argc -= optind_av;
argv += optind_av;
if (argc)
return (PK_ERR_USAGE);
if (kstype == 0)
kstype = KMF_KEYSTORE_PK11TOKEN;
DIR_OPTION_CHECK(kstype, dir);
if (signkey == NULL) {
(void) fprintf(stderr, gettext("The signing key label "
"or filename was not specified\n"));
return (PK_ERR_USAGE);
}
if (csrfile == NULL) {
(void) fprintf(stderr, gettext("The CSR filename was not"
" specified\n"));
return (PK_ERR_USAGE);
}
if (certfile == NULL) {
(void) fprintf(stderr, gettext("The output certificate file "
"was not specified\n"));
return (PK_ERR_USAGE);
}
if (issuer == NULL) {
(void) fprintf(stderr, gettext("The issuer DN "
"was not specified\n"));
return (PK_ERR_USAGE);
}
if (lifetime != NULL) {
if (Str2Lifetime(lifetime, <ime) != 0) {
cryptoerror(LOG_STDERR,
gettext("Error parsing lifetime string\n"));
return (PK_ERR_USAGE);
}
}
if (kstype == KMF_KEYSTORE_PK11TOKEN && EMPTYSTRING(token_spec)) {
token_spec = PK_DEFAULT_PK11TOKEN;
} else if (kstype == KMF_KEYSTORE_NSS && EMPTYSTRING(token_spec)) {
token_spec = DEFAULT_NSS_TOKEN;
}
if (serstr != NULL) {
uchar_t *bytes = NULL;
size_t bytelen;
rv = kmf_hexstr_to_bytes((uchar_t *)serstr, &bytes, &bytelen);
if (rv != KMF_OK || bytes == NULL) {
(void) fprintf(stderr, gettext("Serial number "
"must be specified as a hex number "
"(ex: 0x0102030405ffeeddee)\n"));
return (PK_ERR_USAGE);
}
serial.val = bytes;
serial.len = bytelen;
} else {
(void) fprintf(stderr, gettext("The serial number was not"
" specified\n"));
return (PK_ERR_USAGE);
}
if ((kstype == KMF_KEYSTORE_PK11TOKEN ||
kstype == KMF_KEYSTORE_NSS)) {
(void) get_token_password(kstype, token_spec,
&tokencred);
}
if (kustr != NULL) {
rv = verify_keyusage(kustr, &kubits, &kucrit);
if (rv != KMF_OK) {
(void) fprintf(stderr, gettext("KeyUsage "
"must be specified as a comma-separated list. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
}
if (ekustr != NULL) {
rv = verify_ekunames(ekustr, &ekulist);
if (rv != KMF_OK) {
(void) fprintf(stderr, gettext("EKUs must "
"be specified as a comma-separated list. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
}
if (altname != NULL) {
char *p;
rv = verify_altname(altname, &alttype, &altcrit);
if (rv != KMF_OK) {
(void) fprintf(stderr, gettext("Subject AltName "
"must be specified as a name=value pair. "
"See the man page for details.\n"));
rv = PK_ERR_USAGE;
goto end;
}
p = strchr(altname, '=');
if (p != NULL)
altname = p + 1;
}
if (format && (fmt = Str2Format(format)) == KMF_FORMAT_UNDEF) {
cryptoerror(LOG_STDERR,
gettext("Error parsing format string (%s).\n"),
format);
return (PK_ERR_USAGE);
}
if ((rv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
return (rv);
}
if (kstype == KMF_KEYSTORE_PK11TOKEN) {
rv = pk_signcsr_pk11_nss(kmfhandle,
kstype, dir, prefix, token_spec, &tokencred,
signkey, csrfile, &serial, certfile, issuer, subject,
altname, alttype, altcrit, kubits, kucrit,
ekulist, ltime, fmt, store, outlabel);
} else if (kstype == KMF_KEYSTORE_NSS) {
if (dir == NULL)
dir = PK_DEFAULT_DIRECTORY;
rv = pk_signcsr_pk11_nss(kmfhandle,
kstype, dir, prefix, token_spec, &tokencred,
signkey, csrfile, &serial, certfile, issuer, subject,
altname, alttype, altcrit, kubits, kucrit,
ekulist, ltime, fmt, store, outlabel);
} else if (kstype == KMF_KEYSTORE_OPENSSL) {
rv = pk_signcsr_files(kmfhandle,
signkey, csrfile, &serial, certfile, issuer, subject,
altname, alttype, altcrit, kubits, kucrit,
ekulist, ltime, fmt);
}
end:
if (rv != KMF_OK) {
display_error(kmfhandle, rv,
gettext("Error listing objects"));
}
if (serial.val != NULL)
free(serial.val);
if (tokencred.cred != NULL)
free(tokencred.cred);
free_eku_list(ekulist);
(void) kmf_finalize(kmfhandle);
return (rv);
}
