authorhylee <none@none>2007-02-21 15:26:17 -0800
committerhylee <none@none>2007-02-21 15:26:17 -0800
commit5363b1129db4ee42d2c9736898eab4670580bec7 (patch)
tree37ffe4cce4bcd402add730107740450585f6e854 /usr/src/lib/libkmf
parent7ec75eb832385e67982f8d8a1679382d66c28f6a (diff)
downloadillumos-gate-5363b1129db4ee42d2c9736898eab4670580bec7.tar.gz
6525220 KMF_ValidateCert() and KMF_FindCertInCRL() should take a subject certificate as input
Diffstat (limited to 'usr/src/lib/libkmf')
-rw-r--r--usr/src/lib/libkmf/include/kmftypes.h15
-rw-r--r--usr/src/lib/libkmf/libkmf/common/certop.c101
-rw-r--r--usr/src/lib/libkmf/plugins/kmf_nss/common/nss_spi.c20
3 files changed, 55 insertions, 81 deletions
diff --git a/usr/src/lib/libkmf/include/kmftypes.h b/usr/src/lib/libkmf/include/kmftypes.h
index c827efb322..c2e954c981 100644
--- a/usr/src/lib/libkmf/include/kmftypes.h
+++ b/usr/src/lib/libkmf/include/kmftypes.h
@@ -151,6 +151,14 @@ typedef struct
boolean_t crl_check; /* for ImportCRL */
/*
+ * The following 2 variables are for FindCertInCRL. The caller can
+ * either specify certLabel or provide the entire certificate in
+ * DER format as input.
+ */
+ char *certLabel; /* for FindCertInCRL */
+ KMF_DATA *certificate; /* for FindCertInCRL */
+
+ /*
* crl_subjName and crl_issuerName are used as the CRL deletion
* criteria. One should be non-NULL and the other one should be NULL.
* If crl_subjName is not NULL, then delete CRL by the subject name.
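Review bot: The new comment leaves the precedence between certLabel and certificate unstated, and the NSS plugin in this same change resolves it: NSS_FindCertInCRL uses certLabel whenever it is non-NULL and only falls back to the DER certificate otherwise, rejecting the call with KMF_ERR_BAD_PARAMETER when both are NULL. I would add that to the comment: `* At least one must be non-NULL; when both are set, certLabel is used and certificate is ignored (see NSS_FindCertInCRL).` The enclosing struct starts and ends outside the hunk.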
@@ -195,11 +203,7 @@ typedef struct {
typedef struct {
KMF_KEYSTORE_TYPE kstype;
- char *certLabel;
- char *issuer;
- char *subject;
- char *idstr;
- KMF_BIGINT *serial;
+ KMF_DATA *certificate;
KMF_DATA *ocsp_response;
union {
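Review bot: The new `certificate` member carries no comment, unlike the fields added to the CRL parameters elsewhere in this header, even though KMF_ValidateCert now fails with KMF_ERR_BAD_PARAMETER when it is NULL and treats it as the DER certificate whose issuer, key usage, validity period and signature are checked. I'd annotate it: `KMF_DATA *certificate; /* DER cert to validate; must not be NULL */`. Replacing certLabel/issuer/subject/idstr/serial with a single pointer also changes the struct layout, so anything built against the old KMF_VALIDATECERT_PARAMS appears to need recompiling; that is worth a line in the commit message. The struct is cut at both ends of the hunk.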
@@ -332,7 +336,6 @@ typedef struct {
typedef struct {
KMF_KEYSTORE_TYPE kstype;
- char *certLabel;
union {
KMF_NSS_PARAMS nss_opts;
diff --git a/usr/src/lib/libkmf/libkmf/common/certop.c b/usr/src/lib/libkmf/libkmf/common/certop.c
index 7cd380fa30..16d17bfa16 100644
--- a/usr/src/lib/libkmf/libkmf/common/certop.c
+++ b/usr/src/lib/libkmf/libkmf/common/certop.c
@@ -1092,7 +1092,7 @@ cert_crl_check(KMF_HANDLE_T handle,
fcrl_params.kstype = params->kstype;
switch (params->kstype) {
case KMF_KEYSTORE_NSS:
- fcrl_params.certLabel = params->certLabel;
+ fcrl_params.nssparms.certificate = params->certificate;
break;
case KMF_KEYSTORE_PK11TOKEN:
/*
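Review bot: The certificate assigned here only takes effect if `fcrl_params.nssparms.certLabel` is NULL, because NSS_FindCertInCRL (later in this diff) looks up certLabel first and uses the DER certificate only as a fallback. Whether fcrl_params is zeroed before this switch is outside the hunk, so I'd make the intent explicit next to the new line: `fcrl_params.nssparms.certLabel = NULL;`. cert_crl_check starts before and continues after this hunk.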
@@ -1747,13 +1747,9 @@ KMF_ValidateCert(KMF_HANDLE_T handle,
int *result)
{
KMF_RETURN ret = KMF_OK;
- KMF_FINDCERT_PARAMS fc_target;
- KMF_OPENSSL_PARAMS ssl_params;
- KMF_X509_DER_CERT user_retrCert;
+ KMF_DATA *pcert = NULL;
KMF_DATA ta_cert = {0, NULL};
- KMF_DATA user_cert = {0, NULL};
KMF_DATA issuer_cert = {0, NULL};
- uint32_t num = 0;
char *user_issuer = NULL, *user_subject = NULL;
KMF_X509_NAME user_issuerDN, user_subjectDN;
boolean_t self_signed = B_FALSE;
@@ -1763,68 +1759,33 @@ KMF_ValidateCert(KMF_HANDLE_T handle,
if (ret != KMF_OK)
return (ret);
- if ((params == NULL) || (result == NULL))
+ if (params == NULL || params->certificate == NULL || result == NULL)
return (KMF_ERR_BAD_PARAMETER);
policy = handle->policy;
-
*result = KMF_CERT_VALIDATE_OK;
- (void) memset(&fc_target, 0, sizeof (fc_target));
- (void) memset(&ssl_params, 0, sizeof (ssl_params));
- (void) memset(&user_issuerDN, 0, sizeof (user_issuerDN));
- (void) memset(&user_subjectDN, 0, sizeof (user_subjectDN));
-
- fc_target.kstype = params->kstype;
- fc_target.certLabel = params->certLabel;
- fc_target.issuer = params->issuer;
- fc_target.subject = params->subject;
- fc_target.idstr = params->idstr;
- fc_target.serial = params->serial;
- if (params->kstype == KMF_KEYSTORE_NSS)
- fc_target.ks_opt_u.nss_opts = params->ks_opt_u.nss_opts;
- else if (params->kstype == KMF_KEYSTORE_OPENSSL)
- fc_target.ks_opt_u.openssl_opts = params->ks_opt_u.openssl_opts;
- else if (params->kstype == KMF_KEYSTORE_PK11TOKEN)
- fc_target.ks_opt_u.pkcs11_opts = params->ks_opt_u.pkcs11_opts;
- else
- return (KMF_ERR_PLUGIN_NOTFOUND);
+ pcert = params->certificate;
/*
- * Find the Subscriber's certificate based on the input parameter
+ * Get the issuer information from the input certficate first.
*/
- ret = KMF_FindCert(handle, &fc_target, NULL, &num);
- if (ret != KMF_OK || num != 1) {
- (*result) = (*result) | KMF_CERT_VALIDATE_ERR_USER;
- if (num == 0)
- ret = KMF_ERR_CERT_NOT_FOUND;
- if (num > 1)
- ret = KMF_ERR_CERT_MULTIPLE_FOUND;
- goto out;
- }
-
- (void) memset(&user_retrCert, 0, sizeof (KMF_X509_DER_CERT));
-
- ret = KMF_FindCert(handle, &fc_target, &user_retrCert, &num);
- if (ret == KMF_OK) {
- user_cert.Length = user_retrCert.certificate.Length;
- user_cert.Data = user_retrCert.certificate.Data;
- } else {
- *result |= KMF_CERT_VALIDATE_ERR_USER;
- goto out;
- }
-
- if ((ret = KMF_GetCertIssuerNameString(handle, &user_cert,
+ if ((ret = KMF_GetCertIssuerNameString(handle, pcert,
&user_issuer)) != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_USER;
goto out;
}
+
+ (void) memset(&user_issuerDN, 0, sizeof (user_issuerDN));
if ((ret = KMF_DNParser(user_issuer, &user_issuerDN)) != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_USER;
goto out;
}
- if ((ret = KMF_GetCertSubjectNameString(handle, &user_cert,
+ /*
+ * Check if the certificate is a self-signed cert.
+ */
+ if ((ret = KMF_GetCertSubjectNameString(handle, pcert,
&user_subject)) != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_USER;
KMF_FreeDN(&user_issuerDN);
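Review bot: The keystore-type validation that the removed block performed — returning KMF_ERR_PLUGIN_NOTFOUND for a kstype other than NSS, OpenSSL or PKCS#11 — has no replacement, so params->kstype now reaches kmf_find_ta_cert, cert_crl_check and cert_ocsp_check unchecked, and what those do with an unknown type cannot be confirmed from this diff. The new guard also accepts a certificate whose Data is NULL or Length is 0, leaving KMF_GetCertIssuerNameString to reject it. I'd write the check as `if (params == NULL || result == NULL || params->certificate == NULL || params->certificate->Data == NULL || params->certificate->Length == 0) return (KMF_ERR_BAD_PARAMETER);` and keep an explicit kstype switch that returns KMF_ERR_PLUGIN_NOTFOUND. The memset of user_subjectDN that went away with the old block is not re-added on the visible new side; if it is not restored before user_subjectDN is parsed past the end of the hunk, the KMF_FreeDN on it in the later paths runs on an uninitialised struct. KMF_ValidateCert starts before this hunk and continues after it.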
@@ -1847,25 +1808,25 @@ KMF_ValidateCert(KMF_HANDLE_T handle,
KMF_FreeDN(&user_subjectDN);
/*
- * Check KeyUsage extension of the subscriber's certificate
+ * Check KeyUsage extension.
*/
- ret = cert_ku_check(handle, &user_cert);
+ ret = cert_ku_check(handle, pcert);
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_KEYUSAGE;
goto out;
}
/*
- * Validate Extended KeyUsage extension
+ * Validate Extended KeyUsage extension.
*/
- ret = cert_eku_check(handle, &user_cert);
+ ret = cert_eku_check(handle, pcert);
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_EXT_KEYUSAGE;
goto out;
}
/*
- * Check the certificate's validity period
+ * Check the certificate's validity period.
*
* This step is needed when "ignore_date" in policy is set
* to false.
@@ -1874,7 +1835,7 @@ KMF_ValidateCert(KMF_HANDLE_T handle,
/*
* Validate expiration date
*/
- ret = KMF_CheckCertDate(handle, &user_cert);
+ ret = KMF_CheckCertDate(handle, pcert);
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_TIME;
goto out;
@@ -1895,23 +1856,24 @@ KMF_ValidateCert(KMF_HANDLE_T handle,
goto check_revocation;
}
- ret = kmf_find_ta_cert(handle, params, &ta_cert, &user_issuerDN);
- if (ret != KMF_OK) {
- *result |= KMF_CERT_VALIDATE_ERR_TA;
- goto out;
- }
-
/*
* Verify the signature of subscriber's certificate using
* TA certificate.
*/
if (self_signed) {
ret = KMF_VerifyCertWithCert(handle,
- &user_cert, &user_cert);
+ pcert, pcert);
} else {
- ret = KMF_VerifyCertWithCert(handle,
- &user_cert, &ta_cert);
+ ret = kmf_find_ta_cert(handle, params, &ta_cert,
+ &user_issuerDN);
+ if (ret != KMF_OK) {
+ *result |= KMF_CERT_VALIDATE_ERR_TA;
+ goto out;
+ }
+
+ ret = KMF_VerifyCertWithCert(handle, pcert, &ta_cert);
}
+
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_SIGNATURE;
goto out;
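Review bot: A self-signed certificate is now verified only against itself, `KMF_VerifyCertWithCert(handle, pcert, pcert)`, and kmf_find_ta_cert is consulted only in the else branch, whereas before this hunk the trust-anchor lookup ran for every certificate and a missing anchor failed validation with KMF_CERT_VALIDATE_ERR_TA. Combined with the certificate now being caller-supplied DER rather than one retrieved from the keystore, any self-signed certificate with a good signature clears this step; the condition guarding the `goto check_revocation` just above the hunk may already limit that path, but it is not visible here. If self-signed certificates are meant to be trusted only when they are the configured anchor, the self-signed branch should still look up the anchor (user_issuerDN equals the subject here, so the existing argument works) and compare the returned ta_cert with pcert before accepting; if they are meant to be trusted as-is, that decision deserves a comment on the branch, since it is a policy change the commit message does not mention. KMF_ValidateCert continues past the end of the hunk.
```c
	if (self_signed) {
		/*
		 * Accept a self-signed cert only when it is itself the
		 * configured trust anchor; verifying it with its own key
		 * says nothing about whether it is trusted.
		 */
		ret = kmf_find_ta_cert(handle, params, &ta_cert,
		    &user_issuerDN);
		if (ret != KMF_OK) {
			*result |= KMF_CERT_VALIDATE_ERR_TA;
			goto out;
		}
		if (ta_cert.Length != pcert->Length ||
		    memcmp(ta_cert.Data, pcert->Data, pcert->Length) != 0) {
			*result |= KMF_CERT_VALIDATE_ERR_TA;
			ret = KMF_ERR_CERT_NOT_FOUND;
			goto out;
		}
		ret = KMF_VerifyCertWithCert(handle, pcert, pcert);
	} else {
		/* … unchanged: TA lookup by issuer and verify against it … */
	}
```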
@@ -1947,7 +1909,7 @@ check_revocation:
if (policy->revocation & KMF_REVOCATION_METHOD_CRL) {
ret = cert_crl_check(handle, params,
- &user_cert, &issuer_cert);
+ pcert, &issuer_cert);
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_CRL;
goto out;
@@ -1956,7 +1918,7 @@ check_revocation:
if (policy->revocation & KMF_REVOCATION_METHOD_OCSP) {
ret = cert_ocsp_check(handle, params,
- &user_cert, &issuer_cert, params->ocsp_response);
+ pcert, &issuer_cert, params->ocsp_response);
if (ret != KMF_OK) {
*result |= KMF_CERT_VALIDATE_ERR_OCSP;
goto out;
@@ -1964,9 +1926,6 @@ check_revocation:
}
out:
- if (user_retrCert.certificate.Data)
- KMF_FreeKMFCert(handle, &user_retrCert);
-
if (user_issuer) {
KMF_FreeDN(&user_issuerDN);
free(user_issuer);
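Review bot: The function no longer owns the certificate it validates: the free of user_retrCert is gone and the visible code never releases params->certificate, which is caller memory that is only read, whereas the old code released the keystore copy here. That contract should be written into KMF_ValidateCert's header comment (outside this hunk), e.g. `params->certificate is borrowed for the duration of the call; the caller retains ownership and frees it`. The out: cleanup continues past the end of the hunk.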
diff --git a/usr/src/lib/libkmf/plugins/kmf_nss/common/nss_spi.c b/usr/src/lib/libkmf/plugins/kmf_nss/common/nss_spi.c
index b23886aaae..84af5ad7cd 100644
--- a/usr/src/lib/libkmf/plugins/kmf_nss/common/nss_spi.c
+++ b/usr/src/lib/libkmf/plugins/kmf_nss/common/nss_spi.c
@@ -21,7 +21,7 @@
/*
* NSS keystore wrapper
*
- * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -1578,7 +1578,9 @@ NSS_FindCertInCRL(KMF_HANDLE_T handle, KMF_FINDCERTINCRL_PARAMS *params)
CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
/* check params */
- if (params == NULL || params->certLabel == NULL) {
+ if (params == NULL ||
+ (params->ks_opt_u.nss_opts.certLabel == NULL &&
+ params->ks_opt_u.nss_opts.certificate == NULL)) {
return (KMF_ERR_BAD_PARAMETER);
}
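Review bot: The guard still admits a certificate argument whose Data is NULL or Length is 0 when certLabel is NULL, and in that case CERT_FindCertByDERCert further down is handed an empty SECItem. I'd make the second clause `(params->ks_opt_u.nss_opts.certLabel == NULL && (params->ks_opt_u.nss_opts.certificate == NULL || params->ks_opt_u.nss_opts.certificate->Data == NULL || params->ks_opt_u.nss_opts.certificate->Length == 0))`. NSS_FindCertInCRL starts before this hunk and continues after it.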
@@ -1588,8 +1590,18 @@ NSS_FindCertInCRL(KMF_HANDLE_T handle, KMF_FINDCERTINCRL_PARAMS *params)
return (rv);
}
- cert = CERT_FindCertByNicknameOrEmailAddr(certHandle,
- params->certLabel);
+ /* Find the certificate first */
+ if (params->ks_opt_u.nss_opts.certLabel != NULL) {
+ cert = CERT_FindCertByNicknameOrEmailAddr(certHandle,
+ params->ks_opt_u.nss_opts.certLabel);
+ } else {
+ SECItem derCert = { NULL, 0};
+
+ derCert.data = params->ks_opt_u.nss_opts.certificate->Data;
+ derCert.len = params->ks_opt_u.nss_opts.certificate->Length;
+ cert = CERT_FindCertByDERCert(certHandle, &derCert);
+ }
+
if (!cert) {
SET_ERROR(kmfh, PORT_GetError());
rv = KMF_ERR_CERT_NOT_FOUND;
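Review bot: `SECItem derCert = { NULL, 0};` initialises the struct positionally, so NULL lands in the first member; if SECItem is NSS's SECItemStr, that first member is the `type` enum rather than `data`, and the initializer compiles only because NULL expands to a plain 0 here. As both data and len are assigned immediately afterwards, `SECItem derCert = { siBuffer, NULL, 0 };` says what is meant and sets the type NSS expects for a DER buffer. `derCert.len` is an unsigned int while the Length copied into it may be a wider type on 64-bit builds (KMF_DATA's definition is not in this diff), so a bound check before the assignment would avoid silent truncation. The function continues past the end of the hunk.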