Diffstat (limited to 'usr/src/cmd/cmd-crypto/kmfcfg/modify.c')
-rw-r--r--usr/src/cmd/cmd-crypto/kmfcfg/modify.c845
1 files changed, 845 insertions, 0 deletions
diff --git a/usr/src/cmd/cmd-crypto/kmfcfg/modify.c b/usr/src/cmd/cmd-crypto/kmfcfg/modify.c
new file mode 100644
index 0000000000..413bda3be7
--- /dev/null
+++ b/usr/src/cmd/cmd-crypto/kmfcfg/modify.c
@@ -0,0 +1,845 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <stdio.h>
+#include <strings.h>
+#include <ctype.h>
+#include <libgen.h>
+#include <libintl.h>
+#include <errno.h>
+#include <kmfapiP.h>
+#include <cryptoutil.h>
+#include "util.h"
+
+#define KC_IGNORE_DATE 0x0000001
+#define KC_IGNORE_UNKNOWN_EKUS 0x0000002
+#define KC_IGNORE_TRUST_ANCHOR 0x0000004
+#define KC_VALIDITY_ADJUSTTIME 0x0000008
+#define KC_TA_NAME 0x0000010
+#define KC_TA_SERIAL 0x0000020
+#define KC_OCSP_RESPONDER_URI 0x0000040
+#define KC_OCSP_PROXY 0x0000080
+#define KC_OCSP_URI_FROM_CERT 0x0000100
+#define KC_OCSP_RESP_LIFETIME 0x0000200
+#define KC_OCSP_IGNORE_RESP_SIGN 0x0000400
+#define KC_OCSP_RESP_CERT_NAME 0x0000800
+#define KC_OCSP_RESP_CERT_SERIAL 0x0001000
+#define KC_OCSP_NONE 0x0002000
+#define KC_CRL_BASEFILENAME 0x0004000
+#define KC_CRL_DIRECTORY 0x0008000
+#define KC_CRL_GET_URI 0x0010000
+#define KC_CRL_PROXY 0x0020000
+#define KC_CRL_IGNORE_SIGN 0x0040000
+#define KC_CRL_IGNORE_DATE 0x0080000
+#define KC_CRL_NONE 0x0100000
+#define KC_KEYUSAGE 0x0200000
+#define KC_KEYUSAGE_NONE 0x0400000
+#define KC_EKUS 0x0800000
+#define KC_EKUS_NONE 0x1000000
+
+int
+kc_modify(int argc, char *argv[])
+{
+ KMF_RETURN ret;
+ int rv = KC_OK;
+ int opt;
+ extern int optind_av;
+ extern char *optarg_av;
+ char *filename = NULL;
+ uint32_t flags = 0;
+ boolean_t ocsp_none_opt = B_FALSE;
+ boolean_t crl_none_opt = B_FALSE;
+ boolean_t ku_none_opt = B_FALSE;
+ boolean_t eku_none_opt = B_FALSE;
+ int ocsp_set_attr = 0;
+ int crl_set_attr = 0;
+ KMF_POLICY_RECORD oplc, plc;
+
+ (void) memset(&plc, 0, sizeof (KMF_POLICY_RECORD));
+ (void) memset(&oplc, 0, sizeof (KMF_POLICY_RECORD));
+
+ while ((opt = getopt_av(argc, argv,
+ "i:(dbfile)"
+ "p:(policy)"
+ "d:(ignore-date)"
+ "e:(ignore-unknown-eku)"
+ "a:(ignore-trust-anchor)"
+ "v:(validity-adjusttime)"
+ "t:(ta-name)"
+ "s:(ta-serial)"
+ "o:(ocsp-responder)"
+ "P:(ocsp-proxy)"
+ "r:(ocsp-use-cert-responder)"
+ "T:(ocsp-response-lifetime)"
+ "R:(ocsp-ignore-response-sign)"
+ "n:(ocsp-responder-cert-name)"
+ "A:(ocsp-responder-cert-serial)"
+ "y:(ocsp-none)"
+ "c:(crl-basefilename)"
+ "I:(crl-directory)"
+ "g:(crl-get-crl-uri)"
+ "X:(crl-proxy)"
+ "S:(crl-ignore-crl-sign)"
+ "D:(crl-ignore-crl-date)"
+ "z:(crl-none)"
+ "u:(keyusage)"
+ "Y:(keyusage-none)"
+ "E:(ekunames)"
+ "O:(ekuoids)"
+ "Z:(eku-none)")) != EOF) {
+ switch (opt) {
+ case 'i':
+ filename = get_string(optarg_av, &rv);
+ if (filename == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error dbfile input.\n"));
+ }
+ break;
+ case 'p':
+ plc.name = get_string(optarg_av, &rv);
+ if (plc.name == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error policy name.\n"));
+ }
+ break;
+ case 'd':
+ plc.ignore_date = get_boolean(optarg_av);
+ if (plc.ignore_date == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_IGNORE_DATE;
+ }
+ break;
+ case 'e':
+ plc.ignore_unknown_ekus =
+ get_boolean(optarg_av);
+ if (plc.ignore_unknown_ekus == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_IGNORE_UNKNOWN_EKUS;
+ }
+ break;
+ case 'a':
+ plc.ignore_trust_anchor =
+ get_boolean(optarg_av);
+ if (plc.ignore_trust_anchor == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_IGNORE_TRUST_ANCHOR;
+ }
+ break;
+ case 'v':
+ plc.validity_adjusttime =
+ get_string(optarg_av, &rv);
+ if (plc.validity_adjusttime == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error time input.\n"));
+ } else {
+ uint32_t adj;
+ /* for syntax checking */
+ if (str2lifetime(
+ plc.validity_adjusttime,
+ &adj) < 0) {
+ (void) fprintf(stderr,
+ gettext("Error time "
+ "input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_VALIDITY_ADJUSTTIME;
+ }
+ }
+ break;
+ case 't':
+ plc.ta_name = get_string(optarg_av, &rv);
+ if (plc.ta_name == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error name input.\n"));
+ } else {
+ KMF_X509_NAME taDN;
+ /* for syntax checking */
+ if (KMF_DNParser(plc.ta_name,
+ &taDN) != KMF_OK) {
+ (void) fprintf(stderr,
+ gettext("Error name "
+ "input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ KMF_FreeDN(&taDN);
+ flags |= KC_TA_NAME;
+ }
+ }
+ break;
+ case 's':
+ plc.ta_serial = get_string(optarg_av, &rv);
+ if (plc.ta_serial == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error serial input.\n"));
+ } else {
+ uchar_t *bytes = NULL;
+ size_t bytelen;
+
+ ret = KMF_HexString2Bytes(
+ (uchar_t *)plc.ta_serial,
+ &bytes, &bytelen);
+ if (ret != KMF_OK || bytes == NULL) {
+ (void) fprintf(stderr,
+ gettext("serial number "
+ "must be specified as a "
+ "hex number "
+ "(ex: 0x0102030405"
+ "ffeeddee)\n"));
+ rv = KC_ERR_USAGE;
+ break;
+ }
+ if (bytes != NULL)
+ free(bytes);
+ flags |= KC_TA_SERIAL;
+ }
+ break;
+ case 'o':
+ plc.VAL_OCSP_RESPONDER_URI =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_OCSP_RESPONDER_URI == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error responder "
+ "input.\n"));
+ } else {
+ flags |= KC_OCSP_RESPONDER_URI;
+ ocsp_set_attr++;
+ }
+ break;
+ case 'P':
+ plc.VAL_OCSP_PROXY = get_string(optarg_av, &rv);
+ if (plc.VAL_OCSP_PROXY == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error proxy input.\n"));
+ } else {
+ flags |= KC_OCSP_PROXY;
+ ocsp_set_attr++;
+ }
+ break;
+ case 'r':
+ plc.VAL_OCSP_URI_FROM_CERT =
+ get_boolean(optarg_av);
+ if (plc.VAL_OCSP_URI_FROM_CERT == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_OCSP_URI_FROM_CERT;
+ ocsp_set_attr++;
+ }
+ break;
+ case 'T':
+ plc.VAL_OCSP_RESP_LIFETIME =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_OCSP_RESP_LIFETIME == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error time input.\n"));
+ } else {
+ uint32_t adj;
+ /* for syntax checking */
+ if (str2lifetime(
+ plc.VAL_OCSP_RESP_LIFETIME,
+ &adj) < 0) {
+ (void) fprintf(stderr,
+ gettext("Error time "
+ "input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_OCSP_RESP_LIFETIME;
+ ocsp_set_attr++;
+ }
+ }
+ break;
+ case 'R':
+ plc.VAL_OCSP_IGNORE_RESP_SIGN =
+ get_boolean(optarg_av);
+ if (plc.VAL_OCSP_IGNORE_RESP_SIGN == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_OCSP_IGNORE_RESP_SIGN;
+ ocsp_set_attr++;
+ }
+ break;
+ case 'n':
+ plc.VAL_OCSP_RESP_CERT_NAME =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_OCSP_RESP_CERT_NAME == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error name input.\n"));
+ } else {
+ KMF_X509_NAME respDN;
+ /* for syntax checking */
+ if (KMF_DNParser(
+ plc.VAL_OCSP_RESP_CERT_NAME,
+ &respDN) != KMF_OK) {
+ (void) fprintf(stderr,
+ gettext("Error name "
+ "input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ KMF_FreeDN(&respDN);
+ flags |= KC_OCSP_RESP_CERT_NAME;
+ ocsp_set_attr++;
+ }
+ }
+ break;
+ case 'A':
+ plc.VAL_OCSP_RESP_CERT_SERIAL =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_OCSP_RESP_CERT_SERIAL == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error serial input.\n"));
+ } else {
+ uchar_t *bytes = NULL;
+ size_t bytelen;
+
+ ret = KMF_HexString2Bytes((uchar_t *)
+ plc.VAL_OCSP_RESP_CERT_SERIAL,
+ &bytes, &bytelen);
+ if (ret != KMF_OK || bytes == NULL) {
+ (void) fprintf(stderr,
+ gettext("serial number "
+ "must be specified as a "
+ "hex number "
+ "(ex: 0x0102030405"
+ "ffeeddee)\n"));
+ rv = KC_ERR_USAGE;
+ break;
+ }
+ if (bytes != NULL)
+ free(bytes);
+ flags |= KC_OCSP_RESP_CERT_SERIAL;
+ ocsp_set_attr++;
+ }
+ break;
+ case 'y':
+ ocsp_none_opt = get_boolean(optarg_av);
+ if (ocsp_none_opt == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_OCSP_NONE;
+ }
+ break;
+ case 'c':
+ plc.VAL_CRL_BASEFILENAME =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_CRL_BASEFILENAME == NULL) {
+ (void) fprintf(stderr, gettext(
+ "Error basefilename input.\n"));
+ } else {
+ flags |= KC_CRL_BASEFILENAME;
+ crl_set_attr++;
+ }
+ break;
+ case 'I':
+ plc.VAL_CRL_DIRECTORY =
+ get_string(optarg_av, &rv);
+ if (plc.VAL_CRL_DIRECTORY == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ } else {
+ flags |= KC_CRL_DIRECTORY;
+ crl_set_attr++;
+ }
+ break;
+ case 'g':
+ plc.VAL_CRL_GET_URI = get_boolean(optarg_av);
+ if (plc.VAL_CRL_GET_URI == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_CRL_GET_URI;
+ crl_set_attr++;
+ }
+ break;
+ case 'X':
+ plc.VAL_CRL_PROXY = get_string(optarg_av, &rv);
+ if (plc.VAL_CRL_PROXY == NULL) {
+ (void) fprintf(stderr,
+ gettext("Error proxy input.\n"));
+ } else {
+ flags |= KC_CRL_PROXY;
+ crl_set_attr++;
+ }
+ break;
+ case 'S':
+ plc.VAL_CRL_IGNORE_SIGN =
+ get_boolean(optarg_av);
+ if (plc.VAL_CRL_IGNORE_SIGN == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_CRL_IGNORE_SIGN;
+ crl_set_attr++;
+ }
+ break;
+ case 'D':
+ plc.VAL_CRL_IGNORE_DATE =
+ get_boolean(optarg_av);
+ if (plc.VAL_CRL_IGNORE_DATE == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_CRL_IGNORE_DATE;
+ crl_set_attr++;
+ }
+ break;
+ case 'z':
+ crl_none_opt = get_boolean(optarg_av);
+ if (crl_none_opt == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_CRL_NONE;
+ }
+ break;
+ case 'u':
+ plc.ku_bits = parseKUlist(optarg_av);
+ if (plc.ku_bits == 0) {
+ (void) fprintf(stderr, gettext(
+ "Error keyusage input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_KEYUSAGE;
+ }
+ break;
+ case 'Y':
+ ku_none_opt = get_boolean(optarg_av);
+ if (ku_none_opt == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_KEYUSAGE_NONE;
+ }
+ break;
+ case 'E':
+ if (parseEKUNames(optarg_av, &plc) != 0) {
+ (void) fprintf(stderr,
+ gettext("Error EKU input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_EKUS;
+ }
+ break;
+ case 'O':
+ if (parseEKUOIDs(optarg_av, &plc) != 0) {
+ (void) fprintf(stderr,
+ gettext("Error EKU OID input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_EKUS;
+ }
+ break;
+ case 'Z':
+ eku_none_opt = get_boolean(optarg_av);
+ if (eku_none_opt == -1) {
+ (void) fprintf(stderr,
+ gettext("Error boolean input.\n"));
+ rv = KC_ERR_USAGE;
+ } else {
+ flags |= KC_EKUS_NONE;
+ }
+ break;
+ default:
+ (void) fprintf(stderr,
+ gettext("Error input option.\n"));
+ rv = KC_ERR_USAGE;
+ break;
+ }
+ if (rv != KC_OK)
+ goto out;
+ }
+
+ /* No additional args allowed. */
+ argc -= optind_av;
+ if (argc) {
+ (void) fprintf(stderr,
+ gettext("Error input option\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ if (filename == NULL) {
+ filename = strdup(KMF_DEFAULT_POLICY_FILE);
+ if (filename == NULL) {
+ rv = KC_ERR_MEMORY;
+ goto out;
+ }
+ }
+
+ /*
+ * Must have a policy name. The policy name can not be default
+ * if using the default policy file.
+ */
+ if (plc.name == NULL) {
+ (void) fprintf(stderr,
+ gettext("You must specify a policy name.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ } else if (strcmp(filename, KMF_DEFAULT_POLICY_FILE) == 0 &&
+ strcmp(plc.name, KMF_DEFAULT_POLICY_NAME) == 0) {
+ (void) fprintf(stderr,
+ gettext("Can not modify the default policy in the default "
+ "policy file.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ /* Check the access permission of the policy DB */
+ if (access(filename, W_OK) < 0) {
+ int err = errno;
+ (void) fprintf(stderr,
+ gettext("Cannot access \"%s\" for modify - %s\n"),
+ filename, strerror(err));
+ rv = KC_ERR_ACCESS;
+ goto out;
+ }
+
+ /* Try to load the named policy from the DB */
+ ret = KMF_GetPolicy(filename, plc.name, &oplc);
+ if (ret != KMF_OK) {
+ (void) fprintf(stderr,
+ gettext("Error loading policy \"%s\" from %s\n"), filename,
+ plc.name);
+ return (KC_ERR_FIND_POLICY);
+ }
+
+ /* Update the general policy attributes. */
+ if (flags & KC_IGNORE_DATE)
+ oplc.ignore_date = plc.ignore_date;
+
+ if (flags & KC_IGNORE_UNKNOWN_EKUS)
+ oplc.ignore_unknown_ekus = plc.ignore_unknown_ekus;
+
+ if (flags & KC_IGNORE_TRUST_ANCHOR)
+ oplc.ignore_trust_anchor = plc.ignore_trust_anchor;
+
+ if (flags & KC_VALIDITY_ADJUSTTIME) {
+ if (oplc.validity_adjusttime)
+ free(oplc.validity_adjusttime);
+ oplc.validity_adjusttime =
+ plc.validity_adjusttime;
+ }
+
+ if (flags & KC_TA_NAME) {
+ if (oplc.ta_name)
+ free(oplc.ta_name);
+ oplc.ta_name = plc.ta_name;
+ }
+ if (flags & KC_TA_SERIAL) {
+ if (oplc.ta_serial)
+ free(oplc.ta_serial);
+ oplc.ta_serial = plc.ta_serial;
+ }
+
+ /* Update the OCSP policy */
+ if (ocsp_none_opt == B_TRUE) {
+ if (ocsp_set_attr > 0) {
+ (void) fprintf(stderr,
+ gettext("Can not set ocsp-none=true and other "
+ "OCSP attributes at the same time.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ /*
+ * If the original policy does not have OCSP checking,
+ * then we do not need to do anything. If the original
+ * policy has the OCSP checking, then we need to release the
+ * space of OCSP attributes and turn the OCSP checking off.
+ */
+ if (oplc.revocation & KMF_REVOCATION_METHOD_OCSP) {
+ if (oplc.VAL_OCSP_BASIC.responderURI) {
+ free(oplc.VAL_OCSP_BASIC.responderURI);
+ oplc.VAL_OCSP_BASIC.responderURI = NULL;
+ }
+
+ if (oplc.VAL_OCSP_BASIC.proxy) {
+ free(oplc.VAL_OCSP_BASIC.proxy);
+ oplc.VAL_OCSP_BASIC.proxy = NULL;
+ }
+
+ if (oplc.VAL_OCSP_BASIC.response_lifetime) {
+ free(oplc.VAL_OCSP_BASIC.response_lifetime);
+ oplc.VAL_OCSP_BASIC.response_lifetime = NULL;
+ }
+
+ if (flags & KC_OCSP_RESP_CERT_NAME) {
+ free(oplc.VAL_OCSP_RESP_CERT.name);
+ oplc.VAL_OCSP_RESP_CERT.name = NULL;
+ }
+
+ if (flags & KC_OCSP_RESP_CERT_SERIAL) {
+ free(oplc.VAL_OCSP_RESP_CERT.serial);
+ oplc.VAL_OCSP_RESP_CERT.serial = NULL;
+ }
+
+ /* Turn off the OCSP checking */
+ oplc.revocation &= ~KMF_REVOCATION_METHOD_OCSP;
+ }
+
+ } else {
+ /*
+ * If the "ocsp-none" option is not set or is set to false,
+ * then we only need to do the modification if there is at
+ * least one OCSP attribute is specified.
+ */
+ if (ocsp_set_attr > 0) {
+ if (flags & KC_OCSP_RESPONDER_URI) {
+ if (oplc.VAL_OCSP_RESPONDER_URI)
+ free(oplc.VAL_OCSP_RESPONDER_URI);
+ oplc.VAL_OCSP_RESPONDER_URI =
+ plc.VAL_OCSP_RESPONDER_URI;
+ }
+
+ if (flags & KC_OCSP_PROXY) {
+ if (oplc.VAL_OCSP_PROXY)
+ free(oplc.VAL_OCSP_PROXY);
+ oplc.VAL_OCSP_PROXY = plc.VAL_OCSP_PROXY;
+ }
+
+ if (flags & KC_OCSP_URI_FROM_CERT)
+ oplc.VAL_OCSP_URI_FROM_CERT =
+ plc.VAL_OCSP_URI_FROM_CERT;
+
+ if (flags & KC_OCSP_RESP_LIFETIME) {
+ if (oplc.VAL_OCSP_RESP_LIFETIME)
+ free(oplc.VAL_OCSP_RESP_LIFETIME);
+ oplc.VAL_OCSP_RESP_LIFETIME =
+ plc.VAL_OCSP_RESP_LIFETIME;
+ }
+
+ if (flags & KC_OCSP_IGNORE_RESP_SIGN)
+ oplc.VAL_OCSP_IGNORE_RESP_SIGN =
+ plc.VAL_OCSP_IGNORE_RESP_SIGN;
+
+ if (flags & KC_OCSP_RESP_CERT_NAME) {
+ if (oplc.VAL_OCSP_RESP_CERT_NAME)
+ free(oplc.VAL_OCSP_RESP_CERT_NAME);
+ oplc.VAL_OCSP_RESP_CERT_NAME =
+ plc.VAL_OCSP_RESP_CERT_NAME;
+ }
+
+ if (flags & KC_OCSP_RESP_CERT_SERIAL) {
+ if (oplc.VAL_OCSP_RESP_CERT_SERIAL)
+ free(oplc.VAL_OCSP_RESP_CERT_SERIAL);
+ oplc.VAL_OCSP_RESP_CERT_SERIAL =
+ plc.VAL_OCSP_RESP_CERT_SERIAL;
+ }
+
+ if (oplc.VAL_OCSP_RESP_CERT_NAME != NULL &&
+ oplc.VAL_OCSP_RESP_CERT_SERIAL != NULL)
+ oplc.VAL_OCSP.has_resp_cert = B_TRUE;
+ else
+ oplc.VAL_OCSP.has_resp_cert = B_FALSE;
+
+ /* Turn on the OCSP checking */
+ oplc.revocation |= KMF_REVOCATION_METHOD_OCSP;
+ }
+ }
+
+ /* Update the CRL policy */
+ if (crl_none_opt == B_TRUE) {
+ if (crl_set_attr > 0) {
+ (void) fprintf(stderr,
+ gettext("Can not set crl-none=true and other CRL "
+ "attributes at the same time.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ /*
+ * If the original policy does not have CRL checking,
+ * then we do not need to do anything. If the original
+ * policy has the CRL checking, then we need to release the
+ * space of CRL attributes and turn the CRL checking off.
+ */
+ if (oplc.revocation & KMF_REVOCATION_METHOD_CRL) {
+ if (oplc.VAL_CRL_BASEFILENAME) {
+ free(oplc.VAL_CRL_BASEFILENAME);
+ oplc.VAL_CRL_BASEFILENAME = NULL;
+ }
+
+ if (oplc.VAL_CRL_DIRECTORY) {
+ free(oplc.VAL_CRL_DIRECTORY);
+ oplc.VAL_CRL_DIRECTORY = NULL;
+ }
+
+ if (oplc.VAL_CRL_PROXY) {
+ free(oplc.VAL_CRL_PROXY);
+ oplc.VAL_CRL_PROXY = NULL;
+ }
+
+ /* Turn off the CRL checking */
+ oplc.revocation &= ~KMF_REVOCATION_METHOD_CRL;
+ }
+ } else {
+ /*
+ * If the "ocsp-none" option is not set or is set to false,
+ * then we only need to do the modification if there is at
+ * least one CRL attribute is specified.
+ */
+ if (crl_set_attr > 0) {
+ if (flags & KC_CRL_BASEFILENAME) {
+ if (oplc.VAL_CRL_BASEFILENAME)
+ free(oplc.VAL_CRL_BASEFILENAME);
+ oplc.VAL_CRL_BASEFILENAME =
+ plc.VAL_CRL_BASEFILENAME;
+ }
+
+ if (flags & KC_CRL_DIRECTORY) {
+ if (oplc.VAL_CRL_DIRECTORY)
+ free(oplc.VAL_CRL_DIRECTORY);
+ oplc.VAL_CRL_DIRECTORY = plc.VAL_CRL_DIRECTORY;
+ }
+
+ if (flags & KC_CRL_GET_URI) {
+ oplc.VAL_CRL_GET_URI = plc.VAL_CRL_GET_URI;
+ }
+
+ if (flags & KC_CRL_PROXY) {
+ if (oplc.VAL_CRL_PROXY)
+ free(oplc.VAL_CRL_PROXY);
+ oplc.VAL_CRL_PROXY = plc.VAL_CRL_PROXY;
+ }
+
+ if (flags & KC_CRL_IGNORE_SIGN) {
+ oplc.VAL_CRL_IGNORE_SIGN =
+ plc.VAL_CRL_IGNORE_SIGN;
+ }
+
+ if (flags & KC_CRL_IGNORE_DATE) {
+ oplc.VAL_CRL_IGNORE_DATE =
+ plc.VAL_CRL_IGNORE_DATE;
+ }
+
+ /* Turn on the CRL checking */
+ oplc.revocation |= KMF_REVOCATION_METHOD_CRL;
+ }
+ }
+
+ /* Update the Key Usage */
+ if (ku_none_opt == B_TRUE) {
+ if (flags & KC_KEYUSAGE) {
+ (void) fprintf(stderr,
+ gettext("Can not set keyusage-none=true and "
+ "modify the keyusage value at the same time.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ oplc.ku_bits = 0;
+ } else {
+ /*
+ * If the "keyusage-none" option is not set or is set to
+ * false, then we only need to do the modification if
+ * the keyusage value is specified.
+ */
+ if (flags & KC_KEYUSAGE)
+ oplc.ku_bits = plc.ku_bits;
+ }
+
+
+ /* Update the Extended Key Usage */
+ if (eku_none_opt == B_TRUE) {
+ if (flags & KC_EKUS) {
+ (void) fprintf(stderr,
+ gettext("Can not set eku-none=true and modify "
+ "EKU values at the same time.\n"));
+ rv = KC_ERR_USAGE;
+ goto out;
+ }
+
+ /* Release current EKU list (if any) */
+ if (oplc.eku_set.eku_count > 0) {
+ KMF_FreeEKUPolicy(&oplc.eku_set);
+ oplc.eku_set.eku_count = 0;
+ oplc.eku_set.ekulist = NULL;
+ }
+ } else {
+ /*
+ * If the "eku-none" option is not set or is set to false,
+ * then we only need to do the modification if either
+ * "ekuname" or "ekuoids" is specified.
+ */
+ if (flags & KC_EKUS) {
+ /* Release current EKU list (if any) */
+ KMF_FreeEKUPolicy(&oplc.eku_set);
+ oplc.eku_set = plc.eku_set;
+ }
+ }
+
+ /* Do a sanity check on the modified policy */
+ ret = KMF_VerifyPolicy(&oplc);
+ if (ret != KMF_OK) {
+ print_sanity_error(ret);
+ rv = KC_ERR_VERIFY_POLICY;
+ goto out;
+ }
+
+ /* The modify operation is a delete followed by an add */
+ ret = KMF_DeletePolicyFromDB(oplc.name, filename);
+ if (ret != KMF_OK) {
+ rv = KC_ERR_DELETE_POLICY;
+ goto out;
+ }
+
+ /*
+ * Now add the modified policy back to the DB.
+ */
+ ret = KMF_AddPolicyToDB(&oplc, filename, B_FALSE);
+ if (ret != KMF_OK) {
+ (void) fprintf(stderr,
+ gettext("Error adding policy to database: 0x%04x\n"), ret);
+ rv = KC_ERR_ADD_POLICY;
+ goto out;
+ }
+
+out:
+ if (filename != NULL)
+ free(filename);
+
+ KMF_FreePolicyRecord(&oplc);
+
+ return (rv);
+}
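Review bot: The KMF_GetPolicy failure path uses `return (KC_ERR_FIND_POLICY);` and so bypasses the `out:` cleanup, leaking a filename obtained from `strdup(KMF_DEFAULT_POLICY_FILE)` and any strings already parsed into `plc`, and its message passes the arguments in the wrong order for the format (`"Error loading policy \"%s\" from %s\n"` receives filename then plc.name); replace the return with `rv = KC_ERR_FIND_POLICY;` / `goto out;` and pass `plc.name, filename`. Separately, in the ocsp-none branch the responder-cert fields are released only under `if (flags & KC_OCSP_RESP_CERT_NAME)` and `if (flags & KC_OCSP_RESP_CERT_SERIAL)`, but both flags are set together with `ocsp_set_attr++`, which that branch has just rejected, so the original policy's name/serial are never released and remain in the record written back; testing the fields themselves, e.g. `if (oplc.VAL_OCSP_RESP_CERT.name)`, matches the checks above it. Finally, the modify is a delete followed by an add with no rollback: if KMF_AddPolicyToDB fails after KMF_DeletePolicyFromDB succeeded, the policy is gone from the DB while only the add error is reported, which deserves at least a comment on the `KMF_DeletePolicyFromDB` call and an error message that says the original policy was removed.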