diff options
Diffstat (limited to 'usr/src/common/net/wanboot/p12access.c')
| -rw-r--r-- | usr/src/common/net/wanboot/p12access.c | 496 |
1 files changed, 0 insertions, 496 deletions
diff --git a/usr/src/common/net/wanboot/p12access.c b/usr/src/common/net/wanboot/p12access.c deleted file mode 100644 index 53419dda42..0000000000 --- a/usr/src/common/net/wanboot/p12access.c +++ /dev/null @@ -1,496 +0,0 @@ -/* - * CDDL HEADER START - * - * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. - * - * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE - * or http://www.opensolaris.org/os/licensing. - * See the License for the specific language governing permissions - * and limitations under the License. - * - * When distributing Covered Code, include this CDDL HEADER in each - * file and include the License file at usr/src/OPENSOLARIS.LICENSE. - * If applicable, add the following below this CDDL HEADER, with the - * fields enclosed by brackets "[]" replaced with your own identifying - * information: Portions Copyright [yyyy] [name of copyright owner] - * - * CDDL HEADER END - */ -/* - * This file includes interfaces to be used together with SSL to get PKCS#12 - * certs and pass them to SSL. They replace similar functions for PEM, - * already provided for within SSL. - * - * The interfaces included here are: - * sunw_p12_use_certfile - gets the user's cert from a pkcs12 file & pass - * it to SSL. - * sunw_p12_use_keyfile - gets the RSA private key from a pkcs12 file and - * pass it to SSL - * sunw_p12_use_trustfile - read the pkcs12 trust anchor (aka certificate - * authority certs) file into memory and hand them off to SSL. - * - * These functions use the sunw_PKCS12_parse to read the certs. - * - * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -#pragma ident "%Z%%M% %I% %E% SMI" - -#include <stdio.h> -#include <strings.h> -#include <stdlib.h> -#include <sys/stat.h> -#include <unistd.h> - -#include <openssl/crypto.h> -#include <openssl/err.h> -#include <openssl/x509.h> -#include <openssl/ssl.h> - -#include <openssl/pkcs12.h> -#include <p12access.h> -#include <p12err.h> - -static PKCS12 *p12_read_file(char *); -static int p12_doparse(PKCS12 *, char *, int, EVP_PKEY **, - X509 **, STACK_OF(X509) **); -static int checkfile(char *); -static int check_password(PKCS12 *, char *); - -/* - * sunw_use_x509cert - pass an x509 client certificate to ssl - * - * Arguments: - * ctx - SSL's context structure - * cert - Certificate to pass in x509 format - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Cert was successfully added. - */ -static int -sunw_use_x509cert(SSL_CTX *ctx, X509 *cert) -{ - ERR_clear_error(); - - if (ctx == NULL || cert == NULL) { - SUNWerr(SUNW_F_USE_X509CERT, SUNW_R_INVALID_ARG); - return (-1); - } - - if (SSL_CTX_use_certificate(ctx, cert) != 1) { - SUNWerr(SUNW_F_USE_X509CERT, SUNW_R_CERT_ERR); - return (-1); - } - return (1); -} - -/* - * sunw_use_pkey - pass an EVP_PKEY private key to ssl - * - * Arguments: - * ctx - SSL's context structure - * pkey - EVP_PKEY formatted private key - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. - */ -static int -sunw_use_pkey(SSL_CTX *ctx, EVP_PKEY *pkey) -{ - ERR_clear_error(); - if (ctx == NULL || pkey == NULL) { - SUNWerr(SUNW_F_USE_PKEY, SUNW_R_INVALID_ARG); - return (-1); - } - - if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) { - SUNWerr(SUNW_F_USE_PKEY, SUNW_R_PKEY_ERR); - return (-1); - } - - return (1); -} - -/* - * sunw_use_tastore - take a stack of X509 certs and add them to the - * SSL store of trust anchors (aka CA certs). - * - * This function takes the certs in the stack and passes them into - * SSL for addition to the cache of TA certs. - * - * Arguments: - * ctx - SSL's context structure - * ta_certs - Stack of certs to add to the list of SSL trust anchors. - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Certs were successfully added. - */ -static int -sunw_use_tastore(SSL_CTX *ctx, STACK_OF(X509) *ta_certs) -{ - X509 *tmp; - int ret = -1; - int i; - - ERR_clear_error(); - if (ctx == NULL || ctx->cert_store == NULL || ta_certs == NULL) { - SUNWerr(SUNW_F_USE_TASTORE, SUNW_R_INVALID_ARG); - return (-1); - } - - if (sk_X509_num(ta_certs) == 0) { - SUNWerr(SUNW_F_USE_TASTORE, SUNW_R_NO_TRUST_ANCHOR); - return (-1); - } - - for (i = 0; i < sk_X509_num(ta_certs); i++) { - tmp = sk_X509_value(ta_certs, i); - - ret = X509_STORE_add_cert(ctx->cert_store, tmp); - if (ret == 0) { - if (ERR_GET_REASON(ERR_peek_error()) == - X509_R_CERT_ALREADY_IN_HASH_TABLE) { - ERR_clear_error(); - continue; - } - SUNWerr(SUNW_F_USE_TASTORE, SUNW_R_ADD_TRUST_ERR); - return (-1); - } else if (ret < 0) { - break; - } - } - - if (ret < 0) { - SUNWerr(SUNW_F_USE_TASTORE, SUNW_R_ADD_TRUST_ERR); - } - - return (ret); -} - -/* - * sunw_p12_use_certfile - read a client certificate from a pkcs12 file and - * pass it in to SSL. - * - * Read in the certificate in pkcs12-formated file. Use the provided - * passphrase to decrypt it. Pass the cert to SSL. - * - * Arguments: - * ctx - SSL's context structure - * filename - Name of file with the client certificate. - * passwd - Passphrase for pkcs12 data. - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Cert was successfully added. - */ -int -sunw_p12_use_certfile(SSL_CTX *ctx, char *filename, char *passwd) -{ - PKCS12 *p12 = NULL; - X509 *cert = NULL; - int ret = -1; - - ERR_clear_error(); - if (ctx == NULL || filename == NULL) { - SUNWerr(SUNW_F_USE_CERTFILE, SUNW_R_INVALID_ARG); - return (-1); - } - - p12 = p12_read_file(filename); - if (p12 != NULL) { - ret = p12_doparse(p12, passwd, DO_UNMATCHING, NULL, - &cert, NULL); - if (ret > 0 && cert != NULL) { - if (sunw_use_x509cert(ctx, cert) == -1) { - /* - * Error already on stack - */ - ret = -1; - } - } - } - - if (p12 != NULL) - PKCS12_free(p12); - - if (ret == -1 && cert != NULL) { - X509_free(cert); - cert = NULL; - } - - return (ret); -} - -/* - * sunw_p12_use_keyfile - read a RSA private key from a pkcs12 file and pass - * it in to SSL. - * - * Read in the RSA private key in pkcs12 format. Use the provided - * passphrase to decrypt it. Pass the cert to SSL. - * - * Arguments: - * ctx - SSL's context structure - * filename - Name of file with private key. - * passwd - Passphrase for pkcs12 data. - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Key was successfully added. - */ -int -sunw_p12_use_keyfile(SSL_CTX *ctx, char *filename, char *passwd) -{ - EVP_PKEY *pkey = NULL; - PKCS12 *p12 = NULL; - int ret = -1; - - ERR_clear_error(); - if (ctx == NULL || filename == NULL) { - SUNWerr(SUNW_F_USE_KEYFILE, SUNW_R_INVALID_ARG); - return (-1); - } - - p12 = p12_read_file(filename); - if (p12 != NULL) { - ret = p12_doparse(p12, passwd, DO_UNMATCHING, &pkey, NULL, - NULL); - if (ret > 0 && pkey != NULL) { - if (sunw_use_pkey(ctx, pkey) != 1) { - /* - * Error already on stack - */ - ret = -1; - } - } else { - SUNWerr(SUNW_F_USE_KEYFILE, SUNW_R_BAD_PKEY); - } - } else { - SUNWerr(SUNW_F_USE_KEYFILE, SUNW_R_PKEY_READ_ERR); - } - - if (p12 != NULL) - PKCS12_free(p12); - - if (ret == -1 && pkey != NULL) { - sunw_evp_pkey_free(pkey); - pkey = NULL; - } - - return (ret); -} - -/* - * sunw_p12_use_trustfile - read a list of trustanchors from a pkcs12 file and - * pass the stack in to SSL. - * - * Read in the trust anchors from pkcs12-formated file. Use the provided - * passphrase to decrypt it. Pass the cert to SSL. - * - * Arguments: - * ctx - SSL's context structure - * filename - Name of file with the certificates. - * passwd - Passphrase for pkcs12 data. - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Trust anchors were successfully added. - */ -int -sunw_p12_use_trustfile(SSL_CTX *ctx, char *filename, char *passwd) -{ - PKCS12 *p12 = NULL; - STACK_OF(X509) *ta_sk = NULL; - int ret = -1; - - ERR_clear_error(); - if (ctx == NULL || filename == NULL) { - SUNWerr(SUNW_F_USE_TRUSTFILE, SUNW_R_INVALID_ARG); - return (-1); - } - - p12 = p12_read_file(filename); - if (p12 != NULL) { - ret = p12_doparse(p12, passwd, DO_NONE, NULL, NULL, - &ta_sk); - if (ret > 0 && ta_sk != NULL) - ret = sunw_use_tastore(ctx, ta_sk); - else { - SUNWerr(SUNW_F_USE_TRUSTFILE, SUNW_R_BAD_TRUST); - ret = -1; - } - } else { - SUNWerr(SUNW_F_USE_TRUSTFILE, SUNW_R_READ_TRUST_ERR); - } - - if (p12 != NULL) - PKCS12_free(p12); - - if (ta_sk != NULL) - sk_X509_pop_free(ta_sk, X509_free); - - return (ret); -} - -/* - * p12_read_file - read a pkcs12 file and get its contents. Return the - * pkcs12 structures. - * - * Arguments: - * filename - Name of file with the client certificate. - * - * - * Returns: - * NULL - Error occurred. Check the error stack for specifics. - * != NULL - Success. The return value is the address of a pkcs12 - * structure. - */ -static PKCS12 * -p12_read_file(char *filename) -{ - PKCS12 *p12 = NULL; - FILE *fp = NULL; - int ret = 0; - - ERR_clear_error(); - if (checkfile(filename) == -1) { - /* - * Error already on stack - */ - return (NULL); - } - - if ((fp = fopen(filename, "r")) == 0) { - SYSerr(SYS_F_FOPEN, errno); - return (NULL); - } - - p12 = d2i_PKCS12_fp(fp, NULL); - if (p12 == NULL) { - SUNWerr(SUNW_F_READ_FILE, SUNW_R_READ_ERR); - ret = -1; - } - - if (fp != NULL) - (void) fclose(fp); - - if (ret == -1 && p12 != NULL) { - PKCS12_free(p12); - p12 = NULL; - } - - return (p12); -} - -/* - * p12_doparse - Given a pkcs12 structure, check the passphrase and then - * parse it. - * - * Arguments: - * p12 - Structure with pkcs12 data which has been read in - * passwd - Passphrase for pkcs12 data & key. - * matchty - How to decide which matching entry to take... See the - * DO_* definitions for valid values. - * pkey - Points at pointer to private key structure. - * cert - Points at pointer to client certificate structure - * ca - Points at pointer to list of CA certs - * - * Returns: - * <=0 - Error occurred. Check the error stack for specifics. - * >0 - Success. Bits set reflect the kind of information - * returned. (See the FOUND_* definitions.) - */ -static int -p12_doparse(PKCS12 *p12, char *passwd, int matchty, - EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) -{ - int ret = 0; - - ERR_clear_error(); - - /* - * Check passphrase (including null one). - */ - if (check_password(p12, passwd) == 0) { - SUNWerr(SUNW_F_DOPARSE, SUNW_R_MAC_VERIFY_FAILURE); - return (-1); - } - - ret = sunw_PKCS12_parse(p12, passwd, matchty, NULL, 0, NULL, - pkey, cert, ca); - if (ret <= 0) { - /* - * Error already on stack - */ - return (-1); - } - - return (ret); -} - -/* - * checkfile - given a file name, verify that the file exists and is - * readable. - */ -/* ARGSUSED */ -static int -checkfile(char *filename) -{ -#ifndef _BOOT - struct stat sbuf; - - if (access(filename, R_OK) == -1 || stat(filename, &sbuf) == -1) { - SYSerr(SYS_F_FOPEN, errno); - return (-1); - } - - if (!S_ISREG(sbuf.st_mode)) { - SUNWerr(SUNW_F_CHECKFILE, SUNW_R_BAD_FILETYPE); - return (-1); - } -#endif - return (0); -} - -/* - * check_password - do various password checks to see if the current password - * will work or we need to prompt for a new one. - * - * Arguments: - * pass - password to check - * - * Returns: - * 1 - Password is OK. - * 0 - Password not valid. Error stack was set - use ERR_get_error() to - * to get the error. - */ -static int -check_password(PKCS12 *p12, char *pass) -{ - int ret = 1; - - /* - * If password is zero length or NULL then try verifying both cases - * to determine which password is correct. The reason for this is that - * under PKCS#12 password based encryption no password and a zero - * length password are two different things. Otherwise, calling - * PKCS12_verify_mac() with a length of -1 means that the length - * can be determined via strlen(). - */ - /* Check the mac */ - if (pass == NULL || *pass == '\0') { - if (PKCS12_verify_mac(p12, NULL, 0) == 0 && - PKCS12_verify_mac(p12, "", 0) == 0) - ret = 0; - } else if (PKCS12_verify_mac(p12, pass, -1) == 0) { - ret = 0; - } - - return (ret); -} |