xref: /onnv-gate/usr/src/lib/libkmsagent/common/KMSAgentPKICommon.h (revision 12720:3db6e0082404) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*-------------------------------------------------------------------------*/
27 /**
28  * \file KMSAgentPKICommon.h
29  *
30  * X.509 Certificate and Private Key Support Interface
31  *
32  * This module provides simple interfaces to support SSL communication
33  * for the KMS Agent enrollment protocol.  Basic classes supporting
34  * X.509 certificates, private key management are provided and hide
35  * specific implementations from users of these classes.
36  */
37 /*-------------------------------------------------------------------------*/
38 
39 #ifndef K_KMSAgentPKICommon_h
40 #define K_KMSAgentPKICommon_h
41 
42 #ifdef WIN32
43 #pragma warning(disable: 4786)
44 #endif
45 
46 #define MAX_CERT_SIZE                                       4096
47 #define MAX_KEY_SIZE                                        4096
48 
49 #define DEFAULT_KEY_SIZE                                    2048
50 
51 #ifdef KMSUSERPKCS12
52 enum EnumPKIFileFormat { FILE_FORMAT_DER, FILE_FORMAT_PEM, FILE_FORMAT_PKCS12 };
53 #else
54 enum EnumPKIFileFormat { FILE_FORMAT_DER, FILE_FORMAT_PEM };
55 #endif
56 
57 /**
58  *   This class provides a simple interface for the management of
59  *   public keys.  Simple load and store operations are provided for
60  *   storage and retrieval from memory buffers.
61  */
62 class CPublicKey
63 {
64 
65 public:
66 
67 	CPublicKey();
68 
69 	/**
70      * This method saves public key into a buffer,
71      * it also returns the actual used buffer length.
72      * @param i_pcBuffer Buffer to receive public key
73      * @param i_iBufferLength length of the buffer provided
74      * @param o_pActualLength actual length of the public key stored into the buffer
75      * @param i_iFormat key format, @see EnumPKIFileFormat
76      */
77     bool Save(unsigned char * const i_pcBuffer,
78             int                     i_iBufferLength,
79             int * const             o_pActualLength,
80 			int                     i_iFormat);
81    /**
82      *  This method loads the public key from a buffer
83      *  @param i_pcBuffer
84      *  @param i_iLength
85      *  @param i_iFormat   one of the enums from EnumPKIFileFormat,
86      *                     only FILE_FORMAT_PEM is supported.
87      *  @return true for success, false otherwise
88      */
89     bool Load (unsigned char * const i_pcBuffer,
90                int i_iLength,
91                int i_iFormat);
92 
93    /**
94      *   use this object's public key to encrypt plaintext buffer
95      */
96     bool Encrypt (int i_iLength,
97                   const unsigned char * const i_pcPlainText,
98                   unsigned char * const o_pcCypherText,
99                   int * const o_pActualLength);
100 
101     ~CPublicKey();
102 
103 private:
104    void *m_pPublicKeyImpl;
105 };
106 
107 /**
108  *   This class provides a simple interface for the management of
109  *   private keys.  Simple load and store operations are provided for
110  *   storage and retrieval from memory buffers.
111  *
112  */
113 class CPrivateKey
114 {
115 
116   public:
117 
118    CPrivateKey();
119 
120    /**
121     *   Saves the private key to a memory buffer specified by
122     *   i_pcBuffer. Currently just the PEM format is supported.
123     *   Specification of a passphrase allows encryption of the private
124     *   key subject to the choice of the implementation.
125     *
126     *   @param[in]   i_pcBuffer
127     *   @param[in]   i_iBufferLength
128     *   @param[out]  o_pActualLength
129     *   @param[in]   i_pPassphrase optional, if non-null the private key is
130     *   wrapped using this passphrase
131     *   @param[in]   i_iFormat   one of the enums from EnumPKIFileFormat,
132     *                      only FILE_FORMAT_PEM is supported.
133     *   @return true for success, false otherwise
134     */
135    bool Save( unsigned char * const      i_pcBuffer,
136               int                        i_iBufferLength,
137               int * const                o_pActualLength,
138               const char * const         i_pPassphrase,
139               int                        i_iFormat );
140 
141    /**
142     *  This method loads the private key from a buffer
143     *  @param i_pcBuffer
144     *  @param i_iLength
145     *  @param i_pPassphrase optional, if non-null the private key is
146     *   unwrapped using this passphrase
147     *  @param i_iFormat   one of the enums from EnumPKIFileFormat,
148     *                     only FILE_FORMAT_PEM is supported.
149     *  @return true for success, false otherwise
150     */
151    bool Load(unsigned char * const i_pcBuffer,
152              int                   i_iLength,
153              const char * const    i_pPassphrase,
154              int                   i_iFormat);
155 
156    ~CPrivateKey();
157 
158 #ifdef KMSUSERPKCS12
159 	void *GetNative();
160 	void SetNative(void *);
161 #endif
162   private:
163    void *m_pPKeyImpl;
164 
165 };
166 
167 /**
168  *   This class provides a simple interface for managing X.509
169  *   certificates providing only simple load and save operations for
170  *   storage and retrieval.
171  *
172  */
173 class CCertificate
174 {
175 
176 public:
177 	CCertificate();
178 
179 	~CCertificate();
180 
181     /**
182      *   save the certificate to the specified file name. Currently,
183      *   only FILE_FORMAT_PEM is supported.
184      */
185 	bool Save(  const char * const  i_pcFileName,
186                 int                 i_iFormat);
187 
188     /**
189      *  save the certificate to the specified buffer. Currently, only
190      *  FILE_FORMAT_PEM is supported.
191      */
192 	bool Save( unsigned char * const i_pcBuffer,
193                int                   i_iBufferLength,
194                int * const           o_pActualLength,
195                int                   i_iFormat);
196 
197     /**
198      *   load a certificate from the specified filename. Currently,
199      *   only FILE_FORMAT_PEM is supported.
200      */
201     bool Load( const char * const i_pcFileName,
202                int                i_iFormat );
203 
204     /**
205      *   load a certificate from the specified buffer. Currently, only
206      *   FILE_FORMAT_PEM is supported.
207      */
208     bool Load( unsigned char * const i_pcBuffer,
209                int                   i_iLength,
210                int                   i_iFormat );
211 
212     /**
213      *   prints the certificate to stdout
214      */
215     bool Dump();
216 
217 #ifdef KMSUSERPKCS12
218 	bool LoadPKCS12CertAndKey(char *filename,
219 		int i_iFormat,
220 		CPrivateKey *i_pPrivateKey,
221 		char *i_pPassphrase);
222 
223 	bool SavePKCS12(
224 	    unsigned char *i_pcBuffer,
225 	    int i_iBufferLength,
226 	    int *o_pActualLength,
227 	    CPrivateKey* i_pPrivateKey,
228 	    char* i_sPassphrase );
229 #endif
230 
231 private:
232     /**
233      *  an opague pointer to implementation specific resources to be
234      *  freed by the Destructor.
235      */
236     void    *m_pCertImpl;
237 #ifdef KMSUSERPKCS12
238     /**
239      * saves certificate to PKCS#12 memory BIO
240      * @param i_pPrivateKey
241      * @param i_sPassphrase
242      * @return pointer to the Memory BIO
243      */
244     void* SaveCertToPKCS12MemoryBIO(
245             CPrivateKey* i_pPrivateKey,
246             char *i_sPassphrase);
247 #endif
248 
249 };
250 
251 
252 /**
253  *  This class provides a method for storing an X.509 certificate and
254  *  private key to a file.  The private key is appended to the
255  *  certificate and optionally encrypted with the specified passphrase
256  *  for encoding and storage in PEM format.
257  */
258 class CPKI
259 {
260   public:
261    CPKI();
262    ~CPKI();
263 
264   public:
265 
266       /**
267        *   exports a certificate and associated private key to the
268        *   specified file.
269        *   @param i_pCertificate a pointer to an instance of a certificate
270        *   @param i_pPrivateKey  a pointer to an instance of a private key
271        *   @param i_pcFileName  the name of the file to store the cert and private key
272        *   @param i_sPassphrase optional but when provided supplies a
273        *   pass phrase to use for encrypting the private key.  The cipher
274        *   used for encryption is determined by the underlying implementation
275        *   which for the reference implementation uses triple DES by default.
276        *   @param i_eFileFormat the encoding format to use for the certificate and private key
277        */
278       bool ExportCertAndKeyToFile(
279             CCertificate* const         i_pCertificate,
280             CPrivateKey*  const         i_pPrivateKey,
281             const char* const           i_pcFileName,
282             const char* const           i_sPassphrase,
283             EnumPKIFileFormat           i_eFileFormat );
284 
285   private:
286 
287    int m_iKeyLength;
288 
289    CCertificate *m_pCACertificate;
290    CPrivateKey *m_pCAPrivateKey;
291  };
292 
293 #endif  //K_KMSAgentPKICommon_h
294