xref: /onnv-gate/usr/src/cmd/svr4pkg/pkgadm/certs.c (revision 9781)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */


#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <pkglocs.h>
#include <locale.h>
#include <libintl.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <fcntl.h>
#include <libintl.h>
#include <dirent.h>
#include <openssl/err.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>

#include <pkglib.h>
#include <p12lib.h>
#include <install.h>
#include <libadm.h>
#include <libinst.h>
#include "pkgadm.h"
#include "pkgadm_msgs.h"


/*
 * Function:	load_cert_and_key
 * Description:	Loads a public key certificate and associated private key
 *		from a stream.
 * Parameters:	err	- Where to write errors to for underlying library calls
 *		incert - File to read certs and keys from
 *		format - The format of the file
 *		passarg - How to collect password if needed to decrypt file
 *		key - Location to store resulting key if found
 *		cert - Location to store resulting cert if found.
 *
 * Returns:	f one or more certificates are found in the file,
 *		and one or more keys are found, then the first
 *		certificate is used, and the keys are searched for a
 *		match.  If no key matches the cert, then only the cert
 *		is returned.  If no certs are found, but one or more
 *		keys are found, then the first key is returned.
 */
int
load_cert_and_key(PKG_ERR *err, FILE *incert,
    keystore_encoding_format_t format, char *passarg, EVP_PKEY **key,
    X509 **cert)
{
	X509 *tmpcert = NULL;
	EVP_PKEY *tmpkey = NULL;
	STACK_OF(EVP_PKEY)	*keys = NULL;
	STACK_OF(X509)		*certs = NULL;
	int i, ret = 0;
	keystore_passphrase_data	data;
	unsigned long crypto_err;

	if (key) *key = NULL;
	if (cert) *cert = NULL;

	switch (format) {
	case KEYSTORE_FORMAT_DER:
		/* first try to load a DER cert, which cannot contain a key */
		if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) {
			log_msg(LOG_MSG_ERR, MSG_PARSE);
			ret = 1;
		}
		break;
	case KEYSTORE_FORMAT_PEM:
	default:
		data.err = err;
		set_passphrase_passarg(passarg);
		set_passphrase_prompt(gettext("Enter PEM passphrase:"));
		if (sunw_PEM_contents(incert, pkg_passphrase_cb,
		    &data, &keys, &certs) < 0) {
			/* print out openssl-generated PEM errors */
			while ((crypto_err = ERR_get_error()) != 0) {
				log_msg(LOG_MSG_ERR,
				    ERR_reason_error_string(crypto_err));
			}
			ret = 1;
			goto cleanup;
		}

		/* take the first cert in the file, if any */
		if (cert && (certs != NULL)) {
			if (sk_X509_num(certs) != 1) {
				log_msg(LOG_MSG_ERR, MSG_MULTIPLE_CERTS);
				ret = 1;
				goto cleanup;
			} else {
				tmpcert = sk_X509_value(certs, 0);
			}
		}

		if (key && (keys != NULL)) {
			if (tmpcert != NULL) {
				/*
				 * if we found a cert and some keys,
				 * only return the key that
				 * matches the cert
				 */
				for (i = 0; i < sk_EVP_PKEY_num(keys); i++) {
					if (X509_check_private_key(tmpcert,
					    sk_EVP_PKEY_value(keys, i))) {
						tmpkey =
						    sk_EVP_PKEY_value(keys, i);
						break;
					}
				}
			} else {
				if (sk_EVP_PKEY_num(keys) > 0) {
					tmpkey = sk_EVP_PKEY_value(keys, 0);
				}
			}
		}
		break;
	}

	/* set results */
	if (key && tmpkey) {
		*key = tmpkey;
		tmpkey = NULL;
	}

	if (cert && tmpcert) {
		*cert = tmpcert;
		tmpcert = NULL;
	}

cleanup:
	if (tmpcert != NULL) {
		X509_free(tmpcert);
	}
	if (tmpkey != NULL) {
		sunw_evp_pkey_free(tmpkey);
	}
	return (ret);
}

/*
 * Function:	load_all_certs
 * Description:	Loads alll certificates from a stream.
 * Parameters:	err	- Where to write errors to for underlying library calls
 *		incert - File to read certs and keys from
 *		format - The format of the file
 *		passarg - How to collect password if needed to decrypt file
 *		certs - Location to store resulting cert if found.
 *
 * Returns:	0 - success, all certs placed in ''certs'
 *		non-zero failure, errors in 'err'
 */
int
load_all_certs(PKG_ERR *err, FILE *incert,
    keystore_encoding_format_t format, char *passarg, STACK_OF(X509) **certs)
{
	X509 *tmpcert = NULL;
	STACK_OF(X509) *tmpcerts = NULL;
	int ret = 0;
	keystore_passphrase_data	data;
	unsigned long crypto_err;
	if (certs) *certs = NULL;

	switch (format) {
	case KEYSTORE_FORMAT_DER:
		/* first try to load a DER cert, which cannot contain a key */
		if ((tmpcert = d2i_X509_fp(incert, NULL)) == NULL) {
		    log_msg(LOG_MSG_ERR, MSG_PARSE);
			ret = 1;
			goto cleanup;
		}

		if ((tmpcerts = sk_X509_new_null()) == NULL) {
			log_msg(LOG_MSG_ERR, MSG_MEM);
			ret = 1;
			goto cleanup;
		}
		sk_X509_push(tmpcerts, tmpcert);
		break;
	case KEYSTORE_FORMAT_PEM:
	default:
		data.err = err;
		set_passphrase_prompt(MSG_PEM_PASSPROMPT);
		set_passphrase_passarg(passarg);
		if (sunw_PEM_contents(incert, pkg_passphrase_cb,
		    &data, NULL, &tmpcerts) < 0) {
			/* print out openssl-generated PEM errors */
			while ((crypto_err = ERR_get_error()) != 0) {
				log_msg(LOG_MSG_ERR,
				    ERR_reason_error_string(crypto_err));
			}
		}
		break;
	}

	/* set results */
	if (certs && tmpcerts) {
		*certs = tmpcerts;
		tmpcerts = NULL;
	}

cleanup:
	if (tmpcerts != NULL) {
		sk_X509_free(tmpcerts);
	}
	return (ret);
}