4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
21 * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
30 #include <cryptoutil.h>
31 #include <security/cryptoki.h>
36 #define SET_VALUE(f, s) { \
38 if (kmfrv != KMF_OK) { \
39 cryptoerror(LOG_STDERR, \
40 gettext("Failed to set %s: 0x%02x\n"), \
47 gencert_pkcs11(KMF_HANDLE_T kmfhandle
,
48 char *token
, char *subject
, char *altname
,
49 KMF_GENERALNAMECHOICES alttype
, int altcrit
,
50 char *certlabel
, KMF_KEY_ALG keyAlg
,
51 KMF_ALGORITHM_INDEX sigAlg
,
52 int keylen
, uint32_t ltime
, KMF_BIGINT
*serial
,
53 uint16_t kubits
, int kucrit
, KMF_CREDENTIAL
*tokencred
,
54 EKU_LIST
*ekulist
, KMF_OID
*curveoid
)
56 KMF_RETURN kmfrv
= KMF_OK
;
57 KMF_KEY_HANDLE pubk
, prik
;
58 KMF_X509_CERTIFICATE signedCert
;
59 KMF_X509_NAME certSubject
;
60 KMF_X509_NAME certIssuer
;
62 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_PK11TOKEN
;
63 KMF_ATTRIBUTE attrlist
[16];
68 (void) memset(&signedCert
, 0, sizeof (signedCert
));
69 (void) memset(&certSubject
, 0, sizeof (certSubject
));
70 (void) memset(&certIssuer
, 0, sizeof (certIssuer
));
71 (void) memset(&x509DER
, 0, sizeof (x509DER
));
73 /* If the subject name cannot be parsed, flag it now and exit */
74 if (kmf_dn_parser(subject
, &certSubject
) != KMF_OK
) {
75 cryptoerror(LOG_STDERR
,
76 gettext("Subject name cannot be parsed.\n"));
77 return (PK_ERR_USAGE
);
80 /* For a self-signed cert, the issuser and subject are the same */
81 if (kmf_dn_parser(subject
, &certIssuer
) != KMF_OK
) {
82 cryptoerror(LOG_STDERR
,
83 gettext("Subject name cannot be parsed.\n"));
84 return (PK_ERR_USAGE
);
87 keylength
= keylen
; /* bits */
90 /* Select a PKCS11 token */
91 kmfrv
= select_token(kmfhandle
, token
, FALSE
);
92 if (kmfrv
!= KMF_OK
) {
97 * Share the "genkeypair" routine for creating the keypair.
99 kmfrv
= genkeypair_pkcs11(kmfhandle
, token
, certlabel
,
100 keytype
, keylength
, tokencred
, curveoid
, &prik
, &pubk
);
104 SET_VALUE(kmf_set_cert_pubkey(kmfhandle
, &pubk
, &signedCert
),
107 SET_VALUE(kmf_set_cert_version(&signedCert
, 2), "version number");
109 SET_VALUE(kmf_set_cert_serial(&signedCert
, serial
),
112 SET_VALUE(kmf_set_cert_validity(&signedCert
, 0, ltime
),
115 SET_VALUE(kmf_set_cert_sig_alg(&signedCert
, sigAlg
),
116 "signature algorithm");
118 SET_VALUE(kmf_set_cert_subject(&signedCert
, &certSubject
),
121 SET_VALUE(kmf_set_cert_issuer(&signedCert
, &certIssuer
),
125 SET_VALUE(kmf_set_cert_subject_altname(&signedCert
, altcrit
,
126 alttype
, altname
), "subjectAltName");
129 SET_VALUE(kmf_set_cert_ku(&signedCert
, kucrit
, kubits
),
132 if (ekulist
!= NULL
) {
134 for (i
= 0; kmfrv
== KMF_OK
&& i
< ekulist
->eku_count
; i
++) {
135 SET_VALUE(kmf_add_cert_eku(&signedCert
,
136 &ekulist
->ekulist
[i
], ekulist
->critlist
[i
]),
137 "Extended Key Usage");
142 * Construct attributes for the kmf_sign_cert operation.
145 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
146 &kstype
, sizeof (kstype
));
149 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEY_HANDLE_ATTR
,
150 &prik
, sizeof (KMF_KEY_HANDLE_ATTR
));
153 /* cert data that is to be signed */
154 kmf_set_attr_at_index(attrlist
, numattr
, KMF_X509_CERTIFICATE_ATTR
,
155 &signedCert
, sizeof (KMF_X509_CERTIFICATE
));
158 /* output buffer for the signed cert */
159 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
160 &x509DER
, sizeof (KMF_DATA
));
163 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ALGORITHM_INDEX_ATTR
,
164 &sigAlg
, sizeof (sigAlg
));
167 if ((kmfrv
= kmf_sign_cert(kmfhandle
, numattr
, attrlist
)) !=
173 * Store the cert in the DB.
176 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
177 &kstype
, sizeof (kstype
));
179 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
180 &x509DER
, sizeof (KMF_DATA
));
183 if (certlabel
!= NULL
) {
184 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_LABEL_ATTR
,
185 certlabel
, strlen(certlabel
));
189 kmfrv
= kmf_store_cert(kmfhandle
, numattr
, attrlist
);
192 kmf_free_data(&x509DER
);
193 kmf_free_dn(&certSubject
);
194 kmf_free_dn(&certIssuer
);
197 * If kmf_sign_cert or kmf_store_cert failed, then we need to clean up
198 * the key pair from the token.
200 if (kmfrv
!= KMF_OK
) {
201 /* delete the public key */
203 kmf_set_attr_at_index(attrlist
, numattr
,
204 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
207 kmf_set_attr_at_index(attrlist
, numattr
,
208 KMF_KEY_HANDLE_ATTR
, &pubk
, sizeof (KMF_KEY_HANDLE
));
211 if (tokencred
!= NULL
&& tokencred
->cred
!= NULL
) {
212 kmf_set_attr_at_index(attrlist
, numattr
,
213 KMF_CREDENTIAL_ATTR
, tokencred
,
214 sizeof (KMF_CREDENTIAL
));
218 (void) kmf_delete_key_from_keystore(kmfhandle
, numattr
,
221 /* delete the private key */
223 kmf_set_attr_at_index(attrlist
, numattr
,
224 KMF_KEYSTORE_TYPE_ATTR
, &kstype
, sizeof (kstype
));
227 kmf_set_attr_at_index(attrlist
, numattr
,
228 KMF_KEY_HANDLE_ATTR
, &prik
, sizeof (KMF_KEY_HANDLE
));
231 if (tokencred
!= NULL
&& tokencred
->cred
!= NULL
) {
232 kmf_set_attr_at_index(attrlist
, numattr
,
233 KMF_CREDENTIAL_ATTR
, tokencred
,
234 sizeof (KMF_CREDENTIAL
));
238 (void) kmf_delete_key_from_keystore(kmfhandle
, numattr
,
246 gencert_file(KMF_HANDLE_T kmfhandle
,
247 KMF_KEY_ALG keyAlg
, KMF_ALGORITHM_INDEX sigAlg
,
248 int keylen
, KMF_ENCODE_FORMAT fmt
,
249 uint32_t ltime
, char *subject
, char *altname
,
250 KMF_GENERALNAMECHOICES alttype
, int altcrit
,
251 KMF_BIGINT
*serial
, uint16_t kubits
, int kucrit
,
252 char *outcert
, char *outkey
,
256 KMF_KEY_HANDLE pubk
, prik
;
257 KMF_X509_CERTIFICATE signedCert
;
258 KMF_X509_NAME certSubject
;
259 KMF_X509_NAME certIssuer
;
261 char *fullcertpath
= NULL
;
262 char *fullkeypath
= NULL
;
263 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_OPENSSL
;
264 KMF_ATTRIBUTE attrlist
[10];
267 (void) memset(&signedCert
, 0, sizeof (signedCert
));
268 (void) memset(&certSubject
, 0, sizeof (certSubject
));
269 (void) memset(&certIssuer
, 0, sizeof (certIssuer
));
270 (void) memset(&x509DER
, 0, sizeof (x509DER
));
272 if (EMPTYSTRING(outcert
) || EMPTYSTRING(outkey
)) {
273 cryptoerror(LOG_STDERR
,
274 gettext("No output file was specified for "
275 "the cert or key\n"));
276 return (PK_ERR_USAGE
);
278 fullcertpath
= strdup(outcert
);
279 if (verify_file(fullcertpath
)) {
280 cryptoerror(LOG_STDERR
,
281 gettext("Cannot write the indicated output "
282 "certificate file (%s).\n"), fullcertpath
);
284 return (PK_ERR_USAGE
);
287 /* If the subject name cannot be parsed, flag it now and exit */
288 if (kmf_dn_parser(subject
, &certSubject
) != KMF_OK
) {
289 cryptoerror(LOG_STDERR
,
290 gettext("Subject name cannot be parsed (%s)\n"), subject
);
291 return (PK_ERR_USAGE
);
294 /* For a self-signed cert, the issuser and subject are the same */
295 if (kmf_dn_parser(subject
, &certIssuer
) != KMF_OK
) {
296 cryptoerror(LOG_STDERR
,
297 gettext("Subject name cannot be parsed (%s)\n"), subject
);
298 kmf_free_dn(&certSubject
);
299 return (PK_ERR_USAGE
);
303 * Share the "genkeypair" routine for creating the keypair.
305 kmfrv
= genkeypair_file(kmfhandle
, keyAlg
, keylen
,
306 fmt
, outkey
, &prik
, &pubk
);
310 SET_VALUE(kmf_set_cert_pubkey(kmfhandle
, &pubk
, &signedCert
),
313 SET_VALUE(kmf_set_cert_version(&signedCert
, 2), "version number");
315 SET_VALUE(kmf_set_cert_serial(&signedCert
, serial
),
318 SET_VALUE(kmf_set_cert_validity(&signedCert
, 0, ltime
),
321 SET_VALUE(kmf_set_cert_sig_alg(&signedCert
, sigAlg
),
322 "signature algorithm");
324 SET_VALUE(kmf_set_cert_subject(&signedCert
, &certSubject
),
327 SET_VALUE(kmf_set_cert_issuer(&signedCert
, &certIssuer
),
331 SET_VALUE(kmf_set_cert_subject_altname(&signedCert
, altcrit
,
332 alttype
, altname
), "subjectAltName");
335 SET_VALUE(kmf_set_cert_ku(&signedCert
, kucrit
, kubits
),
338 if (ekulist
!= NULL
) {
340 for (i
= 0; kmfrv
== KMF_OK
&& i
< ekulist
->eku_count
; i
++) {
341 SET_VALUE(kmf_add_cert_eku(&signedCert
,
342 &ekulist
->ekulist
[i
],
343 ekulist
->critlist
[i
]), "Extended Key Usage");
347 * Construct attributes for the kmf_sign_cert operation.
350 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
351 &kstype
, sizeof (kstype
));
354 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEY_HANDLE_ATTR
,
355 &prik
, sizeof (KMF_KEY_HANDLE_ATTR
));
358 /* cert data that is to be signed */
359 kmf_set_attr_at_index(attrlist
, numattr
, KMF_X509_CERTIFICATE_ATTR
,
360 &signedCert
, sizeof (KMF_X509_CERTIFICATE
));
363 /* output buffer for the signed cert */
364 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
365 &x509DER
, sizeof (KMF_DATA
));
368 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ALGORITHM_INDEX_ATTR
,
369 &sigAlg
, sizeof (sigAlg
));
372 if ((kmfrv
= kmf_sign_cert(kmfhandle
, numattr
, attrlist
)) !=
378 * Store the cert in the DB.
381 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
382 &kstype
, sizeof (kstype
));
384 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
385 &x509DER
, sizeof (KMF_DATA
));
387 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_FILENAME_ATTR
,
388 fullcertpath
, strlen(fullcertpath
));
390 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ENCODE_FORMAT_ATTR
,
394 kmfrv
= kmf_store_cert(kmfhandle
, numattr
, attrlist
);
400 kmf_free_data(&x509DER
);
401 kmf_free_dn(&certSubject
);
402 kmf_free_dn(&certIssuer
);
407 gencert_nss(KMF_HANDLE_T kmfhandle
,
408 char *token
, char *subject
, char *altname
,
409 KMF_GENERALNAMECHOICES alttype
, int altcrit
,
410 char *nickname
, char *dir
, char *prefix
,
412 KMF_ALGORITHM_INDEX sigAlg
,
413 int keylen
, char *trust
,
414 uint32_t ltime
, KMF_BIGINT
*serial
, uint16_t kubits
,
415 int kucrit
, KMF_CREDENTIAL
*tokencred
,
416 EKU_LIST
*ekulist
, KMF_OID
*curveoid
)
419 KMF_KEY_HANDLE pubk
, prik
;
420 KMF_X509_CERTIFICATE signedCert
;
421 KMF_X509_NAME certSubject
;
422 KMF_X509_NAME certIssuer
;
424 KMF_KEYSTORE_TYPE kstype
= KMF_KEYSTORE_NSS
;
425 KMF_ATTRIBUTE attrlist
[16];
429 token
= DEFAULT_NSS_TOKEN
;
431 kmfrv
= configure_nss(kmfhandle
, dir
, prefix
);
435 (void) memset(&signedCert
, 0, sizeof (signedCert
));
436 (void) memset(&certSubject
, 0, sizeof (certSubject
));
437 (void) memset(&certIssuer
, 0, sizeof (certIssuer
));
438 (void) memset(&x509DER
, 0, sizeof (x509DER
));
440 /* If the subject name cannot be parsed, flag it now and exit */
441 if (kmf_dn_parser(subject
, &certSubject
) != KMF_OK
) {
442 cryptoerror(LOG_STDERR
,
443 gettext("Subject name cannot be parsed.\n"));
444 return (PK_ERR_USAGE
);
447 /* For a self-signed cert, the issuser and subject are the same */
448 if (kmf_dn_parser(subject
, &certIssuer
) != KMF_OK
) {
449 cryptoerror(LOG_STDERR
,
450 gettext("Subject name cannot be parsed.\n"));
451 return (PK_ERR_USAGE
);
454 kmfrv
= genkeypair_nss(kmfhandle
, token
, nickname
, dir
,
455 prefix
, keyAlg
, keylen
, tokencred
, curveoid
,
460 SET_VALUE(kmf_set_cert_pubkey(kmfhandle
, &pubk
, &signedCert
),
463 SET_VALUE(kmf_set_cert_version(&signedCert
, 2), "version number");
465 SET_VALUE(kmf_set_cert_serial(&signedCert
, serial
),
468 SET_VALUE(kmf_set_cert_validity(&signedCert
, 0, ltime
),
471 SET_VALUE(kmf_set_cert_sig_alg(&signedCert
, sigAlg
),
472 "signature algorithm");
474 SET_VALUE(kmf_set_cert_subject(&signedCert
, &certSubject
),
477 SET_VALUE(kmf_set_cert_issuer(&signedCert
, &certIssuer
),
481 SET_VALUE(kmf_set_cert_subject_altname(&signedCert
, altcrit
,
482 alttype
, altname
), "subjectAltName");
485 SET_VALUE(kmf_set_cert_ku(&signedCert
, kucrit
, kubits
),
488 if (ekulist
!= NULL
) {
490 for (i
= 0; kmfrv
== KMF_OK
&& i
< ekulist
->eku_count
; i
++) {
491 SET_VALUE(kmf_add_cert_eku(&signedCert
,
492 &ekulist
->ekulist
[i
],
493 ekulist
->critlist
[i
]), "Extended Key Usage");
497 * Construct attributes for the kmf_sign_cert operation.
500 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
501 &kstype
, sizeof (kstype
));
504 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEY_HANDLE_ATTR
,
505 &prik
, sizeof (KMF_KEY_HANDLE_ATTR
));
508 /* cert data that is to be signed */
509 kmf_set_attr_at_index(attrlist
, numattr
, KMF_X509_CERTIFICATE_ATTR
,
510 &signedCert
, sizeof (KMF_X509_CERTIFICATE
));
513 /* output buffer for the signed cert */
514 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
515 &x509DER
, sizeof (KMF_DATA
));
518 kmf_set_attr_at_index(attrlist
, numattr
, KMF_ALGORITHM_INDEX_ATTR
,
519 &sigAlg
, sizeof (sigAlg
));
522 if ((kmfrv
= kmf_sign_cert(kmfhandle
, numattr
, attrlist
)) !=
528 * Store the cert in the DB.
531 kmf_set_attr_at_index(attrlist
, numattr
, KMF_KEYSTORE_TYPE_ATTR
,
532 &kstype
, sizeof (kstype
));
535 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_DATA_ATTR
,
536 &x509DER
, sizeof (KMF_DATA
));
539 if (nickname
!= NULL
) {
540 kmf_set_attr_at_index(attrlist
, numattr
, KMF_CERT_LABEL_ATTR
,
541 nickname
, strlen(nickname
));
546 kmf_set_attr_at_index(attrlist
, numattr
, KMF_TRUSTFLAG_ATTR
,
547 trust
, strlen(trust
));
552 kmf_set_attr_at_index(attrlist
, numattr
, KMF_TOKEN_LABEL_ATTR
,
553 token
, strlen(token
));
557 kmfrv
= kmf_store_cert(kmfhandle
, numattr
, attrlist
);
560 kmf_free_data(&x509DER
);
561 kmf_free_dn(&certSubject
);
562 kmf_free_dn(&certIssuer
);
567 pk_gencert(int argc
, char *argv
[])
571 extern int optind_av
;
572 extern char *optarg_av
;
573 KMF_KEYSTORE_TYPE kstype
= 0;
574 char *subject
= NULL
;
575 char *tokenname
= NULL
;
578 char *keytype
= PK_DEFAULT_KEYTYPE
;
579 int keylen
= PK_DEFAULT_KEYLENGTH
;
581 char *lifetime
= NULL
;
582 char *certlabel
= NULL
;
583 char *outcert
= NULL
;
587 char *altname
= NULL
;
588 char *keyusagestr
= NULL
;
590 char *hashname
= NULL
;
591 KMF_GENERALNAMECHOICES alttype
= 0;
592 KMF_BIGINT serial
= { NULL
, 0 };
594 KMF_HANDLE_T kmfhandle
= NULL
;
595 KMF_ENCODE_FORMAT fmt
= KMF_FORMAT_ASN1
;
596 KMF_KEY_ALG keyAlg
= KMF_RSA
;
597 KMF_ALGORITHM_INDEX sigAlg
= KMF_ALGID_SHA1WithRSA
;
598 boolean_t interactive
= B_FALSE
;
599 char *subname
= NULL
;
600 KMF_CREDENTIAL tokencred
= { NULL
, 0 };
602 int altcrit
= 0, kucrit
= 0;
603 EKU_LIST
*ekulist
= NULL
;
604 KMF_OID
*curveoid
= NULL
; /* ECC */
605 KMF_OID
*hashoid
= NULL
;
608 while ((opt
= getopt_av(argc
, argv
,
609 "ik:(keystore)s:(subject)n:(nickname)A:(altname)"
610 "T:(token)d:(dir)p:(prefix)t:(keytype)y:(keylen)"
611 "r:(trust)L:(lifetime)l:(label)c:(outcert)e:(eku)"
612 "K:(outkey)S:(serial)F:(format)u:(keyusage)C:(curve)"
613 "E(listcurves)h:(hash)")) != EOF
) {
615 if (opt
!= 'i' && opt
!= 'E' && EMPTYSTRING(optarg_av
))
616 return (PK_ERR_USAGE
);
623 if (interactive
|| subject
)
624 return (PK_ERR_USAGE
);
626 interactive
= B_TRUE
;
629 kstype
= KS2Int(optarg_av
);
631 return (PK_ERR_USAGE
);
634 if (interactive
|| subject
)
635 return (PK_ERR_USAGE
);
642 return (PK_ERR_USAGE
);
643 certlabel
= optarg_av
;
647 return (PK_ERR_USAGE
);
648 tokenname
= optarg_av
;
652 return (PK_ERR_USAGE
);
657 return (PK_ERR_USAGE
);
664 keyusagestr
= optarg_av
;
667 if (sscanf(optarg_av
, "%d",
669 cryptoerror(LOG_STDERR
,
670 gettext("key length must be"
671 "a numeric value (%s)\n"),
673 return (PK_ERR_USAGE
);
679 return (PK_ERR_USAGE
);
684 return (PK_ERR_USAGE
);
685 lifetime
= optarg_av
;
689 return (PK_ERR_USAGE
);
694 return (PK_ERR_USAGE
);
702 return (PK_ERR_USAGE
);
709 curveoid
= ecc_name_to_oid(optarg_av
);
710 if (curveoid
== NULL
) {
711 cryptoerror(LOG_STDERR
,
712 gettext("Unrecognized ECC "
714 return (PK_ERR_USAGE
);
719 * This argument is only to be used
720 * by itself, no other options should
724 cryptoerror(LOG_STDERR
,
725 gettext("listcurves has no other "
727 return (PK_ERR_USAGE
);
732 hashname
= optarg_av
;
733 hashoid
= ecc_name_to_oid(optarg_av
);
734 if (hashoid
== NULL
) {
735 cryptoerror(LOG_STDERR
,
736 gettext("Unrecognized hash.\n"));
737 return (PK_ERR_USAGE
);
741 return (PK_ERR_USAGE
);
745 /* No additional args allowed. */
749 return (PK_ERR_USAGE
);
752 if ((rv
= kmf_initialize(&kmfhandle
, NULL
, NULL
)) != KMF_OK
) {
753 cryptoerror(LOG_STDERR
, gettext("Error initializing KMF\n"));
754 return (PK_ERR_USAGE
);
757 /* Assume keystore = PKCS#11 if not specified. */
759 kstype
= KMF_KEYSTORE_PK11TOKEN
;
761 if ((kstype
== KMF_KEYSTORE_NSS
|| kstype
== KMF_KEYSTORE_PK11TOKEN
)) {
762 if (interactive
&& EMPTYSTRING(certlabel
)) {
763 (void) get_certlabel(&certlabel
);
765 /* It better not be empty now */
766 if (EMPTYSTRING(certlabel
)) {
767 cryptoerror(LOG_STDERR
, gettext("A label must be "
768 "specified to create a self-signed certificate."
770 return (PK_ERR_USAGE
);
772 } else if (kstype
== KMF_KEYSTORE_OPENSSL
&& EMPTYSTRING(outcert
)) {
773 cryptoerror(LOG_STDERR
, gettext("A certificate filename must "
774 "be specified to create a self-signed certificate.\n"));
775 return (PK_ERR_USAGE
);
778 DIR_OPTION_CHECK(kstype
, dir
);
780 if (format
&& (fmt
= Str2Format(format
)) == KMF_FORMAT_UNDEF
) {
781 cryptoerror(LOG_STDERR
,
782 gettext("Error parsing format string (%s).\n"),
784 return (PK_ERR_USAGE
);
787 if (Str2Lifetime(lifetime
, <ime
) != 0) {
788 cryptoerror(LOG_STDERR
,
789 gettext("Error parsing lifetime string\n"));
790 return (PK_ERR_USAGE
);
793 if (Str2KeyType(keytype
, hashoid
, &keyAlg
, &sigAlg
) != 0) {
794 cryptoerror(LOG_STDERR
,
795 gettext("Unsupported key/hash combination (%s/%s).\n"),
796 keytype
, (hashname
? hashname
: "none"));
797 return (PK_ERR_USAGE
);
799 if (curveoid
!= NULL
&& keyAlg
!= KMF_ECDSA
) {
800 cryptoerror(LOG_STDERR
, gettext("EC curves are only "
801 "valid for EC keytypes.\n"));
802 return (PK_ERR_USAGE
);
804 if (keyAlg
== KMF_ECDSA
&& curveoid
== NULL
) {
805 cryptoerror(LOG_STDERR
, gettext("A curve must be "
806 "specifed when using EC keys.\n"));
807 return (PK_ERR_USAGE
);
809 /* Adjust default keylength for NSS and DSA */
810 if (keyAlg
== KMF_DSA
&& !y_flag
&& kstype
== KMF_KEYSTORE_NSS
)
814 * Check the subject name.
815 * If interactive is true, get it now interactively.
819 if (get_subname(&subname
) != KMF_OK
|| subname
== NULL
) {
820 cryptoerror(LOG_STDERR
, gettext("Failed to get the "
821 "subject name interactively.\n"));
822 return (PK_ERR_USAGE
);
824 if (serstr
== NULL
) {
825 (void) get_serial(&serstr
);
828 if (EMPTYSTRING(subject
)) {
829 cryptoerror(LOG_STDERR
, gettext("A subject name or "
830 "-i must be specified to create a self-signed "
832 return (PK_ERR_USAGE
);
834 subname
= strdup(subject
);
835 if (subname
== NULL
) {
836 cryptoerror(LOG_STDERR
,
837 gettext("Out of memory.\n"));
838 return (PK_ERR_SYSTEM
);
843 if (serstr
== NULL
) {
844 (void) fprintf(stderr
, gettext("A serial number "
845 "must be specified as a hex number when creating"
846 " a self-signed certificate "
847 "(ex: serial=0x0102030405feedface)\n"));
851 uchar_t
*bytes
= NULL
;
854 rv
= kmf_hexstr_to_bytes((uchar_t
*)serstr
, &bytes
, &bytelen
);
855 if (rv
!= KMF_OK
|| bytes
== NULL
) {
856 (void) fprintf(stderr
, gettext("serial number "
857 "must be specified as a hex number "
858 "(ex: 0x0102030405ffeeddee)\n"));
863 serial
.len
= bytelen
;
866 if (altname
!= NULL
) {
867 rv
= verify_altname(altname
, &alttype
, &altcrit
);
869 (void) fprintf(stderr
, gettext("Subject AltName "
870 "must be specified as a name=value pair. "
871 "See the man page for details.\n"));
875 /* advance the altname past the '=' sign */
876 char *p
= strchr(altname
, '=');
882 if (keyusagestr
!= NULL
) {
883 rv
= verify_keyusage(keyusagestr
, &kubits
, &kucrit
);
885 (void) fprintf(stderr
, gettext("KeyUsage "
886 "must be specified as a comma-separated list. "
887 "See the man page for details.\n"));
892 if (ekustr
!= NULL
) {
893 rv
= verify_ekunames(ekustr
, &ekulist
);
895 (void) fprintf(stderr
, gettext("EKUs must "
896 "be specified as a comma-separated list. "
897 "See the man page for details.\n"));
902 if (keyAlg
== KMF_ECDSA
&& kstype
== KMF_KEYSTORE_OPENSSL
) {
903 (void) fprintf(stderr
, gettext("ECC certificates are"
904 "only supported with the pkcs11 and nss keystores\n"));
909 if (kstype
== KMF_KEYSTORE_NSS
|| kstype
== KMF_KEYSTORE_PK11TOKEN
) {
910 if (tokenname
== NULL
|| !strlen(tokenname
)) {
911 if (kstype
== KMF_KEYSTORE_NSS
) {
912 tokenname
= "internal";
914 tokenname
= PK_DEFAULT_PK11TOKEN
;
918 (void) get_token_password(kstype
, tokenname
, &tokencred
);
921 if (kstype
== KMF_KEYSTORE_NSS
) {
923 dir
= PK_DEFAULT_DIRECTORY
;
925 rv
= gencert_nss(kmfhandle
,
926 tokenname
, subname
, altname
, alttype
, altcrit
,
927 certlabel
, dir
, prefix
, keyAlg
, sigAlg
, keylen
,
928 trust
, ltime
, &serial
, kubits
, kucrit
, &tokencred
,
931 } else if (kstype
== KMF_KEYSTORE_PK11TOKEN
) {
932 rv
= gencert_pkcs11(kmfhandle
,
933 tokenname
, subname
, altname
, alttype
, altcrit
,
934 certlabel
, keyAlg
, sigAlg
, keylen
, ltime
,
935 &serial
, kubits
, kucrit
, &tokencred
, ekulist
,
938 } else if (kstype
== KMF_KEYSTORE_OPENSSL
) {
939 rv
= gencert_file(kmfhandle
,
940 keyAlg
, sigAlg
, keylen
, fmt
,
941 ltime
, subname
, altname
, alttype
, altcrit
,
942 &serial
, kubits
, kucrit
, outcert
, outkey
,
947 display_error(kmfhandle
, rv
,
948 gettext("Error creating certificate and keypair"));
951 free_eku_list(ekulist
);
953 free(tokencred
.cred
);
957 (void) kmf_finalize(kmfhandle
);