OpenSolaris_b135/lib/libpkg/common/keystore.c
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Module: keystore.c
* Description: This module contains the structure definitions for processing
* package keystore files.
*/
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <strings.h>
#include <libintl.h>
#include <time.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pkcs12.h>
#include <openssl/asn1.h>
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/safestack.h>
#include <openssl/stack.h>
#include "p12lib.h"
#include "pkgerr.h"
#include "keystore.h"
#include "pkglib.h"
#include "pkglibmsgs.h"
typedef struct keystore_t {
boolean_t dirty;
boolean_t new;
char *path;
char *passphrase;
/* truststore handles */
int cafd;
STACK_OF(X509) *cacerts;
char *capath;
/* user certificate handles */
STACK_OF(X509) *clcerts;
char *clpath;
/* private key handles */
STACK_OF(EVP_PKEY) *pkeys;
char *keypath;
} keystore_t;
/* local routines */
static keystore_t *new_keystore(void);
static void free_keystore(keystore_t *);
static boolean_t verify_keystore_integrity(PKG_ERR *, keystore_t *);
static boolean_t check_password(PKCS12 *, char *);
static boolean_t resolve_paths(PKG_ERR *, char *, char *,
long, keystore_t *);
static boolean_t lock_keystore(PKG_ERR *, long, keystore_t *);
static boolean_t unlock_keystore(PKG_ERR *, keystore_t *);
static boolean_t read_keystore(PKG_ERR *, keystore_t *,
keystore_passphrase_cb);
static boolean_t write_keystore(PKG_ERR *, keystore_t *,
keystore_passphrase_cb);
static boolean_t write_keystore_file(PKG_ERR *, char *, PKCS12 *);
static boolean_t clear_keystore_file(PKG_ERR *, char *);
static PKCS12 *read_keystore_file(PKG_ERR *, char *);
static char *get_time_string(ASN1_TIME *);
/* locking routines */
static boolean_t restore_keystore_file(PKG_ERR *, char *);
static int file_lock(int, int, int);
static int file_unlock(int);
static boolean_t file_lock_test(int, int);
static boolean_t file_empty(char *);
static boolean_t get_keystore_passwd(PKG_ERR *err, PKCS12 *p12,
keystore_passphrase_cb cb, keystore_t *keystore);
static boolean_t wait_restore(int, char *, char *, char *);
#define KEYSTORE_PERMS (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)
/* wait on other keystore access for 1 minute before giving up */
#define LOCK_TIMEOUT 60
/*
* print_certs - prints certificates out of a keystore, to a file.
*
* Arguments:
* err - Error object to append errors to
* keystore - Keystore on which to operate
* alias - Name of certificate to print, NULL means print all
* format - Format in which to print certificates
* outfile - Where to print certificates
*
* Returns:
* 0 - Success
* non-zero - Failure, errors added to err
*/
int
print_certs(PKG_ERR *err, keystore_handle_t keystore_h, char *alias,
keystore_encoding_format_t format, FILE *outfile)
{
int i;
X509 *cert;
char *fname = NULL;
boolean_t found = B_FALSE;
keystore_t *keystore = keystore_h;
if (keystore->clcerts != NULL) {
/* print out each client cert */
for (i = 0; i < sk_X509_num(keystore->clcerts); i++) {
cert = sk_X509_value(keystore->clcerts, i);
(void) sunw_get_cert_fname(GETDO_COPY, cert,
&fname);
if (fname == NULL) {
/* no name recorded, keystore is corrupt */
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_NO_ALIAS),
get_subject_display_name(cert));
return (1);
}
if ((alias != NULL) && (!streq(alias, fname))) {
/* name does not match, skip it */
(void) OPENSSL_free(fname);
fname = NULL;
continue;
} else {
found = B_TRUE;
(void) print_cert(err, cert, format,
fname, B_FALSE, outfile);
(void) OPENSSL_free(fname);
fname = NULL;
}
}
}
if (fname != NULL) {
(void) OPENSSL_free(fname);
fname = NULL;
}
if (keystore->cacerts != NULL) {
/* print out each trusted cert */
for (i = 0; i < sk_X509_num(keystore->cacerts); i++) {
cert = sk_X509_value(keystore->cacerts, i);
(void) sunw_get_cert_fname(GETDO_COPY,
cert, &fname);
if (fname == NULL) {
/* no name recorded, keystore is corrupt */
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_NO_ALIAS),
get_subject_display_name(cert));
return (1);
}
if ((alias != NULL) && (!streq(alias, fname))) {
/* name does not match, skip it */
(void) OPENSSL_free(fname);
fname = NULL;
continue;
} else {
found = B_TRUE;
(void) print_cert(err, cert, format,
fname, B_TRUE, outfile);
(void) OPENSSL_free(fname);
fname = NULL;
}
}
}
if (fname != NULL) {
(void) OPENSSL_free(fname);
fname = NULL;
}
if (found) {
return (0);
} else {
/* no certs printed */
if (alias != NULL) {
pkgerr_add(err, PKGERR_NOALIASMATCH,
gettext(ERR_KEYSTORE_NOCERT),
alias, keystore->path);
} else {
pkgerr_add(err, PKGERR_NOPUBKEY,
gettext(ERR_KEYSTORE_NOPUBCERTS),
keystore->path);
pkgerr_add(err, PKGERR_NOCACERT,
gettext(ERR_KEYSTORE_NOCACERTS),
keystore->path);
}
return (1);
}
}
/*
* print_cert - prints a single certificate, to a file
*
* Arguments:
* err - Error object to append errors to
* x - The certificate to print
* alias - Name of certificate to print
* format - Format in which to print certificate
* outfile - Where to print certificate
*
* Returns:
* 0 - Success
* non-zero - Failure, errors added to err
*/
int print_cert(PKG_ERR *err, X509 *x,
keystore_encoding_format_t format, char *alias, boolean_t is_trusted,
FILE *outfile)
{
char *vdb_str;
char *vda_str;
char vd_str[ATTR_MAX];
int ret = 0;
char *cn_str, *icn_str, *typ_str;
char *tmp;
char *md5_fp;
char *sha1_fp;
int len;
/* need to localize the word "Fingerprint", hence these pointers */
char md5_label[ATTR_MAX];
char sha1_label[ATTR_MAX];
if (is_trusted) {
typ_str = gettext(MSG_KEYSTORE_TRUSTED);
} else {
typ_str = gettext(MSG_KEYSTORE_UNTRUSTED);
}
if ((cn_str = get_subject_display_name(x)) == NULL) {
cn_str = gettext(MSG_KEYSTORE_UNKNOWN);
}
if ((icn_str = get_issuer_display_name(x)) == NULL) {
icn_str = gettext(MSG_KEYSTORE_UNKNOWN);
}
vdb_str = xstrdup(get_time_string(X509_get_notBefore(x)));
vda_str = xstrdup(get_time_string(X509_get_notAfter(x)));
if (((len = snprintf(vd_str, ATTR_MAX, "<%s> - <%s>",
vdb_str, vda_str)) < 0) || (len >= ATTR_MAX)) {
pkgerr_add(err, PKGERR_WEB, gettext(ERR_LEN), vdb_str);
ret = 1;
goto cleanup;
}
if ((tmp = get_fingerprint(x, EVP_md5())) == NULL) {
md5_fp = gettext(MSG_KEYSTORE_UNKNOWN);
} else {
/*
* make a copy, otherwise the next call to get_fingerprint
* will overwrite this one
*/
md5_fp = xstrdup(tmp);
}
if ((tmp = get_fingerprint(x, EVP_sha1())) == NULL) {
sha1_fp = gettext(MSG_KEYSTORE_UNKNOWN);
} else {
sha1_fp = xstrdup(tmp);
}
(void) snprintf(md5_label, ATTR_MAX, "%s %s",
OBJ_nid2sn(EVP_MD_type(EVP_md5())),
/* i18n: 14 characters max */
gettext(MSG_KEYSTORE_FP));
(void) snprintf(sha1_label, ATTR_MAX, "%s %s",
OBJ_nid2sn(EVP_MD_type(EVP_sha1())),
/* i18n: 14 characters max */
gettext(MSG_KEYSTORE_FP));
switch (format) {
case KEYSTORE_FORMAT_PEM:
(void) PEM_write_X509(outfile, x);
break;
case KEYSTORE_FORMAT_DER:
(void) i2d_X509_fp(outfile, x);
break;
case KEYSTORE_FORMAT_TEXT:
(void) fprintf(outfile, "%18s: %s\n",
/* i18n: 18 characters max */
gettext(MSG_KEYSTORE_AL), alias);
(void) fprintf(outfile, "%18s: %s\n",
/* i18n: 18 characters max */
gettext(MSG_KEYSTORE_CN), cn_str);
(void) fprintf(outfile, "%18s: %s\n",
/* i18n: 18 characters max */
gettext(MSG_KEYSTORE_TY), typ_str);
(void) fprintf(outfile, "%18s: %s\n",
/* i18n: 18 characters max */
gettext(MSG_KEYSTORE_IN), icn_str);
(void) fprintf(outfile, "%18s: %s\n",
/* i18n: 18 characters max */
gettext(MSG_KEYSTORE_VD), vd_str);
(void) fprintf(outfile, "%18s: %s\n", md5_label, md5_fp);
(void) fprintf(outfile, "%18s: %s\n", sha1_label, sha1_fp);
(void) fprintf(outfile, "\n");
break;
default:
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
ret = 1;
goto cleanup;
}
cleanup:
if (md5_fp != NULL)
free(md5_fp);
if (sha1_fp != NULL)
free(sha1_fp);
if (vda_str != NULL)
free(vda_str);
if (vdb_str != NULL)
free(vdb_str);
return (ret);
}
/*
* open_keystore - Initialize new keystore object for
* impending access.
*
* Arguments:
* err - Error object to append errors to
* keystore_file - Base filename or directory of keystore
* app - Application making request
* passwd - Password used to decrypt keystore
* flags - Control flags used to control access mode and behavior
* result - Resulting keystore object stored here on success
*
* Returns:
* 0 - Success - result contains a pointer to the opened keystore
* non-zero - Failure, errors added to err
*/
int
open_keystore(PKG_ERR *err, char *keystore_file, char *app,
keystore_passphrase_cb cb, long flags, keystore_handle_t *result)
{
int ret = 0;
keystore_t *tmpstore;
tmpstore = new_keystore();
tmpstore->dirty = B_FALSE;
tmpstore->new = B_FALSE;
tmpstore->path = xstrdup(keystore_file);
if (!resolve_paths(err, keystore_file, app, flags, tmpstore)) {
/* unable to determine keystore paths */
pkgerr_add(err, PKGERR_CORRUPT, gettext(ERR_KEYSTORE_REPAIR),
keystore_file);
ret = 1;
goto cleanup;
}
if (!verify_keystore_integrity(err, tmpstore)) {
/* unable to repair keystore */
pkgerr_add(err, PKGERR_CORRUPT, gettext(ERR_KEYSTORE_REPAIR),
keystore_file);
ret = 1;
goto cleanup;
}
if (!lock_keystore(err, flags, tmpstore)) {
pkgerr_add(err, PKGERR_LOCKED, gettext(ERR_KEYSTORE_LOCKED),
keystore_file);
ret = 1;
goto cleanup;
}
/* now that we have locked the keystore, go ahead and read it */
if (!read_keystore(err, tmpstore, cb)) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_PARSE),
keystore_file);
ret = 1;
goto cleanup;
}
*result = tmpstore;
tmpstore = NULL;
cleanup:
if (tmpstore != NULL)
free_keystore(tmpstore);
return (ret);
}
/*
* new_keystore - Allocates and initializes a Keystore object
*
* Arguments:
* NONE
*
* Returns:
* NULL - out of memory
* otherwise, returns a pointer to the newly allocated object,
* which should be freed with free_keystore() when no longer
* needed.
*/
static keystore_t
*new_keystore(void)
{
keystore_t *tmpstore;
if ((tmpstore = (keystore_t *)malloc(sizeof (keystore_t))) == NULL) {
return (NULL);
}
tmpstore->dirty = B_FALSE;
tmpstore->new = B_FALSE;
tmpstore->path = NULL;
tmpstore->passphrase = NULL;
tmpstore->cafd = -1;
tmpstore->cacerts = NULL;
tmpstore->capath = NULL;
tmpstore->clcerts = NULL;
tmpstore->clpath = NULL;
tmpstore->pkeys = NULL;
tmpstore->keypath = NULL;
return (tmpstore);
}
/*
* free_keystore - Deallocates a Keystore object
*
* Arguments:
* keystore - The keystore to deallocate
*
* Returns:
* NONE
*/
static void
free_keystore(keystore_t *keystore)
{
if (keystore->path != NULL)
free(keystore->path);
if (keystore->capath != NULL)
free(keystore->capath);
if (keystore->passphrase != NULL)
free(keystore->passphrase);
if (keystore->clpath != NULL)
free(keystore->clpath);
if (keystore->keypath != NULL)
free(keystore->keypath);
if (keystore->pkeys != NULL) {
sk_EVP_PKEY_pop_free(keystore->pkeys,
sunw_evp_pkey_free);
}
if (keystore->clcerts != NULL)
sk_X509_free(keystore->clcerts);
if (keystore->cacerts != NULL)
sk_X509_free(keystore->cacerts);
free(keystore);
}
/*
* close_keystore - Writes keystore to disk if needed, then
* unlocks and closes keystore.
*
* Arguments:
* err - Error object to append errors to
* keystore - Keystore which should be closed
* passwd - Password used to encrypt keystore
*
* Returns:
* 0 - Success - keystore is committed to disk, and unlocked
* non-zero - Failure, errors added to err
*/
int
close_keystore(PKG_ERR *err, keystore_handle_t keystore_h,
keystore_passphrase_cb cb)
{
int ret = 0;
keystore_t *keystore = keystore_h;
if (keystore->dirty) {
/* write out the keystore first */
if (!write_keystore(err, keystore, cb)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->path);
ret = 1;
goto cleanup;
}
}
if (!unlock_keystore(err, keystore)) {
pkgerr_add(err, PKGERR_UNLOCK, gettext(ERR_KEYSTORE_UNLOCK),
keystore->path);
ret = 1;
goto cleanup;
}
free_keystore(keystore);
cleanup:
return (ret);
}
/*
* merge_ca_cert - Adds a trusted certificate (trust anchor) to a keystore.
* certificate checked for validity dates and non-duplicity.
*
* Arguments:
* err - Error object to add errors to
* cacert - Certificate which to merge into keystore
* keystore - The keystore into which the certificate is merged
*
* Returns:
* 0 - Success - Certificate passes validity, and
* is merged into keystore
* non-zero - Failure, errors recorded in err
*/
int
merge_ca_cert(PKG_ERR *err, X509 *cacert, keystore_handle_t keystore_h)
{
int ret = 0;
X509 *existing = NULL;
char *fname;
keystore_t *keystore = keystore_h;
/* check validity dates */
if (check_cert(err, cacert) != 0) {
ret = 1;
goto cleanup;
}
/* create the certificate's friendlyName */
fname = get_subject_display_name(cacert);
if (sunw_set_fname(fname, NULL, cacert) != 0) {
pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
ret = 1;
goto cleanup;
}
/* merge certificate into the keystore */
if (keystore->cacerts == NULL) {
/* no existing truststore, so make a new one */
if ((keystore->cacerts = sk_X509_new_null()) == NULL) {
pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
ret = 1;
goto cleanup;
}
} else {
/* existing truststore, make sure there's no duplicate */
if (sunw_find_fname(fname, NULL, keystore->cacerts,
NULL, &existing) < 0) {
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
ERR_print_errors_fp(stderr);
ret = 1;
goto cleanup;
/* could not search properly! */
}
if (existing != NULL) {
/* whoops, found one already */
pkgerr_add(err, PKGERR_DUPLICATE,
gettext(ERR_KEYSTORE_DUPLICATECERT), fname);
ret = 1;
goto cleanup;
}
}
(void) sk_X509_push(keystore->cacerts, cacert);
keystore->dirty = B_TRUE;
cleanup:
if (existing != NULL)
X509_free(existing);
return (ret);
}
/*
* find_key_cert_pair - Searches a keystore for a matching
* public key certificate and private key, given an alias.
*
* Arguments:
* err - Error object to add errors to
* ks - Keystore to search
* alias - Name to used to match certificate's alias
* key - Resulting key is placed here
* cert - Resulting cert is placed here
*
* Returns:
* 0 - Success - Matching cert/key pair placed in key and cert.
* non-zero - Failure, errors recorded in err
*/
int
find_key_cert_pair(PKG_ERR *err, keystore_handle_t ks_h, char *alias,
EVP_PKEY **key, X509 **cert)
{
X509 *tmpcert = NULL;
EVP_PKEY *tmpkey = NULL;
int ret = 0;
int items_found;
keystore_t *ks = ks_h;
if (key == NULL || cert == NULL) {
pkgerr_add(err, PKGERR_NOPUBKEY,
gettext(ERR_KEYSTORE_NOPUBCERTS), ks->path);
ret = 1;
goto cleanup;
}
if (ks->clcerts == NULL) {
/* no public certs */
pkgerr_add(err, PKGERR_NOPUBKEY,
gettext(ERR_KEYSTORE_NOCERTS), ks->path);
ret = 1;
goto cleanup;
}
if (ks->pkeys == NULL) {
/* no private keys */
pkgerr_add(err, PKGERR_NOPRIVKEY,
gettext(ERR_KEYSTORE_NOKEYS), ks->path);
ret = 1;
goto cleanup;
}
/* try the easy case first */
if ((sk_EVP_PKEY_num(ks->pkeys) == 1) &&
(sk_X509_num(ks->clcerts) == 1)) {
tmpkey = sk_EVP_PKEY_value(ks->pkeys, 0);
tmpcert = sk_X509_value(ks->clcerts, 0);
if (sunw_check_keys(tmpcert, tmpkey)) {
/*
* only one private key and public key cert, and they
* match, so use them
*/
*key = tmpkey;
tmpkey = NULL;
*cert = tmpcert;
tmpcert = NULL;
goto cleanup;
}
}
/* Attempt to find the right pair given the alias */
items_found = sunw_find_fname(alias, ks->pkeys, ks->clcerts,
&tmpkey, &tmpcert);
if ((items_found < 0) ||
(items_found & (FOUND_PKEY | FOUND_CERT)) == 0) {
/* no key/cert pair found. bail. */
pkgerr_add(err, PKGERR_BADALIAS,
gettext(ERR_KEYSTORE_NOMATCH), alias);
ret = 1;
goto cleanup;
}
/* success */
*key = tmpkey;
tmpkey = NULL;
*cert = tmpcert;
tmpcert = NULL;
cleanup:
if (tmpcert != NULL)
(void) X509_free(tmpcert);
if (tmpkey != NULL)
sunw_evp_pkey_free(tmpkey);
return (ret);
}
/*
* find_ca_certs - Searches a keystore for trusted certificates
*
* Arguments:
* err - Error object to add errors to
* ks - Keystore to search
* cacerts - resulting set of trusted certs are placed here
*
* Returns:
* 0 - Success - trusted cert list returned in cacerts
* non-zero - Failure, errors recorded in err
*/
int
find_ca_certs(PKG_ERR *err, keystore_handle_t ks_h, STACK_OF(X509) **cacerts)
{
keystore_t *ks = ks_h;
/* easy */
if (cacerts == NULL) {
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL), __FILE__, __LINE__);
return (1);
}
*cacerts = ks->cacerts;
return (0);
}
/*
* find_cl_certs - Searches a keystore for user certificates
*
* Arguments:
* err - Error object to add errors to
* ks - Keystore to search
* cacerts - resulting set of user certs are placed here
*
* No matching of any kind is performed.
* Returns:
* 0 - Success - trusted cert list returned in cacerts
* non-zero - Failure, errors recorded in err
*/
/* ARGSUSED */
int
find_cl_certs(PKG_ERR *err, keystore_handle_t ks_h, STACK_OF(X509) **clcerts)
{
keystore_t *ks = ks_h;
/* easy */
*clcerts = ks->clcerts;
return (0);
}
/*
* merge_cert_and_key - Adds a user certificate and matching
* private key to a keystore.
* certificate checked for validity dates and non-duplicity.
*
* Arguments:
* err - Error object to add errors to
* cert - Certificate which to merge into keystore
* key - matching private key to 'cert'
* alias - Name which to store the cert and key under
* keystore - The keystore into which the certificate is merged
*
* Returns:
* 0 - Success - Certificate passes validity, and
* is merged into keystore, along with key
* non-zero - Failure, errors recorded in err
*/
int
merge_cert_and_key(PKG_ERR *err, X509 *cert, EVP_PKEY *key, char *alias,
keystore_handle_t keystore_h)
{
X509 *existingcert = NULL;
EVP_PKEY *existingkey = NULL;
int ret = 0;
keystore_t *keystore = keystore_h;
/* check validity dates */
if (check_cert(err, cert) != 0) {
ret = 1;
goto cleanup;
}
/* set the friendlyName of the key and cert to the supplied alias */
if (sunw_set_fname(alias, key, cert) != 0) {
pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
ret = 1;
goto cleanup;
}
/* merge certificate and key into the keystore */
if (keystore->clcerts == NULL) {
/* no existing truststore, so make a new one */
if ((keystore->clcerts = sk_X509_new_null()) == NULL) {
pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
ret = 1;
goto cleanup;
}
} else {
/* existing certstore, make sure there's no duplicate */
if (sunw_find_fname(alias, NULL, keystore->clcerts,
NULL, &existingcert) < 0) {
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
ERR_print_errors_fp(stderr);
ret = 1;
goto cleanup;
/* could not search properly! */
}
if (existingcert != NULL) {
/* whoops, found one already */
pkgerr_add(err, PKGERR_DUPLICATE,
gettext(ERR_KEYSTORE_DUPLICATECERT), alias);
ret = 1;
goto cleanup;
}
}
if (keystore->pkeys == NULL) {
/* no existing keystore, so make a new one */
if ((keystore->pkeys = sk_EVP_PKEY_new_null()) == NULL) {
pkgerr_add(err, PKGERR_NOMEM, gettext(ERR_MEM));
ret = 1;
goto cleanup;
}
} else {
/* existing keystore, so make sure there's no duplicate entry */
if (sunw_find_fname(alias, keystore->pkeys, NULL,
&existingkey, NULL) < 0) {
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
ERR_print_errors_fp(stderr);
ret = 1;
goto cleanup;
/* could not search properly! */
}
if (existingkey != NULL) {
/* whoops, found one already */
pkgerr_add(err, PKGERR_DUPLICATE,
gettext(ERR_KEYSTORE_DUPLICATEKEY), alias);
ret = 1;
goto cleanup;
}
}
(void) sk_X509_push(keystore->clcerts, cert);
(void) sk_EVP_PKEY_push(keystore->pkeys, key);
keystore->dirty = B_TRUE;
cleanup:
if (existingcert != NULL)
(void) X509_free(existingcert);
if (existingkey != NULL)
(void) sunw_evp_pkey_free(existingkey);
return (ret);
}
/*
* delete_cert_and_keys - Deletes one or more certificates
* and matching private keys from a keystore.
*
* Arguments:
* err - Error object to add errors to
* ks - The keystore from which certs and keys are deleted
* alias - Name which to search for certificates and keys
* to delete
*
* Returns:
* 0 - Success - All trusted certs which match 'alias'
* are deleted. All user certificates
* which match 'alias' are deleted, along
* with the matching private key.
* non-zero - Failure, errors recorded in err
*/
int
delete_cert_and_keys(PKG_ERR *err, keystore_handle_t ks_h, char *alias)
{
X509 *existingcert;
EVP_PKEY *existingkey;
int i;
char *fname = NULL;
boolean_t found = B_FALSE;
keystore_t *ks = ks_h;
/* delete any and all client certs with the supplied name */
if (ks->clcerts != NULL) {
for (i = 0; i < sk_X509_num(ks->clcerts); i++) {
existingcert = sk_X509_value(ks->clcerts, i);
if (sunw_get_cert_fname(GETDO_COPY,
existingcert, &fname) >= 0) {
if (streq(fname, alias)) {
/* match, so nuke it */
existingcert =
sk_X509_delete(ks->clcerts, i);
X509_free(existingcert);
existingcert = NULL;
found = B_TRUE;
}
(void) OPENSSL_free(fname);
fname = NULL;
}
}
if (sk_X509_num(ks->clcerts) <= 0) {
/* we deleted all the client certs */
sk_X509_free(ks->clcerts);
ks->clcerts = NULL;
}
}
/* and now the private keys */
if (ks->pkeys != NULL) {
for (i = 0; i < sk_EVP_PKEY_num(ks->pkeys); i++) {
existingkey = sk_EVP_PKEY_value(ks->pkeys, i);
if (sunw_get_pkey_fname(GETDO_COPY,
existingkey, &fname) >= 0) {
if (streq(fname, alias)) {
/* match, so nuke it */
existingkey =
sk_EVP_PKEY_delete(ks->pkeys, i);
sunw_evp_pkey_free(existingkey);
existingkey = NULL;
found = B_TRUE;
}
(void) OPENSSL_free(fname);
fname = NULL;
}
}
if (sk_EVP_PKEY_num(ks->pkeys) <= 0) {
/* we deleted all the private keys */
sk_EVP_PKEY_free(ks->pkeys);
ks->pkeys = NULL;
}
}
/* finally, remove any trust anchors that match */
if (ks->cacerts != NULL) {
for (i = 0; i < sk_X509_num(ks->cacerts); i++) {
existingcert = sk_X509_value(ks->cacerts, i);
if (sunw_get_cert_fname(GETDO_COPY,
existingcert, &fname) >= 0) {
if (streq(fname, alias)) {
/* match, so nuke it */
existingcert =
sk_X509_delete(ks->cacerts, i);
X509_free(existingcert);
existingcert = NULL;
found = B_TRUE;
}
(void) OPENSSL_free(fname);
fname = NULL;
}
}
if (sk_X509_num(ks->cacerts) <= 0) {
/* we deleted all the CA certs */
sk_X509_free(ks->cacerts);
ks->cacerts = NULL;
}
}
if (found) {
ks->dirty = B_TRUE;
return (0);
} else {
/* no certs or keys deleted */
pkgerr_add(err, PKGERR_NOALIASMATCH,
gettext(ERR_KEYSTORE_NOCERTKEY),
alias, ks->path);
return (1);
}
}
/*
* check_cert - Checks certificate validity. This routine
* checks that the current time falls within the period
* of validity for the cert.
*
* Arguments:
* err - Error object to add errors to
* cert - The certificate to check
*
* Returns:
* 0 - Success - Certificate checks out
* non-zero - Failure, errors and reasons recorded in err
*/
int
check_cert(PKG_ERR *err, X509 *cert)
{
char currtimestr[ATTR_MAX];
time_t currtime;
char *r, *before_str, *after_str;
/* get current time */
if ((currtime = time(NULL)) == (time_t)-1) {
pkgerr_add(err, PKGERR_TIME, gettext(ERR_CURR_TIME));
return (1);
}
(void) strlcpy(currtimestr, ctime(&currtime), ATTR_MAX);
/* trim whitespace from end of time string */
for (r = (currtimestr + strlen(currtimestr) - 1); isspace(*r); r--) {
*r = '\0';
}
/* check validity of cert */
switch (sunw_check_cert_times(CHK_BOTH, cert)) {
case CHKERR_TIME_OK:
/* Current time meets requested checks */
break;
case CHKERR_TIME_BEFORE_BAD:
/* 'not before' field is invalid */
case CHKERR_TIME_AFTER_BAD:
/* 'not after' field is invalid */
pkgerr_add(err, PKGERR_TIME, gettext(ERR_CERT_TIME_BAD));
return (1);
case CHKERR_TIME_IS_BEFORE:
/* Current time is before 'not before' */
case CHKERR_TIME_HAS_EXPIRED:
/*
* Ignore expiration time since the trust cert used to
* verify the certs used to sign Sun patches is already
* expired. Once the patches get resigned with the new
* cert we will check expiration against the time the
* patch was signed and not the time it is installed.
*/
return (0);
default:
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
return (1);
}
/* all checks ok */
return (0);
}
/*
* check_cert - Checks certificate validity. This routine
* checks everything that check_cert checks, and additionally
* verifies that the private key and corresponding public
* key are indeed a pair.
*
* Arguments:
* err - Error object to add errors to
* cert - The certificate to check
* key - the key to check
* Returns:
* 0 - Success - Certificate checks out
* non-zero - Failure, errors and reasons recorded in err
*/
int
check_cert_and_key(PKG_ERR *err, X509 *cert, EVP_PKEY *key)
{
/* check validity dates */
if (check_cert(err, cert) != 0) {
return (1);
}
/* check key pair match */
if (sunw_check_keys(cert, key) == 0) {
pkgerr_add(err, PKGERR_VERIFY, gettext(ERR_MISMATCHED_KEYS),
get_subject_display_name(cert));
return (1);
}
/* all checks OK */
return (0);
}
/* ------------------ private functions ---------------------- */
/*
* verify_keystore_integrity - Searches for the remnants
* of a failed or aborted keystore modification, and
* cleans up the files, retstores the keystore to a known
* state.
*
* Arguments:
* err - Error object to add errors to
* keystore_file - Base directory or filename of keystore
* app - Application making request
*
* Returns:
* 0 - Success - Keystore is restored, or untouched in the
* case that cleanup was unnecessary
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
verify_keystore_integrity(PKG_ERR *err, keystore_t *keystore)
{
if (keystore->capath != NULL) {
if (!restore_keystore_file(err, keystore->capath)) {
return (B_FALSE);
}
}
if (keystore->clpath != NULL) {
if (!restore_keystore_file(err, keystore->clpath)) {
return (B_FALSE);
}
}
if (keystore->keypath != NULL) {
if (!restore_keystore_file(err, keystore->keypath)) {
return (B_FALSE);
}
}
return (B_TRUE);
}
/*
* restore_keystore_file - restores a keystore file to
* a known state.
*
* Keystore files can possibly be corrupted by a variety
* of error conditions during reading/writing. This
* routine, along with write_keystore_file, tries to
* maintain keystore integrity by writing the files
* out in a particular order, minimizing the time period
* that the keystore is in an indeterminate state.
*
* With the current implementation, there are some failures
* that are wholly unrecoverable, such as disk corruption.
* These routines attempt to minimize the risk, but not
* eliminate it. When better, atomic operations are available
* (such as a trued atabase with commit, rollback, and
* guaranteed atomicity), this implementation should use that.
*
* Arguments:
* err - Error object to add errors to
* keystore_file - keystore file path to restore.
*
* Returns:
* 0 - Success - Keystore file is restored, or untouched in the
* case that cleanup was unnecessary
* non-zero - Failure, errors and reasons recorded in err
*/
/* ARGSUSED */
static boolean_t
restore_keystore_file(PKG_ERR *err, char *keystore_file)
{
char newpath[MAXPATHLEN];
char backuppath[MAXPATHLEN];
int newfd;
struct stat buf;
int len;
if (((len = snprintf(newpath, MAXPATHLEN, "%s.new",
keystore_file)) < 0) ||
(len >= ATTR_MAX)) {
pkgerr_add(err, PKGERR_WEB, gettext(ERR_LEN), keystore_file);
return (B_FALSE);
}
if (((len = snprintf(backuppath, MAXPATHLEN, "%s.bak",
keystore_file)) < 0) ||
(len >= ATTR_MAX)) {
pkgerr_add(err, PKGERR_WEB, gettext(ERR_LEN), keystore_file);
return (B_FALSE);
}
if ((newfd = open(newpath, O_RDWR|O_NONBLOCK, 0)) != -1) {
if (fstat(newfd, &buf) != -1) {
if (S_ISREG(buf.st_mode)) {
/*
* restore the file, waiting on it
* to be free for locking, or for
* it to disappear
*/
if (!wait_restore(newfd, keystore_file,
newpath, backuppath)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_WRITE),
newpath, strerror(errno));
(void) close(newfd);
return (B_FALSE);
} else {
return (B_TRUE);
}
} else {
/* "new" file is not a regular file */
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_NOT_REG), newpath);
(void) close(newfd);
return (B_FALSE);
}
} else {
/* couldn't stat "new" file */
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_WRITE), newpath,
strerror(errno));
(void) close(newfd);
return (B_FALSE);
}
} else {
/* "new" file doesn't exist */
return (B_TRUE);
}
}
static boolean_t
wait_restore(int newfd, char *keystore_file,
char *origpath, char *backuppath)
{
struct stat buf;
FILE *newstream;
PKCS12 *p12;
(void) alarm(LOCK_TIMEOUT);
if (file_lock(newfd, F_WRLCK, 1) == -1) {
/* could not lock file */
(void) alarm(0);
return (B_FALSE);
}
(void) alarm(0);
if (fstat(newfd, &buf) != -1) {
if (S_ISREG(buf.st_mode)) {
/*
* The new file still
* exists, with no
* owner. It must be
* the result of an
* aborted update.
*/
newstream = fdopen(newfd, "r");
if ((p12 =
d2i_PKCS12_fp(newstream,
NULL)) != NULL) {
/*
* The file
* appears
* complete.
* Replace the
* exsisting
* keystore
* file with
* this one
*/
(void) rename(keystore_file, backuppath);
(void) rename(origpath, keystore_file);
PKCS12_free(p12);
} else {
/* The file is not complete. Remove it */
(void) remove(origpath);
}
/* remove backup file */
(void) remove(backuppath);
(void) fclose(newstream);
(void) close(newfd);
return (B_TRUE);
} else {
/*
* new file exists, but is not a
* regular file
*/
(void) close(newfd);
return (B_FALSE);
}
} else {
/*
* could not stat file. Unless
* the reason was that the file
* is now gone, this is an error
*/
if (errno != ENOENT) {
(void) close(newfd);
return (B_FALSE);
}
/*
* otherwise, file is gone. The process
* that held the lock must have
* successfully cleaned up and
* exited with a valid keystore
* state
*/
(void) close(newfd);
return (B_TRUE);
}
}
/*
* resolve_paths - figure out if we are dealing with a single-file
* or multi-file keystore
*
* The flags tell resolve_paths how to behave:
*
* KEYSTORE_PATH_SOFT
* If the keystore file does not exist at <base>/<app> then
* use <base> as the path to the keystore. This can be used,
* for example, to access an app-specific keystore iff it
* exists, otherwise revert back to an app-generic keystore.
*
* KEYSTORE_PATH_HARD
* Always use the keystore located at <keystore_path>/<app>.
* In read/write mode, if the files do not exist, then
* they will be created. This is used to avoid falling
* back to an app-generic keystore path when the app-specific
* one does not exist.
*
* Arguments:
* err - Error object to add errors to
* keystore_file - base keystore file path to lock
* app - Application making requests
* flags - Control flags (see above description)
* keystore - object which is being locked
*
* Returns:
* B_TRUE - Success - Keystore file is locked, paths to
* appropriate files placed in keystore.
* B_FALSE - Failure, errors and reasons recorded in err
*/
static boolean_t
resolve_paths(PKG_ERR *err, char *keystore_file, char *app,
long flags, keystore_t *keystore)
{
char storepath[PATH_MAX];
struct stat buf;
boolean_t multi = B_FALSE;
int fd1, fd2, len;
/*
* figure out whether we are dealing with a single-file keystore
* or a multi-file keystore
*/
if (app != NULL) {
if (((len = snprintf(storepath, PATH_MAX, "%s/%s",
keystore_file, app)) < 0) ||
(len >= ATTR_MAX)) {
pkgerr_add(err, PKGERR_WEB, gettext(ERR_LEN),
keystore_file);
return (B_FALSE);
}
if (((fd1 = open(storepath, O_NONBLOCK|O_RDONLY)) == -1) ||
(fstat(fd1, &buf) == -1) ||
!S_ISDIR(buf.st_mode)) {
/*
* app-specific does not exist
* fallback to app-generic, if flags say we can
*/
if ((flags & KEYSTORE_PATH_MASK) ==
KEYSTORE_PATH_SOFT) {
if (((fd2 = open(keystore_file,
O_NONBLOCK|O_RDONLY)) != -1) &&
(fstat(fd2, &buf) != -1)) {
if (S_ISDIR(buf.st_mode)) {
/*
* app-generic dir
* exists, so use it
* as a multi-file
* keystore
*/
multi = B_TRUE;
app = NULL;
} else if (S_ISREG(buf.st_mode)) {
/*
* app-generic file exists, so
* use it as a single file ks
*/
multi = B_FALSE;
app = NULL;
}
}
}
}
if (fd1 != -1)
(void) close(fd1);
if (fd2 != -1)
(void) close(fd2);
} else {
if (((fd1 = open(keystore_file,
O_NONBLOCK|O_RDONLY)) != -1) &&
(fstat(fd1, &buf) != -1) &&
S_ISDIR(buf.st_mode)) {
/*
* app-generic dir exists, so use
* it as a multi-file keystore
*/
multi = B_TRUE;
}
if (fd1 != -1)
(void) close(fd1);
}
if (app != NULL) {
/* app-specific keystore */
(void) snprintf(storepath, PATH_MAX, "%s/%s/%s",
keystore_file, app, TRUSTSTORE);
keystore->capath = xstrdup(storepath);
(void) snprintf(storepath, PATH_MAX, "%s/%s/%s",
keystore_file, app, CERTSTORE);
keystore->clpath = xstrdup(storepath);
(void) snprintf(storepath, PATH_MAX, "%s/%s/%s",
keystore_file, app, KEYSTORE);
keystore->keypath = xstrdup(storepath);
} else {
/* app-generic keystore */
if (!multi) {
/* single-file app-generic keystore */
keystore->capath = xstrdup(keystore_file);
keystore->keypath = NULL;
keystore->clpath = NULL;
} else {
/* multi-file app-generic keystore */
(void) snprintf(storepath, PATH_MAX, "%s/%s",
keystore_file, TRUSTSTORE);
keystore->capath = xstrdup(storepath);
(void) snprintf(storepath, PATH_MAX, "%s/%s",
keystore_file, CERTSTORE);
keystore->clpath = xstrdup(storepath);
(void) snprintf(storepath, PATH_MAX, "%s/%s",
keystore_file, KEYSTORE);
keystore->keypath = xstrdup(storepath);
}
}
return (B_TRUE);
}
/*
* lock_keystore - Locks a keystore for shared (read-only)
* or exclusive (read-write) access.
*
* The flags tell lock_keystore how to behave:
*
* KEYSTORE_ACCESS_READONLY
* opens keystore read-only. Attempts to modify results in an error
*
* KEYSTORE_ACCESS_READWRITE
* opens keystore read-write
*
* KEYSTORE_PATH_SOFT
* If the keystore file does not exist at <base>/<app> then
* use <base> as the path to the keystore. This can be used,
* for example, to access an app-specific keystore iff it
* exists, otherwise revert back to an app-generic keystore.
*
* KEYSTORE_PATH_HARD
* Always use the keystore located at <keystore_path>/<app>.
* In read/write mode, if the files do not exist, then
* they will be created. This is used to avoid falling
* back to an app-generic keystore path when the app-specific
* one does not exist.
*
* Arguments:
* err - Error object to add errors to
* flags - Control flags (see above description)
* keystore - object which is being locked
*
* Returns:
* 0 - Success - Keystore file is locked, paths to
* appropriate files placed in keystore.
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
lock_keystore(PKG_ERR *err, long flags, keystore_t *keystore)
{
boolean_t ret = B_TRUE;
struct stat buf;
switch (flags & KEYSTORE_ACCESS_MASK) {
case KEYSTORE_ACCESS_READONLY:
if ((keystore->cafd =
open(keystore->capath, O_NONBLOCK|O_RDONLY)) == -1) {
if (errno == ENOENT) {
/*
* no keystore. try to create an
* empty one so we can lock on it and
* prevent others from gaining
* exclusive access. It will be
* deleted when the keystore is closed.
*/
if ((keystore->cafd =
open(keystore->capath,
O_NONBLOCK|O_RDWR|O_CREAT|O_EXCL,
S_IRUSR|S_IWUSR)) == -1) {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_NO_KEYSTORE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_KEYSTORE_OPEN),
keystore->capath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
}
if (fstat(keystore->cafd, &buf) != -1) {
if (S_ISREG(buf.st_mode)) {
if (file_lock(keystore->cafd, F_RDLCK,
0) == -1) {
pkgerr_add(err, PKGERR_LOCKED,
gettext(ERR_KEYSTORE_LOCKED_READ),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
/* ca file not a regular file! */
pkgerr_add(err, PKGERR_READ,
gettext(ERR_NOT_REG),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_KEYSTORE_OPEN),
keystore->capath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
break;
case KEYSTORE_ACCESS_READWRITE:
if ((keystore->cafd = open(keystore->capath,
O_RDWR|O_NONBLOCK)) == -1) {
/* does not exist. try to create an empty one */
if (errno == ENOENT) {
if ((keystore->cafd =
open(keystore->capath,
O_NONBLOCK|O_RDWR|O_CREAT|O_EXCL,
S_IRUSR|S_IWUSR)) == -1) {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_KEYSTORE_WRITE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_KEYSTORE_OPEN),
keystore->capath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
}
if (fstat(keystore->cafd, &buf) != -1) {
if (S_ISREG(buf.st_mode)) {
if (file_lock(keystore->cafd, F_WRLCK,
0) == -1) {
pkgerr_add(err, PKGERR_LOCKED,
gettext(ERR_KEYSTORE_LOCKED),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
/* ca file not a regular file! */
pkgerr_add(err, PKGERR_READ,
gettext(ERR_NOT_REG),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
pkgerr_add(err, PKGERR_READ,
gettext(ERR_KEYSTORE_OPEN),
keystore->capath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
break;
default:
pkgerr_add(err, PKGERR_INTERNAL,
gettext(ERR_KEYSTORE_INTERNAL),
__FILE__, __LINE__);
ret = B_FALSE;
goto cleanup;
}
cleanup:
if (!ret) {
if (keystore->cafd > 0) {
(void) file_unlock(keystore->cafd);
(void) close(keystore->cafd);
keystore->cafd = -1;
}
if (keystore->capath != NULL)
free(keystore->capath);
if (keystore->clpath != NULL)
free(keystore->clpath);
if (keystore->keypath != NULL)
free(keystore->keypath);
keystore->capath = NULL;
keystore->clpath = NULL;
keystore->keypath = NULL;
}
return (ret);
}
/*
* unlock_keystore - Unocks a keystore
*
* Arguments:
* err - Error object to add errors to
* keystore - keystore object to unlock
* Returns:
* 0 - Success - Keystore files are unlocked, files are closed,
* non-zero - Failure, errors and reasons recorded in err
*/
/* ARGSUSED */
static boolean_t
unlock_keystore(PKG_ERR *err, keystore_t *keystore)
{
/*
* Release lock on the CA file.
* Delete file if it is empty
*/
if (file_empty(keystore->capath)) {
(void) remove(keystore->capath);
}
(void) file_unlock(keystore->cafd);
(void) close(keystore->cafd);
return (B_TRUE);
}
/*
* read_keystore - Reads keystore files of disk, parses
* into internal structures.
*
* Arguments:
* err - Error object to add errors to
* keystore - keystore object to read into
* cb - callback to get password, if required
* Returns:
* 0 - Success - Keystore files are read, and placed
* into keystore structure.
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
read_keystore(PKG_ERR *err, keystore_t *keystore, keystore_passphrase_cb cb)
{
boolean_t ret = B_TRUE;
PKCS12 *p12 = NULL;
boolean_t ca_empty;
boolean_t have_passwd = B_FALSE;
boolean_t cl_empty = B_TRUE;
boolean_t key_empty = B_TRUE;
ca_empty = file_empty(keystore->capath);
if (keystore->clpath != NULL)
cl_empty = file_empty(keystore->clpath);
if (keystore->keypath != NULL)
key_empty = file_empty(keystore->keypath);
if (ca_empty && cl_empty && key_empty) {
keystore->new = B_TRUE;
}
if (!ca_empty) {
/* first read the ca file */
if ((p12 = read_keystore_file(err,
keystore->capath)) == NULL) {
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
ret = B_FALSE;
goto cleanup;
}
/* Get password, using callback if necessary */
if (!have_passwd) {
if (!get_keystore_passwd(err, p12, cb, keystore)) {
ret = B_FALSE;
goto cleanup;
}
have_passwd = B_TRUE;
}
/* decrypt and parse keystore file */
if (sunw_PKCS12_contents(p12, keystore->passphrase,
&keystore->pkeys, &keystore->cacerts) < 0) {
/* could not parse the contents */
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
p12 = NULL;
} else {
/*
* truststore is empty, so we don't have any trusted
* certs
*/
keystore->cacerts = NULL;
}
/*
* if there is no cl file or key file, use the cl's and key's found
* in the ca file
*/
if (keystore->clpath == NULL && !ca_empty) {
if (sunw_split_certs(keystore->pkeys, keystore->cacerts,
&keystore->clcerts, NULL) < 0) {
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT), keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
/*
* files are in separate files. read keys out of the keystore
* certs out of the certstore, if they are not empty
*/
if (!cl_empty) {
if ((p12 = read_keystore_file(err,
keystore->clpath)) == NULL) {
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT),
keystore->clpath);
ret = B_FALSE;
goto cleanup;
}
/* Get password, using callback if necessary */
if (!have_passwd) {
if (!get_keystore_passwd(err, p12, cb,
keystore)) {
ret = B_FALSE;
goto cleanup;
}
have_passwd = B_TRUE;
}
if (check_password(p12,
keystore->passphrase) == B_FALSE) {
/*
* password in client cert file
* is different than
* the one in the other files!
*/
pkgerr_add(err, PKGERR_BADPASS,
gettext(ERR_MISMATCHPASS),
keystore->clpath,
keystore->capath, keystore->path);
ret = B_FALSE;
goto cleanup;
}
if (sunw_PKCS12_contents(p12, keystore->passphrase,
NULL, &keystore->clcerts) < 0) {
/* could not parse the contents */
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT),
keystore->clpath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
p12 = NULL;
} else {
keystore->clcerts = NULL;
}
if (!key_empty) {
if ((p12 = read_keystore_file(err,
keystore->keypath)) == NULL) {
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT),
keystore->keypath);
ret = B_FALSE;
goto cleanup;
}
/* Get password, using callback if necessary */
if (!have_passwd) {
if (!get_keystore_passwd(err, p12, cb,
keystore)) {
ret = B_FALSE;
goto cleanup;
}
have_passwd = B_TRUE;
}
if (check_password(p12,
keystore->passphrase) == B_FALSE) {
pkgerr_add(err, PKGERR_BADPASS,
gettext(ERR_MISMATCHPASS),
keystore->keypath,
keystore->capath, keystore->path);
ret = B_FALSE;
goto cleanup;
}
if (sunw_PKCS12_contents(p12, keystore->passphrase,
&keystore->pkeys, NULL) < 0) {
/* could not parse the contents */
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT),
keystore->keypath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
p12 = NULL;
} else {
keystore->pkeys = NULL;
}
}
cleanup:
if (p12 != NULL)
PKCS12_free(p12);
return (ret);
}
/*
* get_keystore_password - retrieves pasword used to
* decrypt PKCS12 structure.
*
* Arguments:
* err - Error object to add errors to
* p12 - PKCS12 structure which returned password should
* decrypt
* cb - callback to collect password.
* keystore - The keystore in which the PKCS12 structure
* will eventually populate.
* Returns:
* B_TRUE - success.
* keystore password is set in keystore->passphrase.
* B_FALSE - failure, errors logged
*/
static boolean_t
get_keystore_passwd(PKG_ERR *err, PKCS12 *p12, keystore_passphrase_cb cb,
keystore_t *keystore)
{
char *passwd;
char passbuf[KEYSTORE_PASS_MAX + 1];
keystore_passphrase_data data;
/* see if no password is the right password */
if (check_password(p12, "") == B_TRUE) {
passwd = "";
} else if (check_password(p12, NULL) == B_TRUE) {
passwd = NULL;
} else {
/* oops, it's encrypted. get password */
data.err = err;
if (cb(passbuf, KEYSTORE_PASS_MAX, 0,
&data) == -1) {
/* could not get password */
return (B_FALSE);
}
if (check_password(p12, passbuf) == B_FALSE) {
/* wrong password */
pkgerr_add(err, PKGERR_BADPASS,
gettext(ERR_BADPASS));
return (B_FALSE);
}
/*
* make copy of password buffer, since it
* goes away upon return
*/
passwd = xstrdup(passbuf);
}
keystore->passphrase = passwd;
return (B_TRUE);
}
/*
* write_keystore - Writes keystore files to disk
*
* Arguments:
* err - Error object to add errors to
* keystore - keystore object to write from
* passwd - password used to encrypt keystore
* Returns:
* 0 - Success - Keystore contents are written out to
* the same locations as read from
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
write_keystore(PKG_ERR *err, keystore_t *keystore,
keystore_passphrase_cb cb)
{
PKCS12 *p12 = NULL;
boolean_t ret = B_TRUE;
keystore_passphrase_data data;
char passbuf[KEYSTORE_PASS_MAX + 1];
if (keystore->capath != NULL && keystore->clpath == NULL &&
keystore->keypath == NULL) {
/*
* keystore is a file.
* just write out a single file
*/
if ((keystore->pkeys == NULL) &&
(keystore->clcerts == NULL) &&
(keystore->cacerts == NULL)) {
if (!clear_keystore_file(err, keystore->capath)) {
/*
* no keys or certs to write out, so
* blank the ca file. we do not
* delete it since it is used as a
* lock by lock_keystore() in
* subsequent invocations
*/
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
} else {
/*
* if the keystore is being created for the first time,
* prompt for a passphrase for encryption
*/
if (keystore->new) {
data.err = err;
if (cb(passbuf, KEYSTORE_PASS_MAX,
1, &data) == -1) {
ret = B_FALSE;
goto cleanup;
}
} else {
/*
* use the one used when the keystore
* was read
*/
strlcpy(passbuf, keystore->passphrase,
KEYSTORE_PASS_MAX);
}
p12 = sunw_PKCS12_create(passbuf, keystore->pkeys,
keystore->clcerts, keystore->cacerts);
if (p12 == NULL) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_FORM),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
if (!write_keystore_file(err, keystore->capath, p12)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
}
} else {
/* files are seprate. Do one at a time */
/*
* if the keystore is being created for the first time,
* prompt for a passphrase for encryption
*/
if (keystore->new && ((keystore->pkeys != NULL) ||
(keystore->clcerts != NULL) ||
(keystore->cacerts != NULL))) {
data.err = err;
if (cb(passbuf, KEYSTORE_PASS_MAX,
1, &data) == -1) {
ret = B_FALSE;
goto cleanup;
}
} else {
/* use the one used when the keystore was read */
strlcpy(passbuf, keystore->passphrase,
KEYSTORE_PASS_MAX);
}
/* do private keys first */
if (keystore->pkeys != NULL) {
p12 = sunw_PKCS12_create(passbuf, keystore->pkeys,
NULL, NULL);
if (p12 == NULL) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_FORM),
keystore->keypath);
ret = B_FALSE;
goto cleanup;
}
if (!write_keystore_file(err, keystore->keypath,
p12)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->keypath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
} else {
if ((remove(keystore->keypath) != 0) &&
(errno != ENOENT)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_REMOVE),
keystore->keypath);
ret = B_FALSE;
goto cleanup;
}
}
/* do user certs next */
if (keystore->clcerts != NULL) {
p12 = sunw_PKCS12_create(passbuf, NULL,
keystore->clcerts, NULL);
if (p12 == NULL) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_FORM),
keystore->clpath);
ret = B_FALSE;
goto cleanup;
}
if (!write_keystore_file(err, keystore->clpath, p12)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->clpath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
} else {
if ((remove(keystore->clpath) != 0) &&
(errno != ENOENT)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_REMOVE),
keystore->clpath);
ret = B_FALSE;
goto cleanup;
}
}
/* finally do CA cert file */
if (keystore->cacerts != NULL) {
p12 = sunw_PKCS12_create(passbuf, NULL,
NULL, keystore->cacerts);
if (p12 == NULL) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_FORM),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
if (!write_keystore_file(err, keystore->capath, p12)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
PKCS12_free(p12);
p12 = NULL;
} else {
/*
* nothing to write out, so truncate the file
* (it will be deleted during close_keystore)
*/
if (!clear_keystore_file(err, keystore->capath)) {
pkgerr_add(err, PKGERR_WRITE,
gettext(ERR_KEYSTORE_WRITE),
keystore->capath);
ret = B_FALSE;
goto cleanup;
}
}
}
cleanup:
if (p12 != NULL)
PKCS12_free(p12);
return (ret);
}
/*
* clear_keystore_file - Clears (zeros out) a keystore file.
*
* Arguments:
* err - Error object to add errors to
* dest - Path of keystore file to zero out.
* Returns:
* 0 - Success - Keystore file is truncated to zero length
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
clear_keystore_file(PKG_ERR *err, char *dest)
{
int fd;
struct stat buf;
fd = open(dest, O_RDWR|O_NONBLOCK);
if (fd == -1) {
/* can't open for writing */
pkgerr_add(err, PKGERR_WRITE, gettext(MSG_OPEN),
errno);
return (B_FALSE);
}
if ((fstat(fd, &buf) == -1) || !S_ISREG(buf.st_mode)) {
/* not a regular file */
(void) close(fd);
pkgerr_add(err, PKGERR_WRITE, gettext(ERR_NOT_REG),
dest);
return (B_FALSE);
}
if (ftruncate(fd, 0) == -1) {
(void) close(fd);
pkgerr_add(err, PKGERR_WRITE, gettext(ERR_WRITE),
dest, strerror(errno));
return (B_FALSE);
}
(void) close(fd);
return (B_TRUE);
}
/*
* write_keystore_file - Writes keystore file to disk.
*
* Keystore files can possibly be corrupted by a variety
* of error conditions during reading/writing. This
* routine, along with restore_keystore_file, tries to
* maintain keystore integity by writing the files
* out in a particular order, minimizing the time period
* that the keystore is in an indeterminate state.
*
* With the current implementation, there are some failures
* that are wholly unrecoverable, such as disk corruption.
* These routines attempt to minimize the risk, but not
* eliminate it. When better, atomic operations are available
* (such as a true database with commit, rollback, and
* guaranteed atomicity), this implementation should use that.
*
*
* Arguments:
* err - Error object to add errors to
* dest - Destination filename
* contents - Contents to write to the file
* Returns:
* 0 - Success - Keystore contents are written out to
* the destination.
* non-zero - Failure, errors and reasons recorded in err
*/
static boolean_t
write_keystore_file(PKG_ERR *err, char *dest, PKCS12 *contents)
{
FILE *newfile = NULL;
boolean_t ret = B_TRUE;
char newpath[MAXPATHLEN];
char backuppath[MAXPATHLEN];
struct stat buf;
int fd;
(void) snprintf(newpath, MAXPATHLEN, "%s.new", dest);
(void) snprintf(backuppath, MAXPATHLEN, "%s.bak", dest);
if ((fd = open(newpath, O_CREAT|O_EXCL|O_WRONLY|O_NONBLOCK,
S_IRUSR|S_IWUSR)) == -1) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
newpath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
if (fstat(fd, &buf) == -1) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
newpath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
if (!S_ISREG(buf.st_mode)) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_NOT_REG),
newpath);
ret = B_FALSE;
goto cleanup;
}
if ((newfile = fdopen(fd, "w")) == NULL) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
newpath, strerror(errno));
ret = B_FALSE;
goto cleanup;
}
if (i2d_PKCS12_fp(newfile, contents) == 0) {
pkgerr_add(err, PKGERR_WRITE, gettext(ERR_KEYSTORE_WRITE),
newpath);
ret = B_FALSE;
goto cleanup;
}
/* flush, then close */
(void) fflush(newfile);
(void) fclose(newfile);
newfile = NULL;
/* now back up the original file */
(void) rename(dest, backuppath);
/* put new one in its place */
(void) rename(newpath, dest);
/* remove backup */
(void) remove(backuppath);
cleanup:
if (newfile != NULL)
(void) fclose(newfile);
if (fd != -1)
(void) close(fd);
return (ret);
}
/*
* read_keystore_file - Reads single keystore file
* off disk in PKCS12 format.
*
* Arguments:
* err - Error object to add errors to
* file - File path to read
* Returns:
* PKCS12 contents of file, or NULL if an error occurred.
* errors recorded in 'err'.
*/
static PKCS12
*read_keystore_file(PKG_ERR *err, char *file)
{
int fd;
struct stat buf;
FILE *newfile;
PKCS12 *p12 = NULL;
if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
file, strerror(errno));
goto cleanup;
}
if (fstat(fd, &buf) == -1) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
file, strerror(errno));
goto cleanup;
}
if (!S_ISREG(buf.st_mode)) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_NOT_REG),
file);
goto cleanup;
}
if ((newfile = fdopen(fd, "r")) == NULL) {
pkgerr_add(err, PKGERR_READ, gettext(ERR_KEYSTORE_OPEN),
file, strerror(errno));
goto cleanup;
}
if ((p12 = d2i_PKCS12_fp(newfile, NULL)) == NULL) {
pkgerr_add(err, PKGERR_CORRUPT,
gettext(ERR_KEYSTORE_CORRUPT), file);
goto cleanup;
}
cleanup:
if (newfile != NULL)
(void) fclose(newfile);
if (fd != -1)
(void) close(fd);
return (p12);
}
/*
* Locks the specified file.
*/
static int
file_lock(int fd, int type, int wait)
{
struct flock lock;
lock.l_type = type;
lock.l_start = 0;
lock.l_whence = SEEK_SET;
lock.l_len = 0;
if (!wait) {
if (file_lock_test(fd, type)) {
/*
* The caller would have to wait to get the
* lock on this file.
*/
return (-1);
}
}
return (fcntl(fd, F_SETLKW, &lock));
}
/*
* Returns FALSE if the file is not locked; TRUE
* otherwise.
*/
static boolean_t
file_lock_test(int fd, int type)
{
struct flock lock;
lock.l_type = type;
lock.l_start = 0;
lock.l_whence = SEEK_SET;
lock.l_len = 0;
if (fcntl(fd, F_GETLK, &lock) != -1) {
if (lock.l_type != F_UNLCK) {
/*
* The caller would have to wait to get the
* lock on this file.
*/
return (B_TRUE);
}
}
/*
* The file is not locked.
*/
return (B_FALSE);
}
/*
* Unlocks the specified file.
*/
static int
file_unlock(int fd)
{
struct flock lock;
lock.l_type = F_UNLCK;
lock.l_start = 0;
lock.l_whence = SEEK_SET;
lock.l_len = 0;
return (fcntl(fd, F_SETLK, &lock));
}
/*
* Determines if file has a length of 0 or not
*/
static boolean_t
file_empty(char *path)
{
struct stat buf;
/* file is empty if size = 0 or it doesn't exist */
if (lstat(path, &buf) == 0) {
if (buf.st_size == 0) {
return (B_TRUE);
}
} else {
if (errno == ENOENT) {
return (B_TRUE);
}
}
return (B_FALSE);
}
/*
* Name: get_time_string
* Description: Generates a human-readable string from an ASN1_TIME
*
* Arguments: intime - The time to convert
*
* Returns : A pointer to a static string representing the passed-in time.
*/
static char
*get_time_string(ASN1_TIME *intime)
{
static char time[ATTR_MAX];
BIO *mem;
char *p;
if (intime == NULL) {
return (NULL);
}
if ((mem = BIO_new(BIO_s_mem())) == NULL) {
return (NULL);
}
if (ASN1_TIME_print(mem, intime) == 0) {
(void) BIO_free(mem);
return (NULL);
}
if (BIO_gets(mem, time, ATTR_MAX) <= 0) {
(void) BIO_free(mem);
return (NULL);
}
(void) BIO_free(mem);
/* trim the end of the string */
for (p = time + strlen(time) - 1; isspace(*p); p--) {
*p = '\0';
}
return (time);
}
/*
* check_password - do various password checks to see if the current password
* will work or we need to prompt for a new one.
*
* Arguments:
* pass - password to check
*
* Returns:
* B_TRUE - Password is OK.
* B_FALSE - Password not valid.
*/
static boolean_t
check_password(PKCS12 *p12, char *pass)
{
boolean_t ret = B_TRUE;
/*
* If password is zero length or NULL then try verifying both cases
* to determine which password is correct. The reason for this is that
* under PKCS#12 password based encryption no password and a zero
* length password are two different things...
*/
/* Check the mac */
if (pass == NULL || *pass == '\0') {
if (PKCS12_verify_mac(p12, NULL, 0) == 0 &&
PKCS12_verify_mac(p12, "", 0) == 0)
ret = B_FALSE;
} else if (PKCS12_verify_mac(p12, pass, -1) == 0) {
ret = B_FALSE;
}
return (ret);
}