KMSAgentPKICommon.h revision 12720:3db6e0082404 
1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26/*-------------------------------------------------------------------------*/
27/**
28 * \file KMSAgentPKICommon.h
29 *
30 * X.509 Certificate and Private Key Support Interface
31 *
32 * This module provides simple interfaces to support SSL communication
33 * for the KMS Agent enrollment protocol.  Basic classes supporting
34 * X.509 certificates, private key management are provided and hide
35 * specific implementations from users of these classes.
36 */
37/*-------------------------------------------------------------------------*/
38
39#ifndef K_KMSAgentPKICommon_h
40#define K_KMSAgentPKICommon_h
41
42#ifdef WIN32
43#pragma warning(disable: 4786)
44#endif
45
46#define MAX_CERT_SIZE                                       4096
47#define MAX_KEY_SIZE                                        4096
48
49#define DEFAULT_KEY_SIZE                                    2048
50
51#ifdef KMSUSERPKCS12
52enum EnumPKIFileFormat { FILE_FORMAT_DER, FILE_FORMAT_PEM, FILE_FORMAT_PKCS12 };
53#else
54enum EnumPKIFileFormat { FILE_FORMAT_DER, FILE_FORMAT_PEM };
55#endif
56
57/**
58 *   This class provides a simple interface for the management of
59 *   public keys.  Simple load and store operations are provided for
60 *   storage and retrieval from memory buffers.
61 */
62class CPublicKey
63{
64
65public:
66
67	CPublicKey();
68
69	/**
70     * This method saves public key into a buffer,
71     * it also returns the actual used buffer length.
72     * @param i_pcBuffer Buffer to receive public key
73     * @param i_iBufferLength length of the buffer provided
74     * @param o_pActualLength actual length of the public key stored into the buffer
75     * @param i_iFormat key format, @see EnumPKIFileFormat
76     */
77    bool Save(unsigned char * const i_pcBuffer,
78            int                     i_iBufferLength,
79            int * const             o_pActualLength,
80			int                     i_iFormat);
81   /**
82     *  This method loads the public key from a buffer
83     *  @param i_pcBuffer
84     *  @param i_iLength
85     *  @param i_iFormat   one of the enums from EnumPKIFileFormat,
86     *                     only FILE_FORMAT_PEM is supported.
87     *  @return true for success, false otherwise
88     */
89    bool Load (unsigned char * const i_pcBuffer,
90               int i_iLength,
91               int i_iFormat);
92
93   /**
94     *   use this object's public key to encrypt plaintext buffer
95     */
96    bool Encrypt (int i_iLength,
97                  const unsigned char * const i_pcPlainText,
98                  unsigned char * const o_pcCypherText,
99                  int * const o_pActualLength);
100
101    ~CPublicKey();
102
103private:
104   void *m_pPublicKeyImpl;
105};
106
107/**
108 *   This class provides a simple interface for the management of
109 *   private keys.  Simple load and store operations are provided for
110 *   storage and retrieval from memory buffers.
111 *
112 */
113class CPrivateKey
114{
115
116  public:
117
118   CPrivateKey();
119
120   /**
121    *   Saves the private key to a memory buffer specified by
122    *   i_pcBuffer. Currently just the PEM format is supported.
123    *   Specification of a passphrase allows encryption of the private
124    *   key subject to the choice of the implementation.
125    *
126    *   @param[in]   i_pcBuffer
127    *   @param[in]   i_iBufferLength
128    *   @param[out]  o_pActualLength
129    *   @param[in]   i_pPassphrase optional, if non-null the private key is
130    *   wrapped using this passphrase
131    *   @param[in]   i_iFormat   one of the enums from EnumPKIFileFormat,
132    *                      only FILE_FORMAT_PEM is supported.
133    *   @return true for success, false otherwise
134    */
135   bool Save( unsigned char * const      i_pcBuffer,
136              int                        i_iBufferLength,
137              int * const                o_pActualLength,
138              const char * const         i_pPassphrase,
139              int                        i_iFormat );
140
141   /**
142    *  This method loads the private key from a buffer
143    *  @param i_pcBuffer
144    *  @param i_iLength
145    *  @param i_pPassphrase optional, if non-null the private key is
146    *   unwrapped using this passphrase
147    *  @param i_iFormat   one of the enums from EnumPKIFileFormat,
148    *                     only FILE_FORMAT_PEM is supported.
149    *  @return true for success, false otherwise
150    */
151   bool Load(unsigned char * const i_pcBuffer,
152             int                   i_iLength,
153             const char * const    i_pPassphrase,
154             int                   i_iFormat);
155
156   ~CPrivateKey();
157
158#ifdef KMSUSERPKCS12
159	void *GetNative();
160	void SetNative(void *);
161#endif
162  private:
163   void *m_pPKeyImpl;
164
165};
166
167/**
168 *   This class provides a simple interface for managing X.509
169 *   certificates providing only simple load and save operations for
170 *   storage and retrieval.
171 *
172 */
173class CCertificate
174{
175
176public:
177	CCertificate();
178
179	~CCertificate();
180
181    /**
182     *   save the certificate to the specified file name. Currently,
183     *   only FILE_FORMAT_PEM is supported.
184     */
185	bool Save(  const char * const  i_pcFileName,
186                int                 i_iFormat);
187
188    /**
189     *  save the certificate to the specified buffer. Currently, only
190     *  FILE_FORMAT_PEM is supported.
191     */
192	bool Save( unsigned char * const i_pcBuffer,
193               int                   i_iBufferLength,
194               int * const           o_pActualLength,
195               int                   i_iFormat);
196
197    /**
198     *   load a certificate from the specified filename. Currently,
199     *   only FILE_FORMAT_PEM is supported.
200     */
201    bool Load( const char * const i_pcFileName,
202               int                i_iFormat );
203
204    /**
205     *   load a certificate from the specified buffer. Currently, only
206     *   FILE_FORMAT_PEM is supported.
207     */
208    bool Load( unsigned char * const i_pcBuffer,
209               int                   i_iLength,
210               int                   i_iFormat );
211
212    /**
213     *   prints the certificate to stdout
214     */
215    bool Dump();
216
217#ifdef KMSUSERPKCS12
218	bool LoadPKCS12CertAndKey(char *filename,
219		int i_iFormat,
220		CPrivateKey *i_pPrivateKey,
221		char *i_pPassphrase);
222
223	bool SavePKCS12(
224	    unsigned char *i_pcBuffer,
225	    int i_iBufferLength,
226	    int *o_pActualLength,
227	    CPrivateKey* i_pPrivateKey,
228	    char* i_sPassphrase );
229#endif
230
231private:
232    /**
233     *  an opague pointer to implementation specific resources to be
234     *  freed by the Destructor.
235     */
236    void    *m_pCertImpl;
237#ifdef KMSUSERPKCS12
238    /**
239     * saves certificate to PKCS#12 memory BIO
240     * @param i_pPrivateKey
241     * @param i_sPassphrase
242     * @return pointer to the Memory BIO
243     */
244    void* SaveCertToPKCS12MemoryBIO(
245            CPrivateKey* i_pPrivateKey,
246            char *i_sPassphrase);
247#endif
248
249};
250
251
252/**
253 *  This class provides a method for storing an X.509 certificate and
254 *  private key to a file.  The private key is appended to the
255 *  certificate and optionally encrypted with the specified passphrase
256 *  for encoding and storage in PEM format.
257 */
258class CPKI
259{
260  public:
261   CPKI();
262   ~CPKI();
263
264  public:
265
266      /**
267       *   exports a certificate and associated private key to the
268       *   specified file.
269       *   @param i_pCertificate a pointer to an instance of a certificate
270       *   @param i_pPrivateKey  a pointer to an instance of a private key
271       *   @param i_pcFileName  the name of the file to store the cert and private key
272       *   @param i_sPassphrase optional but when provided supplies a
273       *   pass phrase to use for encrypting the private key.  The cipher
274       *   used for encryption is determined by the underlying implementation
275       *   which for the reference implementation uses triple DES by default.
276       *   @param i_eFileFormat the encoding format to use for the certificate and private key
277       */
278      bool ExportCertAndKeyToFile(
279            CCertificate* const         i_pCertificate,
280            CPrivateKey*  const         i_pPrivateKey,
281            const char* const           i_pcFileName,
282            const char* const           i_sPassphrase,
283            EnumPKIFileFormat           i_eFileFormat );
284
285  private:
286
287   int m_iKeyLength;
288
289   CCertificate *m_pCACertificate;
290   CPrivateKey *m_pCAPrivateKey;
291 };
292
293#endif  //K_KMSAgentPKICommon_h
294