[apple/security.git] / SecurityTests / clxutils / certSerialEncodeTest / certSerialEncodeTest.cpp

/* Copyright (c) 2006 Apple Computer, Inc.
 *
 * certSerialEncodeTest.cpp
 *
 * Verify proper encoding of unsigned integer as a DER_encoded signed integer.
 * Verifies Radar 4471281.
 *
 */

#include <utilLib/common.h>
#include <utilLib/cspwrap.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <clAppUtils/clutils.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <Security/cssm.h>
#include <Security/x509defs.h>
#include <Security/oidsattr.h>
#include <Security/oidscert.h>
#include <Security/oidsalg.h>
#include <Security/certextensions.h>
#include <Security/cssmapple.h>
#include <string.h>

#define SUBJ_KEY_LABEL		"subjectKey"
#define ROOT_KEY_LABEL		"rootKey"
/* default key and signature algorithm */
#define SIG_ALG_DEFAULT		CSSM_ALGID_SHA1WithRSA
#define SIG_OID_DEFAULT		CSSMOID_SHA1WithRSA
#define KEY_ALG_DEFAULT		CSSM_ALGID_RSA

/* for write certs/keys option */
#define ROOT_CERT_FILE_NAME		"ssRootCert.cer"
#define SUBJ_CERT_FILE_NAME		"ssSubjCert.cer"

/* public key in ref form, TP supports this as of 1/30/02 */
#define PUB_KEY_IS_REF			CSSM_TRUE

static void usage(char **argv)
{
	printf("Usage: %s [options]\n", argv[0]);
	printf("Options:\n");
	printf("    w[rite certs]\n");
	printf("    p(ause for MallocDebug)\n");
	printf("    q(uiet)\n");
	exit(1);
}

/*
 * RDN components
 */
static CSSM_APPLE_TP_NAME_OID rootRdn[] = 
{
	{ "Apple Computer",					&CSSMOID_OrganizationName },
	{ "The Big Cheesy Debug Root",		&CSSMOID_CommonName }
};
#define NUM_ROOT_NAMES	(sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))

/* test cases */
typedef struct {
	uint32		serialIn;		/* --> CSSM_TP_SubmitCredRequest */
	CSSM_SIZE	expectLen;	
	const uint8	*expect;
} SerialNumber;

/* 0x7f */
static const uint8 sn0_Data[1] = {0x7f};
static const SerialNumber sn0 = {0x7f, 1, sn0_Data };

/* 0x80 */
static const uint8 sn1_Data[2] = {0x00, 0x80};
static const SerialNumber sn1 = {0x80, 2, sn1_Data };

/* 0x7ff */
static const uint8 sn2_Data[2] = {0x07, 0xff};
static const SerialNumber sn2 = {0x7ff, 2, sn2_Data };

/* 0x80ff */
static const uint8 sn3_Data[3] = {0x00, 0x80, 0xff};
static const SerialNumber sn3 = {0x80ff, 3, sn3_Data };

/* 0xfffffff */
static const uint8 sn4_Data[4] = {0x0f, 0xff, 0xff, 0xff};
static const SerialNumber sn4 = {0xfffffff, 4, sn4_Data };

/* 0x0fffffff */
static const uint8 sn5_Data[4] = {0x0f, 0xff, 0xff, 0xff};
static const SerialNumber sn5 = {0x0fffffff, 4, sn5_Data };

/* 0x80000000 */
static const uint8 sn6_Data[5] = {0x00, 0x80, 0x00, 0x00, 0x00};
static const SerialNumber sn6 = {0x80000000, 5, sn6_Data };

static const SerialNumber *serialNumbers[] = {
	&sn0, &sn1, &sn2, &sn3, &sn4, &sn5, &sn6
};
#define NUM_SERIAL_NUMS (sizeof(serialNumbers) / sizeof(serialNumbers[0]))

static int doTest(
	CSSM_CL_HANDLE	clHand,			// CL handle
	CSSM_CSP_HANDLE	cspHand,		// CSP handle
	CSSM_TP_HANDLE	tpHand,			// TP handle
	CSSM_KEY_PTR	subjPubKey,
	CSSM_KEY_PTR	signerPrivKey,
	uint32			serialNumIn,
	CSSM_SIZE		serialNumExpLen,
	const uint8		*serialNumExp,
	CSSM_BOOL		quiet,
	CSSM_BOOL 		writeBlobs)
{
	CSSM_DATA					refId;			// mallocd by CSSM_TP_SubmitCredRequest
	CSSM_APPLE_TP_CERT_REQUEST	certReq;
	CSSM_TP_REQUEST_SET			reqSet;
	sint32						estTime;
	CSSM_BOOL					confirmRequired;
	CSSM_TP_RESULT_SET_PTR		resultSet;
	CSSM_ENCODED_CERT			*encCert;
	CSSM_TP_CALLERAUTH_CONTEXT 	CallerAuthContext;
	CSSM_FIELD					policyId;
	CSSM_RETURN					crtn;
	CSSM_DATA					*signedRootCert;
	int							ourRtn = 0;
	CSSM_DATA_PTR 				foundSerial = NULL;
	CSSM_HANDLE 				resultHand = 0;
	uint32 						numFields;

	/* certReq for root */
	memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
	certReq.cspHand = cspHand;
	certReq.clHand = clHand;
	certReq.serialNumber = serialNumIn;
	certReq.numSubjectNames = NUM_ROOT_NAMES;
	certReq.subjectNames = rootRdn;
	certReq.numIssuerNames = 0;
	certReq.issuerNames = NULL;
	certReq.certPublicKey = subjPubKey;
	certReq.issuerPrivateKey = signerPrivKey;
	certReq.signatureAlg = CSSM_ALGID_SHA1WithRSA;
	certReq.signatureOid = CSSMOID_SHA1WithRSA;
	certReq.notBefore = 0;			// now
	certReq.notAfter = 10000;		// seconds from now
	certReq.numExtensions = 0;
	certReq.extensions = NULL;
	
	reqSet.NumberOfRequests = 1;
	reqSet.Requests = &certReq;
	
	/* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
	memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
	memset(&policyId, 0, sizeof(CSSM_FIELD));
	policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
	CallerAuthContext.Policy.NumberOfPolicyIds = 1;
	CallerAuthContext.Policy.PolicyIds = &policyId;
	
	/* generate root cert */
	if(!quiet) {
		printf("Creating root cert...\n");
	}
	crtn = CSSM_TP_SubmitCredRequest(tpHand,
		NULL,				// PreferredAuthority
		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
		&reqSet,
		&CallerAuthContext,	
		&estTime,
		&refId);
	if(crtn) {
		printError("CSSM_TP_SubmitCredRequest", crtn);
		ourRtn = -1;
		goto errOut;
	}
	crtn = CSSM_TP_RetrieveCredResult(tpHand,
		&refId,
		NULL,				// CallerAuthCredentials
		&estTime,
		&confirmRequired,
		&resultSet);
	if(crtn) {
		printError("CSSM_TP_RetrieveCredResult", crtn);
		ourRtn = -1;
		goto errOut;
	}
	if(resultSet == NULL) {
		printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
		ourRtn = -1;
		goto errOut;
	}
	encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
	signedRootCert = &encCert->CertBlob;
	if(writeBlobs) {
		writeFile(ROOT_CERT_FILE_NAME, signedRootCert->Data, signedRootCert->Length);
		printf("...wrote %lu bytes to %s\n", signedRootCert->Length, 
			ROOT_CERT_FILE_NAME);
	}

	/* make sure it self-verifies */
	crtn = CSSM_CL_CertVerify(clHand, 0 /* CCHandle */,
		signedRootCert, signedRootCert,
		NULL, 0);
	if(crtn) {
		cssmPerror("CSSM_CL_CertVerify", crtn);
		printf("***Created cert does not self-verify\n");
		ourRtn = -1;
		goto errOut;
	}

	/* extract the field we're interested in verifying */
	crtn = CSSM_CL_CertGetFirstFieldValue(clHand, signedRootCert,
		&CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &foundSerial);
	if(crtn) {
		cssmPerror("CSSM_CL_CertGetFirstFieldValue(serialNumber)", crtn);
		printf("***Can't obtain serial number\n");
		ourRtn = -1;
		goto errOut;
	}
	CSSM_CL_CertAbortQuery(clHand, resultHand);
	if(foundSerial->Length != serialNumExpLen) {
		printf("***expected serialNumber len 0x%lu, got 0x%lu\n",
			(unsigned long)serialNumExpLen, (unsigned long)foundSerial->Length);
		ourRtn = -1;
		goto errOut;
	}
	for(unsigned dex=0; dex<serialNumExpLen; dex++) {
		if(foundSerial->Data[dex] != serialNumExp[dex]) {
			printf("***SerialNumber mismatch at index %u: exp %02X got %02X\n",
				dex, (unsigned)serialNumExp[dex], 
				(unsigned)foundSerial->Data[dex]);
			ourRtn = -1;
		}
	}
	/* free retrieved serial number and the result set itself */
	CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, foundSerial);
	CSSM_FREE(signedRootCert->Data);
	CSSM_FREE(encCert);
	CSSM_FREE(resultSet);
	/* Per the spec, this is supposed to be Opaque to us and the TP is supposed to free
	 * it when it goes out of scope...but libsecurity_keychains's 
	 * CertificateRequest::submitDotMac() frees this...that would have to change
	 * in order for the TP to free this properly. Someday maybe. No big deal. 
	 */
	CSSM_FREE(refId.Data);
errOut:
	return ourRtn;
}

int main(int argc, char **argv)
{
	CSSM_CL_HANDLE	clHand;			// CL handle
	CSSM_CSP_HANDLE	cspHand;		// CSP handle
	CSSM_TP_HANDLE	tpHand;			// TP handle
	CSSM_KEY		rootPubKey;		// root's RSA public key blob
	CSSM_KEY		rootPrivKey;	// root's RSA private key - ref format
	CSSM_RETURN		crtn;
	int				arg;
	unsigned 		dex;
	int 			ourRtn = 0;
	uint32			keySizeInBits = 512;
	CSSM_BOOL		doPause = CSSM_FALSE;

	/* user-spec'd variables */
	CSSM_BOOL		writeBlobs = CSSM_FALSE;
	CSSM_BOOL		quiet = CSSM_FALSE;

	for(arg=1; arg<argc; arg++) {
		switch(argv[arg][0]) {
			case 'w':
				writeBlobs = CSSM_TRUE;
				break;
			case 'q':
				quiet = CSSM_TRUE;
				break;
			case 'p':
				doPause = CSSM_TRUE;
				break;
			default:
				usage(argv);
		}
	}
	
	testStartBanner("certSerialEncodeTest", argc, argv);
	
	
	/* connect to CL, TP, and CSP */
	clHand = clStartup();
	if(clHand == 0) {
		return -1;
	}
	tpHand = tpStartup();
	if(tpHand == 0) {
		return -1;
	}
	cspHand = cspStartup();
	if(cspHand == 0) {
		return -1;
	}

	/* cook up key pair for self-signed cert */
	crtn = cspGenKeyPair(cspHand,
		CSSM_ALGID_RSA,
		ROOT_KEY_LABEL,
		strlen(ROOT_KEY_LABEL),
		keySizeInBits,
		&rootPubKey,
		CSSM_FALSE,			// pubIsRef - should work both ways, but not yet
		CSSM_KEYUSE_VERIFY,
		CSSM_KEYBLOB_RAW_FORMAT_NONE,
		&rootPrivKey,
		writeBlobs ? CSSM_FALSE : CSSM_TRUE,	// privIsRef
		CSSM_KEYUSE_SIGN,
		CSSM_KEYBLOB_RAW_FORMAT_NONE,
		CSSM_FALSE);
	if(crtn) {
		ourRtn = -1;
		goto abort;
	}

	for(dex=0; dex<NUM_SERIAL_NUMS; dex++) {
		const SerialNumber *sn = serialNumbers[dex];
		if(!quiet) {
			printf("...testing serial number 0x%lx\n", (unsigned long)sn->serialIn);
		}
		ourRtn = doTest(clHand, cspHand, tpHand,
			&rootPubKey, &rootPrivKey,
			sn->serialIn, sn->expectLen, sn->expect,
			quiet, writeBlobs);
		if(ourRtn) {
			break;
		}
		if(doPause) {
			fpurge(stdin);
			printf("Pausing for MallocDebug. a to abort, anything else to continue: ");
			if(getchar() == 'a') {
				break;
			}
		}
	}

	cspFreeKey(cspHand, &rootPubKey);
	cspFreeKey(cspHand, &rootPrivKey);

abort:
	if(cspHand != 0) {
		CSSM_ModuleDetach(cspHand);
	}
	if(clHand != 0) {
		CSSM_ModuleDetach(clHand);
	}
	if(tpHand != 0) {
		CSSM_ModuleDetach(tpHand);
	}

	if((ourRtn == 0) && !quiet) {
		printf("certSerialEncodeTest test succeeded\n");
	}
	return ourRtn;
}
Commit	Line	Data
d8f41ccd A	1	/* Copyright (c) 2006 Apple Computer, Inc.
	2	*
	3	* certSerialEncodeTest.cpp
	4	*
	5	* Verify proper encoding of unsigned integer as a DER_encoded signed integer.
	6	* Verifies Radar 4471281.
	7	*
	8	*/
	9
	10	#include <utilLib/common.h>
	11	#include <utilLib/cspwrap.h>
	12	#include <security_cdsa_utils/cuFileIo.h>
	13	#include <clAppUtils/clutils.h>
	14	#include <stdlib.h>
	15	#include <stdio.h>
	16	#include <string.h>
	17	#include <Security/cssm.h>
	18	#include <Security/x509defs.h>
	19	#include <Security/oidsattr.h>
	20	#include <Security/oidscert.h>
	21	#include <Security/oidsalg.h>
	22	#include <Security/certextensions.h>
	23	#include <Security/cssmapple.h>
	24	#include <string.h>
	25
	26	#define SUBJ_KEY_LABEL "subjectKey"
	27	#define ROOT_KEY_LABEL "rootKey"
	28	/* default key and signature algorithm */
	29	#define SIG_ALG_DEFAULT CSSM_ALGID_SHA1WithRSA
	30	#define SIG_OID_DEFAULT CSSMOID_SHA1WithRSA
	31	#define KEY_ALG_DEFAULT CSSM_ALGID_RSA
	32
	33	/* for write certs/keys option */
	34	#define ROOT_CERT_FILE_NAME "ssRootCert.cer"
	35	#define SUBJ_CERT_FILE_NAME "ssSubjCert.cer"
	36
	37	/* public key in ref form, TP supports this as of 1/30/02 */
	38	#define PUB_KEY_IS_REF CSSM_TRUE
	39
	40	static void usage(char **argv)
	41	{
	42	printf("Usage: %s [options]\n", argv[0]);
	43	printf("Options:\n");
	44	printf(" w[rite certs]\n");
	45	printf(" p(ause for MallocDebug)\n");
	46	printf(" q(uiet)\n");
	47	exit(1);
	48	}
	49
	50	/*
	51	* RDN components
	52	*/
	53	static CSSM_APPLE_TP_NAME_OID rootRdn[] =
	54	{
	55	{ "Apple Computer", &CSSMOID_OrganizationName },
	56	{ "The Big Cheesy Debug Root", &CSSMOID_CommonName }
	57	};
	58	#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
	59
	60	/* test cases */
	61	typedef struct {
	62	uint32 serialIn; /* --> CSSM_TP_SubmitCredRequest */
	63	CSSM_SIZE expectLen;
	64	const uint8 *expect;
65	} SerialNumber;
66
67	/* 0x7f */
68	static const uint8 sn0_Data[1] = {0x7f};
69	static const SerialNumber sn0 = {0x7f, 1, sn0_Data };
70
71	/* 0x80 */
72	static const uint8 sn1_Data[2] = {0x00, 0x80};
73	static const SerialNumber sn1 = {0x80, 2, sn1_Data };
74
75	/* 0x7ff */
76	static const uint8 sn2_Data[2] = {0x07, 0xff};
77	static const SerialNumber sn2 = {0x7ff, 2, sn2_Data };
78
79	/* 0x80ff */
80	static const uint8 sn3_Data[3] = {0x00, 0x80, 0xff};
81	static const SerialNumber sn3 = {0x80ff, 3, sn3_Data };
82
83	/* 0xfffffff */
84	static const uint8 sn4_Data[4] = {0x0f, 0xff, 0xff, 0xff};
85	static const SerialNumber sn4 = {0xfffffff, 4, sn4_Data };
86
87	/* 0x0fffffff */
88	static const uint8 sn5_Data[4] = {0x0f, 0xff, 0xff, 0xff};
89	static const SerialNumber sn5 = {0x0fffffff, 4, sn5_Data };
90
91	/* 0x80000000 */
92	static const uint8 sn6_Data[5] = {0x00, 0x80, 0x00, 0x00, 0x00};
93	static const SerialNumber sn6 = {0x80000000, 5, sn6_Data };
94
95	static const SerialNumber *serialNumbers[] = {
96	&sn0, &sn1, &sn2, &sn3, &sn4, &sn5, &sn6
97	};
98	#define NUM_SERIAL_NUMS (sizeof(serialNumbers) / sizeof(serialNumbers[0]))
99
100	static int doTest(
101	CSSM_CL_HANDLE clHand, // CL handle
102	CSSM_CSP_HANDLE cspHand, // CSP handle
103	CSSM_TP_HANDLE tpHand, // TP handle
104	CSSM_KEY_PTR subjPubKey,
105	CSSM_KEY_PTR signerPrivKey,
106	uint32 serialNumIn,
107	CSSM_SIZE serialNumExpLen,
108	const uint8 *serialNumExp,
109	CSSM_BOOL quiet,
110	CSSM_BOOL writeBlobs)
111	{
112	CSSM_DATA refId; // mallocd by CSSM_TP_SubmitCredRequest
113	CSSM_APPLE_TP_CERT_REQUEST certReq;
114	CSSM_TP_REQUEST_SET reqSet;
115	sint32 estTime;
116	CSSM_BOOL confirmRequired;
117	CSSM_TP_RESULT_SET_PTR resultSet;
118	CSSM_ENCODED_CERT *encCert;
119	CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
120	CSSM_FIELD policyId;
121	CSSM_RETURN crtn;
122	CSSM_DATA *signedRootCert;
123	int ourRtn = 0;
124	CSSM_DATA_PTR foundSerial = NULL;
125	CSSM_HANDLE resultHand = 0;
126	uint32 numFields;
127
128	/* certReq for root */
129	memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
130	certReq.cspHand = cspHand;
131	certReq.clHand = clHand;
132	certReq.serialNumber = serialNumIn;
133	certReq.numSubjectNames = NUM_ROOT_NAMES;
134	certReq.subjectNames = rootRdn;
135	certReq.numIssuerNames = 0;
136	certReq.issuerNames = NULL;
137	certReq.certPublicKey = subjPubKey;
138	certReq.issuerPrivateKey = signerPrivKey;
139	certReq.signatureAlg = CSSM_ALGID_SHA1WithRSA;
140	certReq.signatureOid = CSSMOID_SHA1WithRSA;
141	certReq.notBefore = 0; // now
142	certReq.notAfter = 10000; // seconds from now
143	certReq.numExtensions = 0;
144	certReq.extensions = NULL;
145
146	reqSet.NumberOfRequests = 1;
147	reqSet.Requests = &certReq;
148
149	/* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
150	memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
151	memset(&policyId, 0, sizeof(CSSM_FIELD));
152	policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
153	CallerAuthContext.Policy.NumberOfPolicyIds = 1;
154	CallerAuthContext.Policy.PolicyIds = &policyId;
155
156	/* generate root cert */
157	if(!quiet) {
158	printf("Creating root cert...\n");
159	}
160	crtn = CSSM_TP_SubmitCredRequest(tpHand,
161	NULL, // PreferredAuthority
162	CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
163	&reqSet,
164	&CallerAuthContext,
165	&estTime,
166	&refId);
167	if(crtn) {
168	printError("CSSM_TP_SubmitCredRequest", crtn);
169	ourRtn = -1;
170	goto errOut;
171	}
172	crtn = CSSM_TP_RetrieveCredResult(tpHand,
173	&refId,
174	NULL, // CallerAuthCredentials
175	&estTime,
176	&confirmRequired,
177	&resultSet);
178	if(crtn) {
179	printError("CSSM_TP_RetrieveCredResult", crtn);
180	ourRtn = -1;
181	goto errOut;
182	}
183	if(resultSet == NULL) {
184	printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
185	ourRtn = -1;
186	goto errOut;
187	}
188	encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
189	signedRootCert = &encCert->CertBlob;
190	if(writeBlobs) {
191	writeFile(ROOT_CERT_FILE_NAME, signedRootCert->Data, signedRootCert->Length);
192	printf("...wrote %lu bytes to %s\n", signedRootCert->Length,
193	ROOT_CERT_FILE_NAME);
194	}
195
196	/* make sure it self-verifies */
197	crtn = CSSM_CL_CertVerify(clHand, 0 /* CCHandle */,
198	signedRootCert, signedRootCert,
199	NULL, 0);
200	if(crtn) {
201	cssmPerror("CSSM_CL_CertVerify", crtn);
202	printf("***Created cert does not self-verify\n");
203	ourRtn = -1;
204	goto errOut;
205	}
206
207	/* extract the field we're interested in verifying */
208	crtn = CSSM_CL_CertGetFirstFieldValue(clHand, signedRootCert,
209	&CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &foundSerial);
210	if(crtn) {
211	cssmPerror("CSSM_CL_CertGetFirstFieldValue(serialNumber)", crtn);
212	printf("***Can't obtain serial number\n");
213	ourRtn = -1;
214	goto errOut;
215	}
216	CSSM_CL_CertAbortQuery(clHand, resultHand);
217	if(foundSerial->Length != serialNumExpLen) {
218	printf("***expected serialNumber len 0x%lu, got 0x%lu\n",
219	(unsigned long)serialNumExpLen, (unsigned long)foundSerial->Length);
220	ourRtn = -1;
221	goto errOut;
222	}
223	for(unsigned dex=0; dex<serialNumExpLen; dex++) {
224	if(foundSerial->Data[dex] != serialNumExp[dex]) {
225	printf("***SerialNumber mismatch at index %u: exp %02X got %02X\n",
226	dex, (unsigned)serialNumExp[dex],
227	(unsigned)foundSerial->Data[dex]);
228	ourRtn = -1;
229	}
230	}
231	/* free retrieved serial number and the result set itself */
232	CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, foundSerial);
233	CSSM_FREE(signedRootCert->Data);
234	CSSM_FREE(encCert);
235	CSSM_FREE(resultSet);
236	/* Per the spec, this is supposed to be Opaque to us and the TP is supposed to free
237	* it when it goes out of scope...but libsecurity_keychains's
238	* CertificateRequest::submitDotMac() frees this...that would have to change
239	* in order for the TP to free this properly. Someday maybe. No big deal.
240	*/
241	CSSM_FREE(refId.Data);
242	errOut:
243	return ourRtn;
244	}
245
246	int main(int argc, char **argv)
247	{
248	CSSM_CL_HANDLE clHand; // CL handle
249	CSSM_CSP_HANDLE cspHand; // CSP handle
250	CSSM_TP_HANDLE tpHand; // TP handle
251	CSSM_KEY rootPubKey; // root's RSA public key blob
252	CSSM_KEY rootPrivKey; // root's RSA private key - ref format
253	CSSM_RETURN crtn;
254	int arg;
255	unsigned dex;
256	int ourRtn = 0;
257	uint32 keySizeInBits = 512;
258	CSSM_BOOL doPause = CSSM_FALSE;
259
260	/* user-spec'd variables */
261	CSSM_BOOL writeBlobs = CSSM_FALSE;
262	CSSM_BOOL quiet = CSSM_FALSE;
263
264	for(arg=1; arg<argc; arg++) {
265	switch(argv[arg][0]) {
266	case 'w':
267	writeBlobs = CSSM_TRUE;
268	break;
269	case 'q':
270	quiet = CSSM_TRUE;
271	break;
272	case 'p':
273	doPause = CSSM_TRUE;
274	break;
275	default:
276	usage(argv);
277	}
278	}
279
280	testStartBanner("certSerialEncodeTest", argc, argv);
281
282
283	/* connect to CL, TP, and CSP */
284	clHand = clStartup();
285	if(clHand == 0) {
286	return -1;
287	}
288	tpHand = tpStartup();
289	if(tpHand == 0) {
290	return -1;
291	}
292	cspHand = cspStartup();
293	if(cspHand == 0) {
294	return -1;
295	}
296
297	/* cook up key pair for self-signed cert */
298	crtn = cspGenKeyPair(cspHand,
299	CSSM_ALGID_RSA,
300	ROOT_KEY_LABEL,
301	strlen(ROOT_KEY_LABEL),
302	keySizeInBits,
303	&rootPubKey,
304	CSSM_FALSE, // pubIsRef - should work both ways, but not yet
305	CSSM_KEYUSE_VERIFY,
306	CSSM_KEYBLOB_RAW_FORMAT_NONE,
307	&rootPrivKey,
308	writeBlobs ? CSSM_FALSE : CSSM_TRUE, // privIsRef
309	CSSM_KEYUSE_SIGN,
310	CSSM_KEYBLOB_RAW_FORMAT_NONE,
311	CSSM_FALSE);
312	if(crtn) {
313	ourRtn = -1;
314	goto abort;
315	}
316
317	for(dex=0; dex<NUM_SERIAL_NUMS; dex++) {
318	const SerialNumber *sn = serialNumbers[dex];
319	if(!quiet) {
320	printf("...testing serial number 0x%lx\n", (unsigned long)sn->serialIn);
321	}
322	ourRtn = doTest(clHand, cspHand, tpHand,
323	&rootPubKey, &rootPrivKey,
324	sn->serialIn, sn->expectLen, sn->expect,
325	quiet, writeBlobs);
326	if(ourRtn) {
327	break;
328	}
329	if(doPause) {
330	fpurge(stdin);
331	printf("Pausing for MallocDebug. a to abort, anything else to continue: ");
332	if(getchar() == 'a') {
333	break;
334	}
335	}
336	}
337
338	cspFreeKey(cspHand, &rootPubKey);
339	cspFreeKey(cspHand, &rootPrivKey);
340
341	abort:
342	if(cspHand != 0) {
343	CSSM_ModuleDetach(cspHand);
344	}
345	if(clHand != 0) {
346	CSSM_ModuleDetach(clHand);
347	}
348	if(tpHand != 0) {
349	CSSM_ModuleDetach(tpHand);
350	}
351
352	if((ourRtn == 0) && !quiet) {
353	printf("certSerialEncodeTest test succeeded\n");
354	}
355	return ourRtn;
356	}
357
358