[apple/security.git] / SecurityTests / clxutils / NISCC / TLS_SSL / dmitchNotes

testing the NISCC test cases

-- testing client certs, use good server cert --------

1. Set up server KC

   % rm -f ~/Library/Keychains/nisccServer
   % certtool i server_crt.pem k=nisccServer r=server_key.pem c
   
2. Run server (from testcases dir)

   % sslServer l k=nisccServer P=1300 a rootca.crt u=t
   
   -- not u=t --> try auth
   
3. Run client no auth 

   % sv localhost P=1300 H a rootca.crt
   
   -- note 'H' - disable host name verify since server common name = 
      "Simple Server"
	  
4. Set up client keychain

   % rm -f ~/Library/Keychains/nisccClient
   % certtool i client_crt.pem k=nisccClient r=client_key.pem c
   
5. Run client w/auth

   % sv localhost P=1300 H a rootca.crt k=nisccClient
   
6. Bad client

   # just once
   % pemtool d client_key.pem client_key.der
   #
   % rm -f ~/Library/Keychains/nisccClient
   % certtool i simple_client/00035377 k=nisccClient r=client_key.der c
   % sv localhost P=1300 H k=nisccClient x
   
   ...note 'x' avoids client checking its own bogus cert, and we don't have to specify 
      an anchor
   
   result on client side = errSSLPeerCertUnknown
   clientCertState = ClientCertRejected
   
   result on server side = errSSLXCertChainInvalid
   clientCertState = ClientCertRejected

7. Mods needed to uses these certs

  -- modified dbTool to allow importing a bad cert (via DL/DB, not Sec*)
  -- wrote simple client app, clxutils/NISCC/TLS_SSL/nisccSimpleClient
  
  -- also SecureTransport needs the following mod to ignore bad certs on client side

===================================================================
RCS file: /cvs/root/Security/SecureTransport/sslKeychain.cpp,v
retrieving revision 1.5
diff -u -r1.5 sslKeychain.cpp
--- sslKeychain.cpp     2003/04/25 19:40:18     1.5
+++ sslKeychain.cpp     2003/11/10 21:20:14
@@ -174,6 +174,11 @@
        /* FIXME = release keyRef? */
 
        /* obtain public key from cert */
+       /*
+        * FIXME : THIS IS TOTALLY UNNECESSARY WHEN PARSING OUR OWN CERTS, except
+        * for the "separate signing and encryptionj certs" case. For now, to   
+        * facilitate NISCC testing, we ignore errors here. 
+        */
        ortn = SecCertificateGetCLHandle(certRef, &clHand);
        if(ortn) {
                sslErrorLog("parseIncomingCerts: SecCertificateGetCLHandle err %d\n",
@@ -183,10 +188,12 @@
        certData.Data = thisSslCert->derCert.data;
        certData.Length = thisSslCert->derCert.length;
        crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, pubKey);
+       #if 0
        if(crtn) {
                sslErrorLog("parseIncomingCerts: CSSM_CL_CertGetKeyInfo err\n");
                return (OSStatus)crtn;
        }
+       #endif
 
        /* obtain keychain from key, CSP handle from keychain */
        ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef);

........

...with this in place cert 00070004 causes anything parsing it to get a seg fault. 

...........

problems found:

1. Processing SEC_ASN1_SAVE, the destination item is mallocd once, with the length 
   of the top-level item to be saved. However data gets added to this item on a 
   leaf-by-leaf basis so that if the sizes of the leaves adds up to greater than
   the stated/mallocd len of the otp-level item, overflow. 
   
   -- verified by disabling the SAVE in TBS_Cert
   -- fixed using sec_asn1d_state.dest_alloc_len field to track alloc size in 
      aggregate items
   
..............

certs known to crash the Panther Security.framework:

	"00000668",
	"00000681",
	"00001980",
	"00002040",
	"00007472",
	"00008064",
	"00008656",
	"00009840",
	"00010432",
	"00011614",	
	"00011615",
	"00011616",
Commit	Line	Data
d8f41ccd A	1	testing the NISCC test cases
	2
	3	-- testing client certs, use good server cert --------
	4
	5	1. Set up server KC
	6
	7	% rm -f ~/Library/Keychains/nisccServer
	8	% certtool i server_crt.pem k=nisccServer r=server_key.pem c
	9
	10	2. Run server (from testcases dir)
	11
	12	% sslServer l k=nisccServer P=1300 a rootca.crt u=t
	13
	14	-- not u=t --> try auth
	15
	16	3. Run client no auth
	17
	18	% sv localhost P=1300 H a rootca.crt
	19
	20	-- note 'H' - disable host name verify since server common name =
	21	"Simple Server"
	22
	23	4. Set up client keychain
	24
	25	% rm -f ~/Library/Keychains/nisccClient
	26	% certtool i client_crt.pem k=nisccClient r=client_key.pem c
	27
	28	5. Run client w/auth
	29
	30	% sv localhost P=1300 H a rootca.crt k=nisccClient
	31
	32	6. Bad client
	33
	34	# just once
	35	% pemtool d client_key.pem client_key.der
	36	#
	37	% rm -f ~/Library/Keychains/nisccClient
	38	% certtool i simple_client/00035377 k=nisccClient r=client_key.der c
	39	% sv localhost P=1300 H k=nisccClient x
	40
	41	...note 'x' avoids client checking its own bogus cert, and we don't have to specify
	42	an anchor
	43
	44	result on client side = errSSLPeerCertUnknown
	45	clientCertState = ClientCertRejected
	46
	47	result on server side = errSSLXCertChainInvalid
	48	clientCertState = ClientCertRejected
	49
	50	7. Mods needed to uses these certs
	51
	52	-- modified dbTool to allow importing a bad cert (via DL/DB, not Sec*)
	53	-- wrote simple client app, clxutils/NISCC/TLS_SSL/nisccSimpleClient
	54
	55	-- also SecureTransport needs the following mod to ignore bad certs on client side
	56
	57	===================================================================
	58	RCS file: /cvs/root/Security/SecureTransport/sslKeychain.cpp,v
	59	retrieving revision 1.5
	60	diff -u -r1.5 sslKeychain.cpp
	61	--- sslKeychain.cpp 2003/04/25 19:40:18 1.5
	62	+++ sslKeychain.cpp 2003/11/10 21:20:14
	63	@@ -174,6 +174,11 @@
	64	/* FIXME = release keyRef? */
65
66	/* obtain public key from cert */
67	+ /*
68	+ * FIXME : THIS IS TOTALLY UNNECESSARY WHEN PARSING OUR OWN CERTS, except
69	+ * for the "separate signing and encryptionj certs" case. For now, to
70	+ * facilitate NISCC testing, we ignore errors here.
71	+ */
72	ortn = SecCertificateGetCLHandle(certRef, &clHand);
73	if(ortn) {
74	sslErrorLog("parseIncomingCerts: SecCertificateGetCLHandle err %d\n",
75	@@ -183,10 +188,12 @@
76	certData.Data = thisSslCert->derCert.data;
77	certData.Length = thisSslCert->derCert.length;
78	crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, pubKey);
79	+ #if 0
80	if(crtn) {
81	sslErrorLog("parseIncomingCerts: CSSM_CL_CertGetKeyInfo err\n");
82	return (OSStatus)crtn;
83	}
84	+ #endif
85
86	/* obtain keychain from key, CSP handle from keychain */
87	ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef);
88
89	........
90
91	...with this in place cert 00070004 causes anything parsing it to get a seg fault.
92
93	...........
94
95	problems found:
96
97	1. Processing SEC_ASN1_SAVE, the destination item is mallocd once, with the length
98	of the top-level item to be saved. However data gets added to this item on a
99	leaf-by-leaf basis so that if the sizes of the leaves adds up to greater than
100	the stated/mallocd len of the otp-level item, overflow.
101
102	-- verified by disabling the SAVE in TBS_Cert
103	-- fixed using sec_asn1d_state.dest_alloc_len field to track alloc size in
104	aggregate items
105
106	..............
107
108	certs known to crash the Panther Security.framework:
109
110	"00000668",
111	"00000681",
112	"00001980",
113	"00002040",
114	"00007472",
115	"00008064",
116	"00008656",
117	"00009840",
118	"00010432",
119	"00011614",
120	"00011615",
121	"00011616",