2 * makeExpiredCerts.cpp - Make expired certs to verify Radar 3622125.
9 #include <utilLib/common.h>
10 #include <utilLib/cspwrap.h>
11 #include <security_cdsa_utils/cuFileIo.h>
12 #include <clAppUtils/CertBuilderApp.h>
13 #include <clAppUtils/clutils.h>
14 #include <Security/x509defs.h>
15 #include <Security/oidsattr.h>
16 #include <Security/oidscert.h>
17 #include <Security/oidsalg.h>
20 * The certs we create and write.
21 * -- GOOD_ROOT and EXPIRED_ROOT use same key pair, subject, issuer name
22 * -- GOOD_CA and EXPIRED_CA use same key pair, subject, issuer name; both are
23 * verifiable by both GOOD_ROOT and EXPIRED_ROOT (temporal validity aside,
25 * -- GOOD_LEAF and EXPIRED_LEAF use same key pair, subject, issuer name, both
26 * are verifiable by both GOOD_CA and EXPIRED_CA (temporal validity aside,
/*
 * Output file names, one per generated cert. Each is written as
 * "<dstDir>/<name>" (see writeCert), dstDir being the single command-line
 * argument. A GOOD_* / EXPIRED_* pair shares key pair, subject and issuer;
 * main() gives the EXPIRED_* one a notAfter only seconds away (soonTime)
 * and the GOOD_* one a notAfter years away (futureTime).
 */
#define GOOD_ROOT "ecGoodRoot.cer"
#define EXPIRED_ROOT "ecExpiredRoot.cer"
#define GOOD_CA "ecGoodCA.cer"
#define EXPIRED_CA "ecExpiredCA.cer"
#define GOOD_LEAF "ecGoodLeaf.cer"
#define EXPIRED_LEAF "ecExpiredLeaf.cer"
37 * RDN components for root, CA, subject
/*
 * One-component RDN tables (CommonName only) for the root, CA and leaf
 * subjects; main() turns each into a CSSM_X509_NAME with CB_BuildX509Name.
 * The NUM_* macros give each table's element count; dividing by the size of
 * an element keeps the count in step with the initializer.
 */
CB_NameOid rootRdn[] = {
	{ "Expired Cert Test Root", &CSSMOID_CommonName }
};
#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(rootRdn[0]))

CB_NameOid caRdn[] = {
	{ "Expired Cert Test CA", &CSSMOID_CommonName }
};
#define NUM_CA_NAMES (sizeof(caRdn) / sizeof(caRdn[0]))

CB_NameOid leafRdn[] = {
	{ "Expired Cert Test Leaf", &CSSMOID_CommonName }
};
#define NUM_LEAF_NAMES (sizeof(leafRdn) / sizeof(leafRdn[0]))
/* Labels given to the three key pairs main() generates (leaf, CA, root). */
#define LEAF_KEY_LABEL "Expired Cert Leaf"
#define CA_KEY_LABEL "Expired Cert CA"
#define ROOT_KEY_LABEL "Expired Cert Root"

/*
 * Algorithm identifiers for key generation and certificate signing.
 * SIG_ALG is RSA with SHA-1: fine for a fixture whose only purpose is to
 * exercise temporal validity checks, but not a setting to copy into code
 * that issues certificates for real use.
 */
#define SIG_ALG CSSM_ALGID_SHA1WithRSA
#define KEY_ALG CSSM_ALGID_RSA
/* Print the command-line synopsis; argv[0] is the program name. */
65 static void usage(char **argv
)
67 printf("usage: %s dstdir\n", argv
[0]);
/* write cert to dstDir/fileName */
/*
 * Writes certData->Data (certData->Length bytes) to "<dstDir>/<fileName>"
 * through writeFile(); a nonzero writeFile result is reported as an error.
 * NOTE(review): the name/return-type line of this function is not visible
 * here; makeCert returns its result directly as its own status — confirm
 * that 0 means success.
 */
73 const CSSM_DATA
*certData
,
/*
 * pathLen is exactly what "%s/%s" needs: both strings, the '/' and the NUL.
 * filePath is a run-time-sized (VLA) stack buffer of that length, so the
 * sprintf below fits — but sprintf carries no bound of its own; writing
 * snprintf(filePath, pathLen, "%s/%s", dstDir, fileName) instead makes the
 * limit explicit. dstDir is argv[1] in main(), so an unusually long
 * argument means an equally large stack allocation here.
 */
77 unsigned pathLen
= strlen(fileName
) + strlen(dstDir
) + 2;
78 char filePath
[pathLen
];
79 sprintf(filePath
, "%s/%s", dstDir
, fileName
);
/* writeFile() is treated as "nonzero on failure". */
80 if(writeFile(filePath
, certData
->Data
, certData
->Length
)) {
81 printf("***Error writing cert to %s\n", filePath
);
/* Success report; Length is widened to unsigned long to match %lu. */
85 printf("...wrote %lu bytes to %s.\n", (unsigned long)certData
->Length
, filePath
);
/*
 * Build, sign and write one certificate. NOTE(review): the name/return line
 * of this function is not visible here; main() calls it as makeCert(...) and
 * treats a nonzero result as failure. Visible parameters: the CL and CSP
 * handles, subject and issuer names, the validity window (notBefore,
 * notAfter), the issuer's private key (signs the cert), the subject's public
 * key (goes into the cert), the CSSM_DATA that receives the signed cert, and
 * the fileName it is written to under dstDir. isCA, the serial number and
 * dstDir are used below but their parameter lines are not visible.
 */
91 CSSM_CL_HANDLE clHand
,
92 CSSM_CSP_HANDLE cspHand
,
93 CSSM_X509_NAME
*subject
,
94 CSSM_X509_NAME
*issuer
,
96 CSSM_X509_TIME
*notBefore
,
97 CSSM_X509_TIME
*notAfter
,
98 CSSM_KEY_PTR privKey
, /* signed with this */
99 CSSM_KEY_PTR pubKey
, /* contains this */
101 CSSM_DATA
*certData
, /* signed cert returned here */
103 const char *fileName
) /* and written here in dstDir/fileName */
105 CSSM_DATA_PTR tbsCert
;
106 CSSM_X509_EXTENSION ext
;
107 CE_BasicConstraints bc
;
/*
 * The only extension added is BasicConstraints, marked critical (as RFC 5280
 * requires when it asserts cA). cA follows isCA; pathLenConstraintPresent is
 * false, so no path-length limit is encoded and the 0 below is just an
 * initialized placeholder.
 */
109 ext
.extnId
= CSSMOID_BasicConstraints
;
110 ext
.critical
= CSSM_TRUE
;
111 ext
.format
= CSSM_X509_DATAFORMAT_PARSED
;
112 bc
.cA
= isCA
? CSSM_TRUE
: CSSM_FALSE
;
113 bc
.pathLenConstraintPresent
= CSSM_FALSE
;
114 bc
.pathLenConstraint
= 0;
/*
 * Parsed form only: the extension is handed over as the CE_BasicConstraints
 * struct and BERvalue is left empty — presumably the CL DER-encodes it when
 * building the template; confirm against CB_MakeCertTemplate.
 */
115 ext
.value
.parsedValue
= &bc
;
116 ext
.BERvalue
.Data
= NULL
;
117 ext
.BERvalue
.Length
= 0;
/* Unsigned TBSCertificate; NULL means the template could not be built. */
119 tbsCert
= CB_MakeCertTemplate(clHand
,
127 NULL
, // subjUniqueId
128 NULL
, // issuerUniqueId
131 if(tbsCert
== NULL
) {
/*
 * Signature context over the issuer's private key. On failure the error is
 * printed and the function returns (return line not visible); tbsCert does
 * not appear to be released before that — the leak the next comment owns up
 * to. Acceptable for a one-shot test tool, not a pattern to reuse.
 */
135 CSSM_CC_HANDLE signContext
;
137 crtn
= CSSM_CSP_CreateSignatureContext(cspHand
,
143 cssmPerror("CSSM_CSP_CreateSignatureContext", crtn
);
144 /* this program is way sloppy about cleanup on errors */
/*
 * certData is cleared before signing; presumably the CL allocates
 * certData->Data on success, so the caller owns the signed cert — confirm
 * against CSSM_CL_CertSign.
 */
147 certData
->Data
= NULL
;
148 certData
->Length
= 0;
149 crtn
= CSSM_CL_CertSign(clHand
,
151 tbsCert
, // CertToBeSigned
156 cssmPerror("CSSM_CL_CertSign", crtn
);
/*
 * Normal path: drop the signature context, release the template (CSSM_TRUE
 * presumably also frees the CSSM_DATA struct itself — confirm against
 * appFreeCssmData), and let writeCert's status be this function's status.
 */
159 CSSM_DeleteContext(signContext
);
160 appFreeCssmData(tbsCert
, CSSM_TRUE
);
161 return writeCert(certData
, fileName
, dstDir
);
164 int main(int argc
, char **argv
)
169 const char *dstDir
= argv
[1];
171 CSSM_CL_HANDLE clHand
= clStartup();
175 CSSM_CSP_HANDLE cspHand
= cspStartup();
180 /* Cook up 3 key pairs */
181 CSSM_KEY rootPrivKey
;
185 CSSM_KEY leafPrivKey
;
188 CSSM_RETURN crtn
= cspGenKeyPair(cspHand
,
191 strlen(ROOT_KEY_LABEL
),
194 CSSM_FALSE
, // pubIsRef
196 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
198 CSSM_FALSE
, // privIsRef
200 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
205 crtn
= cspGenKeyPair(cspHand
,
208 strlen(CA_KEY_LABEL
),
211 CSSM_FALSE
, // pubIsRef
213 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
215 CSSM_FALSE
, // privIsRef
217 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
222 crtn
= cspGenKeyPair(cspHand
,
225 strlen(LEAF_KEY_LABEL
),
228 CSSM_FALSE
, // pubIsRef
230 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
232 CSSM_FALSE
, // privIsRef
234 CSSM_KEYBLOB_RAW_FORMAT_NONE
,
240 /* now, subject and issuer names */
241 CSSM_X509_NAME
*rootSubj
= CB_BuildX509Name(rootRdn
, NUM_ROOT_NAMES
);
242 CSSM_X509_NAME
*caSubj
= CB_BuildX509Name(caRdn
, NUM_CA_NAMES
);
243 CSSM_X509_NAME
*leafSubj
= CB_BuildX509Name(leafRdn
, NUM_LEAF_NAMES
);
245 /* times: now (for all not before), +10 seconds (for expired), +10 years (for valid not after) */
246 CSSM_X509_TIME
*nowTime
= CB_BuildX509Time(0, NULL
);
247 CSSM_X509_TIME
*soonTime
= CB_BuildX509Time(10, NULL
);
248 CSSM_X509_TIME
*futureTime
= CB_BuildX509Time(60 * 60 * 24 * 365 * 10, NULL
);
252 CSSM_DATA expiredRoot
;
256 CSSM_DATA expiredLeaf
;
257 uint32 serialNum
= 0;
259 if(makeCert(clHand
, cspHand
,
260 rootSubj
, rootSubj
, serialNum
++, nowTime
, futureTime
,
261 &rootPrivKey
, &rootPubKey
, true,
262 &goodRoot
, dstDir
, GOOD_ROOT
)) {
263 printf("***Error creating good root. Aborting.\n");
266 if(makeCert(clHand
, cspHand
,
267 rootSubj
, rootSubj
, serialNum
++, nowTime
, soonTime
,
268 &rootPrivKey
, &rootPubKey
, true,
269 &expiredRoot
, dstDir
, EXPIRED_ROOT
)) {
270 printf("***Error creating expired root. Aborting.\n");
274 /* CA signed by root */
275 if(makeCert(clHand
, cspHand
,
276 caSubj
, rootSubj
, serialNum
++, nowTime
, futureTime
,
277 &rootPrivKey
, &caPubKey
, true,
278 &goodCA
, dstDir
, GOOD_CA
)) {
279 printf("***Error creating good CA. Aborting.\n");
282 if(makeCert(clHand
, cspHand
,
283 caSubj
, rootSubj
, serialNum
++, nowTime
, soonTime
,
284 &rootPrivKey
, &caPubKey
, true,
285 &expiredCA
, dstDir
, EXPIRED_CA
)) {
286 printf("***Error creating expired CA. Aborting.\n");
290 /* Leaf signed by CA */
291 if(makeCert(clHand
, cspHand
,
292 leafSubj
, caSubj
, serialNum
++, nowTime
, futureTime
,
293 &caPrivKey
, &leafPubKey
, false,
294 &goodLeaf
, dstDir
, GOOD_LEAF
)) {
295 printf("***Error creating good leaf. Aborting.\n");
298 if(makeCert(clHand
, cspHand
,
299 leafSubj
, caSubj
, serialNum
++, nowTime
, soonTime
,
300 &caPrivKey
, &leafPubKey
, false,
301 &expiredLeaf
, dstDir
, EXPIRED_LEAF
)) {
302 printf("***Error creating expired leaf. Aborting.\n");
306 /* cleanup if you think you must */