]> git.saurik.com Git - apple/security.git/blob - SecurityTests/clxutils/smimePolicy/smimePolicy.cpp
Security-57031.1.35.tar.gz
[apple/security.git] / SecurityTests / clxutils / smimePolicy / smimePolicy.cpp
1 /* Copyright (c) 2002-2004,2006,2008 Apple Inc.
2 *
3 * smimePolicy.cpp
4 *
5 * Test CSSMOID_APPLE_TP_SMIME and CSSMOID_APPLE_TP_ICHAT TP policies.
6 *
7 */
8
9 #include <utilLib/common.h>
10 #include <utilLib/cspwrap.h>
11 #include <clAppUtils/clutils.h>
12 #include <clAppUtils/certVerify.h>
13 #include <clAppUtils/BlobList.h>
14 #include <stdlib.h>
15 #include <stdio.h>
16 #include <string.h>
17 #include <Security/cssm.h>
18 #include <Security/x509defs.h>
19 #include <Security/oidsattr.h>
20 #include <Security/oidscert.h>
21 #include <Security/oidsalg.h>
22 #include <Security/certextensions.h>
23 #include <Security/cssmapple.h>
24 #include <security_cdsa_utils/cuPrintCert.h>
25 #include <string.h>
26
27 /* key labels */
28 #define SUBJ_KEY_LABEL "subjectKey"
29 #define ROOT_KEY_LABEL "rootKey"
30
31 /* key and signature algorithm - shouldn't matter for this test */
32 #define SIG_ALG_DEFAULT CSSM_ALGID_SHA1WithRSA
33 #define SIG_OID_DEFAULT CSSMOID_SHA1WithRSA
34 #define KEY_ALG_DEFAULT CSSM_ALGID_RSA
35
36 #define KEY_SIZE_DEFAULT 512
37
38 static void usage(char **argv)
39 {
40 printf("Usage: %s [options]\n", argv[0]);
41 printf("Options:\n");
42 printf(" p(rint leaf certs)\n");
43 printf(" P(ause for MallocDebug)\n");
44 printf(" q(uiet)\n");
45 printf(" v(erbose)\n");
46 exit(1);
47 }
48
49 /*
50 * RDN components for root
51 */
52 CSSM_APPLE_TP_NAME_OID rootRdn[] =
53 {
54 { "Apple Computer", &CSSMOID_OrganizationName },
55 { "The Big Cheese", &CSSMOID_Title }
56 };
57 #define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
58
59 /*
60 * Test cases
61 */
62 typedef struct {
63 /* test description */
64 const char *testDesc;
65
66 /* policy: CVP_SMIME or CVP_iChat */
67 CertVerifyPolicy policy;
68
69 /* email addrs for leaf cert - zero, one, or two of these */
70 const char *subjNameEmail; // CSSMOID_EmailAddress
71 const char *subjAltNameEmail; // RFC822Name
72 CSSM_BOOL subjAltNameCritical;
73
74 /* common name portion of Subject Name, optional */
75 const char *subjNameCommon;
76
77 /* email addrs for CertGroupVerify */
78 const char *vfyEmailAddrs;
79
80 /* Key Usage - if zero, no KU extension */
81 CE_KeyUsage certKeyUse;
82 CSSM_BOOL keyUseCritical;
83
84 /* key usage specified in CertGroupVerify */
85 CE_KeyUsage vfyKeyUse;
86
87 /* ExtendedKeyUSage OID - NULL means no EKU */
88 const CSSM_OID *ekuOid;
89
90 /* expected error - NULL or e.g. "CSSMERR_TP_VERIFY_ACTION_FAILED" */
91 const char *expectErrStr;
92
93 /* one optional per-cert error string */
94 /* e.g., "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE" */
95 const char *certErrorStr;
96
97 /* addenda - at end so we don't have to update every existing test case.
98 * For iChat, orgUnit and org fields in SubjectName.
99 */
100 const char *orgUnit;
101 const char *orgName; /* nominally either Apple Computer, Inc. */
102
103 } SP_TestCase;
104
105 /*
106 * upper case char in each component to make sure both ends get
107 * normalized as appropriate
108 */
109 #define GOOD_EMAIL "Alice@Apple.com"
110 #define BAD_EMAIL "bob@apple.com" /* always bad */
111 #define CASE_EMAIL_GOOD "Alice@APPLE.com" /* always good */
112 /*
113 * iChat: good
114 * SMIME, emailAddrs in subjAltName: bad
115 * SMIME, emailAddrs in SUbjectName RDN: good
116 */
117 #define CASE_EMAIL_BAD "ALice@Apple.com"
118 #define COMMON_NAME "Alice"
119
120 /* for Apple-custom iChat name encoding */
121 /* first the constant org field, case sensitive */
122 #define ICHAT_ORG "Apple Computer, Inc." /* reference */
123 #define ICHAT_ORG_CASE "APPLE Computer, Inc." /* should fail */
124 #define ICHAT_ORG_BAD "Apple Computer, Inc"
125
126 /* commonName = name, orgUnit = domain, case insensitive */
127 #define ICHAT_NAME "Alice" /* commonName */
128 #define ICHAT_DOMAIN "mac.com" /* orgUnit */
129 #define ICHAT_HANDLE "Alice@mac.com" /* what we pass in */
130
131 #define ICHAT_HANDLE_CASE1 "ALice@mac.com"
132 #define ICHAT_HANDLE_CASE2 "Alice@mAc.com"
133 #define ICHAT_NAME_CASE "ALice"
134 #define ICHAT_DOMAIN_CASE "maC.com"
135 #define ICHAT_NAME_BAD "Alice_"
136 #define ICHAT_DOMAIN_BAD "mac.co"
137 #define ICHAT_HANDLE_BAD1 "Alice@mac.co"
138 #define ICHAT_HANDLE_BAD2 "Alicg@mac.com"
139 #define ICHAT_HANDLE_BAD3 "Alicemac.com"
140 #define ICHAT_HANDLE_BAD4 "Alice@mac@com"
141
142 #define KEYUSE_NONE 0
143
144 SP_TestCase testCases[] =
145 {
146 /* move these to end after we debug 'em */
147 /* custom iChat name encoding */
148 {
149 "iChat custom",
150 CVP_iChat,
151 NULL, NULL, CSSM_FALSE, // no email address
152 ICHAT_NAME, ICHAT_HANDLE,
153 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
154 &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
155 NULL, NULL,
156 ICHAT_DOMAIN, ICHAT_ORG
157 },
158 {
159 "iChat custom",
160 CVP_iChat,
161 NULL, NULL, CSSM_FALSE, // no email address
162 ICHAT_NAME, ICHAT_HANDLE,
163 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
164 /* verify this EKU */
165 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
166 NULL, NULL,
167 ICHAT_DOMAIN, ICHAT_ORG
168 },
169 {
170 "iChat custom",
171 CVP_iChat,
172 NULL, NULL, CSSM_FALSE, // no email address
173 ICHAT_NAME, ICHAT_HANDLE,
174 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
175 /* verify this EKU */
176 &CSSMOID_ExtendedKeyUsageAny,
177 NULL, NULL,
178 ICHAT_DOMAIN, ICHAT_ORG
179 },
180 {
181 "iChat custom, alt case in name",
182 CVP_iChat,
183 NULL, NULL, CSSM_FALSE, // no email address
184 ICHAT_NAME_CASE, ICHAT_HANDLE,
185 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
186 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
187 NULL, NULL,
188 ICHAT_DOMAIN, ICHAT_ORG
189 },
190 {
191 "iChat custom, alt case in domain",
192 CVP_iChat,
193 NULL, NULL, CSSM_FALSE, // no email address
194 ICHAT_NAME, ICHAT_HANDLE,
195 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
196 &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
197 NULL, NULL,
198 ICHAT_DOMAIN_CASE, ICHAT_ORG
199 },
200 {
201 "iChat custom, alt case in org, expect fail",
202 CVP_iChat,
203 NULL, NULL, CSSM_FALSE, // no email address
204 ICHAT_NAME, ICHAT_HANDLE,
205 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
206 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
207 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
208 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
209 ICHAT_DOMAIN, ICHAT_ORG_CASE
210 },
211 {
212 "iChat custom, bad name",
213 CVP_iChat,
214 NULL, NULL, CSSM_FALSE, // no email address
215 ICHAT_NAME_BAD, ICHAT_HANDLE,
216 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
217 &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
218 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
219 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
220 ICHAT_DOMAIN, ICHAT_ORG
221 },
222 {
223 "iChat custom, bad name",
224 CVP_iChat,
225 NULL, NULL, CSSM_FALSE, // no email address
226 ICHAT_NAME_BAD, ICHAT_HANDLE,
227 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
228 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
229 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
230 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
231 ICHAT_DOMAIN, ICHAT_ORG
232 },
233 {
234 "iChat custom, bad domain",
235 CVP_iChat,
236 NULL, NULL, CSSM_FALSE, // no email address
237 ICHAT_NAME, ICHAT_HANDLE,
238 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
239 &CSSMOID_ExtendedKeyUsageAny,
240 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
241 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
242 ICHAT_DOMAIN_BAD, ICHAT_ORG
243 },
244 {
245 "iChat custom, bad org",
246 CVP_iChat,
247 NULL, NULL, CSSM_FALSE, // no email address
248 ICHAT_NAME, ICHAT_HANDLE,
249 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
250 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
251 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
252 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
253 ICHAT_DOMAIN, ICHAT_ORG_BAD
254 },
255 {
256 "iChat custom, bad handle (short)",
257 CVP_iChat,
258 NULL, NULL, CSSM_FALSE, // no email address
259 ICHAT_NAME, ICHAT_HANDLE_BAD1,
260 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
261 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
262 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
263 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
264 ICHAT_DOMAIN, ICHAT_ORG
265 },
266 {
267 "iChat custom, bad handle (bad name component)",
268 CVP_iChat,
269 NULL, NULL, CSSM_FALSE, // no email address
270 ICHAT_NAME, ICHAT_HANDLE_BAD2,
271 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
272 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
273 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
274 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
275 ICHAT_DOMAIN, ICHAT_ORG
276 },
277 {
278 "iChat custom, bad handle (no @)",
279 CVP_iChat,
280 NULL, NULL, CSSM_FALSE, // no email address
281 ICHAT_NAME, ICHAT_HANDLE_BAD3,
282 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
283 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
284 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
285 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
286 ICHAT_DOMAIN, ICHAT_ORG
287 },
288 {
289 "iChat custom, bad handle (two @s)",
290 CVP_iChat,
291 NULL, NULL, CSSM_FALSE, // no email address
292 ICHAT_NAME, ICHAT_HANDLE_BAD4,
293 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
294 &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
295 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
296 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
297 ICHAT_DOMAIN, ICHAT_ORG
298 },
299 {
300 "iChat custom, no EKU",
301 CVP_iChat,
302 NULL, NULL, CSSM_FALSE, // no email address
303 ICHAT_NAME, ICHAT_HANDLE,
304 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
305 NULL,
306 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
307 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
308 ICHAT_DOMAIN, ICHAT_ORG
309 },
310 {
311 "iChat custom, bad EKU",
312 CVP_iChat,
313 NULL, NULL, CSSM_FALSE, // no email address
314 ICHAT_NAME, ICHAT_HANDLE,
315 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
316 &CSSMOID_TimeStamping,
317 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
318 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
319 ICHAT_DOMAIN, ICHAT_ORG
320 },
321
322 /* end of move to end */
323 {
324 "Email addrs in subjAltName, S/MIME",
325 CVP_SMIME,
326 NULL, GOOD_EMAIL, CSSM_FALSE,
327 COMMON_NAME, GOOD_EMAIL,
328 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
329 NULL, // ekuOid
330 NULL, NULL
331 },
332 {
333 "Email addrs in subjAltName, iChat",
334 CVP_iChat,
335 NULL, GOOD_EMAIL, CSSM_FALSE,
336 COMMON_NAME, GOOD_EMAIL,
337 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
338 &CSSMOID_EmailProtection,
339 NULL, NULL
340 },
341 {
342 "Email addrs in subject name, S/MIME",
343 CVP_SMIME,
344 GOOD_EMAIL, NULL, CSSM_FALSE,
345 COMMON_NAME, GOOD_EMAIL,
346 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
347 NULL,
348 NULL, NULL
349 },
350 {
351 "Email addrs in subject name, iChat",
352 CVP_iChat,
353 GOOD_EMAIL, NULL, CSSM_FALSE,
354 COMMON_NAME, GOOD_EMAIL,
355 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
356 &CSSMOID_EmailProtection,
357 NULL, NULL
358 },
359 {
360 /*
361 * The spec (RFC 2632) says that if there is no email address
362 * in the cert at all, then the TP doesn't have to
363 * enforce a match. So this one works, since we're not
364 * putting any email addresses in the cert.
365 */
366 "No Email addrs, S/MIME",
367 CVP_SMIME,
368 NULL, NULL, CSSM_FALSE,
369 COMMON_NAME, GOOD_EMAIL,
370 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
371 NULL,
372 NULL, NULL
373 },
374 {
375 /*
376 * For iChat the same scenario fails; it requires an email address in
377 * the cert if we pass one in.
378 */
379 "No Email addrs, iChat",
380 CVP_iChat,
381 NULL, NULL, CSSM_FALSE,
382 COMMON_NAME, GOOD_EMAIL,
383 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
384 &CSSMOID_EmailProtection,
385 "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
386 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS"
387 },
388 {
389 "Wrong email addrs in SubjectName, S/MIME",
390 CVP_SMIME,
391 BAD_EMAIL, NULL, CSSM_FALSE,
392 COMMON_NAME, GOOD_EMAIL,
393 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
394 NULL,
395 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
396 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
397 },
398 {
399 "Wrong email addrs in SubjectName, iChat",
400 CVP_iChat,
401 BAD_EMAIL, NULL, CSSM_FALSE,
402 COMMON_NAME, GOOD_EMAIL,
403 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
404 &CSSMOID_EmailProtection,
405 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
406 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
407 },
408 {
409 "Wrong email addrs in SubjectAltName, S/MIME",
410 CVP_SMIME,
411 NULL, BAD_EMAIL, CSSM_FALSE,
412 COMMON_NAME, GOOD_EMAIL,
413 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
414 NULL,
415 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
416 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
417 },
418 {
419 "Wrong email addrs in SubjectAltName, iChat",
420 CVP_iChat,
421 NULL, BAD_EMAIL, CSSM_FALSE,
422 COMMON_NAME, GOOD_EMAIL,
423 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
424 &CSSMOID_EmailProtection,
425 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
426 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
427 },
428
429 /*
430 * The presence of an incorrect email address is not supposed
431 * be an error as long as the right one is in there somewhere.
432 */
433 {
434 "Wrong addrs in subj name, correct in subjAltName, S/MIME",
435 CVP_SMIME,
436 BAD_EMAIL, GOOD_EMAIL, CSSM_FALSE,
437 COMMON_NAME, GOOD_EMAIL,
438 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
439 NULL,
440 NULL, NULL
441 },
442 {
443 "Wrong addrs in subj name, correct in subjAltName, iChat",
444 CVP_iChat,
445 BAD_EMAIL, GOOD_EMAIL, CSSM_FALSE,
446 COMMON_NAME, GOOD_EMAIL,
447 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
448 &CSSMOID_EmailProtection,
449 NULL, NULL
450 },
451 {
452 "Wrong addrs in subjAltname, correct in subjName, S/MIME",
453 CVP_SMIME,
454 GOOD_EMAIL, BAD_EMAIL, CSSM_FALSE,
455 COMMON_NAME, GOOD_EMAIL,
456 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
457 NULL,
458 NULL, NULL
459 },
460 {
461 "Wrong addrs in subjAltname, correct in subjName, iChat",
462 CVP_iChat,
463 GOOD_EMAIL, BAD_EMAIL, CSSM_FALSE,
464 COMMON_NAME, GOOD_EMAIL,
465 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
466 &CSSMOID_EmailProtection,
467 NULL, NULL
468 },
469 /* empty subject name processing - S/MIME only*/
470 {
471 "Empty subj name, correct subjAltName, no search",
472 CVP_SMIME,
473 NULL, GOOD_EMAIL, CSSM_TRUE,
474 NULL, NULL,
475 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
476 NULL,
477 NULL, NULL
478 },
479 {
480 "Empty subj name, correct subjAltName, good search",
481 CVP_SMIME,
482 NULL, GOOD_EMAIL, CSSM_TRUE,
483 NULL, GOOD_EMAIL,
484 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
485 NULL,
486 NULL, NULL
487 },
488 {
489 "Empty subj name, correct subjAltName, not critical, no search",
490 CVP_SMIME,
491 NULL, GOOD_EMAIL, CSSM_FALSE,
492 NULL, NULL,
493 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
494 NULL,
495 "CSSMERR_TP_VERIFY_ACTION_FAILED",
496 "0:CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT"
497 },
498 {
499 "Empty subj name, correct subjAltName, not critical, good search",
500 CVP_SMIME,
501 NULL, GOOD_EMAIL, CSSM_FALSE,
502 NULL, GOOD_EMAIL,
503 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
504 NULL,
505 "CSSMERR_TP_VERIFY_ACTION_FAILED",
506 "0:CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT"
507 },
508 {
509 "Empty subj name, empty subjAltName, no search",
510 CVP_SMIME,
511 NULL, NULL, CSSM_FALSE,
512 NULL, NULL,
513 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
514 NULL,
515 "CSSMERR_TP_VERIFY_ACTION_FAILED",
516 "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS"
517 },
518
519 /* case sensitivity handling */
520 {
521 "Different case domain in subjAltName, S/MIME",
522 CVP_SMIME,
523 NULL, CASE_EMAIL_GOOD, CSSM_FALSE,
524 COMMON_NAME, GOOD_EMAIL,
525 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
526 NULL, // ekuOid
527 NULL, NULL
528 },
529 {
530 "Different case domain in subjAltName, iChat",
531 CVP_iChat,
532 NULL, CASE_EMAIL_GOOD, CSSM_FALSE,
533 COMMON_NAME, GOOD_EMAIL,
534 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
535 &CSSMOID_EmailProtection,
536 NULL, NULL
537 },
538 {
539 "Different case domain in subjectName, S/MIME",
540 CVP_SMIME,
541 CASE_EMAIL_GOOD, NULL, CSSM_FALSE,
542 COMMON_NAME, GOOD_EMAIL,
543 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
544 NULL,
545 NULL, NULL
546 },
547 {
548 "Different case domain in subjectName, iChat",
549 CVP_iChat,
550 CASE_EMAIL_GOOD, NULL, CSSM_FALSE,
551 COMMON_NAME, GOOD_EMAIL,
552 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
553 &CSSMOID_EmailProtection,
554 NULL, NULL
555 },
556 /*
557 * local-part:
558 * SMIME, emailAddrs in SubjectName - case insensitive
559 * SMIME, emailAddrs in SubjectAltName - case sensitive
560 * iChat, anywhere - case insensitive
561 */
562 {
563 /* the only time local-part is case sensitive */
564 "Different case local-part in subjAltName, SMIME",
565 CVP_SMIME,
566 NULL, CASE_EMAIL_BAD, CSSM_FALSE,
567 COMMON_NAME, GOOD_EMAIL,
568 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
569 NULL,
570 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
571 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
572 },
573 {
574 "Different case local-part in subjAltName, iChat",
575 CVP_iChat,
576 NULL, CASE_EMAIL_BAD, CSSM_FALSE,
577 COMMON_NAME, GOOD_EMAIL,
578 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
579 &CSSMOID_EmailProtection,
580 NULL, NULL
581 },
582 {
583 "Different case local-part in SubjectName, S/MIME",
584 CVP_SMIME,
585 CASE_EMAIL_BAD, NULL, CSSM_FALSE,
586 COMMON_NAME, GOOD_EMAIL,
587 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
588 NULL,
589 NULL, NULL
590 },
591 {
592 "Different case local-part in SubjectName, iChat",
593 CVP_iChat,
594 CASE_EMAIL_BAD, NULL, CSSM_FALSE,
595 COMMON_NAME, GOOD_EMAIL,
596 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
597 &CSSMOID_EmailProtection,
598 NULL, NULL
599 },
600 {
601 /* just to test a corner case of tpNormalizeAddrSpec */
602 "local-part missing @ in SubjectName",
603 CVP_SMIME,
604 "alice_apple.com", NULL, CSSM_FALSE,
605 COMMON_NAME, GOOD_EMAIL,
606 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
607 NULL,
608 "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
609 "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
610 },
611
612 /***
613 *** Key Usage testing
614 ***
615 *** All leaf certs have good email addrs in subjectAltName
616 ***/
617 {
618 "Key Usage good 1",
619 CVP_SMIME,
620 NULL, GOOD_EMAIL, CSSM_FALSE,
621 COMMON_NAME, GOOD_EMAIL,
622 CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_DigitalSignature,
623 NULL,
624 NULL, NULL
625 },
626 {
627 "Key Usage good 2",
628 CVP_SMIME,
629 NULL, GOOD_EMAIL, CSSM_FALSE,
630 COMMON_NAME, GOOD_EMAIL,
631 CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
632 CE_KU_DigitalSignature,
633 NULL,
634 NULL, NULL
635 },
636 {
637 "KeyUsage in cert but not verified",
638 CVP_SMIME,
639 NULL, GOOD_EMAIL, CSSM_FALSE,
640 COMMON_NAME, GOOD_EMAIL,
641 CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
642 KEYUSE_NONE, // no use specified
643 NULL,
644 NULL, NULL
645 },
646 {
647 "Key Usage bad 1",
648 CVP_SMIME,
649 NULL, GOOD_EMAIL, CSSM_FALSE,
650 COMMON_NAME, GOOD_EMAIL,
651 CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_NonRepudiation,
652 NULL,
653 "CSSMERR_TP_VERIFY_ACTION_FAILED",
654 "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
655 },
656 {
657 "Key Usage bad 2",
658 CVP_SMIME,
659 NULL, GOOD_EMAIL, CSSM_FALSE,
660 COMMON_NAME, GOOD_EMAIL,
661 CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
662 CE_KU_CRLSign,
663 NULL,
664 "CSSMERR_TP_VERIFY_ACTION_FAILED",
665 "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
666 },
667 #if 0
668 /* obsolete per radar 3523221 */
669 {
670 "Key Usage not critical",
671 NULL, GOOD_EMAIL, CSSM_FALSE,
672 COMMON_NAME, GOOD_EMAIL,
673 CE_KU_DigitalSignature, CSSM_FALSE, CE_KU_DigitalSignature,
674 NULL,
675 "CSSMERR_TP_VERIFY_ACTION_FAILED",
676 "0:CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL"
677 },
678 #endif
679 /*
680 * The tricky ones involving KeyAgreement
681 */
682 {
683 "Key Usage KeyAgreement good 1",
684 CVP_SMIME,
685 NULL, GOOD_EMAIL, CSSM_FALSE,
686 COMMON_NAME, GOOD_EMAIL,
687 CE_KU_KeyAgreement | CE_KU_EncipherOnly, CSSM_TRUE,
688 CE_KU_KeyAgreement | CE_KU_EncipherOnly,
689 NULL,
690 NULL, NULL
691 },
692 {
693 "Key Usage KeyAgreement good 2",
694 CVP_SMIME,
695 NULL, GOOD_EMAIL, CSSM_FALSE,
696 COMMON_NAME, GOOD_EMAIL,
697 CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
698 CE_KU_KeyAgreement | CE_KU_DecipherOnly,
699 NULL,
700 NULL, NULL
701 },
702 {
703 "Key Usage KeyAgreement no {En,De}CipherOnly",
704 CVP_SMIME,
705 NULL, GOOD_EMAIL, CSSM_FALSE,
706 COMMON_NAME, GOOD_EMAIL,
707 CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
708 CE_KU_KeyAgreement,
709 NULL,
710 "CSSMERR_TP_VERIFY_ACTION_FAILED",
711 "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
712 },
713 {
714 "Key Usage KeyAgreement bad EncipherOnly",
715 CVP_SMIME,
716 NULL, GOOD_EMAIL, CSSM_FALSE,
717 COMMON_NAME, GOOD_EMAIL,
718 CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
719 CE_KU_KeyAgreement | CE_KU_EncipherOnly,
720 NULL,
721 "CSSMERR_TP_VERIFY_ACTION_FAILED",
722 "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
723 },
724 {
725 "Key Usage KeyAgreement bad DecipherOnly",
726 CVP_SMIME,
727 NULL, GOOD_EMAIL, CSSM_FALSE,
728 COMMON_NAME, GOOD_EMAIL,
729 CE_KU_KeyAgreement | CE_KU_EncipherOnly, CSSM_TRUE,
730 CE_KU_KeyAgreement | CE_KU_DecipherOnly,
731 NULL,
732 "CSSMERR_TP_VERIFY_ACTION_FAILED",
733 "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
734 },
735
736 /* Extended Key Usage tests */
737 {
738 "Extended Key Usage EmailProtection, S/MIME",
739 CVP_SMIME,
740 NULL, GOOD_EMAIL, CSSM_FALSE,
741 COMMON_NAME, GOOD_EMAIL,
742 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
743 &CSSMOID_EmailProtection,
744 NULL, NULL
745 },
746 {
747 "Extended Key Usage EmailProtection, iChat",
748 CVP_iChat,
749 NULL, GOOD_EMAIL, CSSM_FALSE,
750 COMMON_NAME, GOOD_EMAIL,
751 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
752 &CSSMOID_EmailProtection,
753 NULL, NULL
754 },
755 {
756 "Extended Key Usage ExtendedKeyUsageAny, S/MIME",
757 CVP_SMIME,
758 NULL, GOOD_EMAIL, CSSM_FALSE,
759 COMMON_NAME, GOOD_EMAIL,
760 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
761 &CSSMOID_ExtendedKeyUsageAny,
762 NULL, NULL
763 },
764 {
765 "Extended Key Usage ExtendedKeyUsageAny, iChat",
766 CVP_iChat,
767 NULL, GOOD_EMAIL, CSSM_FALSE,
768 COMMON_NAME, GOOD_EMAIL,
769 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
770 &CSSMOID_ExtendedKeyUsageAny,
771 NULL, NULL
772 },
773 {
774 "Extended Key Usage TimeStamping (bad), S/MIME",
775 CVP_SMIME,
776 NULL, GOOD_EMAIL, CSSM_FALSE,
777 COMMON_NAME, GOOD_EMAIL,
778 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
779 &CSSMOID_TimeStamping,
780 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
781 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE"
782 },
783 {
784 "Extended Key Usage TimeStamping (bad), iChat",
785 CVP_iChat,
786 NULL, GOOD_EMAIL, CSSM_FALSE,
787 COMMON_NAME, GOOD_EMAIL,
788 KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
789 &CSSMOID_TimeStamping,
790 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
791 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE"
792 },
793 {
794 "iChat custom, missing ICHAT_SIGNING EKU",
795 CVP_iChat,
796 NULL, NULL, CSSM_FALSE, // no email address
797 ICHAT_NAME, ICHAT_HANDLE,
798 CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_DigitalSignature,
799 NULL, // requires &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
800 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
801 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
802 ICHAT_DOMAIN, ICHAT_ORG
803 },
804 {
805 "iChat custom, missing ICHAT_ENCRYPTION EKU",
806 CVP_iChat,
807 NULL, NULL, CSSM_FALSE, // no email address
808 ICHAT_NAME, ICHAT_HANDLE,
809 CE_KU_DataEncipherment, CSSM_TRUE, CE_KU_DataEncipherment,
810 NULL, // requires &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
811 "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
812 "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
813 ICHAT_DOMAIN, ICHAT_ORG
814 },
815 };
816
817 #define NUM_TEST_CASES (sizeof(testCases) / sizeof(SP_TestCase))
818
819 /*
820 * Generate a pair of certs. Root is standard, we never mess with
821 * it.
822 */
823 static CSSM_RETURN genCerts(
824 CSSM_CL_HANDLE clHand,
825 CSSM_CSP_HANDLE cspHand,
826 CSSM_TP_HANDLE tpHand,
827 CSSM_KEY_PTR rootPrivKey,
828 CSSM_KEY_PTR rootPubKey,
829 CSSM_KEY_PTR subjPubKey,
830
831 /* all five SubjectName components are optional */
832 const char *subjNameEmail, // CSSMOID_EmailAddress
833 const char *subjAltNameEmail, // RFC822Name
834 const char *subjNameCommon,
835 CSSM_BOOL subjAltNameCritical,
836 const char *subjOrgUnit,
837 const char *subjOrgName,
838
839 /* Key Usage - if zero, no KU extension */
840 CE_KeyUsage certKeyUse,
841 CSSM_BOOL keyUseCritical,
842
843 /* ExtendedKeyUSage OID - if NULL, no EKU extension */
844 const CSSM_OID *ekuOid,
845
846 CSSM_DATA &rootCert, // RETURNED
847 CSSM_DATA &subjCert) // RETURNED
848
849 {
850 CSSM_DATA refId;
851 // mallocd by CSSM_TP_SubmitCredRequest
852 CSSM_RETURN crtn;
853 CSSM_APPLE_TP_CERT_REQUEST certReq;
854 CSSM_TP_REQUEST_SET reqSet;
855 sint32 estTime;
856 CSSM_BOOL confirmRequired;
857 CSSM_TP_RESULT_SET_PTR resultSet;
858 CSSM_ENCODED_CERT *encCert;
859 CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
860 CSSM_FIELD policyId;
861 CE_GeneralNames genNames;
862 CE_GeneralName genName;
863 CE_ExtendedKeyUsage extendedKeyUse;
864
865 /*
866 * Subject has zero, one, two, or three extensions (KeyUsage,
867 * subjectAltName, extendedKeyUsage); root has two: KeyUsage and
868 * BasicConstraints.
869 */
870 CE_DataAndType rootExts[2];
871 CE_DataAndType leafExts[3];
872 unsigned numLeafExts = 0;
873
874 /*
875 * root extensions
876 * 1. KeyUSage
877 */
878 rootExts[0].type = DT_KeyUsage;
879 rootExts[0].critical = CSSM_TRUE;
880 rootExts[0].extension.keyUsage =
881 CE_KU_DigitalSignature | CE_KU_KeyCertSign;
882
883 /*
884 * 2. BasicConstraints
885 */
886 rootExts[1].type = DT_BasicConstraints;
887 rootExts[1].critical = CSSM_TRUE;
888 rootExts[1].extension.basicConstraints.cA = CSSM_TRUE;
889 rootExts[1].extension.basicConstraints.pathLenConstraintPresent =
890 CSSM_TRUE;
891 rootExts[1].extension.basicConstraints.pathLenConstraint = 2;
892
893 /*
894 * Leaf extensions - all are optional
895 */
896 if(certKeyUse) {
897 leafExts[0].type = DT_KeyUsage;
898 leafExts[0].critical = keyUseCritical;
899 leafExts[0].extension.keyUsage = certKeyUse;
900 numLeafExts++;
901 }
902 if(subjAltNameEmail) {
903 leafExts[numLeafExts].type = DT_SubjectAltName;
904 leafExts[numLeafExts].critical = subjAltNameCritical;
905
906 genName.berEncoded = CSSM_FALSE;
907 genName.name.Data = (uint8 *)subjAltNameEmail;
908 genName.nameType = GNT_RFC822Name;
909 genName.name.Length = strlen(subjAltNameEmail);
910
911 genNames.numNames = 1;
912 genNames.generalName = &genName;
913 leafExts[numLeafExts].extension.subjectAltName = genNames;
914 numLeafExts++;
915 }
916 if(ekuOid) {
917 leafExts[numLeafExts].type = DT_ExtendedKeyUsage;
918 leafExts[numLeafExts].critical = CSSM_FALSE; // don't care - right?
919 extendedKeyUse.numPurposes = 1;
920 extendedKeyUse.purposes = (CSSM_OID_PTR)ekuOid;
921 leafExts[numLeafExts].extension.extendedKeyUsage = extendedKeyUse;
922 numLeafExts++;
923 }
924
925 /*
926 * Variable length subject name for leaf
927 */
928 CSSM_APPLE_TP_NAME_OID subjRdn[4];
929 unsigned numSubjNames = 0;
930 if(subjNameEmail) {
931 subjRdn[0].string = subjNameEmail;
932 subjRdn[0].oid = &CSSMOID_EmailAddress;
933 numSubjNames++;
934 }
935 if(subjNameCommon) {
936 subjRdn[numSubjNames].string = subjNameCommon;
937 subjRdn[numSubjNames].oid = &CSSMOID_CommonName;
938 numSubjNames++;
939 }
940 if(subjOrgUnit) {
941 subjRdn[numSubjNames].string = subjOrgUnit;
942 subjRdn[numSubjNames].oid = &CSSMOID_OrganizationalUnitName;
943 numSubjNames++;
944 }
945 if(subjOrgName) {
946 subjRdn[numSubjNames].string = subjOrgName;
947 subjRdn[numSubjNames].oid = &CSSMOID_OrganizationName;
948 numSubjNames++;
949 }
950
951 /* certReq for root */
952 memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
953 certReq.cspHand = cspHand;
954 certReq.clHand = clHand;
955 certReq.serialNumber = 0x12345678;
956 certReq.numSubjectNames = NUM_ROOT_NAMES;
957 certReq.subjectNames = rootRdn;
958 certReq.numIssuerNames = 0;
959 certReq.issuerNames = NULL;
960 certReq.certPublicKey = rootPubKey;
961 certReq.issuerPrivateKey = rootPrivKey;
962 certReq.signatureAlg = SIG_ALG_DEFAULT;
963 certReq.signatureOid = SIG_OID_DEFAULT;
964 certReq.notBefore = 0; // now
965 certReq.notAfter = 10000; // seconds from now
966 certReq.numExtensions = 2;
967 certReq.extensions = rootExts;
968
969 reqSet.NumberOfRequests = 1;
970 reqSet.Requests = &certReq;
971
972 /* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
973 memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
974 memset(&policyId, 0, sizeof(CSSM_FIELD));
975 policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
976 CallerAuthContext.Policy.NumberOfPolicyIds = 1;
977 CallerAuthContext.Policy.PolicyIds = &policyId;
978
979 /* generate root cert */
980 crtn = CSSM_TP_SubmitCredRequest(tpHand,
981 NULL, // PreferredAuthority
982 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
983 &reqSet,
984 &CallerAuthContext,
985 &estTime,
986 &refId);
987 if(crtn) {
988 printError("CSSM_TP_SubmitCredRequest", crtn);
989 return crtn;
990 }
991 crtn = CSSM_TP_RetrieveCredResult(tpHand,
992 &refId,
993 NULL, // CallerAuthCredentials
994 &estTime,
995 &confirmRequired,
996 &resultSet);
997 if(crtn) {
998 printError("CSSM_TP_RetrieveCredResult", crtn);
999 return crtn;
1000 }
1001 if(resultSet == NULL) {
1002 printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
1003 return crtn;
1004 }
1005 encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
1006 rootCert = encCert->CertBlob;
1007 CSSM_FREE(encCert);
1008 CSSM_FREE(resultSet);
1009
1010 /* now a subject cert signed by the root cert */
1011 certReq.serialNumber = 0x8765;
1012 certReq.numSubjectNames = numSubjNames;
1013 certReq.subjectNames = subjRdn;
1014 certReq.numIssuerNames = NUM_ROOT_NAMES;
1015 certReq.issuerNames = rootRdn;
1016 certReq.certPublicKey = subjPubKey;
1017 certReq.issuerPrivateKey = rootPrivKey;
1018 certReq.numExtensions = numLeafExts;
1019 certReq.extensions = leafExts;
1020
1021 crtn = CSSM_TP_SubmitCredRequest(tpHand,
1022 NULL, // PreferredAuthority
1023 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
1024 &reqSet,
1025 &CallerAuthContext,
1026 &estTime,
1027 &refId);
1028 if(crtn) {
1029 printError("CSSM_TP_SubmitCredRequest (2)", crtn);
1030 return crtn;
1031 }
1032 crtn = CSSM_TP_RetrieveCredResult(tpHand,
1033 &refId,
1034 NULL, // CallerAuthCredentials
1035 &estTime,
1036 &confirmRequired,
1037 &resultSet); // leaks.....
1038 if(crtn) {
1039 printError("CSSM_TP_RetrieveCredResult (2)", crtn);
1040 return crtn;
1041 }
1042 if(resultSet == NULL) {
1043 printf("***CSSM_TP_RetrieveCredResult (2) returned NULL "
1044 "result set.\n");
1045 return crtn;
1046 }
1047 encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
1048 subjCert = encCert->CertBlob;
1049 CSSM_FREE(encCert);
1050 CSSM_FREE(resultSet);
1051
1052 return CSSM_OK;
1053 }
1054
1055 static void copyToBlob(
1056 const CSSM_DATA &src,
1057 CSSM_DATA &blob)
1058 {
1059 blob.Data = (uint8 *)malloc(src.Length);
1060 blob.Length = src.Length;
1061 memmove(blob.Data, src.Data, src.Length);
1062 }
1063
1064 int main(int argc, char **argv)
1065 {
1066 CSSM_CL_HANDLE clHand; // CL handle
1067 CSSM_CSP_HANDLE cspHand; // CSP handle
1068 CSSM_TP_HANDLE tpHand; // TP handle
1069 CSSM_DATA rootCert;
1070 CSSM_DATA subjCert;
1071 CSSM_KEY subjPubKey; // subject's RSA public key blob
1072 CSSM_KEY subjPrivKey; // subject's RSA private key - ref format
1073 CSSM_KEY rootPubKey; // root's RSA public key blob
1074 CSSM_KEY rootPrivKey; // root's RSA private key - ref format
1075 CSSM_RETURN crtn = CSSM_OK;
1076 int vfyRtn = 0;
1077 int arg;
1078 SP_TestCase *testCase;
1079 unsigned testNum;
1080
1081 CSSM_BOOL printLeafCerts = CSSM_FALSE;
1082 CSSM_BOOL quiet = CSSM_FALSE;
1083 CSSM_BOOL verbose = CSSM_FALSE;
1084 CSSM_BOOL doPause = CSSM_FALSE;
1085
1086 for(arg=1; arg<argc; arg++) {
1087 char *argp = argv[arg];
1088 switch(argp[0]) {
1089 case 'p':
1090 printLeafCerts = CSSM_TRUE;
1091 break;
1092 case 'P':
1093 doPause = CSSM_TRUE;
1094 break;
1095 case 'q':
1096 quiet = CSSM_TRUE;
1097 break;
1098 case 'v':
1099 verbose = CSSM_TRUE;
1100 break;
1101 default:
1102 usage(argv);
1103 }
1104 }
1105
1106 testStartBanner("smimePolicy", argc, argv);
1107
1108 /* connect to CL, TP, and CSP */
1109 clHand = clStartup();
1110 if(clHand == 0) {
1111 return 0;
1112 }
1113 tpHand = tpStartup();
1114 if(tpHand == 0) {
1115 return 0;
1116 }
1117 cspHand = cspStartup();
1118 if(cspHand == 0) {
1119 return 0;
1120 }
1121
1122 /* subsequent errors to abort: to detach */
1123
1124 /* cook up an RSA key pair for the subject */
1125 crtn = cspGenKeyPair(cspHand,
1126 KEY_ALG_DEFAULT,
1127 SUBJ_KEY_LABEL,
1128 strlen(SUBJ_KEY_LABEL),
1129 KEY_SIZE_DEFAULT,
1130 &subjPubKey,
1131 CSSM_FALSE, // pubIsRef
1132 CSSM_KEYUSE_VERIFY,
1133 CSSM_KEYBLOB_RAW_FORMAT_NONE,
1134 &subjPrivKey,
1135 CSSM_TRUE, // privIsRef - doesn't matter
1136 CSSM_KEYUSE_SIGN,
1137 CSSM_KEYBLOB_RAW_FORMAT_NONE,
1138 CSSM_FALSE);
1139 if(crtn) {
1140 return crtn;
1141 }
1142
1143 /* and the root */
1144 crtn = cspGenKeyPair(cspHand,
1145 KEY_ALG_DEFAULT,
1146 ROOT_KEY_LABEL,
1147 strlen(ROOT_KEY_LABEL),
1148 KEY_SIZE_DEFAULT,
1149 &rootPubKey,
1150 CSSM_FALSE, // pubIsRef
1151 CSSM_KEYUSE_VERIFY,
1152 CSSM_KEYBLOB_RAW_FORMAT_NONE,
1153 &rootPrivKey,
1154 CSSM_TRUE, // privIsRef - doesn't matter
1155 CSSM_KEYUSE_SIGN,
1156 CSSM_KEYBLOB_RAW_FORMAT_NONE,
1157 CSSM_FALSE);
1158 if(crtn) {
1159 goto abort;
1160 }
1161
1162 for(testNum=0; testNum<NUM_TEST_CASES; testNum++) {
1163 testCase = &testCases[testNum];
1164 if(!quiet) {
1165 printf("%s\n", testCase->testDesc);
1166 }
1167 crtn = genCerts(clHand, cspHand, tpHand,
1168 &rootPrivKey, &rootPubKey, &subjPubKey,
1169 testCase->subjNameEmail, testCase->subjAltNameEmail,
1170 testCase->subjNameCommon, testCase->subjAltNameCritical,
1171 testCase->orgUnit, testCase->orgName,
1172 testCase->certKeyUse, testCase->keyUseCritical, testCase->ekuOid,
1173 rootCert, subjCert);
1174 if(printLeafCerts) {
1175 printCert(subjCert.Data, subjCert.Length, CSSM_FALSE);
1176 }
1177 BlobList leaf;
1178 BlobList root;
1179 /* BlobList uses regular free() on the referent of the blobs */
1180 CSSM_DATA blob;
1181 copyToBlob(subjCert, blob);
1182 CSSM_FREE(subjCert.Data);
1183 leaf.addBlob(blob);
1184 copyToBlob(rootCert, blob);
1185 CSSM_FREE(rootCert.Data);
1186 root.addBlob(blob);
1187 if(crtn) {
1188 if(testError(quiet)) {
1189 break;
1190 }
1191 }
1192 vfyRtn = certVerifySimple(tpHand, clHand, cspHand,
1193 leaf, root,
1194 CSSM_FALSE, // useSystemAnchors
1195 CSSM_FALSE, // leafCertIsCA
1196 CSSM_FALSE, // allow expired root
1197 testCase->policy,
1198 NULL, // sslHost
1199 CSSM_FALSE, // sslClient
1200 testCase->vfyEmailAddrs,
1201 testCase->vfyKeyUse,
1202 testCase->expectErrStr,
1203 testCase->certErrorStr ? 1 : 0,
1204 testCase->certErrorStr ? (const char **)&testCase->certErrorStr :
1205 NULL,
1206 0, NULL, // certStatus
1207 CSSM_FALSE, // trustSettings
1208 quiet,
1209 verbose);
1210 if(vfyRtn) {
1211 if(testError(quiet)) {
1212 break;
1213 }
1214 }
1215 /* cert data freed by ~BlobList */
1216
1217 if(doPause) {
1218 fpurge(stdin);
1219 printf("Pausing for mallocDebug. CR to continue: ");
1220 getchar();
1221 }
1222 }
1223
1224 /* free keys */
1225 cspFreeKey(cspHand, &rootPubKey);
1226 cspFreeKey(cspHand, &rootPrivKey);
1227 cspFreeKey(cspHand, &subjPubKey);
1228 cspFreeKey(cspHand, &subjPrivKey);
1229
1230 abort:
1231 if(cspHand != 0) {
1232 CSSM_ModuleDetach(cspHand);
1233 }
1234 if(clHand != 0) {
1235 CSSM_ModuleDetach(clHand);
1236 }
1237 if(tpHand != 0) {
1238 CSSM_ModuleDetach(tpHand);
1239 }
1240 if(!vfyRtn && !crtn && !quiet) {
1241 printf("...test passed\n");
1242 }
1243 return 0;
1244 }
1245
1246