+++ /dev/null
-/*
- * Copyright (c) 2002,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * The contents of this file constitute Original Code as defined in and are
- * subject to the Apple Public Source License Version 1.2 (the 'License').
- * You may not use this file except in compliance with the License. Please obtain
- * a copy of the License at http://www.apple.com/publicsource and read it before
- * using this file.
- *
- * This Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
- * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
- * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
- * specific language governing rights and limitations under the License.
- */
-
-/*
- * cuPrintCert.cpp - Parse a cert or CRL, dump contents.
- */
-#include "cuCdsaUtils.h"
-#include <stdio.h>
-#include <stdlib.h>
-#include <Security/oidscert.h>
-#include <Security/oidscrl.h>
-#include <Security/x509defs.h>
-#include <Security/oidsattr.h>
-#include <Security/oidsalg.h>
-#include <Security/cssmapple.h>
-#include <string.h>
-#include "cuPrintCert.h"
-#include "cuOidParser.h"
-#include "cuTimeStr.h"
-#include <Security/certextensions.h>
-#include <Security/SecAsn1Coder.h>
-#include <Security/keyTemplates.h>
-
-static const char *months[] = {
- "Jan", "Feb", "Mar", "Apr", "May", "Jun",
- "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-};
-
-static void printTimeStr(const CSSM_DATA *cssmTime)
-{
- struct tm tm;
-
- /* ignore cssmTime->timeType for now */
- if(cuTimeStringToTm((char *)cssmTime->Data, (unsigned int)cssmTime->Length, &tm)) {
- printf("***Bad time string format***\n");
- return;
- }
- if(tm.tm_mon > 11) {
- printf("***Bad time string format***\n");
- return;
- }
- printf("%02d:%02d:%02d %s %d, %04d\n",
- tm.tm_hour, tm.tm_min, tm.tm_sec,
- months[tm.tm_mon], tm.tm_mday, tm.tm_year + 1900);
-
-}
-
-
-static void printTime(const CSSM_X509_TIME *cssmTime)
-{
- /* ignore cssmTime->timeType for now */
- printTimeStr(&cssmTime->time);
-}
-
-static void printDataAsHex(
- const CSSM_DATA *d,
- unsigned maxToPrint = 0) // optional, 0 means print it all
-{
- unsigned i;
- bool more = false;
- uint32 len = (uint32)d->Length;
- uint8 *cp = d->Data;
-
- if((maxToPrint != 0) && (len > maxToPrint)) {
- len = maxToPrint;
- more = true;
- }
- for(i=0; i<len; i++) {
- printf("%02X ", ((unsigned char *)cp)[i]);
- }
- if(more) {
- printf("...\n");
- }
- else {
- printf("\n");
- }
-}
-
-/*
- * Identify CSSM_BER_TAG with a C string.
- */
-static const char *tagTypeString(
- CSSM_BER_TAG tagType)
-{
- static char unknownType[80];
-
- switch(tagType) {
- case BER_TAG_UNKNOWN:
- return "BER_TAG_UNKNOWN";
- case BER_TAG_BOOLEAN:
- return "BER_TAG_BOOLEAN";
- case BER_TAG_INTEGER:
- return "BER_TAG_INTEGER";
- case BER_TAG_BIT_STRING:
- return "BER_TAG_BIT_STRING";
- case BER_TAG_OCTET_STRING:
- return "BER_TAG_OCTET_STRING";
- case BER_TAG_NULL:
- return "BER_TAG_NULL";
- case BER_TAG_OID:
- return "BER_TAG_OID";
- case BER_TAG_SEQUENCE:
- return "BER_TAG_SEQUENCE";
- case BER_TAG_SET:
- return "BER_TAG_SET";
- case BER_TAG_PRINTABLE_STRING:
- return "BER_TAG_PRINTABLE_STRING";
- case BER_TAG_T61_STRING:
- return "BER_TAG_T61_STRING";
- case BER_TAG_IA5_STRING:
- return "BER_TAG_IA5_STRING";
- case BER_TAG_UTC_TIME:
- return "BER_TAG_UTC_TIME";
- case BER_TAG_GENERALIZED_TIME:
- return "BER_TAG_GENERALIZED_TIME";
- default:
- sprintf(unknownType, "Other type (0x%x)", tagType);
- return unknownType;
- }
-}
-
-/*
- * Print an OID, assumed to be in BER encoded "Intel" format
- * Length is inferred from oid->Length
- * Tag is implied
- */
-static void printOid(OidParser &parser, const CSSM_DATA *oid)
-{
- char strBuf[OID_PARSER_STRING_SIZE];
-
- if(oid == NULL) {
- printf("NULL\n");
- return;
- }
- if((oid->Length == 0) || (oid->Data == NULL)) {
- printf("EMPTY\n");
- return;
- }
- parser.oidParse(oid->Data, (unsigned int)oid->Length, strBuf);
- printf("%s\n", strBuf);
-}
-
-/*
- * Used to print generic blobs which we don't really understand.
- * The bytesToPrint argument is usually thing->Length; it's here because snacc
- * peports lengths of bit strings in BITS. Caller knows this and
- * modifies bytesToPrint accordingly. In any case, bytesToPrint is the
- * max number of valid bytes in *thing->Data.
- */
-#define BLOB_LENGTH_PRINT 3
-
-static void printBlobBytes(
- const char *blobType,
- const char *quanta, // e.g., "bytes', "bits"
- uint32 bytesToPrint,
- const CSSM_DATA *thing)
-{
- uint32 dex;
- uint32 toPrint = bytesToPrint;
-
- if(toPrint > BLOB_LENGTH_PRINT) {
- toPrint = BLOB_LENGTH_PRINT;
- }
- printf("%s; Length %u %s; data = ",
- blobType, (unsigned)thing->Length, quanta);
- for(dex=0; dex<toPrint; dex++) {
- printf("0x%x ", thing->Data[dex]);
- if(dex == (toPrint - 1)) {
- break;
- }
- }
- if(dex < bytesToPrint) {
- printf(" ...\n");
- }
- else {
- printf("\n");
- }
-}
-
-/*
- * Print an IA5String or Printable string. Null terminator is not assumed.
- * Trailing newline is printed.
- */
-static void printString(
- const CSSM_DATA *str)
-{
- unsigned i;
- char *cp = (char *)str->Data;
- for(i=0; i<str->Length; i++) {
- printf("%c", *cp++);
- }
- printf("\n");
-}
-
-static void printDerThing(
- CSSM_BER_TAG tagType,
- const CSSM_DATA *thing,
- OidParser &parser)
-{
- switch(tagType) {
- case BER_TAG_INTEGER:
- printf("%d\n", cuDER_ToInt(thing));
- return;
- case BER_TAG_BOOLEAN:
- if(thing->Length != 1) {
- printf("***malformed BER_TAG_BOOLEAN: length %u data ",
- (unsigned)thing->Length);
- }
- printf("%u\n", cuDER_ToInt(thing));
- return;
- case BER_TAG_PRINTABLE_STRING:
- case BER_TAG_IA5_STRING:
- case BER_TAG_T61_STRING:
- case BER_TAG_PKIX_UTF8_STRING: // mostly printable....
- printString(thing);
- return;
- case BER_TAG_OCTET_STRING:
- printBlobBytes("Byte string", "bytes", (uint32)thing->Length, thing);
- return;
- case BER_TAG_BIT_STRING:
- printBlobBytes("Bit string", "bits", (uint32)(thing->Length + 7) / 8, thing);
- return;
- case BER_TAG_SEQUENCE:
- printBlobBytes("Sequence", "bytes", (uint32)thing->Length, thing);
- return;
- case BER_TAG_SET:
- printBlobBytes("Set", "bytes", (uint32)thing->Length, thing);
- return;
- case BER_TAG_OID:
- printf("OID = ");
- printOid(parser, thing);
- break;
- default:
- printf("not displayed (tagType = %s; length %u)\n",
- tagTypeString(tagType), (unsigned)thing->Length);
- break;
-
- }
-}
-
-/* compare two OIDs, return CSSM_TRUE if identical */
-static CSSM_BOOL compareOids(
- const CSSM_OID *oid1,
- const CSSM_OID *oid2)
-{
- if((oid1 == NULL) || (oid2 == NULL)) {
- return CSSM_FALSE;
- }
- if(oid1->Length != oid2->Length) {
- return CSSM_FALSE;
- }
- if(memcmp(oid1->Data, oid2->Data, oid1->Length)) {
- return CSSM_FALSE;
- }
- else {
- return CSSM_TRUE;
- }
-}
-
-/*
- * Following a CSSMOID_ECDSA_WithSpecified algorithm is another encoded
- * CSSM_X509_ALGORITHM_IDENTIFIER containing the digest algorithm OID.
- * Decode and print the OID.
- */
-static void printECDSA_SigAlgParams(
- const CSSM_DATA *params,
- OidParser &parser)
-{
- SecAsn1CoderRef coder = NULL;
- if(SecAsn1CoderCreate(&coder)) {
- printf("***Error in SecAsn1CoderCreate()\n");
- return;
- }
- CSSM_X509_ALGORITHM_IDENTIFIER algParams;
- memset(&algParams, 0, sizeof(algParams));
- if(SecAsn1DecodeData(coder, params, kSecAsn1AlgorithmIDTemplate,
- &algParams)) {
- printf("***Error decoding CSSM_X509_ALGORITHM_IDENTIFIER\n");
- goto errOut;
- }
- printOid(parser, &algParams.algorithm);
-errOut:
- SecAsn1CoderRelease(coder);
-}
-
-static void printSigAlg(
- const CSSM_X509_ALGORITHM_IDENTIFIER *sigAlg,
- OidParser &parser)
-{
- printOid(parser, &sigAlg->algorithm);
- if(sigAlg->parameters.Data != NULL) {
- printf(" alg params : ");
- if(compareOids(&sigAlg->algorithm, &CSSMOID_ecPublicKey) &&
- (sigAlg->parameters.Data[0] == BER_TAG_OID) &&
- (sigAlg->parameters.Length > 2)) {
- /*
- * An OID accompanying an ECDSA public key. The OID is an ECDSA curve.
- * Do a quickie DER-decode of the OID - it's here in encoded form
- * because this field is an ASN_ANY - and print the resulting OID.
- */
- CSSM_OID curveOid = {sigAlg->parameters.Length-2, sigAlg->parameters.Data+2};
- printOid(parser, &curveOid);
- }
- else if(compareOids(&sigAlg->algorithm, &CSSMOID_ECDSA_WithSpecified)) {
- /*
- * The accompanying params specify the digest algorithm.
- */
- printECDSA_SigAlgParams(&sigAlg->parameters, parser);
- }
- else {
- /* All others - ASN_ANY - punt */
- printDataAsHex(&sigAlg->parameters, 8);
- }
- }
-}
-
-static void printRdn(
- const CSSM_X509_RDN *rdnp,
- OidParser &parser)
-{
- CSSM_X509_TYPE_VALUE_PAIR *ptvp;
- unsigned pairDex;
- const char *fieldName;
-
- for(pairDex=0; pairDex<rdnp->numberOfPairs; pairDex++) {
- ptvp = &rdnp->AttributeTypeAndValue[pairDex];
- if(compareOids(&ptvp->type, &CSSMOID_CountryName)) {
- fieldName = "Country ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_OrganizationName)) {
- fieldName = "Org ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_LocalityName)) {
- fieldName = "Locality ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_OrganizationalUnitName)) {
- fieldName = "OrgUnit ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_CommonName)) {
- fieldName = "Common Name ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_Surname)) {
- fieldName = "Surname ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_Title)) {
- fieldName = "Title ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_Surname)) {
- fieldName = "Surname ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_StateProvinceName)) {
- fieldName = "State ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_CollectiveStateProvinceName)) {
- fieldName = "Coll. State ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_EmailAddress)) {
- /* deprecated, used by Thawte */
- fieldName = "Email addrs ";
- }
- else if(compareOids(&ptvp->type, &CSSMOID_Description)) {
- fieldName = "Description ";
- }
- else {
- fieldName = "Other name ";
- }
- printf(" %s : ", fieldName);
- printDerThing(ptvp->valueType, &ptvp->value, parser);
- } /* for each type/value pair */
-}
-
-static CSSM_RETURN printName(
- const CSSM_X509_NAME *x509Name,
- OidParser &parser)
-{
- CSSM_X509_RDN_PTR rdnp;
- unsigned rdnDex;
-
- for(rdnDex=0; rdnDex<x509Name->numberOfRDNs; rdnDex++) {
- rdnp = &x509Name->RelativeDistinguishedName[rdnDex];
- printRdn(rdnp, parser);
- }
-
- return CSSM_OK;
-}
-
-static void printKeyHeader(
- const CSSM_KEYHEADER &hdr)
-{
- printf(" Algorithm : ");
- switch(hdr.AlgorithmId) {
- case CSSM_ALGID_RSA:
- printf("RSA\n");
- break;
- case CSSM_ALGID_DSA:
- printf("DSA\n");
- break;
- case CSSM_ALGID_FEE:
- printf("FEE\n");
- break;
- case CSSM_ALGID_DH:
- printf("Diffie-Hellman\n");
- break;
- case CSSM_ALGID_ECDSA:
- printf("ECDSA\n");
- break;
- default:
- printf("Unknown(%u(d), 0x%x)\n", (unsigned)hdr.AlgorithmId,
- (unsigned)hdr.AlgorithmId);
- }
- printf(" Key Size : %u bits\n", (unsigned)hdr.LogicalKeySizeInBits);
- printf(" Key Use : ");
- CSSM_KEYUSE usage = hdr.KeyUsage;
- if(usage & CSSM_KEYUSE_ANY) {
- printf("CSSM_KEYUSE_ANY ");
- }
- if(usage & CSSM_KEYUSE_ENCRYPT) {
- printf("CSSM_KEYUSE_ENCRYPT ");
- }
- if(usage & CSSM_KEYUSE_DECRYPT) {
- printf("CSSM_KEYUSE_DECRYPT ");
- }
- if(usage & CSSM_KEYUSE_SIGN) {
- printf("CSSM_KEYUSE_SIGN ");
- }
- if(usage & CSSM_KEYUSE_VERIFY) {
- printf("CSSM_KEYUSE_VERIFY ");
- }
- if(usage & CSSM_KEYUSE_SIGN_RECOVER) {
- printf("CSSM_KEYUSE_SIGN_RECOVER ");
- }
- if(usage & CSSM_KEYUSE_VERIFY_RECOVER) {
- printf("CSSM_KEYUSE_VERIFY_RECOVER ");
- }
- if(usage & CSSM_KEYUSE_WRAP) {
- printf("CSSM_KEYUSE_WRAP ");
- }
- if(usage & CSSM_KEYUSE_UNWRAP) {
- printf("CSSM_KEYUSE_UNWRAP ");
- }
- if(usage & CSSM_KEYUSE_DERIVE) {
- printf("CSSM_KEYUSE_DERIVE ");
- }
- printf("\n");
-
-}
-
-/*
- * Print contents of a CE_GeneralName as best we can.
- */
-static void printGeneralName(
- const CE_GeneralName *name,
- OidParser &parser)
-{
- switch(name->nameType) {
- case GNT_RFC822Name:
- printf(" RFC822Name : ");
- printString(&name->name);
- break;
- case GNT_DNSName:
- printf(" DNSName : ");
- printString(&name->name);
- break;
- case GNT_URI:
- printf(" URI : ");
- printString(&name->name);
- break;
- case GNT_IPAddress:
- printf(" IP Address : ");
- for(unsigned i=0; i<name->name.Length; i++) {
- printf("%d", name->name.Data[i]);
- if(i < (name->name.Length - 1)) {
- printf(".");
- }
- }
- printf("\n");
- break;
- case GNT_RegisteredID:
- printf(" RegisteredID : ");
- printOid(parser, &name->name);
- break;
- case GNT_X400Address:
- /* ORAddress, a very complicated struct - punt */
- printf(" X400Address : ");
- printBlobBytes("Sequence", "bytes", (uint32)name->name.Length, &name->name);
- break;
- case GNT_DirectoryName:
- if(!name->berEncoded) {
- /* CL parsed it for us into an CSSM_X509_NAME */
- if(name->name.Length != sizeof(CSSM_X509_NAME)) {
- printf("***MALFORMED GNT_DirectoryName\n");
- break;
- }
- const CSSM_X509_NAME *x509Name =
- (const CSSM_X509_NAME *)name->name.Data;
- printf(" Dir Name :\n");
- printName(x509Name, parser);
- }
- else {
- /* encoded Name (i.e. CSSM_X509_NAME) */
- printf(" Dir Name : ");
- printBlobBytes("Byte string", "bytes",
- (uint32)name->name.Length, &name->name);
- }
- break;
- case GNT_EdiPartyName:
- /* sequence EDIPartyName */
- printf(" EdiPartyName : ");
- printBlobBytes("Sequence", "bytes", (uint32)name->name.Length, &name->name);
- break;
- case GNT_OtherName:
- {
- printf(" OtherName :\n");
- if(name->name.Length != sizeof(CE_OtherName)) {
- printf("***Malformed CE_OtherName\n");
- break;
- }
- CE_OtherName *other = (CE_OtherName *)name->name.Data;
- printf(" typeID : ");
- printOid(parser, &other->typeId);
- printf(" value : ");
- printDataAsHex(&other->value, 0);
- break;
- }
- }
-}
-
-
-/*
- * Print contents of a CE_GeneralNames as best we can.
- */
-static void printGeneralNames(
- const CE_GeneralNames *generalNames,
- OidParser &parser)
-{
- unsigned i;
- CE_GeneralName *name;
-
- for(i=0; i<generalNames->numNames; i++) {
- name = &generalNames->generalName[i];
- printGeneralName(name, parser);
- }
-}
-
-static int printCdsaExtensionCommon(
- const CSSM_X509_EXTENSION *cssmExt,
- OidParser &parser,
- bool expectParsed,
- CSSM_BOOL verbose,
- bool extraIndent = false)
-{
- if(extraIndent) {
- printf(" Extension : "); printOid(parser, &cssmExt->extnId);
- printf(" Critical : %s\n", cssmExt->critical ? "TRUE" : "FALSE");
- }
- else {
- printf("Extension struct : "); printOid(parser, &cssmExt->extnId);
- printf(" Critical : %s\n", cssmExt->critical ? "TRUE" : "FALSE");
- }
-
- /* currently (since Radar 3593624), these are both always valid */
- #if 0
- /* this prevents printing pre-encoded extensions in clxutils/extenTest */
- if((cssmExt->BERvalue.Data == NULL) ||
- (cssmExt->value.parsedValue == NULL)) { /* actually, one of three variants */
- printf("***Malformed CSSM_X509_EXTENSION (1)\n");
- return 1;
- }
- #endif
- switch(cssmExt->format) {
- case CSSM_X509_DATAFORMAT_ENCODED:
- if(expectParsed) {
- printf("Bad CSSM_X509_EXTENSION; expected FORMAT_PARSED\n");
- return 1;
- }
- break;
- case CSSM_X509_DATAFORMAT_PARSED:
- if(!expectParsed) {
- printf("Bad CSSM_X509_EXTENSION; expected FORMAT_ENCODED\n");
- return 1;
- }
- break;
- case CSSM_X509_DATAFORMAT_PAIR:
- /* unsupported */
- printf("Bad CSSM_X509_EXTENSION format:FORMAT_PAIR\n");
- return 1;
- default:
- printf("***Unknown CSSM_X509_EXTENSION.format\n");
- return 1;
- }
- return 0;
-}
-
-static int printExtensionCommon(
- const CSSM_DATA &value,
- OidParser &parser,
- CSSM_BOOL verbose,
- bool expectParsed = true)
-{
- if(value.Length != sizeof(CSSM_X509_EXTENSION)) {
- printf("***malformed CSSM_FIELD (1)\n");
- return 1;
- }
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- return printCdsaExtensionCommon(cssmExt, parser, expectParsed, verbose);
-}
-
-
-static void printKeyUsage(
- const CSSM_DATA &value)
-{
- CE_KeyUsage usage;
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
-
- usage = *((CE_KeyUsage *)cssmExt->value.parsedValue);
- printf(" usage : ");
- if(usage & CE_KU_DigitalSignature) {
- printf("DigitalSignature ");
- }
- if(usage & CE_KU_NonRepudiation) {
- printf("NonRepudiation ");
- }
- if(usage & CE_KU_KeyEncipherment) {
- printf("KeyEncipherment ");
- }
- if(usage & CE_KU_DataEncipherment) {
- printf("DataEncipherment ");
- }
- if(usage & CE_KU_KeyAgreement) {
- printf("KeyAgreement ");
- }
- if(usage & CE_KU_KeyCertSign) {
- printf("KeyCertSign ");
- }
- if(usage & CE_KU_CRLSign) {
- printf("CRLSign ");
- }
- if(usage & CE_KU_EncipherOnly) {
- printf("EncipherOnly ");
- }
- if(usage & CE_KU_DecipherOnly) {
- printf("DecipherOnly ");
- }
- printf("\n");
-
-}
-
-static void printBasicConstraints(
- const CSSM_DATA &value)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_BasicConstraints *bc = (CE_BasicConstraints *)cssmExt->value.parsedValue;
- printf(" CA : %s\n", bc->cA ? "TRUE" : "FALSE");
- if(bc->pathLenConstraintPresent) {
- printf(" pathLenConstr : %u\n", (unsigned)bc->pathLenConstraint);
- }
-}
-
-static void printExtKeyUsage(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)cssmExt->value.parsedValue;
- unsigned oidDex;
- for(oidDex=0; oidDex<eku->numPurposes; oidDex++) {
- printf(" purpose %2d : ", oidDex);
- printOid(parser, &eku->purposes[oidDex]);
- }
-}
-
-static void printCssmAuthorityKeyId(
- const CE_AuthorityKeyID *akid,
- OidParser &parser)
-{
- if(akid->keyIdentifierPresent) {
- printf(" Auth KeyID : ");
- printDataAsHex(&akid->keyIdentifier,
-8);
- }
- if(akid->generalNamesPresent) {
- printGeneralNames(akid->generalNames, parser);
- }
- if(akid->serialNumberPresent) {
- printf(" serialNumber : ");
- printDataAsHex(&akid->serialNumber, 8);
- }
-}
-
-static void printAuthorityKeyId(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_AuthorityKeyID *akid = (CE_AuthorityKeyID *)cssmExt->value.parsedValue;
- printCssmAuthorityKeyId(akid, parser);
-}
-
-static void printSubjectIssuerAltName(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_GeneralNames *san = (CE_GeneralNames *)cssmExt->value.parsedValue;
- printGeneralNames(san, parser);
-}
-
-static void printDistPointName(
- const CE_DistributionPointName *dpn,
- OidParser &parser)
-{
- switch(dpn->nameType) {
- case CE_CDNT_FullName:
- printGeneralNames(dpn->dpn.fullName, parser);
- break;
- case CE_CDNT_NameRelativeToCrlIssuer:
- printRdn(dpn->dpn.rdn, parser);
- break;
- default:
- printf("***BOGUS CE_DistributionPointName.nameType\n");
- break;
- }
-}
-
-static void printDistPoint(
- const CE_CRLDistributionPoint *dp,
- OidParser &parser)
-{
- if(dp->distPointName) {
- printf(" Dist pt Name :\n");
- printDistPointName(dp->distPointName, parser);
- }
- printf(" reasonsPresent : %s\n", dp->reasonsPresent ? "TRUE" : "FALSE");
- if(dp->reasonsPresent) {
- /* FIXME - parse */
- printf(" reasons : 0x%X\n", dp->reasons);
- }
- if(dp->crlIssuer) {
- printf(" CRLIssuer :\n");
- printGeneralNames(dp->crlIssuer, parser);
- }
-}
-
-static void printDistributionPoints(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_CRLDistPointsSyntax *dps = (CE_CRLDistPointsSyntax *)cssmExt->value.parsedValue;
-
- for(unsigned dex=0; dex<dps->numDistPoints; dex++) {
- printf(" Dist pt %d :\n", dex);
- printDistPoint(&dps->distPoints[dex], parser);
- }
-}
-
-static void printValueOrNotPresent(
- CSSM_BOOL present,
- CSSM_BOOL value)
-{
- if(!present) {
- printf("<Not Present>\n");
- }
- else if(value) {
- printf("TRUE\n");
- }
- else {
- printf("FALSE");
- }
-}
-
-static void printIssuingDistributionPoint(
- const CE_IssuingDistributionPoint *idp,
- OidParser &parser)
-{
- if(idp->distPointName) {
- printf(" Dist pt :\n");
- printDistPointName(idp->distPointName, parser);
- }
- printf(" Only user certs : ");
- printValueOrNotPresent(idp->onlyUserCertsPresent, idp->onlyUserCerts);
- printf(" Only CA certs : ");
- printValueOrNotPresent(idp->onlyCACertsPresent, idp->onlyCACerts);
- printf(" Only some reason: ");
- printValueOrNotPresent(idp->onlySomeReasonsPresent, idp->onlySomeReasons);
- printf(" Indirectl CRL : ");
- printValueOrNotPresent(idp->indirectCrlPresent, idp->indirectCrl);
-}
-
-static void printCertPolicies(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_CertPolicies *cdsaObj = (CE_CertPolicies *)cssmExt->value.parsedValue;
- for(unsigned polDex=0; polDex<cdsaObj->numPolicies; polDex++) {
- CE_PolicyInformation *cPolInfo = &cdsaObj->policies[polDex];
- printf(" Policy %2d : ID ", polDex);
- printOid(parser, &cPolInfo->certPolicyId);
- for(unsigned qualDex=0; qualDex<cPolInfo->numPolicyQualifiers; qualDex++) {
- CE_PolicyQualifierInfo *cQualInfo = &cPolInfo->policyQualifiers[qualDex];
- printf(" Qual %2d : ID ", qualDex);
- printOid(parser, &cQualInfo->policyQualifierId);
- if(cuCompareCssmData(&cQualInfo->policyQualifierId,
- &CSSMOID_QT_CPS)) {
- printf(" CPS : ");
- printString(&cQualInfo->qualifier);
- }
- else {
- printf(" unparsed : ");
- printDataAsHex(&cQualInfo->qualifier, 8);
- }
- }
- }
-}
-
-static void printNetscapeCertType(
- const CSSM_DATA &value)
-{
- CE_NetscapeCertType certType;
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
-
- certType = *((CE_NetscapeCertType *)cssmExt->value.parsedValue);
- printf(" certType : ");
- if(certType & CE_NCT_SSL_Client) {
- printf("SSL_Client ");
- }
- if(certType & CE_NCT_SSL_Server) {
- printf("SSL_Server ");
- }
- if(certType & CE_NCT_SMIME) {
- printf("S/MIME ");
- }
- if(certType & CE_NCT_ObjSign) {
- printf("ObjectSign ");
- }
- if(certType & CE_NCT_Reserved) {
- printf("Reserved ");
- }
- if(certType & CE_NCT_SSL_CA) {
- printf("SSL_CA ");
- }
- if(certType & CE_NCT_SMIME_CA) {
- printf("SMIME_CA ");
- }
- if(certType & CE_NCT_ObjSignCA) {
- printf("ObjSignCA ");
- }
- printf("\n");
-}
-
-static void printAuthorityInfoAccess(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_AuthorityInfoAccess *info = (CE_AuthorityInfoAccess *)cssmExt->value.parsedValue;
-
- printf(" numDescriptions : %lu\n", (unsigned long)info->numAccessDescriptions);
- for(unsigned dex=0; dex<info->numAccessDescriptions; dex++) {
- printf(" description %u : \n", dex);
- printf(" accessMethod : ");
- CE_AccessDescription *descr = &info->accessDescriptions[dex];
- printOid(parser, &descr->accessMethod);
- printGeneralName(&descr->accessLocation, parser);
- }
-}
-
-static void printQualCertStatements(
- const CSSM_DATA &value,
- OidParser &parser)
-{
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)value.Data;
- CE_QC_Statements *qcss = (CE_QC_Statements *)cssmExt->value.parsedValue;
-
- printf(" numQCStatements : %lu\n", (unsigned long)qcss->numQCStatements);
- for(unsigned dex=0; dex<qcss->numQCStatements; dex++) {
- CE_QC_Statement *qcs = &qcss->qcStatements[dex];
-
- printf(" statement %u : \n", dex);
- printf(" statementId : ");
- printOid(parser, &qcs->statementId);
- if(qcs->semanticsInfo) {
- printf(" semanticsInfo :\n");
- CE_SemanticsInformation *si = qcs->semanticsInfo;
- if(si->semanticsIdentifier) {
- printf(" semanticsId : ");
- printOid(parser, si->semanticsIdentifier);
- }
- if(si->nameRegistrationAuthorities) {
- printf(" nameRegAuth :\n");
- printGeneralNames(si->nameRegistrationAuthorities, parser);
- }
- }
- if(qcs->otherInfo) {
- printf(" otherInfo : "); printDataAsHex(qcs->otherInfo, 8);
- }
- }
-}
-
-/* print one field */
-void printCertField(
- const CSSM_FIELD &field,
- OidParser &parser,
- CSSM_BOOL verbose)
-{
- const CSSM_DATA *thisData = &field.FieldValue;
- const CSSM_OID *thisOid = &field.FieldOid;
-
- if(cuCompareCssmData(thisOid, &CSSMOID_X509V1Version)) {
- if(verbose) {
- printf("Version : %u\n", cuDER_ToInt(thisData));
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SerialNumber)) {
- printf("Serial Number : "); printDataAsHex(thisData, 0);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1IssuerNameCStruct)) {
- printf("Issuer Name :\n");
- CSSM_X509_NAME_PTR name = (CSSM_X509_NAME_PTR)thisData->Data;
- if((name == NULL) || (thisData->Length != sizeof(CSSM_X509_NAME))) {
- printf(" ***malformed CSSM_X509_NAME\n");
- }
- else {
- printName(name, parser);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SubjectNameCStruct)) {
- printf("Subject Name :\n");
- CSSM_X509_NAME_PTR name = (CSSM_X509_NAME_PTR)thisData->Data;
- if((name == NULL) || (thisData->Length != sizeof(CSSM_X509_NAME))) {
- printf(" ***malformed CSSM_X509_NAME\n");
- }
- else {
- printName(name, parser);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1ValidityNotBefore)) {
- CSSM_X509_TIME *cssmTime = (CSSM_X509_TIME *)thisData->Data;
- if((cssmTime == NULL) || (thisData->Length != sizeof(CSSM_X509_TIME))) {
- printf(" ***malformed CSSM_X509_TIME\n");
- }
- else if(verbose) {
- printf("Not Before : "); printString(&cssmTime->time);
- printf(" : ");
- printTime(cssmTime);
- }
- else {
- printf("Not Before : ");
- printTime(cssmTime);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1ValidityNotAfter)) {
- CSSM_X509_TIME *cssmTime = (CSSM_X509_TIME *)thisData->Data;
- if((cssmTime == NULL) || (thisData->Length != sizeof(CSSM_X509_TIME))) {
- printf(" ***malformed CSSM_X509_TIME\n");
- }
- else if(verbose) {
- printf("Not After : "); printString(&cssmTime->time);
- printf(" : ");
- printTime(cssmTime);
- }
- else {
- printf("Not After : ");
- printTime(cssmTime);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SignatureAlgorithmTBS)) {
- if(verbose) {
- /* normally skip, it's the same as TBS sig alg */
- printf("TBS Sig Algorithm : ");
- CSSM_X509_ALGORITHM_IDENTIFIER *algId =
- (CSSM_X509_ALGORITHM_IDENTIFIER *)thisData->Data;
- if((algId == NULL) ||
- (thisData->Length != sizeof(CSSM_X509_ALGORITHM_IDENTIFIER))) {
- printf(" ***malformed CSSM_X509_ALGORITHM_IDENTIFIER\n");
- }
- else {
- printSigAlg(algId, parser);
- }
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SignatureAlgorithm)) {
- printf("Cert Sig Algorithm : ");
- CSSM_X509_ALGORITHM_IDENTIFIER *algId =
- (CSSM_X509_ALGORITHM_IDENTIFIER *)thisData->Data;
- if((algId == NULL) ||
- (thisData->Length != sizeof(CSSM_X509_ALGORITHM_IDENTIFIER))) {
- printf(" ***malformed CSSM_X509_ALGORITHM_IDENTIFIER\n");
- }
- else {
- printSigAlg(algId, parser);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1CertificateIssuerUniqueId)) {
- if(verbose) {
- printf("Issuer UniqueId : ");
- printDerThing(BER_TAG_BIT_STRING, thisData, parser);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1CertificateSubjectUniqueId)) {
- if(verbose) {
- printf("Subject UniqueId : ");
- printDerThing(BER_TAG_BIT_STRING, thisData, parser);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SubjectPublicKeyCStruct)) {
- CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo =
- (CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *)thisData->Data;
- printf("Pub Key Algorithm : ");
- if((pubKeyInfo == NULL) ||
- (thisData->Length != sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO))) {
- printf(" ***malformed CSSM_X509_SUBJECT_PUBLIC_KEY_INFO\n");
- }
- else {
- printSigAlg(&pubKeyInfo->algorithm, parser);
- printf("Pub key Bytes : Length %u bytes : ",
- (unsigned)pubKeyInfo->subjectPublicKey.Length);
- printDataAsHex(&pubKeyInfo->subjectPublicKey, 8);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_CSSMKeyStruct)) {
- CSSM_KEY_PTR cssmKey = (CSSM_KEY_PTR)thisData->Data;
- printf("CSSM Key :\n");
- if((cssmKey == NULL) ||
- (thisData->Length != sizeof(CSSM_KEY))) {
- printf(" ***malformed CSSM_KEY\n");
- }
- else {
- printKeyHeader(cssmKey->KeyHeader);
- if(verbose) {
- printf(" Key Blob : ");
- printDataAsHex(&cssmKey->KeyData, 8);
- }
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1Signature)) {
- printf("Signature : %u bytes : ", (unsigned)thisData->Length);
- printDataAsHex(thisData, 8);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V3CertificateExtensionCStruct)) {
- if(printExtensionCommon(*thisData, parser, verbose, false)) {
- return;
- }
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)thisData->Data;
- printf(" Unparsed data : "); printDataAsHex(&cssmExt->BERvalue, 8);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_KeyUsage)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printKeyUsage(*thisData);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_BasicConstraints)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printBasicConstraints(*thisData);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_ExtendedKeyUsage)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printExtKeyUsage(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_SubjectKeyIdentifier)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)thisData->Data;
- CSSM_DATA_PTR cdata = (CSSM_DATA_PTR)cssmExt->value.parsedValue;
- if((cdata == NULL) || (cdata->Data == NULL)) {
- printf("****Malformed extension (no parsedValue)\n");
- }
- else {
- printf(" Subject KeyID : "); printDataAsHex(cdata, 8);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_AuthorityKeyIdentifier)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printAuthorityKeyId(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_SubjectAltName)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printSubjectIssuerAltName(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_IssuerAltName)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printSubjectIssuerAltName(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_CertificatePolicies)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printCertPolicies(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_NetscapeCertType)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printNetscapeCertType(*thisData);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_CrlDistributionPoints)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printDistributionPoints(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_AuthorityInfoAccess)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printAuthorityInfoAccess(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_SubjectInfoAccess)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printAuthorityInfoAccess(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_QC_Statements)) {
- if(printExtensionCommon(*thisData, parser, verbose)) {
- return;
- }
- printQualCertStatements(*thisData, parser);
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1IssuerName)) {
- if(verbose) {
- printf("Normalized Issuer : ");
- printDataAsHex(thisData, 8);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SubjectName)) {
- if(verbose) {
- printf("Normalized Subject : ");
- printDataAsHex(thisData, 8);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1IssuerNameStd)) {
- if(verbose) {
- printf("DER-encoded issuer : ");
- printDataAsHex(thisData, 8);
- }
- }
- else if(cuCompareCssmData(thisOid, &CSSMOID_X509V1SubjectNameStd)) {
- if(verbose) {
- printf("DER-encoded subject: ");
- printDataAsHex(thisData, 8);
- }
- }
- else {
- printf("Other field: : "); printOid(parser, thisOid);
- }
-}
-
-static
-void printCrlExten(
- const CSSM_X509_EXTENSION *exten,
- CSSM_BOOL verbose,
- OidParser &parser)
-{
- const CSSM_OID *oid = &exten->extnId;
- const void *thisData = exten->value.parsedValue;
-
- if(exten->format == CSSM_X509_DATAFORMAT_ENCODED) {
- if(printCdsaExtensionCommon(exten, parser, false, verbose)) {
- return;
- }
- printf(" Unparsed data : "); printDataAsHex(&exten->BERvalue, 8);
- }
- else if(exten->format != CSSM_X509_DATAFORMAT_PARSED) {
- printf("***Badly formatted CSSM_X509_EXTENSION\n");
- return;
- }
- else if(cuCompareCssmData(oid, &CSSMOID_AuthorityKeyIdentifier)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose)) {
- return;
- }
- printCssmAuthorityKeyId((CE_AuthorityKeyID *)thisData, parser);
- }
- else if(cuCompareCssmData(oid, &CSSMOID_IssuerAltName)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose)) {
- return;
- }
- printGeneralNames((CE_GeneralNames *)thisData, parser);
- }
- else if(cuCompareCssmData(oid, &CSSMOID_CrlNumber)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose)) {
- return;
- }
- printf(" CRL Number : %u\n", *((unsigned *)thisData));
- }
- else if(cuCompareCssmData(oid, &CSSMOID_DeltaCrlIndicator)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose)) {
- return;
- }
- printf(" Delta CRL Base : %u\n", *((unsigned *)thisData));
- }
- else if(cuCompareCssmData(oid, &CSSMOID_IssuingDistributionPoint)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose)) {
- return;
- }
- printIssuingDistributionPoint((CE_IssuingDistributionPoint *)thisData,
- parser);
- }
- else {
- /* should never happen - we're out of sync with the CL */
- printf("UNKNOWN EXTENSION : "); printOid(parser, oid);
- }
-}
-
-
-static
-void printCrlEntryExten(
- const CSSM_X509_EXTENSION *exten,
- CSSM_BOOL verbose,
- OidParser &parser)
-{
- const CSSM_OID *oid = &exten->extnId;
- const void *thisData = exten->value.parsedValue;
-
- if(exten->format == CSSM_X509_DATAFORMAT_ENCODED) {
- if(printCdsaExtensionCommon(exten, parser, false, verbose, true)) {
- return;
- }
- printf(" Unparsed data: "); printDataAsHex(&exten->BERvalue, 8);
- }
- else if(exten->format != CSSM_X509_DATAFORMAT_PARSED) {
- printf("***Badly formatted CSSM_X509_EXTENSION\n");
- return;
- }
- else if(cuCompareCssmData(oid, &CSSMOID_CrlReason)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose, true)) {
- return;
- }
- CE_CrlReason *cr = (CE_CrlReason *)thisData;
- const char *reason = "UNKNOWN";
- switch(*cr) {
- case CE_CR_Unspecified:
- reason = "CE_CR_Unspecified"; break;
- case CE_CR_KeyCompromise:
- reason = "CE_CR_KeyCompromise"; break;
- case CE_CR_CACompromise:
- reason = "CE_CR_CACompromise"; break;
- case CE_CR_AffiliationChanged:
- reason = "CE_CR_AffiliationChanged"; break;
- case CE_CR_Superseded:
- reason = "CE_CR_Superseded"; break;
- case CE_CR_CessationOfOperation:
- reason = "CE_CR_CessationOfOperation"; break;
- case CE_CR_CertificateHold:
- reason = "CE_CR_CertificateHold"; break;
- case CE_CR_RemoveFromCRL:
- reason = "CE_CR_RemoveFromCRL"; break;
- default:
- break;
- }
- printf(" CRL Reason : %s\n", reason);
- }
- else if(cuCompareCssmData(oid, &CSSMOID_HoldInstructionCode)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose, true)) {
- return;
- }
- printf(" Hold Instr : ");
- printOid(parser, (CSSM_OID_PTR)thisData);
- }
- else if(cuCompareCssmData(oid, &CSSMOID_InvalidityDate)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose, true)) {
- return;
- }
- printf(" Invalid Date : ");
- printTimeStr((CSSM_DATA_PTR)thisData);
- }
- else if(cuCompareCssmData(oid, &CSSMOID_CertIssuer)) {
- if(printCdsaExtensionCommon(exten, parser, true, verbose, true)) {
- return;
- }
- printGeneralNames((CE_GeneralNames *)thisData, parser);
- }
- else {
- /* should never happen - we're out of sync with the CL */
- printf("UNKNOWN EXTENSION : "); printOid(parser, oid);
- }
-}
-
-static
-void printCrlFields(
- const CSSM_X509_SIGNED_CRL *signedCrl,
- CSSM_BOOL verbose,
- OidParser &parser)
-{
- unsigned i;
- const CSSM_X509_TBS_CERTLIST *tbsCrl = &signedCrl->tbsCertList;
-
- if(tbsCrl->version.Data) {
- printf("Version : %d\n", cuDER_ToInt(&tbsCrl->version));
- }
-
- printf("TBS Sig Algorithm : ");
- const CSSM_X509_ALGORITHM_IDENTIFIER *algId = &tbsCrl->signature;
- printSigAlg(algId, parser);
-
- printf("Issuer Name :\n");
- printName(&tbsCrl->issuer, parser);
-
- printf("This Update : ");
- printTime(&tbsCrl->thisUpdate);
- printf("Next Update : ");
- if(tbsCrl->nextUpdate.time.Data) {
- printTime(&tbsCrl->nextUpdate);
- }
- else {
- printf("<not present>\n");
- }
-
- CSSM_X509_REVOKED_CERT_LIST_PTR certList = tbsCrl->revokedCertificates;
- if(certList) {
- if(verbose) {
- printf("Num Revoked Certs : %d\n",
- (int)certList->numberOfRevokedCertEntries);
- for(i=0; i<certList->numberOfRevokedCertEntries; i++) {
- CSSM_X509_REVOKED_CERT_ENTRY_PTR entry;
- entry = &certList->revokedCertEntry[i];
- printf("Revoked Cert %d :\n", (int)i);
- printf(" Serial number : ");
- printDataAsHex(&entry->certificateSerialNumber, 0);
- printf(" Revocation time : ");
- printTime(&entry->revocationDate);
- const CSSM_X509_EXTENSIONS *cssmExtens = &entry->extensions;
- uint32 numExtens = cssmExtens->numberOfExtensions;
- if(numExtens == 0) {
- continue;
- }
- printf(" Num Extensions : %u\n", (unsigned)numExtens);
- for(unsigned dex=0; dex<numExtens; dex++) {
- printCrlEntryExten(&cssmExtens->extensions[dex], verbose,
- parser);
- }
- }
- }
- else {
- printf("Num Revoked Certs : %d (use verbose option to see)\n",
- (int)certList->numberOfRevokedCertEntries);
- }
- }
-
- const CSSM_X509_EXTENSIONS *crlExtens = &tbsCrl->extensions;
- if(crlExtens->numberOfExtensions) {
- printf("Num CRL Extensions : %d\n",
- (int)crlExtens->numberOfExtensions);
- for(i=0; i<crlExtens->numberOfExtensions; i++) {
- printCrlExten(&crlExtens->extensions[i], verbose, parser);
- }
- }
-
- const CSSM_X509_SIGNATURE *sig = &signedCrl->signature;
- if(sig->encrypted.Data) {
- printf("Signature : %u bytes : ", (unsigned)sig->encrypted.Length);
- printDataAsHex(&sig->encrypted, 8);
- }
-}
-
-
-/* connect to CSSM/CL lazily, once */
-static CSSM_CL_HANDLE clHand = 0;
-
-int printCert(
- const unsigned char *certData,
- unsigned certLen,
- CSSM_BOOL verbose)
-{
- CSSM_FIELD_PTR fieldPtr; // mallocd by CL
- uint32 i;
- uint32 numFields;
- OidParser parser;
- CSSM_DATA cert;
-
- if(clHand == 0) {
- clHand = cuClStartup();
- if(clHand == 0) {
- printf("***Error connecting to CSSM cert module; aborting cert "
- "display\n");
- return 0;
- }
- }
- cert.Data = (uint8 *)certData;
- cert.Length = certLen;
-
- CSSM_RETURN crtn = CSSM_CL_CertGetAllFields(clHand,
- &cert,
- &numFields,
- &fieldPtr);
- if(crtn) {
- cuPrintError("CSSM_CL_CertGetAllFields", crtn);
- return crtn;
- }
-
- for(i=0; i<numFields; i++) {
- printCertField(fieldPtr[i], parser, verbose);
- }
-
- crtn = CSSM_CL_FreeFields(clHand, numFields, &fieldPtr);
- if(crtn) {
- cuPrintError("CSSM_CL_FreeFields", crtn);
- return crtn;
- }
- return 0;
-}
-
-/* parse CRL */
-/* This one's easier, we just get one field - the whole parsed CRL */
-int printCrl(
- const unsigned char *crlData,
- unsigned crlLen,
- CSSM_BOOL verbose)
-{
- CSSM_DATA_PTR value; // mallocd by CL
- uint32 numFields;
- OidParser parser;
- CSSM_DATA crl;
- CSSM_HANDLE result;
-
- if(clHand == 0) {
- clHand = cuClStartup();
- if(clHand == 0) {
- printf("***Error connecting to CSSM cert module; aborting CRL"
- "display\n");
- return 0;
- }
- }
- crl.Data = (uint8 *)crlData;
- crl.Length = crlLen;
-
- CSSM_RETURN crtn = CSSM_CL_CrlGetFirstFieldValue(clHand,
- &crl,
- &CSSMOID_X509V2CRLSignedCrlCStruct,
- &result,
- &numFields,
- &value);
- if(crtn) {
- cuPrintError("CSSM_CL_CrlGetFirstFieldValue", crtn);
- return crtn;
- }
- if(numFields != 1) {
- printf("***CSSM_CL_CrlGetFirstFieldValue: numFields error\n");
- printf(" expected 1, got %d\n", (int)numFields);
- return 1;
- }
- crtn = CSSM_CL_CrlAbortQuery(clHand, result);
- if(crtn) {
- cuPrintError("CSSM_CL_CertAbortQuery", crtn);
- return crtn;
- }
-
- if(value == NULL) {
- printf("***CSSM_CL_CrlGetFirstFieldValue: value error (1)\n");
- return 1;
- }
- if((value->Data == NULL) ||
- (value->Length != sizeof(CSSM_X509_SIGNED_CRL))) {
- printf("***CSSM_CL_CrlGetFirstFieldValue: value error (2)\n");
- return 1;
- }
- const CSSM_X509_SIGNED_CRL *signedCrl =
- (const CSSM_X509_SIGNED_CRL *)value->Data;
- printCrlFields(signedCrl, verbose, parser);
-
- crtn = CSSM_CL_FreeFieldValue(clHand,
- &CSSMOID_X509V2CRLSignedCrlCStruct,
- value);
- if(crtn) {
- cuPrintError("CSSM_CL_FreeFieldValue", crtn);
- return crtn;
- }
- return 0;
-}
-
-
-void printCertShutdown()
-{
- if(clHand != 0) {
- CSSM_ModuleDetach(clHand);
- }
-}
projects / apple / security.git / blobdiff