--- /dev/null
+/*
+ * anchorTest.cpp - test cert encode/decode using known good system
+ * anchors
+ */
+#include <stdio.h>
+#include <string.h>
+#include <Security/cssm.h>
+#include <Security/x509defs.h>
+#include <Security/oidsattr.h>
+#include <Security/oidscert.h>
+#include <Security/certextensions.h>
+#include <Security/SecTrust.h>
+#include <Security/SecTrustSettingsPriv.h>
+#include <security_cdsa_utils/cuOidParser.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <utilLib/common.h>
+#include <utilLib/cspwrap.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <clAppUtils/clutils.h>
+#include <clAppUtils/certVerify.h>
+#include <clAppUtils/tpUtils.h>
+#include <Security/SecAsn1Coder.h>
+#include <Security/X509Templates.h>
+
+#define ENC_TBS_BLOB "encodedTbs.der"
+#define DEC_TBS_BLOB "decodedTbs.der"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" w -- writeBlobs\n");
+ printf(" e -- allow expired roots\n");
+ printf(" t -- use Trust Settings\n");
+ printf(" q -- quiet\n");
+ printf(" v -- verbose\n");
+ exit(1);
+}
+
+/*
+ * Certs for which we skip the "compare TBS blob" test, enumerated by
+ * DER-encoded issuer name.
+ *
+ * Get this formatted data from the extractCertFields program.
+ *
+ * All of these have non-standard KeyUsage encoding (legal but it's
+ * not the same as ours or everyone else's).
+ */
+/*
+ Country : HU
+ Locality : Budapest
+ Org : NetLock Halozatbiztonsagi Kft.
+ OrgUnit : Tanusitvanykiadok
+ Common Name : NetLock Expressz (Class C) Tanusitvanykiado
+ */
+static const uint8 anchor_46_derIssuer_bytes[] = {
+ 0x30, 0x81, 0x9b, 0x31, 0x0b, 0x30, 0x09, 0x06,
+ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x48, 0x55,
+ 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04,
+ 0x07, 0x13, 0x08, 0x42, 0x75, 0x64, 0x61, 0x70,
+ 0x65, 0x73, 0x74, 0x31, 0x27, 0x30, 0x25, 0x06,
+ 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1e, 0x4e, 0x65,
+ 0x74, 0x4c, 0x6f, 0x63, 0x6b, 0x20, 0x48, 0x61,
+ 0x6c, 0x6f, 0x7a, 0x61, 0x74, 0x62, 0x69, 0x7a,
+ 0x74, 0x6f, 0x6e, 0x73, 0x61, 0x67, 0x69, 0x20,
+ 0x4b, 0x66, 0x74, 0x2e, 0x31, 0x1a, 0x30, 0x18,
+ 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x11, 0x54,
+ 0x61, 0x6e, 0x75, 0x73, 0x69, 0x74, 0x76, 0x61,
+ 0x6e, 0x79, 0x6b, 0x69, 0x61, 0x64, 0x6f, 0x6b,
+ 0x31, 0x34, 0x30, 0x32, 0x06, 0x03, 0x55, 0x04,
+ 0x03, 0x13, 0x2b, 0x4e, 0x65, 0x74, 0x4c, 0x6f,
+ 0x63, 0x6b, 0x20, 0x45, 0x78, 0x70, 0x72, 0x65,
+ 0x73, 0x73, 0x7a, 0x20, 0x28, 0x43, 0x6c, 0x61,
+ 0x73, 0x73, 0x20, 0x43, 0x29, 0x20, 0x54, 0x61,
+ 0x6e, 0x75, 0x73, 0x69, 0x74, 0x76, 0x61, 0x6e,
+ 0x79, 0x6b, 0x69, 0x61, 0x64, 0x6f
+};
+static const CSSM_DATA anchor_46_derIssuer = { 158, (uint8 *)anchor_46_derIssuer_bytes };
+
+/*
+ Country : HU
+ State : Hungary
+ Locality : Budapest
+ Org : NetLock Halozatbiztonsagi Kft.
+ OrgUnit : Tanusitvanykiadok
+ Common Name : NetLock Kozjegyzoi (Class A) Tanusitvanykiado
+*/
+static const uint8 anchor_53_derIssuer_bytes[] = {
+ 0x30, 0x81, 0xaf, 0x31, 0x0b, 0x30, 0x09, 0x06,
+ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x48, 0x55,
+ 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
+ 0x08, 0x13, 0x07, 0x48, 0x75, 0x6e, 0x67, 0x61,
+ 0x72, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03,
+ 0x55, 0x04, 0x07, 0x13, 0x08, 0x42, 0x75, 0x64,
+ 0x61, 0x70, 0x65, 0x73, 0x74, 0x31, 0x27, 0x30,
+ 0x25, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1e,
+ 0x4e, 0x65, 0x74, 0x4c, 0x6f, 0x63, 0x6b, 0x20,
+ 0x48, 0x61, 0x6c, 0x6f, 0x7a, 0x61, 0x74, 0x62,
+ 0x69, 0x7a, 0x74, 0x6f, 0x6e, 0x73, 0x61, 0x67,
+ 0x69, 0x20, 0x4b, 0x66, 0x74, 0x2e, 0x31, 0x1a,
+ 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13,
+ 0x11, 0x54, 0x61, 0x6e, 0x75, 0x73, 0x69, 0x74,
+ 0x76, 0x61, 0x6e, 0x79, 0x6b, 0x69, 0x61, 0x64,
+ 0x6f, 0x6b, 0x31, 0x36, 0x30, 0x34, 0x06, 0x03,
+ 0x55, 0x04, 0x03, 0x13, 0x2d, 0x4e, 0x65, 0x74,
+ 0x4c, 0x6f, 0x63, 0x6b, 0x20, 0x4b, 0x6f, 0x7a,
+ 0x6a, 0x65, 0x67, 0x79, 0x7a, 0x6f, 0x69, 0x20,
+ 0x28, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x41,
+ 0x29, 0x20, 0x54, 0x61, 0x6e, 0x75, 0x73, 0x69,
+ 0x74, 0x76, 0x61, 0x6e, 0x79, 0x6b, 0x69, 0x61,
+ 0x64, 0x6f
+};
+static const CSSM_DATA anchor_53_derIssuer = { 178, (uint8 *)anchor_53_derIssuer_bytes };
+
+/*
+ Country : HU
+ Locality : Budapest
+ Org : NetLock Halozatbiztonsagi Kft.
+ OrgUnit : Tanusitvanykiadok
+ Common Name : NetLock Uzleti (Class B) Tanusitvanykiado
+*/
+static const uint8 anchor_60_derIssuer_bytes[] = {
+ 0x30, 0x81, 0x99, 0x31, 0x0b, 0x30, 0x09, 0x06,
+ 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x48, 0x55,
+ 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04,
+ 0x07, 0x13, 0x08, 0x42, 0x75, 0x64, 0x61, 0x70,
+ 0x65, 0x73, 0x74, 0x31, 0x27, 0x30, 0x25, 0x06,
+ 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1e, 0x4e, 0x65,
+ 0x74, 0x4c, 0x6f, 0x63, 0x6b, 0x20, 0x48, 0x61,
+ 0x6c, 0x6f, 0x7a, 0x61, 0x74, 0x62, 0x69, 0x7a,
+ 0x74, 0x6f, 0x6e, 0x73, 0x61, 0x67, 0x69, 0x20,
+ 0x4b, 0x66, 0x74, 0x2e, 0x31, 0x1a, 0x30, 0x18,
+ 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x11, 0x54,
+ 0x61, 0x6e, 0x75, 0x73, 0x69, 0x74, 0x76, 0x61,
+ 0x6e, 0x79, 0x6b, 0x69, 0x61, 0x64, 0x6f, 0x6b,
+ 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04,
+ 0x03, 0x13, 0x29, 0x4e, 0x65, 0x74, 0x4c, 0x6f,
+ 0x63, 0x6b, 0x20, 0x55, 0x7a, 0x6c, 0x65, 0x74,
+ 0x69, 0x20, 0x28, 0x43, 0x6c, 0x61, 0x73, 0x73,
+ 0x20, 0x42, 0x29, 0x20, 0x54, 0x61, 0x6e, 0x75,
+ 0x73, 0x69, 0x74, 0x76, 0x61, 0x6e, 0x79, 0x6b,
+ 0x69, 0x61, 0x64, 0x6f
+};
+static const CSSM_DATA anchor_60_derIssuer = { 156, (uint8 *)anchor_60_derIssuer_bytes };
+
+/*
+ Country : TR
+ Locality : Ankara
+ Org : (c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
+ Common Name : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ Serial Number : 01
+ Not Before : 10:27:17 May 13, 2005
+ Not After : 10:27:17 Mar 22, 2015
+*/
+static const uint8 turk1_derIssuer_bytes[] = {
+ 0x30, 0x81, 0xb7, 0x31, 0x3f, 0x30, 0x3d, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x0c, 0x36, 0x54, 0xc3,
+ 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54,
+ 0x20, 0x45, 0x6c, 0x65, 0x6b, 0x74, 0x72, 0x6f,
+ 0x6e, 0x69, 0x6b, 0x20, 0x53, 0x65, 0x72, 0x74,
+ 0x69, 0x66, 0x69, 0x6b, 0x61, 0x20, 0x48, 0x69,
+ 0x7a, 0x6d, 0x65, 0x74, 0x20, 0x53, 0x61, 0xc4,
+ 0x9f, 0x6c, 0x61, 0x79, 0xc4, 0xb1, 0x63, 0xc4,
+ 0xb1, 0x73, 0xc4, 0xb1, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x0c, 0x02, 0x54,
+ 0x52, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55,
+ 0x04, 0x07, 0x0c, 0x06, 0x41, 0x4e, 0x4b, 0x41,
+ 0x52, 0x41, 0x31, 0x56, 0x30, 0x54, 0x06, 0x03,
+ 0x55, 0x04, 0x0a, 0x0c, 0x4d, 0x28, 0x63, 0x29,
+ 0x20, 0x32, 0x30, 0x30, 0x35, 0x20, 0x54, 0xc3,
+ 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54,
+ 0x20, 0x42, 0x69, 0x6c, 0x67, 0x69, 0x20, 0xc4,
+ 0xb0, 0x6c, 0x65, 0x74, 0x69, 0xc5, 0x9f, 0x69,
+ 0x6d, 0x20, 0x76, 0x65, 0x20, 0x42, 0x69, 0x6c,
+ 0x69, 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x47, 0xc3,
+ 0xbc, 0x76, 0x65, 0x6e, 0x6c, 0x69, 0xc4, 0x9f,
+ 0x69, 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74,
+ 0x6c, 0x65, 0x72, 0x69, 0x20, 0x41, 0x2e, 0xc5,
+ 0x9e, 0x2e
+};
+static const CSSM_DATA turk1_derIssuer = { 186, (uint8 *)turk1_derIssuer_bytes };
+
+/*
+ Country : TR
+ Locality : Ankara
+ Org : TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
+ Common Name : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ Serial Number : 01
+ Not Before : 10:07:57 Nov 7, 2005
+ Not After : 10:07:57 Sep 16, 2015
+*/
+static const uint8 turk2_derIssuer_bytes[] = {
+ 0x30, 0x81, 0xbe, 0x31, 0x3f, 0x30, 0x3d, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x0c, 0x36, 0x54, 0xc3,
+ 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54,
+ 0x20, 0x45, 0x6c, 0x65, 0x6b, 0x74, 0x72, 0x6f,
+ 0x6e, 0x69, 0x6b, 0x20, 0x53, 0x65, 0x72, 0x74,
+ 0x69, 0x66, 0x69, 0x6b, 0x61, 0x20, 0x48, 0x69,
+ 0x7a, 0x6d, 0x65, 0x74, 0x20, 0x53, 0x61, 0xc4,
+ 0x9f, 0x6c, 0x61, 0x79, 0xc4, 0xb1, 0x63, 0xc4,
+ 0xb1, 0x73, 0xc4, 0xb1, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x54,
+ 0x52, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55,
+ 0x04, 0x07, 0x0c, 0x06, 0x41, 0x6e, 0x6b, 0x61,
+ 0x72, 0x61, 0x31, 0x5d, 0x30, 0x5b, 0x06, 0x03,
+ 0x55, 0x04, 0x0a, 0x0c, 0x54, 0x54, 0xc3, 0x9c,
+ 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20,
+ 0x42, 0x69, 0x6c, 0x67, 0x69, 0x20, 0xc4, 0xb0,
+ 0x6c, 0x65, 0x74, 0x69, 0xc5, 0x9f, 0x69, 0x6d,
+ 0x20, 0x76, 0x65, 0x20, 0x42, 0x69, 0x6c, 0x69,
+ 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x47, 0xc3, 0xbc,
+ 0x76, 0x65, 0x6e, 0x6c, 0x69, 0xc4, 0x9f, 0x69,
+ 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74, 0x6c,
+ 0x65, 0x72, 0x69, 0x20, 0x41, 0x2e, 0xc5, 0x9e,
+ 0x2e, 0x20, 0x28, 0x63, 0x29, 0x20, 0x4b, 0x61,
+ 0x73, 0xc4, 0xb1, 0x6d, 0x20, 0x32, 0x30, 0x30,
+ 0x35
+};
+static const CSSM_DATA turk2_derIssuer = { 193, (uint8 *)turk2_derIssuer_bytes };
+
+/*
+ Country : TR
+ Locality : Ankara
+ Org : TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007
+ Common Name : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ Serial Number : 01
+ Not Before : 18:37:19 Dec 25, 2007
+ Not After : 18:37:19 Dec 22, 2017
+*/
+static const uint8 turk3_derIssuer_bytes[] = {
+ 0x30, 0x81, 0xbf, 0x31, 0x3f, 0x30, 0x3d, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x0c, 0x36, 0x54, 0xc3,
+ 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54,
+ 0x20, 0x45, 0x6c, 0x65, 0x6b, 0x74, 0x72, 0x6f,
+ 0x6e, 0x69, 0x6b, 0x20, 0x53, 0x65, 0x72, 0x74,
+ 0x69, 0x66, 0x69, 0x6b, 0x61, 0x20, 0x48, 0x69,
+ 0x7a, 0x6d, 0x65, 0x74, 0x20, 0x53, 0x61, 0xc4,
+ 0x9f, 0x6c, 0x61, 0x79, 0xc4, 0xb1, 0x63, 0xc4,
+ 0xb1, 0x73, 0xc4, 0xb1, 0x31, 0x0b, 0x30, 0x09,
+ 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x54,
+ 0x52, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55,
+ 0x04, 0x07, 0x0c, 0x06, 0x41, 0x6e, 0x6b, 0x61,
+ 0x72, 0x61, 0x31, 0x5e, 0x30, 0x5c, 0x06, 0x03,
+ 0x55, 0x04, 0x0a, 0x0c, 0x55, 0x54, 0xc3, 0x9c,
+ 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20,
+ 0x42, 0x69, 0x6c, 0x67, 0x69, 0x20, 0xc4, 0xb0,
+ 0x6c, 0x65, 0x74, 0x69, 0xc5, 0x9f, 0x69, 0x6d,
+ 0x20, 0x76, 0x65, 0x20, 0x42, 0x69, 0x6c, 0x69,
+ 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x47, 0xc3, 0xbc,
+ 0x76, 0x65, 0x6e, 0x6c, 0x69, 0xc4, 0x9f, 0x69,
+ 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74, 0x6c,
+ 0x65, 0x72, 0x69, 0x20, 0x41, 0x2e, 0xc5, 0x9e,
+ 0x2e, 0x20, 0x28, 0x63, 0x29, 0x20, 0x41, 0x72,
+ 0x61, 0x6c, 0xc4, 0xb1, 0x6b, 0x20, 0x32, 0x30,
+ 0x30, 0x37
+};
+static const CSSM_DATA turk3_derIssuer = { 194, (uint8 *)turk3_derIssuer_bytes };
+
+/*
+Cert File Name: globalSignRoot.cer
+ Country : BE
+ Org : GlobalSign nv-sa
+ OrgUnit : Root CA
+ Common Name : GlobalSign Root CA
+*/
+static const uint8 globalSignRoot_derIssuer_bytes[] = {
+ 0x30, 0x57, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
+ 0x55, 0x04, 0x06, 0x13, 0x02, 0x42, 0x45, 0x31,
+ 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x0a,
+ 0x13, 0x10, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c,
+ 0x53, 0x69, 0x67, 0x6e, 0x20, 0x6e, 0x76, 0x2d,
+ 0x73, 0x61, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
+ 0x55, 0x04, 0x0b, 0x13, 0x07, 0x52, 0x6f, 0x6f,
+ 0x74, 0x20, 0x43, 0x41, 0x31, 0x1b, 0x30, 0x19,
+ 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x12, 0x47,
+ 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53, 0x69, 0x67,
+ 0x6e, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43,
+ 0x41
+};
+static const CSSM_DATA globalSignRoot_derIssuer = { 89, (uint8 *)globalSignRoot_derIssuer_bytes };
+
+/***********************
+Cert File Name: swisssign.der
+Subject Name :
+ Country : CH
+ Org : SwissSign
+ Common Name : SwissSign CA (RSA IK May 6 1999 18:00:58)
+ Email addrs : ca@SwissSign.com
+
+ This one has a bogus AuthorityKeyId, with a value of {0x30, 0} inside the octet string.
+ ***********************/
+static const uint8 swisssign_derIssuer_bytes[] = {
+ 0x30, 0x76, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
+ 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x31,
+ 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
+ 0x13, 0x09, 0x53, 0x77, 0x69, 0x73, 0x73, 0x53,
+ 0x69, 0x67, 0x6e, 0x31, 0x32, 0x30, 0x30, 0x06,
+ 0x03, 0x55, 0x04, 0x03, 0x13, 0x29, 0x53, 0x77,
+ 0x69, 0x73, 0x73, 0x53, 0x69, 0x67, 0x6e, 0x20,
+ 0x43, 0x41, 0x20, 0x28, 0x52, 0x53, 0x41, 0x20,
+ 0x49, 0x4b, 0x20, 0x4d, 0x61, 0x79, 0x20, 0x36,
+ 0x20, 0x31, 0x39, 0x39, 0x39, 0x20, 0x31, 0x38,
+ 0x3a, 0x30, 0x30, 0x3a, 0x35, 0x38, 0x29, 0x31,
+ 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10,
+ 0x63, 0x61, 0x40, 0x53, 0x77, 0x69, 0x73, 0x73,
+ 0x53, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d
+
+};
+static const CSSM_DATA swisssign_derIssuer = { 120, (uint8 *)swisssign_derIssuer_bytes };
+
+/*
+ * Simple class to hold arrays of fields.
+ */
+class FieldArray {
+public:
+ /*
+ * Create from existing field array obtained from
+ * CSSM_CL_CertGetAllFields(). We'll do the CSSM_CL_FreeFields()
+ * in our destructor.
+ */
+ FieldArray(
+ CSSM_FIELD *fields,
+ uint32 numFields,
+ CSSM_CL_HANDLE clHand);
+
+ /*
+ * Create empty array of specified size. We don't own the fields
+ * themselves.
+ */
+ FieldArray(
+ uint32 size);
+
+ ~FieldArray();
+
+ /*
+ * Append a field - no realloc!
+ */
+ void appendField(CSSM_FIELD &field);
+
+ /* get specified field */
+ CSSM_FIELD &fieldAt(uint32 index);
+
+ /* get nth occurence of field matching specified OID */
+ int fieldForOid(
+ const CSSM_OID &oid,
+ unsigned n, // n == 0 --> first one
+ CSSM_FIELD *&found); // RETURNED
+
+ CSSM_FIELD *mFields;
+ uint32 mNumFields; // sizeof of *fields
+ uint32 mMallocdSize; // if NULL, read-only
+ CSSM_CL_HANDLE mClHand;
+};
+
+FieldArray::FieldArray(
+ CSSM_FIELD *fields,
+ uint32 numFields,
+ CSSM_CL_HANDLE clHand)
+{
+ mFields = fields;
+ mNumFields = numFields;
+ mMallocdSize = 0;
+ mClHand = clHand;
+}
+
+FieldArray::FieldArray(
+ uint32 size)
+{
+ unsigned len = sizeof(CSSM_FIELD) * size;
+ mFields = (CSSM_FIELD_PTR)malloc(len);
+ memset(mFields, 0, len);
+ mNumFields = 0;
+ mMallocdSize = size;
+ mClHand = 0;
+}
+
+FieldArray::~FieldArray()
+{
+ if(mMallocdSize != 0) {
+ /*
+ * Just free the array of fields we mallocd, not the fields
+ * themselves
+ */
+ free(mFields);
+ }
+ else {
+ /* The CL mallocd these fields, tell it to free the whole thing */
+ CSSM_RETURN crtn = CSSM_CL_FreeFields(mClHand,
+ mNumFields, &mFields);
+ if(crtn) {
+ printError("CSSM_CL_FreeFields", crtn);
+ }
+ }
+ mFields = NULL;
+ mNumFields = 0;
+ mMallocdSize = 0;
+}
+
+void FieldArray::appendField(
+ CSSM_FIELD &field)
+{
+ if(mMallocdSize == 0) {
+ printf("***Attempt to append to a read-only FieldArray\n");
+ exit(1);
+ }
+ if(mNumFields >= mMallocdSize) {
+ printf("***Attempt to append past present size of FieldArray\n");
+ exit(1);
+ }
+ mFields[mNumFields] = field;
+ mNumFields++;
+}
+
+CSSM_FIELD &FieldArray::fieldAt(
+ uint32 index)
+{
+ if(index >= mNumFields) {
+ printf("***Attempt to access past present size of FieldArray\n");
+ exit(1);
+ }
+ return mFields[index];
+}
+
+/* get nth occurence of field matching specified OID */
+/* returns nonzero on error */
+int FieldArray::fieldForOid(
+ const CSSM_OID &oid,
+ unsigned n, // n == 0 --> first one
+ CSSM_FIELD *&found) // RETURNED
+{
+ unsigned foundDex = 0;
+ for(unsigned dex=0; dex<mNumFields; dex++) {
+ CSSM_FIELD &field = mFields[dex];
+ if(appCompareCssmData(&field.FieldOid, &oid)) {
+ if(foundDex == n) {
+ found = &field;
+ return 0;
+ }
+ foundDex++;
+ }
+ }
+ printf("FieldArray::fieldForOid field not found\n");
+ return 1;
+}
+
+/*
+ * How many items in a NULL-terminated array of pointers?
+ */
+static unsigned nssArraySize(
+ const void **array)
+{
+ unsigned count = 0;
+ if (array) {
+ while (*array++) {
+ count++;
+ }
+ }
+ return count;
+}
+
+static void doPrintCert(
+ const CSSM_DATA &cert)
+{
+ printCert(cert.Data, cert.Length, CSSM_TRUE);
+}
+
+/*
+ * The extensions whose presence causes us to skip the "compare
+ * encoded and original TBS" test.
+ */
+#define USE_SKIPPED_EXTENS 1
+#if USE_SKIPPED_EXTENS
+static const CSSM_OID *skippedExtens[] = { // %%% FIXME: this is a workaround for <rdar://8265523>; shouldn't need to skip!
+ &CSSMOID_PolicyMappings,
+ &CSSMOID_PolicyConstraints
+};
+#define NUM_SKIPPED_EXTENS \
+ (sizeof(skippedExtens) / sizeof(skippedExtens[0]))
+#endif /* USE_SKIPPED_EXTENS */
+
+static const CSSM_DATA *skippedCerts[] = {
+ &anchor_46_derIssuer,
+ &anchor_53_derIssuer,
+ &anchor_60_derIssuer,
+ &turk1_derIssuer,
+ &turk2_derIssuer,
+ &turk3_derIssuer,
+ &globalSignRoot_derIssuer,
+ &swisssign_derIssuer
+};
+#define NUM_SKIPPED_CERTS (sizeof(skippedCerts) / sizeof(skippedCerts[0]))
+
+static bool skipThisCert(
+ const NSS_TBSCertificate &tbs)
+{
+ /* search by extension - currently unused */
+ unsigned dex;
+ #if USE_SKIPPED_EXTENS
+ unsigned numExtens = nssArraySize((const void **)tbs.extensions);
+ /* skip this section if that's empty - compiler warning causes failure */
+ for(dex=0; dex<numExtens; dex++) {
+ NSS_CertExtension *exten = tbs.extensions[dex];
+ CSSM_OID *oid = &exten->extnId;
+ for(unsigned skipDex=0; skipDex<NUM_SKIPPED_EXTENS; skipDex++) {
+ if(appCompareCssmData(skippedExtens[skipDex], oid)) {
+ return true;
+ }
+ }
+ }
+ #endif /* USE_SKIPPED_EXTENS */
+
+ /* search by specific issuer */
+ for(dex=0; dex<NUM_SKIPPED_CERTS; dex++) {
+ if(appCompareCssmData(skippedCerts[dex], &tbs.derIssuer)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Given a field OID, figure out what WE think this field is.
+ */
+
+/* the field types we grok */
+typedef enum {
+ FT_Unknown, // probably means we're out of sync with the CL
+ FT_Normal, // standard component of TBS
+ FT_ReadOnly, // Read only, don't use to create template
+ FT_NotTBS, // part of top-level cert, don't use to create TBS
+ FT_ExtenParsed, // extension the CL SHOULD HAVE parsed
+ FT_ExtenUnknown // extension the CL should NOT have parsed
+} FieldType;
+
+/* map OID --> FieldType */
+typedef struct {
+ const CSSM_OID *oid;
+ FieldType type;
+} FieldOidType;
+
+/*
+ * The CL-specific mapping table.
+ * This has to change whenever the CL is modified to add or delete
+ * an extension or field!
+ * For newbies, a tip: this basically has to stay in sync with the
+ * fieldFuncTable array in Security/AppleX509CL/CertFields.cpp.
+ */
+FieldOidType knownFields[] = {
+ { &CSSMOID_X509V1Version, FT_Normal },
+ { &CSSMOID_X509V1SerialNumber, FT_Normal },
+ { &CSSMOID_X509V1IssuerNameCStruct, FT_Normal },
+ { &CSSMOID_X509V1SubjectNameCStruct, FT_Normal },
+ { &CSSMOID_X509V1SignatureAlgorithmTBS, FT_Normal },
+ { &CSSMOID_X509V1SignatureAlgorithm, FT_NotTBS },
+ { &CSSMOID_X509V1ValidityNotBefore, FT_Normal },
+ { &CSSMOID_X509V1ValidityNotAfter, FT_Normal },
+ { &CSSMOID_X509V1CertificateIssuerUniqueId, FT_Normal },
+ { &CSSMOID_X509V1CertificateSubjectUniqueId, FT_Normal },
+ /* only one of these two can be set - use the SubjectPublicKeyInfo
+ * version */
+ { &CSSMOID_X509V1SubjectPublicKeyCStruct, FT_Normal },
+ { &CSSMOID_CSSMKeyStruct, FT_ReadOnly },
+ { &CSSMOID_X509V1Signature, FT_NotTBS },
+ { &CSSMOID_X509V1IssuerName, FT_ReadOnly }, // DER encoded
+ { &CSSMOID_X509V1SubjectName, FT_ReadOnly }, // DER encoded
+ { &CSSMOID_X509V1IssuerNameStd, FT_ReadOnly }, // DER encoded
+ { &CSSMOID_X509V1SubjectNameStd,FT_ReadOnly }, // DER encoded
+
+ /* Extensions */
+ { &CSSMOID_KeyUsage, FT_ExtenParsed },
+ { &CSSMOID_BasicConstraints, FT_ExtenParsed },
+ { &CSSMOID_ExtendedKeyUsage, FT_ExtenParsed } ,
+ { &CSSMOID_SubjectKeyIdentifier, FT_ExtenParsed } ,
+ { &CSSMOID_AuthorityKeyIdentifier, FT_ExtenParsed } ,
+ { &CSSMOID_SubjectAltName, FT_ExtenParsed } ,
+ { &CSSMOID_IssuerAltName, FT_ExtenParsed } ,
+ { &CSSMOID_CertificatePolicies, FT_ExtenParsed } ,
+ { &CSSMOID_NetscapeCertType, FT_ExtenParsed } ,
+ { &CSSMOID_CrlDistributionPoints, FT_ExtenParsed },
+ { &CSSMOID_AuthorityInfoAccess, FT_ExtenParsed },
+ { &CSSMOID_SubjectInfoAccess, FT_ExtenParsed },
+ { &CSSMOID_X509V3CertificateExtensionCStruct, FT_ExtenUnknown },
+ { &CSSMOID_QC_Statements, FT_ExtenParsed },
+ { &CSSMOID_NameConstraints, FT_ExtenParsed },
+ { &CSSMOID_PolicyMappings, FT_ExtenParsed },
+ { &CSSMOID_PolicyConstraints, FT_ExtenParsed },
+// { &CSSMOID_InhibitAnyPolicy, FT_ExtenParsed } //%%% FIXME: CSSMOID_InhibitAnyPolicy not exported!?
+};
+#define NUM_KNOWN_FIELDS (sizeof(knownFields) / sizeof(knownFields[0]))
+
+static FieldType typeForOid(
+ const CSSM_OID &oid)
+{
+ for(unsigned dex=0; dex<NUM_KNOWN_FIELDS; dex++) {
+ FieldOidType &ft = knownFields[dex];
+ if(appCompareCssmData(&oid, ft.oid)) {
+ return ft.type;
+ }
+ }
+ /* not found */
+ return FT_Unknown;
+}
+
+static const char *fieldTypeStr(
+ FieldType type)
+{
+ switch(type) {
+ case FT_Unknown: return "FT_Unknown";
+ case FT_Normal: return "FT_Normal";
+ case FT_ReadOnly: return "FT_ReadOnly";
+ case FT_NotTBS: return "FT_NotTBS";
+ case FT_ExtenParsed: return "FT_ExtenParsed";
+ case FT_ExtenUnknown: return "FT_ExtenUnknown";
+ default:
+ printf("***BRRZAP!\n");
+ exit(1);
+ }
+}
+
+static const uint8 emptyAuthKeyId[2] = {0x30, 0};
+
+/*
+ * Extensions come in two flavors - parsed and not. However the
+ * CL will give us an unparsed version for extensions it normally
+ * understands but failed to decode. Detect that, and basic
+ * extension formatting screwups, here.
+ */
+static int vfyExtens(
+ FieldArray &extenFields,
+ const CSSM_DATA &cert, // for error display only
+ CSSM_BOOL quiet)
+{
+ for(unsigned dex=0; dex<extenFields.mNumFields; dex++) {
+ CSSM_FIELD &extenField = extenFields.fieldAt(dex);
+ FieldType type = typeForOid(extenField.FieldOid);
+ FieldType expectType;
+
+ /* first verify well-formed extension field */
+ CSSM_DATA &fieldValue = extenField.FieldValue;
+ CSSM_X509_EXTENSION *exten = (CSSM_X509_EXTENSION *)fieldValue.Data;
+ if((exten == NULL) ||
+ (fieldValue.Length != sizeof(CSSM_X509_EXTENSION))) {
+ doPrintCert(cert);
+ printf("***Malformed CSSM_X509_EXTENSION\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ /* well let's limp along */
+ continue;
+ }
+
+ /* currently (since Radar 3593624), these are both always valid */
+ if((exten->BERvalue.Data == NULL) ||
+ (exten->value.parsedValue == NULL)) { /* actually, one of three variants */
+ printf("***Malformed CSSM_X509_EXTENSION (1)\n");
+ return 1;
+ }
+
+ switch(exten->format) {
+ case CSSM_X509_DATAFORMAT_ENCODED:
+ if(type != FT_ExtenUnknown) {
+ doPrintCert(cert);
+ printf("***Entension format ENCODED, expected PARSED\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ }
+
+ /*
+ * Now make sure that the underlying extension ID isn't
+ * one that the CL was SUPPOSED to parse
+ */
+ // %%% FIXME: need to investigate why these are not fully parsed: <rdar://8265523>
+ if(appCompareCssmData(&exten->extnId, &CSSMOID_PolicyConstraints)) {
+ printf("...skipping policyConstraints extension per <rdar://8265523> (fix me!)\n");
+ break;
+ }
+ if(appCompareCssmData(&exten->extnId, &CSSMOID_PolicyMappings)) {
+ printf("...skipping policyMappings extension per <rdar://8265523> (fix me!)\n");
+ break;
+ }
+
+ expectType = typeForOid(exten->extnId);
+ if(expectType != FT_Unknown) {
+ /*
+ * Swisscom root has an authorityKeyId extension with an illegal value,
+ * data inside the octet string is <30 00>, no context-specific wrapper
+ * or tag.
+ * Instead of a hopeless complaint about that cert, let's just tolerate it
+ * like this...
+ */
+ if(appCompareCssmData(&exten->extnId, &CSSMOID_AuthorityKeyIdentifier) &&
+ (exten->BERvalue.Length == 2) &&
+ !memcmp(emptyAuthKeyId, exten->BERvalue.Data, 2)) {
+ printf("...skipping bogus swisssign AuthorityKeyId\n");
+ break;
+ }
+ doPrintCert(cert);
+ printf("***underlying exten type %s, expect Unknown\n",
+ fieldTypeStr(expectType));
+ if(testError(quiet)) {
+ return 1;
+ }
+ }
+ break;
+
+ case CSSM_X509_DATAFORMAT_PARSED:
+ if(type != FT_ExtenParsed) {
+ doPrintCert(cert);
+ printf("***Entension format PARSED, expected ENCODED\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ }
+ if(exten->value.parsedValue == NULL) {
+ doPrintCert(cert);
+ printf("***Parsed extension with NULL parsedValue\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ }
+ break;
+
+ default:
+ doPrintCert(cert);
+ printf("***Unknown Entension format %u\n",
+ exten->format);
+ if(testError(quiet)) {
+ return 1;
+ }
+ break;
+
+ } /* switch(exten.format) */
+ }
+ return 0;
+}
+
+/*
+ * Here's the hard part.
+ * Given a raw cert and its components in two FieldArrays, crate a TBS
+ * cert from scratch from those fields and ensure that the result
+ * is the same as the raw TBS field in the original cert.
+ */
+static int buildTbs(
+ CSSM_CL_HANDLE clHand,
+ const CSSM_DATA &rawCert,
+ FieldArray &allFields, // on entry, standard fields
+ FieldArray &extenFields, // extensions only
+ CSSM_BOOL quiet,
+ CSSM_BOOL verbose,
+ CSSM_BOOL writeBlobs)
+{
+ /*
+ * First do raw BER-decode in two ways - one to get the
+ * extensions as they actuallly appear in the cert, and one
+ * to get the raw undecoded TBS.
+ */
+ SecAsn1CoderRef coder;
+ OSStatus ortn = SecAsn1CoderCreate(&coder);
+ if(ortn) {
+ cssmPerror("SecAsn1CoderCreate", ortn);
+ return testError(quiet);
+ }
+
+ NSS_SignedCertOrCRL signedCert; // with TBS as ASN_ANY
+ memset(&signedCert, 0, sizeof(signedCert));
+ if(SecAsn1DecodeData(coder, &rawCert, kSecAsn1SignedCertOrCRLTemplate,
+ &signedCert)) {
+ doPrintCert(rawCert);
+ printf("***Error decoding cert to kSecAsn1SignedCertOrCRL\n");
+ return testError(quiet);
+ }
+
+ NSS_Certificate fullCert; // fully decoded
+ memset(&fullCert, 0, sizeof(fullCert));
+ if(SecAsn1DecodeData(coder, &rawCert, kSecAsn1SignedCertTemplate,
+ &fullCert)) {
+ doPrintCert(rawCert);
+ printf("***Error decoding cert to kSecAsn1Certificate\n");
+ return testError(quiet);
+ }
+
+ NSS_TBSCertificate &tbs = fullCert.tbs;
+ unsigned numExtens = nssArraySize((const void **)tbs.extensions);
+ if(numExtens != extenFields.mNumFields) {
+ /* The CL told us the wrong number of extensions */
+ doPrintCert(rawCert);
+ printf("***NSS says %u extens, CL says %u\n", numExtens,
+ (unsigned)extenFields.mNumFields);
+ return testError(quiet);
+ }
+
+ if(skipThisCert(tbs)) {
+ if(verbose) {
+ printf(" ...skipping TBS blob check\n");
+ }
+ SecAsn1CoderRelease(coder);
+ return 0;
+ }
+
+ /*
+ * The CL returns extension fields in an order which differs from
+ * the order of the extensions in the actual cert (because it
+ * does a table-based lookup, field by field, when doing a
+ * CSSM_CL_CertGetAllFields()). We have to add the extensions
+ * from extenFields to allFields in the order they appear in
+ * OUR decoded fullCert.
+ */
+ unsigned numUnknowns = 0;
+ for(unsigned dex=0; dex<numExtens; dex++) {
+ NSS_CertExtension *exten = tbs.extensions[dex];
+ CSSM_OID &oid = exten->extnId;
+ FieldType type = typeForOid(oid);
+ CSSM_FIELD *found = NULL;
+ int rtn;
+ switch(type) {
+ case FT_ExtenParsed:
+ /*
+ * look for this exact extension
+ * NOTE we're assuming that only one copy of
+ * each specific parsed extension exists. The
+ * 509 spec does't specifically require this but
+ * I've never seen a case of multiple extensions
+ * of the same type in one cert.
+ */
+ rtn = extenFields.fieldForOid(oid, 0, found);
+ break;
+ case FT_Unknown:
+ /* search for nth unparsed exten field */
+ rtn = extenFields.fieldForOid(
+ CSSMOID_X509V3CertificateExtensionCStruct,
+ numUnknowns++,
+ found);
+ break;
+ default:
+ /* caller was already supposed to check this */
+ doPrintCert(rawCert);
+ printf("***HEY! buildTBS was given a bogus extension!\n");
+ return 1;
+ }
+ if(rtn) {
+ doPrintCert(rawCert);
+ printf("***buildTBS could not find extension in CL's fields\n");
+ return testError(quiet);
+ }
+
+ allFields.appendField(*found);
+ } /* processing extensions */
+
+ /*
+ * OK, the field array in allFields is ready to go down to
+ * the CL.
+ */
+ CSSM_RETURN crtn;
+ CSSM_DATA clTbs = {0, NULL};
+ crtn = CSSM_CL_CertCreateTemplate(clHand,
+ allFields.mNumFields,
+ allFields.mFields,
+ &clTbs);
+ if(crtn) {
+ doPrintCert(rawCert);
+ printError("CSSM_CL_CertCreateTemplate", crtn);
+ return testError(quiet);
+ }
+
+ /*
+ * The moment of truth. Is that template identical to the
+ * raw undecoded TBS blob we got by decoding a NSS_SignedCertOrCRL?
+ */
+ int ourRtn = 0;
+ if(!appCompareCssmData(&clTbs, &signedCert.tbsBlob)) {
+ doPrintCert(rawCert);
+ printf("***Encoded TBS does not match decoded TBS.\n");
+ if(writeBlobs) {
+ writeFile(ENC_TBS_BLOB, clTbs.Data, clTbs.Length);
+ writeFile(DEC_TBS_BLOB, signedCert.tbsBlob.Data,
+ signedCert.tbsBlob.Length);
+ printf("...wrote TBS blobs to %s and %s\n",
+ ENC_TBS_BLOB, DEC_TBS_BLOB);
+ }
+ ourRtn = testError(quiet);
+ }
+ CSSM_FREE(clTbs.Data);
+ SecAsn1CoderRelease(coder);
+ return ourRtn;
+}
+
+/* verify root with itself using TP */
+static int verifyRoot(
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_DATA &cert,
+ CSSM_BOOL allowExpired,
+ CSSM_BOOL useTrustSettings,
+ CSSM_BOOL quiet)
+{
+ BlobList blobs;
+ blobs.addBlob(cert, CSSM_TRUE);
+ int i;
+
+ const char *certStatus;
+ if(useTrustSettings) {
+ /*
+ * CSSM_CERT_STATUS_IS_IN_INPUT_CERTS
+ * CSSM_CERT_STATUS_IS_ROOT
+ * CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM
+ * CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST
+ */
+ certStatus = "0:0x314";
+ }
+ else {
+ /*
+ * CSSM_CERT_STATUS_IS_IN_INPUT_CERTS (new since radar 3855635 was fixed)
+ * CSSM_CERT_STATUS_IS_IN_ANCHORS
+ * CSSM_CERT_STATUS_IS_ROOT
+ */
+ certStatus = "0:0x1C";
+ }
+
+ /* try one with allowExpiredRoot false, then true on error and if so
+ * enabled to make sure we know what's going wrong */
+ CSSM_BOOL expireEnable = CSSM_FALSE;
+ for(int dex=0; dex<2; dex++) {
+ i = certVerifySimple(tpHand, clHand, cspHand,
+ blobs, // certs
+ blobs, // and roots
+ CSSM_FALSE, // useSystemAnchors
+ CSSM_TRUE, // leaf is CA
+ expireEnable,
+ CVP_Basic,
+ NULL, // SSL host
+ CSSM_FALSE, // SSL client
+ NULL, // sender email
+ 0, // key use
+ NULL, // expected error str
+ 0, NULL, // per-cert errors
+ 1, &certStatus, // per-cert status
+ useTrustSettings,
+ quiet,
+ CSSM_FALSE); // verbose
+ if(i == 0) {
+ /* success */
+ if(dex == 1) {
+ printf("...warning: expired root detected. Be aware.\n");
+ }
+ return 0;
+ }
+ if(!allowExpired) {
+ /* no second chance */
+ return i;
+ }
+ expireEnable = CSSM_TRUE;
+ if(useTrustSettings) {
+ /* now expect EXPIRED, IS_ROOT, IS_IN_INPUT_CERTS, TRUST_SETTINGS_FOUND_SYSTEM,
+ * CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST */
+ certStatus = "0:0x315";
+ }
+ else {
+ /* now expect EXPIRED, IS_ROOT, IS_IN_ANCHORS, IS_IN_INPUT_CERTS */
+ certStatus = "0:0x1d";
+ }
+ }
+ return i;
+}
+
+
+static int doTest(
+ CSSM_CL_HANDLE clHand,
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CSP_HANDLE cspHand,
+ const CSSM_DATA &cert,
+ CSSM_BOOL allowExpired,
+ CSSM_BOOL quiet,
+ CSSM_BOOL verbose,
+ CSSM_BOOL writeBlobs,
+ CSSM_BOOL useTrustSettings)
+{
+ /* first see if this anchor self-verifies. */
+ if(verifyRoot(tpHand, clHand, cspHand, cert, allowExpired,
+ useTrustSettings, quiet)) {
+ doPrintCert(cert);
+ printf("***This anchor does not self-verify!\n");
+ return testError(quiet);
+ }
+
+ /* have the CL parse it to the best of its ability */
+ CSSM_FIELD_PTR certFields;
+ uint32 numFields;
+ CSSM_RETURN crtn = CSSM_CL_CertGetAllFields(clHand, &cert, &numFields,
+ &certFields);
+ if(crtn) {
+ printError("CSSM_CL_CertGetAllFields", crtn);
+ doPrintCert(cert);
+ printf("***The CL can not parse this anchor!\n");
+ return testError(quiet);
+ }
+
+ /* save, this object does the free fields when it goes out of scope */
+ FieldArray parsed(certFields, numFields, clHand);
+
+ /*
+ * We're going to build a TBSCert from these received fields.
+ * Extensions need to be processed specially because they
+ * come back from the CL ordered differently than they appear
+ * in the cert.
+ *
+ * First make two buckets for making copies of incoming fields.
+ */
+ FieldArray forCreate(numFields); // for creating template
+ FieldArray extenFields(numFields);
+
+ for(unsigned dex=0; dex<numFields; dex++) {
+ CSSM_FIELD &parsedField = parsed.fieldAt(dex);
+ FieldType type = typeForOid(parsedField.FieldOid);
+ switch(type) {
+ case FT_Normal:
+ forCreate.appendField(parsedField);
+ break;
+ case FT_ReadOnly:
+ case FT_NotTBS:
+ /* ignore */
+ break;
+ case FT_ExtenParsed:
+ case FT_ExtenUnknown:
+ /* extensions, save and process later */
+ extenFields.appendField(parsedField);
+ break;
+ default:
+ doPrintCert(cert);
+ printf("***This anchor contains an unknown field!\n");
+ if(testError(quiet)) {
+ return 1;
+ }
+ /* well let's limp along */
+ forCreate.appendField(parsedField);
+ break;
+ }
+ }
+
+ /* basic extension verification */
+ if(vfyExtens(extenFields, cert, quiet)) {
+ return 1;
+ }
+ return buildTbs(clHand, cert, forCreate, extenFields, quiet,
+ verbose, writeBlobs);
+}
+
+int main(int argc, char **argv)
+{
+ CSSM_BOOL quiet = CSSM_FALSE;
+ CSSM_BOOL verbose = CSSM_FALSE;
+ CSSM_BOOL writeBlobs = CSSM_FALSE;
+ CSSM_BOOL allowExpired = CSSM_FALSE;
+ CSSM_BOOL useTrustSettings = CSSM_FALSE;
+
+ for(int arg=1; arg<argc; arg++) {
+ switch(argv[arg][0]) {
+ case 'q':
+ quiet = CSSM_TRUE;
+ break;
+ case 'v':
+ verbose = CSSM_TRUE;
+ break;
+ case 'w':
+ writeBlobs = CSSM_TRUE;
+ break;
+ case 't':
+ useTrustSettings = CSSM_TRUE;
+ break;
+ case 'e':
+ allowExpired = CSSM_TRUE;
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ printf("Starting anchorTest; args: ");
+ for(int i=1; i<argc; i++) {
+ printf("%s ", argv[i]);
+ }
+ printf("\n");
+
+ /* get system anchors only; convert to CSSM */
+ CFArrayRef cfAnchors;
+ OSStatus ortn;
+ CSSM_DATA *anchors;
+ unsigned numAnchors;
+ ortn = getSystemAnchors(&cfAnchors, &anchors, &numAnchors);
+ if(ortn) {
+ exit(1);
+ }
+ if(numAnchors < 50) {
+ printf("***Hey! I can only find %u anchors; there should be way more than that.\n",
+ numAnchors);
+ exit(1);
+ }
+
+ CSSM_CL_HANDLE clHand = clStartup();
+ CSSM_TP_HANDLE tpHand = tpStartup();
+ CSSM_CSP_HANDLE cspHand = cspStartup();
+ if((clHand == 0) || (tpHand == 0) || (cspHand == 0)) {
+ return 0;
+ }
+
+ int rtn = 0;
+ for(unsigned dex=0; dex<numAnchors; dex++) {
+ if(!quiet) {
+ printf("...anchor %u\n", dex);
+ }
+ rtn = doTest(clHand, tpHand, cspHand, anchors[dex], allowExpired,
+ quiet, verbose, writeBlobs, useTrustSettings);
+ if(rtn) {
+ break;
+ }
+ }
+ if(rtn == 0) {
+ if(!quiet) {
+ printf("...%s success.\n", argv[0]);
+ }
+ }
+ return rtn;
+}
projects / apple / security.git / blobdiff