--- /dev/null
+/* Copyright (c) 2006 Apple Computer, Inc.
+ *
+ * certSerialEncodeTest.cpp
+ *
+ * Verify proper encoding of unsigned integer as a DER_encoded signed integer.
+ * Verifies Radar 4471281.
+ *
+ */
+
+#include <utilLib/common.h>
+#include <utilLib/cspwrap.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <clAppUtils/clutils.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <Security/cssm.h>
+#include <Security/x509defs.h>
+#include <Security/oidsattr.h>
+#include <Security/oidscert.h>
+#include <Security/oidsalg.h>
+#include <Security/certextensions.h>
+#include <Security/cssmapple.h>
+#include <string.h>
+
+#define SUBJ_KEY_LABEL "subjectKey"
+#define ROOT_KEY_LABEL "rootKey"
+/* default key and signature algorithm */
+#define SIG_ALG_DEFAULT CSSM_ALGID_SHA1WithRSA
+#define SIG_OID_DEFAULT CSSMOID_SHA1WithRSA
+#define KEY_ALG_DEFAULT CSSM_ALGID_RSA
+
+/* for write certs/keys option */
+#define ROOT_CERT_FILE_NAME "ssRootCert.cer"
+#define SUBJ_CERT_FILE_NAME "ssSubjCert.cer"
+
+/* public key in ref form, TP supports this as of 1/30/02 */
+#define PUB_KEY_IS_REF CSSM_TRUE
+
+static void usage(char **argv)
+{
+ printf("Usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" w[rite certs]\n");
+ printf(" p(ause for MallocDebug)\n");
+ printf(" q(uiet)\n");
+ exit(1);
+}
+
+/*
+ * RDN components
+ */
+static CSSM_APPLE_TP_NAME_OID rootRdn[] =
+{
+ { "Apple Computer", &CSSMOID_OrganizationName },
+ { "The Big Cheesy Debug Root", &CSSMOID_CommonName }
+};
+#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
+
+/* test cases */
+typedef struct {
+ uint32 serialIn; /* --> CSSM_TP_SubmitCredRequest */
+ CSSM_SIZE expectLen;
+ const uint8 *expect;
+} SerialNumber;
+
+/* 0x7f */
+static const uint8 sn0_Data[1] = {0x7f};
+static const SerialNumber sn0 = {0x7f, 1, sn0_Data };
+
+/* 0x80 */
+static const uint8 sn1_Data[2] = {0x00, 0x80};
+static const SerialNumber sn1 = {0x80, 2, sn1_Data };
+
+/* 0x7ff */
+static const uint8 sn2_Data[2] = {0x07, 0xff};
+static const SerialNumber sn2 = {0x7ff, 2, sn2_Data };
+
+/* 0x80ff */
+static const uint8 sn3_Data[3] = {0x00, 0x80, 0xff};
+static const SerialNumber sn3 = {0x80ff, 3, sn3_Data };
+
+/* 0xfffffff */
+static const uint8 sn4_Data[4] = {0x0f, 0xff, 0xff, 0xff};
+static const SerialNumber sn4 = {0xfffffff, 4, sn4_Data };
+
+/* 0x0fffffff */
+static const uint8 sn5_Data[4] = {0x0f, 0xff, 0xff, 0xff};
+static const SerialNumber sn5 = {0x0fffffff, 4, sn5_Data };
+
+/* 0x80000000 */
+static const uint8 sn6_Data[5] = {0x00, 0x80, 0x00, 0x00, 0x00};
+static const SerialNumber sn6 = {0x80000000, 5, sn6_Data };
+
+static const SerialNumber *serialNumbers[] = {
+ &sn0, &sn1, &sn2, &sn3, &sn4, &sn5, &sn6
+};
+#define NUM_SERIAL_NUMS (sizeof(serialNumbers) / sizeof(serialNumbers[0]))
+
+static int doTest(
+ CSSM_CL_HANDLE clHand, // CL handle
+ CSSM_CSP_HANDLE cspHand, // CSP handle
+ CSSM_TP_HANDLE tpHand, // TP handle
+ CSSM_KEY_PTR subjPubKey,
+ CSSM_KEY_PTR signerPrivKey,
+ uint32 serialNumIn,
+ CSSM_SIZE serialNumExpLen,
+ const uint8 *serialNumExp,
+ CSSM_BOOL quiet,
+ CSSM_BOOL writeBlobs)
+{
+ CSSM_DATA refId; // mallocd by CSSM_TP_SubmitCredRequest
+ CSSM_APPLE_TP_CERT_REQUEST certReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ sint32 estTime;
+ CSSM_BOOL confirmRequired;
+ CSSM_TP_RESULT_SET_PTR resultSet;
+ CSSM_ENCODED_CERT *encCert;
+ CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
+ CSSM_FIELD policyId;
+ CSSM_RETURN crtn;
+ CSSM_DATA *signedRootCert;
+ int ourRtn = 0;
+ CSSM_DATA_PTR foundSerial = NULL;
+ CSSM_HANDLE resultHand = 0;
+ uint32 numFields;
+
+ /* certReq for root */
+ memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
+ certReq.cspHand = cspHand;
+ certReq.clHand = clHand;
+ certReq.serialNumber = serialNumIn;
+ certReq.numSubjectNames = NUM_ROOT_NAMES;
+ certReq.subjectNames = rootRdn;
+ certReq.numIssuerNames = 0;
+ certReq.issuerNames = NULL;
+ certReq.certPublicKey = subjPubKey;
+ certReq.issuerPrivateKey = signerPrivKey;
+ certReq.signatureAlg = CSSM_ALGID_SHA1WithRSA;
+ certReq.signatureOid = CSSMOID_SHA1WithRSA;
+ certReq.notBefore = 0; // now
+ certReq.notAfter = 10000; // seconds from now
+ certReq.numExtensions = 0;
+ certReq.extensions = NULL;
+
+ reqSet.NumberOfRequests = 1;
+ reqSet.Requests = &certReq;
+
+ /* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
+ memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+ memset(&policyId, 0, sizeof(CSSM_FIELD));
+ policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
+ CallerAuthContext.Policy.NumberOfPolicyIds = 1;
+ CallerAuthContext.Policy.PolicyIds = &policyId;
+
+ /* generate root cert */
+ if(!quiet) {
+ printf("Creating root cert...\n");
+ }
+ crtn = CSSM_TP_SubmitCredRequest(tpHand,
+ NULL, // PreferredAuthority
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ &reqSet,
+ &CallerAuthContext,
+ &estTime,
+ &refId);
+ if(crtn) {
+ printError("CSSM_TP_SubmitCredRequest", crtn);
+ ourRtn = -1;
+ goto errOut;
+ }
+ crtn = CSSM_TP_RetrieveCredResult(tpHand,
+ &refId,
+ NULL, // CallerAuthCredentials
+ &estTime,
+ &confirmRequired,
+ &resultSet);
+ if(crtn) {
+ printError("CSSM_TP_RetrieveCredResult", crtn);
+ ourRtn = -1;
+ goto errOut;
+ }
+ if(resultSet == NULL) {
+ printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+ encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
+ signedRootCert = &encCert->CertBlob;
+ if(writeBlobs) {
+ writeFile(ROOT_CERT_FILE_NAME, signedRootCert->Data, signedRootCert->Length);
+ printf("...wrote %lu bytes to %s\n", signedRootCert->Length,
+ ROOT_CERT_FILE_NAME);
+ }
+
+ /* make sure it self-verifies */
+ crtn = CSSM_CL_CertVerify(clHand, 0 /* CCHandle */,
+ signedRootCert, signedRootCert,
+ NULL, 0);
+ if(crtn) {
+ cssmPerror("CSSM_CL_CertVerify", crtn);
+ printf("***Created cert does not self-verify\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+
+ /* extract the field we're interested in verifying */
+ crtn = CSSM_CL_CertGetFirstFieldValue(clHand, signedRootCert,
+ &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &foundSerial);
+ if(crtn) {
+ cssmPerror("CSSM_CL_CertGetFirstFieldValue(serialNumber)", crtn);
+ printf("***Can't obtain serial number\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+ CSSM_CL_CertAbortQuery(clHand, resultHand);
+ if(foundSerial->Length != serialNumExpLen) {
+ printf("***expected serialNumber len 0x%lu, got 0x%lu\n",
+ (unsigned long)serialNumExpLen, (unsigned long)foundSerial->Length);
+ ourRtn = -1;
+ goto errOut;
+ }
+ for(unsigned dex=0; dex<serialNumExpLen; dex++) {
+ if(foundSerial->Data[dex] != serialNumExp[dex]) {
+ printf("***SerialNumber mismatch at index %u: exp %02X got %02X\n",
+ dex, (unsigned)serialNumExp[dex],
+ (unsigned)foundSerial->Data[dex]);
+ ourRtn = -1;
+ }
+ }
+ /* free retrieved serial number and the result set itself */
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, foundSerial);
+ CSSM_FREE(signedRootCert->Data);
+ CSSM_FREE(encCert);
+ CSSM_FREE(resultSet);
+ /* Per the spec, this is supposed to be Opaque to us and the TP is supposed to free
+ * it when it goes out of scope...but libsecurity_keychains's
+ * CertificateRequest::submitDotMac() frees this...that would have to change
+ * in order for the TP to free this properly. Someday maybe. No big deal.
+ */
+ CSSM_FREE(refId.Data);
+errOut:
+ return ourRtn;
+}
+
+int main(int argc, char **argv)
+{
+ CSSM_CL_HANDLE clHand; // CL handle
+ CSSM_CSP_HANDLE cspHand; // CSP handle
+ CSSM_TP_HANDLE tpHand; // TP handle
+ CSSM_KEY rootPubKey; // root's RSA public key blob
+ CSSM_KEY rootPrivKey; // root's RSA private key - ref format
+ CSSM_RETURN crtn;
+ int arg;
+ unsigned dex;
+ int ourRtn = 0;
+ uint32 keySizeInBits = 512;
+ CSSM_BOOL doPause = CSSM_FALSE;
+
+ /* user-spec'd variables */
+ CSSM_BOOL writeBlobs = CSSM_FALSE;
+ CSSM_BOOL quiet = CSSM_FALSE;
+
+ for(arg=1; arg<argc; arg++) {
+ switch(argv[arg][0]) {
+ case 'w':
+ writeBlobs = CSSM_TRUE;
+ break;
+ case 'q':
+ quiet = CSSM_TRUE;
+ break;
+ case 'p':
+ doPause = CSSM_TRUE;
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+ testStartBanner("certSerialEncodeTest", argc, argv);
+
+
+ /* connect to CL, TP, and CSP */
+ clHand = clStartup();
+ if(clHand == 0) {
+ return -1;
+ }
+ tpHand = tpStartup();
+ if(tpHand == 0) {
+ return -1;
+ }
+ cspHand = cspStartup();
+ if(cspHand == 0) {
+ return -1;
+ }
+
+ /* cook up key pair for self-signed cert */
+ crtn = cspGenKeyPair(cspHand,
+ CSSM_ALGID_RSA,
+ ROOT_KEY_LABEL,
+ strlen(ROOT_KEY_LABEL),
+ keySizeInBits,
+ &rootPubKey,
+ CSSM_FALSE, // pubIsRef - should work both ways, but not yet
+ CSSM_KEYUSE_VERIFY,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ &rootPrivKey,
+ writeBlobs ? CSSM_FALSE : CSSM_TRUE, // privIsRef
+ CSSM_KEYUSE_SIGN,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ CSSM_FALSE);
+ if(crtn) {
+ ourRtn = -1;
+ goto abort;
+ }
+
+ for(dex=0; dex<NUM_SERIAL_NUMS; dex++) {
+ const SerialNumber *sn = serialNumbers[dex];
+ if(!quiet) {
+ printf("...testing serial number 0x%lx\n", (unsigned long)sn->serialIn);
+ }
+ ourRtn = doTest(clHand, cspHand, tpHand,
+ &rootPubKey, &rootPrivKey,
+ sn->serialIn, sn->expectLen, sn->expect,
+ quiet, writeBlobs);
+ if(ourRtn) {
+ break;
+ }
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing for MallocDebug. a to abort, anything else to continue: ");
+ if(getchar() == 'a') {
+ break;
+ }
+ }
+ }
+
+ cspFreeKey(cspHand, &rootPubKey);
+ cspFreeKey(cspHand, &rootPrivKey);
+
+abort:
+ if(cspHand != 0) {
+ CSSM_ModuleDetach(cspHand);
+ }
+ if(clHand != 0) {
+ CSSM_ModuleDetach(clHand);
+ }
+ if(tpHand != 0) {
+ CSSM_ModuleDetach(tpHand);
+ }
+
+ if((ourRtn == 0) && !quiet) {
+ printf("certSerialEncodeTest test succeeded\n");
+ }
+ return ourRtn;
+}
+
+
projects / apple / security.git / blobdiff