+/*
+ * CertBuilderApp.cpp - support for constructing certs, CDSA version
+ */
+
+#include "clutils.h"
+#include <utilLib/common.h>
+#include "CertBuilderApp.h"
+#include "timeStr.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <Security/oidscert.h>
+#include <Security/oidsalg.h>
+#include <Security/x509defs.h>
+#include <Security/SecAsn1Coder.h>
+/* private header */
+#include <Security/keyTemplates.h>
+
+/*
+ * Build up a CSSM_X509_NAME from an arbitrary list of name/OID pairs.
+ * We do one a/v pair per RDN.
+ */
+CSSM_X509_NAME *CB_BuildX509Name(
+ const CB_NameOid *nameArray,
+ unsigned numNames)
+{
+ CSSM_X509_NAME *top = (CSSM_X509_NAME *)appMalloc(sizeof(CSSM_X509_NAME), 0);
+ if(top == NULL) {
+ return NULL;
+ }
+ top->numberOfRDNs = numNames;
+ top->RelativeDistinguishedName =
+ (CSSM_X509_RDN_PTR)appMalloc(sizeof(CSSM_X509_RDN) * numNames, 0);
+ if(top->RelativeDistinguishedName == NULL) {
+ return NULL;
+ }
+ CSSM_X509_RDN_PTR rdn;
+ const CB_NameOid *nameOid;
+ unsigned nameDex;
+ for(nameDex=0; nameDex<numNames; nameDex++) {
+ rdn = &top->RelativeDistinguishedName[nameDex];
+ nameOid = &nameArray[nameDex];
+ rdn->numberOfPairs = 1;
+ rdn->AttributeTypeAndValue = (CSSM_X509_TYPE_VALUE_PAIR_PTR)
+ appMalloc(sizeof(CSSM_X509_TYPE_VALUE_PAIR), 0);
+ CSSM_X509_TYPE_VALUE_PAIR_PTR atvp = rdn->AttributeTypeAndValue;
+ if(atvp == NULL) {
+ return NULL;
+ }
+ appCopyCssmData(nameOid->oid, &atvp->type);
+ atvp->valueType = BER_TAG_PRINTABLE_STRING;
+ atvp->value.Length = strlen(nameOid->string);
+ atvp->value.Data = (uint8 *)CSSM_MALLOC(atvp->value.Length);
+ memmove(atvp->value.Data, nameOid->string, atvp->value.Length);
+ }
+ return top;
+}
+
+/* free the CSSM_X509_NAME obtained from CB_BuildX509Name */
+void CB_FreeX509Name(
+ CSSM_X509_NAME *top)
+{
+ if(top == NULL) {
+ return;
+ }
+ unsigned nameDex;
+ CSSM_X509_RDN_PTR rdn;
+ for(nameDex=0; nameDex<top->numberOfRDNs; nameDex++) {
+ rdn = &top->RelativeDistinguishedName[nameDex];
+ if(rdn->AttributeTypeAndValue) {
+ for(unsigned aDex=0; aDex<rdn->numberOfPairs; aDex++) {
+ CSSM_X509_TYPE_VALUE_PAIR_PTR atvp =
+ &rdn->AttributeTypeAndValue[aDex];
+ CSSM_FREE(atvp->type.Data);
+ CSSM_FREE(atvp->value.Data);
+ }
+ CSSM_FREE(rdn->AttributeTypeAndValue);
+ }
+ }
+ CSSM_FREE(top->RelativeDistinguishedName);
+ CSSM_FREE(top);
+}
+
+/* Obtain a CSSM_X509_TIME representing "now" plus specified seconds, or
+ * from a preformatted gen time string */
+CSSM_X509_TIME *CB_BuildX509Time(
+ unsigned secondsFromNow, /* ignored if timeStr non-NULL */
+ const char *timeStr) /* optional, from genTimeAtNowPlus */
+{
+ CSSM_X509_TIME *xtime = (CSSM_X509_TIME *)appMalloc(sizeof(CSSM_X509_TIME), 0);
+ if(xtime == NULL) {
+ return NULL;
+ }
+ xtime->timeType = BER_TAG_GENERALIZED_TIME;
+ char *ts;
+ if(timeStr == NULL) {
+ ts = genTimeAtNowPlus(secondsFromNow);
+ }
+ else {
+ ts = (char *)appMalloc(strlen(timeStr) + 1, 0);
+ strcpy(ts, timeStr);
+ }
+ xtime->time.Data = (uint8 *)ts;
+ xtime->time.Length = strlen(ts);
+ return xtime;
+}
+
+/* Free CSSM_X509_TIME obtained in CB_BuildX509Time */
+void CB_FreeX509Time(
+ CSSM_X509_TIME *xtime)
+{
+ if(xtime == NULL) {
+ return;
+ }
+ freeTimeString((char *)xtime->time.Data);
+ appFree(xtime, 0);
+}
+
+/*
+ * Encode an OID as a CSSM_X509_ALGORITHM_IDENTIFIER.
+ * Returns nonzero on error.
+ * Returned data is appMallocd's caller must appFree.
+ */
+int encodeParamOid(
+ const CSSM_OID *paramOid,
+ CSSM_DATA *params)
+{
+ SecAsn1CoderRef coder = NULL;
+ if(SecAsn1CoderCreate(&coder)) {
+ printf("***Error in SecAsn1CoderCreate()\n");
+ return -1;
+ }
+
+ CSSM_X509_ALGORITHM_IDENTIFIER algParams;
+ memset(&algParams, 0, sizeof(algParams));
+ algParams.algorithm = *paramOid;
+ CSSM_DATA encoded = {0, NULL};
+ int ourRtn = 0;
+ if(SecAsn1EncodeItem(coder, &algParams, kSecAsn1AlgorithmIDTemplate,
+ &encoded)) {
+ printf("***Error encoding CSSM_X509_ALGORITHM_IDENTIFIER\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+
+ /* That data is in the coder's memory space: copy ou9t to caller */
+ if(appCopyCssmData(&encoded, params)) {
+ printf("***encodeParamOid malloc failure\n");
+ ourRtn = -1;
+ }
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ourRtn;
+}
+
+/*
+ * Cook up an unsigned cert.
+ * This is just a wrapper for CSSM_CL_CertCreateTemplate().
+ */
+
+#define ALWAYS_SET_VERSION 0
+
+CSSM_DATA_PTR CB_MakeCertTemplate(
+ /* required */
+ CSSM_CL_HANDLE clHand,
+ uint32 serialNumber,
+ const CSSM_X509_NAME *issuerName,
+ const CSSM_X509_NAME *subjectName,
+ const CSSM_X509_TIME *notBefore,
+ const CSSM_X509_TIME *notAfter,
+ const CSSM_KEY_PTR subjectPubKey,
+ CSSM_ALGORITHMS sigAlg, // e.g., CSSM_ALGID_SHA1WithRSA
+ /* optional */
+ const CSSM_DATA *subjectUniqueId,
+ const CSSM_DATA *issuerUniqueId,
+ CSSM_X509_EXTENSION *extensions,
+ unsigned numExtensions)
+{
+ CSSM_FIELD *certTemp;
+ unsigned fieldDex = 0; // index into certTemp
+ CSSM_DATA_PTR serialDER = NULL; // serial number, DER format
+ CSSM_DATA_PTR rawCert; // from CSSM_CL_CertCreateTemplate
+ unsigned version = 0;
+ CSSM_DATA_PTR versionDER = NULL;
+ unsigned extNum;
+ int setVersion = ALWAYS_SET_VERSION;
+ const CSSM_OID *paramOid = NULL;
+
+ /* convert uint32-style algorithm to the associated struct */
+ CSSM_X509_ALGORITHM_IDENTIFIER algId;
+ switch(sigAlg) {
+ case CSSM_ALGID_SHA1WithRSA:
+ algId.algorithm = CSSMOID_SHA1WithRSA;
+ break;
+ case CSSM_ALGID_MD5WithRSA:
+ algId.algorithm = CSSMOID_MD5WithRSA;
+ break;
+ case CSSM_ALGID_MD2WithRSA:
+ algId.algorithm = CSSMOID_MD2WithRSA;
+ break;
+ case CSSM_ALGID_FEE_MD5:
+ algId.algorithm = CSSMOID_APPLE_FEE_MD5;
+ break;
+ case CSSM_ALGID_FEE_SHA1:
+ algId.algorithm = CSSMOID_APPLE_FEE_SHA1;
+ break;
+ case CSSM_ALGID_SHA1WithECDSA:
+ algId.algorithm = CSSMOID_ECDSA_WithSHA1;
+ break;
+ case CSSM_ALGID_SHA1WithDSA:
+ algId.algorithm = CSSMOID_SHA1WithDSA_CMS;
+ break;
+ case CSSM_ALGID_SHA224WithRSA:
+ algId.algorithm = CSSMOID_SHA224WithRSA;
+ break;
+ case CSSM_ALGID_SHA256WithRSA:
+ algId.algorithm = CSSMOID_SHA256WithRSA;
+ break;
+ case CSSM_ALGID_SHA384WithRSA:
+ algId.algorithm = CSSMOID_SHA384WithRSA;
+ break;
+ case CSSM_ALGID_SHA512WithRSA:
+ algId.algorithm = CSSMOID_SHA512WithRSA;
+ break;
+ /* These specify the digest algorithm via an additional parameter OID */
+ case CSSM_ALGID_SHA224WithECDSA:
+ algId.algorithm = CSSMOID_ECDSA_WithSpecified;
+ paramOid = &CSSMOID_SHA224;
+ break;
+ case CSSM_ALGID_SHA256WithECDSA:
+ algId.algorithm = CSSMOID_ECDSA_WithSpecified;
+ paramOid = &CSSMOID_SHA256;
+ break;
+ case CSSM_ALGID_SHA384WithECDSA:
+ algId.algorithm = CSSMOID_ECDSA_WithSpecified;
+ paramOid = &CSSMOID_SHA384;
+ break;
+ case CSSM_ALGID_SHA512WithECDSA:
+ algId.algorithm = CSSMOID_ECDSA_WithSpecified;
+ paramOid = &CSSMOID_SHA512;
+ break;
+ default:
+ printf("CB_MakeCertTemplate: unknown sig alg (%u)\n", (unsigned)sigAlg);
+ return NULL;
+ }
+ if(paramOid != NULL) {
+ /* not-quite-trivial encoding of digest algorithm */
+ if(encodeParamOid(paramOid, &algId.parameters)) {
+ return NULL;
+ }
+ }
+ else {
+ algId.parameters.Data = NULL;
+ algId.parameters.Length = 0;
+ }
+
+ /*
+ * version, we infer
+ * serialNumber thru subjectPubKey
+ */
+ unsigned numFields = 7 + numExtensions;
+ if(numExtensions) {
+ version = 2;
+ }
+ if(subjectUniqueId) {
+ numFields++;
+ if(version == 0) {
+ version = 1;
+ }
+ }
+ if(issuerUniqueId) {
+ numFields++;
+ if(version == 0) {
+ version = 1;
+ }
+ }
+ if(version > 0) {
+ setVersion = 1;
+ }
+ if(setVersion) {
+ numFields++;
+ }
+
+ certTemp = (CSSM_FIELD *)CSSM_MALLOC(sizeof(CSSM_FIELD) * numFields);
+
+ /* version */
+ if(setVersion) {
+ versionDER = intToDER(version);
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1Version;
+ certTemp[fieldDex++].FieldValue = *versionDER;
+ }
+
+ /* serial number */
+ serialDER = intToDER(serialNumber);
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1SerialNumber;
+ certTemp[fieldDex++].FieldValue = *serialDER;
+
+ /* subject and issuer name */
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1IssuerNameCStruct;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)issuerName;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_NAME);
+
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1SubjectNameCStruct;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)subjectName;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_NAME);
+
+ /* not before/after */
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1ValidityNotBefore;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)notBefore;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_TIME);
+
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1ValidityNotAfter;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)notAfter;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_TIME);
+
+ /* the subject key */
+ certTemp[fieldDex].FieldOid = CSSMOID_CSSMKeyStruct;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)subjectPubKey;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_KEY);
+
+ /* signature algorithm */
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1SignatureAlgorithmTBS;
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)&algId;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_ALGORITHM_IDENTIFIER);
+
+ /* subject/issuer unique IDs */
+ if(subjectUniqueId != 0) {
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1CertificateSubjectUniqueId;
+ certTemp[fieldDex++].FieldValue = *subjectUniqueId;
+ }
+ if(issuerUniqueId != 0) {
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V1CertificateIssuerUniqueId;
+ certTemp[fieldDex++].FieldValue = *issuerUniqueId;
+ }
+
+ for(extNum=0; extNum<numExtensions; extNum++) {
+ CSSM_X509_EXTENSION_PTR ext = &extensions[extNum];
+ if(ext->format == CSSM_X509_DATAFORMAT_PARSED) {
+ certTemp[fieldDex].FieldOid = ext->extnId;
+ }
+ else {
+ certTemp[fieldDex].FieldOid = CSSMOID_X509V3CertificateExtensionCStruct;
+ }
+ certTemp[fieldDex].FieldValue.Data = (uint8 *)ext;
+ certTemp[fieldDex++].FieldValue.Length = sizeof(CSSM_X509_EXTENSION);
+ }
+ if(fieldDex != numFields) {
+ printf("CB_MakeCertTemplate numFields screwup\n");
+ return NULL;
+ }
+
+ /*
+ * OK, here we go
+ */
+ rawCert = (CSSM_DATA_PTR)CSSM_MALLOC(sizeof(CSSM_DATA));
+ rawCert->Data = NULL;
+ rawCert->Length = 0;
+ CSSM_RETURN crtn = CSSM_CL_CertCreateTemplate(clHand,
+ fieldDex,
+ certTemp,
+ rawCert);
+ if(crtn) {
+ printError("CSSM_CL_CertCreateTemplate", crtn);
+ appFreeCssmData(rawCert, CSSM_TRUE);
+ rawCert = NULL;
+ }
+
+ /* free the stuff we mallocd to get here */
+ appFreeCssmData(serialDER, CSSM_TRUE);
+ appFreeCssmData(versionDER, CSSM_TRUE);
+ CSSM_FREE(certTemp);
+ if((paramOid != NULL) && (algId.parameters.Data != NULL)) {
+ CSSM_FREE(algId.parameters.Data);
+ }
+ return rawCert;
+}
projects / apple / security.git / blobdiff