--- /dev/null
+/*
+ * certVerify.cpp - execute cert/CRL verify; display results
+ */
+
+#include "certVerify.h"
+#include "tpUtils.h"
+#include <utilLib/common.h>
+#include <clAppUtils/clutils.h>
+#include <clAppUtils/tpUtils.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <Security/cssm.h>
+#include <Security/oidsalg.h>
+#include <Security/SecTrust.h>
+#include <Security/SecPolicySearch.h>
+#include <Security/cssmapplePriv.h>
+#include <security_cdsa_utils/cuCdsaUtils.h>
+#include <Security/TrustSettingsSchema.h>
+
+static int vfyCertErrors(
+ const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult,
+ unsigned numCertErrors,
+ const char **certErrors, // e.g., "2:CSSMERR_TP_CERT_EXPIRED"
+ CSSM_BOOL quiet)
+{
+ if(numCertErrors == 0) {
+ return 0;
+ }
+ if(vfyResult->NumberOfEvidences != 3) {
+ printf("***vfyCertErrors: NumberOfEvidences is %u, expect 3\n",
+ (unsigned)vfyResult->NumberOfEvidences);
+ return 1;
+ }
+
+ /* numCerts from evidence[1] */
+ const CSSM_EVIDENCE *ev = &vfyResult->Evidence[1];
+ const CSSM_CERTGROUP *grp = (const CSSM_CERTGROUP *)ev->Evidence;
+ unsigned numCerts = grp->NumCerts;
+ /* array of Apple-specific info from evidence[2] */
+ ev = &vfyResult->Evidence[2];
+ const CSSM_TP_APPLE_EVIDENCE_INFO *info =
+ (const CSSM_TP_APPLE_EVIDENCE_INFO *)ev->Evidence;
+ int ourRtn = 0;
+
+ for(unsigned dex=0; dex<numCertErrors; dex++) {
+ const char *str = certErrors[dex];
+ char buf[8];
+ unsigned i;
+
+ /*
+ * Format is certNum:errorString
+ * first get the cert number
+ */
+ for(i=0; *str != '\0'; i++, str++) {
+ if(*str == ':') {
+ break;
+ }
+ buf[i] = *str;
+ }
+ if(*str != ':') {
+ printf("***Bad certerror value, format is certNum:errorString\n");
+ return 1;
+ }
+ buf[i] = '\0';
+ unsigned certNum = atoi(buf);
+ if(certNum > (numCerts-1)) {
+ printf("***certerror specified for cert %u, but only %u certs"
+ " available\n", certNum, numCerts);
+ return 1;
+ }
+ str++; // pts to actual desired error string now
+
+ /*
+ * There may be multiple per-cert statuses in the evidence; search all
+ * looking for a match
+ */
+ const CSSM_TP_APPLE_EVIDENCE_INFO *thisInfo = &info[certNum];
+ char *found = NULL;
+ for(unsigned i=0; i<thisInfo->NumStatusCodes; i++) {
+ CSSM_RETURN actRtn = thisInfo->StatusCodes[i];
+ const char *actRtnStr = cssmErrToStr(actRtn);
+ found = strstr(actRtnStr, str);
+ if(found) {
+ break;
+ }
+ }
+ if(found) {
+ if(!quiet) {
+ printf("...%s per-cert status received as expected\n", str);
+ }
+ }
+ else {
+ printf("***Per cert status %s not found\n", str);
+ ourRtn = 1;
+ /* might as well keep going */
+ }
+ }
+ return ourRtn;
+}
+
+static int vfyCertStatus(
+ const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult,
+ unsigned numCertStatus,
+ const char **certStatus, // e.g., "1:0x18", leading 0x optional
+ CSSM_BOOL quiet)
+{
+ if(numCertStatus == 0) {
+ return 0;
+ }
+ if(vfyResult->NumberOfEvidences != 3) {
+ printf("***vfyCertStatus: NumberOfEvidences is %u, expect 3\n",
+ (unsigned)vfyResult->NumberOfEvidences);
+ return 1;
+ }
+
+ /* numCerts from evidence[1] */
+ const CSSM_EVIDENCE *ev = &vfyResult->Evidence[1];
+ const CSSM_CERTGROUP *grp = (const CSSM_CERTGROUP *)ev->Evidence;
+ unsigned numCerts = grp->NumCerts;
+ /* array of Apple-specific info from evidence[2] */
+ ev = &vfyResult->Evidence[2];
+ const CSSM_TP_APPLE_EVIDENCE_INFO *info =
+ (const CSSM_TP_APPLE_EVIDENCE_INFO *)ev->Evidence;
+ int ourRtn = 0;
+
+ for(unsigned dex=0; dex<numCertStatus; dex++) {
+ const char *str = certStatus[dex];
+ char buf[8];
+ unsigned i;
+
+ /*
+ * Format is certNum:status_in_hex
+ * first get the cert number
+ */
+ for(i=0; *str != '\0'; i++, str++) {
+ if(*str == ':') {
+ break;
+ }
+ buf[i] = *str;
+ }
+ if(*str != ':') {
+ printf("***Bad certstatus value, format is certNum:status_in_hex\n");
+ return 1;
+ }
+ buf[i] = '\0';
+ unsigned certNum = atoi(buf);
+ if(certNum > (numCerts-1)) {
+ printf("***certerror specified for cert %u, but only %u certs"
+ " available\n", certNum, numCerts);
+ return 1;
+ }
+ str++; // pts to actual desired status string now
+ unsigned certStat = hexToBin(str);
+ const CSSM_TP_APPLE_EVIDENCE_INFO *thisInfo = &info[certNum];
+ if(certStat == thisInfo->StatusBits) {
+ if(!quiet) {
+ printf("...0x%x per-cert status received as expected\n", certStat);
+ }
+ }
+ else {
+ printf("***Expected per cert status 0x%x, got 0x%x\n",
+ (unsigned)certStat, (unsigned)thisInfo->StatusBits);
+ ourRtn = 1;
+ }
+ }
+ return ourRtn;
+}
+
+/*
+ * Ensure that the policy being evaluated is accessible via
+ * SecPolicySearch*(). Not really part of the test, but a handy place
+ * to catch this common error before checking in TP changes.
+ */
+static int verifySecPolicy(
+ const CSSM_OID *oid)
+{
+ SecPolicySearchRef srchRef = NULL;
+ OSStatus ortn;
+
+ ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3, oid, NULL, &srchRef);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCreate", ortn);
+ return -1;
+ }
+ SecPolicyRef policyRef = NULL;
+ ortn = SecPolicySearchCopyNext(srchRef, &policyRef);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCopyNext", ortn);
+ printf("***The TP policy used in this test is not accessible via SecPolicySearchCopyNext().\n");
+ printf(" You probably forgot to add the policy to the theOidList table in PolicyCursor.cpp\n");
+ printf(" in the libsecurity_keychain project.\n");
+ }
+ CFRelease(srchRef);
+ if(policyRef) {
+ CFRelease(policyRef);
+ }
+ return ortn;
+}
+
+int certVerify(CertVerifyArgs *vfyArgs)
+{
+ if(vfyArgs->version != CERT_VFY_ARGS_VERS) {
+ printf("***CertVerifyArgs.Version mismatch. Clean and rebuild.\n");
+ return -1;
+ }
+
+ /* main job is building a CSSM_TP_VERIFY_CONTEXT and its components */
+ CSSM_TP_VERIFY_CONTEXT vfyCtx;
+ CSSM_TP_CALLERAUTH_CONTEXT authCtx;
+ CSSM_TP_VERIFY_CONTEXT_RESULT vfyResult;
+ CSSM_APPLE_TP_SSL_OPTIONS sslOpts;
+ CSSM_APPLE_TP_SMIME_OPTIONS smimeOpts;
+
+ memset(&vfyCtx, 0, sizeof(CSSM_TP_VERIFY_CONTEXT));
+ memset(&authCtx, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+
+ /* CSSM_TP_CALLERAUTH_CONTEXT components */
+ /*
+ typedef struct cssm_tp_callerauth_context {
+ CSSM_TP_POLICYINFO Policy;
+ CSSM_TIMESTRING VerifyTime;
+ CSSM_TP_STOP_ON VerificationAbortOn;
+ CSSM_TP_VERIFICATION_RESULTS_CALLBACK CallbackWithVerifiedCert;
+ uint32 NumberOfAnchorCerts;
+ CSSM_DATA_PTR AnchorCerts;
+ CSSM_DL_DB_LIST_PTR DBList;
+ CSSM_ACCESS_CREDENTIALS_PTR CallerCredentials;
+ } CSSM_TP_CALLERAUTH_CONTEXT, *CSSM_TP_CALLERAUTH_CONTEXT_PTR;
+ */
+ /* up to 3 policies */
+ CSSM_FIELD policyIds[3];
+ CSSM_FIELD *policyPtr = &policyIds[0];
+ uint32 numPolicies = 0;
+ memset(policyIds, 0, 3 * sizeof(CSSM_FIELD));
+
+ switch(vfyArgs->vfyPolicy) {
+ case CVP_SSL:
+ case CVP_IPSec:
+ if(vfyArgs->vfyPolicy == CVP_SSL) {
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_SSL;
+ }
+ else {
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_IP_SEC;
+ }
+ /* otherwise these policies are identical */
+ /* sslOpts is optional */
+ if((vfyArgs->sslHost != NULL) || vfyArgs->sslClient) {
+ memset(&sslOpts, 0, sizeof(sslOpts));
+ sslOpts.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
+ sslOpts.ServerName = vfyArgs->sslHost;
+ if(vfyArgs->sslHost != NULL) {
+ sslOpts.ServerNameLen = strlen(vfyArgs->sslHost) + 1;
+ }
+ if(vfyArgs->sslClient) {
+ sslOpts.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
+ }
+ policyPtr->FieldValue.Data = (uint8 *)&sslOpts;
+ policyPtr->FieldValue.Length = sizeof(sslOpts);
+ }
+ break;
+ case CVP_SMIME:
+ case CVP_iChat:
+ if(vfyArgs->vfyPolicy == CVP_SMIME) {
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_SMIME;
+ }
+ else {
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_ICHAT;
+ }
+ /* otherwise these policies are identical */
+ /* smimeOpts is optional */
+ if(vfyArgs->senderEmail != NULL) {
+ smimeOpts.Version = CSSM_APPLE_TP_SMIME_OPTS_VERSION;
+ smimeOpts.IntendedUsage = vfyArgs->intendedKeyUse;
+ smimeOpts.SenderEmail = vfyArgs->senderEmail;
+ smimeOpts.SenderEmailLen = strlen(vfyArgs->senderEmail) + 1;
+ policyPtr->FieldValue.Data = (uint8 *)&smimeOpts;
+ policyPtr->FieldValue.Length = sizeof(smimeOpts);
+ }
+ break;
+ case CVP_Basic:
+ policyPtr->FieldOid = CSSMOID_APPLE_X509_BASIC;
+ break;
+ case CVP_SWUpdateSign:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_SW_UPDATE_SIGNING;
+ break;
+ case CVP_ResourceSigning:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_RESOURCE_SIGN;
+ break;
+ case CVP_PKINIT_Server:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_PKINIT_SERVER;
+ break;
+ case CVP_PKINIT_Client:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_PKINIT_CLIENT;
+ break;
+ case CVP_AppleCodeSigning:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_CODE_SIGNING;
+ break;
+ case CVP_PackageSigning:
+ /* no options */
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_PACKAGE_SIGNING;
+ break;
+ default:
+ printf("***certVerify: bogus vfyPolicy\n");
+ return 1;
+ }
+ if(verifySecPolicy(&policyPtr->FieldOid)) {
+ return -1;
+ }
+ policyPtr++;
+ numPolicies++;
+
+ CSSM_APPLE_TP_CRL_OPTIONS crlOpts;
+ if((vfyArgs->revokePolicy == CRP_CRL) || (vfyArgs->revokePolicy == CRP_CRL_OCSP)) {
+ memset(&crlOpts, 0, sizeof(crlOpts));
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_REVOCATION_CRL;
+
+ crlOpts.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ crlOpts.CrlFlags = 0;
+ crlOpts.crlStore = NULL;
+ policyPtr->FieldValue.Data = (uint8 *)&crlOpts;
+ policyPtr->FieldValue.Length = sizeof(crlOpts);
+ if(vfyArgs->requireCrlForAll) {
+ crlOpts.CrlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT;
+ }
+ if(vfyArgs->crlNetFetchEnable) {
+ crlOpts.CrlFlags |= CSSM_TP_ACTION_FETCH_CRL_FROM_NET;
+ }
+ if(vfyArgs->requireCrlIfPresent) {
+ crlOpts.CrlFlags |= CSSM_TP_ACTION_REQUIRE_CRL_IF_PRESENT;
+ }
+ crlOpts.crlStore = vfyArgs->crlDlDb;
+ policyPtr++;
+ numPolicies++;
+ }
+
+ CSSM_APPLE_TP_OCSP_OPTIONS ocspOpts;
+ CSSM_DATA respUriData;
+ CSSM_DATA respCertData = {vfyArgs->responderCertLen,
+ (uint8 *)vfyArgs->responderCert};
+ if((vfyArgs->revokePolicy == CRP_OCSP) || (vfyArgs->revokePolicy == CRP_CRL_OCSP)) {
+ memset(&ocspOpts, 0, sizeof(ocspOpts));
+ policyPtr->FieldOid = CSSMOID_APPLE_TP_REVOCATION_OCSP;
+
+ crlOpts.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ policyPtr->FieldValue.Data = (uint8 *)&ocspOpts;
+ policyPtr->FieldValue.Length = sizeof(ocspOpts);
+ if(vfyArgs->requireOcspForAll) {
+ ocspOpts.Flags |= CSSM_TP_ACTION_OCSP_REQUIRE_PER_CERT;
+ }
+ if(vfyArgs->requireOcspIfPresent) {
+ ocspOpts.Flags |= CSSM_TP_ACTION_OCSP_REQUIRE_IF_RESP_PRESENT;
+ }
+ if(vfyArgs->disableCache) {
+ ocspOpts.Flags |= (CSSM_TP_ACTION_OCSP_CACHE_READ_DISABLE |
+ CSSM_TP_ACTION_OCSP_CACHE_WRITE_DISABLE);
+ }
+ if(vfyArgs->disableOcspNet) {
+ ocspOpts.Flags |= CSSM_TP_ACTION_OCSP_DISABLE_NET;
+ }
+ if(vfyArgs->generateOcspNonce) {
+ ocspOpts.Flags |= CSSM_TP_OCSP_GEN_NONCE;
+ }
+ if(vfyArgs->requireOcspRespNonce) {
+ ocspOpts.Flags |= CSSM_TP_OCSP_REQUIRE_RESP_NONCE;
+ }
+ if(vfyArgs->responderURI != NULL) {
+ respUriData.Data = (uint8 *)vfyArgs->responderURI;
+ respUriData.Length = strlen(vfyArgs->responderURI);
+ ocspOpts.LocalResponder = &respUriData;
+ }
+ if(vfyArgs->responderCert != NULL) {
+ ocspOpts.LocalResponderCert = &respCertData;
+ }
+ /* other OCSP options here */
+ policyPtr++;
+ numPolicies++;
+ }
+
+ authCtx.Policy.NumberOfPolicyIds = numPolicies;
+
+ authCtx.Policy.PolicyIds = policyIds;
+ authCtx.Policy.PolicyControl = NULL;
+
+ authCtx.VerifyTime = vfyArgs->vfyTime; // may be NULL
+ authCtx.VerificationAbortOn = CSSM_TP_STOP_ON_POLICY;
+ authCtx.CallbackWithVerifiedCert = NULL;
+
+ /*
+ * DLDBs - the caller's optional set, plus two more we open
+ * if trust settings are enabled and we're told to use system
+ * anchors. (System anchors are normally passed in via
+ * authCtx.AnchorCerts; they're passed in as DLDBs when
+ * using TrustSettings.)
+ */
+ uint32 totalNumDbs = 0;
+ uint32 numCallerDbs = 0;
+ CSSM_BOOL weOpenedDbs = CSSM_FALSE;
+ if(vfyArgs->dlDbList != NULL) {
+ totalNumDbs = numCallerDbs = vfyArgs->dlDbList->NumHandles;
+ }
+ if(vfyArgs->useTrustSettings && vfyArgs->useSystemAnchors) {
+ /* we'll cook up two more DBs and possible append them */
+ totalNumDbs += 2;
+ weOpenedDbs = CSSM_TRUE;
+ }
+ CSSM_DL_DB_HANDLE dlDbHandles[totalNumDbs];
+ CSSM_DL_DB_LIST dlDbList;
+ CSSM_DL_HANDLE dlHand = 0;
+ for(unsigned dex=0; dex<numCallerDbs; dex++) {
+ dlDbHandles[dex] = vfyArgs->dlDbList->DLDBHandle[dex];
+ }
+ if(weOpenedDbs) {
+ /* get a DL handle, somehow */
+ if(numCallerDbs == 0) {
+ /* new DL handle */
+ dlHand = cuDlStartup();
+ dlDbHandles[0].DLHandle = dlHand;
+ dlDbHandles[1].DLHandle = dlHand;
+ }
+ else {
+ /* use the same one caller passed in */
+ dlDbHandles[numCallerDbs].DLHandle = dlDbHandles[0].DLHandle;
+ dlDbHandles[numCallerDbs + 1].DLHandle = dlDbHandles[0].DLHandle;
+ }
+ /* now open two DBs */
+ dlDbHandles[numCallerDbs].DBHandle =
+ cuDbStartupByName(dlDbHandles[numCallerDbs].DLHandle,
+ (char *)ADMIN_CERT_STORE_PATH, CSSM_FALSE, CSSM_TRUE);
+ dlDbHandles[numCallerDbs + 1].DBHandle =
+ cuDbStartupByName(dlDbHandles[numCallerDbs].DLHandle,
+ (char *)SYSTEM_ROOT_STORE_PATH, CSSM_FALSE, CSSM_TRUE);
+ }
+ dlDbList.DLDBHandle = dlDbHandles;
+ dlDbList.NumHandles = totalNumDbs;
+ authCtx.DBList = &dlDbList;
+
+ CFArrayRef cfAnchors = NULL;
+ CSSM_DATA *cssmAnchors = NULL;
+ unsigned numAnchors = 0;
+
+ if(vfyArgs->useSystemAnchors) {
+ if(!vfyArgs->useTrustSettings) {
+ /* standard system anchors - ingore error, I'm sure the
+ * current test will eventually fail */
+ getSystemAnchors(&cfAnchors, &cssmAnchors, &numAnchors);
+ authCtx.NumberOfAnchorCerts = numAnchors;
+ authCtx.AnchorCerts = cssmAnchors;
+ }
+ }
+ else {
+ /* anchors are our caller's roots */
+ if(vfyArgs->roots) {
+ authCtx.NumberOfAnchorCerts = vfyArgs->roots->numBlobs();
+ authCtx.AnchorCerts = vfyArgs->roots->blobList();
+ }
+ }
+ authCtx.CallerCredentials = NULL;
+
+ if(vfyArgs->crls) {
+ /* cook up CRL group */
+ CSSM_CRLGROUP_PTR cssmCrls = &vfyCtx.Crls;
+ cssmCrls->CrlType = CSSM_CRL_TYPE_X_509v1;
+ cssmCrls->CrlEncoding = CSSM_CRL_ENCODING_DER;
+ cssmCrls->NumberOfCrls = vfyArgs->crls->numBlobs();
+ cssmCrls->GroupCrlList.CrlList = vfyArgs->crls->blobList();
+ cssmCrls->CrlGroupType = CSSM_CRLGROUP_DATA;
+ }
+
+ /* CSSM_APPLE_TP_ACTION_DATA */
+ CSSM_APPLE_TP_ACTION_DATA tpAction;
+ tpAction.Version = CSSM_APPLE_TP_ACTION_VERSION;
+ tpAction.ActionFlags = 0;
+ if(vfyArgs->leafCertIsCA) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_LEAF_IS_CA;
+ }
+ if(vfyArgs->certNetFetchEnable) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_FETCH_CERT_FROM_NET;
+ }
+ if(vfyArgs->allowExpiredRoot) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT;
+ }
+ if(!vfyArgs->allowUnverified) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_REQUIRE_REV_PER_CERT;
+ }
+ if(vfyArgs->useTrustSettings) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_TRUST_SETTINGS;
+ }
+ if(vfyArgs->implicitAnchors) {
+ tpAction.ActionFlags |= CSSM_TP_ACTION_IMPLICIT_ANCHORS;
+ }
+
+ /* CSSM_TP_VERIFY_CONTEXT */
+ vfyCtx.ActionData.Data = (uint8 *)&tpAction;
+ vfyCtx.ActionData.Length = sizeof(tpAction);
+
+ vfyCtx.Action = CSSM_TP_ACTION_DEFAULT;
+ vfyCtx.Cred = &authCtx;
+
+ /* cook up cert group */
+ CSSM_CERTGROUP cssmCerts;
+ cssmCerts.CertType = CSSM_CERT_X_509v3;
+ cssmCerts.CertEncoding = CSSM_CERT_ENCODING_DER;
+ cssmCerts.NumCerts = vfyArgs->certs->numBlobs();
+ cssmCerts.GroupList.CertList = vfyArgs->certs->blobList();
+ cssmCerts.CertGroupType = CSSM_CERTGROUP_DATA;
+
+ int ourRtn = 0;
+ CSSM_RETURN crtn = CSSM_TP_CertGroupVerify(vfyArgs->tpHand,
+ vfyArgs->clHand,
+ vfyArgs->cspHand,
+ &cssmCerts,
+ &vfyCtx,
+ &vfyResult);
+ if(vfyArgs->expectedErrStr != NULL) {
+ const char *actRtn;
+ if(crtn == CSSM_OK) {
+ /* cssmErrorString munges this to "[ok]" */
+ actRtn = "CSSM_OK";
+ }
+ else {
+ actRtn = cssmErrToStr(crtn);
+ }
+ char *found = strstr(actRtn, vfyArgs->expectedErrStr);
+ if(found) {
+ if(!vfyArgs->quiet) {
+ printf("...%s received as expected\n", vfyArgs->expectedErrStr);
+ }
+ }
+ else {
+ printf("***CSSM_TP_CertGroupVerify error\n");
+ printf(" expected rtn : %s\n", vfyArgs->expectedErrStr);
+ printf(" actual rtn : %s\n", actRtn);
+ ourRtn = 1;
+ }
+ }
+ else {
+ if(crtn) {
+ if(!vfyArgs->quiet) {
+ printError("CSSM_TP_CertGroupVerify", crtn);
+ }
+ ourRtn = 1;
+ }
+ else if(!vfyArgs->quiet) {
+ printf("...verify successful\n");
+ }
+ }
+ if(vfyArgs->certErrors) {
+ if(vfyCertErrors(&vfyResult, vfyArgs->numCertErrors, vfyArgs->certErrors,
+ vfyArgs->quiet)) {
+ ourRtn = 1;
+ }
+ }
+ if(vfyArgs->certStatus) {
+ if(vfyCertStatus(&vfyResult, vfyArgs->numCertStatus, vfyArgs->certStatus,
+ vfyArgs->quiet)) {
+ ourRtn = 1;
+ }
+ }
+ if(vfyArgs->verbose) {
+ dumpVfyResult(&vfyResult);
+ }
+ freeVfyResult(&vfyResult);
+ if(weOpenedDbs) {
+ /* close the DBs and maybe the DL we opened */
+ CSSM_DL_DbClose(dlDbHandles[numCallerDbs]);
+ CSSM_DL_DbClose(dlDbHandles[numCallerDbs + 1]);
+ if(dlHand != 0) {
+ cuDlDetachUnload(dlHand);
+ }
+ }
+ if(cfAnchors) {
+ CFRelease(cfAnchors);
+ }
+ if(cssmAnchors) {
+ free(cssmAnchors);
+ }
+ return ourRtn;
+}
+
+unsigned hexDigit(char digit)
+{
+ if((digit >= '0') && (digit <= '9')) {
+ return digit - '0';
+ }
+ if((digit >= 'a') && (digit <= 'f')) {
+ return 10 + digit - 'a';
+ }
+ if((digit >= 'A') && (digit <= 'F')) {
+ return 10 + digit - 'A';
+ }
+ printf("***BAD HEX DIGIT (%c)\n", digit);
+ return 0;
+}
+
+/* convert ASCII string in hex to unsigned */
+unsigned hexToBin(const char *hex)
+{
+ unsigned rtn = 0;
+ const char *cp = hex;
+ if((cp[0] == '0') && (cp[1] == 'x')) {
+ cp += 2;
+ }
+ if(strlen(cp) > 8) {
+ printf("***BAD HEX STRING (%s)\n", cp);
+ return 0;
+ }
+ while(*cp) {
+ rtn <<= 4;
+ rtn += hexDigit(*cp);
+ cp++;
+ }
+ return rtn;
+}
+
+/*
+ * A slightly simplified version of certVerify:
+ * -- no CRLs (includes allowUnverified = CSSM_FALSE)
+ * -- revokePOlicy = None
+ * -- no DlDbs
+ * -- no net fetch
+ * -- time = now.
+ */
+int certVerifySimple(
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ BlobList &certs,
+ BlobList &roots,
+ CSSM_BOOL useSystemAnchors,
+ CSSM_BOOL leafCertIsCA,
+ CSSM_BOOL allowExpiredRoot,
+ CertVerifyPolicy vfyPolicy,
+ const char *sslHost, // optional, SSL policy
+ CSSM_BOOL sslClient, // normally server side
+ const char *senderEmail, // optional, SMIME
+ CE_KeyUsage intendedKeyUse, // optional, SMIME only
+ const char *expectedErrStr,// e.g.,
+ // "CSSMERR_APPLETP_CRL_NOT_TRUSTED"
+
+ /*
+ * expected per-cert errors
+ * format is certNum:errorString
+ * e.g., "1:CSSMERR_APPLETP_CRL_NOT_TRUSTED"
+ */
+ unsigned numCertErrors,
+ const char **certErrors, // per-cert status
+
+ /*
+ * Expected per-cert status (CSSM_TP_APPLE_EVIDENCE_INFO.StatusBits)
+ * format is certNum:status_in_hex
+ * e.g., "1:0x18", leading 0x optional
+ */
+ unsigned numCertStatus,
+ const char **certStatus,
+ CSSM_BOOL useTrustSettings,
+ CSSM_BOOL quiet,
+ CSSM_BOOL verbose)
+{
+ CertVerifyArgs vfyArgs;
+ memset(&vfyArgs, 0, sizeof(vfyArgs));
+ vfyArgs.version = CERT_VFY_ARGS_VERS;
+ vfyArgs.tpHand = tpHand;
+ vfyArgs.clHand = clHand;
+ vfyArgs.cspHand = cspHand;
+ vfyArgs.certs = &certs;
+ vfyArgs.roots = &roots;
+ vfyArgs.useSystemAnchors = useSystemAnchors;
+ vfyArgs.useTrustSettings = useTrustSettings;
+ vfyArgs.leafCertIsCA = leafCertIsCA;
+ vfyArgs.allowExpiredRoot = allowExpiredRoot;
+ vfyArgs.vfyPolicy = vfyPolicy;
+ vfyArgs.sslHost = sslHost;
+ vfyArgs.sslClient = sslClient;
+ vfyArgs.senderEmail = senderEmail;
+ vfyArgs.intendedKeyUse = intendedKeyUse;
+ vfyArgs.allowUnverified = CSSM_TRUE;
+ vfyArgs.expectedErrStr = expectedErrStr;
+ vfyArgs.numCertErrors = numCertErrors;
+ vfyArgs.certErrors = certErrors;
+ vfyArgs.numCertStatus = numCertStatus;
+ vfyArgs.certStatus = certStatus;
+ vfyArgs.quiet = quiet;
+ vfyArgs.verbose = verbose;
+ return certVerify(&vfyArgs);
+}
+
projects / apple / security.git / blobdiff